Sensitive Information Exposure in E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 on WordPress allows attackers to upload and execute dangerous file types (e.g. PHP shell) via the signature upload on the booking form.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Vik Booking for WordPress**

The famous Booking Engine and PMS online software for accommodations is now available also for WordPress as a native Plugin!

If you are looking for a reliable reservation system for a Hotel, B&B, Villa, Apartments, Hostel or any similar accommodation, then you have found the right plugin. In fact, Vik Booking is a **PCI-DSS** and **OpenTravel** compliant hotel Booking Engine used by thousands of properties every day.

This is the **free** version of the plugin, but you can upgrade to the **Pro** version at any time from your _wp-admin_ section. Experience the power of a true and internal Booking Engine that competes with the best ones of the world!

The **Pro** version is compatible with _Vik Channel Manager_, the first and only native Channel Manager for WordPress, listed as a Premier Partner of **Booking.com** since 2018 among the top 20 systems worldwide. **Full API** connections available with the most famous OTAs such as **Airbnb**, **Expedia** and **Google Hotel** for their new Free Booking Links! Beware of “fake” Channel Manager plugins that only offer unreliable iCal synchronizations with no private access to the OTA’s APIs.

Vik Booking was born in 2010 for a different web-software (CMS) than WordPress, and that’s how it became famous. The same powerful framework is now (since 2018) at the service of all webmasters, designers and web-agencies that work with WordPress. It’s definitely the hotel reservation plugin that you, or your client, were looking for.

Visit VikWP.com for more details. Interested in our full solution comprehensive of the Channel Manager? Visit also E4jConnect.

**Some of the unique features**

*   Custom Rate Plans (Refundable, Flexible, Non Refundable rates)
*   Rooms, Room Types and Sub-Units management functions
*   Availability Calendars and Occupancy Overview
*   Bookings Management made right
*   Feature-rich Back-end section
*   Front-end customizable booking process
*   8 different Views for the front-end (8 Types of Shortcode for your pages)
*   Compliant with any Pricing Model: Occupancy, Nightly, LOS, OBP etc..
*   Housekeeping features with Tableaux, festivities and room-day notes
*   Permissions/ACL Management functions for the various WP Users Roles
*   Multi-language support with built-in translation functions
*   Channel Manager compatible. We are a certified Channel Manager provider (e4jConnect).
*   Google Hotel Ads certified for Free Booking Links.

**Some of Pro version features**

*   Seasonal Rates and Rates Calendar with 1-click modification
*   Booking Restrictions: Min, Max LOS, CTA/CTD, Forced Arrival/Departure days
*   Custom Payment Gateways (over 60 available on VikWP.com)
*   SMS Gateways for automated notifications
*   Custom Cron Jobs Scheduling for automated tasks (reminders, invoices)
*   Customers Management functions, sales channels and commissions
*   Graphs and Statistics
*   Custom Options, Extra Services, Extra Fees
*   Add, Remove or Switch rooms from existing bookings
*   PMS Reports with extendable framework (built-in services for various countries)
*   Electronic invoices extendable framework compliant with Italy (Agenzia delle Entrate) and Greece (myDATA ΑΑΔΕ).
*   Registration functions: check-in, check-out, no-show
*   Our award winning solution of Booking Engine + PMS and Channel Manager is all you need on your WordPress website.

**Interested in, curious about the Pro version?**

You should take a look with your own eyes at the demo website to see what you can do with Vik Booking. Do not stop at the front-end though, make sure to visit the wp-admin section too.

1.  Front-end Demo Website
2.  Admin Demo Website

This plugin provides 1 block.

*   VikBooking Hotel Booking Engine & PMS

**Installation through the WordPress Plugins Browser**

*   Search for “Vik Booking” in the Add Plugin section of your website back-end
*   Install the Plugin by clicking on the apposite button
*   Activate the Plugin by using the apposite activation button
*   A link to access and configure Vik Booking will be visible in the left-menu
*   Enjoy it

**Alternative Installation Method**

You can only install the **free** version of Vik Booking, not the Pro version. If for some reasons the WordPress Repository installation won’t work, you can contact us to receive the zip installer file and upload it via FTP onto your server.

