atxsinn3r · rafaelrodriguesaceno · Apr 30, 2024 · Apr 30, 2024 · Apr 30, 2024 · Apr 30, 2024
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,18 @@
+name: OSV-Scanner PR Scan
+
+# Change "main" to your default branch if you use a different name, i.e. "master"
+on:
+  pull_request:
+    branches: [master]
+  merge_group:
+    branches: [master]
+
+permissions:
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Only need to read contents
+  contents: read
+
+jobs:
+  scan-pr:
+    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
diff --git a/CVE-2015-8562.php b/CVE-2015-8562.php
@@ -0,0 +1,107 @@
+// https://voidsec.com/analysis-of-the-joomla-rce-cve-2015-8562/
+
+
+
+// Check for clients browser
+if (in_array('fix_browser', $this->security) && isset($_SERVER['HTTP_USER_AGENT'])){
+    $browser = $this->get('session.client.browser');
+
+    if ($browser === null){
+        $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
+    }
+    elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser) {
+        // @todo remove code:                    $this->_state   =       'error';
+        // @todo remove code:                    return false;
+    }
+}
+
+joomla_session` VALUES ('02di8ph9l9on7aa905khshtu57',0,1,'1505489800',
+'__default|a:8:{
+	s:15:"session.counter";		        i:1;
+	s:19:"session.timer.start";		i:1505489800;
+	s:18:"session.timer.last";		i:1505489800;
+	s:17:"session.timer.now";		i:1505489800;
+	s:22:"session.client.browser";	        s:11:"curl/7.55.1";
+	s:8:"registry";					
+		O:9:"JRegistry":1:{
+						s:7:"\0\0\0data";
+						O:8:"stdClass":0:{}
+		}
+	s:4:"user";O:5:"JUser":24:{
+		s:9:"\0\0\0isRoot";	        b:0;
+		s:2:"id";			i:0;
+		s:4:"name";			N;
+		s:8:"username";		        N;
+		s:5:"email";			N;
+		s:8:"password";		        N;
+		s:14:"password_clear";	        s:0:"";
+		s:5:"block";			N;
+		s:9:"sendEmail";		i:0;
+		s:12:"registerDate";		N;
+		s:13:"lastvisitDate";		N;
+		s:10:"activation";		N;
+		s:6:"params";			N;
+		s:6:"groups";					
+			a:1:{
+						i:0;
+						s:2:"13";
+			}
+		s:5:"guest";			i:1;
+		s:13:"lastResetTime";		N;
+		s:10:"resetCount";		N;
+		s:10:"\0\0\0_params";	
+			O:9:"JRegistry":1:{
+						s:7:"\0\0\0data";
+						O:8:"stdClass":0:{}
+			}
+		s:14:"\0\0\0_authGroups";
+			a:1:{
+						i:0;
+						s:1:"1";
+			}
+		s:14:"\0\0\0_authLevels";
+			a:2:{
+						i:0;
+						i:1;
+						i:1;
+						i:1;
+			}
+		s:15:"\0\0\0_authActions";	N;
+		s:12:"\0\0\0_errorMsg";	        N;
+		s:10:"\0\0\0_errors";	        a:0:{}
+		s:3:"aid";			i:0;
+	}
+	s:13:"session.token";			s:32:"ead9d16586b72de83eab1761e20436e4";
+}'
+,0,'');
+
+
+
+public function write($id, $data)
+{
+    // Get the database connection object and verify its connected.
+    $db = JFactory::getDbo();
+    $data = str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
+    try    {
+        $query = $db->getQuery(true)
+            ->update($db->quoteName('#__session'))
+            ->set($db->quoteName('data') . ' = ' . $db->quote($data))
+            ->set($db->quoteName('time') . ' = ' . $db->quote((int) time()))
+            ->where($db->quoteName('session_id') . ' = ' . $db->quote($id));
+
+      // Try to update the session data in the database table.
+      $db->setQuery($query);
+
+      if (!$db->;execute())      {
+            return false;
+      }
+      /* Since $db->execute did not throw an exception, so the query was successful.
+         Either the data changed, or the data was identical.
+         In either case we are done.
+      */
+      return true;
+    }
+    catch (Exception $e)    {
+        return false;
+    }
+}
diff --git a/CVE-2019-1937 b/CVE-2019-1937
@@ -0,0 +1,61 @@
+
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
+      (...)
+            httpRequest = (HttpServletRequest)request;
+            logger.debug("doFilter url: " + httpRequest.getRequestURL().toString());
+            boolean isAuthenticated = this.authenticateUser(httpRequest);
+              ^^^ 1.5) invokes authenticateUser() (function shown below)
+
+            String samlLogoutRequest;
+            if(!isAuthenticated) {
+              ^^^ 1.6) if authenticateUser() returns false, we go into this branch
+
+                samlLogoutRequest = request.getParameter("SAMLResponse");
+                logger.info("samlResponse-->" + samlLogoutRequest);
+                if(samlLogoutRequest != null) {
+                    this.handleSAMLReponse(request, response, chain, samlLogoutRequest);
+                } else {
+                  ^^^ 1.7) if there is no SAMLResponse HTTP parameter, we go into this branch
+
+                    HttpSession session;
+                    ProductAccess userBean;
+                    String requestedUri;
+                    if(this.isStarshipRequest(httpRequest)) {
+                      ^^^ 1.8) checks if isStarshipRequest() returns true (function shown below)
+
+                        session = null != httpRequest.getSession(false)?httpRequest.getSession(false):httpRequest.getSession(true);
+                        userBean = (ProductAccess)session.getAttribute("USER_IN_SESSION");
+                        if(userBean == null) {
+                          ^^^ 1.9) if there is no session server side for this request, follow into this branch...
