Lost and Found Information System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored Cross Site Scripting Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from a Stored Cross Site Scripting Vulnerability allowing authenticated attackers to execute javascript in context of other users including the admin# CVE : CVE-2024-378561) Go to the User Profile page2) Paste the XSS payload '<script>alert(document.cookie)</script>' in either of the first, last, middle name fields3) The payload will be triggered in the context of the admin or the other users# Exploit Title: Refelcted Cross Site Scripting Exploit - Lost and Found Information System

Lost And Found Information System 1.0 Cross Site Scripting

Quick Cart version 6.7 suffers from a remote shell upload vulnerability provided you have administrative privileges.

    # Title : Authenticated Remote Code Execution & Shell Upload# Product : Quick Cart# Vendor : https://opensolution.org/# Affected Version : 6.7# Researcher : Eagle Eye# Tested on : Window & Linux# Date : 11/06/2024# Affected path : admin.php , core/common-admin.php, database/config.php# Affected function : saveVariables()# Report : Already contact the vendor but no response# Description : Unfiltered parameter that post into admin.php?p=tools-config override any$config key value cause to unwanted file inclusion and allowed file extension overridinglead to remote code execution.# Step to reproduce (Method 1)- login at admin.php- click Products and New Product from top navbar- On the right panel, choose add file- Upload malicious script with extension txt or any allowed extension like jpg- click setting on right above- click save and intercept the request- on body parameter, add &default_pages_template=../../files/yourmaliciousfile.txt and proceed# Step to reproduce (Method 2)- login at admin.php- click setting on right above- click save and intercept the request- on body parameter, add &allowed_extensions=php and proceed- click Products and New Product from top navbar- On the right panel, choose add file- And you can upload malicious script with extension php - You may find on path eg: http://website.com/files/shell.php

Quick Cart 6.7 Shell Upload

Quick CMS version 6.7 suffers from a remote shell upload vulnerability provided you have administrative privileges.

    # Title : Authenticated Shell Upload# Product : Quick CMS# Vendor : https://opensolution.org/# Affected Version : 6.7# Researcher : Eagle Eye# Tested on : Window & Linux# Date : 11/06/2024# Report : Already contact the vendor but no response# Affected path : admin.php , core/common-admin.php, database/config.php# Affected function : saveVariables()# Description : Unfiltered parameter that post into admin.php?p=settings override any$config key value cause to file upload allowed extension overridinglead to shell upload.# Step to reproduce- login at admin.php- click setting on right above- click save and intercept the request- on body parameter, add &allowed_not_image_extensions=php and proceed- click Pages and New page from top navbar- On the panel, choose Add files- And you can upload malicious script with extension php - You may find on path eg: http://website.com/files/shell.php

Quick CMS 6.7 Shell Upload

Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.”

Operation Celestial Force employs mobile and desktop malware to target Indian entities

An RCE vulnerability that affects the Web scripting language on Windows systems is easy to exploit and can provide a broad attack surface.

Source: Vladimir Stanisic via Alamy Stock Photo

A threat group is exploiting a critical, easily exploitable PHP bug for remote code execution (RCE) in living-off-the-land style ransomware attacks that target businesses and individuals running both Windows and Linux systems.

TellYouThePass is a ransomware group active since 2019 that attacks victims using known vulnerabilities, particularly those found within open source Web development languages, including the widely exploited Apache Log4j (CVE-2021-44228) and the Apache ActiveMQ Server RCE bug tracked as CVE-2023-46604, according to a blog post published this week by Imperva Threat Research.

Lately the group has been exploiting a critical RCE vulnerability found within the PHP scripting language discovered earlier this month and tracked as CVE-2024-4577. "We noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system," the researchers said.

Similar to Java, PHP is a commonly used language in Web development, making any flaws that affect it a broad attack surface for attackers. If the Log4j flaw is any indication, these types of vulnerabilities can set off a viral stream of attacks that can plague organizations and their respective security posture for years.

**Critical Flaw With Public Exploit**

CVE-2024-4577 is an argument-injection vulnerability that stems from errors in character-encoding conversions in PHP, particularly impacting the "Best Fit" feature on Windows systems. "It poses significant risks, potentially allowing malicious actors to execute arbitrary code on vulnerable servers," according to analysis of the flaw by Beagle Security.

Researchers at watchTowr released a proof-of-concept (PoC) exploit script for CVE-2024-4577 on their GitHub page on June 7, demonstrating that the bug was not difficult to exploit.

