Presto Changeo testsitecreator up to v1.1.1 was discovered to contain a SQL injection vulnerability via the component disable_json.php.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Test Site Creator” (testsitecreator) from Presto Changeo for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-43980
*   **Published at**: 2023-09-28
*   **Platform**: PrestaShop
*   **Product**: testsitecreator
*   **Impacted release**: <= 1.1.1 (WARNING : see WARNING below)
*   **Product author**: Presto Changeo
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TestSiteClass::TestSiteIsCreated() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**WARNING** : Author discontinue support of its module so you should no longer continue to use them and do not have time to confirm us the scope of impacted versions so it could impact newer versions than 1.1.1.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.1.1**

    --- 1.1.1/modules/testsitecreator/classes/TestSiteClass.php
    +++ XXXXX/modules/testsitecreator/classes/TestSiteClass.php
    ...
    		return (bool)Db::getInstance()->getRow('
    			SELECT * 
    			FROM `'._DB_PREFIX_.'testsitecreator`
    			WHERE `test_site_created` = 1
    -			'.(is_null($id_testsitecreator) ? 'AND `name_testsitecreator` = "'.$name_testsitecreator.'"' : 'AND `id_testsitecreator` = '.$id_testsitecreator).'
    +			'.(is_null($id_testsitecreator) ? 'AND `name_testsitecreator` = "'.pSQL($name_testsitecreator).'"' : 'AND `id_testsitecreator` = '.(int) $id_testsitecreator).'
    		');
    

**Other recommendations**

*   Since author discontinue support on its modules, it is recommended to delete the module.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-08-02

Issue discovered during a code review by TouchWeb.fr

2023-08-02

Contact Author to confirm versions scope by author

2023-08-27

Recontact Author to confirm versions scope by author

2023-08-27

Author replied us to stop communicating with him

2023-09-21

Request a CVE ID

2023-09-27

Received CVE ID

2023-09-28

Publish this security advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-43980: [CVE-2023-43980] Improper neutralization of SQL parameter in Presto Changeo - Test Site Creator module for PrestaShop

FD Application Apr. 2022 Edition (Version 9.01) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

****

掲載日：平成17年04月01日\[2005.04.01\]  
更新日：令和05年09月29日\[2023.09.29\]

※ 【重要】医薬品医療機器等法対応医薬品等電子申請ソフトを初めてインストールされる方へ  

下のリンクからダウンロードできるファイルは、自己解凍形式の実行ファイルになっています。ダウンロードが終わりましたら、  
そのファイルをダブルクリックして実行するかまたは、お使いのウェブブラウザが備えるダウンロードファイルの実行機能を使用して実行して下さい。  
インストール方法の詳細については 「インストールマニュアル\[2023.09.29 UPDATE\]」をご参照ください。

医薬品医療機器等法対応医薬品等電子申請ソフトの実行に必要なオペレーティングシステムは次のとおりです。  
　　Windows 10・Windows 11 オペレーティングシステムでの動作保証  
　　（Windows 8.1以前のオペレーティングシステムでの動作を保証しません。）

申請ソフトに関するお問い合わせは、申請ソフトヘルプデスクまでお願い致します。

**申請ソフト（2023年09月版:**令和03年08月01日からの医薬品医療機器等法に対応**）のダウンロード\[約13.3MB\]\[2023.09.29 UPDATE\]**

【令和05年09月29日公開2023年09月版の主な変更・修正点】  
１．インストーラの再構成  
　インストーラを再構成しました。それに伴い、既にインストールされている申請ソフトが存在する場合、  
　旧バージョンのアンインストールを行うまでインストールすることができません。  
　その際、データのバックアップを実施してください。  
　詳しくはインストールマニュアル（4、23、27ページ）をご覧下さい。

２．申請データの入力項目の追加  
　E01、E02、E06、E11、E12、E16、F01、F02、F06、F11、F12、F16の【適合性の有無】欄について１（有）・２（無）に加え、  
　 ３（省略）を入力するようにしました。

３．住所又は所在地に入力出来る桁数を増加  
　以下の様式・欄に入力出来る桁数を全角240文字以下としました。  
　・様式C01、02、06、11、12、16、41、42、46の「所在地」の項目  
　・様式L04、05、14、15、44、45の「所在地」の項目  
　・様式H01、11、21の「所在地」の項目、「外部試験機関等」配下の「住所」の項目

