A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.

CVE-2020-14393: DBI::Changes

An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption.

@@ -3147,6 +3147,7 @@ XS(XS\_DBI\_dispatch); /\* prototype to pass -Wmissing-prototypes \*/

XS(XS\_DBI\_dispatch)

{

dXSARGS;

dORIGMARK;

dMY\_CXT;

  

SV \*h = ST(0); /\* the DBI handle we are working with \*/

@@ -3447,6 +3448,7 @@ XS(XS\_DBI\_dispatch)

XPUSHs(\*hp);

PUTBACK;

call\_method("DESTROY", G\_DISCARD|G\_EVAL|G\_KEEPERR);

MSPAGAIN;

}

else {

imp\_xxh\_t \*imp\_xxh = dbih\_getcom2(aTHX\_ \*hp, 0);

@@ -3539,8 +3541,8 @@ XS(XS\_DBI\_dispatch)

SV \*code = SvRV(\*hook\_svp);

I32 skip\_dispatch = 0;

if (trace\_level)

PerlIO\_printf(DBILOGFP, "%c {{ %s callback %s being invoked\\n",

(PL\_dirty?'!':' '), meth\_name, neatsvpv(\*hook\_svp,0));

PerlIO\_printf(DBILOGFP, "%c {{ %s callback %s being invoked with %ld args\\n",

(PL\_dirty?'!':' '), meth\_name, neatsvpv(\*hook\_svp,0), (long)items);

  

/\* we don't use ENTER,SAVETMPS & FREETMPS,LEAVE because we may need mortal

\* results to live long enough to be returned to our caller

@@ -3562,7 +3564,7 @@ XS(XS\_DBI\_dispatch)

}

PUTBACK;

outitems = call\_sv(code, G\_ARRAY); /\* call the callback code \*/

SPAGAIN;

MSPAGAIN;

  

/\* The callback code can undef $\_ to indicate to skip dispatch \*/

skip\_dispatch = !SvOK(DEFSV);

@@ -3890,7 +3892,7 @@ XS(XS\_DBI\_dispatch)

XPUSHs(&PL\_sv\_yes);

PUTBACK;

call\_method("STORE", G\_DISCARD);

SPAGAIN;

MSPAGAIN;

}

}

}

@@ -4047,7 +4049,7 @@ XS(XS\_DBI\_dispatch)

XPUSHs( result );

PUTBACK;

items = call\_sv(\*hook\_svp, G\_SCALAR);

SPAGAIN;

MSPAGAIN;

status = (items) ? POPs : &PL\_sv\_undef;

PUTBACK;

if (trace\_level)

CVE-2013-7490: Fixed risk of memory corruption with many arguments to methods RT#86744 · perl5-dbi/dbi@a8b98e9

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****Hyland OnBase 19.x and below - Insufficient Authorization (Client-Side Enforcement of Server-Side Security)**

_From_: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Sat, 05 Sep 2020 10:09:54 +0000  

CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase 
Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland's response indicates that they are not 
likely to have fixed the vulnerabilities, especially given how numerous the instances of authorization bypass are.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on client-side validation, the server-side contains a number of critical 
authorization bypass vulnerabilities, allowing both unauthenticated and underprivileged users access to administrative 
and non-administrative actions. All users are able to read and write to arbitrary medical record without proper 
permission, unauthenticated users including those who are not authenticated can leverage administrative functions to 
read or modify the server's configuration, and any user can get the list of administrators and even modify their own 
permissions. All versions of OnBase were found to be equally vulnerable.

