hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability.

**CVE-2023-33817 - SQL-Injection-found-in-HotelDruid-3.0.5**

HotelDruid v3.0.5 are vulnerable to SQL injection. An attacker could issue arbitrary sql command to retrieve data in databases or even execute remote code execution on target database system

This is my second repo. Don't beat me if i didn't explain well.

Description of product : Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net.

Description of vulnerability : We found that this web application allowed any authenticated user such as admin or any user to inject malicious sql command into affected parameter to retrieve data in databases or even execute code execution on target system. Below are the steps to reproduce and again, dont beat me if i didn’t explain well.

Affected Webpage : creaprezzi.php Affected Parameter&Component :

inizioperiodo1 fineperiodo1 inizioperiodo2 fineperiodo2 inizioperiodo3 fineperiodo3 inizioperiodo4 &fineperiodo4 inizioperiodo5 fineperiodo5 inizioperiodo6 fineperiodo6 inizioperiodo7 fineperiodo7

Step 1: login and navigate to creaprezzi.php , the highligted part is the affected parameter in GUI

Step 2 : Intercept with BurpSuite, and insert some basic payload like " '%2b(select\*from(select(sleep(10)))a)%2b' " and monitor the response. the sceenshot below shows the server have returns the response after 10 seconds , it seems we can move abit deeper :-) .

Step 3 : what if we save this into a burp file and pass it to sqlmap? The screenahot below shows the result of sqkmap.

Step 4 : We can expand abit more with below sqlmap command, i choose sql-shell . The screenshot below shown we can even execute sql command by abusing the vulnerable parameter.

Ps : Above steps is just POC for vendor, actually i have climb from sql-shell to fully OS command shell, but this may need more and more steps and technique involved and i think this is beyond what CVE request us to demo .

Screenshot below show the version of HotelDruid

CVE-2023-33817: GitHub - leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5

An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Case Studies
    
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   In this repository All GitHub
    

*   No suggested jump to results

*   In this repository All GitHub
    
*   In this organization All GitHub
    
*   In this repository All GitHub
    

Sign in

Sign up

chamilo / **chamilo-lms** Public

*   Notifications
*   Fork 441
*   Star 685
    

*   Code
*   Issues 436
*   Pull requests 27
*   Actions
*   Projects
*   Wiki
*   Security
*   Insights

More

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Vendor: Require enshrined/svg-sanitize

*   Loading branch information

AngelFQC committed

Jun 2, 2023

1 parent d0cc583 commit f6e8355

Showing **1 changed file** with **1 addition** and **0 deletions**.

1 change: 1 addition & 0 deletions composer.json

Show comments View file

Expand Up

@@ -59,6 +59,7 @@

"doctrine/orm": "~2.5",

"emojione/emojione": "1.3.0",

"endroid/qr-code": "2.5.\*",

"enshrined/svg-sanitize": "^0.16.0",

"essence/essence": "2.6.1",

"ezyang/htmlpurifier": "~4.9",

"facebook/php-sdk-v4": "~5.0",

Expand Down

**0 comments on commit f6e8355**

Please sign in to comment.

CVE-2023-34944: Vendor: Require enshrined/svg-sanitize · chamilo/chamilo-lms@f6e8355

A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data.

**CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5**

HotelDruid v3.0.5 are vulnerable to multipe XSS vulnerability. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML.

This is my third repo. Don't beat me if i didn't explain well.

Description of product : Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net.

Description of vulnerability : We found that this web application allowed any authenticated user to inject arbitrary web script or HTML into affected parameter and again, dont beat me if i didn’t explain well.

Affected Webpage : creaprezzi.php Affected Webpage : crearegole.php Affected Parameter&Component : tipotariff from creaprezzi.php Affected Parameter&Component : inizioperiodo from crearegole.php

Step 1: login and navigate to creaprezzi.php , the highligted part is the affected parameter in GUI

Step 2: Select the drop down list, it could be any and intercept with Burpsuite , then add the this payload after parameter tipotariff + your selectuon ID

payload used : a19yc%22%3e%3cscript%3ealert("THIS IS XSS FROM BB")%3c%2fscript%3emjf9oc2183m

Step 3: Forward and Enjoy :-) .

