Liberapay: CSRF token did not change after login/logout many times
Hello team, your CSRF token did not expire, and after logging in and out many times I found that your CSRF token is generated the same as the last one. Impact: if an attacker found an XSS on your domain and you fixed it, but the attacker still has the user's CSRF token, the attacker can use it to perform any action...
Node.js third-party modules: [simplehttpserver] List any file in the folder by using path traversal.
I would like to report Path Traversal in simplehttpserver. It allows listing any file in a folder other than the web root. Module: module name: simplehttpserver version: 0.1.1 npm page: https://www.npmjs.com/package/simplehttpserver Module Description: 'simplehttpserver' is a simple imitation of python's...
Mail.ru: phpinfo() output exposed on the site https://agent.mail.ru
phpinfo was available on agent.mail.ru. agent.mail.ru is not currently covered with bug bounty program...
Mail.ru: LFI in beta.mail.ru
Local file read via file:// URI in a report's image in beta.mail.ru. beta.mail.ru is not currently covered by the bug bounty program. Reading arbitrary server files due to insufficient validation of attached images...
Node.js third-party modules: Command injection in 'pdf-image'
I would like to report command injection in pdf-image. It allows executing commands on the server. Module: module name: pdf-image version: 1.0.5 npm page: https://www.npmjs.com/package/pdf-image Module Description: Provides an interface to convert a PDF's pages to png files in Node.js by using...
Shopify: Potential to abuse pricing errors in saved carts
If someone abandons a shopping cart and the price changes between that time and when the abandoned cart recovery email is sent, the saved cart will always show the old price. If saved carts do not expire, this can create a situation where bad actors can fill and save shopping carts with sale pric...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
An application deserialization vulnerability was found in a misconfigured Department of Defense DoD website by @joaomatosf via POST/GET request. Impressive work. This showcases your skills! Thank you for supporting the DoD Vulnerability Disclosure Program!...
Node.js third-party modules: Prototype pollution attack (merge-options)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the merge-options library. Module: merge-options Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part...
Node.js third-party modules: Prototype pollution attack (defaults-deep)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the defaults-deep library. Module: https://www.npmjs.com/package/defaults-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object"...
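The mechanism behind both the merge-options and the defaults-deep reports, as an added example (this is not either library's code): a recursive deep merge that follows attacker-controlled keys into `Object.prototype`, beside the same merge with the prototype-reaching keys refused. The function names and the JSON payload are constructed for the example.

```javascript
// Added example (not merge-options' or defaults-deep's code): a deep merge
// that pollutes Object.prototype, and a hardened version that does not.

// Vulnerable: recurses into every own key of `src`, "__proto__" included.
// On a plain object dst["__proto__"] is Object.prototype, so the recursive
// call copies the attacker's properties onto every object in the process.
function mergeUnsafe(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      mergeUnsafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: keys that reach the prototype chain are dropped before recursion.
// "constructor" and "prototype" are blocked too, because
// {"constructor": {"prototype": {...}}} is the other route into
// Object.prototype for merges that also recurse into functions. Only own
// properties of `dst` are used as recursion targets, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      mergeSafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed payload of the kind an attacker sends as a JSON request body.
// JSON.parse creates "__proto__" as an ordinary own property, which is exactly
// what lets the merge reach it through Object.keys.
const PAYLOAD_JSON = '{"__proto__": {"isAdmin": true}}';

// Merges the payload into an empty object and reports whether a fresh,
// unrelated object now carries the injected property. Cleans up afterwards
// so the rest of the process is unaffected.
function pollutedAfter(mergeFn) {
  delete Object.prototype.isAdmin;
  mergeFn({}, JSON.parse(PAYLOAD_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

The dangerous step is not the assignment of `isAdmin` itself but the recursion into `dst["__proto__"]`; any merge, defaults or set-by-path utility that walks untrusted keys needs the same denylist (or `Object.create(null)` targets) to be safe.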
VK.com: Manipulating the "Suggest stickers in input fields" setting on users' pages
The hash was missing from requests that change sticker settings. A small mistake in the report: to enable, put 1 at the end. Enable: https://m.vk.com/attachments?ajax=1&act=stickershintsenabled&value=1 CSRF - THE ABSENCE OF THE HASH makes it possible to toggle sticker suggestions in input fields in the mobile version of VK! ...
Open-Xchange: IDOR - setAttribute action of user object in API
Note. I selected sandbox.open-xchange.com as the asset in Hackerone but this was tested on a local installation . Hello, There appears to be a possible IDOR vulnerability in the following API endpoint for setting custom attributes:...
Aspen: No Rate Limit (Leads to huge email flooding/email bombing)
Dear sir, first I want to say that this sensitive action should definitely be rate limited. Note: This is about huge bombing/brute force on any endpoints. Vulnerability: No rate limit has been set for generating account confirmation emails for accounts on the above selected domain, which i...
Internet Bug Bounty: Perl $ENV Key Stack Buffer Overflow
The CPerlHost::Add method in win32\perlhost.h is vulnerable to a stack buffer overflow. void CPerlHost::Add(LPCSTR lpStr) { char szBuffer[1024]; LPSTR lpPtr; int index, length = strlen(lpStr)+1; for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index) szBuffer[index] = lpStr[index]; szBuffer[index] = '\0...
Rockstar Games: Client-side Template Injection in Search, user email/token leak and maybe sandbox escape
In this report, the researcher was able to perform AngularJS Template Injection on our Support site in order to retrieve data, including email address, userid and tokens. Typically, a user is always able to retrieve this information about themselves and on its own, this is known behavior. However...
Roblox: Subdomain Takeover at creatorforum.roblox.com
Hello. A few days ago, I was looking at Roblox subdomains, and I noticed an unusual one called creatorforum.roblox.com. Upon further investigation, I visited it and saw that creatorforum.roblox.com's CNAME was a nonexistent Discourse website. I immediately reported to [email protected], and...
Internet Bug Bounty: Heap Use After Free in unserialize()
ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue can have an unspecified impact on the integrity of PHP. This...
Rockstar Games: CSRF Vulnerability allows attackers to steal SocialClub private token.
The researcher was able to combine a Flash exploit with a CSRF vulnerability in order to obtain sensitive user tokens from https://socialclub.rockstargames.com/profileedit/GetTokens. This page is ordinarily only called in a secure fashion such that an attacker is unable to see another user's...
WakaTime: No notification sent by email after account deletion.
Hi again, Description: I've just noticed that there's no email notification received after successful removal of an account. Fix: The user should be notified by an email notification at his email address after removal of an account. Cheers, Mansoor...
Mixmax: SSRF via webhook
Hi, There exists an SSRF vulnerability with the account webhook feature, allowing an attacker to verify the existence of the EC2 metadata url and enumerate URL's. POC: 1. Create a webhook at https://app.mixmax.com/dashboard/settings/rules with url http://169.254.169.254/latest/meta-data/. 2...
U.S. Dept Of Defense: Remote Code Execution (RCE) in DoD Websites
A remote code execution RCE vulnerability was found on a Department of Defense DoD website which could have enabled an attacker to execute remote commands on the web server. @joaomatosf was able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a...
Mixmax: Security Vulnerability - SMTP protection not used
Hi, I was checking your website and found an SPF record there. You should apply a strict SMTP policy to stop spoofed emails being sent from your domain. An attacker would send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees...
Weblate: OPTIONS method enabled
Description: HTTP OPTIONS method is enabled. Affected URLs: https://demo.weblate.org/ https://weblate.org/en/ https://hosted.weblate.org PoC: curl -X OPTIONS https://hosted.weblate.org -vv Output: aku@galau:$ curl -X OPTIONS https://hosted.weblate.org -vv Rebuilt URL to: https://hosted.weblate.org/...
Nextcloud: Reflected XSS in error pages (NC-SA-2017-008)
Hello, I found an HTML injection vulnerability flaw in the latest version of Nextcloud and Owncloud. Through this vulnerability an attacker could manipulate the website. This vulnerability could affect logged-in users. An attacker could send a malicious link that contains the manipulated URL to...
Mail.ru: Cross-Site Request Forgery
CSRF in whiskas.ny.mail.ru "like" feature. whiskas.ny.mail.ru is not currently in the bug bounty scope...
Ruby: sprintf combined format string attack
In a ticket that was also reported to "shopify-scripts" regarding "MRuby", I reported in detail a combined attack against the sprintf gem: Information leak; Heap buffer underflow. The full ticket details can be found in: Ticket 212239. The ticket was opened several minutes ago but I add it in case...
Starbucks: Persistent XSS in www.starbucks.com
There is a persistent XSS in https://www.starbucks.com/coffee/espresso/latte-macchiato. It is caused by loading scripts from: //starbucksmacchiato-prod.elasticbeanstalk.com/scripts/bn-v1.0.0-Release-min.js Note that starbucksmacchiato-prod.elasticbeanstalk.com is not registered on elastic beanstal...
Open-Xchange: Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf)
Discovery: After installing the software locally for testing purposes I performed a little search for Flash files embedded in the platform and found the following: root@OpenXchange:/opt/open-xchange# find . -iname '*.swf' ./appsuite/apps/3rd.party/mediaelement/flashmediaelement.swf...
VK.com: New 2FA Bypass
Partial bypass of the session check. A flaw in the password change function...
Reverb.com: IDOR - Ability to view unlisted products
Hi All, I believe I've found a vulnerability on your sandbox site which allows attackers to view the details of listings that are unpublished. Description: While creating a product, I noticed there is a call to https://sandbox.reverb.com/api/listings/65905/productbundle which returns JSON details...
OLX: XSS and Open Redirect on https://jobs.dubizzle.com/
Hi, I found an interesting vulnerability. With this one we can redirect someone to a malicious site, or we can trigger XSS. STEPS TO REPRODUCE --------------------- 1. Go to this link https://jobs.dubizzle.com/en/pricing/?return=javascript:prompt(31) 2. Click the "Continue placing your ad" button. 3. XS...
Slack: Rate-limit bypass
Hello Slack, this vulnerability is about a 2FA bypass. On the Slack web application there is a rate limit implemented. After performing 4-6 failed 2FA attempts, the rate limit logic will get triggered and ask the user to wait for the next attempt, preventing automated 2FA attempts. I tested the same using the iOS app (iOS 9.3...
Internet Bug Bounty: urllib HTTP header injection CVE-2016-5699
https://bugs.python.org/issue22928 https://access.redhat.com/security/cve/cve-2016-5699...
Legal Robot: Email spoofing possible via Legal Robot domain
Dear Team, There are a few email spoofing tools available for free and one of them is http://emkei.cz/ When I tried to send an email from [email protected] to my mail, it was successful and straight away delivered into my inbox, but when I tried to send it from another mail id...
Nextcloud: More content spoofing through dir param in the files app
Hi! It's still possible to use an invalid dir param to spoof messages in the directory breadcrumbs area. For example, you can use URL-encoded periods to bypass the directory traversal prevention. By referencing a path that returns a 301, you can add a message in the dir param F108266:...
Nextcloud: Server side request forgery (SSRF) on nextcloud implementation.
An admin of a nextcloud server can add other trusted nextcloud servers to his own installation. The following request passes when a new add request is processed: POST /nextcloud/index.php/apps/federation/trusted-servers HTTP/1.1 Host: myown.nextcloudserver.com User-Agent: Mozilla/5.0 (Macintosh;...
New Relic: Blind SSRF on synthetics.newrelic.com
Introduction: It was possible to retrieve some data from the http://169.254.169.254/latest/ URL corresponding to the Amazon instance metadata. With more time, we could dump the whole content. PoC: When creating a Ping Monitor on the https://synthetics.newrelic.com/accounts/XXXXXXX/synthetics URL, it...
Internet Bug Bounty: Adobe Flash Player OpportunityGenerator class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of OpportunityGenerator.update. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platform used for...
Dropbox: Dropbox apps Server side request forgery
Hi, SSRF is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server. Usually, Server Side Request Forgery SSRF attacks target internal systems behind the firewall that are normally inaccessible from the outside world but using SSRF it’s possible...
Mail.ru: AXFR works on plexus.m.smailru.net
MacBook-Pro:subbrute isox$ dig @217.69.129.107 plexus.m.smailru.net axfr ; <<>> DiG 9.8.3-P1 <<>> @217.69.129.107 plexus.m.smailru.net axfr ; (1 server found) ;; global options: +cmd plexus.m.smailru.net. 600 IN SOA ns1.mail.ru. hostmaster.mail.ru. 2300425875 900 900 1209600 300 plexus.m.smailru.net. 600 IN ...
Trello: Error Page Text Injection.
As we can see in the report, a user or attacker is able to inject his text into the error page and can trap the user into visiting another site by adding the following link: /test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20https://www.malicious.com%20so%20go%20to%20the%20new%20one%20since%20this%20one A...
Uber: User credentials are not strong on vault.uber.com
I was just trying to log in to vault.uber.com. I entered email xx and password xx, and I got logged in to someone's account. I entered email zz and password zz, and I got logged in to someone's account. It means password complexity and length of username/email are not enforced. This allowed me to access the someon...
Uber: Possibility to brute force invite codes in riders.uber.com
When adding new promotion codes for free rides, one could brute force invitation codes since there is no protection against brute force attacks. When going to the payment page, it's possible to apply a promotion code. If we intercept this request, we can brute force codes, since there is no captcha or...
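The control missing in the Aspen email-flooding, Slack 2FA and Uber invite-code entries above is the same one, so a single added example serves all three (this is none of those companies' code): a sliding-window limiter keyed on whatever the attacker iterates over, applied so that every entry point to the same action shares one budget. The limits, window lengths, key choices and function names are assumptions for the example; the clock is injectable so the behaviour can be checked without waiting.

```javascript
// Added example (not Aspen's, Slack's or Uber's code): a sliding-window rate
// limiter and two guards built on it.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of attempts inside the window
  }

  // True if the attempt may proceed. Refused attempts are recorded too, so a
  // client that keeps hammering keeps being refused instead of getting one
  // free request per window.
  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter(ts => t - ts < this.windowMs);
    recent.push(t);
    this.hits.set(key, recent);
    return recent.length <= this.limit;
  }

  // Milliseconds until the key drops back under the limit (0 if not limited).
  retryAfterMs(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter(ts => t - ts < this.windowMs);
    if (recent.length < this.limit) return 0;
    return recent[recent.length - this.limit] + this.windowMs - t;
  }
}

// 2FA code verification: a budget per target account (so guessing a code for
// one victim is bounded no matter how many clients are used) and per client
// (so one client cannot spread guesses over many accounts). Web and mobile
// must call the same guard; the Slack report above is what happens when only
// one of them does.
function makeTotpGuard(now) {
  const perAccount = new SlidingWindowLimiter({ limit: 5, windowMs: 15 * 60 * 1000, now });
  const perClient = new SlidingWindowLimiter({ limit: 20, windowMs: 15 * 60 * 1000, now });
  return (accountId, clientId) => {
    const accountOk = perAccount.allow(accountId);
    const clientOk = perClient.allow(clientId);
    return accountOk && clientOk; // both counted even if one already refused
  };
}

// Confirmation e-mail re-sends: the key is the recipient address, which is what
// an e-mail bombing run holds constant. Invite/promo code attempts would use
// the same class keyed on the account or client submitting the guesses.
function makeResendMailGuard(now) {
  const perRecipient = new SlidingWindowLimiter({ limit: 3, windowMs: 60 * 60 * 1000, now });
  return recipient => perRecipient.allow(recipient.trim().toLowerCase());
}
```

The in-memory map is per process; behind a load balancer the counters belong in a shared store (the same sliding window is easy to express over sorted sets), otherwise each backend hands out its own budget and the limit multiplies by the number of instances.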
HackerOne: External links should use rel="noopener" or use the redirect service
This is a rather low severity one, and successful exploitation relies on unlikely user interaction as well as the ability to control the HTML output of a remote host. Furthermore it is a kind of new hardening feature in some browsers. Though one can work around this using "noreferrer", which is...
Mail.ru: Logical Vulnerability : REDIRECTING on pw.mail.ru by Parameter Spoofing
Hi Mail.ru, I was surfing on your website and trying to find a Reflected Cross-site Scripting vulnerability, so I was trying to find a way to inject my payload into a LINK. While surfing I found this link: https://pw.mail.ru/validate/index.html?refurl=pw.mail.ru Screenshot:...
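Validating a `return`/`refurl` style parameter so it can only lead to a same-origin path, never to another site or a `javascript:` URL, as an added example for this entry and for the OLX/dubizzle open redirect above (this is not Mail.ru's or dubizzle's code). The origin, function name and fallback path are assumptions for the example.

```javascript
// Added example (not dubizzle's or Mail.ru's code): a return-URL validator
// that resolves the value against our own origin and keeps only the path.
const SITE_ORIGIN = 'https://jobs.example.com'; // assumed origin for the example

function safeReturnUrl(value, origin = SITE_ORIGIN) {
  const fallback = '/';
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) return fallback;
  // Control characters and backslashes: the URL parser treats "\" like "/"
  // for http(s), so "/\evil.example.org" would otherwise become "//evil...".
  if (/[\u0000-\u001f\\]/.test(value)) return fallback;
  let target;
  try {
    target = new URL(value, origin); // relative values resolve against our origin
  } catch (e) {
    return fallback;
  }
  // "javascript:prompt(31)" parses with protocol "javascript:" and origin
  // "null"; "//evil.example.org" parses as protocol-relative and lands on
  // another origin; "https://jobs.example.com@evil.example.org/" puts our
  // name in the userinfo. All of them fail the origin comparison.
  if (target.origin !== origin) return fallback;
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return fallback;
  return target.pathname + target.search + target.hash;
}
```

Note that a bare hostname such as `pw.mail.ru` (the form in the Mail.ru link) has no scheme and resolves here as a relative path, which is harmless; if the application itself prepends `https://` to the parameter before redirecting, the validation has to run after that step, on the string that will actually be sent in the Location header.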
Shopify: Full access to Amazon S3 bucket containing AWS CloudTrail logs
An Amazon S3 bucket used internally by Shopify was misconfigured, allowing external users to read, write and list objects. The excess permissions have been removed...
VK.com: Checking whether user liked the media or not even when you are blocked
PoC: Take 2 accounts, A and B. 1. Now from A's id make a random post, say http://vk.com/id307083341?w=wall30708334136 2. Now from C's id try to like the post of A. 3. Now from B's id visit https://vk.com/dev/likes.getList 4. Now put the owner id (A) and the post id == 307083341, which is 36 in this case 5. and i...
Vimeo: Legacy API exposes private video titles
Hi, I have discovered Vimeo's legacy API vimeo.com/api exposes private video titles. Example URL: https://vimeo.com/api/oembed.json?url=https%3A//vimeo.com/152133387 Vimeo provides the uploader with 5 privacy options for viewing videos: 1. Anyone 2. Only me 3. Only people I follow 4. Only people ...
Cloudflare: Clickjacking : https://partners.cloudflare.com/
Hey, the title of the submission defines the issue very clearly, which is clickjacking at https://partners.cloudflare.com/; this subdomain is missing X-Frame-Options headers. As this subdomain contains a partner login, it is dangerous to have this type of issue. You understand better what I mean; attached a...
Coinbase: HTML injection in apps user review
Just watch this video https://www.dropbox.com/s/360cytluyiw2ym9/HTMLI.mp4?dl=0 This is about a full fake login exploit https://www.youtube.com/watch?v=5iRylyJTzWc...
Coinbase: SPF records not found
There is no TXT record in the DNS zone that defines a Sender Policy Framework entry for the domain api.coinbase.com. These are best practices and need to be configured in DNS records to protect your mail servers. Using SPF records will help in spam filtering, as SPF records help in verifying the...
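What the three mail-spoofing entries on this page (Mixmax "SMTP protection not used", Legal Robot "Email spoofing possible", and this one) actually turn on, as an added example (this is none of those companies' code): the qualifier on the SPF `all` mechanism, and whether a DMARC policy ties the visible From: domain to that result. Real records come from `dns.resolveTxt()`; the records used here are constructed inline so the evaluator runs offline, and the function names are assumptions for the example.

```javascript
// Added example (not Mixmax's, Legal Robot's or Coinbase's code): classify a
// domain's SPF record and its _dmarc policy.

// SPF: the qualifier on the "all" mechanism decides what happens to a sender
// not listed in the record. "-all" is the strict policy the reports ask for;
// "~all" (softfail) usually means the spoofed mail is delivered and merely
// marked; a record with no "all" term treats unknown senders as neutral.
function evaluateSpf(txtRecords) {
  const spf = txtRecords.filter(r => /^v=spf1(\s|$)/i.test(r.trim()));
  if (spf.length === 0) return { status: 'missing', reason: 'no v=spf1 TXT record', terms: [] };
  if (spf.length > 1) return { status: 'invalid', reason: 'multiple SPF records are a permerror (RFC 7208)', terms: [] };
  const terms = spf[0].trim().split(/\s+/).slice(1);
  const allTerm = terms.find(t => /^[+\-~?]?all$/i.test(t));
  if (!allTerm) return { status: 'weak', reason: 'no "all" mechanism; unlisted senders are neutral', terms };
  const qualifier = /^[+\-~?]/.test(allTerm) ? allTerm[0] : '+';
  const verdicts = {
    '-': ['strict', '-all: unlisted senders fail'],
    '~': ['softfail', '~all: unlisted senders soft-fail, typically delivered and marked'],
    '?': ['weak', '?all: unlisted senders are neutral'],
    '+': ['open', '+all: every sender passes'],
  };
  const [status, reason] = verdicts[qualifier];
  return { status, reason, terms };
}

// DMARC (published at _dmarc.<domain>) is what makes receivers check that the
// From: header domain aligns with the SPF/DKIM result and tells them what to
// do on failure. SPF with -all alone does not protect a From: header whose
// domain never appears in the SMTP envelope.
function evaluateDmarc(txtRecords) {
  const rec = txtRecords.find(r => /^v=DMARC1\b/i.test(r.trim()));
  if (!rec) return { status: 'missing', policy: null, tags: {} };
  const tags = Object.fromEntries(
    rec.split(';')
      .map(kv => kv.trim())
      .filter(kv => kv.includes('='))
      .map(kv => {
        const i = kv.indexOf('=');
        return [kv.slice(0, i).trim().toLowerCase(), kv.slice(i + 1).trim()];
      })
  );
  const policy = (tags.p || 'none').toLowerCase();
  const status = policy === 'reject' ? 'strict' : policy === 'quarantine' ? 'partial' : 'weak';
  return { status, policy, tags };
}

// Constructed records. The non-sending host shows the right answer for a
// subdomain such as an API endpoint: it publishes SPF precisely so that
// nothing may send as it.
const SAMPLE_DOMAIN_TXT = ['google-site-verification=abc123', 'v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all'];
const SAMPLE_DMARC_TXT = ['v=DMARC1; p=reject; rua=mailto:dmarc@example.com'];
const SAMPLE_NON_SENDING_HOST_TXT = ['v=spf1 -all'];
```

When the reported record evaluates to `softfail`, the complaint in these reports is accurate as far as it goes; the effective fix is `-all` together with a DMARC policy of `p=reject` (after monitoring with `p=none` to find legitimate senders), since receivers act on DMARC, not on SPF alone.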