Technical Details
-------------------------------------------------
OnBase's reliance on client-side validation means that most server-side methods fail to properly check a user's 
authorization before allowing them access to the functionality. By directly accessing the server attackers can bypass 
client-side authorization, executing almost any action. In some cases, the OnBase server appears to check the user's 
authorization after performing the action or carries out the action even though it has verified that the user does not 
have the appropriate permissions. In other instances, the OnBase server fails to even verify that the user is 
authenticated. Administrative functionality, such as getting the list of all users, getting all user data, adding 
users, removing users, and modifying permissions are all accessable by unauthorized users through direct calls to the 
OnBase server. Server administrative functions also fail to properly validate a user's credentials, allowing both 
unauthorized and unauthenticated users to reconfigure the SQL server that OnBase uses, grab the list of all configured 
DCNs, add custom filters, and other actions. Unauthorized users could even access medical record information or patient 
data by directly querying the OnBase server.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they 
have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" 
and no known fix is in place. It is recommended that users try to mitigate the vulnerability by ensuring that the 
OnBase server is inaccessible to anyone other than trusted users.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing 
vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on 
behalf of client, but attempts were ignored

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Hyland OnBase 19.x and below - Insufficient Authorization (Client-Side Enforcement of Server-Side Security)** _AdaptiveSecurity Consulting via Fulldisclosure (Sep 07)_

CVE-2020-25251: Full Disclosure: Hyland OnBase 19.x and below

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client applications can write arbitrary data to the server logs.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****Hyland OnBase 19.x and below - Insufficient Logging (Client-Side Enforcement of Server-Side Security)**

_From_: Adaptive Security Consulting via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Wed, 02 Sep 2020 15:03:25 +0000  

CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). 
OnBaseFoundation EP2 and OnBaseFoundation EP3 were not available to test, but Hyland's response indicates that they are 
not likely to have fixed the vulnerability.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on the client-side to log failures, most malicious attacks are not logged and 
attacks by malicious users who are using clients such as the Unity Client can simply drop the "log" request that is 
sent to the server. Additionally, client-side logging is virtually non-existent and server-side logging is almost 
exclusively of errors.

Technical Details
-------------------------------------------------
The OnBase system is improperly designed so that the client is responsible for specifically calling server-side logging 
mechanisms for a log entry to be written, allowing attackers to perform actions directly without the action being 
logged or to simply drop the client's log query, which is separate from the action query. Additionally, attackers are 
able to write arbitrary data to the server logs, including logging fake/spoofed attacks and denial of service attacks 
that bombard the logging mechanism with data.

For example, according to Hyland's website, OnBase is heavily used in the government, medical, and financial sectors, 
where detailed logging of events, such as a user accessing a medical record, are required by law. If an attacker or 
malicious user performs an action, the requested action is sent to the OnBase server, where it is performed. The server 
then responds, after which the client issues a request to log the now completed action.

In this example, a malicious user wants to see the medical record of a neighbor, but doesn't want the supervisor to 
know that this data is being looked at. The user tells the Unity client to open the record. The Unity client tells the 
server to retrieve the data. The server retrieves the data and then sends it to the Unity client. The Unity client 
displays the data and, as it is doing so, sends a request to the OnBase server to log that the data is now being viewed 
by the user. If the user simply drops this packet (it is a SOAP request and is easily dropped), the Unity client never 
knows, but more importantly, that the user is viewing the data is never logged anywhere. This architecture is pervasive 
across OnBase and the complete lack of logging on the client-side, as well as proper server-side logging (the server, 
upon receiving the request to retrieve the record should be logging the action), enables attackers, both authorized and 
unauthorized, to hide their malicious activities both by simply "deleting" log entries (by dropping the log request) 
and by creating fake entries to either make it seem like someone else is performing the attack or to cause "log 
blindness" that hides the real malicious activity.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they 
have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" 
and no known fix is in place. It is recommended that users try to mitigate the vulnerability by ensuring that the 
OnBase server is inaccessible to anyone other than trusted users. No other mitigations are currently available.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and 
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and 
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing 
vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on 
behalf of client, but attempts were ignored

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Hyland OnBase 19.x and below - Insufficient Logging (Client-Side Enforcement of Server-Side Security)** _Adaptive Security Consulting via Fulldisclosure (Sep 04)_

CVE-2020-25250: Full Disclosure: Hyland OnBase 19.x and below

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to cause a denial of service (outage of connection-request processing) via a long user ID, which triggers an exception and a large log entry.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****Hyland OnBase 19.x and below - Log Injection And Denial Of Service**

_From_: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Sat, 05 Sep 2020 10:42:16 +0000  

CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase 
Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland's response indicates that they are not 
likely to have fixed the vulnerabilities, especially given how numerous the instances of log injection are.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Hyland OnBase fails to properly sanitize data before writing it to the logs. OnBase also directly exposes logging 
methods to attackers, allowing attackers to create arbitrary log entries on behalf of any user, with or without 
authenticating. Attackers can also use these vulnerabilities to cause a denial of service.

