Open-Xchange: A specially crafted message sent to the local delivery agent (LMTP) causes the LMTP child process to issue a panic (call i_panic)
Summary: Sending a message to the local delivery agent with more MIME parts than the Dovecot core threshold results in an i_panic. In the case of the LMTP server it causes the child to abort the connection. I believe that this can be quite problematic if such a message lands in th...
Omise: Authenticity token doesn't expire after single use, leading to CSRF
Summary: Once you said that you use a Ruby framework for making the authenticity token, which acts as CSRF protection. You also sent me this to help me understand it: https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef . After looking, I found that an authenticity token c...
HackerOne: GraphQL field on Team node can be used to determine if External Program runs invite-only program
On 19th May, a new parameter policymarkdownhtml was introduced in the team GraphQL query. Using a GraphQL query, we are able to determine whether an external program is running privately on HackerOne, as the policymarkdownhtml parameter was able to fetch the private internal policy. Note: Using this parameter, it wa...
Starbucks: Singapore - Account Takeover via IDOR
ko2sec discovered that an alternate site shared database and cookie credentials with card.starbucks.com.sg. By exploiting an endpoint on the alternate site, ko2sec was able to copy a PHPSESSID cookie value from that site over to card.starbucks.com.sg and then see user information, update the...
U.S. Dept Of Defense: Admin Login Credential Leak for DoD Gitlab EE instance
Summary A DoD employee/contractor exposed the ███ password in a GitHub repository █████████ leading to full ███ access in a DoD DISA-associated private Gitlab EE instance ███. Description The IP address ████ recently hosted the subdomain █████████ as of 2019-09-23. ██████ Now port 80 points to a...
Shopify: [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation
Summary: In 791775, I submitted a bug on Sunday at 5pm Canada time; it was triaged two hours later, and I got the temp fix message at around 3am the next day Canada time. Truly awesome. The next day I retested after the first fix, and found that I - Cannot receive the email confirmation in the ema...
Internet Bug Bounty: Squid as reverse proxy RCE and data leak
Summary: This was a very difficult experience, as the Squid maintainers took a long time to answer. I tried getting help from HackerOne support and Dropbox support to no avail, and the Internet Bug Bounty never e-mailed me back. What could have taken a few days took months. The vulnerability concerns a...
Affirm: Absence of Token expiry leads to Unauthorized login Access
Summary: While testing the mobile app, I observed that it is possible to bypass the authentication and gain unauthorized access to the user's account by brute-forcing the PIN, due to the lack of login token expiry. The way Affirm mobile login works is that the user inputs the phone numbe...
Rocket.Chat: API Keys Hardcoded in Github repository
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: API keys are ha...
curl: curl successfully matches IP address literal in URL against IP address literal in certificate Common Name
Summary: A user may invoke the curl command line utility with an IP address literal in the URL, such as https://192.168.124.2/... If the HTTPS server presents a certificate whose Common Name matches this IP address literal as a string (that is, the Common Name is the ASCII string 192.168.124.2), then...
New Relic: Host Header Injection
Reproduction: 1- Open the reset link https://login.newrelic.com/passwords/forgot 2- Enter the victim's email address and click "Reset and Email Password" 3- Intercept the HTTP request in Burp Suite, add an X-Forwarded-Host header and write attacker.com/.newrelic.com; the link will be like...
Railto LLC: Administrator access to staging.railto.com
Summary: Hey team, while doing some recon for railto sub-domains, I came across a critical bug which gives me complete access to https://staging.railto.com. I can add anything and remove anything, as I got ADMIN level privilege. Steps 1. Go to the https://staging.railto.com/admin url. 2. Se...
Ruby: OS Command Injection via egrep in Rake::FileList
When a file whose name starts with | is in a Rake::FileList, then egrep will execute the command. How to reproduce: the PoC pocrake.rb is the following: require 'rake'; list = Rake::FileList.new(Dir.glob('*')); p list; list.egrep(/something/) Example of executing. % ls -1 Gemfile...
Radancy: Wrong link on corne.maximum.nl
Domain and URL: corne.maximum.nl Hello, I noticed that your subdomain corne.maximum.nl links to the website "maximum.com" instead of "maximum.nl". "maximum.com" is in the control of a Chinese organization, as you said in your description. I think you've made a little mistake, but there is no impact :...
Weblate: HTML injection and information disclosure in support panel
Hello Weblate Team! I found HTML injection and information disclosure in the support panel. Description: There is a form on weblate.org and hosted.weblate.org to send a message to support. I poisoned the request, inserting the following payload in all fields: " After that, when my payload got into the support panel...
curl: libcurl: SMTP end-of-response out-of-bounds read - CVE-2019-3823
libcurl contains a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp isn't NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol call reads beyond the allocated buffer. The read conten...