Second Affected Webpage

Step 1 : login and navigate to crearegole.php , Screenshot below shows the affected parameter

Step 2 : you can just intercept with burp and added the xss payload after affected parameter. payload used : a19yc%22%3e%3cscript%3ealert("THIS IS XSS FROM BB")%3c%2fscript%3emjf9oc2183m

Step 3 : Forward and Enjoy .

PS: Vendor have acknowledged and will release the bug fixes in next version. no coffee for BB.....Zzzz

CVE-2023-34537: GitHub - leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5

ProLogin version 1.9 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : ProLogin V1.9 Insecure Direct Object Reference Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169               |  | # Dork      : "Login - ProLogin"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /index.php/user_settings[-] When you add value (user_settings) after the index.php/,     an error page appears At the same time, it shows you the panel & limited control .[+] http://127.0.0.1/support.ihorizon.sa/index.php/user_settingsGreetings to :=============================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*|===========================================================================================

ProLogin 1.9 Insecure Direct Object Reference

Piyanas version 0.1 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : Piyanas v0.1 User Login Page CSRF Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://www.piyanassystem.com/                                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : /add_user.php[+] Use Payload : /admin/add_user.php[+]  http://127.0.0.1/piyanassystemcom/piyanasmember/admin/add_user.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Piyanas 0.1 Cross Site Request Forgery

An issue in Dolibarr v16.0.0 to v16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.

Vladimir had the opportunity to test the security of the Open Source CRM software Dolibarr during an intrusion test of a business tool.

> Dolibarr ERP CRM is a modern software package to manage your company or foundation’s activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, …). It is open source software (written in PHP) and designed for small and medium businesses, foundations and freelancers.
> 
> Ref: https://github.com/Dolibarr/dolibarr  

Our pentester discovered a **critical vulnerability** exploitable by an **unauthenticated attacker**. It provides access to a **competitor’s entire customer file,** prospects, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved. Very easy to exploit, it **affects Dolibarr 16.x versions**.

**EDIT (22/03/2023)** : Dolibarr version 16.0.5 fixes this vulnerability for v16. (https://github.com/Dolibarr/dolibarr/blob/16.0.5/ChangeLog#L34).

**EDIT2 (13/06/2023)** : CVE-2023-33568 assigned.

**Discovery of the vulnerability**

In order to perform tests on the software itself without impacting the client’s production, and having access to as much information as possible, the consultant created a local Dolibarr environment in the identified version.

The containerized image https://hub.docker.com/r/tuxgasy/dolibarr allows one to have a functional environment in minutes with Docker to start hunting for vulnerabilities. The tuxgasy/dolibarr:16 image was used to discover this vulnerability.

Without necessarily trying to delve too much into the details of the Dolibarr code base, the auditor simply listed all the PHP files accessible from the root of the web server in order to identify those which are accessible without authentication:

> **find . -type f -name “\*.php”**

One of the scripts thus accessible attracts attention because its response differs from the others:https://github.com/Dolibarr/dolibarr/blob/16.0.4/htdocs/public/ticket/ajax/ajax.php.

Reading the PHP code instructs us on the required parameters: **_action_** and **_email_**.

In particular, **_action_** must be equal to “**getContacts**“.

When all conditions are met, the following response is returned to the unauthenticated user:  
Dolibarr integrates some protections and checks that the variables sent by users do not contain suspicious patterns (XSS, SQL injections):

If the parameters have been protected in this way, the injections are therefore generally more complex to exploit.

We are therefore currently in the presence of unauthenticated access to the details of a contact, provided that the attacker knows the email address associated with it.

Digging deeper into the PHP code, the pentester lands on the SQL query called:

We can observe the use of the SQL LIKE operator: with a bit of luck the ‘**%**‘ character can be used to transform the query and make it return all the records!

All contact details are returned in a single request.

A sorting on a few fields demonstrates the interest of this vulnerability:

An attacker could access a **competitor’s entire customer file**, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved.