+
+                            try {
+                                userBean = new ProductAccess();
+                                userBean.setCredentialId("");
+                                userBean.setAdminPasswordReset(true);
+                                userBean.setProductId("cloupia_service_portal");
+                                userBean.setProfileId(0);
+                                userBean.setRestKey(httpRequest.getHeader("X-Starship-Request-Key"));
+                                userBean.setStarshipUserId(httpRequest.getHeader("X-Starship-UserName-Key"));
+                                userBean.setLoginName("admin");
+                                  ^^^ 1.10) and create a new session with the user as "admin"!
+
+                                userBean.setStarshipSessionId(httpRequest.getHeader("X-Starship-UserSession-Key"));
+                                requestedUri = httpRequest.getHeader("X-Starship-UserRoles-Key");
+                                userBean.setAccessLevel(requestedUri);
+                                if(requestedUri != null && requestedUri.equalsIgnoreCase("admin")) {
+                                    AuthenticationManager authmgr = AuthenticationManager.getInstance();
+                                    userBean.setAccessLevel("Admin");
+                                    authmgr.evaluateAllowedOperations(userBean);
+                                }
+
+                                session.setAttribute("USER_IN_SESSION", userBean);
+                                session.setAttribute("DEFAULT_URL", STARSHIP_DEFAULT_URL);
+                                logger.info("userBean:" + userBean.getAccessLevel());
+                            } catch (Exception var12) {
+                                logger.info("username/password wrong for rest api access - " + var12.getMessage());
+                            }
+
+                            logger.info("userBean: " + userBean.getAccessLevel());
+                        }
+
+                        chain.doFilter(request, response);
diff --git a/cross-site-scripting-xss.php b/cross-site-scripting-xss.php
@@ -0,0 +1,24 @@
+<?php
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+if (PHP_SAPI === 'cli') {
+    parse_str(implode('&', array_slice($argv, 1)), $_GET);
+}
+
+if (NULL == $_GET['name']) $_GET['name'] = "Guest! ";
+
+echo 'Hello, welcome ' . $_GET['name'];
+
diff --git a/go/example1/api/routes/healthcheck.go b/go/example1/api/routes/healthcheck.go
@@ -0,0 +1,27 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// nolint
+package routes
+
+import (
+	"net/http"
+
+	"github.com/labstack/echo"
+)
+
+// Healthcheck is the heathcheck function.
+func Healthcheck(c echo.Context) error {
+	return c.String(http.StatusOK, "WORKING!\n")
+}
diff --git a/go/example1/api/server.go b/go/example1/api/server.go
@@ -0,0 +1,39 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// nolint
+package main
+
+import (
+	"github.com/labstack/echo"
+	"github.com/labstack/echo/middleware"
+
+	"github.com/ZupIT/horusec/examples/go/example1/api/routes"
+)
+
+func main() {
+
+	echoInstance := echo.New()
+	echoInstance.HideBanner = true
+
+	echoInstance.Use(middleware.Logger())
+	echoInstance.Use(middleware.Recover())
+	echoInstance.Use(middleware.RequestID())
+
+	// health routes
+	echoInstance.GET("/healthcheck", routes.Healthcheck)
+
+	echoInstance.Logger.Fatal(echoInstance.Start(":8888"))
+
+}
diff --git a/go/example1/api/util/util.go b/go/example1/api/util/util.go
@@ -0,0 +1,47 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// nolint
+package util
+
+import (
+	"crypto/md5"
+	"fmt"
+	"io"
+	"strings"
+)
+
+// HandleCmd will extract %GIT_REPO%, %GIT_BRANCH% and %INTERNAL_DEP_URL% from cmd and replace it with the proper repository URL.
+func HandleCmd(repositoryURL, repositoryBranch, internalDepURL, cmd string) string {
+	if repositoryURL != "" && repositoryBranch != "" && cmd != "" {
+		replace1 := strings.Replace(cmd, "%GIT_REPO%", repositoryURL, -1)
+		replace2 := strings.Replace(replace1, "%GIT_BRANCH%", repositoryBranch, -1)
+		replace3 := strings.Replace(replace2, "%INTERNAL_DEP_URL%", internalDepURL, -1)
+		return replace3
+	}
+	return ""
+}
+
+// GetMD5 returns the MD5 of a string.
+func GetMD5(s string) string {
+	h := md5.New()
+	io.WriteString(h, s) // #nohorus
+	md5Result := fmt.Sprintf("%x", h.Sum(nil))
+	return md5Result
+}
+
+// ReturnError will return a nil error.
+func ReturnError() error {
+	return nil
+}