*   Download the installer zip file from VikWP.com
*   Unzip the archive on your computer’s local drive
*   Upload via FTP the unzipped folder _vikbooking_ onto your _/wp-content/plugins_ directory
*   Log in to your _wp-admin_ section and activate the plugin

**Is upgrading to Pro mandatory?**

No, not at all. However, it took our company 8 years to build the _Pro_ version and we are willing to spend a lot more years of work on this software. We encourage you to evaluate the free version first, and then upgrade to Pro to unlock its potential.

**Why some functions are not available in the free version?**

We are a software development company listed as a certified Channel Manager Provider by the major OTAs of the world. We work to deliver a full software solution for CMS and Web Software like WordPress as a valid alternative to the same proprietary and external systems. We make money by selling licenses of the Pro version.

**Is it worth upgrading to Pro?**

Vik Booking is not a one-page plugin. You can build websites worth a lot of money with this plugin. You don’t need anything else to deliver a complete website, if not a Theme and some experience with WordPress.

**Can I build a portal of multiple properties/apartments?**

No, you can’t! Vik Booking was designed specifically for single properties, or multiple properties managed by the same company. Basically, you cannot build a portal with multiple vendors where certain users should access and manage only their rooms and reservations. Vik Booking is a true booking engine for Hotels, B&Bs, Apartments, Villas and Hostels. It should be installed on the website of the accommodation. Even though permissions for receptionists and managers can be set up, the logic of the software remains single-vendor.  
If you are looking for a solution for a real-estate agency (for example) that manages multiple properties on its own, then it’s still fine as long as you don’t need specific users/owners to see or manage their own data because this is not supported.

**Can I use Vik Booking with my preferred Theme?**

Yes, of course. You are free to install Vik Booking on your website with your own Theme. The plugin will adjust to it thanks to its own CSS framework. It is also possible to work on a custom CSS file to adjust some layouts.

**What about Vik Channel Manager or E4JConnect?**

Vik Booking is the Booking Engine and PMS plugin, it can work alone on any existing website. However, if you are looking to establish real-time API connections with OTAs like Booking.com, Airbnb, Expedia, Google Hotel Ads etc.. then you need to use our full solution, which is composed of a one-time fee to purchase the Pro version of Vik Booking as well as the plugin Vik Channel Manager. The only recurring cost, just like any existing (and real) Channel Manager software, is the one to keep the connection active with the various channels. This is the subscription for our certified and award-winning Channel Manager service called “e4jConnect”. Please notice that all these services are entirely provided by our company, it’s one single company with no third party connections. We are the software developer company as well as the Channel Manager provider. This makes a big difference.

![](https://secure.gravatar.com/avatar/055347ee6a7c449d244d21bb1af44cf3?s=60&d=retro&r=g)

Ormai 6 mesi che utilizziamo il sistema e ci troviamo alla grande. Ha tutto quello che ci serve per la gestione quotidiana della struttura. Ogni aggiornamento vengono aggiunte nuove funzionalità e il support è super disponibile.

![](https://secure.gravatar.com/avatar/43ced06fdb7aa50df7cebc0cd6538966?s=60&d=retro&r=g)

I have used vikbooking in both joomla and wordpress version. This is a great product that does what most hotel/hostel business want to keep in-house. Having a great product is never enough without dedicated after-sale support. My personal experience with their support team has been positive throughout. It has been quick and to the point. I also see that their effort has never ceased in constant improvement in their product even though it has been out in the market for years. It shows that they listen to their customers' needs and strive to give something of value to all future customers. Two thumbs up.