OLX: XSS inside HTML Link Tag
Hello, I discovered an XSS in sharjah.dubizzle.com. The XSS is reflected inside an HTML link tag, so it needs some conditions to trigger the payload. Steps to Reproduce - Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert1337...
Starbucks: XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx
Description: Hi guys, when I visited the Starbucks jobs website in China (https://ecjobs.starbucks.com.cn), I found a feature for uploading the user's photo. By bypassing the security restrictions of the upload, I can upload html|xhtml|xml|config files etc. The uploaded html file can realize the...
Node.js third-party modules: [bower] Arbitrary File Write through improper validation of symlinks while package extraction
I would like to report a file write to arbitrary locations via the install command in bower. It allows attackers to write arbitrary files when a malicious package is extracted. Module: module name: bower, version: 1.8.4, npm page: https://www.npmjs.com/package/bower Module Description: Bower offers a generi...
RubyGems: 65534 times efficient, Brute-force attack for api_key
I have found that the type checking for api_key is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/application_controller.rb#L63 ruby def authenticate_with_api_key api_key = request.headers["Authorization"] || params[:api_key] @api_user =...
Chaturbate: Missing Rate Limitation at /photo_videos/photoset/create
Hello, I discovered that one is able to create an unlimited number of albums via /photo_videos/photoset/create/ Steps To Reproduce: 1. Login and go to http://fr.chaturbate.com/photo_videos/photoset/create/ 2. Fill in the form 3. Enable a proxy interception tool, e.g. Burp Suite 4. Click Save 5. Send the POST...
Grammarly: "More on Wikipedia" link disclose "Referrer" and leak `window.opener` reference for arbitrary websites
Summary: "Referrer" leak: the http:// link to Wikipedia transfers the Referrer header, which allows a remote attacker with MITM access to sniff the Referrer URL for important tokens after the user follows the "More on Wikipedia" link. Controllable page: MITM with window.opener pointing to the navigation-initiated webpage...
Mail.ru: ADDING ONE'S OWN DATES TO A USER'S CALENDAR!
The reporter pointed to the possibility of marking a scheduled meeting request sent via an ICS file as accepted in the calendar via CSRF, by brute-forcing the attachment id. Currently, this behavior is not believed to introduce real additional security risks, because the meeting can be added anyway without the user's intervention...
New Relic: Missing security best practices (leads to further impact)
Vulnerabilities: 1. Use of old passwords is possible; the current password can be used as the new password. 2. An email notification is not sent to the linked mail account while changing passwords. Steps to reproduce the two issues: create an account with a password, for example badcracker@123; change the password to...
Mail.ru: [e.mail.ru] XSS in search
Reflected XSS in e.mail.ru via GET parameters. Multiple reflected XSS in the mailbox via the search param. Timeline: Friday, July 6 2018, 23:26 – reported; Saturday, July 7 2018, 01:13 – triaged; Saturday, July 7 2018, 11:12 – temporary fix; Monday, July 23 2018, 14:25 – resolved...
Mail.ru: Blind XSS in the torg.mail.ru admin panel via a review
Blind XSS in the admin panel for torg.mail.ru. torg.mail.ru is not in the bug bounty program's scope; a bounty was awarded due to the high potential impact. Insufficient filtering leads to XSS in the administrative panel of one of the mail.ru subdomains via the username when leaving a review...
Zomato: [www.zomato.com] SQLi on `order_id` parameter
@saltedfish found that the parameter order_id was vulnerable to SQLi. POC for everyone to learn from this disclosed report - There was an endpoint which had order_id as one of the parameters. - Requesting '-if(1=2,'0','1')-' in the order_id parameter changed the Response Length, and upon further investigatio...
Ubiquiti Inc.: Two Factor Authentication Bypass
The researcher found a method to brute-force the 2FA code request in the www.ubnt.com login page. This method still requires the username/password from the account...
Valve: App name leakage on economy history page
App name leakage on economy history page Partners with authorization to view economy logs for their own titles could be presented with a list of all game titles that have used economy features...
Reverb.com: Persistent XSS in https://sandbox.reverb.com/item/
Description: I found a Persistent XSS in a listing page. The flaw is in the SoundCloud link that the listing owner can attach. The parameter is called productsoundcloudlinkattributeslink. There's no encoding of the user input, and it looks like there's only client-side validation. PoC: The payload:...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
SUMMARY: ==================== The DoD https://██████/psc/EXPROD1/ Web System uses the Oracle PeopleSoft platform, which is vulnerable to Remote Code Execution (RCE) and Denial of Service (DoS) attacks over a Java Object Deserialization (CWE-502) in the "monitor" service. Thus an attacker can generate an...
HackerOne: Extra program metrics disclosed via /PROGRAM_NAME json response
Summary: The response to www.hackerone.com/PROGRAM.json includes slamissedcount, slafailedcount and researchercount. Description: The response from a program's json endpoint includes the values for slamissedcount, slafailedcount and researchercount. With regard to the SLA metrics, these a...