４．不具合修正  
　以下の不具合に対して修正を行いました。  
　・「指定成分を含む申請書ファイル検索」‐「検索キーの指定」で『医薬品配合目的』若しくは『医薬部外品配合目的』を選択すると、  
　 ソフトが強制終了してしまう不具合。  
　・E04の販売名が60文字までしか入力できない不具合  
　・E95で【変更内容】‐【変更前】及び【変更後】‐【構成】を必須から任意に変更  
　・E06、E16の【形状、構造、成分、分量又は本質】タブ‐【構成する成分，分量又は本質】タブ‐【構成する成分，分量又は本質】欄で  
　 改行されて表示されない不具合  
　・F04で【保管方法及び有効期間】-【簡略記載の有無】のエラーチェックが働いていなかった不具合

５．各種画面の修正  
　オンライン提出する/したファイルについて、「提出用申請データ出力」では「CD-R書込用ファイル出力」を、  
　 提出済み申請データ取り込みでは「CD・HD等から入力」をそれぞれ選択して操作してください。

６．各種マスタデータ内容の更新・修正  
　令和05年09月29日以前の各種マスタデータにおける、内容の更新・修正内容を反映しました。  
　各種マスタデータの最新版についてはこちらをご確認ください。

７．脆弱性対応  
　XML外部実体参照 (XXE)に関する脆弱性(CWE-611)が発見されたため、修正を行いました。

【令和04年04月28日公開2022年04月版の主な変更・修正点】  
１．不具合修正  
　以下2021年03月版の不具合に対して修正を行いました。  
　・旧バージョンの申請ソフトで作成した業許可の変更届において、【変更前】に欠格条項が含まれるデータを、  
　 「提出済み申請データ取り込み」機能にて取り込んだ場合、【変更後】タブに入力値が反映されない不具合  
　・各年の「2月29日」が正しく入力できない不具合  
　・L04、L05、L14、L15の鑑における代表者名欄の文字サイズやフォントを変更できない不具合  
　・A01～A06、A11～A16、K05、K15の鑑における誤記載

２．申請データの入力項目の追加  
　E31、E32、E36、F31、F32、F36における一部の項目を必須入力から任意入力にしました。

３．各種マスタデータ内容の更新・修正  
　令和04年04月28日以前の各種マスタデータにおける、内容の更新・修正内容を反映しました。  
　各種マスタデータの最新版についてはこちらをご確認ください。  
　なお、今回の改修に合わせ、大臣・知事・理事長名DB内の全ての氏名を削除しました。  
　大臣・知事・理事長の氏名は、申請書等の鑑への記載は不要です。

  

【令和03年08月02日公開2021年03月版の主な変更・修正点】  
１．作成申請・届書の追加  
　令和03年08月の薬機法改正の施行に伴い、追加の申請・届書を作成できるように  
　対応しました。

２．申請データの入力項目の追加  
　１．の対応に伴い、一部の申請・届書について、申請データの入力項目を追加するように  
　対応しました。

３．各種マスタデータ内容の更新・修正  
　令和03年03月31日以前の各種マスタデータにおける、内容の更新・修正内容を反映  
　しました。  
　各種マスタデータの最新版についてはこちらをご確認ください。  
　なお、今回の改修に合わせ、大臣・知事・理事長名DB内の一部氏名を削除しました。  
　削除された大臣・知事・理事長の氏名は、申請書等の鑑への記載は不要です。

４．不具合修正  
　以下の2点の不具合に対して修正を行いました。  
　・\[申請データ移行\]機能を使い、E15の申請書データを利用してE25を作成しようとしたところエラーになる不具合  
　・「令和2年2月29日」と入力するとエラーチェックにてエラーとなる不具合

【令和02年09月14日公開2020年09月版の主な変更・修正点】  
１．各種マスタデータ内容の更新・修正  
　令和02年09月14日以前の各種マスタデータにおける、内容の更新・修正内容を反映いたしました。  
　各種マスタデータの最新版についてはこちらをご確認ください。

【令和02年08月31日公開2020年08月版の主な変更・修正点】  
１．申請・届書の提出先の変更  
　令和02年09月の薬機法改正の施行に伴い、一部の申請・届書について、  
　提出先が厚生労働省から総合機構に変更するように対応しました。