![](https://secure.gravatar.com/avatar/7d417cd1e89fdd0f4f19cdb1db74a9f3?s=60&d=retro&r=g)

I bought the VikBooking Pro plugin first, then the Channel Manager, then an e4JConnect subscription for a client that needed to manage reservations for a small 5-bungalow property in connection with Booking.com. After a brief learning curve and some great customer support on their part, the hotel receives bookings both directly and in sync with their main channel so we are very happy with the end result. The UI is friendly and simple enough for any private villa or independent multi-room property. It also adds the needed pages to your WP site. If you're just getting started, this is a good easy-to-learn solution. As far as pricing, if all you need is the booking engine -VikBooking Pro- and a simple way for customers to pay for their reservations online, it's fair as it comes with the ability to take payments through PayPal. If you need to manage additional channels and payment gateways, take the time to read through all of the options as the costs will rack up once you begin adding all the extras needed to fully operate a hotel successfully. E.g.: The booking engine, the channel manager, the required e4jConnect subscription(s) needed per channel (Airbnb, Booking.com, etc.), plus any additional payment gateway such as Stripe. Overall, I give it 5-starts for its easy setup, ease of use, and in a big way, the over-the-top customer support provided during our setup. I will be recommending them again for future projects.

![](https://secure.gravatar.com/avatar/5847523cbe714539bd5d497287bd50b8?s=60&d=retro&r=g)

Great plugin, really well thought out. This deserves way more credit than it gets!

![](https://secure.gravatar.com/avatar/d7e3934daa3d08dd6998b15da06f61a9?s=60&d=retro&r=g)

The plugin offers tons of great features. I would highly recommend using it for your hotel booking website.

![](https://secure.gravatar.com/avatar/bd5c3c4575f02e4ef76dc5bc53099c41?s=60&d=retro&r=g)

Very powerful plugin, with a user friendly interface and easy to manage but above all a level support that allows you to face any type of problem.

Read all 39 reviews

“VikBooking Hotel Booking Engine & PMS” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/9bed9c553b8bc648b045b7444d57f086?s=32&d=mm&r=g) e4jvikwp

**1.5.6**

_Release date – 19 April 2022_

*   Added support for customer profile picture (avatar).
*   Prevented switch of non refundable rates during booking modification.
*   Sanitized malicious data injections.
*   Fixed compatibility issues with Windows servers.
*   Major core framework release.
*   Dark mode appearance for dark color scheme preferences.
*   Multitask panel to quickly query the system without changing pages.
*   Browser (web push) notifications with real-time alerts.
*   New admin widgets and framework.
*   Reminders with scheduled due dates.
*   Rates flow monitoring for OTA and Website rates.
*   Custom data collection for guests registration.
*   myDATA AADE integration for electronic invoicing in Greece.
*   Inquiry reservations with pending status and auto room-assignment.
*   Backups: import and export an entire configuration from one site to another.
*   Visual (rich text) editor and composer for any email message.
*   New statistics tracking features.
*   Coupon codes with minimum stay filter.
*   New conditional text rules.
*   New permissions for front-end Tableaux and operators.
*   Support (and certification) for Google Hotel Free Booking Links!!! (Vik Channel Manager + E4JConnect subscription required)

**Earlier versions**

For further details about older versions, please refer to the changelog.md file of the plugin.

CVE-2022-27862: VikBooking Hotel Booking Engine & PMS

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.

On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022

After sending the full disclosure details to the SiteGround security team on March 10, 2022 a patch was released the next day on March 11, 2022. While the plugin was partially patched immediately, it wasn’t optimally patched until April 7, 2022.

Sites hosted on the SiteGround platform have automatically been updated to the patched version while those hosted elsewhere will require a manual update, if auto-updates are not enabled for the plugin. We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.

**Description:** Authentication Bypass via 2-Factor Authentication Setup  
**Affected Plugin:** SiteGround Security  
**Plugin Slug:** sg-security  
**Plugin Developer:** SiteGround  
**Affected Versions:** <= 1.2.5  
**CVE ID:** CVE-2022-0992  
**CVSS Score:** 9.8 (Critical)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** ​1.2.6

SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented making it possible for unauthenticated attackers to gain access to privileged accounts.