Attacker can get other information such as technical data about the database:

**Impact & PoC**

Dolibarr 16.x versions are affected. Version 17 disables access to this page by default, a specific Dolibarr option must be set for it to be accessible again.

The estimated CVSSv3 score is 7.5 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1), however the nature of the data and the ease of exploitation make it **a critical vulnerability**.

Linux command to reproduce the vulnerability and display some arbitrary fields:

> **curl -sk ‘\[URI\_DOLIBARR\]/public/ticket/ajax/ajax.php?action=getContacts&email=%’ | jq -r ‘.contacts\[\] | {id, socname, poste, email, phone\_perso, phone\_pro, note\_public, note\_private}’**

**Recommendations**

Business tools as important as an ERP/CRM must be properly secured:

*   Open access to the Internet only if strictly necessary (prefer VPN access)
*   Only use the plugins useful for your use cases
*   Perform regular account reviews
*   Keep the various software components up to date
*   Ensure that your access policy is correctly implemented (password complexity, 2FA, …)
*   Implement, and maintain, a policy of least privilege
*   Perform regular penetration testing (regardless of application exposure)

✅ Many Dolibarr instances are exposed on the Internet: for those which are in version 16.x remember to upgrade quickly!

**Communication with the software publisher**

Dolibarr’s Coordinated Disclosure Process is documented at the following URL: https://github.com/Dolibarr/dolibarr/security/policy.

The firs answer was (very) fast. On the other hand, the Dolibarr ecosystem could gain in security by communicating in a clear and precise manner on the vulnerabilities discovered and fixed in a centralized place, such as the Github “Security Advisories”.

21/02/2023 : First email sent by Vladimir following the Dolibarr process

21/02/2023 : Response from developer Eldy validating the vulnerability and indicating that the feature in question will be disabled with Dolibarr 17

05/03/2023 : Dolibarr v17 released

14/03/2023 : Article published

CVE-2023-33568: Dolibarr : unauthenticated contacts database theft

Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5.

@@ -0,0 +1,90 @@

<?php

// Copyright (C) <2015> <it-novum GmbH>

//

// This file is dual licensed

//

// 1.

// This program is free software: you can redistribute it and/or modify

// it under the terms of the GNU General Public License as published by

// the Free Software Foundation, version 3 of the License.

//

// This program is distributed in the hope that it will be useful,

// but WITHOUT ANY WARRANTY; without even the implied warranty of

// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

// GNU General Public License for more details.

//

// You should have received a copy of the GNU General Public License

// along with this program. If not, see <http://www.gnu.org/licenses/>.

//

// 2.

// If you purchased an openITCOCKPIT Enterprise Edition you can use this file

// under the terms of the openITCOCKPIT Enterprise Edition license agreement.

// License agreement and license key will be shipped with the order

// confirmation.

  

declare(strict\_types=1);

  

use Migrations\\AbstractMigration;

  

/\*\*

\* Class UniqueIndexForIsUnique

\*

\* Created via:

\* oitc migrations create UniqueIndexForIsUnique

\*

\* Run migration:

\* oitc migrations migrate

\*

\*/

class UniqueIndexForIsUnique extends AbstractMigration {

/\*\*

\* Change Method.

\*

\* More information on this method is available here:

\* https://book.cakephp.org/phinx/0/en/migrations.html#the-change-method

\* @return void

\*/

public function change(): void {

  

if ($this\->hasTable('agentchecks')) {

$this\->table('agentchecks')

\->addIndex(

\[

'name',

\],

\['unique' => true\]

)

\->update();

}

  

if ($this\->hasTable('macros')) {

$this\->table('macros')

\->addIndex(

\[

'name',

\],

\['unique' => true\]

)

\->update();

}

  

if ($this\->hasTable('users')) {

$this\->table('users')

\->addIndex(

\[

'email',

\],

\['unique' => true\]

)

\->addIndex(

\[

'email',

'ldap\_dn'

\],

\['unique' => true\]

)

\->update();

}

  

