Shopify: Ability to link a Google account to another staff account/store owner that isn't linked yet
The https://pos-channel.shopifycloud.com/graphql-proxy/admin endpoint allows us to update the email address of a staff account that has a Shopify ID. Taking that into consideration, if a store is set up to use Google Apps as its login service and a staff member/store owner hasn't yet linked his account to a Google...
Nord Security: Reflected XSS via IE
The reporter found an HTML injection that led to XSS with several payloads. It is important to note that this attack vector was only applicable via Internet Explorer. In addition, Microsoft is gradually ending support for Internet Explorer 11 within 2020/2021...
U.S. Dept Of Defense: Subdomain takeover of ███
Summary: The subdomain ██████ had a CNAME record pointing to an unclaimed ███████ web service. This is a high severity security issue because an attacker can register the subdomain on ███ and therefore can own the subdomain █████████. Description: The dangling CNAME record of █████████ is pointin...
h1-ctf: [H1-2006 2020] CTF writeup
Context Well, against all expectations you finally get it, you got the flag! Let's go back in time to remember how. --- Twitter Once upon a time As always the CTF starts with a tweet: F855948 --- Subdomains According to the policy page, .bountypay.h1ctf.com is in scope. You decide to scan...
Radancy: [www.werkenbijbakertilly.nl] Denial of service due to incorrect server return can result in total denial of service.
Summary When sending too much data through file upload, the server returns an invalid 500 status code instead of the speed 429 status code, causing an internal denial of service. Description I uploaded a file from the https://www.werkenbijbakertilly.nl/vacatures/solliciteer/senior-hr-consultant-3...
Radancy: [www.werkenbijbakertilly.nl] Information Disclosure
The 50x status code server responded with an HTML page containing the nginx version. An update of the load balancer fixed the issue. Summary When the web server encountered a 502 Gateway error, I discovered a strange bug in which internal information was exposed. Description When web server 502...
Mail.ru: ICQ Android APP remote DoS
Memory corruption issue in GIF image processing leads to an ICQ for Android application crash with potential for code execution. Before testing and reporting DoS conditions please check @mailru rules and scope description to avoid signal/reputation loss; not every DoS report is accepted...
GitHub Security Lab: Golang : Add Email Content Injection query
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query to detect JNDI injections
This bug was reported directly to GitHub Security Lab...
h1-ctf: [H1-2006 2020] [CTF Writeup] A story about Bounty Payments, Collaboration & Community
H1-2006 CTF Writeup This is a story about both solving a CTF and, most importantly, about how to make friends during the journey and learn a lot of valuable things for the future. On a Friday evening I saw this tweet from HackerOne: F853545 Honestly, last CTF was really hard so I didn't really though...
Imgur: self-xss with ClickJacking can leads to account takeover in Firefox
Description Hi, I think I found a valid chain of issues here. ClickJacking issue: I discovered that there are some endpoints that permit framing imgur.com, with some limitations, but even in this case it is possible to carry out a proof of concept. One of the cases is in the /all/ directory of...
Lark Technologies: Stored XSS & SSRF in Lark Docs
A stored XSS (cross-site scripting) vulnerability was discovered in Lark Docs that could be escalated into a Server-Side Request Forgery (SSRF) vulnerability if opened in a headless browser on the Lark server. The vulnerability has been resolved. We thank @mike12 for reporting this to our team and...
Internet Bug Bounty: CVE-2020-9383 Floppy OOB read
A vulnerability was found in the Linux Kernel up to 5.5.6 (Operating System) and classified as critical. Affected by this issue is the function setfdc of the file drivers/block/floppy.c. The manipulation with an unknown input leads to a memory corruption vulnerability (Out-of-Bounds). Using CWE to declar...
Node.js third-party modules: [Uppy] Internal Server side request forgery (bypass of #786956)
I would like to report Internal Server-side request forgery in Uppy. It allows the attacker to easily extract information from internal servers. Module: module name: Uppy; version: 1.15.0; npm page: https://www.npmjs.com/package/uppy. Module Description: Uppy is a sleek, modular JavaScript file uploader...
GitHub Security Lab: [Java] CWE-939 - Address improper URL authorization
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CPP: Missing/incomplete TLS server certificate hostname validation
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query to detect open Spring Boot actuator endpoints
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: gagliardetto: Query to detect incorrect conversion between numeric types
This bug was reported directly to GitHub Security Lab...
h1-ctf: [H1-2006 2020] Solution for the h1-2006 CTF challenge
Hi, The flag is ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$. I didn't know I can send it prior to the report until I saw some disclosed solutions from the previous challenges. The report will follow later today. Regards @thehackerish Impact Multiple vulnerabilities on .bountypay.h1ctf.com allow ...