When two-factor authentication is enabled, it requires all administrative and editor users to set-up two factor authentication. This requirement is triggered when the site’s administrative and editor users log into the site for the first time after 2FA has been enabled at which time they are prompted to configure 2FA for their account. This means that there will be a period of time between 2FA being enabled on a site and each user configuring it for the account.

During this interim period, attackers could hijack the 2FA set-up process. The plugin had a flaw that made it so that attackers could completely bypass the first step of authentication, which requires a username and password, and access the 2FA set-up page for users that had not configured 2FA yet.

It was as simple as supplying the user ID they would like to compromise via the sg-user-id parameter, along with a few other parameters to indicate that they would like to trigger the initial 2FA configuration process.

The following validate_2fa_login() function shows the process by which a user-supplied ID is validated. If the results from the check_authentication_code() function and the sg_security_2fa_configured user meta retuned false, which indicated that 2FA hasn’t yet been configured for that user, then the plugin would load the 2fa-initial-setup-form.php template which displays the QR code and 2FA secret needed to configure the authenticator app for the user supplied ID.

</pre>
<pre>public function validate\_2fa\_login( $user ) {
   // Bail if there is no valid user authentication.
   if ( ! isset( $\_POST\['sg-user-id'\] ) ) { // phpcs:ignore
      return;
   }

   $result = $this->check\_authentication\_code( wp\_unslash( $\_POST\['sgc2facode'\] ), wp\_unslash( $\_POST\['sg-user-id'\] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      if ( 0 == get\_user\_meta( $\_POST\['sg-user-id'\], 'sg\_security\_2fa\_configured', true ) ) { // phpcs:ignore
         // Arguments for initial 2fa setup.
         $args = array(
            'template' => '2fa-initial-setup-form.php',
            'qr'       => get\_user\_meta( $\_POST\['sg-user-id'\], 'sg\_security\_2fa\_qr', true ), // phpcs:ignore
            'secret'   => get\_user\_meta( $\_POST\['sg-user-id'\], 'sg\_security\_2fa\_secret', true ), // phpcs:ignore
            'error'    => esc\_html\_\_( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc\_url( add\_query\_arg( 'action', 'sgs2fa', wp\_login\_url() ) ),
         );
      } else {
         // Arguments for 2fa login.
         $args = array(
            'template' => '2fa-login.php',
            'error'    => esc\_html\_\_( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc\_url( add\_query\_arg( 'action', 'sgs2fa', wp\_login\_url() ) ),
         );
      }

      $this->load\_form( wp\_unslash( $\_POST\['sg-user-id'\] ), $args ); // phpcs:ignore
   }

   // Set the auth cookie.
   wp\_set\_auth\_cookie( wp\_unslash( $\_POST\['sg-user-id'\] ), intval( wp\_unslash( $\_POST\['rememberme'\] ) ) ); // phpcs:ignore</pre>
<pre>

_The authentication QR code and secret key displayed that would be displayed to potentially unauthorized users._

The returned QR code and secret key are the only things needed to connect the user account with an authentication mechanism, such as Google Authenticator. Attackers were able to use this to connect their authentication app with the account and successfully use a code to pass the “second factor of authentication.” This function would then set the user authentication cookies via the wp_set_auth_cookie() function using the user supplied ID from the sg-user-id parameter which effectively logs the attacker in as that user. Due to the default configuration of the plugin, this account would most likely be a privileged user like an administrator or editor. It’s also worth noting that the function returns the back-up codes which could be used via the weakness outlined in the next section.

To sum it up, there was no validation on the validate_2fa_login() function that the identity a user was claiming was in fact legitimate. As such attackers could bypass the first authentication mechanism, a username/password pair, which is meant to prove identity and successfully log in, due to a weakness in the second authentication mechanism, the 2FA process. When successful, an attacker could completely infect a site by exploiting this vulnerability.

