Node.js third-party modules: [metascraper] Stored XSS in Open Graph meta properties read by metascraper
Hi guys, metascraper is vulnerable to stored XSS via Open Graph metadata if it is used in HTML without any sanitization. Module: A library to easily scrape metadata from an article on the web using Open Graph metadata, regular HTML metadata, and a series of fallbacks...
Node.js third-party modules: [node-srv] Path Traversal allows reading arbitrary files from the remote server
Hi guys, node-srv contains a path traversal vulnerability, which allows a malicious user to read the content of any file with a known path. Module: Simple static node.js server. Supports Heroku and Grunt.js https://www.npmjs.com/package/node-srv Description node-srv does not sanitize the path in the correct wa...
Node.js third-party modules: [angular-http-server] Path Traversal in angular-http-server.js allows reading an arbitrary file from the remote server
Hi guys, angular-http-server https://www.npmjs.com/package/angular-http-server contains a path traversal vulnerability, which allows a malicious user to read the content of any file with a known path. Module: A very simple application server designed for Single Page App (SPA) developers...
WordPress: Open Redirect on nl.wordpress.net
Description Hello. I discovered an open redirect vulnerability on nl.wordpress.org. Root cause The 301 redirect contains the full hostname, followed by @ without a trailing slash, when using: GET /@google.com HTTP/1.1 Host: nl.wordpress.net User-Agent: Mozilla/5.0 Windows NT 6.1; Win64; x64;...
Node.js third-party modules: [serve] Directory listing and file access even when they have been set to be ignored.
Module: - Name: serve - Version: latest 6.4.9 - Link: https://www.npmjs.com/package/serve Description: The serve module allows directory browsing and serving static files through the browser. The config option ignore can be used to tell the module which files or directories are forbidden and shoul...
Valve: Read access to all comments on unauthorized forums' discussions! IDOR!
Hi, for a forum's discussion, only moderator+ ranks are allowed to view comments which have been deleted by an officer/moderator. I have found an issue where a member who is not allowed to view deleted comments can get read access to the deleted comments on a forum's discussion. Also, a non-membe...
Automattic: wpjobmanager - unserialize of user input
The vulnerability occurs in the get_job_listings function, to be more precise lines 160 - 164 in wp-job-manager-functions.php: $result = new WP_Query( $query_args ); $cached_query = false; set_transient( $query_args_hash, $result, DAY_IN_SECONDS ); e.g. you perform serialize on an object that has esc_sql-ed values and afte...
Khan Academy: CSRF token fixation and potential account takeover
Hi team, Details: I have found that the CSRF token (fkey parameter) which prevents CSRF attacks is fixed in the same browser and doesn't change even when the user logs in or out, so a lot of users can use the same CSRF token. This can be exploited in 2 ways: Shared computers: - attacker opens...
VK.com: Opcode Cache
Disclosure of the names of some files...
Node.js third-party modules: [html-janitor] Bypassing sanitization using DOM clobbering
Module: Name: html-janitor Version: 2.0.2 Summary: Arbitrary HTML can pass the sanitization process, which can be unexpected and dangerous (XSS) in case user-controlled input is passed to the clean function. Description: Proof of concept: var myJanitor = new HTMLJanitor({ tags: { p: {} } }); var...
Nextcloud: Email notification should be sent when changing password on apps.nextcloud.com
Hi, there is an issue with the password reset functionality of Nextcloud: the user does not receive a notification when they reset their password. Issue: the user does not always get a notification about a password change. When the user changes their password, a notification is not sent to the user. It is good to always send...
Node.js third-party modules: [html-janitor] Passing user-controlled data to clean() leads to XSS
Module: Name: html-janitor Version: 2.0.2 Summary: Passing user-controlled data to the module's clean function can result in arbitrary JS execution, because of unsafe DOM operations. The description "Cleans up your markup and allows you to take control of your HTML. HTMLJanitor uses a defined...
HubSpot: Reflected XSS and Server Side Template Injection in all HubSpot CMSes
Really I don't know why the BugCrowd team closed my submission as N/A F337815. They mentioned that it was Not in Scope?! So I reported it again in another submission, but this time I messaged the security company directly and it was triaged and fixed in 2 days. Full PoC: I found it in this path /hcms/cta so this...
LocalTapiola: Authorization issue on 'valtakirjat' (/e2/verkkopalvelu/)
Issue The reporter found some inconsistencies related to authorizations and access between family members. Fix The application was fixed in a monthly release. Reasoning The issue was valid and the reporter provided a lot of valuable information for us to go on including traces, screenshots and...
Ruby on Rails: Path Traversal on Default Installed Rails Application (Asset Pipeline)
There is an information leak vulnerability in Sprockets. This vulnerability has been assigned the CVE identifier CVE-2018-3760. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Not affected: NONE Fixed Versions: 4.0.0.beta8, 3.7.2, 2.12.5 Impact ------ Specially crafte...
RubyGems: Cross-Domain JavaScript Source File Inclusion
The page includes one or more script files from a third-party domain. XSSI is a fancy way of saying: you are including someone else's code in your program; you don't have any control over what is in that code, and you don't have any control over the security of the server on which it is hosted...
Keybase: Claiming ownership of GitHub handles via forked GitHub gists.
Description An attacker can claim ownership of a GitHub user's handle if the user forks the attacker's gist with a verification snippet generated by the attacker pointing towards the user's handle. PoC With my colleague's permission @jackds I claimed their GitHub handle with this gist:...
Keybase: Keybase extension hostname-validation regular expression issue.
Description The following snippet in js/identities.js allows all hostnames ending in twitter.com, facebook.com, etc. to display the Keybase message window. The issue stems from the fact that you use . instead of \. in your regular expression. service: "twitter", getUsername: function (loc) { return...
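The regex mistake above in working form. This is an added example, not the Keybase extension's code: the loose patterns are an assumed reconstruction of the shape the report describes (an unescaped dot, no anchor), and the sample URLs are constructed. It shows which look-alike hosts the loose check accepts, a strict check that compares the parsed hostname instead, and how to build the regex correctly if one is really wanted.

```javascript
// Assumed reconstruction of the loose check: the "." in "twitter.com" is a
// wildcard and nothing anchors the match to the end of the hostname.
const LOOSE_PATTERNS = {
  twitter: /twitter.com/,
  facebook: /facebook.com/,
};

function matchesLoose(href, service) {
  return LOOSE_PATTERNS[service].test(new URL(href).hostname);
}

// Hardened check: the exact host or a subdomain of it, decided on the parsed
// hostname rather than by pattern-matching the raw string.
const SERVICE_HOSTS = {
  twitter: 'twitter.com',
  facebook: 'facebook.com',
};

function matchesStrict(href, service) {
  const expected = SERVICE_HOSTS[service];
  let host;
  try {
    host = new URL(href).hostname.toLowerCase();
  } catch (e) {
    return false; // not a URL at all
  }
  return host === expected || host.endsWith('.' + expected);
}

// If a regex is really wanted: escape the literal and anchor it, so only the
// host itself or a label boundary before it can match.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
function hostRegExp(host) {
  return new RegExp('(^|\\.)' + escapeRegExp(host) + '$');
}

// Constructed URLs: two legitimate, three look-alikes an attacker could own.
const SAMPLES = [
  'https://twitter.com/keybase',
  'https://mobile.twitter.com/keybase',
  'https://twitterxcom.example.net/keybase',
  'https://nottwitter.com/keybase',
  'https://twitter.com.example.net/keybase',
];

function compare(service) {
  return SAMPLES.map((href) => ({
    href,
    loose: matchesLoose(href, service),
    strict: matchesStrict(href, service),
  }));
}

console.table(compare('twitter'));
```

The loose pattern accepts all five samples; the strict check and the anchored, escaped regex accept only the first two.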
Keybase: Difference in query string parameter processing between Hacker News and Keybase Chrome extension spawns chat to incorrect user
Hello! When using the Keybase Chrome extension and viewing a Hacker News profile page with an additional id parameter in the query string, Hacker News uses the username from the first id parameter, whereas the Keybase extension uses the username from the second id parameter. Example URL:...
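The first-wins versus last-wins divergence above, as an added example that is not Hacker News' or the Keybase extension's code. The two readers are assumed reconstructions of the behaviours the report describes (URLSearchParams.get returns the first occurrence; a plain object built from the query string keeps the last), and the URL is constructed. The third reader is the fix: refuse to pick a value when the parameter is repeated.

```javascript
// Server-side style reader: first occurrence wins (assumed to mirror the
// Hacker News behaviour described in the report).
function firstId(href) {
  return new URL(href).searchParams.get('id');
}

// Client-side style reader: builds a plain object from the query string, so a
// repeated key is overwritten and the last occurrence wins (assumed to mirror
// the extension behaviour described in the report).
function lastId(href) {
  const params = {};
  for (const pair of new URL(href).search.slice(1).split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    params[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return params.id === undefined ? null : params.id;
}

// Hardened reader: exactly one occurrence, or no answer at all. Any code that
// then acts on the identity (opening a chat, showing a verified badge) bails
// out instead of silently trusting whichever copy its parser happened to keep.
function uniqueId(href) {
  const all = new URL(href).searchParams.getAll('id');
  return all.length === 1 ? all[0] : null;
}

// Constructed URL in the shape the report describes: a profile link with a
// second id appended by an attacker.
const SAMPLE = 'https://news.ycombinator.com/user?id=alice&id=mallory';

function compareIdReaders(href = SAMPLE) {
  return { first: firstId(href), last: lastId(href), unique: uniqueId(href) };
}

console.log(compareIdReaders());
```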
Node.js third-party modules: [serve] Directory index of an arbitrary folder available due to lack of sanitization of %2e and %2f characters in the URL
Hi, this report is about an arbitrary directory listing vulnerability I found in the serve module. The vulnerability does not allow opening arbitrary files, due to the send module, which handles file reading and implements its own validation and protection against path traversal attacks. However serve handles...
Showmax: Stored blind XSS on Showmax support team
This report describes a phishing attack. It was performed through HTML injection into a 3rd party chat application and a bit of social engineering. The merit of the attack was in providing HTML code which was then executed on the support agent's side. The code was able to retrieve some cookies and lu...
Trello: Trello Gold accounts free for 1 year
It is possible to create a Trello Gold account and use it for free for 1 year. The issue lies in credit card validation. PoC: 1. Create a new Trello account 2. After verification, go to Profile > Trello Gold 3. Choose billed annually, enter a valid credit card number with $0 on it, and click on...
HackerOne: While adding a payment method - Notification email not sent to newly added email ID, and there is no verification for the new email ID (PayPal)
Description: As you know, HackerOne allows us to add a payout method. On selecting PayPal we are asked to add a PayPal email ID. On saving the new email ID, the HackerOne account holder, i.e. the account from which the payout method was changed, gets a notification email saying that "The payout method was changed from...
VK.com: CSRF to edit the cards in a group's post
There is no hash in the request that edits the advertising carousel. Video demonstration of the impact: https://youtu.be/BO8lCwv01f0...
Coinbase: Double Payout via PayPal
An issue with the handling of the PayPal transaction states resulted in a user being able to both withdraw money from PayPal, but not have the funds deducted from their account...
Grab: Leak ██████████ information in real time through API request
The researcher identified an endpoint that was publicly accessible and contained minuscule amount of sensitive information with some dummy data. We quickly resolved the issue and rewarded the researcher. We are thankful to @severus for his continued contribution to our bug bounty program to keep...
HackerOne: Submitted reports state logs leakage
Hi team, Summary ---------- The endpoint https://hackerone.com/ returns a JSON response containing some information about the , the parameter signal is returned as a high-precision float number with up to 14 digits after the comma; the fractional part of this JSON parameter can be used to disclose so...
Node.js third-party modules: [html-pages] Path Traversal in html-pages module allows reading any file from the server with curl
Hi, this report is about a directory traversal vulnerability I found in the html-pages module. Module: html-pages is a module which allows browsing directories and serving static files in the browser. The vulnerability exists in the latest available version 2.0.7 Link to npm page:...
Pornhub: XSS
The researcher found a GET parameter, the value of which was output in the page source, resulting in XSS...
Phabricator: window.opener protection bypass
SUMMARY ======== If you create a post/comment with a link like http://x.com in Phabricator then the server adds rel="noreferrer" to the anchor tag, so the child window doesn't have access to the parent window. But it can be bypassed with a URL like /\x.com/index.php and the child window can change the location property o...
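Both the WordPress open redirect above (a hostname followed by @ with no slash) and this opener bypass (a backslash where a slash is expected) come from building or classifying a URL as a string and letting the browser's WHATWG parser read it differently. The following is an added example, not WordPress' redirect code or Phabricator's link handling: the two vulnerable functions are assumed reconstructions of the shapes the reports describe, the origin and hosts are constructed, and Node's URL class (the same parsing rules browsers use) plays the browser.

```javascript
const ORIGIN = 'https://app.example.org'; // assumed page origin for the opener case

// Assumed reconstruction of the redirect bug: the target is built by string
// concatenation and the leading "/" of the request path is dropped, so
// "/@google.com" becomes "host@google.com". A WHATWG parser then reads "host"
// as userinfo and google.com as the real host.
function buildRedirectVulnerable(host, requestPath) {
  return 'https://' + host + requestPath.replace(/^\/+/, '');
}

// Safe: let the parser combine base and path, then refuse to leave the host.
function buildRedirectSafe(host, requestPath) {
  const target = new URL(requestPath, 'https://' + host);
  if (target.hostname !== host) return null;
  return target.href;
}

// Assumed reconstruction of the opener-protection check: rel="noreferrer" is
// added only to links a scheme-prefix test on the raw string calls external.
function isExternalNaive(href) {
  return /^https?:\/\//i.test(href);
}

// Browsers treat "\" like "/" in http(s) URLs, so "/\x.com/index.php" is the
// protocol-relative "//x.com/index.php". Resolve against the page origin first
// and compare origins instead of inspecting the raw string.
function isExternalResolved(href, pageOrigin = ORIGIN) {
  let target;
  try {
    target = new URL(href, pageOrigin);
  } catch (e) {
    return true; // unparsable: treat as untrusted
  }
  return target.origin !== new URL(pageOrigin).origin;
}

// Where the browser actually lands for a given href on this page.
function effectiveHost(href, pageOrigin = ORIGIN) {
  return new URL(href, pageOrigin).hostname;
}

console.log(buildRedirectVulnerable('nl.wordpress.org', '/@google.com'),
  '->', effectiveHost(buildRedirectVulnerable('nl.wordpress.org', '/@google.com')));
console.log('/\\x.com/index.php', 'naive external:', isExternalNaive('/\\x.com/index.php'),
  'resolved external:', isExternalResolved('/\\x.com/index.php'),
  'lands on:', effectiveHost('/\\x.com/index.php'));
```

The same origin comparison also catches the plainer "//x.com/index.php" form and a scheme-relative "\\x.com", which the prefix regex likewise misses.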
Mail.ru: Reflected XSS on cycloferon.health.mail.ru
Reflected XSS in the http://cycloferon.health.mail.ru/ promo site. This domain is not covered by the bug bounty program. Since this site is no longer supported, access was closed as a workaround...
Internet Bug Bounty: Urllib connects to a wrong host
Description ----- URL parsing and URL fetching are inconsistent with each other Original bug report ----- - https://bugs.python.org/issue30500 - http://python-security.readthedocs.io/vuln/bpo-30500urllibconnectstoawronghost.html Note ----- - None Thanks : Impact SSRF...
Mail.ru: [e.mail.ru] XSS on the money transfer page
Reflected XSS in https://e.mail.ru/money/send via the messageid GET parameter. XSS via a GET param...
Internet Bug Bounty: Inappropriate URL parsing may cause security risk!
Description ----- The behaviors of parse_url and httpwrap/cURL are different Original bug report ----- - https://bugs.php.net/bug.php?id=74192 Note ----- - CVE-2017-7189 assigned Thanks : Impact SSRF...
Internet Bug Bounty: Inappropriately parsing HTTP response leads to PHP segmentation fault!
Description ----- A NULL pointer dereference in parsing an HTTP header. It is very easy to trigger this segmentation fault and it may be vulnerable in some scenarios. Original bug report ----- - https://bugs.php.net/bug.php?id=75535 Note ----- - None Thanks : Impact Segmentation fault...
Internet Bug Bounty: Potential infinite loop in gdImageCreateFromGifCtx!
Description ----- It is easy to trigger in a web application if the web app uses GD as its image library. For example, it can be triggered if a website resizes user-uploaded GIFs, and ALL PHP versions are affected! Original bug report ----- - https://bugs.php.net/bug.php?id=75571 Note ----- -...
ok.ru: Bypass of closed-profile restrictions, gaining the ability to comment on closed gifts and view them
Insecure direct object reference allowed posting comments to user gifts despite their privacy settings. The vulnerability allowed creating comments on a user's gifts even if this was forbidden by the privacy settings...
Slack: Information leakage and default open port
@freem0 found Prometheus plugin output that was exposed at one of our servers. The information exposed included some OS information and metrics about memory usage, but no customer data was at risk and no exploit was possible. Thank you @freem0!...
LocalTapiola: Malicious file upload (secure.lahitapiola.fi)
Basic report information Summary: Malicious file upload Description: Hello! I noticed that when a user sends a new message you have restricted pretty strictly the files which are OK to upload, like .svg: F254353. However if a user impersonates another user (just one example) and starts the conversatio...
Yelp: Clickjacking on IMPORTANT functions of Yelp
SUMMARY: A few important functions of yelp.com are vulnerable to a clickjacking attack. DESCRIPTION: Please have an introduction about the vulnerability type: https://en.wikipedia.org/wiki/Clickjacking Clickjacking is similar to CSRF with just the extra involvement of the victim clicking somewhere on t...
Showmax: Query string parameter modifications returned in page
NOTE BEFOREHAND: I KNOW it's not located on the core showmax.com domain, but that doesn't affect the applications of this and it still has the same risk. Summary: At https://sso.showmax.com/auth/failure?message=, you can change the message parameter to any text and it will be returned on the page...
Monero: Corrupt RPC responses from remote daemon nodes can lead to transaction tracing
Dear Monero security team, We’re writing to disclose a privacy vulnerability when using monero-cli or monero-gui with an untrusted remote node. When using a remote node, the Monero client relies on the node to provide information from the blockchain, in particular the public keys and transaction...
LocalTapiola: Information exposure via error pages (www.lahitapiola.fi Tomcat)
Summary: Information exposure via error pages Description: Hello there! I take the risk that this report might be closed as N/A, but because you are running an outdated Tomcat I wanted to take this risk and report it to you. So here we go.. When you navigate to the page e.g...
Mail.ru: XSS (Working with mail)
Log in to the mailbox. 2. Settings - Working with mail. Fetch the incoming parameters with a GET request...
Concrete CMS: Administrators can add other administrators
Because I know you like crayons, here's a token of my appreciation... :D F253771 Concrete5 version: 8.3.1 Release date: 12/20/17 Where: Core CMS Vulnerability: Privilege Escalation (OTG-AUTHZ-003) Privilege escalation occurs when a user gets access to more resources than is normally allowed when it...
Mail.ru: Ability to upload a shell to https://widget.operator.mail.ru
It was possible to upload shell code to widget.operator.mail.ru via the file upload feature. widget.operator.mail.ru is a part of games.mail.ru and is not currently covered by the bug bounty program. Shell upload...
Grab: Unrestricted access to https://██████.█████myteksi.net/
Hello again Grab Security Team! Following my previous research, it seems that the microservices architecture you are currently running on .█████myteksi.net is publicly exposed on another endpoint: https://█████████.█████myteksi.net. Summary: When researching and starting a new enumeration of...
Internet Bug Bounty: ACME TLS-SNI-01/02 challenge vulnerable when combined with shared hosting providers
The ACME TLS-SNI-01 and TLS-SNI-02 specifications made wrong assumptions about how current major cloud providers route and validate domains. This was reported earlier this week to Let's Encrypt, and they decided to disable the method. Today Let's Encrypt decided to sunset both TLS-SNI-01 and...
Grab: Unrestricted access to Eureka server on ██████
Hi Grab Security Team, First of all, best wishes for 2018, empty of bugs if possible ;-) Summary: I found that the following endpoint is hosting a Netflix Eureka Server █████ and that even if some URLs require authentication (401 code for some of them, like /metrics for example), it is still...
Uber: ubernycmarketplace.com is vulnerable to the Heartbleed Bug
The Heartbleed Bug was a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. This allows attackers to eavesdrop on communications, stea...