Notepad++: Security check failure or stack buffer overrun (crash)
poc.py: 1. Run poc.py 2. Open notepad++.exe 3. Go to "Define language..." 4. Use tab "Comment and Number" 5. Open 1stfield.txt and copy content to clipboard 6. Paste clipboard on "Comment line style in field Open" 7. Open 2ndfield.txt and copy content to clipboard 8. Paste clipboard on "Comment line style...
Monero: Monero can leak uninitialized memory
See this proof of concept: cpp #include ... #include ... #include ... INITIALIZE_EASYLOGGINGPP template<typename T> static void invoke_http_json(void) { typename T::request ireq; typename T::response ires; std::string req_param; if (!epee::serialization::store_t_to_json(ireq, req_param)) return; printf("%s\n", req_param.c_str()); } int main(void)...
Notepad++: Stack overflow affecting "ext" field on stylers.xml configuration file
Summary: A stack buffer overflow vulnerability affects the "ext" field in the "stylers.xml" configuration file. The "isInList" function doesn't check boundaries on the word64 array. Description: Vulnerability src file: notepad-plus-plus/PowerEditor/src/MISC/Common/Common.cpp Vulnerability line: line 329 Variab...
Open-Xchange: Username restriction bypass with SSL client authentication
Summary: Dovecot supports enforcing the login user name to be the one encoded in the SSL client certificate, thus restricting the username. Using SSL certificates that do not even contain the relevant field bypasses this restriction, maybe leading to full login bypass under some luckily rare...
Chrome: CVE-2019-5765: 1-click HackerOne account takeover on all Android devices
████████████...
Notepad++: Stack overflow in XML Parsing
Summary: A stack buffer overflow vulnerability has been detected in the XML parsing functionality of Notepad++. It is due to the fact that the invisibleEditView.getText function doesn't check buffer boundaries. Description: Vulnerability src file: notepad-plus-plus/PowerEditor/src/Notepadplus.cpp...
Internet Bug Bounty: Heap-buffer-overflow in Perl__byte_dump_string (utf8.c) could lead to memory leak
With a crafted regex match, I have found a heap overflow in the function Perl__byte_dump_string, which would lead to a memory leak. Reported to the Perl security mailing list on 11 Sep 2017. Confirmed as a security flaw by TonyC on 24 Feb 2018. CVE-2018-6797 assigned to this flaw on 7 Feb 2018. Public securit...
Rockstar Games: DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features
In this report, the researcher identified a DOM-based Cross-Site Scripting vulnerability under the GTAOnline section of the main site. This could have led to theft of cookies if left unresolved. Interestingly, a core factor in this vulnerability was a regression of a previously identified and...
Dropbox: Significant Two step verification Authentication Bypass
This report described a concern with our “Trust this Computer” feature in Dropbox web sign in. The way our “Trust this Computer” feature works, at a high level, is that while authenticating using 2FA, the user can request that this device be trusted in the future so they don’t have to use 2FA...
Eobot: Secure Pages Include Mixed Content Issue
Description: The page includes mixed content, that is, content accessed via HTTP instead of HTTPS. Steps: 1. Enter these two URLs: https://www.eobot.com/fee https://www.eobot.com/ad 2. Open the Source Code viewer. You will note a Mixed Content Error: http://bitcoin.sipa.be/speed-small-lin.png Fix: A page...
Tron Foundation: DOS attack by consuming all CPU and using all available memory
Summary: A single request to submit a post to /wallet/deploycontract with several megabytes of bytecode along with CPU-intensive long parsing will consume CPU for about 10 minutes while still holding several megabytes of bytecode in the heap. With enough requests, let's say 1K-10K depending upon...
New Relic: Bypass of #447975 - view mobile application token though "Application Information" sidebar on Installation page
In 447975 I demonstrated that it was possible to view the application token for a mobile app by visiting the upgrade page - this was subsequently fixed by disallowing access completely for a restricted user to view that page. I've found a workaround to this fix, and in doing so I've enabled my...