Open-Xchange: Null pointer deference in call to `mail_get_flags`
Run the test suite on the following input: require "vnd.dovecot.testsuite"; require "fileinto"; require "imap4flags"; require "mailbox"; test_set "message" text: Subject: Test message. Test message. . ; test "Flag changes between stores" fileinto :create "FolderA"; if not test_result_execute test_fail "failed...
Open-Xchange: null dereference in `sieve_address_do_validate` (or redundant null check)
Function sieve_address_do_validate in file sieve-address.c dereferences error_r if address == NULL: *error_r = "null address"; return FALSE; and then later checks for it being NULL: if (error_r != NULL) *error_r = str_c(ctx.error); So either there is a first null check missing, or the later ones are...
Open-Xchange: Panic in file smtp-address.c: line 684 (smtp_address_write): assertion failed: (smtp_char_is_qpair(*p))
Reproducer is running the test suite against file crash2.txt and getting the following output: ./src/testsuite/testsuite crash2.txt Test case: crash2.txt: testsuitecatena: Panic: file smtp-address.c: line 684 (smtp_address_write): assertion failed: (smtp_char_is_qpair(*p)) Abort trap: 6 Content of crash2.txt is...
Open-Xchange: Panic: Input stream data unexpectedly has references
Run the test suite binary on the following input: ./testsuite crash.txt with the crash.txt file being: require "vnd.dovecot.testsuite"; require "variables"; require "editheader"; set "message" text: From: [email protected] To: [email protected] Subject: Frop! Frop! . ; test_set "message" "$message"; test...
QIWI: PIN OK attack
A PIN OK attack is an attack in which a wedge device created for MiTM is used to substitute the response from the card during an offline PIN check and claim that the PIN was correct. Reproduction steps: An attacker with a stolen card, without knowledge of the correct PIN, can use either a so-called wedge device f...
h1-ctf: [H1-2006 2020] CTF write-up
Hello, thank you for the awesome CTF! I definitely learned a lot. For now I will submit just the Flag. I am going to follow up with the Writeup as soon as possible. ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Kind regards, Alex - hackingfish Attached: A screenshot of the site which is showing the...
Mail.ru: Sidekiq Dashboard Publicly accessible at http://shopper.staging.instamart.ru/sidekiq/
Sidekiq dashboard was externally available on the http://shopper.staging.instamart.ru/ server in the staging testing environment...
Engel & Völkers Technology GmbH: Information disclosure at https://printshop.engelvoelkers.com/packages/.bash_history
Hello! I found .bash_history in the home directory and this file was accessible through the web (screenshot in attachment). This file exposes sensitive information (history commands, directories, software version) that could help a malicious user to prepare more advanced attacks. POC:...
h1-ctf: [H1-2006 2020] "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers
Summary: Several vulnerabilities in the bountypay application lead to unauthorised access, information disclosure, SSRF and other fun stuff. Steps To Reproduce: This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long for their bounties. First part: Web I started by...
Mail.ru: lenta_proxy information disclosure
Sensitive application configuration data disclose on lenta.proxy.instamart.ru...
Lark Technologies: Sub-Dept User Can Add User's To Main Department.
A vulnerability was found where users with permissions to manage the user section can add others outside of their department by changing the value of "departmentid" to an empty value. We thank @imrannisar for reporting this to our team...
h1-ctf: [H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties
Summary: 1. A publicly accessible logfile discloses a user's credentials 2. Weak 2FA implementation allows user account takeover 3. Path injection in user's cookie allows SSRF, bypassing the IP restriction to list available builds on https://software.bountypay.h1ctf.com/ 4. API token leak in...
h1-ctf: [H1-2006 2020] Connecting the dots to send hackers their Bug Bounty
Hello team, thank you so much for organising the CTF; it has helped a lot to learn and improve my knowledge. Now let's get to the solution. I have prepared short videos as a reference for each part and broken the CTF down into 8 challenges. So the CTF was broken into: 1. Gathering leaking to gain login credentia...
Mail.ru: [account.mail.ru] XSS vulnerability in the authorization form
User-assisted XSS in account.mail.ru due to unsafe usage of a GET parameter. I think this XSS is a good example of the fact that filtering HTML characters in input data is not always a sufficient protection measure. If we disclose the vulnerability, here is a better demonstration, without my cookies...
Nextcloud: Allows any user to share their "Root" level folder by sharing "."
