Daniel Jones

**Name of the Vulnerable Software and Affected Versions** Webgalamb version 7.0 **Description** The issue arises from the wg7.php file in Webgalamb, which makes opportunistic calls to `htmlspecialchars()` instead of utilizing a templating engine with proper contextual encoding. This allows for the insertion of arbitrary strings into the database, enabling any JavaScript to be executed by the administrator, resulting in a cross-site scripting (XSS) issue. **Recommendations** For Webgalamb version 7.0, consider implementing a templating engine with proper contextual encoding to mitigate the risk of XSS attacks. As a temporary workaround, restrict access to the wg7.php file and ensure that all user input is thoroughly validated and sanitized to prevent malicious string insertion.

**Name of the Vulnerable Software and Affected Versions** Webgalamb versions prior to 7.0 **Description** The issue allows for SQL injection via the `Client-IP` HTTP request header in the subscriber.php file. **Recommendations** For versions prior to 7.0, update to version 7.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Webgalamb version 7.0 **Description** The issue concerns a lack of security measures to prevent CSRF attacks. This can be demonstrated through the API endpoint "wg7.php?options=1" which allows changing the administrator password. **Recommendations** For Webgalamb version 7.0, consider implementing proper CSRF protection mechanisms to prevent unauthorized changes to sensitive settings, such as the administrator password. As a temporary workaround, restrict access to the "wg7.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webgalamb versions prior to 7.0 **Description** A directory traversal vulnerability in system/ajax.php could lead to arbitrary code execution by authenticated administrator users, because PHP files are restored under the document root directory. The issue is related to the "wgmfile restore" functionality. **Recommendations** For versions prior to 7.0, consider restricting access to the system/ajax.php endpoint, specifically the "wgmfile restore" functionality, until a patch is available. As a temporary workaround, avoid using the "wgmfile restore" feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webgalamb versions prior to 7.0 **Description** The issue concerns the exposure of log files to the internet, potentially containing sensitive client data such as email addresses. This exposure also facilitates the exploitation of SQL injection errors. The log files are stored with predictable filenames, making them easily accessible. **Recommendations** For versions prior to 7.0, restrict access to the log files to prevent exposure of sensitive data and potential exploitation of SQL injection errors. Consider implementing proper access controls and secure storage for log files until a fixed version is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webgalamb versions prior to 7.0 **Description** The issue allows for arbitrary code execution, which can be exploited remotely without initial authentication. To exploit this, an attacker must bypass authentication to access administrative site functions, then upload a crafted CSV file containing a malicious payload. This payload becomes part of a PHP eval() expression in the subscriber.php file. **Recommendations** For Webgalamb versions prior to 7.0, consider restricting access to administrative functions and validating all uploaded files to prevent malicious payloads until a fix is available. As a temporary workaround, consider disabling the upload of CSV files in the subscriber.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webgalamb versions prior to 7.0 **Description** The system/ajax.php functionality in Webgalamb is supposed to be restricted to administrators. However, unauthenticated users can access most of these methods by utilizing certain query parameters, specifically `bgsend`, `atment sddd1xGz`, or `xls bgimport`. **Recommendations** For Webgalamb versions prior to 7.0, restrict access to the system/ajax.php functionality to prevent unauthenticated users from exploiting the vulnerable query parameters `bgsend`, `atment sddd1xGz`, or `xls bgimport`. Consider temporarily disabling these parameters until a patch is available.