New Relic: GET request to accounts.json on support site leaks the root account license key and the browser license key to a restricted user
Overview As a restricted user, you cannot view the main account license key. If you are logged into your restricted user account, and visit https://support.newrelic.com/, when you attempt to create a ticket the root account license key will be exposed in the request. Steps to Reproduce 1. From a...
Weblate: No Rate Limit On Add new word
Hello, I found that there is no limit in the place for adding a new word, which allows the attacker to add an infinite number of words, which may cause a problem in the site and the server. Steps To Reproduce: 1. Go To https://hosted.weblate.org/dictionaries/andors-trail/en/add And Fill in fields...
Nextcloud: Stored XSS/HTML injection in autocomplete suggestions for sharing
encrypted report, see attached GnuPG file. I tried to send this by mail, but [email protected] told me that I'm forced sic! to signup here. Please use 7F40 5A4F FAA3 F51B FEFD EE2F CE82 B2C8 6DCE BB9F to contact me. Impact encrypted report, see attached GnuPG file...
Hyatt Hotels: Hyatt WeChat Secret, Baidu AK Secret, and mysql db credentials inadvertently made publicly available
This one is slightly odd, so I've rated it a low, as I'm not able to confirm whether or not these are active creds/secrets; it's late and I don't speak/read Chinese. During recon for hyatt.com, I stumbled across this github.com repo that seems to be for hyatt's wechat setup:...
ok.ru: Privilege Escalation: deleting all created links from okl.lt
IDOR at okl.lt allowed to hide links in another user's dashboard. The short link itself remained functional. The vulnerability allowed hiding all the links created by other users in their dashboard, but the link continued to work...
Pornhub: XSS reflected on [https://www.youporn.com]
The researcher managed to obtain arbitrary JavaScript execution through reflected XSS on the Youtube World's RSS feed...
Internet Bug Bounty: imagecolormatch Out Of Bounds Write on Heap
The link to the PHP bug: https://bugs.php.net/bug.php?id=77270 It is possible to exploit this in PHP 7.0.33 and 5.6.39. I used this vulnerability to write a local safe mode bypass exploit. It is possible to write up to 1200 bytes over the boundaries of a buffer allocated in the imagecolormatch...
Internet Bug Bounty: efree() on uninitialized Heap data in imagescale leads to use-after-free
The core bug: https://bugs.php.net/bug.php?id=77269 This bugfix actually involves two vulnerabilities: a call to efree on uninitialized data and another free based vulnerability. What is described below is a bug that was fixed in libgd two years ago CVE-2016-10166, but the patch was never applied...
Internet Bug Bounty: buffer overread in base64 code of the xmlrpc module
Malformed input to the xmlrpc_decode function can cause an out-of-bounds read in the base64 code. This is fixed in the latest updates of PHP, 7.3.1 etc. Report: https://bugs.php.net/bug.php?id=77380 Impact: If the attacker has access to the decoded output this may leak memory contents...
Internet Bug Bounty: Use after free and out of bounds read in xmlrpc_decode()
Malformed input can lead to use-after-free and out-of-bounds memory errors. This has been fixed with the latest updates of PHP 7.1.26/7.2.14/7.3.1. Note: I reported those as separate bugs to PHP, but they had the same underlying bug and were fixed by the same commit. The release notes only mentio...
OLX: XSS - main page - search[user_id] parameter
Hi, how are you doing? This is a pretty straightforward XSS in the main page. Affected parameter: search[user_id] Direct Link: https://www.olx.pt/braga/?searchuserid=1zqjeu'":/1zqjeu;9, ;prompt9;&view=galleryWide Tested in updated Firefox. Impact: XSS allows an intruder to inject HTML and client-side...
Internet Bug Bounty: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile
Phar files with __HALT_COMPILER(); in unexpected places can lead to a buffer overrun. This is something I found while fuzzing with AFL using an ASAN-instrumented PHP. The issue can be observed by disabling the ZEND allocator and using ASAN or valgrind/etc? with a crafted phar as input. I have prepared...
