14 matches found
Exploit for Weak Password Recovery Mechanism for Forgotten Password in Gitlab
Introduction - GitLab is a repository manager...
Mail.ru: [https://geekbrains.ru/profile] - authenticity_token not tied to user session leads to CSRF attacks
CSRF on geekbrains.ru The CSRF token on /profile was valid, but not tied to the user's session, e.g. Account A's token was valid on Account B; this could have led to changing another user's phone number, birth date, legal name etc...
Ruby on Rails: The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes
When per_form_csrf_tokens is set to true, each form should be protected against CSRF with a unique token that is not predictable by an attacker. The per_form_csrf_token is generated using an HMAC SHA-256 using a key that is exposed in a reversed authenticity_token. The authenticity_token is a Base64 encoding ...
GHSA-9PR6-GRF4-X2FR Omniauth allows POST parameters to be stored in session
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
Omniauth allows POST parameters to be stored in session
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
CVE-2017-18076
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
CVE-2017-18076
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
Session fixation
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
CVE-2017-18076
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
CVE-2017-18076
CVE-2017-18076 affects the OmniAuth Ruby library, specifically the code path in strategy.rb prior to version 1.3.2. The vulnerability stems from POST parameters being stored in the session in addition to GET parameters, which makes the authenticity_token (CSRF token) available in the callback pha...
CVE-2017-18076
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
GitLab: CSRF-Token leak by request forgery
Hi, I found the following issue in my own Gitlab installation. This is a request forgery that reveals the Rails authenticity_token remotely, which in turn allows mounting state-changing CSRF attacks. Vulnerability The web app code relies on location.pathname in a number of places to create new...
New Relic: Login CSRF vulnerability
Hi New Relic security team, While doing pentesting on your website, I found that while logging into the account the "authenticity_token" was not properly validated. I was able to log in to my account even without "authenticity_token". Impact: High Steps to Reproduce: 1 Login to your account. 2 Whi...
HackerOne: Improper session management
When a request with an invalid authenticity_token is received, the user is logged out (tested for updating user's profile, which is available here: https://hackerone.com/diekatze/profile/edit) and the user receives a new session cookie, which is not authenticated at this point. However, the...