There seems to be a bug in the "File to Share" feature of Nextcloud Talk. This allows any authenticated user/admin to share their "root" level folder by manipulating the "path": parameter in the JSON body request to the remote API /nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares Steps to rep...
h1-ctf: [H1-2006 2020] 36 hours of brain cycles utilized on solving a neat puzzle
Here we go: F852423 Recon: The given scope is: .bountypay.h1ctf.com Found subdomains: bountypay.h1ctf.com api.bountypay.h1ctf.com app.bountypay.h1ctf.com software.bountypay.h1ctf.com staff.bountypay.h1ctf.com www.bountypay.h1ctf.com Relevant GitHub repository:...
h1-ctf: [H1-2006 2020] The Story of Making Bounty Hunters Happy
Disclaimer: I will try to make this post a fun read, given that whoever triages will probably be going through similar write-ups again and again. The beginning: Being away from HackerOne for over a month had made me rusty. Although the call to arms for Mr. Mickos and the community could not be left...
h1-ctf: [H1-2006 2020] CTF Writeup!
The Beginning ===================== The scope of the H1-2006 CTF was .bountypay.h1ctf.com. After opening https://bountypay.h1ctf.com, I noticed that on the top left of the screen there was a dropdown with two login pages: one for Customers https://app.bountypay.h1ctf.com/ and one for Staff...
Zivver: Bypassing Rate limit for forgot password by using different ip addresses
This report describes a valid issue in the rate limiter configuration for the "forgot password" endpoint, in which only the authenticating user's IP address was used as a discriminator. This was resolved by limiting requests based on multiple discriminators including the target account and...
Nextcloud: Re-Sharing allows increase of privileges
User A shares a file/folder with user B with re-sharing permission, but read-only - User B shares this file/folder with User C (needs shareapi_default_permissions set to 1, all checkmarks off in admin panel) - User B can add write permissions for the share to User C. User C may also be anonymous using a...
curl: Poll loop/hang on incomplete HTTP header
Summary: When an incomplete server header is missing its value, the curl client will receive the packet but hang while parsing it. Examples of vulnerable server headers: Location, Content-Range and Connection. Adding the --max-time option will terminate the request as intended. Steps To Reproduce:...
Urban Dictionary: DOM XSS through ads
Multiple ads hosted on www.urbandictionary.com make the www.urbandictionary.com origin vulnerable to DOM XSS. Attached is an image of alert(document.domain) executing. The injection works in Firefox and Chrome. Visiting the following URL will probably cause an alert box displaying the document.doma...
Internet Bug Bounty: [CVE-2020-10543] Buffer overflow caused by a crafted regular expression
CVE ID: CVE-2020-10543 See: + https://metacpan.org/pod/release/XSAWYERX/perl-5.30.3/pod/perldelta.pod + https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod Impact Potential RCE...
h1-ctf: [H1-2006 2020] CTF Writeup
F851692 ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ I'll try to have the writeup ready in the following days here: https://hipotermia.pw/bb/h1-2006-ctf-solution It will be password protected and I will post a comment here when it is ready. Thanks for this CTF, I really enjoyed it! Impact -...
HackerOne: SAML Response Reuse on hackerone.com/users/saml/auth
Summary: When logging in with SAML, the user's IDP authenticates the user and generates a SAML response. The IDP then redirects the user's browser back to HackerOne to submit the SAML response. Upon receiving the SAML response, HackerOne validates it, sets a session cookie in the user's browser,...
Mail.ru: Private file read through file attachment
The my.com MyMail application for Android could be tricked by a malicious local application, selected as a file picker by the user, into copying a file from the application folder to an insecure location...
Helium: Read-Only user can delete users
Hello, this endpoint DELETE /api/invitations/0ff7e9f9-877a-40cc-b99f-f6b3b1bea3f8 is vulnerable to Insecure Direct Object Reference. Steps to reproduce the bug: Let's assume that three accounts exist: [email protected] (role Administrator), [email protected] (role Read-Only), [email protected] (invited user)...
Mail.ru: mail.ru/touch xss(r) debug parameter
Reflected XSS in touch version of mail.ru via GET parameter debug...
GitHub Security Lab: Add check for disabled HTTPOnly setting in Tomcat
This bug was reported directly to GitHub Security Lab...
h1-ctf: [H1-2006 2020] [Multiple Vulnerability] CTF Writeup - @abdilahrf_
As there is a private invite for the first 10 solvers, I send only the flag now F851115 and will complete my writeup in the next comment. Impact Controlling martenmickos account...
h1-ctf: [H1-2006 2020] ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$
Still working on the report figured I should turn it in though :D Impact hugeee...