Apparently TellYouThePass got the memo and has pounced on the flaw to execute arbitrary PHP code on the target system, according to Imperva. Specifically, the group is "leveraging the code to use the 'system' function to run an HTML application file hosted on an attacker-controlled Web server via the mshta.exe binary," according to the post. Mshta.exe is a native Windows binary that can execute remote payloads; thus, the attack vector shows the group operating in a living-off-the-land style.

**How TellYouThePass Attacks**

First identified by security researchers in 2019, TellYouThePass and its ransomware has taken "various forms over the years," according to Imperva. Most recently, variants of the malware have taken the form of .NET samples delivered using HTML applications.

"The initial infection is performed with the use of an HTA file (dd3.hta), which contains a malicious VBScript," according to the post. "The VBScript contains a long base64 encoded string, which when decoded reveals bytes of a binary, which are loaded into memory during runtime."

Further analysis of the executable reveals that the ransomware is a .NET variant that upon initial execution sends an HTTP request to the command-and-control (C2) server containing details about the infected machine as a notification of infection. "The callback masquerades as a request to retrieve CSS resources likely designed to evade detection," according to Imperva.

Once executed, the ransomware enumerates directories, kills processes, generates encryption keys, and encrypts files within each enumerated directory that has a defined file extension. Its final act is to publish a ReadMe message in the Web root directory that provides victims the info they need to respond to the attack.

**Avoiding Compromise via CVE-2024-4577**

The issue affects PHP versions 8.1. before 8.1.29; 8.2. before 8.2.20; and 8.3. before 8.3.8 when using Apache and PHP-CGI on Windows. PHP versions 8.1.29, 8.2.20 and 8.3.8 patch the flaw.

There are other ways that organizations can mitigate exploit of the PHP flaw as well as avoid ransomware attacks in general. Patching affected systems would be the first obvious mitigation of CVE-2024-4577; however, as seen with Log4j, sometimes it's difficult to update every system that is affected by a flaw in a Web scripting language.

One way to minimize exploitation of the flaw is to disable running PHP with CGI mode enabled, according to an analysis of the flaw posted online by DEVCORE. "Since PHP CGI is an outdated and problematic architecture, it's still recommended to evaluate the possibility of migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM," according to the post.

Some general best practices to avoid being compromised by ransomware include having strong awareness of all the various assets and applications present in an environment and patching any vulnerabilities affecting them, according to Imperva. Organizations also should use Web firewall technology that can stop attacks once they are discovered, as well as a reliable anti-virus program as a first line of defense against malware campaigns like TellYouThePass.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

TellYouThePass Ransomware Group Exploits Critical PHP Flaw

Apple Security Advisory 06-10-2024-1 - visionOS 1.2 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-06-10-2024-1 visionOS 1.2

visionOS 1.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214108.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27817: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

CoreMedia  
Available for: Apple Vision Pro  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27831: Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations

Disk Images  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27832: an anonymous researcher

Foundation  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27801: CertiK SkyFall Team

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: The issue was addressed with improved checks.  
CVE-2024-27836: Junsung Lee working with Trend Micro Zero Day Initiative

IOSurface  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27828: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory protections  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27840: an anonymous researcher

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27815: an anonymous researcher, and Joseph Ravichandran  
(@0xjprx) of MIT CSAIL

libiconv  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27811: Nick Wellnhofer

Messages  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-27800: Daniel Zajork and Joshua Zajork

Metal  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-27802: Meysam Firouzi (@R00tkitsmm) working with Trend Micro  
Zero Day Initiative

Metal  
Available for: Apple Vision Pro  
Impact: A remote attacker may be able to cause unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-27857: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Safari  
Available for: Apple Vision Pro  
Impact: A website's permission dialog may persist after navigation away  
from the site  
Description: The issue was addressed with improved checks.  
CVE-2024-27844: Narendra Bhati of Suma Soft Pvt. Ltd in Pune (India),  
Shaheen Fazim

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: The issue was addressed by adding additional logic.  
WebKit Bugzilla: 262337  
CVE-2024-27838: Emilio Cobos of Mozilla

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 268221  
CVE-2024-27808: Lukas Bernhard of CISPA Helmholtz Center for Information  
Security

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improvements to the file  
handling protocol.  
CVE-2024-27812: Ryan Pickren (ryanpickren.com)

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed with improvements to the noise  
injection algorithm.  
WebKit Bugzilla: 270767  
CVE-2024-27850: an anonymous researcher

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: An integer overflow was addressed with improved input  
validation.  
WebKit Bugzilla: 271491  
CVE-2024-27833: Manfred Paul (@_manfp) working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: The issue was addressed with improved bounds checks.  
WebKit Bugzilla: 272106  
CVE-2024-27851: Nan Wang (@eternalsakura13) of 360 Vulnerability  
Research Institute

WebKit Canvas  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed through improved state management.  
WebKit Bugzilla: 271159  
CVE-2024-27830: Joe Rutkowski (@Joe12387) of Crawless and @abrahamjuliot

WebKit Web Inspector  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 270139  
CVE-2024-27820: Jeff Johnson of underpassapp.com

Additional recognition

ImageIO  
We would like to acknowledge an anonymous researcher for their  
assistance.

Transparency  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZnfN8ACgkQX+5d1TXa  
IvoomBAA23557a2KB9vrRnWu5nGWe5qidODwqadX9qUbErqlx6Hm0IMcKEGlaNjc  
i1BKib0QXYgh9IVzwn0/Q6GZX9mncM1EKJfjPVHJjdMPAXue9Dec7PeuSr4mQHUD  
bVUh9TS+ejQo9w06AQRdVDOGRl3uXX1E90h4uMVUPOXLkiobYJMlEdU4OAAaJ2MV  
qJvfQsTyzRNy4ciaFpc+5opWmaFse1AueE+Sjz30ed9tEjbyHML+yoy39HqAMheT  
lECfaKGLp28XyxsKCKW8+F5j83R4Rwi7U0nLROiRSukrwzq+Gbi52n/BTBvlxTc3  
Ng/4drldksgm9Uu6M9rRQFSRFBFKulK9Zxrj3qUK4Q6HvCTB+N4/gE7Yf11TyxPl  
+HkwG/ScIw9S4bB88FhA8rYMKIGIlZfDfh8NHCx3Wc11LE+p6LzX2RxQNKaSjgnf  
c1+VHJ3SwX/2mbtBdfPJdu5Qr6ofhanpsCiczJP2FkuSVGCPVIoq8Vam75rrueLn  
SLCHqgVker14Z12Q3XYRjyQrsI8nftu0pGZdYruAfw93Od0tTuX6i7G9VopHPRor  
1Y6JevWkhAC54KGWDmB2SRc6e3AZRaiAE25QE6I3nwAwRUCo2JZEjoQWfxYry1l2  
G5lga3qFvcbyriNoJPUfcKU7EzPYurVbY5rqpnUFi+xTtz1iyEw=  
=9AfP  
-----END PGP SIGNATURE-----

Apple Security Advisory 06-10-2024-1

XMB version 1.9.12.06 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Persistent XSS in XMB 1.9.12.06# Date: 06/12/2024# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.xmbforum2.com/# Software Link: https://www.xmbforum2.com/download/XMB-1.9.12.06.zip# Version: 1.9.12.06# Tested on: Windows XP# CVE: N/A## Vulnerability DetailsA persistent (stored) XSS vulnerability was discovered in XMB 1.9.12.06.The vulnerability allows an attacker to inject malicious JavaScript codeinto a template or specific fields. This payload is stored on the serverand executed in the browser of any user who visits the forum, leading topotential session hijacking, data theft, and other malicious activities.### XSS in TemplateAn attacker can inject malicious JavaScript code into a template:1. Login as Admin: Access the XMB Forum with admin privileges.2. Navigate to the Administration Panel: Go to `/cp.php`, then in "Look &Feel" select "Templates". This will go to `/cp2.php?action=templates`.Select the "footer" template and click edit.3. Enter Payload: Add the XSS payload in the footer template:    <script>alert('XSS');</script>4. Save the Change: Click "Submit Changes".5. Trigger the Payload: The XSS payload will trigger anywhere the footertemplate is rendered.### XSS in News TickerAn attacker can inject malicious JavaScript code into the News Ticker fieldof the Front Page Options:1. Login as Admin: Access the XMB Forum with admin privileges.2. Navigate to the Administration Panel: Go to `/cp.php`, then in"Settings" go to "Front Page Options".3. Enter Payload: Add the XSS payload in the "News in Newsticker" field:   <img src=x onerror=alert(1)>4. Save the Change: Click "Submit Changes".5. Trigger the Payload: The XSS payload will trigger anywhere the NewsTicker is displayed eg, home page

XMB 1.9.12.06 Cross Site Scripting

Ubuntu Security Notice 6825-1 - It was discovered that the PDO driver in ADOdb was incorrectly handling string quotes. A remote attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 16.04 LTS. It was discovered that ADOdb was incorrectly handling GET parameters in test.php. A remote attacker could possibly use this issue to execute cross-site scripting attacks. This issue only affected Ubuntu 16.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6825-1  
June 10, 2024

libphp-adodb vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in ADOdb.

