All posts by admin

Bootstrap modal forms capable of live add, edit and delete of DataTables records – stay alert (7th Jul 2020)

Preface: Bootstrap modal forms are displayed-on-action pop-up forms used for gathering data from website visitors and for registering or logging in users.

Background: PHPZAG[.]COM is a programming blog that publishes practical and useful tutorials for programmers and web developers.

Solution formulated by PHPZAG – Live Add, Edit and Delete DataTables Records with Ajax, PHP & MySQL.
Step 1 – Handle the modal form submit using jQuery and make an Ajax request with action addRecord to add new records.
Step 2 – Call method addRecord() on action addRecord to add new records.
Step 3 – Create method addRecord() in class Records.php to add new records into the MySQL database.

The vulnerability was found on 19th May 2020, but NVD only published it on 7th July 2020. The source file can be downloaded from the following URL – https://www.phpzag.com/live-add-edit-delete-datatables-records-with-ajax-php-mysql/

Vulnerability details:
CVE-2020-8519 SQL injection in search parameter
CVE-2020-8520 SQL Injection in line 29 with ‘order’ and ‘column’ parameters
CVE-2020-8521 SQL Injection in line 35 with ‘start’ and ‘length’ parameters
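The three CVEs share one pattern: DataTables request parameters (search, order, column, start, length) spliced straight into SQL. The following is an added example, not PHPZAG's code, showing the same five parameters handled safely in Python against an in-memory SQLite table standing in for MySQL: identifiers are whitelisted, values are bound.

```python
import sqlite3

# Columns the DataTables client may sort by or display; any other value in
# 'column' is rejected instead of being pasted into the ORDER BY clause.
ALLOWED_COLUMNS = ("id", "name", "email", "created")

def build_query(params, columns=ALLOWED_COLUMNS):
    """Return (sql, args) for a DataTables server-side request.

    params carries the fields the tutorial reads from the request:
    search, order, column, start, length.
    """
    column = params.get("column", "id")
    if column not in columns:                      # identifier: whitelist
        raise ValueError("unknown sort column: %r" % column)
    order = str(params.get("order", "asc")).lower()
    if order not in ("asc", "desc"):               # identifier: whitelist
        raise ValueError("unknown sort order: %r" % order)
    try:
        start = max(0, int(params.get("start", 0)))  # values: cast to int
        length = int(params.get("length", 10))
    except (TypeError, ValueError):
        raise ValueError("start/length must be integers")
    length = min(max(1, length), 100)              # cap the page size
    sql = "SELECT id, name, email, created FROM records"
    args = []
    search = params.get("search", "")
    if search:
        # the LIKE pattern is a bound parameter, never string-interpolated
        sql += " WHERE name LIKE ? OR email LIKE ?"
        args += ["%" + search + "%"] * 2
    # only whitelisted identifiers reach the SQL text; values go through ?
    sql += " ORDER BY %s %s LIMIT ? OFFSET ?" % (column, order.upper())
    args += [length, start]
    return sql, args

def run_demo():
    """Constructed table; returns (sorted page, result of an injection attempt)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER, name TEXT, email TEXT, created TEXT)")
    conn.executemany("INSERT INTO records VALUES (?,?,?,?)", [
        (1, "alice", "alice@example.test", "2020-05-01"),
        (2, "bob", "bob@example.test", "2020-05-02"),
        (3, "carol", "carol@example.test", "2020-05-03"),
    ])
    page = conn.execute(*build_query({"column": "name", "order": "desc", "length": 2})).fetchall()
    # a search value carrying an injection attempt is just text to match
    injected = conn.execute(*build_query({"search": "' OR 1=1 --"})).fetchall()
    return page, injected
```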

Cloud service providers remain vigilant – Nginx controller NATS vulnerability – CVE-2020-5910

Preface: Nginx was written specifically to address the performance limitations of Apache web servers.

Background: In March 2019, Nginx Inc was acquired by F5 Networks for US$670 million. According to 2020 statistics, Nginx is deployed on 375 million websites, and there are 1,500 paying customers.

Vulnerability detail: A malicious user with access to the host where NGINX Controller is running may eavesdrop on NATS connections and thereby gain unauthorized access to data stored in the message queue. Please refer to the website for details – https://support.f5.com/csp/article/K59209532

Observation: The possible ways to exploit this vulnerability are as follows:
Referring to the attached diagram, under such circumstances the design requires the ingress to expose the cluster via a host port and also makes it possible to advertise its public IP addresses.
A malicious user with access to the host where NGINX Controller is running may eavesdrop on NATS connections and thereby gain unauthorized access to data stored in the message queue.

Remedy: Upgrade to 3.6.0
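A quick way to check your own NATS listener for the weakness described above: a NATS server sends an INFO line as soon as a TCP client connects, and the tls_required and auth_required flags in it tell you whether plaintext, unauthenticated clients are accepted. This added example (not F5's or NGINX Controller's code) parses that banner; the sample INFO line is constructed, and the host/port in probe() are assumed defaults.

```python
import json
import socket

# Constructed INFO banner modelled on the NATS client protocol handshake:
# the server speaks first with "INFO {json}\r\n".
SAMPLE_PLAINTEXT_INFO = (
    'INFO {"server_id":"NDEMO","version":"2.1.7","host":"0.0.0.0","port":4222,'
    '"max_payload":1048576,"proto":1,"client_id":1}\r\n'
)

def parse_info(banner):
    """Parse the INFO line a NATS server sends on connect into a dict."""
    line = banner.split("\r\n", 1)[0]
    if not line.startswith("INFO "):
        raise ValueError("not a NATS INFO banner: %r" % line[:32])
    return json.loads(line[5:])

def assess(info):
    """Return the weaknesses a local eavesdropper could take advantage of.

    Flags absent from INFO default to false in the protocol, so a server
    that does not advertise tls_required is moving client traffic in clear.
    """
    findings = []
    if not info.get("tls_required", False):
        findings.append("plaintext: server does not require TLS on client connections")
    if not info.get("auth_required", False):
        findings.append("no auth: any process reaching the port may subscribe to the queue")
    if info.get("host") in ("0.0.0.0", "::"):
        findings.append("listener bound to all interfaces, not only loopback/cluster network")
    return findings

def probe(host="127.0.0.1", port=4222, timeout=3.0):
    """Connect to a NATS listener you administer and assess its banner."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while b"\r\n" not in data:            # read up to the end of the INFO line
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return assess(parse_info(data.decode("utf-8", "replace")))
```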

Samba releases security updates – 4th Jul 2020

Preface: A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory domain controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active Directory domain controllers to an elevation of privilege vulnerability, said Microsoft.

Notice: If you are a Samba user, you should remain vigilant and apply the fix immediately.

CVE-2020-10730
A client combining the ‘ASQ’ and ‘VLV’ LDAP controls can cause a NULL pointer de-reference and further combinations with the LDAP paged_results feature can give a use-after-free in Samba’s AD DC LDAP server.
https://www.samba.org/samba/security/CVE-2020-10730.html

CVE-2020-10745
Parsing and packing of NBT and DNS packets can consume excessive CPU in the AD DC (only)
Compression of replies to NetBIOS over TCP/IP name resolution and DNS packets (which can be supplied as UDP requests) can be abused to consume excessive amounts of CPU on the Samba AD DC (only).
https://www.samba.org/samba/security/CVE-2020-10745.html

CVE-2020-10760
The use of the paged_results or VLV controls against the Global Catalog LDAP server on the AD DC will cause a use-after-free.
https://www.samba.org/samba/security/CVE-2020-10760.html

CVE-2020-14303
The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process further requests once it receives an empty (zero-length) UDP packet to port 137.
https://www.samba.org/samba/security/CVE-2020-14303.html

Reference:
– De-referencing it means trying to access whatever is pointed to by the pointer.
– Use-After-Free vulnerabilities are a type of memory corruption flaw that can be leveraged by hackers to execute arbitrary code.

Perhaps the Microsoft Windows Codecs Library Remote Code Execution Vulnerability lets an attacker exploit a “write4”. 2nd Jul 2020

Preface: Currently, there are no known workarounds or mitigations for these vulnerabilities. Thankfully, Redmond adds that the flaws are not publicly disclosed and that there are no known exploits in the wild. The firm credits Trend Micro’s Zero Day Initiative for privately disclosing the bugs.

Background:
From a security point of view, attackers traditionally bypassed Windows heap protection by re-use methods. However, Microsoft has built heap protection into Windows since the Windows XP SP2 era, and as of today generic heap exploitation approaches are not effective: there is no more easy write4. But an attacker can rely on application-specific technique, which means controlling the allocation algorithm to position data carefully on the heap. A historical method is multiple write4 with a combination of the Lookaside and the FreeList.

Microsoft has released security updates to address vulnerabilities in Windows 10.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1457

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1425

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication (29th Jun 2020)

Preface: SAML implements a secure method of passing user authentications and authorizations between the identity provider and service providers. When a user logs into a SAML enabled application, the service provider requests authorization from the appropriate identity provider.

Design weakness: The design weakness of SAML is not XML edge cases, nor an attacker stealing your signing keys.
It is SAML mistakenly allowing your users to log in to apps they should not be able to access. To prevent this, you should ensure your SAML assertions only work with the right apps, and use unique signing keys for each app or service provider.

Palo Alto Releases Security Updates for PAN-OS: Authentication Bypass – details refer to following link. https://security.paloaltonetworks.com/CVE-2020-2021
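The advice above (assertions bound to the right app, one signing key per service provider) can be enforced as a check on the service-provider side. This added example is not Palo Alto's code and not a replacement for XML signature verification: it runs after your SAML library has verified the signature and rejects assertions whose Audience is not this SP or whose signing certificate is not the one pinned for this SP. The assertion, the certificate bytes and the entity IDs are all constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the DER certificate the IdP uses for the VPN SP only.
FAKE_VPN_CERT_DER = b"constructed-certificate-bytes-for-the-vpn-sp"
# Per-SP pins: entity ID -> SHA-256 of the DER certificate issued for that SP.
PINNED_CERT_SHA256 = {
    "https://vpn.example.test/sp": hashlib.sha256(FAKE_VPN_CERT_DER).hexdigest(),
    "https://mail.example.test/sp": "0" * 64,   # placeholder for a different key
}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://vpn.example.test/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>""" % base64.b64encode(FAKE_VPN_CERT_DER).decode()

def assertion_problems(xml_text, expected_sp, pins=PINNED_CERT_SHA256):
    """Return the reasons to reject this (already signature-verified) assertion
    when it is presented to the service provider expected_sp."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in
                 root.findall(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if expected_sp not in audiences:          # assertion issued for another app
        problems.append("audience mismatch: %s not in %r" % (expected_sp, audiences))
    cert_el = root.find(".//ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        problems.append("no signing certificate in assertion")
    else:
        der = base64.b64decode("".join(cert_el.text.split()))
        fingerprint = hashlib.sha256(der).hexdigest()
        if pins.get(expected_sp) != fingerprint:  # signed with some other SP's key
            problems.append("signing cert %s is not the one pinned for %s" % (fingerprint[:16], expected_sp))
    return problems
```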

If so, how to avoid the risk? Schneider Electric T300 design weakness (30th Jun 2020)

Preface: Dedicated to a specific industry, so-called operational technology.

Details: Schneider Electric has announced publicly that their Easergy T300 has a design weakness. When you go through the document (see the URL below), it officially informs you that you have to trust your source and make use of your firewall or VPN to enforce the protection. Perhaps you might ask why the vendor does not issue a firmware upgrade. My idea is that this is one of the differences between information technology and operational technology; the reasoning behind it is not written here because this post is only a short message. In short, the official recommendation should be taken. Additionally, to avoid malware infection, it is better to enhance the DNS lookup function. As of today, a clean DNS service is not expensive and is easy to implement: the admin only modifies the workstation and server DNS IP addresses. My comment is that this is a cost-effective solution to avoid malware infection because it increases the difficulty for malware to contact its C&C server.

https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2020-161-04_Easergy_T300_Security_Notification.pdf&p_Doc_Ref=SEVD-2020-161-04

Apache Releases Security Advisory for Apache Tomcat (26th Jun 2020)

Preface: As of June 2020, Apache is used by 37.7% of all the websites.

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M5
Apache Tomcat 9.0.0.M1 to 9.0.35
Apache Tomcat 8.5.0 to 8.5.55

Impact: An attacker could exploit this vulnerability to cause a denial-of-service condition.

Background: HTTP/2 uses header compression, which requires a stricter commitment of resources compared to HTTP/1.1. The attack vectors for the vulnerabilities discovered in HTTP/2 follow a certain pattern: the main goal is to set up a queue of responses to exhaust the resources on a server.

Official announcement: The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache security advisory for CVE-2019-10072 – http://mail-archives.us.apache.org/mod_mbox/www-announce/202006.mbox/%3Cfd56bc1d-1219-605b-99c7-946bf7bd8ad4%40apache.org%3E

VMware conducted a remedy in the EHCI and xHCI controllers. It lets us know more about the impact of USB. (25th Jun 2020)

Preface: If you don’t use the VMware 3D graphics feature, perhaps this week’s vendor remedy for the 3D features will not be your focus. But how about the USB feature?

Background: To enable PCI devices to interrupt the CPU, all PCI devices on the PCI bus are assigned an IRQ number. The VMkernel uses discovery and interrupt rerouting mechanisms provided by the BIOS to assign these IRQ numbers. In certain cases due to hardware design, however, two or more devices might be tied to the same interrupt controller pin.

Impact: A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to crash the virtual machine’s vmx process, leading to a denial of service condition, or execute code on the hypervisor from a virtual machine.

Concept: Refer to attached diagram

Remedy: Official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0015.html

Magento users stay alert – 24th Jun 2020

Background: Magento is an e-commerce platform written in PHP atop the zend-framework, available under both open-source and commercial licenses. It is written in an advanced object-oriented idiom that uses the MVC pattern and XML configuration files, aiming for flexibility and extensibility.

Vulnerabilities announced this week – hints
The vendor has the right to retain the vulnerability details and not disclose them to the public, and therefore we only obtain the information below.

PHP Object Injection – Arbitrary code execution (Critical) – CVE-2020-9663

Stored cross-site scripting – Sensitive information disclosure (Important) – CVE-2020-9665

Please refer to attached diagram. Perhaps it will let you find out the root causes.

Official announcement: https://helpx.adobe.com/security/products/magento/apsb20-41.html

Australia (ACSC) urges local citizens to be vigilant against cyber attacks. The so-called copy-paste compromises – 18th June 2020

Preface: Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says. Mr Morrison did not name specific cases but said it had spanned “government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure”. 19th June 2020

Technical details: Long story short, the nickname of this attack is ‘Copy-Paste Compromises’. It is derived from the cyber attacker’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source. For more details, please refer to the link below to download the report.

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

Attack highlights: Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation. When a potential web shell is detected, administrators should validate the file’s origin and authenticity.

Recommendation: In normal circumstances, a firewall lock-down rule (deny any source to any destination) is hard to analyse by eyeball. But this attack vector is directed at Australia, so to avoid a cyber attack in your firm, firewall administrators should check their SIEM to see whether it can find the hints. If no such facility is installed, perhaps export the web server log and see whether you can find details of the attack activities.
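One way to do that web server log review is to score script paths by the traits a web shell leaves in access logs: POST-only traffic, no referer, non-browser user agents, and a script living under a directory that should only hold uploads or images. This added example (not from the ACSC report) runs such a scoring pass over constructed combined-log-format lines; the path and directory lists are assumptions to tune for your site.

```python
import re
from collections import defaultdict

# Constructed combined-log-format lines; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2020:10:01:02 +1000] "GET /index.php HTTP/1.1" 200 5120 "https://www.example.test/" "Mozilla/5.0"
203.0.113.5 - - [18/Jun/2020:10:01:09 +1000] "GET /images/logo.png HTTP/1.1" 200 812 "https://www.example.test/index.php" "Mozilla/5.0"
198.51.100.77 - - [18/Jun/2020:10:07:41 +1000] "POST /images/upload/cache.php HTTP/1.1" 200 311 "-" "python-requests/2.23.0"
198.51.100.77 - - [18/Jun/2020:10:07:55 +1000] "POST /images/upload/cache.php HTTP/1.1" 200 4096 "-" "python-requests/2.23.0"
203.0.113.9 - - [18/Jun/2020:10:12:13 +1000] "POST /contact.php HTTP/1.1" 302 0 "https://www.example.test/contact.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi")
UPLOAD_DIRS = ("/upload", "/images", "/media", "/tmp", "/cache")   # assumed layout

def parse(log_text):
    """Parse combined-format lines into dicts, skipping lines that do not match."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in log_text.splitlines()) if m]

def suspect_shells(entries, min_reasons=3):
    """Group hits per script path and report paths showing web shell traits."""
    by_path = defaultdict(list)
    for e in entries:
        path = e["path"].split("?")[0]
        if path.lower().endswith(SCRIPT_EXT):
            by_path[path].append(e)
    report = {}
    for path, hits in by_path.items():
        reasons = []
        if all(h["method"] == "POST" for h in hits):
            reasons.append("POST-only")            # shells are driven by POST bodies
        if all(h["ref"] == "-" for h in hits):
            reasons.append("no referer")           # not reached via site navigation
        if any(not h["ua"].startswith("Mozilla") for h in hits):
            reasons.append("non-browser user agent")
        if any(path.lower().startswith(d) for d in UPLOAD_DIRS):
            reasons.append("script under upload/media directory")
        if len(reasons) >= min_reasons:
            report[path] = {"hits": len(hits),
                            "ips": sorted({h["ip"] for h in hits}),
                            "reasons": reasons}
    return report
```

Paths the report names are candidates to validate as the ACSC recommends: confirm the file's origin and authenticity before treating it as legitimate.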