２．作成申請・届書の追加  
　令和02年09月の薬機法改正の施行に伴い、追加の申請・届書を作成できるように対応しました。

３．申請データの入力項目の追加  
　２．の対応に伴い、一部の申請・届書について、申請データの入力項目を追加するように対応しました。

４．各種マスタデータ内容の更新・修正  
　令和02年08月31日以前の各種マスタデータにおける、内容の更新・修正内容を反映いたしました。  
　各種マスタデータの最新版についてはこちらをご確認ください。

５．責任者の資格の別入力時の表示切替への対応  
　一部の申請・届書について、「資格の別」の選択項目を対象となる項目のみ選択できるように対応しました。

６．申請書メンテナンスの機能追加  
　保存されている申請書の申請書名を、申請書メンテナンスから変更できるように対応しました。

７．不具合修正  
　以下の2点の不具合に対して修正を行いました。  
　・申請データ入力時に、複数行入力可能な箇所において、入力文字列を選択後BackSpaceキーの押下で削除したときに、  
　　余計な文字まで消えてしまう不具合。  
　・申請データ入力時に、複数行入力可能な箇所において、入力文字列をBackSpaceキーの押下で削除する際に、  
　　入力内容がおかしくなる不具合。

８．システムの必要条件の変更  
　Window7をサポート対象外としました。  
　最新のシステムの必要条件については「医薬品等電子申請ソフト使用上の注意」のページをご確認ください。

  

****

CVE-2023-42132: ＦＤ申請　医薬品医療機器等の承認・許可等　厚生労働省｜医薬品医療機器等法用医薬品等電子申請ソフトダウンロード

Every smartphone has an expiration date. Here’s when yours will probably come.

If you're shopping for a smartphone, you're probably weighing how powerful it is, how good the cameras are, and of course how much you're going to have to pay for it—but it's also worth considering how long the handset is going to last you.

A big part of that calculation comes down to the length of time that the phone will get updates. Apple just pushed out iOS 17, a software update that is heading to iPhones including the iPhone XR and the iPhone XS—handsets that launched in 2018.

For five-year-old phones to be getting (mostly) the same software features as the brand new iPhone 15 is something Apple can be proud of and that its users can be grateful for, but this kind of future-proofing isn't standard.

At the time of writing, Google promises Android updates for its Pixel phones for at least three years. For flagship Samsung Galaxy phones, the software update guarantee is for four years, and for the latest Fairphone 5, it's five years.

Pixel phones are covered for three years of software updates.

Courtesy of Google

There's another important time span to consider though, which is the one for security updates. These updates continue to be issued for older phones even after major software updates have finished, so important vulnerabilities can be patched and phones can be kept safe even if they're no longer getting new and improved features.

For Google and Samsung, security updates are provided for five years, while Fairphone is promising at least eight for the Fairphone 5, and possibly as many as 10. Apple doesn't have a fixed approach but tends to issue security updates for a year or two after software updates have finished—after seven years, Apple products are declared obsolete.

You may be planning to upgrade your smartphone before that happens, but not everyone will be—and knowing how long your device is going to be supported with updates from its manufacturer then becomes very important.

If you're struggling to find out this information about a particular gadget, the web can help—and specifically the endoflife.date site, which lists a whole host of hardware devices and software packages. You can see continually updated countdowns for manufacturer support for iPhones, Pixels, Galaxy phones, and more.

When Security Updates End

Software updates keep your phone properly patched up and supplied with the latest new features. In contrast, security updates make sure that a device stays secure and protected against evolving threats even after software updates have stopped. Which then prompts the question: What happens when security updates end?

To begin with, your device isn't going to suddenly stop working and become a useless brick of electronics. Assuming the components inside it are still functioning—which is by no means a given after five or six years—then you can continue to use the device in the same way that you always have.

As time goes on, you might start to notice a problem with some of your apps: Apps will often need the very latest versions of iOS or Android in order to run, and if you're not getting those updates, they may stop working or start misbehaving, or you may find yourself unable to update to the latest versions.

Security is a bigger problem. There will be some legacy protection in terms of the patches you've applied over the lifetime of the device, but your phone is no longer going to be prepared for newer exploits and malware attacks, and that puts your data at risk.

iOS 17 works on the iPhone 15 Pro—and on iPhones from 2018.

