Liberapay: No Data Validation, No Captcha, No Filters...
POST /for/new HTTP/1.1 Host: liberapay.com User-Agent: Mozilla/5.0 Windows NT 6.1; Win64; x64; rv:52.0 Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer:...
Liberapay: Improper Data Validation / Unvalidated Input
Steps to reproduce: 1 - Be logged in to an account 2 - Go to: https://liberapay.com/user/edit/statement 3 - Click on Visualize 4 - Submit and edit POST parameters to fuzz infinitely 5 - Wait for the server to process the request. I sent only 2.813.054 characters. Improper input size validation... I'm sorry...
Liberapay: Cross site scripting (content-sniffing)
This type of XSS can only be triggered on and affects content sniffing browsers. This script is possibly vulnerable to Cross Site Scripting XSS attacks. This vulnerability affects /sign-up URL encoded POST input sign-in.currency was set to USDG8OAI!+! The input is reflected inside a text element...
Pornhub: Blind SQL injection and making any profile comments from any users to disappear using "like" function (2 in 1 issues)
Researcher found a blind SQL injection in the profile comment Like functionality, executing on the second request made for a given comment's dislikes. Summary The injection was found manually; the discovery methods used are basically the same as described in this awesome article by @gerbenjavado:...
VK.com: Long-lived hash + obtaining partial access to the account after a session reset
Hash lifetime...
RBKmoney: SUBDOMAIN TAKEOVER [http://dev.rbk.money/]
The DNS record of dev.rbk.money pointed to GitHub, but the domain was not used in any GitHub account. So it was possible to bind it to any repository...
Monero: monerod can be disabled by a well-timed TCP reset packet
Summary: A well-timed TCP reset RST can cause monerod or any service relying on epee to stop accepting new connections. Description: When a new connection is attempted, the handleaccept function is called. This does some error checking and finishes setting up the connection. Once the connection i...
Monero: Constant-time comparison is not always implemented; critical areas are vulnerable to key-timing attacks
In my most superficial of reviews, constant-time comparison appears to not be globally implemented at a glance, only implemented within the ref10 implementation. With that said, the following areas either appear to be vulnerable, or are potentially vulnerable, to key-timing attacks: 1. Containers...
Liberapay: Buffer overflow
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an arra...
IOVLabs: DoS through PeerExplorer
Summary: The peer discovery implementation is vulnerable to a Denial of Service attack due to improper management of connections. Description: The two main files of interest in detailing this vulnerability are PeerExplorer.java and NodeChallengeManager.java. To explain the flow of execution I'll ...
OLX: Search Page Reflected XSS on sharjah.dubizzle.com through unencoded output of GET parameter in JavaScript
Hi, I found a reflected XSS vulnerability on the search page of sharjah.dubizzle.com. Because the GET parameter keywords is not being encoded before it is parsed into the JavaScript, an attacker can break out of the code and execute JavaScript in the target's browser. Vulnerable Code When searching f...
Mail.ru: Uploading a PNG bomb that launches a DDoS attack on the Stickers bot.
ICQ sticker bot was vulnerable to DoS via a PNG compression bomb attack...
Dropbox: Bypass Local Authentication (TouchID)
This report describes an attack to bypass TouchID in the Dropbox Mobile iOS application on jailbroken iOS devices. Dropbox doesn’t consider jailbroken devices in scope for our bounty program...
Block.one: [FG-VD-18-101] Buffer Overflow Vulnerability in EOS's WAVM Library and also in latest WAVM Library Parent Repository
Hello Block.One / EOS Product Security Team, Good Afternoon. There exists a Memory Corruption vulnerability in the latest WAVM Library and also in the EOS code for WAVM Library. The PoC.wast file is attached along with this report. Reproduction Steps: - 1 Fetch latest WAVM library from the WAVM...
Block.one: [FG-VD-18-100] Heap Buffer Overflow Vulnerability in EOS's forked repository of Binaryen Library and also in latest Binaryen Library Parent Repository
Hello Block.One / EOS Product Security Team, Good Afternoon. There exists a Memory Corruption vulnerability in the latest Binaryen Library and also in the EOS repo for Binaryen Library. The Binaryens2wasmPoC.s file is attached along with this report. Reproduction Steps: - 1 Fetch latest Binaryen...
Liberapay: Punny code Detection Parsing should be implemented on Markdown
Hello Liberapay Security Team, Description When we insert any URL in the Markdown box in liberapay.com/profilename/edit/statement, it is reflected on our main profile page. The main issue I discovered was that Punycode parsing was not enabled on Markdown. Steps to Reproduce For...
Mail.ru: Stored XSS in api.icq.net
Cross-site scripting in the api.icq.net domain. icq.net is considered a sandbox domain; it does not use HTTP authentication or cookies, but XSS could be used to facilitate a phishing attack...
