Liberapay: CSRF token did not change after logging in and out many times
Hello team, your CSRF token does not expire, and after logging in and out many times, I found that your CSRF token is generated the same as the last one. Impact: if an attacker found an XSS on your domain and you fixed it, but the attacker still has the CSRF token of a user, the attacker can use it to perform any action...
Liberapay: Same CSRF token is being used for deleting other platform logins within an account and across other Liberapay accounts
We’ve got an “Accounts Elsewhere” option in the profile section, where we can connect our Liberapay account with multiple other platform accounts. While deleting those multiple other platform accounts, the same CSRF token is being used. I’ve signed up with a couple of Liberapay accounts, where I found th...
Liberapay: Insecure password change
I would like to report an issue with changing the password. When you change the password, it doesn't require the current password. The scenario here is that when you forget to log out of your account after logging in on another device, it is easy to take over the account by changing its password. Impact: Easy to...
Liberapay: Twitter API access token leaked on GitHub
Sensitive tokens were leaked on the GitHub page of Liberapay. A Mixpanel token was also leaked. TWITTER_CONSUMER_KEY=QBB9vEhxO4DFiieRF68zTA TWITTER_CONSUMER_SECRET=mUymh1hVMiQdMQbduQFYRi79EYYVeOZGrhj27H59H78 +TWITTER_ACCESS_KEY=34175404-G6W8Hh19GWuUhIMEXK0LyZsy7N9aCMcy1bYJ9rI...
Liberapay: Phishing by Navigating Browser Tabs
Hi team, I created a PR on GitHub: https://github.com/liberapay/liberapay.com/pull/1127 Details: Windows opened through normal hrefs with target="_blank" can modify window.opener.location and replace the parent webpage with something else, even on a different origin. While this doesn't allow scri...
Liberapay: Current CSP Policy chained with HTML Injection can lead to Data Exfiltration
Hi Team, Summary: While reviewing the CSP headers for en.liberapay.com, I noticed that img-src has a source set to which means any source on the internet. The following is found in the current CSP header config: img-src blob: data: Description: If the site is vulnerable to HTML injection, it's possib...
Liberapay: CSRF to make any user accept the invitation to the team
Description: The victim can be tricked into accepting the invite, as a normal GET request is sent while accepting the request. Steps to reproduce: Make an HTML page using the following code: click here Change "test" to your team mate. Impact: The impact is low, but it can still make a user accep...
Liberapay: Origin IP found, Cloudflare bypassed
Hello team, during the initial assessment of your assets I've come across what seems to be the unprotected origin server for www.liberapay.com. Description The frontend currently resolves to ████ and ███, both owned by Cloudflare, which act as your reverse proxy and WAF. By correlating your SSL...
Starbucks: Information Leak - Github - JMS Information
Hi, after some research, I found a leak on GitHub that might lead to accessing sensitive data of employees or clients; I am not sure which, based on the code. There is also an SAP S-user to access a cloud-based HANA service. I have not confirmed what kind of data is in there, to avoid potential legal issues. I...
Liberapay: Authenticated reflected XSS on liberapay.com via the back_to parameter when leaving a team.
PoC: Click the cancel button; it redirects to a third-party site. Regards, techguy Impact: This vulnerability could redirect users to the attacker's websites for phishing attacks...
Mail.ru: [account.mail.ru] XSS on the password recovery page
When the password recovery form is generated, the email value is inserted into it as-is: https://account.mail.ru/recovery/support?email=%3Csvg%20onload=alert(document.domain)%3E Domain, site, application -- https://account.mail.ru/recovery/support Testing environment -- Firefox 60.0 Chrome 66.0 Steps ...
Node.js third-party modules: [markdown-pdf] Local file reading
I would like to report local file reading in markdown-pdf. It allows inserting malicious HTML code, which allows reading local files. Module module name: markdown-pdf version: 8.1.1 npm page: https://www.npmjs.com/package/markdown-pdf Module Description Node module that converts Markdown fil...
