Red Hat Security Advisory 2022-1935-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include bypass, privilege escalation, and server-side request forgery vulnerabilities.
5ac37a20c66d6dd00fcf5f109c3261ba56a23ac26523e73dc2b13bec0d586020
WordPress Booking Calendar plugin versions 9.1 and below suffer from PHP object injection and insecure deserialization vulnerabilities.
ca383548169d539c9e3c7a8fb2058f0828391d09365e432f7376f20ec13cc507
SAP Information System version 1.0.0 suffers from an improper authentication vulnerability that allows a malicious user to create an administrative account without needing to authenticate. The POST request is sent to the /SAP_Information_System/controllers/add_admin.php endpoint. The problem occurs due to lack of session verification in the request.
81b2d35c550ef4f8db3fd0aac42c15232a707b20d75b5eeabeefd52e176de1e6
Online Sports Complex Booking System version 1.0 suffers from a remote blind SQL injection vulnerability in Users.php. This is a similar issue to the one discovered by Saud Alenazi in March of 2022, but it affects a different file.
f3b7c99d8727d07603b174d479dfb42058fa680951e9988a3939e654323f2f78
Roxy File Manager version 1.4.5 proof of concept exploit for a PHP file upload restriction bypass vulnerability.
56429affeb38a91070ee24b0aaf512970594ce033504501832983da83e9dea5a
When the filter_var function is used in conjunction with the flags FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME, there is a vulnerability in PHP that allows the filter to be bypassed. A patch has been included by the researcher as the PHP security team seems to have ignored this concern.
adddea024dbdd005a547c113193969e21a6c422c65e5611f207efd46bf8ae635
ImpressCMS versions 1.4.2 and below pre-authentication SQL injection to remote code execution exploit. User input passed through the "groups" POST parameter to the /include/findusers.php script is not properly sanitized before being passed to the icms_member_Handler::getUserCountByGroupLink() and icms_member_Handler::getUsersByGroupLink() methods. These methods use the first argument to construct a SQL query without proper validation, and this can be exploited by remote attackers to e.g. read sensitive data from the "users" database table through boolean-based SQL injection attacks. The application uses PDO as a database driver, which allows for stacked SQL queries; as such, this vulnerability could be exploited to e.g. create a new admin user and execute arbitrary PHP code.
576e64698cc9d7062dccead415b9bdbbe2c02e4ae86258cd980164b5e56355cc
Ubuntu Security Notice 5300-3 - USN-5300-1 fixed vulnerabilities in PHP. This update provides the corresponding updates for Ubuntu 21.10. It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service, or possibly obtain sensitive information. It was discovered that PHP incorrectly handled certain scripts with XML parsing functions. An attacker could possibly use this issue to obtain sensitive information.
79f9d135d4d4a7c56dc43a848d48ffdb653c44069b4fe34f8a66deeb9811750f
Ubuntu Security Notice 5300-2 - USN-5300-1 fixed vulnerabilities in PHP. This update provides the corresponding updates for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service, or possibly obtain sensitive information. It was discovered that PHP incorrectly handled certain scripts with XML parsing functions. An attacker could possibly use this issue to obtain sensitive information.
8d289bff69aa5a1c07a2ec7e6f761299daae4511e4dcce44a32c652a3e06a38e
Ubuntu Security Notice 5303-1 - It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.
eac3ef8542d9946db383117234b5345b135eed10bf4036c82db688ec31e6cf88
Ubuntu Security Notice 5300-1 - It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service, or possibly obtain sensitive information. It was discovered that PHP incorrectly handled certain scripts with XML parsing functions. An attacker could possibly use this issue to obtain sensitive information.
a3c43189a77d959782469e503170048c773cfe62638b7e5096d7604ac94e195c
This Metasploit module exploits a path traversal issue in Nagios XI before version 5.8.5. The path traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as www-data. The module achieves this by creating an autodiscovery job with an id field containing a path traversal to a writable and remotely accessible directory, and custom_ports field containing the web shell. A cron file will be created using the chosen path and file name, and the web shell is embedded in the file. After the web shell has been written to the victim, this module will then use the web shell to establish a Meterpreter session or a reverse shell. By default, the web shell is deleted by the module, and the autodiscovery job is removed as well.
