
15278 matches found

Hacker One, added 2018/07/19 3:51 p.m. (86 views)

Internet Bug Bounty: heap-buffer-overflow (READ of size 48) in exif_read_data()

exif_read_data() in PHP 5.6.36, 7.1.x and 7.2.x is vulnerable to a heap buffer overflow when fed a specially crafted JPEG. Any online service that reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. This has been fixed with the release of PHP 7.2.8 today. Other releases are...

CVSS 4.3 | AI score 7.3 | EPSS 0.0044 | Exploits: 0

Hacker One, added 2018/07/19 10:54 a.m. (48 views)

WordPress: xss - reflected

vulnerable url: http://masterplan.wordpress.net/store/checkout/ payload: 1 Main Streetzbn0b"alertdocument.cookiek8ez0 vulnerable parameter: billing-address Request: POST /store/checkout/ HTTP/1.1 Host: masterplan.wordpress.net Accept-Encoding: gzip, deflate Accept: / Accept-Language: en...

AI score 0.2 | Exploits: 0

Hacker One, added 2018/07/19 10:17 a.m. (13 views)

Imgur: Go.imgur.com can be used to phish for account information

Right now the go.imgur.com domain is pointing to godoc.org/go.imgur.com but there is nothing at this resource. It is possible with encoded double dots to redirect go.imgur.com URLs to pages that phish for imgur account information. Proof of Concept === PoC 1:...

AI score 0.7 | Exploits: 0

Hacker One, added 2018/07/19 9:49 a.m. (68 views)

Node.js third-party modules: url-parse package returns wrong hostname

Jul 19th 2018 - lolwaleet submitted a report to Node.js third-party modules. I would like to report that the url-parse package returns a wrong hostname in url-parse. Module module name: url-parse version: 1.4.1 npm page: https://www.npmjs.com/package/url-parse Module Description The url-parse method exposes...

CVSS 7.5 | AI score 0.2 | EPSS 0.01747 | Exploits: 0

Hacker One, added 2018/07/19 3:32 a.m. (55 views)

Starbucks: Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com

Hello, This is fairly close to this report however these are different subdomains than the one in the report. This can be pretty serious since I can serve virtually anything I want. In the 45 minutes I've held the domain I have served to 341 unique IP addresses. Two starbucks.com subdomains are...

AI score 0.1 | Exploits: 0

Hacker One, added 2018/07/18 2:16 p.m. (250 views)

Valve: SQL Injection in report_xml.php through countryFilter[] parameter

An unvalidated parameter on a partner reporting page report_xml.php could be used to read certain SQL data from a single backing database. Blind SQL Injection && Akamai WAF Bypass. Wait for the write-up ;...

AI score 2.4 | Exploits: 0

Hacker One, added 2018/07/18 1:58 p.m. (36 views)

Trello: Stored XSS via Chrome plugin

Stored XSS via Chrome plugin 1. Install the Trello Chrome plugin 2. Create a list on trello.com with a script injection title eg "alert'xss';" 3. Open the Chrome plugin and browse to the list, the code is executed from the plugin I've attached screenshots of the problem The origin is the chrome...

AI score 1.2 | Exploits: 0

Hacker One, added 2018/07/18 1:45 p.m. (41 views)

Nextcloud: HTML injection with AutoComplete suggestions

As user1 set your displayname to Name 2. As user2 autocomplete the name in the comments input or Talk chat input 3. Click on the user name you just autocompleted User2 is redirected to https://nextcloud.com Only works with HTML, not with script Impact User1 can trick user2 to render any html...

CVSS 3.5 | AI score 0.3 | EPSS 0.00543 | Exploits: 0

Hacker One, added 2018/07/18 1:28 p.m. (22 views)

Node.js third-party modules: [ponse] Path traversal in ponse module allows reading any file on server

I would like to report path traversal in ponse. It allows reading local files on the target server. Module module name: ponse version: 2.0.1 npm page: https://www.npmjs.com/package/ponse Module Description Module for work with requests and responses Module Stats 317 downloads in the last week 163...

AI score 0.3 | Exploits: 0

Hacker One, added 2018/07/18 9:14 a.m. (75 views)

Augur: Subdomain takeover on slack.augur.net pointing to GitHub Pages

Summary The slack.augur.net record wasn't removed from the DNS after the migration to Discord invite.augur.net and was pointing to a non-existent page on GitHub Pages. So a subdomain takeover was possible and a proof-of-concept has been done to confirm this. Description Searching for subdomains o...