GitLab: Last build status and coverage leaked to unauthorized users
GitLab CI supports creating badges for the latest build/coverage on certain branches. However, with restricted access, where users do not have access to pipelines, users still have access to the build/coverage status of any branch. This access works for different configurations: 1. For public...
Internet Bug Bounty: ZeroMQ libzmq remote code execution
Bug report and exploit: https://github.com/zeromq/libzmq/issues/3351 Fix by me: https://github.com/zeromq/libzmq/pull/3353 My motive for full disclosure is as follows: Is it true that it is not safe to use ZeroMQ over the internet because it will crash? Earlier versions of the ZeroMQ library befo...
New Relic: IDOR allows accounts to view full name of other accounts based on email through share notes feature
This is similar to an IDOR that I've reported in the past - but now that "anything goes" is in scope I looked around and tried to find other areas within the application where this might exist. And I found it while sharing a note: Steps to Reproduce From the new user creation page: 1. Add a new user to...
Nextcloud: Private/confidential setting of calendar events is ignored on activity stream
https://github.com/nextcloud/server/pull/13331 Events that are private should not generate events for other users Events that are confidential should not leak the name to other users Impact The details are leaked to other users...
Nextcloud: WordPress vulnerable to multiple attacks at https://nextcloud.com
Summary: your current version of WordPress is available to multiple attacks, check INFO.php. Available attacks: - Unauthenticated Arbitrary File Deletion - lib/IPTraf.php User-Agent Header Stored XSS - Password Creation Restriction Bypass - wp-admin/admin.php whois Parameter Stored XSS - XSS & IAA ...
Nextcloud: Password authentication at newsletter.nextcloud.com discloses username list
Summary: A vulnerability classified as problematic has been found in OpenSSH 7.2p2. Check INFO.png. Affected is an unknown function of the component Authentication. The manipulation of the argument Password with an unknown input leads to an information disclosure vulnerability (Username). CWE is...
MariaDB: CRLF injection at https://mariadb.org/.
A CRLF injection vulnerability was discovered on our website that could lead to attacks such as client side cookie injection. This has been resolved by adjusting the offending rewrite rule in our web server configuration...
Internet Bug Bounty: Buffer over-write in finfo_open with malformed magic file.
https://bugs.php.net/bug.php?id=71527 This bug causes a segfault when running with the environment variable USE_ZEND_ALLOC set to 0, and also when compiled with ASAN with USE_ZEND_ALLOC set and unset. To reproduce, run the following PHP file, with the example magic file below. $ cat magic-open.php Magic...
Internet Bug Bounty: Negative size parameter in mb_split
https://bugs.php.net/bug.php?id=77367 mb_split doesn't correctly detect the length when the $string has an unfinished multibyte character at the end of the string. This causes a crash due to a negative parameter to add_next_index_stringl, which calls zend_string_init and memcpy. Could reproduce on...
Internet Bug Bounty: Heap overflow in utf32be_mbc_to_code
https://bugs.php.net/bug.php?id=77418 Buffer overflow in the mbc_to_code functions for UTF32BE, UTF32LE, UTF16BE, and UTF16LE due to incorrect length assumptions about a buffer. Provided a patch that was adapted to check the length of the buffer prior to using it. Impact: Memory leakage and/or corruption...
Uber: SQLI on desafio5estrelas.com
The vendor-created and managed site desafio5estrelas.com had a SQLi vulnerability which could potentially expose sensitive data. A time-based blind MySQL SQLi vulnerability existed at the endpoint https://desafio5estrelas.com/login in the URL parameter "codigo". Basic SQLi that was found on an Uber...
HackerOne: Response program can display "eligible for bounty" in scope area in program policy
Hello Hackerone Team and @jobert First of all, Happy new year to everyone. Summary Response program can also display "eligible for bounty" assets on program policy. It's basically causing from backend in terms of GRAPHQL mutation query for eligible in bounty:true which stays forever on response...
Internet Bug Bounty: heap buffer overflow in phar_detect_phar_fname_ext
The original report is here: https://bugs.php.net/bug.php?id=77247 USE_ZEND_ALLOC=0 ./php-src-PHP-7.2.13/sapi/cli/php -r "var_dump(new Phar(file_get_contents('poc.phar'),0,'test.phar'));" ================================================================= ==44888==ERROR: AddressSanitizer:...
Rockstar Games: DOM Based xss on https://www.rockstargames.com/ ( 1 )
In this report the researcher identified a DOM-based Cross-Site Scripting vulnerability on the main rockstargames.com site. This could have been exploited to steal victim's cookies. The XSS vulnerability was discovered by combining multiple lower-severity vulns, such as directory traversal and an...
VK.com: Logging of VK API request responses in the Clever app
Viewing logs in debug mode...
RATELIMITED: Apache mod_negotiation filename bruteforcing https://api.ratelimited.me
The Apache mod_negotiation module allowed for filename bruteforcing and information disclosure through a 406 Not Acceptable error response. This vulnerability has been fixed by disabling the MultiViews directive in Apache's configuration file and restarting the server...
Nextcloud: Github repo's wiki publicly editable
Hello Team, the Github repo's wiki page is publicly editable. This enables an attacker to edit the wiki pages of the affected repos, adding content that may link to malicious code libraries that would be installed and used by developers, or information that may mislead users. POC link...
GitLab: A profile page of a user can be denied from loading by appending .html to the username
Summary: I was able to create a user with the username "dashboard.html". Once the account is set up, when the user clicks on his profile, the actual dashboard will show up instead of his profile page. The same can be done for all the HTML pages in GitLab. Steps To Reproduce: 1. Register a new user...
CFP Time: Missing Two Factor Authentication in /admin/login
Hello Team, First of all this report is just mainly concern for Suggested security improvements based on your policy page. If and only if not mean possible, please do let me know. Thanks! INTRODUCTION Administrative panel is one of the main entry point for the website owner to manage their web ap...
Liberapay: User Enumeration
@offgouvea reported a user enumeration issue. User enumerations are out-of-scope as mentioned in our program's policy...
Rockstar Games: CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/
In this report, the researcher identified a Cross-Site Request Forgery vulnerability that could have allowed attackers to link a Facebook account to another user's Social Club account, and thus gain the ability to log in as the victim. We implemented an anti-CSRF token as part of the...
Khan Academy: Subdomain takeover on healthyhackathon.khanacademy.org and hackweek.khanacademy.org
Summary: healthyhackathon.khanacademy.org can be taken over, since it points to a bucket in S3 but that bucket does not exist. I know this domain is used to host information for healthyhackathon which is held by khanacademy, but you will not be able to do this anymore if someone is going to claim...
CFP Time: Content spoofing on error pages or text injection
Poc: https://www.cfptime.org/%20is%20not%20available%20anymore%20,%20pls%20go%20to%20WWW.EVIL.COM%20because%20this%20site. Steps to reproduce: 1: Just browse this target on any browser 2: Target: http://www.cfptime.org/ 3: add any content after For example: this is not available anymore pls check...
HackerOne: Cross-site Scripting (XSS) on HackerOne careers page
Dear HackerOne team, Summary: I found DOM XSS at the endpoint https://www.hackerone.com/careers, but could not bypass CSP. It works on IE and Edge. Steps To Reproduce - JS file is "Masonry js file", vulnerable code: javascript //Checking for potential Lever source or origin parameters var pageUrl =...
CFP Time: Error Page Content Spoofing or Text Injection
Description: hello sir, I found that once you write anything after / in www.cfptime.org/ it is reflected in the error page. Example: go to www.cfptime.org/texthere and you will see "test here" in the 404 error page. Steps To Reproduce: 1. go...
Ruby on Rails: XSS due to incomplete JS escaping
ActionView::Helpers::JavaScriptHelper inside rails/actionview/lib/action_view/helpers/javascript_helper.rb provides JS escaping in Rails, but fails to protect template literal strings. As such, there are two ways XSS can occur: XSS via template literal break-out: 1. Create a view with the following...