#php

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites where PHP is configured with zend.exception_ignore_args = 'On' or zend.exception_ignore_args = 1 in the relevant php.ini file are NOT affected by this vulnerability. Sites that do not have the zend.exception_ignore_args setting enabled and are using the internal Moodle LMS authentication system are affected by this vulnerability.

In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparameters.php, reflect any GET or POST parameters, leading to XSS.

4chan is down amid claims from a rival Soyjak forum user who says they’ve breached the site and…

DevDojo Voyager 1.4.0 through 1.8.0, when Laravel 8 or later is used, allows authenticated administrators to execute arbitrary OS commands via a specific php artisan command.

If you use WhatsApp for Windows, you'll want to make sure you're on the latest version.

### Original message: I found an issue with security grants on on properties in the GraphQL ItemNormalizer: If you use something like `#[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')]` on a member of an entity, the grant gets cached and is only evaluated once, even if the `object` in question is a different one. There is the `ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe()` method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164 and in its usage on line 90 it does indeed not create a cache key, but the `parent::normalize()` that is called afterwards still creates the cache key and causes the issue. ### Impact It grants access to properties that it should not. ### Workarounds Override the ItemNormalizer. Patched at: https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8

### Summary Using the Relay special `node` type you can bypass the configured security on an operation. ### Details Here is an example of how to apply security configurations for the GraphQL operations: ```php #[ApiResource( security: "is_granted('ROLE_USER')", operations: [ /* ... */ ], graphQlOperations: [ new Query(security: "is_granted('ROLE_USER')"), //... ], )] class Book { /* ... */ } ``` This indeed checks `is_granted('ROLE_USER')` as expected for a GraphQL query like the following: ```php ‌query { book(id: "/books/1") { title } } ``` But the security check can be bypassed by using the `node` field (that is available by default) on the root query type like that: ```php ‌query { node(id: "/books/1") { ... on Book { title } } } ``` This does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API. ### Impa...

### Summary The `squelette` parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The payload `../../../../../../etc/passwd` was submitted in the `squelette` parameter. The requested file was returned in the application's response. ### Details File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem. ### PoC 1. Access the below URL to see the contents of `/etc/passwd`: **URL with payload:** `https://yeswiki.net/?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css` Similarly, contents of `wakka.config.php` can...

The device provides access to an unprotected endpoint, enabling the upload of MPFS File System binary images. Authenticated attackers can exploit this vulnerability to overwrite the flash program memory containing the web server's main interfaces, potentially leading to arbitrary code execution.

A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities…