Other applications using binary to extract untrusted archives are potentially vulnerable too

Other applications using binary to extract untrusted archives are potentially vulnerable too

A path traversal vulnerability in RarLab’s UnRAR binary can lead to remote code execution (RCE) on business email platform Zimbra and can potentially affect other software.

The UnRAR utility is used to extract RAR archives to a temporary directory for virus-scanning and spam-checking purposes.

However, a recently patched file-write flaw (CVE-2022-30333) means an unauthenticated attacker can “create files outside of the target extraction directory when an application or victim user extracts an untrusted archive”, according to a blog post published by Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource).

Catch up with the latest security research news

If malicious hackers manage to write to a known location, continued Scannell, they could potentially execute arbitrary commands on the system.

Successful exploitation of the high severity (CVSS 7.5) issue on Zimbra, an open source platform used by more than 200,000 businesses, “gives an attacker access to every single email sent and received on a compromised email server”.

They can also silently backdoor login functionalities and steal users’ credentials, as well as escalate access to an organization’s other internal services, warned Scannell.

**Symlink protection bypass**

The flaw resides in UnRAR’s mechanism for preventing symbolic link (symlink) attacks on Unix systems, whereby the function for validating relative symlinks, ,checks if the symlink target contains on Unix or on Windows.

This check can, however, be negated due to the fact that untrusted input is sometimes modified after it has been validated, which breaks assumptions made during the validation step.

Specifically, once the symlink has been validated, UnRAR converts backslashes (\\) to forward slashes (/) with to ensure that a RAR archive created on Windows can be extracted on a Unix system.

“By exploiting this behavior, an attacker can write a file anywhere on the target filesystem,” said Scannell.

**RCE on Zimbra**

Since the Amavis content filter used by Zimbra to analyze extracted files operates as the Zimbra user, added Scannell, the file-write primitive allows the creation and overwriting of files in other services’ working directories too.

The researcher detailed how an attacker could achieve RCE on Zimbra by writing a JSP shell to the web directory, using a file-based command injection, or creating an SSH key.

Sonar notified RarLab of the flaw on May 4, 2022, and a security patch was included with version 6.12 binaries, which were released on May 6.

Zimbr developer Synacor was also warned about the flaw on May 4 so it could warn users to patch their cloud instances.

A blog post detailing the technicalities was published yesterday (June 28).

Only Unix binaries – excluding Android – and implementations using RarLab’s code are affected.

Scannell thanked RarLab’s developers for “their very fast and professional handling of this issue”, and shouted out Zimbra’s security team for “warning their customers to help prevent exploitation”.

Zimbra is something of a specialty for Sonar, whose researchers have in the last 12 months discovered a bug chain leading to full Zimbra server compromise, an XSS flaw that powered spear phishing campaigns, and, only two weeks ago, a memcached injection vulnerability that imperilled login credentials.

RELATED Business email platform Zimbra patches memcached injection flaw that imperils user credentials

UnRAR path traversal flaw can lead to RCE in Zimbra

A vulnerability classified as problematic has been found in Easy Table Plugin 1.6. This affects an unknown part of the file /wordpress/wp-admin/options-general.php. The manipulation with the input "><script>alert(1)</script> leads to basic cross site scripting. It is possible to initiate the attack remotely.

CVE-2017-20108

SourceCodester Zoo Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via public_html/register_visitor?msg=.

    # Exploit Title: Zoo Management System 1.0 - Reflected Cross-Site-Scripting (XSS)# Date: 06/22/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15344/zoo-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: Server: XAMPP on Windows 10 # CVE: CVE-2022-31897# Description:Zoo Management System 1.0 is vulnerable to reflected cross-site scripting on the sign-up page. The "msg" parameter in 'http://localhost/public_html/register_visitor?msg=' is vulnerable.# Impact:An attacker could steal cookies with a crafted URL sent to the victims.# Exploit:Visit the following page: 1) http://localhost/public_html/register_visitor?msg=<script>alert(window.navigator.userAgent)</script>2) Alert pop up is fired!# Image poc:https://ibb.co/8XKDgJX -> Registration pagehttps://ibb.co/mTTmTmy -> XSS

CVE-2022-31897: Zoo Management System 1.0 Cross Site Scripting ≈ Packet Storm

In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR).

**This site requires you to update your browser.** Your browsing experience maybe affected by not having the most up to date version.

**What is SilverStripe?**

******Super flexible & extensible**

Silverstripe CMS fits the outcomes you want, and doesn't force your business outcomes into an out-of-the-box solution. Customise to your needs!

**Easy-to-use**

You can be the CMS expert in no time! Get started quickly and deliver your content to your users fast.

**Robust & secure**

Don’t stay awake at night worrying! Silverstripe CMS is solid as a rock, with enterprise-level security and support, so you can rest easy!

**Open source**

Collaboration from our global army of community members and commercially supported by Silverstripe.

**Designed for digital teams**

*   Developer
*   Marketer
*   Author
*   IT Manager

**Easy to learn**  
Silverstripe Framework is created from the ground up to be easy to pick up and customise.

**Optimised to produce highly reusable code**  
Silverstripe Framework promotes coding structure that is easy to read and maintain.

**Powerful frontend template engine**  
Our templating engine is designed with frontend in mind. This makes creating digital experiences easy and fast.

**Faster to market**  
Launch campaign pages straight from the CMS without the time-consuming development process.  

**Easy to test and refine**  
Empower you to quickly test and refine campaigns as you go.

**Faster communications**  
Own the content and respond quickly to customers' feedback.

**Clear and easy-to-use**  
Silverstripe CMS is designed to be simple to learn and easy to use.

**Grow with your needs**  
Whether updating a page or publishing multiple pages on a large scale site.

**Permission controls**  
Give access to edit only specific areas of your site.

**Secure and scalable**  
Architected to safeguard your data from malicious activity or data-loss, even while scaling up complex sites.

**Supported at an enterprise-level**  
Behind the collaborative contributions of our open source community,  Silverstripe CMS and Silverstripe Framework are backed by Silverstripe.

**Robust and cost effective**  
Silverstripe CMS and Silverstripe Framework are built with reliability in mind. They are updated regularly and structured to be extendable.

**Getting started**

**Sites powered by SilverStripe CMS**

**50,000+**

Live SilverStripe sites

**4,000+**

Showcased SilverStripe sites

**400+**

Freelance developers and agencies

**Latest news**

**Revising our approach to major release**

We are publishing a Request For Comment (RFC) on a new Major Release Policy proposal. Our primary objective with this policy proposal is to provide certainty to Silverstripe CMS project owners by adopting a major release cadence that is sustainable and manageable. We are seeking feedback from the Silverstripe CMS community.

 

read

**UnDigital® uses Silverstripe CMS to launch 3 sites at once for Thyme Lifestyle Resort**

Digital experience agency, UnDigital, has been working with Thyme Lifestyle Resort, owned by Serenitas, to develop four websites using Silverstripe CMS with subsites. Throughout the build, both Serenitas and UnDigital have been excited by the usability of the CMS and the efficiencies the use of subsites has created for them both. This case study article discusses the brief Serenitas gave and the flawless websites UnDigital was able to deliver, using Silverstripe CMS. 

 

read

CVE-2022-28803: Silverstripe CMS » the open source CMS that empowers great web teams

A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter.

A xss vulnerability was discovered in WUZHI CMS 4.1.0

There is a reflected XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the imgurl parameter of /index.php?m=core&f=index&\_su=wuzhicms.

POC  
ji</textarea> <img/src=1 onerror=alert(document.cookie)>

Vulnerability trigger point  
http://localhost/index.php?m=core&f=index&\_su=wuzhicms. When attacker access -system settings - basic settings, Write poc in the statcode form , then XSS vulnerability is triggered successfully.

1、choose this part and write poc to \[statcode\] form  

2、submit and view webpage

CVE-2020-19897: wuzhicms v4.1.0 statcode reflected xss vulnerability  · Issue #183 · wuzhicms/wuzhicms

Silverstripe silverstripe/assets through 1.10 allows XSS.

CVE-2022-29858: Security Releases

Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code.

CVE-2022-25238

By Owais Sultan
Application testing is a process that helps ensure the quality and safety of your software applications, whether the…
This is a post from HackRead.com Read the original post: How SAST Will Improve Your Overall Security: Intro

Application testing is a process that helps ensure the quality and safety of your software applications, whether the app is for a mobile or desktop device. Of course, it’s easy to understand why assessing & inspecting the security of an application can be beneficial. The process of testing can be used to find bugs and vulnerabilities, as well as to evaluate the overall security health of an application.

There are various types of testing that can be performed on an application, and the most popular ones are SAST, DAST, and IAST, but Static Application Security Testing (SAST) is one of the most effective ones.

Namely, SAST is a type of testing that analyzes an application’s source code rather than its binaries or executables. Many online security platforms like Mend SAST allow for an in-depth analysis of the application and can often find vulnerabilities that would otherwise be missed with other methods of testing.

**What is SAST?**

As we mentioned previously, SAST (Static Application Security Testing) is a type of security testing that analyzes your source code for vulnerabilities. This is in contrast to other forms of security testing, which focus on analyzing the behavior of running applications.

Regarding SAST, the method of testing can be used to find a wide variety of security issues, including SQL injection flaws, cross-site scripting (XSS) vulnerabilities, and unsafe coding practices that could lead to buffer overflows or attacks.

Thus, most experts believe that SAST is an important part of any security program, as it can help find vulnerabilities that other types of testing might miss. For example, a web application firewall (WAF) will only be able to detect and block SQL injection attacks if the attacker uses a specific type of payload that the WAF is configured to look for. However, SAST can find SQL injection flaws regardless of the payload that is used, as it analyzes the source code to look for insecure coding practices.

**Comparing SAST with IAST and DAST**

As we mentioned above, SAST is one of three main types of application security testing. The other two are Interactive Application Security Testing (IAST) and Dynamic Application Security Testing (DAST).

In its approach, IAST is similar to SAST in that it also analyzes the source code of an application. However, IAST tools are typically used while the application is running in order to provide more accurate results. This can make IAST more intrusive than SAST, as it can potentially interfere with the regular operation of the app.

On the other hand, DAST is different from both SAST and IAST as it focuses on analyzing the behavior of an application rather than its source code. DAST tools work by directly sending requests to the application and observing its response.

**Benefits of SAST**

There are many benefits of using SAST to improve the security health of your application, including:

*   **Improved overall security:** SAST can find vulnerabilities that other types of testing might miss. This means that your applications will be overall more secure.
*   **Reduced false positives:** since SAST analyzes the source code rather than the binaries or executables, it is less likely to produce false positives than its counterparts.
*   **Easier to use:** many SAST tools are easy to use and do not require a lot of training. This makes them ideal for organizations with somewhat limited resources.
*   **Faster results:** Unlike DAST and IAST, SAST tools can often find vulnerabilities much more quickly than other types of testing like manual code reviews.
*   **Lower costs:** SAST is usually less expensive than other types of testing, especially when comparing it to more intrusive methods like penetration testing.

**The Effect SAST Has On Security**

When it comes to testing the security of an application, SAST is an integral part of the security assessment, as it can find vulnerabilities testing methods might miss. Unlike other types of testing tools that can be used much later in the application’s software development lifecycle, SAST tools can test the security from the moment when the first lines of code are written.

This is why SAST has an incredibly positive effect on security – it can help the team of developers fix the problem even before it becomes one. For the vast majority of developers & applications, it is much easier to patch a vulnerability in its early stages and fix the line of code where it happens than to build a massive application only to remodel the code afterward.

**Conclusion**

We can conclude that SAST is incredibly beneficial & should be regarded as an essential part of the security assessment of an application. It can also help find vulnerabilities that other types of testing (like IAST and DAST) might miss, and it’s often faster and less expensive than its counterparts. So, if you are looking to improve the security of your applications, SAST is a great place to start.

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

How SAST Will Improve Your Overall Security: Intro

Developers need to think like WAF operators for security. Start with secure coding and think of Web application firewalls not as a prophylactic but as part of the secure coding test process.

A key approach to shifting security left is moving perimeter-focused security solutions down the stack by placing them in front of services and other infrastructure components, such as containers and container orchestration systems or API management systems and gateways.

While this does allow for more granular security, it's not a free lunch for developers. Just saying "The WAF will stop it" subverts the entire thinking and purpose of shifting left. Rather, developers must move from thinking of Web application firewalls (WAFs) as a prophylactic, to instead thinking of WAFs as a crucial part of their secure coding test process. Here's how they can accomplish that.