Starbucks: SQL Injection Proof of Concept for Starbucks URL
browser: Firefox Quantum 60.0.1 64-bit os: Windows 10 sqli type: char formula injection info found: Oracle database system url: https://www.starbucks.de/coffee/our-coffees/format/whole-bean injected url using Oracle concatenation and char functions:...
Trello: Stored XSS in Treeview plugin
There was a potential XSS issue in a third party power-up. While issues with third party apps are generally out of scope for our bug bounty program, in this case we opted to award a small bounty...
Mail.ru: [account.mail.ru] XSS on the account deletion page via backUrl
Insufficient validation of the backUrl parameter makes it possible to specify a javascript: link: https://account.mail.ru/user/delete?backUrl=javascript:alert(document.domain) javascript getBackUrl: function (url) { return /^http/.test(url) ? url : this.urlData.backUrl || this.config.get('backUrl') ||...
GSA Bounty: Multiple Bugs in api.data.gov/signup endpoint leads to send custom messages to Anyone
Hey there, while signing up for a new API key, I found two bugs that are unusual and allow anyone to send a crafted or customised email to someone. Bug 1: - low 1. Go to https://api.data.gov/signup/ 2. Enter first and last name, then enter an email id and get an API key. Bug: You can use the same email id...
Passit: Insecure opening of external links in app.passit.io/list allows for reverse tabnabbing
Description https://app.passit.io/list renders external links under attacker control that open in a new tab such that the opened tab has access to the opening tab where the user was just browsing on app.passit.io via window.opener. This is likely due to the lack of specifying a rel="noopener"...
U.S. Dept Of Defense: LDAP Injection at ██████
Summary: An LDAP injection has been found at the mentioned domain. Description: While performing a user registration, it is possible to edit the request and inject invalid characters, resulting in an LDAP injection. Step-by-step Reproduction Instructions 1. Visit page...
GitLab: Potential SSRF via Git repository URL
Duplicate: Fixed in 8.17.4, 8.16.8, and 8.15.8 Original report: https://hackerone.com/reports/135937 SSRF when importing a project from a Repo by URL GitLab instances that have enabled project imports using "Repo by URL" were vulnerable to Server-Side Request Forgery attacks. By specifying a...
Zomato: [www.zomato.com] SQLi on `order_id` parameter
@saltedfish found that a parameter order_id was vulnerable to SQLi. POC for everyone to learn from this disclosed report - There was an endpoint which had order_id as one of the parameters. - Requesting '-if(1=2,'0','1')-' in the order_id parameter changed the Response Length, and upon further investigatio...
Node.js third-party modules: [serve] Server Directory Traversal
I would like to report a Server Directory Traversal vulnerability in serve. It allows reading local files on the target server. Module module name: serve version: 7.0.1 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site, single page...
Node.js third-party modules: [serve] Stored XSS in the filename when directories listing
I would like to report a Stored XSS issue in the module serve. It allows executing malicious JavaScript code in the user's browser. Module module name: serve version: 7.0.1 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site, single page...
Vanilla: A SQL injection vulnerability in Vanilla
Summary: There is a SQL injection vulnerability in Vanilla; an attacker can use this vulnerability to obtain database information. Description: in applications/conversations/controllers/class.messagescontroller.php:164 php public function addMessage($conversationID = ''...
Node.js third-party modules: Privilege escalation with malicious .npmrc
Hello. I'm forwarding to you my conversation with npm staff regarding a security issue. It allows escalating to root privileges of the victim using either: basic social engineering - convincing the victim to run npm in an attacker-controlled folder, e.g. a repository, including such innocent ones as "npm hel...
Nextcloud: File access control rules not enforced on image files
1. Installed Nextcloud from Snap package version 13.0.2snap1, revision 6916 on a fresh Ubuntu 18.04 LTS install. 2. Installed and enabled Files access control v1.3.0 and Files automated tagging v1.3.0 apps. 3. As an administrator, created an invisible collaborative tag Secret. 4. Added Files automated...
Yelp: CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card
@hk755a discovered an Insecure Direct Object Reference Vulnerability that allowed an attacker to associate a randomly added but subsequently deregistered credit card with their own account, via the /rewards/signup endpoint. While the attacker would not have been able to use this credit card as...
DuckDuckGo: SSRF in proxy.duckduckgo.com via the image_host parameter
Description: The https://proxy.duckduckgo.com/iur/ endpoint is vulnerable to SSRF via the image_host GET parameter. Vulnerable URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://tudomanyok.hu/ Some internal URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://127.0.0.1:18091/...
Node.js third-party modules: [buttle] Path traversal in mid-buttle module allows reading any file on the server.
Hello Node.js third-party modules, I would like to report a path traversal in the buttle module. It allows me to read any file on the server if I know the path. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Description Simple static file + markdown server...
Nextcloud: Disclosed version of ports SSH|HTTP|SSL
I found that the versions of ports are disclosed, but the interesting thing is that the SSH port is open and shows its version == OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 Ubuntu Linux; protocol 2.0 F:302383 Searching, I found that this version has common vulnerabilities https://vuldb.com/?id.89622 So it's not good to disclos...
Automattic: RCE via Print function [Simplenote 1.1.3 - Desktop app]
In Simplenote 1.1.3 - Desktop app there is a stored XSS vulnerability that can be used to execute arbitrary code. If there is malicious code in the note and the user tries to print it for example to save it as a PDF, the malicious code runs. This report is based on the report 291539, by Yasin...
Bumble: Compromising the user ID
The vulnerability allows compromising the user ID in the "Dating" menu. This is a serious vulnerability that violates the logic of the site and allows the attacker to write a message to the user he likes before the user responds reciprocally. In order to play the vulnerability, you need to go to the...
Tor: Tor Browser: iframe with `data:` uri has access to parent window
Version: 7.5.4 based on Mozilla Firefox 52.8.0 Tested with the standard security slider. However, it's likely to be possible with a higher security level. Summary: In Tor Browser, an iframe with a data: URI inherits the origin of the parent window. That leads to the iframe having access to the parent window. PoC: The iframe cou...
GitLab: HTML TAG INJECTION ON PROFILE NAME
It allows me to change the profile name to an image tag and convert it into HTML code, and this tag appears perfectly on the "snippets" page. Suppose I include an image tag with a source; when another user sees it on the "https://gitlab.com/snippets/1718284" page, an image will appear of an...
Mail.ru: Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/
Hi there, I have found a Clickjacking vulnerability on your site. Steps to reproduce: 1. Go to this site https://support.my.com 2. Generate a Clickjacking script, save it as .html and run it in your browser Script: iframe { width: 800px; height: 500px; position: absolute; top: 0; left: 0; filter:...
Valve: Deleting other people's comments on ModeratorMessages
Due to a missing permissions check, anyone could delete a comment on a community moderator message knowing the unique comment GID and the SteamID of the message receiver. The endpoint has been corrected to verify the correct permissions. You were able to delete other people's comments on moderat...
Reverb.com: Items bought for free due to lack of quantity controls
Hi, the server fails to check the quantity of the items that are going to be sold. Values = 0 are accepted as 1. PoC: Go here https://sandbox.reverb.com/fr/item/139897-fender-2-strap-leather-test-2018-leather Intercept the response after clicking "Add to cart" and put "quantity: 0" F302179 Procee...
Monero: forum.getmonero.org Shell upload
Summary: The method uploadProfile in the UsersController allows an attacker to upload a shell to the target server due to a lack of image validation. Description: Steps To Reproduce: 1. Open POC https://forum.getmonero.org/uploads/profile/lNobodyl1527340454.php or...
Brave Software: DoS in Brave browser for iOS
Summary: An attacker could initiate a DoS during page loading. Products affected: 1.6 18.05.17.13 Device: iPhone 6s iOS 11.3.1 Steps To Reproduce: PoC: html let o = document.body.appendChild(document.createElement('object')); // application/json or application/pdf are valid values too o.type = 'text/html' ...