AI score 0.1 | Exploits: 0

Hacker One, added 2018/07/17 10:25 p.m. (37 views)

Soleo: Directory Traversal + HTTP Parameter Pollution leaking SQL/LDAP credentials

Upon visiting the login page of a provider’s IP Relay client, we noticed that if someone were to click the “forgot password” link, it would bring them to a URL which appeared as the following: https://./IPRelayApp/servlet/IPRelay?page=forgotPassword When attempting to modify the "page" GET...

AI score 7.5 | Exploits: 0

Hacker One, added 2018/07/17 5:55 p.m. (18 views)

Snapchat: Client IP Spoofing using "X-Forwarded-For: 127.0.0.1" on "studio-app.snapchat.com" exposing bucket details

Researcher's summary is accurate. An attacker could view a variety of non-sensitive service config information by setting the X-Forwarded-For: 127.0.0.1 header on a specific service path. By adding "X-Forwarded-For: 127.0.0.1" as a header while requesting a certain path on a certain snapchat...

AI score 1.8 | Exploits: 0

Hacker One, added 2018/07/17 5:11 p.m. (26 views)

Semrush: Improper authentication on registration

Hope you are doing well, one can register himself to semrush with any email ID. It means that there is no authentication mechanism to check if that email ID is valid/invalid. Therefore a person with an email ID that does not exist can also register and login to your platform. Summary: one can register himsel...

AI score 6.9 | Exploits: 0

Hacker One, added 2018/07/17 5:09 p.m. (72 views)

Rocket.Chat: Blind XSS in the rocket.chat registration email

Note: This report was initially sent via email and I was invited to submit this here. Hi team, During an audit on a third-party, I discovered that rocket.chat Android client might be vulnerable to blind XSS. My XSS payload fired in the context of the target's rocket.chat client as you can see bel...

AI score 0.3 | Exploits: 0

Hacker One, added 2018/07/17 2:32 p.m. (86 views)

Semrush: Stored XSS in '' Section and WAF Bypass

Summary Stored Cross-site Scripting XSS is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores...

AI score 5.7 | Exploits: 0

Hacker One, added 2018/07/17 2:01 p.m. (67 views)

Shopify: Potential SSRF and disclosure of sensitive site on *shopifycloud.com

Note: I am reporting this after talking with @shopify-peteryaworski Summary There is a staging/testing site for payment cancellations and refunds at shopifycloud.com. This site allows sending post request and fetching the response back to the user. This leads to SSRF because it allows fetching...

AI score 0.5 | Exploits: 0

Hacker One, added 2018/07/17 3:35 a.m. (56 views)

Khan Academy: POST XSS in https://www.khanacademy.org.tr/ via page_search_query parameter

Hey there, while testing your program I came across an XSS vulnerability in the search area of your website. The vector uses an HTTP POST request and the parameter is "page_search_query" on www.khanacademy.org.tr/arama.asp In the next topics I will demonstrate how you can reproduce the vulnerability...

AI score 6.4 | Exploits: 0

Hacker One, added 2018/07/16 1:13 p.m. (23 views)

U.S. Dept Of Defense: Server-Side Request Forgery (SSRF)

Hi, I've found a Server-Side Request Forgery SSRF Steps to reproduce: + start listening on your server + navigate to http://██████/help/ACPS.htmhttp://$yourserver:$port + you will get the request ██████ Impact Server-Side Request Forgery SSRF Attack...

AI score 1.3 | Exploits: 0

Hacker One, added 2018/07/15 3:01 a.m. (14 views)

U.S. Dept Of Defense: ████████ SQL

Hi, I think I found a SQL injection in https://██████████/ POST /requestaccount.php? HTTP/1.1 Host: █████ User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:60.0 Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5...

AI score 0.3 | Exploits: 0

Hacker One, added 2018/07/15 12:42 a.m. (44 views)

Mail.ru: XSS on the account.mail.ru/recovery page

Reflected XSS via GET parameters in account.mail.ru...