Technical Details
-------------------------------------------------
OnBase contains two separate types of log injection vulnerabilities. First, because the OnBase architecture relies on 
the client-side performing data and privilege validation the OnBase server directly exposes logging methods that allow 
attackers to query those actions and write arbitrary log entries. These queries aren't properly validated, allowing 
attackers to submit entries on behalf of other users or even write to the logs without authenticating. Attackers can 
leverage this functionality to create ficticious log entries and ruin the integrity of the logs.

The second way that the OnBase server writes logs is through exception handling, directly concatenating user input into 
the exception. This method allows attackers to inject arbitrary data into the logs through the exception handling, 
creating ficticious log entries and ruining the integrity of the logs.

We found that a failure to rate-limit or size-constrain the user-supplied logs and logged information also meant that 
we could cause denial of service attacks by either writing frequently to the logs or writing large log entries. For 
example, if we try to send non-numeric characters as user id an exception will occur. Many OnBase methods will then 
print the user supplied information to the logs as part of the exception handling and logging method. If the user id is 
especially large (thousands of characters), the server will stop responding to connection requests after just a few 
instances. On the other hand, if the attacker uses a smaller user id they simply have to send many requests in a small 
amount of time to cause the server to stop responding. These same denial of service conditions can be met by using the 
OnBase server logging methods, instead of attacking the exception logging, by either making many small logging requests 
or by making a few very large logging requests.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they 
have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" 
and no known fix is in place. It is recommended that users try to mitigate the vulnerability by ensuring that the 
OnBase server is inaccessible to anyone other than trusted users and that a WAF be used (note that OnBase can use 
"optimized" communication that is pure binary -- if this is used, it will be much harder to configure the WAF to 
protect against these vulnerabilities).

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing 
vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on 
behalf of client, but attempts were ignored

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Hyland OnBase 19.x and below - Log Injection And Denial Of Service** _AdaptiveSecurity Consulting via Fulldisclosure (Sep 07)_

CVE-2020-25255: Full Disclosure: Hyland OnBase 19.x and below

An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Directory traversal exists for reading files, as demonstrated by the FileName parameter.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****Hyland OnBase 19.x and below - Path Traversal**

_From_: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Sat, 05 Sep 2020 16:01:38 +0000  

CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase 
Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland's response indicates that they are not 
likely to have fixed the vulnerabilities.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
The Hyland OnBase server is vulnerable to path traversal allowing attackers to read and write to arbitrary files on the 
server.

Technical Details
-------------------------------------------------
The Hyland OnBase server fails to properly sanitize and escape user input allowing path traversal on the OnBase server. 
Multiple methods were found that directly concatinate user input into local file system calls without validation. Two 
separate types exist, read-only and write or append-only, allowing remote attackers who send SOAP calls directly to 
vulnerable methods using vulnerable parameters (typically "FileName").

Seven read-only instances and twelve write or append-only instances were found allowing the attacker to read 
configuration data and arbitrary files across the server and append, create, and write to arbitrary files on the 
server, including uploading malicious DLLs and backdoors.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they 
have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" 
and no known fix is in place. Run the Hyland OnBase server in a restricted environment under a service account that can 
only access those files required to operate. Restrict the ability of the service account to write to files to the 
greatest extent possible.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and 
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing 
vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on 
behalf of client, but attempts were ignored

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Hyland OnBase 19.x and below - Path Traversal** _AdaptiveSecurity Consulting via Fulldisclosure (Sep 07)_

CVE-2020-25248: Full Disclosure: Hyland OnBase 19.x and below

SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The password_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

Multiple SQL injection vulnerabilities exist in the password reset functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

OS4Ed openSIS 7.3

**Product URLs**

https://opensis.com/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Details**

openSIS is a student information system and school management system. It is available in commercial and open-source versions. It allows schools to create schedules and track attendance, grades and transcripts.

Multiple SQL injections exist in the password reset functionality of openSIS 7.3. A successful attack could allow an attacker to access information such as usernames and password hashes as well as other data stored in the database.

**CVE-2020-6137 - password_stf_email parameter**

The password_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection.

Below is an example post that will trigger the vulnerability:

    POST /opensis/ResetUserInfo.php HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 167
    Origin: http://[IP]
    DNT: 1
    Connection: close
    Referer: http://[IP]/opensis/ForgotPass.php
    Upgrade-Insecure-Requests: 1
    
    pass_user_type=pass_parent&pass_type_form=password&password_stn_id=&uname=za&month_password_dob=&day_password_dob=&year_password_dob=&pass_email=&password_stf_email=aa[SQL INJECTION]
    

The vulnerable code for this parameter is also at line 313:

    301     if ($_REQUEST['pass_user_type'] == 'pass_parent') {
    302         if ($_REQUEST['uname'] == '') {
    303             $_SESSION['err_msg'] = '<font color="red"><b>Please Enter Username.</b></font>';
    304             echo'<script>window.location.href="ForgotPass.php"</script>';
    305         }
    306         if ($_REQUEST['password_stf_email'] == '') {
    307             $_SESSION['err_msg'] = '<font color="red"><b>Please Enter Email Address.</b></font>';
    308             echo'<script>window.location.href="ForgotPass.php"</script>';
    309         }
    310
    311         if ($_REQUEST['password_stf_email'] != '' && $_REQUEST['uname'] != '') {
    312
    313             $par_info = DBGet(DBQuery('SELECT p.* FROM people p,login_authentication la  WHERE la.USER_ID=p.STAFF_ID AND la.USERNAME=\'' . $_REQUEST['uname'] . '\' AND p.EMAIL=\'' . $_REQUEST['password_stf_em    ail'] . '\' AND la.PROFILE_ID = 4'));
    314
    315             if ($par_info[1]['STAFF_ID'] == '') {
    316                 $_SESSION['err_msg'] = '<font color="red" ><b>Incorrect login credential.</b></font>';
    317                 echo'<script>window.location.href="ForgotPass.php"</script>';
    318             } else {
    319                 $flag = 'par_pass';
    320             }
    321         }
    322     }
    

**CVE-2020-6138 - uname parameter**

The uname parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection. Below is an example post that will trigger the vulnerability:

    POST /opensis/ResetUserInfo.php HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 167
    Origin: http://[IP]
    DNT: 1
    Connection: close
    Referer: http://[IP]/opensis/ForgotPass.php
    Upgrade-Insecure-Requests: 1
    
    pass_user_type=pass_parent&pass_type_form=password&password_stn_id=&uname=za[SQL INJECTION]&month_password_dob=&day_password_dob=&year_password_dob=&pass_email=&password_stf_email=aa
    

The vulnerable code for opensis/ResetUserInfophp is at line 313 is due to a lack of input sanitation leading:

    301     if ($_REQUEST['pass_user_type'] == 'pass_parent') {
    302         if ($_REQUEST['uname'] == '') {
    303             $_SESSION['err_msg'] = '<font color="red"><b>Please Enter Username.</b></font>';
    304             echo'<script>window.location.href="ForgotPass.php"</script>';
    305         }
    306         if ($_REQUEST['password_stf_email'] == '') {
    307             $_SESSION['err_msg'] = '<font color="red"><b>Please Enter Email Address.</b></font>';
    308             echo'<script>window.location.href="ForgotPass.php"</script>';
    309         }
    310
    311         if ($_REQUEST['password_stf_email'] != '' && $_REQUEST['uname'] != '') {
    312
    313             $par_info = DBGet(DBQuery('SELECT p.* FROM people p,login_authentication la  WHERE la.USER_ID=p.STAFF_ID AND la.USERNAME=\'' . $_REQUEST['uname'] . '\' AND p.EMAIL=\'' . $_REQUEST['password_stf_em    ail'] . '\' AND la.PROFILE_ID = 4'));
    314
    315             if ($par_info[1]['STAFF_ID'] == '') {
    316                 $_SESSION['err_msg'] = '<font color="red" ><b>Incorrect login credential.</b></font>';
    317                 echo'<script>window.location.href="ForgotPass.php"</script>';
    318             } else {
    319                 $flag = 'par_pass';
    320             }
    321         }
    322     }
    

**CVE-2020-6139 - username_stf_email parameter**

The username_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection.