Passit: Old sessions do not expire on changing password via https://app.passit.io/account/change-password
Description: On changing the password, only the current session, using which the user changes the password, expires; however, old sessions in any other browser or device do not expire and remain active. Reproduction Steps: To verify the issue: 1. Log in to Browser A and make sure to check 'stay logged...
HackerOne: Exposing hackerone users personally identifiable information by abusing sandbox with swag reward enabled
Hi HackerOne Team, Summary: I have found a critical bug, but this will require a bit of user interaction. BUT please take note that once exploited, a HackerOne user's PII - personally identifiable information - can be exposed. I have found this bug by using the sandbox with swag reward enabled. --- Le...
HackerOne: Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot
Summary: The hacktivity of a private program is visible to a banned user if he gets invited to a program by hackbot. Description: Back in 2016 I was banned by █████'s private program ███ due to some conflict between me and their security team; I think they manually put me in the banned users list, but...
Mail.ru: Getting all icq domains and subdomains via amazonaws.com [config.txt]
Open access to config.txt on Amazon, where all your domains and subdomains are stored: "api.icq.net": "api.ic2ster.com", "bos.icq.net": "bos.ic2ster.com", "api.login.icq.net": "apilogin.ic2ster.com", "icq.com": "www.ic2ster.com ", "www.icq.com ": "www.ic2ster.com ", "files.icq.com": "files-com.ic2ster.com...
Node.js third-party modules: [simplehttpserver] List any file in the folder by using path traversal.
I would like to report Path Traversal in simplehttpserver. It allows listing any file in another folder of the web root. Module module name: simplehttpserver version: 0.1.1 npm page: https://www.npmjs.com/package/simplehttpserver Module Description 'simplehttpserver' is a simple imitation of python's...
Node.js third-party modules: [exceljs] Possible XSS via cell value when worksheet is displayed in browser
Hi Team, I would like to report a Stored XSS vulnerability in the exceljs module. It allows executing JavaScript code embedded in the XLS sheet when data from the sheet is displayed in the browser. Module module name: exceljs version: 1.4.6 npm page: https://www.npmjs.com/package/exceljs Module...
Open-Xchange: command Injection in rawlog binary
Quick Overview: I have found a Command Injection vulnerability in the code, where a method calls an OS shell command using an untrusted string to execute. Introduction: Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable...
Slack: Internal SSRF bypass using slash commands at api.slack.com
@albatraoz found a bypass to report 61312, allowing information leakage via SSRF in slash commands. We fixed the vulnerability and performed a thorough investigation. Thanks @albatraoz!...
Open-Xchange: Buffer overflow in sha3
Quick Overview: I have found a Buffer Overflow OutOfBand vulnerability in the code, where a buffer used is not properly verified before writing data to the buffer. Introduction: Buffer overflow attacks, in their various forms, could allow an attacker to control certain areas of memory. Typically, th...
Open-Xchange: [XSS] content_disposition=inline in files
Hi. No filter for application/ when content_disposition=inline PoC: - 1. Auth https://sandbox.open-xchange.com/ajax/share/021f28560fbe7d5b21f28d3fbe7d42379932c8eb965ee141/1/8/NTc/NTcvMzQ4 2. XSS...
HackerOne: HackerOne support disclosing report state without checking user identity
How I was able to know the state of a report using HackerOne Support: I was able to know the state of a report using a different email address by contacting HackerOne Support. So the thing is, this is my report https://hackerone.com/reports/344238 which is not even disclosed and was closed as informative...
Phabricator: The "Download Raw Diff" URL is viewable by everyone
mongoose This is similar to 213942, but less severe. Here is what you said in 213942: The change makes us write files with narrow permissions instead of broad permissions, write temporary files instead of permanent files and ... If I understand your comment correctly, suppose that an Administrato...