AI score 4.5 | Exploits: 0

Hacker One, added 2018/07/14 11:01 p.m. (141 views)

U.S. Dept Of Defense: sql injection on /messagecenter/messagingcenter at https://www.███████/

Hi, I would like to report an issue that leads to SQL injection in the search box at https://www.████/messagecenter/messagingcenter. If you add the character ' that is usually used to test whether the site has SQL injection, the site returns an Incorrect syntax error, which can confirm the site is...

AI score 0.8 | Exploits: 0

Hacker One, added 2018/07/14 5:07 a.m. (10 views)

Imgur: HTML Injection with XSS possible

Hi, I found HTML Injection on imgur.com Description: I couldn't get XSS but I was able to include videos on my profile and I was also able to redirect users to malicious websites POC HTML injection: go to https://12test.imgur.com you don't need to login and you will see external videos and you wi...

AI score 0.2 | Exploits: 0

Hacker One, added 2018/07/13 9:26 p.m. (12 views)

HackerOne: Client-Side Race Condition using Marketo, allows sending user to data-protocol in Safari when form without onSuccess is submitted on www.hackerone.com

Hi, I made a talk earlier this month about Client-Side Race Conditions for postMessage on AppSecEU: https://speakerdeck.com/fransrosen/owasp-appseceu-2018-attacking-modern-web-technologies In this talk I mention some fun ways to race postMessages from a malicious origin before the legit source...

AI score 6 | Exploits: 0

Hacker One, added 2018/07/13 12:28 p.m. (12 views)

Valve: CSRF | Ban or unban users in broadcast's chat

Steps to reproduce Start broadcast Attacker needs to craft special HTML page Get broadcast's Steam ID (it is contained in the URL: https://steamcommunity.com/broadcast/watch/STEAM ID/) If attacker wants to unban somebody, he needs to create HTML page like this: document.getElementById"csrf-form".submit Unba...

AI score 0.6 | Exploits: 0

Hacker One, added 2018/07/13 10:26 a.m. (31 views)

Node.js third-party modules: Prototype pollution attack (merge.recursive)

I would like to report prototype pollution in merge. It allows an attacker to inject properties on Object.prototype. Module module name: merge version: 1.2.0 npm page: https://www.npmjs.com/package/merge Module Description Merge multiple objects into one, optionally creating a new cloned object...

CVSS 5 | AI score 0.5 | EPSS 0.00408 | Exploits: 1

Hacker One, added 2018/07/13 10:22 a.m. (83 views)

Shopify: Preview bar: Incomplete message origin validation results in XSS

The JavaScript code at https://cdn.shopify.com/s/assets/storefront/bars/previewbarinjector-73a4756a265c637c998799750759ae548e7f68b136e8e93e83132904afc3d30d.js loaded by the shop front when a theme is previewed installs a message event listener. The following check is used to reject invalid event...

AI score 5.9 | Exploits: 0

Hacker One, added 2018/07/13 10:04 a.m. (39 views)

Node.js third-party modules: Prototype pollution attack (extend)

I would like to report prototype pollution in extend. It allows an attacker to inject properties on Object.prototype. Module module name: extend version: 3.0.1 npm page: https://www.npmjs.com/package/extend Module Description node-extend is a port of the classic extend method from jQuery. It behav...

CVSS 7.5 | AI score 0.3 | EPSS 0.02519 | Exploits: 1

Hacker One, added 2018/07/13 3:38 a.m. (47 views)

Slack: SSRF in api.slack.com, using slash commands and bypassing the protections.

Bypassing the reports 61312 and 356765 Tutorial: Go to api.slack.com and create an application with your own slash command. F320014 Enter your own domain: in your own domain: index.php location: http://:::22/ F320019 And save. Go to your Slack and type /youslash Try with my server...

AI score 0.2 | Exploits: 0

Hacker One, added 2018/07/12 12:07 p.m. (30 views)

Starbucks: Open Redirection in Login - Korean Starbucks

Summary: Open Redirection is performed in the Korean Starbucks login page. An attacker can redirect a victim to another site, such as a phishing site. Description: When the victim visits https://www.istarbucks.co.kr/login/login.do?redirecturl=//www.bughunting.net and logs in, he/she is redirected to...

AI score 1.1 | Exploits: 0

Hacker One, added 2018/07/12 8:43 a.m. (24 views)

Node.js third-party modules: Prototype pollution attack (defaults-deep / constructor.prototype)

I would like to report a prototype pollution vulnerability in defaults-deep. It allows an attacker to inject properties on Object.prototype. Module module name: defaults-deep version: 0.2.4 npm page: https://www.npmjs.com/package/defaults-deep Module Description Like extend but recursively copies...