VK.com: Viewing users' private videos
Viewing some private videos. VK decided to pay $100, but I changed their mind....
RubyGems: Delete directory using symlink when decompressing tar
In 2.7.6, the safety of the symlink is confirmed with mkdir_p_safe, but before that FileUtils.rm_rf(destination) is run. Therefore, if tmp/dir is specified after the symlink tmp -> /tmp, the directory /tmp/dir is deleted. Proof of concept: builder.rb ruby require 'rubygems/package' class GemBuiler def initialize(spec,...
Mail.ru: CSRF on lootdog.io
CSRF vulnerability in the phone/email change action. At the time of reporting, lootdog.io client-side vulnerabilities were not covered by the bug bounty...
Starbucks: Able to reset other user's password in https://card.starbucks.com.sg/
Description: On the website https://card.starbucks.com.sg/ there is a password reset function, https://card.starbucks.com.sg/forgetPassword.php, that sends the password reset link to the user's email. By using a web proxy to monitor the request, the email address can be changed to allow the attacker...
Informatica: [http://www.informatica.com]- info disclosure
The researcher identified and reported a sensitive information leak in one of our domains. He helped us in resolving the issue...
WordPress: Open Redirect on the nl.wordpress.net
Description: Hello. I discovered an Open Redirect vulnerability on nl.wordpress.org. Root cause: The 301 Redirect contains the full hostname followed by @ without a trailing slash, when using: GET /@google.com HTTP/1.1 Host: nl.wordpress.net User-Agent: Mozilla/5.0 Windows NT 6.1; Win64; x64;...
HackerOne: Domain spoofing in redirect page using RTLO
Summary: Hello, domains can be spoofed on the redirect page using RTLO. Description: Using http://[email protected] & the RTLO method, I found a way in which the redirect page's host detection can be spoofed. Steps 1. Insert this in a report: Just Click Here 2. On clicking the link, it will redirect to...
International Islamic University Chittagong: Improper error handler
During the analysis it was found that when we submit the form and try to upload a txt file, it shows an error page with internal path disclosure...
AlienVault : DOM Based XSS in https://threatcrowd.org
Hello AlienVault security team, I found a DOM Based XSS in https://threatcrowd.org via the report function. Proof of Concept, steps to reproduce: 1. https://threatcrowd.org/report.php?report= 2. Fill in with this payload: javascript:prompt(document.domain) 3. Send the link to the victim; when the victim clicks in to...
Nextcloud: Banner Grabbing - Apache Server Version Disclosure
Hello Nextcloud, I'd like to report a nice little bug. Banner grabbing is a technique used to gain information about a remote server. I've captured the HTTP request while visiting https://customerupdates.nextcloud.com an...
Internet Bug Bounty: CVE-2017-13008 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements().
Reported to the devs on 6 March 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/5edf405d7ed9fc92f4f43e8a3d44baa4c6387562 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements(). ./tcpdump -n ...
Coinbase: New Device Confirmation Bug
Device auto-confirmation appeared to be an issue, but was intended functionality...
HackerOne: Updating payout preference to CurrencyCloud doesn't notify user via email
When the payment method is changed in the user's payments, a notification about the change of payment method is sent to the user's email. However, the user does not always get a notification about a change of payment method: when the payment method is changed via "add payout method" on Payout Methods, such a notification is not...
Algolia: SAUCE Access_key and User_name leaked in Travis CI build logs
Hello Algolia team, I found that the SAUCE AccessKey and Username were leaked in the Travis CI build logs of the instantsearch.js product (lines 249 & 250). This can be used to perform every API call of Sauce Labs, e.g. creating a sub account. I created a test account for testing; sorry for this. You should...
Internet Bug Bounty: heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()
Reported to the Perl security mailing list on 25 August 2016. ==17057==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b978 at pc 0x0000004a9201 bp 0x7ffe97551890 sp 0x7ffe97551048 READ of size 61 at 0x60800000b978 thread T0 #0 0x4a9200 in __interceptor_memcmp...
GlobaLeaks: Information Disclosure
I have observed that the application is leaking information when accessing "https://demo.globaleaks.org/l10n/en". It does not restrict access to the file, which can possibly provide an attacker with information such as default credentials (test:test), the username for accessing administrative functions,...
Automattic: Broken Authentication - Security token gets captured via man in the middle attack
Product / URL: http://en.instagram-brand.com/register/reset/?email= Description and Impact: The password reset links issued by Instagram Brand get delivered to users' inboxes with an http scheme and NOT an https scheme. This allows an attacker to steal those links and perform mass account takeovers an...
Nextcloud: Missing SPF Flags on nextcloud.com
Hello NextCloud. Details: I just tested your domain, nextcloud.com, and I was surprised that I can send a legit-looking email to a user. Impact: An attacker can use this to send a legit-looking email to the victim, including malicious web links and phishing sites. Video Proof of Concept...