Below is an example post that will trigger the vulnerability:

    POST /opensis/ResetUserInfo.php HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 162
    Origin: http://[IP]
    DNT: 1
    Connection: close
    Referer: http://[IP]/opensis/ForgotPass.php
    Upgrade-Insecure-Requests: 1
    
    user_type_form=username&uname_user_type=uname_staff&username_stn_id=1&pass=12&month_username_dob=1&day_username_dob=1&year_username_dob=1994&username_stf_email=1[SQL INJECTION
    

The vulnerable code in this case is at line 340:

    324 if ($_REQUEST['user_type_form'] == 'username') {
    325     if ($_REQUEST['uname_user_type'] == 'uname_student') {
    326         if ($_REQUEST['username_stn_id'] == '') {
    327             $_SESSION['err_msg'] = '<font color="red"><b>Please Enter Student Id.</b></font>';
    328             echo'<script>window.location.href="ForgotPass.php"</script>';
    329         }
    330         if ($_REQUEST['pass'] == '') {
    331             $_SESSION['err_msg'] = '<font color="red"><b>Please Enter Password.</b></font>';
    332             echo'<script>window.location.href="ForgotPass.php"</script>';
    333         }
    334         if ($_REQUEST['month_username_dob'] == '' || $_REQUEST['day_username_dob'] == '' || $_REQUEST['year_username_dob'] == '') {
    335             $_SESSION['err_msg'] = '<font color="red"><b>Please Enter Birthday Properly.</b></font>';
    336             echo'<script>window.location.href="ForgotPass.php"</script>';
    337         }
    338
    339         if ($_REQUEST['username_stn_id'] != '' && $_REQUEST['pass'] != '' && $_REQUEST['month_username_dob'] != '' && $_REQUEST['day_username_dob'] != '' && $_REQUEST['year_username_dob'] != '') {
    340             $stu_dob = $_REQUEST['year_username_dob'] . '-' . $_REQUEST['month_username_dob'] . '-' . $_REQUEST['day_username_dob'];
    341             $stu_info = DBGet(DBQuery('SELECT s.* FROM students s,login_authentication la  WHERE la.USER_ID=s.STUDENT_ID AND la.PASSWORD=\'' . md5($_REQUEST['pass']) . '\' AND s.BIRTHDATE=\'' . date('Y-m-d',     strtotime($stu_dob)) . '\' AND s.STUDENT_ID=' . $_REQUEST['username_stn_id'] . ''));
    342
    343             if ($stu_info[1]['STUDENT_ID'] == '') {
    344                 $_SESSION['err_msg'] = '<font color="red" ><b>Incorrect login credential.</b></font>';
    345                 echo'<script>window.location.href="ForgotPass.php"</script>';
    346             } else {
    347                 $get_uname = DBGet(DBQuery('SELECT USERNAME FROM login_authentication WHERE USER_ID=' . $_REQUEST['username_stn_id'] . ' AND PROFILE_ID=3'));
    348                 $_SESSION['fill_username'] = $get_uname[1]['USERNAME'];
    349                 echo'<script>window.location.href="index.php"</script>';
    350             }
    351         }
    352     }
    

**CVE-2020-6140 - username_stn_id parameter**

The password_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection.

Below is an example post that will trigger the vulnerability:

    POST /opensis/ResetUserInfo.php HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 143
    Origin: http://[IP]
    DNT: 1
    Connection: close
    Referer: http://[IP]/opensis/ForgotPass.php
    Upgrade-Insecure-Requests: 1
    
    user_type_form=username&uname_user_type=uname_student&username_stn_id=1[SQL INJECTION]&pass=12&month_username_dob=1&day_username_dob=1&year_username_dob=1994
    

The vulnerable code for this issue is at line 365:

    353     if ($_REQUEST['uname_user_type'] == 'uname_staff') {
    354
    355         if ($_REQUEST['pass'] == '') {
    356             $_SESSION['err_msg'] = '<font color="red"><b>Please Enter Password.</b></font>';
    357             echo'<script>window.location.href="ForgotPass.php"</script>';
    358         }
    359         if ($_REQUEST['username_stf_email'] == '') {
    360             $_SESSION['err_msg'] = '<font color="red"><b>Please Enter Email Address.</b></font>';
    361             echo'<script>window.location.href="ForgotPass.php"</script>';
    362         }
    363
    364         if ($_REQUEST['username_stf_email'] != '' && $_REQUEST['pass'] != '') {
    365             $stf_info = DBGet(DBQuery('SELECT s.* FROM staff s,login_authentication la WHERE la.USER_ID=s.STAFF_ID AND la.PASSWORD=\'' . md5($_REQUEST['pass']) . '\' AND s.EMAIL=\'' . $_REQUEST['username_stf_email'] . '\''));
    366
    367             if ($stf_info[1]['STAFF_ID'] == '') {
    368                 $_SESSION['err_msg'] = '<font color="red" ><b>Incorrect login credential.</b></font>';
    369                 echo'<script>window.location.href="ForgotPass.php"</script>';
    370             } else {
    371                 $get_uname = DBGet(DBQuery('SELECT USERNAME FROM login_authentication WHERE USER_ID=' . $stf_info[1]['STAFF_ID'] . ' AND PROFILE_ID=' . $stf_info[1]['PROFILE_ID']));
    372                 $_SESSION['fill_username'] = $get_uname[1]['USERNAME'];
    373                 echo'<script>window.location.href="index.php"</script>';
    374             }
    375         }
    376     }
    

**Timeline**

2020-06-02 - Vendor Disclosure  
2020-08-13 - Vendor provided patch to Talos for testing  
2020-08-17 - Talos confirmed patch resolved issue  
2020-08-31 - Public Release

Discovered by Yuri Kramarz of Cisco Talos.

CVE-2020-6137: TALOS-2020-1080 || Cisco Talos Intelligence Group

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change.

The WordPress GiveWP plugin, which has 70,000+ active installations, fixed vulnerabilities affecting version 2.5.9 and below.

**Reference**

_A CVE ID has been requested and we’ll update this post when it is assigned._

**Unauthenticated settings change**

In the “includes/gateways/stripe/includes/admin/admin-actions.php” script, the give_stripe_connect_save_options function is loaded via the admin_init hook:

function give\_stripe\_connect\_save\_options() {

   $get\_vars = give\_clean( $\_GET );

   // If we don't have values here, bounce.
   if (
      ! isset( $get\_vars\['stripe\_publishable\_key'\] )
      || ! isset( $get\_vars\['stripe\_user\_id'\] )
      || ! isset( $get\_vars\['stripe\_access\_token'\] )
      || ! isset( $get\_vars\['stripe\_access\_token\_test'\] )
      || ! isset( $get\_vars\['connected'\] )
   ) {
      return false;
   }

   // Update keys.
   give\_update\_option( 'give\_stripe\_connected', $get\_vars\['connected'\] );
   give\_update\_option( 'give\_stripe\_user\_id', $get\_vars\['stripe\_user\_id'\] );
   give\_update\_option( 'live\_secret\_key', $get\_vars\['stripe\_access\_token'\] );
   give\_update\_option( 'test\_secret\_key', $get\_vars\['stripe\_access\_token\_test'\] );
   give\_update\_option( 'live\_publishable\_key', $get\_vars\['stripe\_publishable\_key'\] );
   give\_update\_option( 'test\_publishable\_key', $get\_vars\['stripe\_publishable\_key\_test'\] );

   // Delete option for user API key.
   give\_delete\_option( 'stripe\_user\_api\_keys' );

}
add\_action( 'admin\_init', 'give\_stripe\_connect\_save\_options' );

The function lacks a capability check and a security nonce. Because the admin_init hook can be triggered by anyone, an unauthenticated user can tamper with the authentication credentials of the Stripe Connect payment gateway: ACCESS\_TOKEN, REFRESH\_TOKEN, PUBLISHABLE\_KEY, ACCOUNT\_ID.

**Authenticated settings change**

In the “includes/admin/emails/ajax-handler.php” script, the give_set_notification_status_handler function is loaded via the wp_ajax hook. It is used to enable or disable email notifications sent by GiveWP to the administrator:

function give\_set\_notification\_status\_handler() {
   $notification\_id = isset( $\_POST\['notification\_id'\] ) ? give\_clean( $\_POST\['notification\_id'\] ) : '';
   if ( ! empty( $notification\_id ) && give\_update\_option( "{$notification\_id}\_notification", give\_clean( $\_POST\['status'\] ) ) ) {
      wp\_send\_json\_success();
   }

   wp\_send\_json\_error();
}

add\_action( 'wp\_ajax\_give\_set\_notification\_status', 'give\_set\_notification\_status\_handler' );

The function lacks a capability check and a security nonce and thus can be accessed by an authenticated user such as a subscriber.

This vulnerability could be used in conjunction with the previous one: after tampering with the payment gateway, the attacker could disable all email notifications sent to the admin, which includes the notification sent when a new donation is received.

**Additional issues**

In the “includes/misc-functions.php” script, the give_get_ip function is used to retrieve the user IP address:

function give\_get\_ip() {

   $ip = '127.0.0.1';

   if ( ! empty( $\_SERVER\['HTTP\_CLIENT\_IP'\] ) ) {
      // check ip from share internet
      $ip = $\_SERVER\['HTTP\_CLIENT\_IP'\];
   } elseif ( ! empty( $\_SERVER\['HTTP\_X\_FORWARDED\_FOR'\] ) ) {
      // to check ip is pass from proxy
      $ip = $\_SERVER\['HTTP\_X\_FORWARDED\_FOR'\];
   } elseif ( ! empty( $\_SERVER\['REMOTE\_ADDR'\] ) ) {
      $ip = $\_SERVER\['REMOTE\_ADDR'\];
   }

   /\*\*
    \* Filter the IP
    \*
    \* @since 1.0
    \*/
   $ip = apply\_filters( 'give\_get\_ip', $ip );

   // Filter empty values.
   if ( false !== strpos( $ip, ',' ) ) {
      $ip = give\_clean( explode( ',', $ip ) );
      $ip = array\_filter( $ip );
      $ip = implode( ',', $ip );
   } else {
      $ip = give\_clean( $ip );
   }

   return $ip;
}

It relies on untrusted user input (HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR) that is sanitised in order to prevent attacks such as XSS, but isn’t properly validated: GiveWP will accept Client-IP: foo as a valid IP address.

**Timeline**

The vulnerability was reported to the authors on October 18, 2019 and a new version 2.5.10 was released on October 28, 2019.

**Recommendations**

Update as soon as possible if you have version 2.5.9 or below installed.  
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet

CVE-2020-20627: Multiple vulnerabilities fixed in WordPress GiveWP plugin.

An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template field.

CVE-2020-15020: Elementor Website Builder – More than Just a Page Builder

Mara CMS 7.5 allows cross-site scripting (XSS) in contact.php via the theme or pagetheme parameters.

\============================================================================================================================

| # Title : Mara CMS 7.5 Cross Site Scriping |

| # Author : George Tsimpidas |

| # Tested on : Kali Linux (X64) | |

| # Vendor : https://sourceforge.net/projects/maracms/ |

| # CVE : CVE-2020-24223 |

\============================================================================================================================

Mara CMS 7.5 suffers from a Reflected Cross Site Scripting vulnerability.

Description :

This Reflected XSS vulnerability allows any authenticated user to

inject malicious code via the parameter contact.php?theme=<inject>.

The vulnerability exists because the parameter is not properly

sanitized and this can lead to malicious code injection that will be

executed on the target’s browser.

PoC

\[+\] Use Payload : seven69387';alert(1)//154

Path : http://localhost/contact.php?theme=< inject payload here>

Full Path :

http://localhost/contact.php?theme=seven69387';alert(1)//154

Tag

#perl