24 matches found

OSV
added 2020/03/03 3:32 p.m. | 25 views

GHSA-6V7P-V754-J89V HTTP Response Splitting in Styx

Vulnerability Styx is vulnerable to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Response Splitting'. Vulnerable Component The vulnerable component is the com.hotels.styx.api.HttpHeaders.Builder due to disabling the HTTP Header validation built into Netty in these...

6.5 CVSS | 6.8 AI score | 0.00319 EPSS
Exploits 1 | References 3

GitHub Security Blog
added 2020/03/03 3:32 p.m. | 99 views

HTTP Response Splitting in Styx

Vulnerability Styx is vulnerable to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Response Splitting'. Vulnerable Component The vulnerable component is the com.hotels.styx.api.HttpHeaders.Builder due to disabling the HTTP Header validation built into Netty in these...

6.5 CVSS | 0.1 AI score | 0.00319 EPSS
Exploits 1 | References 4 | Affected Software 1

MSRC
added 2019/11/06 8:12 p.m. | 52 views

Vulnerability hunting with Semmle QL: DOM XSS

In two previous blog posts part 1 and part 2, we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of...

1 AI score
Exploits 0

MSRC
added 2019/11/06 8:00 a.m. | 9 views

Vulnerability hunting with Semmle QL: DOM XSS

In two previous blog posts part 1 and part 2, we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of...

6.5 AI score
Exploits 0

MSRC
added 2019/11/06 8:00 a.m. | 12 views

Vulnerability hunting with Semmle QL: DOM XSS

In two previous blog posts part 1 and part 2, we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of...

1.3 AI score
Exploits 0

HackerOne
added 2019/09/18 9:34 a.m. | 110 views

Semmle: Worker container escape lead to arbitrary file reading in host machine [again]

Summary: After a successful build, LGTM allow user to view the file list. By default, only source code files and build config files are reserved lgtm.yml and .lgtm.yml. If there are both files in folder, LGTM will process lgtm.yml file and skip .lgtm.yml, but it still keeps both of files in...

Exploits 0

HackerOne
added 2019/09/13 2:39 a.m. | 72 views

Semmle: Worker container escape lead to arbitrary file reading in host machine

Summary: Because lack of security, attacker will be able to remove original log file and replace it will a symlink to other file, After finishing job, host machine copy file from docker container. Because the original log file has been removed, the host machine will copy the symlink file. But the...

0.7 AI score
Exploits 0

HackerOne
added 2019/09/11 9:37 p.m. | 55 views

Semmle: Privilege escalation in workers container

Summary about the bugs: In the prepare step, semmle allows user to install new package. By upload a malicious package along with source code and force server to build this package, attacker will gain root access to the container Steps: 1. Create a malicious package contains the backdoor: I use th...

0.8 AI score
Exploits 0

myhack58
added 2019/03/28 12:00 a.m. | 127 views

Using Semmle QL vulnerability out Part2-vulnerability warning-the black bar safety net

First part of this series introduced the Semmle QL, as well as the Microsoft Security Response Center MSRC how to use it to review to our report the vulnerability. This article discusses a How do we take the initiative to use it examples, including Azure firmware component of a security audit. Th...

0.8 AI score
Exploits 0

MSRC
added 2019/03/19 7:00 a.m. | 8 views

Vulnerability hunting with Semmle QL, part 2

The first part of this series introduced Semmle QL, and how the Microsoft Security Response Center MSRC are using it to investigate variants of vulnerabilities reported to us. This post discusses an example of how we’ve been using it proactively, covering a security audit of an Azure firmware...

2.8 AI score
Exploits 0

MSRC
added 2019/03/19 7:00 a.m. | 5 views

Vulnerability hunting with Semmle QL, part 2

The first part of this series introduced Semmle QL, and how the Microsoft Security Response Center MSRC are using it to investigate variants of vulnerabilities reported to us. This post discusses an example of how we’ve been using it proactively, covering a security audit of an Azure firmware...

6.9 AI score
Exploits 0

HackerOne
added 2019/03/06 1:14 p.m. | 33 views

Semmle: Authenticated Cross-Site-Request-Forgery

Summary: I have read the T&C to be eligible for bounty on this program. As per T&C authenticated CSRF requests are eligible for a bounty. I am not looking for the Bounty, However I want to give you an update on Authenticated CSRF that I have found. In the "Account Settings", a user can change his...

6.6 AI score
Exploits 0

HackerOne
added 2019/02/27 10:33 a.m. | 17 views

Semmle: Email addresses exposed in getPersonBySlug API

This researcher pointed out that the getPersonBySlug method in the internal API the API which our frontend code uses to retrieve data from the system exposed the email addresses of users who had connected Google accounts to their LGTM accounts. Since this API method does not check any...

1.7 AI score
Exploits 0

myhack58
added 2018/11/23 12:00 a.m. | 179 views

ghostscript sandbox bypass remote command execution vulnerability alerts-a vulnerability alert-the black bar safety net

! 0x00 vulnerability background 11 on the 21st, Semmle team of security researchers Man Yue Mo by semmle website, once again that ghostscript security sandbox can be bypassed by constructing a malicious PDF content that can cause remote command execution. ghostscript is widely used, ImageMagick,...

1.4 AI score
Exploits 0

HackerOne
added 2018/09/24 10:43 p.m. | 13 views

Semmle: Server side includes in https://lgtm-com.pentesting.semmle.net/internal_api/v0.2/savePublicInformation leads to 500 server error and D-DOS

Summary: Improper sanitizing of input in one of the input forms in https://lgtm-com.pentesting.semmle.net/internalapi/v0.2/savePublicInformation leads to server side include that causes a 500 internal server error and a possible denial of service. Description: After login in to semmle , in other ...

7 AI score
Exploits 0

Krebs on Security
added 2018/08/23 8:22 p.m. | 102 views

Experts Urge Rapid Patching of ‘Struts’ Bug

In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw -- in a Web component known as Apache Struts -- led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing...

0.4 AI score | 0.94431 EPSS
Exploits 41

Imperva Blog
added 2018/08/23 2:25 p.m. | 1090 views

Read: Apache Struts Patches ‘Critical Vulnerability’ CVE-2018-11776

On August 22, Apache Struts released a security patch fixing a critical remote code execution vulnerability. This vulnerability has been assigned CVE-2018-11776 S2-057 and affects Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The vulnerability was responsibly disclosed by Man Yue Mo fro...

2.5 AI score | 0.94431 EPSS
Exploits 41

myhack58
added 2018/08/23 12:00 a.m. | 843 views

Apache Struts2 S2-057 vulnerability analysis and early warning-vulnerability warning-the black bar safety net

It is possible to perform a RCE attack when the namespace value isn't set for a result defined in underlying xml configurations and in the same time, its upper actions configurations have no or wildcard namespace. The Same possibility when using the url tag which doesn't have value and action set...

2.8 AI score | 0.94431 EPSS
Exploits 41

The Hacker News
added 2018/08/22 2:04 p.m. | 1181 views

New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. Apache Struts is an open source framework for developing web...

10 CVSS | 0.3 AI score | 0.94431 EPSS
Exploits 104

MSRC
added 2018/08/16 7:00 a.m. | 21 views

Vulnerability hunting with Semmle QL, part 1

Previously on this blog, we’ve talked about how MSRC automates the root cause analysis of vulnerabilities reported and found. After doing this, our next step is variant analysis: finding and investigating any variants of the vulnerability. It’s important that we find all such variants and patch...

0.7 AI score
Exploits 0