CVSS 7.5 | AI score 0.6 | EPSS 0.00437 | Exploits: 1

Hacker One, added 2018/07/12 8:28 a.m. (142 views)

Node.js third-party modules: Prototype pollution attack (lodash / constructor.prototype)

I would like to report a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype. Module module name: lodash version: 4.17.10 npm page: https://www.npmjs.com/package/lodash Module Description The Lodash library exported as Node.js modules. Modul...

CVSS 6.8 | AI score 0.5 | EPSS 0.00468 | Exploits: 2

Hacker One, added 2018/07/12 12:00 a.m. (17 views)

Versa Networks: Session Fixation Exposure

In VOS user session identifier authentication token is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap...

CVSS 6.5 | AI score 4 | EPSS 0.00303 | Exploits: 0

Hacker One, added 2018/07/11 10:22 p.m. (13 views)

Nextcloud: Ubuntu 12.04 Privilege Escalation

Hello Security Team, Description According to its self-reported version number, the Unix operating system running on the remote host is no longer supported. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain...

AI score 0.5 | Exploits: 0

Hacker One, added 2018/07/11 8:59 p.m. (17 views)

Rockstar Games: Open redirect vulnerability

In this report the researcher discovered an open redirect vulnerability on one of our subdomains. The subdomain exists primarily to direct users to a different site, but it was possible to exploit by adding unexpected input in a subdirectory of the URL. This allowed an attacker to potentially...

AI score 1.8 | Exploits: 0

Hacker One, added 2018/07/11 11:03 a.m. (22 views)

Augur: Full UI hijack via dormant browser service workers

Augur UI hijack via dormant service workers Augur background The architecture of Augur currently consists of 3 individual layers: At the lowest level, Augur consists of a batch of smart contracts built on top of Ethereum. This level is enforced by a global blockchain and can be accessed via gatewa...

AI score 0.5 | Exploits: 0

Hacker One, added 2018/07/11 4:57 a.m. (15 views)

New Relic: Restricted user can bypass permissions restriction to create NR Alert policies

So this one is similar to my other privilege escalation issues, but it comes with a sidenote which may lead to some more interesting issues if you feel like digging into it. Issue: User with read only privileges can create NR Alert policies through POST request to Infrastructure-Data service...

AI score 7.3 | Exploits: 0

Hacker One, added 2018/07/11 4:30 a.m. (879 views)

Pornhub: IDOR allows you to delete photos and album from a gallery

The researcher discovered a vulnerability where a user may delete other users' images from their galleries...

AI score 3.5 | Exploits: 0

Hacker One, added 2018/07/11 12:51 a.m. (171 views)

Roblox: Reflected XSS through multiple inputs in the issue collector on Jira

Note I put this as Medium because that's what the CVE is. This vulnerability is known and it's classified under CVE-2018-5230. Here's a link to the thread on it by Atlassian: https://jira.atlassian.com/browse/JRASERVER-67289 Description --------------------- I noticed when testing that your Jira...

CVSS 4.3 | AI score 6.6 | EPSS 0.34063 | Exploits: 0

Hacker One, added 2018/07/10 10:13 p.m. (18 views)

HackerOne: Team object exposes amount of participants in a private program to non-invited users

Summary: Hello. Similar to other reports, suddenly after the update with ordering users, the GraphQL API is exposing the amount of participants in a private program to non-invited users. This allows an attacker to retrieve the amount of participants in a private program, as well as their details...

AI score 1.9 | Exploits: 0

Hacker One, added 2018/07/10 6:23 p.m. (229 views)

Pornhub: Reflected XSS on Mobile Search page

The user was able to exploit the 'search' parameter being reflected in the page body in order to execute reflected XSS within the context of Redtube. Many developers think that adding slashes to double quotes can protect against XSS. However, in the DOM, adding slashes does not protect against XSS...

AI score 1.9 | Exploits: 0

Hacker One, added 2018/07/10 4:31 p.m. (2385 views)

Pornhub: Stored XSS in galleries - https://www.redtube.com/gallery/[id] path

Researcher successfully closed the image 'alt' attribute and injected javascript by intercepting the album creation request and submitting an XSS payload as the album title. This led to stored cross-site scripting on the user's album page, executed against any users who visited the album. Stored...