**Description:** Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes  
**Affected Plugin:** SiteGround Security  
**Plugin Slug:** sg-security  
**Plugin Developer:** SiteGround  
**Affected Versions:** <= 1.2.4  
**CVE ID:** CVE-2022-0993  
**CVSS Score:** 8.1 (High)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** ​1.2.6

In addition to the above outlined vulnerability, the method in which 2FA back-up code authentication was handled made it possible for attackers to log in if they were able to brute force a back-up code for a user or compromise it via other means such as SQL Injection.

Diving deeper, the plugin registered the validate_2fabc_login() function which validated the supplied backup code through the validate_backup_login() function using the user supplied user ID from the sg-user-id parameter along with the back-up code supplied via the sgc2fabackupcode parameter. If the back-up code was found in the array of stored back-up codes for that user, then the function would use the wp_set_auth_cookie() function to set the authentication cookies for the supplied user ID. If that user ID belonged to an administrator, the attacker would effectively be logged in as an administrator.

</pre>
<pre>public function validate\_2fabc\_login() {

   $result = $this->validate\_backup\_login( wp\_unslash( $\_POST\['sgc2fabackupcode'\] ), wp\_unslash( $\_POST\['sg-user-id'\] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      $this->load\_form(
         wp\_unslash( $\_POST\['sg-user-id'\] ), // phpcs:ignore
         array(
            'template' => '2fa-login-backup-code.php',
            'action'   => esc\_url( add\_query\_arg( 'action', 'sgs2fabc', wp\_login\_url() ) ),
            'error'    => esc\_html\_\_( 'Invalid backup code!', 'sg-security' ),
         )
      );
   }

   // Set the auth cookie.
   wp\_set\_auth\_cookie( wp\_unslash( $\_POST\['sg-user-id'\] ), intval( wp\_unslash( $\_POST\['rememberme'\] ) ) ); // phpcs:ignore

Similarly to the previous vulnerability, the issue here is that there was no true identity validation for the authentication, which indicates an authorization weakness. The function performed no checks to verify that a user had previously authenticated prior to entering the 2FA back-up code, and as such they did not need to legitimately log in prior to being logged in while using a back-up code. This meant that there were no checks to validate that a user was authorized to use a back-up code to perform the second factor of authentication that would log them in.

Though the risk in this case is lower, the backup codes were 8 digits long and entirely numeric, so an attacker could potentially brute force one of the 8 back-up codes and automatically be logged in without knowing a username and password combination for an administrative user.

While this might not be practical to attempt on most servers, a patient adversary attacking a well-provisioned server capable of processing a large number of requests at once would have a high chance of eventually gaining access unless the brute force attempts were stopped by another mechanism, such as the Wordfence plugin’s built-in brute force protection or rate limiting rules.

Further, this vulnerability could be used in conjunction with another vulnerability, such as SQL injection, where an attacker would be able to compromise the 2FA back-up codes that are stored in the database and then subsequently use them to log in without needing to crack the password of an administrative user which would likely be significantly stronger. In both cases, the impact would be significant as an attacker could gain administrative access to the compromised WordPress site which could be used for complete site infection.

**An Important Security Reminder: Audit Your WordPress Site’s User Accounts**

This vulnerability serves as an important reminder to audit your WordPress site’s user accounts. This means identifying any old and unused user accounts that have been inactive for an extended period of time and/or are likely to never be used again and removing them or completely stripping the user’s capabilities. This vulnerability could easily be exploited on sites where the site owner enabled 2FA, which is required for all administrative and editor users, and had old inactive administrative/editor user accounts on the site that an attacker could target. Considering accounts that are no longer active are unlikely to log in after the 2FA setting has been enabled, the 2FA for those accounts would not be configured leaving the site ripe for exploitation by any attackers exploiting the vulnerability.