Software Description:  
- libphp-adodb: ADOdb is a PHP database abstraction layer library

Details:

It was discovered that the PDO driver in ADOdb was incorrectly handling  
string quotes. A remote attacker could possibly use this issue to   
perform SQL injection attacks. This issue only affected Ubuntu 16.04 LTS.  
(CVE-2016-7405)

It was discovered that ADOdb was incorrectly handling GET parameters in   
test.php. A remote attacker could possibly use this issue to execute   
cross-site scripting (XSS) attacks. This issue only affected Ubuntu   
16.04 LTS. (CVE-2016-4855)

Emmet Leahy discovered that ADOdb was incorrectly handling string quotes  
in PostgreSQL connections. A remote attacker could possibly use this issue  
to bypass authentication. (CVE-2021-3850)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
libphp-adodb 5.20.19-1ubuntu0.1

Ubuntu 20.04 LTS  
libphp-adodb 5.20.16-1ubuntu0.1~esm1  
Available with Ubuntu Pro

Ubuntu 18.04 LTS  
libphp-adodb 5.20.9-1ubuntu0.1~esm1  
Available with Ubuntu Pro

Ubuntu 16.04 LTS  
libphp-adodb 5.20.3-1ubuntu1+esm1  
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6825-1  
CVE-2016-4855, CVE-2016-7405, CVE-2021-3850

Package Information:  
https://launchpad.net/ubuntu/+source/libphp-adodb/5.20.19-1ubuntu0.1

Ubuntu Security Notice USN-6825-1

The call for papers for Hardwear.io 2024 in the Netherlands is now open. It will take place October 24th through the 24th, 2024 at the Marriott Hotel, Amsterdam, The Netherlands.

    *Conference Name: *Hardwear.io Netherlands 2024*Important Dates:**CFP Deadline: *10th August 2024*Conference Dates: *24th-25th October 2024*Venue: *Marriott Hotel, Amsterdam, The Netherlands*Website Link: *https://hardwear.io/netherlands-2024/cfp.phpWelcome to the 10th edition of Hardwear.io Netherlands 2024!Are you someone who has expertise in hardware security? Then, we've got youcovered, hardwear.io is a platform where researchers showcase and discusstheir innovative findings on attacking and defending hardware.>> Call For Papers (CFP) OPEN> Submission TopicsWe are interested in new and cutting-edge security work that has previouslynot been published. Some security topics for your reference include (butare not limited to):Integrated Circuits | Processors | Internet of Things / Smart Devices |Embedded Systems & Cryptography | Automobile, Aeroplane, Train AutomationSystems and Hardware Components | Industrial Control Systems / SCADA |Satellite Systems | Medical Devices> Submission CategoriesNew Research Category: A deep knowledge technical track that includes newresearch, vulnerabilities, zero days, or exploits. And by new we reallymean new i.e. if your research or talk has been published/showcased(partially or entirely) before, it will fall under the current researchcategory even though there are enhancements/changes to the originalresearch.Current Research and Workshop Category: Comprises known security issues,research presented/published elsewhere, case studies, twist to existingresearch, vulnerability, exploit, or research-in-progress.Tool Category: Comprises open-source security tools, exploits, hardware,etc. This is an excellent opportunity for the original authors to showcasetheir work to the world.> Speaker Benefits as per each research category:https://hardwear.io/netherlands-2024/cfp.phpReach out to cfp@hardwear.io for any further questions. Thank you!

Hardwear.io NL 2024 Call For Papers

Details have emerged about a new critical security flaw impacting PHP that could be exploited to achieve remote code execution under certain circumstances.
The vulnerability, tracked as CVE-2024-4577, has been described as a CGI argument injection vulnerability affecting all versions of PHP installed on the Windows operating system.
According to DEVCORE security researcher, the shortcoming makes

Tag

#php