AI score 5.8 | Exploits: 0

Hacker One, added 2018/07/10 4:20 p.m. (2219 views)

Pornhub: Stored XSS on the https://www.redtube.com/users/[profile]/collections

Researcher successfully closed the image 'alt' attribute and injected javascript by submitting an XSS payload as the collection title. This led to stored cross-site scripting on the user's collections page, executed against any users who visited the user's collections. The user's favorites page w...

AI score 5.8 | Exploits: 0

Hacker One, added 2018/07/10 1:14 p.m. (62 views)

Starbucks: svcardproxydevus.starbucks.com Subdomain take over

You have left a DNS record pointing to a dead cloudapp VM. svcardproxydevus.starbucks.com - s00307ntmp0svcardproxydev0.trafficmanager.net - s00307dpipsvcardproxy00.eastus.cloudapp.azure.com = Dead Impact 1 Attacker takes over subdomain and then puts something like porn or something that shouldn't...

AI score 0.3 | Exploits: 0

Hacker One, added 2018/07/10 8:45 a.m. (26 views)

U.S. Dept Of Defense: Stored XSS Vulnerability on ████████

Summary: An XSS vulnerability using an svg file & html file. Step-by-step Reproduction Instructions 1. Go to https://██████████/SitePages/Register.aspx and register. 2. Go to https://██████████/Profiles/My/Your Username/Blog/default.aspx and click Create a Post button. 3. Click Body textarea and clic...

AI score 6.9 | Exploits: 0

Hacker One, added 2018/07/10 8:42 a.m. (30 views)

Nextcloud: Missing memory corruption protection on Windows release build

Hi, we have noticed that the Windows Desktop Client doesn't enable the protections ASLR and DEP and others. These protections have been enabled by default in Visual Studio for approximately 10 years and are very important because they make exploitation a lot harder or even make some vulnerabilities...

CVSS 2.1 | AI score 1 | EPSS 0.00072 | Exploits: 0

Hacker One, added 2018/07/10 8:14 a.m. (23 views)

Mail.ru: Path Traversal When Sharing with Cloud Mail.Ru App via a file with Crafted Name

Path traversal vulnerability via crafted file name allowed user-assisted access to arbitrary application files in Mail.Ru Cloud android application...

AI score 4.4 | Exploits: 0

Hacker One, added 2018/07/10 2:00 a.m. (23 views)

Valve: Stored XSS in the guide's GameplayVersion (www.dota2.com)

Hi, team! The beginning of this issue looks like my previous report 369043, but this one will be much more interesting : So let's go! Steps to reproduce: 1 Open dota2 client and create new simple guide with XSS in the name. F318796 2 Publish this guide on steam. F318797 3 Now go to the Fiddler ap...

AI score 6 | Exploits: 0

Hacker One, added 2018/07/09 6:57 p.m. (53 views)

Pornhub: Mobile Reflected XSS / CSRF at Advertisement Section on Search page

The researcher identified a search query parameter vulnerable to cross-site scripting in the Mobile view. It is the same vulnerability as redtube's mobile search page; the report is 380246. This vulnerability results in XSS because the protection consists of adding slashes to double quotes. At the tag's...

AI score 1.9 | Exploits: 0

Hacker One, added 2018/07/09 2:00 p.m. (12 views)

Flock: Subdomain takeover due to misconfigured project settings for Custom domain

While testing flock.com I got a domain flock.co which is under the Flock company. So I started looking at its subdomains and got subdomain newdev.flock.co. When I visited the subdomain in the browser I got an error like the below screenshot :- F365851 This took my attention. So I checked the DNS record for...

AI score 0.2 | Exploits: 0

Hacker One, added 2018/07/08 12:06 a.m. (40 views)

Monero: Attacker can trick monero wallet into reporting it received twice as much with alternative tx_keypubs

Summary: multiple identical txpubkeys were patched, but you can still use alternative txpubkeys to get the same result. Description: An attacker can craft an XMR transaction which causes the receiving wallet to report that it received twice as much XMR as the attacker actually sent. The balance o...

AI score 0.3 | Exploits: 0

Total number of security vulnerabilities: 15278