A situation involving a similar security issue involving insecure 2FA was reported by the CISA in conjunction with the FBI a few weeks ago, around the same time we discovered this vulnerability. In the Cybersecurity Advisory (CSA) by the CISA, it was disclosed that a threat actor was able to successfully brute force a dormant user’s account credentials, and due to a default 2FA setting that would allow dormant users to re-enroll a new device for 2FA during the next active log in, the threat actor was able to connect the 2FA secret to their own account and retrieve the code needed to pass the second factor of authentication. Once the threat actor gained initial access to the system they were able to escalate their privileges by exploiting the “PrintNightmare” vulnerability, which you can read more about here, and steal sensitive information from across the organization’s network. This goes to show that attackers are definitely looking for flaws like the one disclosed today to exploit and any site can be a target. As such, it’s important to actively maintain and validate the security of your site through regularly performed professional or self-conducted security audits and penetration tests, which is a service Wordfence provides. Security is an active and continuous process.

**Timeline**

**March 10, 2022** – Conclusion of the plugin analysis that led to the discovery of two Authentication Bypass Vulnerabilities in the “SiteGround Security” WordPress plugin. We deploy firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. We send the full disclosure details to SiteGround in accordance with their responsible disclosure policy.  
**March 11, 2022** – The CTO of SiteGround responds indicating that a patch has been released. We review the patch and inform them that it is insufficient. They release an additional patch.  
**March 11, 2022** – A patched version of the plugin is released as version 1.2.3. We suggest further security enhancements to the functionality.  
**March 16, 2022** – An update is made that reduces the security of the 2FA functionality, we follow-up again to suggest better security enhancements to the functionality. The CTO assures us that they are working on it.  
**April 6, 2022** – A fully and optimally patched version of the plugin is released as version 1.2.6.  
**April 9, 2022** – Wordfence Free users receive the firewall rules.

**Conclusion**

In today’s post, we detailed a flaw in the “SiteGround Security” plugin that made it possible for unauthenticated attackers to gain access to administrative user accounts in instances where 2-Factor Authentication was enabled, though not yet fully set up, and in cases where an attacker could successfully brute force a back-up code. This could easily be used by an attacker to completely compromise a site. This flaw has been fully patched in version 1.2.6.

We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against attempts by attackers to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both Wordfence Care and Wordfence Response include hands-on security support that provide you with ongoing assistance from our incident response team, should you need it.

_Special thanks to the team at SiteGround, for responding swiftly and working quickly to get a patch out to protect their customers and working to further secure the 2FA component._

CVE-2022-0992: Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin

The WordPress WP YouTube Live Plugin is vulnerable to Reflected Cross-Site Scripting via POST data found in the ~/inc/admin.php file which allows unauthenticated attackers to inject arbitrary web scripts in versions up to, and including, 1.7.21.

CVE-2022-1187: admin.php in wp-youtube-live/trunk/inc – WordPress Plugin Repository

Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.

 Hi all, 

I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. I was not the administrator of the scanner just had access to creating the target and running the scan. Our administrator was having access to all functionalities, Including downloading the reports and targets etc. 

Lets get to the technical details.

**Vulnerable Version:** 13.0.201217092 and before

**Fixed Version:** 14 and 14+

**\# Software description:**

Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security.

**\# Technical Details & Impact:**

It was observed that **Target** page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks:

Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.

Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website.

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

**\# POC**

To start the scan in Acunetix version 13.0.201217092 you have to add the target.

1.  Click on "Add Target"
2.  Add any target address and in description add CSV Injection Payloads for test I have used **"=10+20+cmd|' /C calc'!A0"**
3.  ![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7Ad0y5kr3v5AqE2R5tMWz4ax0_1c0b95OwkEXxymKa0tjsJnu0c-6-J2-QEuIQO6-RMx6fVNY6A_MyyvkIIjzKRYKz2xNmEmkbeeqICVyLiKVc7mvX4xcey0T7HtW3aSaimNEyYZCmNYFBQSM1I1O9NTL6zj7UkUqmKVqg_lFXuW6yvW8XKEcRUnR/w640-h344/Embedd-csv-payload.jpg)
    