}

}

CVE-2023-3218: ITC-3014 Add unique index to MySQL tables to avoid race condition #1517 · it-novum/openITCOCKPIT@2c2c243

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdk_public_action' function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Timestamp:

04/26/2023 04:45:29 PM (7 weeks ago)

listingthemes

Message:

**1.2.0**

*   Disable cluster on map
*   Fix in categories, field visibility configuration
*   Map infowindow improvements
*   WooCommerce compatibility improvements
*   Count issue fix in listings amanage dashboard
*   Layout improvements
*   Security improvements
*   Fixed Open Redirection
*   Fixed Cross-Site Request Forgery
*   Fixed file url issues
*   vendor libs update

File:

  

*   wpdirectorykit/trunk/vendor/Winter\_MVC/core/mvc\_loader.php (4 diffs)

**Legend:**

Unmodified

Added

Removed

*   **wpdirectorykit/trunk/vendor/Winter\_MVC/core/mvc\_loader.php**
    
    r2898501
    
    r2904689
    
     
    
    78
    
    78
    
            if(empty($this->plugin\_directory))
    
    79
    
    79
    
            {
    
    80
    
     
    
                $file = WINTER\_MVC\_PATH.'/../../application/helpers/'.ucfirst($filename).'.php';
    
    81
    
     
    
            }
    
    82
    
     
    
            else
    
    83
    
     
    
            {
    
    84
    
     
    
                $file = $this->plugin\_directory.'application/helpers/'.ucfirst($filename).'.php';
    
     
    
    80
    
                $file = WINTER\_MVC\_PATH.'/../../application/helpers/'.sanitize\_file\_name(ucfirst($filename)).'.php';
    
     
    
    81
    
            }
    
     
    
    82
    
            else
    
     
    
    83
    
            {
    
     
    
    84
    
                $file = $this->plugin\_directory.'application/helpers/'.sanitize\_file\_name(ucfirst($filename)).'.php';
    
    85
    
    85
    
            }
    
    86
    
    86
    
    …
    
    …
    
     
    
    93
    
    93
    
            if(empty($this->plugin\_directory))
    
    94
    
    94
    
            {
    
    95
    
     
    
                $file = WINTER\_MVC\_PATH.'/../../application/controllers/'.ucfirst($class).'.php';
    
    96
    
     
    
            }
    
    97
    
     
    
            else
    
    98
    
     
    
            {
    
    99
    
     
    
                $file = $this->plugin\_directory.'application/controllers/'.ucfirst($class).'.php';
    
     
    
    95
    
                $file = WINTER\_MVC\_PATH.'/../../application/controllers/'.sanitize\_file\_name(ucfirst($class)).'.php';
    
     
    
    96
    
            }
    
     
    
    97
    
            else
    
     
    
    98
    
            {
    
     
    
    99
    
                $file = $this->plugin\_directory.'application/controllers/'.sanitize\_file\_name(ucfirst($class)).'.php';
    
    100
    
    100
    
            }
    
    101
    
    101
    
    …
    
    …
    
     
    
    141
    
    141
    
        {
    
    142
    
    142
    
    143
    
     
    
            if(is\_child\_theme() && file\_exists(get\_stylesheet\_directory().'/wpdirectorykit/application/views/'.$view\_file.'.php'))
    
    144
    
     
    
            {
    
    145
    
     
    
                $file = get\_stylesheet\_directory().'/wpdirectorykit/application/views/'.$view\_file.'.php';
    
    146
    
     
    
            }
    
    147
    
     
    
            elseif(file\_exists(get\_template\_directory().'/wpdirectorykit/application/views/'.$view\_file.'.php'))
    
    148
    
     
    
            {
    
    149
    
     
    
                $file = get\_template\_directory().'/wpdirectorykit/application/views/'.$view\_file.'.php';
    
     
    
    143
    
            if(!empty($this->plugin\_directory)) {
    
     
    
    144
    
                $plugin = basename($this->plugin\_directory);
    
     
    
    145
    
            } else {
    
     
    