056c02dbc5e575c5155e8c34f4766dcc9830256d1bc589d898d599d7f0e9dc4d
PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities.
6a2dcc3898ac3a1b90915521a41f2d6e5e9592121ab91ccecbf993baae2e11e2
PHP Restaurants version 1.0 suffers from a remote SQL injection vulnerability.
0b66b95fb0274768cbeb88fb3604dc7470a8f62cee12f074366923784dc89d91
PHP Unit version 4.8.28 suffers from a remote code execution vulnerability. Related CVE number: CVE-2017-9841. Authored by souzo
969a4a6b0fcb659dba0da5a8277fc2afa42e6757b9c324aab8c2a15efbdcd7ea
Library System in PHP version 1.0 suffers from a persistent cross site scripting vulnerability.
484590dc8cdcace436df1d2a4e2a63be9965f409ec7198e0fb2a122ca5c6b4ce
This exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080. The FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request for the payload, prior to getting a GET request. This exploit leverages an authenticated improper input validation in WordPress plugin Popular Posts versions 5.3.2 and below. The exploit chain is rather complicated. Authentication is required and gd for PHP is required on the server. Then the Popular Post plugin is reconfigured to allow for an arbitrary URL for the post image in the widget. A post is made, then requests are sent to the post to make it more popular than the previous #1 by 5. Once the post hits the top 5, and after a 60 second server cache refresh (the exploit waits 90 seconds), the homepage widget is loaded which triggers the plugin to download the payload from the server. The payload has a GIF header, and a double extension (.gif.php) allowing for arbitrary PHP code to be executed.
90db5fa8de8fdf34a913230d5320fbeba171c2aac53e75371d7b3d5919bde065
Bazaar Web PHP Social Listings suffers from a remote shell upload vulnerability.
f1629de60b9c1c66f85917fe4e27cf490f6caab55d5182d2047cf1df6cde10ab
Signup PHP Portal version 2.1 suffers from a remote shell upload vulnerability.
0ffc78db1554cc2312874b940b014bebbe2e06854b885e74b9060727a2e56e98
Online Enrollment Management System in PHP and PayPal version 1.0 suffers from a persistent cross site scripting vulnerability.
58b09da437a9db3ee5522fd14065907371363210d686eb9837c10907ebae0b69
This Metasploit module exploits an input validation error on the log file extension parameter of SuiteCRM version 7.11.18. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a valid user, as this info is logged. The php code in the file can then be executed by sending an HTTP request to the log file. A similar issue was reported by the same researcher where a blank file extension could be supplied and the extension could be provided in the file name. This exploit will work on those versions as well, and those references are included.
7f2ef0fa96275977d80eca31460f8f2876baa953ce756a42a73f7d1524b141fb
PHP Laravel version 8.70.1 suffers from cross site scripting and cross site request forgery related vulnerabilities.
03959819037d931fa9bc8a86e042128e57d18e192cdb95d48075c2d8e2c636b5
This Metasploit module exploits local file inclusion and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older, in order to achieve unauthenticated remote code execution as the root user. NetConfig is the Aerohive/Extreme Networks HiveOS administrative web interface. Vulnerable versions allow for LFI because they rely on a version of PHP 5 that is vulnerable to string truncation attacks. This module leverages this issue in conjunction with log poisoning to gain remote code execution as root. Upon successful exploitation, the Aerohive NetConfig application will hang for as long as the spawned shell remains open. Closing the session should render the application responsive again. The module provides an automatic cleanup option to clean the log. However, this option is disabled by default because any modifications to the /tmp/messages log, even via sed, may render the target (temporarily) unexploitable. This state can last over an hour. This module has been successfully tested against Aerohive NetConfig versions 8.2r4 and 10.0r7a.
f4fce0d3935a3baeeca64e47d1f3ececd06846dd7a61129d94c68314b7e81dbb
Red Hat Security Advisory 2021-4213-03 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include a null pointer vulnerability.
743ac4c5b84cb5122f483307d386d734caf3f5fe3e3b3830f0feabd5cf82f541
PHP Event Calendar Lite Edition suffers from a persistent cross site scripting vulnerability.
09c617426974d7713fb8ccab94dcccb7210bc336670db3a9f3be869096871afb