      
    
4.  Click on **Save** button
5.  The target with malicious payload will be shown in description column. 
6.  Click on **Export CSV** button
7.  ![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcuUH2WvOEfpFGX9mjasXHY9AmpYIzhBq18lqIQIgLzt7Wd94plK0G7caX-FY6URk1QTalW8MBVWIHtUyfuDbL0EbCIQx6VUtQHnaeKrUnwLK00EK6zdpKPOqvJoeRnlL7f_dHIeteKl1JyzFkgsooOGVeS2Wv8ttWN_N24ZPk33g1P2FtQ0Lc7eqe/w640-h254/save-the-scan-click-export-csv.jpg)
    
      
    
8.  CSV will be download and upon opening it will ask for Enable execution 
9.  Click on enable as the Admin will always trust the downloaded since it downloaded from trusted source, Once enabled it will execute the payload

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpw6bGT67rxowuT7IzEKhL_p3IvG-wA7w39cFWlXp3wfbOPuyUAh9HI9cDlbaAWMgTnl1wO2BuR2p8AnXFQlEAPeFqp7Fc1ezAwg1FST5tApOfIXseIzVTKb1t7_V1blmc3cHde27dDBWNrXe7IjF3ZCUTOwRgUxyOwFcF14jKGfADMssd8nhIOPv7/w400-h246/2022-04-11%2012_04_09-DNS-Allzones.xlsx%20-%20Excel.png)

Vulnerability was reported to Acunetix they silently fixed in latest version after 13.0. I have verified its fixed on 14.7.22xxxx

Thanks

CVE-2022-29315: CSV Injection in Acunetix version 13.0.201217092

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

The increased adoption of cloud infrastructure by companies looking to improve agility and support a hybrid workforce has led to more development teams adopting security-as-code as a way to build security into software and products.

Over the past year, for example, Google has pushed security-as-code as a fundamental component of its cloud offerings, identifying in January "software-defined infrastructure" as one of the eight megatrends driving the security of the cloud. Encoding security configuration as code that can be an input into development and deployment processes lets organizations analyze their security configuration, change and redeploy easily, and continuously monitor the state of their security configuration to evaluate whether it matches policies.

The result is analyzable security configuration and continuously verifiable controls, says Phil Venables, vice president at Google and CISO for Google Cloud.

"The great thing about security-as-code is that you know the configuration that you have deployed exactly corresponds to what you had specified and analyzed as meeting your security requirements," he says. "Many breaches out there are not necessarily the result of an unknown risk, but are usually the result of some control that the organization thought they had not being deployed and operating when they needed it the most."

Security-as-code is an extension of the infrastructure-as-code movement that has come about as software-defined networks and systems have become more popular. DevOps teams have adopted infrastructure-as-code as the de facto standard for building and deploying software, containers, and virtual machines, but now companies are betting that the shift to cloud-native infrastructure will make security-as-code a key part of a sustainable approach to security.

**How Security-as-Code Works**  
In 2021, consulting firm McKinsey and Company identified security-as-code as perhaps the only way to secure cloud application and infrastructure at the speed at which modern businesses move.

"Capturing value in the cloud requires most companies to build a transformation engine ... to integrate cloud into business and technologies, drive adoption in priority business domains, and establish the foundational capabilities required to scale cloud usage safely and economically," the consulting firm wrote in a position paper. "SaC is the mechanism for developing foundational capabilities in cloud security and risk management."

Google intends to make the concept much more functional and part of any cloud infrastructure. In November, the company's Cybersecurity Action Team announced a Risk and Compliance as Code (RCaC) solution.

Companies that have embraced DevOps know that repeatable software builds rely on being able to specify the configuration of infrastructure elements — whether software applications, pipeline builds, or containers — as code in a file. This infrastructure-as-code approach allows developers and operations specialists to express and analyze the configuration before it is deployed.

Security-as-code aims to do the same thing for security, in an approach that many have called DevSecOps. Security-as-code expresses the security configuration of a variety of elements, including what security testing should be performed, the criteria for vulnerability scanning, encryption requirements, and access controls.

**How Does it Affect SBOMs?**  
Google sees the current efforts to make software bills of materials (SBOMs) more explicit and functional as a key component of the future of software-as-code. The components of a software program could be analyzed during any build and the policies described in the security-as-code file would be applied. Using a component that is vulnerable to a specific threat, such as Log4j, could stop the build. Other requirements, such as a high level in the Supply Chain Levels for Software Artifacts (SLSA), could also be specified, Google's Venable says.

"This mechanism allows you to start making richer decisions," he says. "This programmability of the environment to enforce security policy is pretty transformational compared to what any of us used to be able to do in traditional on-premise environments."

Google is joined by others blazing a trail into the security-as-code arena. The growing movement to encode security as a configuration file that can be incrementally improved led security firm Tenable Network Security to acquire Accurics, a maker of security-as-code technology.

"It's far more effective to find and fix the issues at the point of creation in code, rather than where they manifest in the cloud," Renaud Deraison, chief technology officer for Tenable Network Security, said in a blog announcing the acquisition. "In this way, we can ensure that what is deployed is secure by default and that any fixes are a simple merge request rather than a patch or operational afterthought."

Not everyone is convinced that security configurations will be ensconced in code anytime soon. While configuration files traveling along with software-defined infrastructure components could bring significant benefits — such as the audit ability and improved change management — companies are still too reactionary to adopt the technology, says Brian Fox, chief technology officer and co-founder of Sonatype, a software-management and security firm.

Software composition analysis (SCA) services that can automate the identification of risky software components — a service that Sonatype provides — provides some of the automated benefits of security-as-code. Most businesses have no idea of even what components make up their software, Fox says.

"We are super early in the adoption cycle with this," he says. "All the reasons that infrastructure-as-code made sense will make sense with security-as-code, but the industry is not quite there yet, because so many people do not have the mechanisms to even do this, never mind doing it as code."

Security-as-Code Gains More Support, but Still Nascent

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-29457: ADSelfService Plus Release Notes

An Insecure Direct Object Reference issue exists in the Tyler Odyssey platform before 17.1.20. This may allow an external party to access sensitive case records.

CVE-2022-26665: What Happened With Tyler Technologies

Google patches a critical flaw in its Chrome browser, bringing its count of zero-day vulnerabilities fixed in 2022 to four.

Google fixed two vulnerabilities in its Chrome web browser as part of an emergency update this week, including a type confusion vulnerability that is already being exploited in the wild.

The type confusion vulnerability (CVE-2022-1364) impacts the JavaScript and WebAssembly engine in the browser. With this kind of flaw, a program will allocate a resource (such as a pointer or object) using one type but will later try to access the resource using an incompatible type. The vulnerability can be exploited to cause the browser to crash, trigger logical errors, or even execute arbitrary code.

"Google is aware that an exploit for CVE-2022-1364 exists in the wild," the company wrote in the alert. Details will be restricted until a majority of users have updated to Chrome version 100.0.4896.127 across the Windows, Linux, and Mac platforms.

The issues also affect other Chromium-based browsers, such as Microsoft Edge, Brave, and Vivaldi.

The second issue that was fixed appears to be related to issues that were uncovered internally. The alert calls it "various fixes from internal audits, fuzzing, and other initiatives."

This is the third emergency update for Chrome in 2022, and the third zero-day vulnerability patched so far this year. In March, Google (along with Microsoft) fixed a critical flaw to the Chromium v8 JavaScript engine (CVE-2022-1096) that was being actively exploited.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Emergency Update Fixes Chrome Zero-Day

A zero-code remote code injection vulnerability via configuration.php in Chamilo LMS v1.11.13 allows attackers to upload arbitrary code in the form of a new plugin.

Tag

#google