    146
    
                $plugin = basename( plugin\_dir\_path(  dirname( \_\_FILE\_\_ , 3 ) ) );
    
     
    
    147
    
            }
    
     
    
    148
    
     
    
    149
    
            if(is\_child\_theme() && file\_exists(get\_stylesheet\_directory().'/'.$plugin.'/application/views/'.$view\_file.'.php'))
    
     
    
    150
    
            {
    
     
    
    151
    
                $file = get\_stylesheet\_directory().'/'.$plugin.'/application/views/'.$view\_file.'.php';
    
     
    
    152
    
            }
    
     
    
    153
    
            elseif(file\_exists(get\_template\_directory().'/'.$plugin.'/application/views/'.$view\_file.'.php'))
    
     
    
    154
    
            {
    
     
    
    155
    
                $file = get\_template\_directory().'/'.$plugin.'/application/views/'.$view\_file.'.php';
    
    150
    
    156
    
            }
    
    151
    
    157
    
            elseif(empty($this->plugin\_directory))
    
    …
    
    …
    
     
    
    188
    
    194
    
    189
    
    195
    
        public function model($class)
    
    190
    
     
    
        {
    
     
    
    196
    
        { 
    
    191
    
    197
    
            if(empty($this->plugin\_directory))
    
    192
    
    198
    
            {
    
    193
    
     
    
                $file = WINTER\_MVC\_PATH.'/../../application/models/'.ucfirst($class).'.php';
    
    194
    
     
    
            }
    
    195
    
     
    
            else
    
    196
    
     
    
            {
    
    197
    
     
    
                $file = $this->plugin\_directory.'application/models/'.ucfirst($class).'.php';
    
     
    
    199
    
                $file = WINTER\_MVC\_PATH.'/../../application/models/'.sanitize\_file\_name(ucfirst($class)).'.php';
    
     
    
    200
    
            }
    
     
    
    201
    
            else
    
     
    
    202
    
            {
    
     
    
    203
    
                $file = $this->plugin\_directory.'application/models/'.sanitize\_file\_name(ucfirst($class)).'.php';
    
    198
    
    204
    
            }
    
    199
    
    205
    
           
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-2278: Changeset 2904689 for wpdirectorykit/trunk/vendor/Winter_MVC/core/mvc_loader.php – WordPress Plugin Repository

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Timestamp:

04/26/2023 04:45:29 PM (7 weeks ago)

listingthemes

Message:

**1.2.0**

*   Disable cluster on map
*   Fix in categories, field visibility configuration
*   Map infowindow improvements
*   WooCommerce compatibility improvements
*   Count issue fix in listings amanage dashboard
*   Layout improvements
*   Security improvements
*   Fixed Open Redirection
*   Fixed Cross-Site Request Forgery
*   Fixed file url issues
*   vendor libs update

File:

  

*   wpdirectorykit/trunk/application/controllers/Wdk\_resultitem.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **wpdirectorykit/trunk/application/controllers/Wdk\_resultitem.php**
    
    r2821684
    
    r2904689
    
     
    
    46
    
    46
    
            if($this->form->run($rules))
    
    47
    
    47
    
            {
    
     
    
    48
    
     
    
    49
    
                // Check \_wpnonce
    
     
    
    50
    
                check\_admin\_referer( 'wdk-resultitem-edit\_'.$id, '\_wpnonce' );
    
     
    
    51
    
    48
    
    52
    
                // Save procedure for basic data
    
    49
    
     
    
                $data = $this->resultitem\_m->prepare\_data($this->input->post(), $rules);
    
     
    
    53
    
                $data = $this->resultitem\_m->prepare\_data(wdk\_get\_post(), $rules);
    
    50
    
    54
    
    51
    
    55
    
                // Save standard wp post
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-2277: Changeset 2904689 for wpdirectorykit/trunk/application/controllers/Wdk_resultitem.php – WordPress Plugin Repository

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_admin' function in versions up to, and including, 1.2.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to delete or change plugin settings, import demo data, delete Directory Kit related posts and terms, and install arbitrary plugins. A partial patch was introduced in version 1.2.0.

Tag

#php