Cross-site scripting (XSS) vulnerability in NoneCms 1.3.0 allows remote attackers to inject arbitrary web script or HTML via feedback feature.
Daily Archives: May 8, 2023
CVE-2020-18132
Cross Site Scripting (XSS) vulnerability in MIPCMS 3.6.0 allows attackers to execute arbitrary code via the category name field to categoryEdit.
CVE-2020-18131
Cross Site Request Forgery (CSRF) vulnerability in Bluethrust Clan Scripts v4 allows attackers to escilate privledges to an arbitrary account via a crafted request to /members/console.php?cID=5.
CIS Benchmarks May 2023 Update
Here is an overview of the CIS Benchmarks that the Center for Internet Security updated or released for May 2023.
USN-6060-2: MySQL vulnerabilities
USN-6060-1 fixed several vulnerabilities in MySQL. This update provides
the corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.7.42 in Ubuntu 16.04 ESM.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-42.html
https://www.oracle.com/security-alerts/cpuapr2023.html
USN-6061-1: WebKitGTK vulnerabilities
Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.
golang-1.19.9-1.fc37
FEDORA-2023-12504e8774
Packages in this update:
golang-1.19.9-1.fc37
Update description:
go1.19.9 (released 2023-05-02) includes three security fixes to the html/template package, as well as bug fixes to the compiler, the runtime, and the crypto/tls and syscall packages. See the milestone on the issue tracker for details.
USN-6060-1: MySQL vulnerabilities
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 8.0.33 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,
Ubuntu 22.10, and Ubuntu 23.04. Ubuntu 18.04 LTS has been updated to MySQL
5.7.42.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-42.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-33.html
https://www.oracle.com/security-alerts/cpuapr2023.html
golang-1.20.4-1.fc38
FEDORA-2023-7eb5fe654d
Packages in this update:
golang-1.20.4-1.fc38
Update description:
go1.20.4 (released 2023-05-02) includes three security fixes to the html/template package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle, crypto/tls, net/http, and syscall packages. See the milestone on the issue tracker for details.
New Wave of SHTML Phishing Attacks
Authored By Anuradha
McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or display phishing forms locally within the browser to harvest user-sensitive information.
SHTML Campaign in the field:
Figure 1. shows the geological distribution of McAfee clients who detect malicious SHTML files.
Figure 1. McAfee Client Detection of SHTML
Attackers victimize users by distributing SHTML files as email attachments. The sentiments used in such phishing emails include a payment confirmation, invoice, shipment etc., The email contains a small thread of messages to make the recipient more curious to open the attachment.
Figure 2. Email with SHTML attachment
Analysis:
When the SHTML attachment is clicked, it opens a blurred fake document with a login page in the browser as shown in Figure 3. To read the document, however, the user must enter his/her credentials. In some cases, the email address is prefilled.
Figure 3. Fake PDF document
Figure 4. Fake Excel document
Figure 5. Fake DHL Shipping document
Attackers commonly use JavaScript in the SHTML attachments that will be used either to generate the malicious phishing form or to redirect or to hide malicious URLs and behavior.
Figure 6. SHTML with JavaScript code
Below is the code snippet that shows how the blurred background image is loaded. The blurred images are taken from legitimate websites such as:
https://isc.sans.edu
https://i.gyazo.com
Figure 7. Code to load blurred image
Abusing submission form service:
Phishing attacks abuse static form service providers to steal sensitive user information, such as Formspree and Formspark
Formspree.io is a back-end service that allows developers to easily add forms on their website without writing server-side code, it also handles form processing and storage. It takes HTML form submissions and sends the results to an email address.
The attackers use the formpsree.io URL as an action URL which defines where the form data will be sent. Below Figure 8. shows the code snippet for action URL that works in conjunction with POST method.
Figure 8. Formspree.io as action URL with POST method
When the user enters the credentials and hits the “submit” button, the data is sent to Formspree.io. Subsequently, Formspree.io forwards the information to the specified email address. Below Figure 9. shows the flow of user submission data from webpage to attacker email address.
Figure 9. Flow of user submission data
Known malicious forms may be blocked, preventing the form submission data from being sent to the attacker. Below Figure 10. shows the Form blocked due to suspected fraudulent activity.
Figure 10. Form Blocked
To prevent the user from recognizing that they’ve just been phished, the attacker redirects the user’s browser to an unrelated error page that is associated to a legitimate website.
Below Figure 11. shows the redirected webpage.
Figure 11. Redirected webpage
To conclude, phishing is a form of social engineering in which attackers trick people into disclosing confidential information or installing malware. It is a widespread and pervasive problem. This blurry image phishing scam uses simple basic HTML and JavaScript code, but it can still be effective. A blurry image is enough to trick many users into believing the email as legitimate. To stay protected, users should keep their system up-to-date and refrain from clicking links and opening SHTML attachments that comes through email from untrusted sources.
IOCs
McAfee customers are protected against this phishing campaign.
Type
Value
Product
Detected
URL
formspree[.]io/f/xjvderkn
McAfee WebAdvisor
Blocked
URL
cianindustries[].com/error/excel.php
McAfee WebAdvisor
Blocked
URL
twenty88[.]com/mincs/mea.ph
McAfee WebAdvisor
Blocked
URL
sweet.classicbo[.]com/mailb_fixpd.ph
McAfee WebAdvisor
Blocked
Type
Value
Product
Detected
shtml(Adobe)
0a072e7443732c7bdb9d1f3fdb9ee27c
Total Protection and LiveSafe
HTML/Phishing.qz
shtml(Excel)
3b215a37c728f65c167941e788935677
Total Protection and LiveSafe
HTML/Phishing.rb
shtml(DHL)
257c1f7a04c93a44514977ec5027446c
Total Protection and LiveSafe
HTML/Phishing.qz
The post New Wave of SHTML Phishing Attacks appeared first on McAfee Blog.