Courtesy of Apple

When mobile security vulnerabilities emerge, you'll find that many of them are aimed at older versions of operating systems, versions that don't have all of the necessary defense measures in place. The more time that goes by since the last security update, the bigger the risk you're running by still using your phone.

Apple, Google, and Samsung will often scramble to fix security issues as they're discovered, pushing out updates outside of the regular schedule in order to keep devices protected—and again, your phone is ineligible for these patches, except under rare circumstances, if you've reached the end-of-life stage.

You can choose to keep on using your phone: The usual practices of being careful with apps and websites, turning on two-factor authentication for your accounts, and keeping the lock screen securely locked all still apply, and offer some level of protection. However, your device is at significantly more risk of an attack.

As expensive as it may be, it might be time to think about upgrading your phone so you keep receiving updates—it doesn't have to be a brand-new one to get the latest iOS or Android software. When you do decide to say goodbye to your old handset, be sure to dispose of it responsibly.

How to Tell When Your Phone Will Stop Getting Security Updates

Ubuntu Security Notice 6386-2 - Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Kopf, and Oleksii Oleksenko discovered that some AMD processors could leak stale data from division operations in certain situations. A local attacker could possibly use this to expose sensitive information. It was discovered that the bluetooth subsystem in the Linux kernel did not properly handle L2CAP socket release, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6386-2September 29, 2023linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Kopf, and OleksiiOleksenko discovered that some AMD processors could leak stale data fromdivision operations in certain situations. A local attacker could possiblyuse this to expose sensitive information. (CVE-2023-20588)It was discovered that the bluetooth subsystem in the Linux kernel did notproperly handle L2CAP socket release, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-40283)It was discovered that some network classifier implementations in the Linuxkernel contained use-after-free vulnerabilities. A local attacker could usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2023-4128)Lonial Con discovered that the netfilter subsystem in the Linux kernelcontained a memory leak when handling certain element flush operations. Alocal attacker could use this to expose sensitive information (kernelmemory). (CVE-2023-4569)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1038-raspi   5.15.0-1038.41   linux-image-raspi               5.15.0.1038.36   linux-image-raspi-nolpae        5.15.0.1038.36After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6386-2   https://ubuntu.com/security/notices/USN-6386-1   CVE-2023-20588, CVE-2023-40283, CVE-2023-4128, CVE-2023-4569Package Information:   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1038.41

Ubuntu Security Notice USN-6386-2

Red Hat Security Advisory 2023-5405-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow and code execution vulnerabilities.

Red Hat Security Advisory 2023-5405-01

Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-5159

**Mattermost Incorrect Authorization vulnerability**

Low severity GitHub Reviewed Published Sep 29, 2023 to the GitHub Advisory Database • Updated Sep 29, 2023

**Package**

gomod github.com/mattermost/mattermost-server/v6 (Go)

**Affected versions**

< 7.8.10

gomod github.com/mattermost/mattermost/server/v8 (Go)

\= 8.1.0

\>= 8.0.0, < 8.0.2

**Description**

Published to the GitHub Advisory Database

Sep 29, 2023

Last updated

Sep 29, 2023

GHSA-rp65-jpc7-8h8p: Mattermost Incorrect Authorization vulnerability

Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-5193

**Mattermost Incorrect Authorization vulnerability**

Moderate severity GitHub Reviewed Published Sep 29, 2023 to the GitHub Advisory Database • Updated Sep 29, 2023

**Package**

gomod github.com/mattermost/mattermost-server/v6 (Go)

**Affected versions**

< 7.8.10

gomod github.com/mattermost/mattermost/server/v8 (Go)

\= 8.1.0

\>= 8.0.0, < 8.0.2

**Description**

Published to the GitHub Advisory Database

Sep 29, 2023

Last updated

Sep 29, 2023

GHSA-h8wh-f7gw-fwpr: Mattermost Incorrect Authorization vulnerability

Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-5195

**Mattermost Incorrect Authorization vulnerability**

Moderate severity GitHub Reviewed Published Sep 29, 2023 to the GitHub Advisory Database • Updated Sep 29, 2023

**Package**

gomod github.com/mattermost/mattermost-server/v6 (Go)

**Affected versions**

< 7.8.10

gomod github.com/mattermost/mattermost/server/v8 (Go)