**The Explosion of WAFs and Cloud-Native Software**

While many companies still deploy WAF appliances, the fastest-growing segment of this market is WAF software that runs in the cloud. With the rise of cloud-native architectures and ephemeral infrastructure, more organizations are putting WAFs deeper into their application stacks — right in front of microservices. Some are even using WAFs for internal protection to enact robust zero-trust frameworks. So, the new reality is, developers are far more likely to come into close contact with WAFs today than at any point in the past. That said, WAFs at the microservice level are not foolproof.

**Before Deploying the WAF: Secure Coding Is Critical**

To start, developers must create applications under the assumption that all security controls can and will fail. This is important because it encourages them to build applications that are secure by default. Secure coding means using basic design principles — like code minification to obscure code — while ensuring that all variables and calls are checked against the OWASP Top 10 vulnerability list. There are dozens of ways that attackers can exploit poorly written code, including SQL injection, cross-site scripting, broken access controls, and file upload vulnerabilities.

A key part of this effort is to ensure developers are running linters and formatting checkers against all code. Usually, you will want developers to run code through software composition analysis (SCA) to identify risky dependencies and libraries that require updates. A secure coding process and mentality is more critical now because cloud-native microservices have turned security inside out.

At this point, the application security or DevSecOps teams run the code against some sort of simulation and add the WAF. For many developers, this is the end of the story. They assume, "We have deployed a WAF. We're safe now." They are wrong. Increasingly, the applications developers ship microservices, linked via APIs. Developers "own" their microservices and APIs and are responsible for security. The microservices and APIs may have highly specific rules and optimizations that can impact WAF behaviors and policies. Each application is different, and many unique APIs emerge.

For microservices, developers tend to rapidly ship code and make faster iterations on microservices because those smaller applications are loosely coupled and do not impact other applications. That makes for greater agility but also greater security risk if the changes are not run through the same cumbersome security process as observed at application launch.

**Learning to Think Like a WAF Operator**

Developers should always ask themselves before they ship code, "How will this impact my WAF coverage and security posture?" This question is good because it teaches them to think about how WAFs are working and not working — in other words, threat modeling.

Threat modeling is critical because there are known ways that attackers work around WAFs or exploit WAF weaknesses. For example, by default, Kubernetes exposes APIs for services and connections. Locking down Kubernetes APIs without messing up functionality is notoriously difficult, particularly if you're changing the applications and service calls in the applications on a regular basis. Recently, Shadowserver Foundation calculated that 84% of Kubernetes APIs servers had left themselves exposed to detection on the public Internet.

Understanding a WAF is a key precursor to threat modeling and, by extension, thinking like a firewall operator. Some WAF comprehension is tacit knowledge. For instance, tuning a WAF to limit false positives and false negatives to an acceptable level remains challenging. Developers looking to shift left can piggyback on experienced WAF operators to learn the tuning process and, in turn, better understand how the WAF responds to real-world traffic. Today, some organizations also deploy machine learning to help developers easily tune their WAFs by making rule and policy suggestions based on unsupervised learning across multiple WAFs.

**Better WAF Comprehension Leads to More Secure Code**

Even better, good WAF comprehension also transfers over into more secure coding. Developers that intimately understand WAFs — and have hands-on experience tuning them — benefit from tacit knowledge that is difficult to teach, and experience that goes beyond Open Web Application Security Project (OWASP} checklists. An equally good practice is, in a safe environment, to have developers work alongside red-team members to see how a smart attacker might compromise their apps and bypass default WAF settings.

The bottom line is simple: Developers, take time to know your WAF and learn its weaknesses. WAF wisdom will help you write secure code now and save your apps from being hacked in the future.

A WAF Is Not a Free Lunch: Teaching the Shift-Left Security Mindset

Zoo Management System version suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Zoo Management System 1.0 - Stored Cross-Site-Scripting (XSS)# Date: 05/26/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15344/zoo-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: Server: XAMPP# Description:Zoo Management System 1.0 is vulnerable to a stored cross site scripting in “Add Classification” functionality of the admin panel.# Exploit:1)Goto: http://localhost/admin/public_html/admin_login and login with the provided credentials2)Goto: http://localhost/admin/public_html/save_classification3)The “Classification Display Name” and “Classification Table Name” are both vulnerable so you can put <script>alert(“xss”)</script> in one of them4)Goto: http://localhost/admin/public_html/view_classifications5) Stored XSS payload is fired# Image Poc:https://ibb.co/FXc5zLthttps://ibb.co/CtFSQrQ

Tag

#xss