Y Combinator: Stored Cross Site Scripting
XSS was disclosed and was forwarded to our software team. A member of the software team fixed it fairly quickly and we confirmed no data was exposed...
Liberapay: Returning back from the browser after logging off will disclose some information
Summary: Hi, I found an issue: after signing out from the account and clicking the back button continuously in the browser, it will disclose sensitive information on all pages that the user opened while using the account, for example the identity page. I believe that this issue...
Node.js third-party modules: XSS in express-useragent through HTTP User-Agent
Hello, I would like to report an XSS in the express-useragent module due to a lack of validation of the User-Agent header. Please note I already created a GitHub issue and asked for a CVE (CVE-2018-9863). I did not know about Node.js third-party modules on HackerOne. Description express-useragent is simple...
Liberapay: A single user can subscribe a community multiple times
There is no proper validation while subscribing to a community. A user can subscribe to a single community multiple times. Steps to recreate: Step 1: Open any community Step 2: Click on the subscribe button Step 3: Capture the POST request and submit it multiple times Step 4: Check the subscription cou...
Mail.ru: Reflected XSS in delivery-club.ru
Reflected XSS via GET argument. At the time of reporting, XSS in delivery-club.ru was not covered by the bug bounty program...
Mail.ru: XSS at https://health.mail.ru/my/ via the external account name
Hello. I previously reported a bug related to the nickname in Odnoklassniki, and now I have found another place. In the mobile version of https://health.mail.ru/my/ we can see self-stored XSS in the nickname. F305597 This is what the name looks like: F305599 Impact XSS...
Node.js third-party modules: Arbitrary File Write through archive extraction
I would like to report an arbitrary file write vulnerability in the adm-zip module. It allows attackers to write arbitrary files when a malicious archive is extracted. More info here: https://snyk.io/research/zip-slip-vulnerability https://github.com/snyk/zip-slip-vulnerabilityaffected-libraries Module...
Node.js third-party modules: Arbitrary File Write Through Archive Extraction
I would like to report an arbitrary file write vulnerability in the adm-zip module. It allows attackers to write arbitrary files when a malicious archive is extracted. More info here: https://snyk.io/research/zip-slip-vulnerability https://github.com/snyk/zip-slip-vulnerabilityaffected-libraries Module...
Liberapay: Csrf token does not meet security design
Almost all APIs in liberapay.com have CSRF tokens. However, this token is not bound to the specified user. When the user is not logged in, the CSRF token is also generated, and after the login is successful, the token does not change. And the CSRF tokens generated by other web browser...
Yelp: I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure)
@hk755a discovered an Insecure Direct Object Reference Vulnerability that allowed an attacker to obtain the last four digits of a credit card that has been registered with the Yelp platform, through the error messages that the /profilepayment/save endpoint returned...
Mail.ru: DNS Misconfiguration
Your localhost.mail.ru has address 127.0.0.1 and this may lead to "Same-Site" Scripting. Here is a detailed description of this minor security issue by Tavis Ormandy: http://www.securityfocus.com/archive/1/486606/30/0/threaded I can also ping the localhost network from mail.ru, as in the image...
PullString: Eternal "change password" link.
Hi. The link for a password change does not expire after first use and may be reused many times, resulting in a password change every time. The issue is that such links leak to google-analytics. I'd suggest expiring the link after first use. Also, you store the link in Log output. This means easy leveraging of XSS to...
Upserve : Insufficient validation of sides/modifiers quantity
Summary: The Upserve Online Ordering OLO application does not properly verify on the server side the number of sides/modifiers that have been added Description: Certain items allow for selection of a limited number of sides/modifiers, and the application restricts the number of sides/modifiers tha...
Vanilla: Unsanitized input in email field
Users are able to inject JavaScript payloads in the email field, which leads to stored XSS. Steps to reproduce: 1. Go to profile and add "alert1"@example.com as your email. 2. We can see the popup at https://discuss.paytm.com/profile/preferences/profilename Impact Users can store malicious payloads...
Liberapay: Exploiting JSONP callback on /username/charts.json endpoint leads to information disclosure despite user's privacy settings
Hello! Vulnerability Details The /username/charts.json endpoint can return a JSONP callback due to the fact that jsonpdump is used in the file charts.json.spt. It appears that the content of the JSONP request depends on the authentication of the user. If the user enabled the privacy setting which...
Liberapay: REGISTRATION USING FAKE EMAIL ACCOUNT
1. Go to page https://liberapay.com/sign-up 2. Input an email address. I tried to register with some email addresses: [email protected] [email protected] [email protected] [email protected] [email protected] 3. Select the currency you want to use 4. Click the "GO" button 5. You will automatically enter the account without going through the email verification process...
Open-Xchange: [XSS] RSS Feed Widget
Hi. If type == null OR type is anything other than htm/xhtm, then the data is not sanitized, e.g. in RssAction.java: for (SyndContent content : contents) String type = content.getType(); if (null != type && type.startsWith("htm") || type.startsWith("xhtm")) foundHtml = true; String htmlContent =...
Mail.ru: XSS at https://icq.com/people
DOM Based XSS existed in old people search subservice icq.com/people. This functionality was removed...
Open-Xchange: [SSRF] PDF documentconverterws
Hi. Previous report 260576 Example: F305199 /ppt/slides/rels/slide1.xml.rels: xml Result: F305196 Impact Scan network Read any file file:///home/example/test.odf...
OLX: Reflective XSS at olx.ph
Hello, I would like to report a reflective XSS at https://www.olx.ph. Steps to reproduce Visit the following link: https://www.olx.ph/all-results?q=car&utmsource=OptHomepageVar0&utmmedium=Search&utmcampaign=toto%27-alertdocument.domain-%27-%27 An XSS should pop-up F305078 Technical Details The...
Uber: SQLI on uberpartner.eu leads to exposure of sensitive user data of Uber partners
The Uber EU test site has a SQLi vulnerability exposing several databases and, based on the database names, may expose hashed passwords and Uber partner information. Basic time-based SQLi that disclosed a database on an Uber EU test site. Check out my blog https://healdb.tech/blog/ or my Twitter...
Uber: Open AWS S3 bucket at ubergreece.s3.amazonaws.com exposes confidential internal documents and files
The Uber Greece AWS S3 bucket was open, allowing any remote user to view and download the files. Some of these files included confidential internal documents which could negatively impact Uber's brand. I found an Uber microsite that had a link to this AWS bucket being used by Uber Greece. Had some...
Liberapay: CSRF token manipulation in every possible form submits. NO server side Validation
The web application is generating CSRF token values inside cookies, which is not a best practice for web applications: the disclosure of cookies can reveal CSRF tokens as well. Authenticity tokens should be kept separate from cookies and should be isolated to change operations in the account only...
Liberapay: The csrf token remains same after user logs in
Description As the CSRF token doesn't change after login, any other user that uses the same workstation is vulnerable. A safer way would be to use a dynamic CSRF token or just change the token after login, so an attacker doesn't get hold of it. Details of the attack scenario in a shared workstation...
Liberapay: Insecure Account Deletion
Hi Team, The removal of an account is one of the sensitive parts of a web application that needs to be protected, therefore removing an account should validate the authenticity of the user. However, I have found that when removing an account, the system did not require the user to input the account passwor...
Liberapay: Unsafe deserialization in Libera Pay allows to escalate a SQL injection to Remote Command Execution
Hello. There isn't a direct vulnerability; however, a SQL injection would easily be escalated to Remote Code Execution. I can't directly exploit it due to the restriction on team names: it does not accept hexadecimal values. I, however, submit this issue in advance and will attempt to escalate thi...
Liberapay: Missing back-end user input validation can lead to DOS flaw
Hello Team, Usually such kinds of reports are out of scope; however, I still would like to report to you the business logic weakness that should be eliminated, at least from my point of view. Missing user input validation can lead to application unavailability. Details: During a brief revie...
Semmle: DOMXSS in redirect param
Summary The redirect param can consist of a javascript: url, which results in XSS. If a victim visits a malicious URL and logs in, the attacker can perform actions on behalf of the victim. Steps to reproduce 1 Logout 2 Visit...
Monero: Trusted daemon check fails when proxied through torsocks or proxychains
Summary: If torsocks(1) or proxychains(1) is enforced when using the Monero wallet with a remote node without explicit --untrusted-daemon arguments given, the application will assume the daemon is trusted. Description: By default, the wallet checks if the daemon address can be trusted by calling...
Liberapay: Liberapay Non Verified Account Takeover with signup feature
Hi, So I saw a strange behaviour of your web app in the signup feature that can be escalated to Account Takeover, but for a limited time. Issue: When a new user signs up for an account on https://en.liberapay.com/ he has to enter his email address only, and it doesn't say anything about sending a...
Liberapay: Anyone can register organization legal type as "Soletrader"
When Organization type is registered, two values are displayed: Business and Organization. When another value is provided, an error message is printed saying the Legal Type is wrong. This error message is not printed and the request succeeds when the value "Soletrader" is provided. The value...
Liberapay: CSRF ON EDITING NAME (OPTIONAL)
Allows an attacker to change one's account information, in this case the information from "Name Optional". Attackers can change the information without having to log in to the victim's account, only by using the CSRF technique. I tried changing the "Name Optional" information to...
Liberapay: Able to View other users income history
Hello, I found an IDOR through which I was able to view the income history of other users. Steps to reproduce the issue: 1. Log in to an account and fire up Burp Suite 2. Then go to the profile page and click on view income history 3. Then you can see a request like GET /Liberapay/charts.json HTTP/1.1 Host: liberapay.co...