Shopify: *.shopify.com - Authentication bypass
I've found a flaw in the authentication process when accessing the website https://upcoming.shopify.com. There seems to be HTTP Authentication in place to prevent access without authentication. Please follow the POC below to get access to https://upcoming.shopify.com without login. The website is...
GSA Bounty: open redirect in eb9f.pivcac.prod.login.gov
PoC: https://eb9f.pivcac.prod.login.gov/?nonce=wI0UglN84A06Q4z4JnkZVc3i1V8%3D&redirecturi=https%3A%2F%2Fgoogle.com%23%40secure.login.gov%2Flogin%2Fpivcac Visit this and it will redirect to google.com. Impact: phishing...
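The payload above works because the redirect target is checked as a string rather than as a URL: `secure.login.gov` does appear in it, but only after the `#`, so the browser's authority is `google.com`. The following is an added example (not login.gov's code) contrasting a substring allow-list check with a parse-based one; the allowed host and function names are assumptions for illustration.

```javascript
// Added example (not the login.gov code from the report): a substring-based allow-list
// check accepts the report's payload, while parsing the URL and comparing the real host
// rejects it. The allowed host is an assumption for illustration.
const ALLOWED_HOSTS = new Set(['secure.login.gov']);

// Naive check: "does the allowed host appear somewhere in the string?" This is the
// shape of most open-redirect bugs; anything after '#' or '@', or a look-alike
// subdomain, fools it.
function isSafeRedirectNaive(uri) {
  for (const host of ALLOWED_HOSTS) {
    if (uri.includes(host)) return true;
  }
  return false;
}

// Hardened check: parse with the same rules the browser uses (WHATWG URL), then compare
// scheme and hostname exactly. Relative or malformed values are rejected, not guessed at.
function isSafeRedirect(uri) {
  let url;
  try {
    url = new URL(uri);
  } catch {
    return false;
  }
  return url.protocol === 'https:' && ALLOWED_HOSTS.has(url.hostname);
}

// The redirect URI value from the report, URL-decoded.
const REPORT_URI = decodeURIComponent(
  'https%3A%2F%2Fgoogle.com%23%40secure.login.gov%2Flogin%2Fpivcac'
);

// Where the browser would actually go: the authority ends at '#', so the host is google.com.
function effectiveHost(uri) {
  return new URL(uri).hostname;
}
```

The parse-based check also rejects `https://secure.login.gov@evil.example/` (userinfo trick) and `https://secure.login.gov.evil.example/` (suffix trick), which a substring check lets through.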
Mail.ru: XSS on the site https://warofdragons.my.games/.
Reflected XSS via GET parameter in https://warofdragons.my.games...
MTN Group: Information Disclosure: FrontPage Configuration Information (/_vti_inf.html) on https://www.mtn.co.za/
Hi there, I found an information disclosure of the Microsoft FrontPage configuration on the subdomain https://www.mtn.co.za/ that allows me to see the version number and scripting paths of SharePoint using Firefox. POC: Go to the following URL: https://www.mtn.co.za/_vti_inf.html and you will see a blank page...
Node.js third-party modules: [treekill] RCE via insecure command concatenation (Windows only)
I would like to report an RCE issue in the treekill module. It allows executing arbitrary commands remotely on the victim's PC. Module: module name: treekill, version: 1.0.0, npm page: https://www.npmjs.com/package/treekill. Module Description: treekill a process and all its children and child...
Node.js third-party modules: gitlabhook OS Command Injection
I would like to report OS Command Injection in gitlabhook. It allows execution of arbitrary code on the remote server that waits for instructions from GitLab. Module: module name: gitlabhook, version: 0.0.17, npm page: https://www.npmjs.com/package/gitlabhook. Module Description: This is an easy to u...
GSA Bounty: Information disclosure (system username, server info) in the x-amz-meta-s3cmd-attrs response header on data.gov
Hi Team, I noticed that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like the system username, on data.gov: x-amz-meta-s3cmd-attrs: uid:0/gname:root/uname:root/gid:0/mode:33184/mtime:1513269652/atime:1513269652/md5:2049644b6b833f5dbb826f60a4721f64/ctime:1513269652 Server:...
GitLab: Private System Note Disclosure using GraphQL
Summary: When you use the REST API or UI to view an issue's discussion/notes, private system notes are hidden and shown to members only, such as moving an issue to a private project, marking an issue as a duplicate of a confidential issue, or someone mentioning this issue in a confidential issue. They are properly...
Starbucks: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
@geekjeremy, at the same time as other hackers who submitted their own reports, discovered a browsable WSDL service on an API endpoint under the starbucks.com.cn domain, running on a non-standard port. @geekjeremy demonstrated that the service had several functions that executed without any...
phpBB: CSS injection via BB code tag "█████"
The input to the "█████" BBcode tag is not properly filtered. It gets converted into a CSS style attribute for a span HTML element. Quotes " are removed, so there's no way to break out of the CSS style attribute. However, it is possible to arbitrarily dress the resulting span element. To illustra...
Omise: Failure to Invalidate Session after Password Change
While conducting my research I discovered that the application fails to invalidate sessions after a password change. In this scenario changing the password doesn't destroy the other sessions which are logged in with the old password. Steps to Reproduce: Video PoC attached. Step By...
WePay: Active mixed content issues on the site https://stage-go.wepay.com.
Hello. Summary: The page https://stage-go.wepay.com/static/ contains active mixed content. Description: Passive mixed content is content sent over HTTP that is contained in an HTTPS page, but which cannot change other parts of the page. For example, an attacker can replace a picture sent via HTTP...
Starbucks: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/
This report from @spaceraccoon demonstrated a valid attack resulting in RCE and full compromise of the target. The detailed and thorough report was especially helpful throughout the triage process, and ultimately helped us reproduce and resolve the issue as quickly as possible. The vulnerable sit...
U.S. Dept Of Defense: [Critical] Full local filesystem access (LFI/LFD) as admin via Path Traversal in a misconfigured Java servlet on https://███/
Description: Hello. I discovered a Path Traversal issue on https://██████████/. I was able to turn it into a local file read, and after a series of tests determined that it's possible to reach sensitive system files with administrator rights. POC: The next request will read the...
Notepad++: No SearchEngine sanitizing can lead to command injection
Information: Summary: Notepad++ is vulnerable to a command injection vulnerability. Debug Info: Notepad++ v7.6.3 32-bit, Build time: Jan 27 2019 - 17:20:30, Path: C:\Program Files x86\Notepad++\notepad++.exe, Admin mode: ON, Local Conf mode: OFF, OS: Windows 10 64-bit, Plugins: none. Description:...
Semrush: XSS Reflected on my_report
Hello again. This time, besides the HTML injection, a full XSS goes through in the user's dashboard. Payload: https://www.semrush.com/myreports/api/v1/document%22%3E%3Cimg%20src=x%20onerror=alert(document.cookie)%3E/4007861 PoC: in the screenshot. Impact: theft of session cookies...
HackerOne: Response program can create bounty table
Summary: Following the H1 document https://docs.hackerone.com/programs/bounty-tables.htmlgatsby, creating a bounty table is only available for bounty programs. Description: Step 1: Create a request to the GraphQL entrypoint. Step 2: Change the team id in the parameter like this: "teamid":"Z2lkOi8vaGFja2Vyb25lL1RlYW0vMzYyOTE="...
RATELIMITED: Server header discloses the OS and web server version
The Server header was present and disclosed the version of the web server and OS in HTTP responses...
Mail.ru: [e.mail.ru] Stored XSS in Mpop cookie
XSS on the e.mail.ru domain via cookie content (XSS in a cookie via MITM). Good article - https://habr.com/en/post/460101/ by @w2w...
Mail.ru: server-status
Apache server-status was available at jw-cn-test-1.ext.terrhq.ru...
Vanilla: Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability
Summary: An authenticated admin user can inject an unserializable password into another user's account. Later, when attempting a login with that user, the attacker can trigger a call to unserialize in the splitHash function. By using a custom POP chain to write into the constants.php file, an...
Weblate: Comment flood: no rate limit on comments by using a different user agent
It was possible to post 200-300 comments within minutes; there was no rate limiting applied...
Node.js third-party modules: Command Injection Vulnerability in libnmap Package
I would like to report a command injection vulnerability in libnmap. It allows an attacker to inject arbitrary OS commands instead of a valid network range to be scanned. Module: module name: libnmap, version: 0.4.11, npm page: https://www.npmjs.com/package/libnmap. Module Description: API to access...
Node.js third-party modules: Prototype Pollution Vulnerability in mpath Package
I would like to report a prototype pollution vulnerability in mpath. It allows an attacker to inject arbitrary properties on Object.prototype. Module: module name: mpath, version: 0.4.1, npm page: https://www.npmjs.com/package/mpath. Module Description: Get/Set JavaScript object values using MongoDB-like...
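The mechanism behind the mpath report, shown as an added example rather than mpath's own code: a MongoDB-style dotted-path setter that creates intermediate objects as it walks the path will happily walk through `__proto__` and land on `Object.prototype`. The hardened setter below refuses the segments that reach the prototype chain and only descends into own properties; the function names are chosen for this example.

```javascript
// Added example, not mpath's code: a MongoDB-style dotted-path setter of the kind the
// report describes. setUnsafe walks (and creates) every path segment, so a path such as
// "__proto__.polluted" writes onto Object.prototype and every object in the process then
// sees the property. setSafe refuses the segments that reach the prototype chain and
// only ever descends into the target's own properties. Names are chosen for this example.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setUnsafe(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] == null) cur[parts[i]] = {};
    cur = cur[parts[i]];           // "__proto__" resolves to Object.prototype here
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

function setSafe(obj, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_SEGMENTS.has(p)) throw new Error('refusing path segment ' + JSON.stringify(p));
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};               // never follow an inherited property
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs the pollution against a throwaway object, observes it on a fresh object, then
// removes the property again so the rest of the process is not left polluted.
function demonstratePollution() {
  setUnsafe({}, '__proto__.pollutedByDemo', 'yes');
  const seenByFreshObject = ({}).pollutedByDemo === 'yes';
  delete Object.prototype.pollutedByDemo;
  const afterCleanup = ({}).pollutedByDemo === undefined;
  return { seenByFreshObject, afterCleanup };
}
```

Rejecting the three segment names is the minimum; the own-property guard matters too, because an inherited name such as `toString` would otherwise be followed into `Object.prototype` and then written to.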
Node.js third-party modules: Command Injection in ps Package
I would like to report a command injection in the ps package. It allows an attacker to inject arbitrary OS commands instead of PID numbers. Module: module name: ps, version: 0.0.2, npm page: https://www.npmjs.com/package/ps. Module Description: A Node.js module for looking up running processes. Module Stats...
Vanilla: Bypassing the Trusted Link Alert System
Summary: I have discovered a means of bypassing the system that alerts users of an untrusted link, utilizing the Right-to-Left Override Unicode character. The alert looks like this: https://i.imgur.com/9rp1K7b.mp4 Description: For this demonstration, I have added "facebook.com" to the trusted...
Mail.ru: Nginx variable values output in the page body
When requesting a URL of the form https://biz.mail.ru/$nginx_variable_name, the value of that variable ends up in the 404 response page, in every place of the form: e.mail.ru/login?lang=ru_RU&Page=https%3A%2F%2Fbiz.mail.ru%2F<nginx_variable_value> Example requests: 1. https://biz.mail.ru/test$realpath_root in the response:...
Basecamp: Remote code execution on Basecamp.com
A critical flaw in Basecamp's profile image upload function leads to remote command execution. Images are converted on the server side, but not only image files but also PostScript/EPS files are accepted if renamed to .gif. This is probably due to ImageMagick / GraphicsMagick being used for image...
Liberapay: Exploiting JSONP callback on /username/charts.json endpoint leads to information disclosure despite user's privacy settings
Hello! Vulnerability Details: The /username/charts.json endpoint can return a JSONP callback due to the fact that jsonpdump is used in the file charts.json.spt. It appears that the content of the JSONP request depends on the authentication of the user. If the user enabled the privacy setting which...
Liberapay: CSRF token does not change after logging in/out many times
Hello team, your CSRF token did not expire, and after logging in and out many times I found that your CSRF token is generated the same as the last one. Impact: if an attacker found an XSS on your domain and you fixed it, but the attacker still has the CSRF token of the user, the attacker can use it to perform any action...
Mail.ru: Exposed phpinfo() on the site https://agent.mail.ru
phpinfo was available on agent.mail.ru. agent.mail.ru is not currently covered by the bug bounty program...
Node.js third-party modules: Privilege escalation allows any user to add an administrator
I would like to report a privilege escalation in the npm module express-cart. It allows a normal user to add another user with administrator privileges. Module: module name: express-cart, version: 1.1.5, npm page: https://www.npmjs.com/package/express-cart. Module Description: expressCart is a fully...
Node.js third-party modules: Fastify denial-of-service vulnerability with large JSON payloads
Module: Fastify - https://www.npmjs.com/package/fastify Affected versions: <=0.37.0 (all versions before 0.38.0) Summary: A denial-of-service attack can be performed against servers running Fastify by sending a request with "Content-Type: application/json" and a very large payload. Description: Fasti...
VK.com: Manipulating the "Suggest stickers in input fields" setting on users' pages
The hash was missing from requests when changing sticker settings. A small mistake in the report: to enable, put 1 at the end. Enable: https://m.vk.com/attachments?ajax=1&act=stickershintsenabled&value=1 CSRF - the ABSENCE of the hash makes it possible to toggle input-field suggestions in the mobile version of VK! Thus...
GitLab: SQL injection in MilestoneFinder order method
The MilestoneFinder is a class used to find milestones based on group or project identifiers. The class is used in multiple controllers. It allows filtering based on state and can be used to order the result set. One of the uses can be found in Groups::MilestonesController. When the index...
Open-Xchange: Adding external participants to unaccessible appointments
Description: When making an appointment, users are able to invite additional participants who do not have an Open-Xchange account. However, it appears that any user can invite external participants to any appointment, even if this appointment is not accessible to him. Additionally, using the same bug...
Aspen: No Rate Limit (Leads to huge email flooding/email bombing)
Dear sir, At first, I want to say that this sensitive action definitely should be rate limited. Note: This is about huge bombing/brute force on any endpoints. Vulnerability: No rate limit has been set for generating account confirmation emails for accounts on the above selected domain, which i...
Weblate: Add another email address without verification
Introduction: In the normal case, to link another email address to a Weblate account, users need to own the email address and click the verification link. However, I found an issue that allows adding another email address without clicking the verification link. Description and PoC: Create a...
Upserve : Ability to create own account UUID leads to stored XSS
I found an interesting bug where the system allows a user to create their own UUIDs. There are character length restrictions on this action; however, it's not bound to a specific set of characters. Even so, I was able to include an external script that I URL-shortened to just hit the character lim...
Mail.ru: The auth token does not expire on logging out, even after logging out of all sessions
The API token for web.icq.com was not expired after user logout...
WakaTime: Session not expired on logout
Description: Session management issue in https://wakatime.com. Cookies are used to maintain the session of a particular user and they should expire once the user logs out of his account. In a secure web application, cookies immediately expire once the user logs out. But this is not...
shopify-scripts: Null pointer dereference with send/method_missing
The following program triggers a null pointer dereference with mruby b200c747:
```ruby
def method_missing(m)
ensure
  begin
    A
  rescue
    break
  rescue
  end
end
send ''
```
ASAN report:
```text
ASAN:DEADLYSIGNAL
=================================================================
==12116==ERROR: AddressSanitizer: SEGV on...
```
Weblate: OPTIONS method enabled
Description: The HTTP OPTIONS method is enabled. Affected URLs: https://demo.weblate.org/ https://weblate.org/en/ https://hosted.weblate.org PoC: curl -X OPTIONS https://hosted.weblate.org -vv Output: aku@galau:$ curl -X OPTIONS https://hosted.weblate.org -vv Rebuilt URL to: https://hosted.weblate.org/...
Paragon Initiative Enterprises: Full directory path listing
STEPS: 1. Go to https://bridge.cspr.ng/login and enter your username and password. 2. Click "LogIn" and intercept the request. 3. Change the value in the Cookie header and add a single quote in the PHPSESSID field, e.g.: PHPSESSID=kn7e21dpp2ocai2ckn1v147qev' 4. Forward the packet and see the full pa...
Paragon Initiative Enterprises: Directory Disclosure, Email Disclosure, Zendmail vulnerability
I found three vulnerabilities: directory information disclosure, email address disclosure, and possible remote code execution in Zendmail during signup. Your code accepts usernames with ', ", /, @ while all of the special characters must be forbidden or encoded in the username. Directory Disclosure: 1. Go to the sign-up pa...
Internet Bug Bounty: CVE-2017-8798 - miniupnp getHTTPResponse chunked encoding integer signedness error
Integer signedness error in miniupnpc 1 allows remote attackers to cause a denial of service condition (access violation and heap corruption) via a specially crafted HTTP response. An integer signedness error was found in miniupnp's miniwget, allowing an unauthenticated remote entity typically located...
Paragon Initiative Enterprises: I am because bug
I'm because I hacker found bug because I report this bug I want to report a bug and because want some $$$$ so please because you are telling me how much you pay money so I give you bug. Me because very poor :' want money because father :' F181832 Thank you wish you because pay lots $$$$$$$$...
Dashlane: Throttling Bypass - ws1.dashlane.com
Description: The host at ws1.dashlane.com throttles requests based on the IP address of the user after a certain number of repeated requests. By adding the X-Forwarded-For header, an attacker can bypass the throttling completely, rendering the security measure ineffective against DoS attacks. Proo...
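The bypass above works whenever the throttle's client key is read from X-Forwarded-For, a header the sender controls. The following added example (not Dashlane's code) shows a throttle keyed that way being reset on every request, next to one keyed on the TCP peer, or, when the peer is a proxy on a trusted list, on the rightmost address that proxy appended. The limit, addresses and request objects are constructed for the demo.

```javascript
// Added example, not Dashlane's code: a request throttle keyed on X-Forwarded-For can be
// reset at will, because the client chooses that header; one keyed on the TCP peer, or on
// the hop appended by a proxy you actually trust, cannot. Requests are plain objects
// constructed inline; the limit and addresses are assumptions for the demo.
const LIMIT = 5;

class Throttle {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.counts = new Map();
  }
  // Returns true while the client's count is within LIMIT.
  allow(req) {
    const key = this.keyFn(req);
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n <= LIMIT;
  }
}

// Vulnerable: the first X-Forwarded-For entry is whatever the sender typed.
function keyByForwardedFor(req) {
  const xff = req.headers['x-forwarded-for'] || '';
  return xff.split(',')[0].trim() || req.socket.remoteAddress;
}

// Hardened: only consult X-Forwarded-For when the peer is a proxy we trust, and then
// take the rightmost entry that is not itself a trusted proxy (that is the address the
// trusted proxy observed; everything to its left is client-supplied).
function keyByTrustedHop(trustedProxies) {
  return (req) => {
    const peer = req.socket.remoteAddress;
    if (!trustedProxies.has(peer)) return peer;
    const hops = (req.headers['x-forwarded-for'] || '')
      .split(',').map((s) => s.trim()).filter(Boolean);
    for (let i = hops.length - 1; i >= 0; i--) {
      if (!trustedProxies.has(hops[i])) return hops[i];
    }
    return peer;
  };
}

// One attacker at a single address sends n requests, each with a freshly invented
// X-Forwarded-For value. Returns how many the throttle let through.
function attackerRequestsAllowed(throttle, n) {
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    const req = {
      headers: { 'x-forwarded-for': `10.0.${i >> 8}.${i & 255}` },
      socket: { remoteAddress: '203.0.113.7' },
    };
    if (throttle.allow(req)) allowed++;
  }
  return allowed;
}
```

Walking the header from the right is what keeps a legitimate deployment behind a load balancer working: the balancer appends the real client address last, and anything the client put in front of it is ignored.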
Mapbox: Open Aws Amazon S3 Buckets
Security researcher @saadahmed reported two Mapbox owned S3 buckets with public-read ACL. One of these, mapbox-js, was public-read by design, the other however was not and subsequently was switched to a private ACL. Thank you again @saadahmed, we appreciate you keeping Mapbox security in mind...
HackerOne: Able to create basic user account via Google login on HackerOne Drupal CMS
Summary: Hi, I've found that hackerone.com has Drupal installed, and when I navigated to this URL https://www.hackerone.com/user/password I found "Log in" and a "password reset" option. When I clicked on login it redirected me to Google login. Then I logged in using my Gmail account and it redirected to...