\= 8.1.0

\>= 8.0.0, < 8.0.2

**Description**

Published to the GitHub Advisory Database

Sep 29, 2023

Last updated

Sep 29, 2023

GHSA-9hwp-cj7m-wjw4: Mattermost Incorrect Authorization vulnerability

Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-5194

**Mattermost Incorrect Authorization vulnerability**

Low severity GitHub Reviewed Published Sep 29, 2023 to the GitHub Advisory Database • Updated Sep 29, 2023

**Package**

gomod github.com/mattermost/mattermost-server/v6 (Go)

**Affected versions**

< 7.8.10

gomod github.com/mattermost/mattermost/server/v8 (Go)

\= 8.1.0

\>= 8.0.0, < 8.0.2

**Description**

Published to the GitHub Advisory Database

Sep 29, 2023

Last updated

Sep 29, 2023

GHSA-h69v-mvh9-hfrq: Mattermost Incorrect Authorization vulnerability

Categories: Personal
Tags: dependabot

Tags:  GitHub

Tags:  password

Tags:  attack

Tags:  imitate

Tags:  profile

Tags:  avatar

Tags:  commit

Tags:  resource

Tags:  dependency

We take a look at a clever attack imitating GitHub's Dependabot in order to publish rogue project updates.



(Read more...)




The post Dependabot impersonators cause trouble on GitHub appeared first on Malwarebytes Labs.

GitHub is experiencing issues of the “breached account and malicious code” variety. ITPro reports that unnamed individuals have been compromising accounts and using them to install malware capable of password theft. It’s a fairly elaborate scam which even includes imitation of GitHub’s popular Dependabot feature.

To make this scam work, attackers first obtained access tokens belonging to their targets. Once the attackers have control over the stolen accounts, they would change the alias for said accounts to “Dependabot\[bot\]” and begin making potentially dangerous code commits.

If you’re unfamiliar with the language of GitHub, don’t worry. GitHub is the place where developers can manage their project code. Bug tracking, software feature requests, task management, and wikis for each and every project are available to users.

When a developer is writing their code, they can eventually publish from their local workstation to GitHub’s staging directory. At this point, a “Commit” is made. The Commit is another way of saying "a snapshot", a version of your project as it exists at a specific moment in time.

In this case, the attackers deploy malicious code into the projects they hijack. They then steal secrets from the compromised project and send it back to base. Additionally, existing JavaScript files already present in the project are tampered with to add malware. Said malware will attempt to steal passwords from form submissions and send them to the command and control server run by the attackers. Stolen tokens gave access to many private repositories so both public and private projects were impacted.

In terms of how the attackers initially got in, some accounts were found to have been taken over by stolen personal access tokens. As Bleeping Computer notes, these tokens allowed developers to access GitHub without having to make use of two-factor authentication (2FA) steps. 

With the tokens stored locally on the developer’s machine, it’s possible that someone hijacking the system could easily grab the tokens required to breach individual GitHub accounts. Whether this was achieved by malware, social engineering or phishing, nobody has the answers at time of writing.

The sneaky part of this escapade is the imitation of the previously mentioned Dependabot. This helpful addition to GitHub assists developers in keeping on top of their project and all associated dependencies tied to it. Dependabot automates dependency updating tasks which helps to keep security issues at bay.

What’s happening up above is that the attackers are disguising their bogus updates under the visage of Dependabot. If you’re on GitHub for any length of time, seeing Dependabot popping up in relation to an update is commonplace. As a result, seeing the imitation Dependabot on a page is going to fool quite a few people who will assume all is well.

While the imitation helper isn’t perfect and doesn’t replicate the real thing exactly, those behind this will still reap some rewards. If you’re wanting to be on the lookout for fake Dependabot posts, the most overt signifier of fake activity is the profile avatar. Dependabot has a square profile image and a “bot” tag. Regular accounts have a circular avatar and are also unable to properly replicate the bot tag signifier.

Fake commit attacks have been seen before using a variety of techniques, but imitating the bot helper is new. It’s also somewhat ironic to see a GitHub function dedicated to keeping things secure being imitated in a way which severely impacts the safety of platform users. It may be that GitHub makes the Dependabot even more distinctive than it already is to help ward off future similar attacks.

Stay safe out there!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#perl