Xbtitfm Team

**Name of the Vulnerable Software and Affected Versions** xbtitFM version 4.1.18 **Description** The software contains an unauthenticated SQL injection issue. Remote attackers can manipulate database queries by injecting malicious SQL code through the `msgid` parameter. Crafted requests sent to the '/shoutedit.php' API endpoint, utilizing functions like EXTRACTVALUE, can allow attackers to extract database names, user credentials, and password hashes. **Recommendations** Apply a fix to address SQL injection in the `msgid` parameter of the '/shoutedit.php' API endpoint.

**Name of the Vulnerable Software and Affected Versions** xbtitFM version 4.1.18 **Description** xbtitFM 4.1.18 contains a path traversal issue that allows unauthenticated attackers to access sensitive system files. Attackers can manipulate URL parameters using directory traversal techniques, such as encoded path traversal characters in HTTP requests, to read critical system files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xbtitFM version 4.1.18 **Description** The software contains an insecure file upload issue. Authenticated attackers with administrative privileges can upload and execute arbitrary PHP code through the file hosting feature. File type restrictions can be bypassed by modifying the Content-Type header to image/gif and adding GIF89a magic bytes, allowing the upload of web shells. These web shells can then execute system commands using alternate PHP tags. The vulnerable feature is the `file hosting` functionality. The attack involves manipulating the `Content-Type` header and utilizing alternate PHP tags. **Recommendations** Apply a fix to restrict file uploads to authorized file types. Implement stricter validation of uploaded files, including checking file content and magic bytes. Disable or remove the `file hosting` feature if it is not essential.