Posts

Showing posts from September, 2022

ZKT Eco ADMS - Stored XSS (CVE-2022-44213)

Hi All, I was able to identify a stored XSS in an online attendance system, ZKT Eco ADMS v3.1-164. ADMS (Automatic Data Master Server) is a powerful web-based time and attendance management software which is used to configure the attendance devices and manage their users. The CVE ID assigned is CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213

Technical details

1. Log in to ZKT Eco ADMS (default credentials admin/admin).
2. Click on System, then click on Employee.
3. Click on the Append button to add a new employee.
4. In the Emp Name field, add your XSS payload. For testing I have used a non-malicious payload: "/><img src=a onerror=alert('stored-XSS');>
5. Click on the Submit button. It redirects you to the employee list, and our payload is executed there.

XSS payload embedded in the Emp Name field. Our payload executed successfully. The XSS has been fixed in the latest versions, after 3.1-164.
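The defect described above is that the stored Emp Name is written back into the employee-list page without output encoding, so a value that opens with a quote and "/>" ends the attribute and the element early. The following Python example is added here and is my own, not ZKT Eco's code: the row template, the vulnerable and hardened renderers, and the sample names are assumptions for illustration. It renders the post's test payload both ways, counts how many tags the stored value managed to inject, and includes a small triage check a defender could run over names already sitting in the database while the upgrade is rolled out.

```python
import html
import re

# Exact test payload from the post: non-malicious, only pops an alert.
PAYLOAD = "\"/><img src=a onerror=alert('stored-XSS');>"

# Constructed sample of stored employee names, not real data.
STORED_NAMES = ["Alice Example", "Bob Example", PAYLOAD]

# Matches any HTML tag (open or close). Used only to count tags in the output.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# The assumed row template contributes exactly five tags:
# <tr>, <td>, <input>, </td>, </tr>. Anything above that came from the value.
TEMPLATE_TAG_COUNT = 5


def render_employee_row_unsafe(emp_name: str) -> str:
    """Mirrors the defect: the stored name is concatenated into the page as-is,
    so a leading quote plus '/>' closes the attribute and the element early."""
    return f'<tr><td><input value="{emp_name}"></td></tr>'


def render_employee_row_safe(emp_name: str) -> str:
    """Hardened form: escape for the attribute context before output.
    quote=True turns both double and single quotes into entities, so the
    value can neither close the attribute nor the tag."""
    return f'<tr><td><input value="{html.escape(emp_name, quote=True)}"></td></tr>'


def count_tags(rendered: str) -> int:
    """Number of HTML tags present in a rendered row."""
    return len(TAG_RE.findall(rendered))


def injected_tag_count(emp_name: str, renderer) -> int:
    """How many tags the stored value added beyond the template's own five."""
    return count_tags(renderer(emp_name)) - TEMPLATE_TAG_COUNT


def find_suspicious_names(names):
    """Triage helper for a defender: flag stored names that contain markup
    characters or something shaped like an inline event handler, so the
    affected rows can be cleaned up independently of the vendor fix."""
    marker = re.compile(r"[<>]|\bon[a-z]+\s*=", re.IGNORECASE)
    return [n for n in names if marker.search(n)]


if __name__ == "__main__":
    for name in STORED_NAMES:
        print(repr(name))
        print("  unsafe renderer, injected tags:", injected_tag_count(name, render_employee_row_unsafe))
        print("  safe renderer,   injected tags:", injected_tag_count(name, render_employee_row_safe))
    print("names needing attention:", find_suspicious_names(STORED_NAMES))
```

With the unsafe renderer the payload yields one extra tag (the img element with its onerror handler); with the escaped renderer the same input stays inside the attribute value and adds nothing. The triage regex is deliberately coarse: it is meant to surface rows for a human to look at, not to be the fix, which is the context-aware escaping on output.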

NXLog Convert windows Hostname to Host-IP in the logs

Hi all, recently I faced an issue where I was sending Windows logs to my log collector, but the logs were sent in the format below:

Timestamp, System Hostname, Event-ID, etc.

To resolve the hostname to an IP address the collector needed access to a local DNS server, but there is no local DNS :-P So there are 2 solutions:

1. Create a local DNS server, add entries for all the hosts, and point the log collector to this local DNS.
2. Find some workaround to be implemented on all the servers so that each one converts its hostname to its local IP before forwarding the logs to the collector.

After googling for around 4-5 hrs I wasn't able to find any proper solution; every solution I was reading was converting IP to hostname. So I started reading the NXLog documentation and found a core function which can be used to convert the hostname to the host IP. Let's assume you have already configured the INPUT entity in the NXLog config file and you know which logs are to be co...

ZKBio Time - CSV Injection (CVE-2022-40472)

Hi all, I am here with a new post. Recently I identified a CSV injection vulnerability in one of the web-based time and attendance management software products. Below are the details:

Software Description: ZKBio Time is a powerful web-based time and attendance management software. With a powerful data handling capacity, the system can manage the attendance data of 10,000 employees. It can easily handle hundreds of devices and thousands of employees and their transactions. ZKBio Time comes with an intuitive user interface, is able to manage timetables, shifts and schedules, and can easily generate attendance reports.

Impacted Version: 8.0.7 (Build: 20220721.14829) and before.

CVE ID: CVE-2022-40472

Vulnerability details:

1. Log in to the ZKBio Time application.
2. In the left menu click on Messages -> Public.
3. Click on the ADD new message button.
4. Write your device serial number.
5. Mention any date/time and duration.
6. In the Content field, add your CSV injection payload, as shown below.

Any user who extracts th...
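The exposure in a CSV injection sits with whoever exports the stored message content and opens it in a spreadsheet: any cell that begins with a formula trigger is evaluated by the spreadsheet rather than shown as text. The Python example below is added here and is mine, not ZKBio Time's code; the report columns and the sample rows (including a harmless "=1+1" cell standing in for the payload the post does not reproduce) are constructed for illustration. It applies the usual OWASP CSV injection guidance on export (prefix a leading =, +, -, @, tab or carriage return with a single quote and let the CSV writer handle quoting), shows the unsafe export beside the neutralized one, and flags rows that would have needed attention.

```python
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula
# (per the OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export of public messages: serial, date/time, duration,
# content. Serial numbers are placeholders; "=1+1" is a harmless stand-in for
# a formula payload.
SAMPLE_ROWS = [
    ["PLACEHOLDER-SERIAL-1", "2022-09-01 09:00", "60", "Shift starts at 9"],
    ["PLACEHOLDER-SERIAL-1", "2022-09-01 10:00", "30", "=1+1"],
    ["PLACEHOLDER-SERIAL-2", "2022-09-02 09:00", "60", "Team meeting @ room 4"],
]
COLUMNS = ["serial", "datetime", "duration", "content"]


def is_cell_dangerous(cell) -> bool:
    """True when a string cell would be interpreted as a formula."""
    return isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS)


def neutralize_csv_cell(cell):
    """Prefix a formula trigger with a single quote so the spreadsheet reads
    the cell as text. Non-string cells (real numbers) are left untouched so
    numeric columns stay numeric; only untrusted text is rewritten."""
    if is_cell_dangerous(cell):
        return "'" + cell
    return cell


def flag_rows(rows):
    """Indices of rows containing at least one dangerous cell (triage helper
    for reviewing stored messages before the fix is deployed)."""
    return [i for i, row in enumerate(rows) if any(is_cell_dangerous(c) for c in row)]


def export_messages(rows, safe: bool = True) -> str:
    """Write rows as CSV text. safe=False reproduces the vulnerable export;
    safe=True neutralizes every cell first. csv.writer takes care of quoting
    delimiters and embedded double quotes, so the single-quote prefix cannot
    be undone by the field layout."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for row in rows:
        writer.writerow([neutralize_csv_cell(c) if safe else c for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_messages(SAMPLE_ROWS, safe=False))
    print("--- neutralized export ---")
    print(export_messages(SAMPLE_ROWS, safe=True))
    print("rows needing attention:", flag_rows(SAMPLE_ROWS))
```

The trade-off to be aware of: a text value such as "-5" also gets the prefix, because at export time the writer cannot tell a negative number from a formula trigger. Keep genuinely numeric columns typed as numbers rather than strings so they pass through unchanged, and apply the neutralization to free-text fields like the message content, which is exactly where user-controlled input lands.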