Uber: It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without
Summary Configuration file and/or source code information leakage without Uber OneLogin SSO authentication. Security Impact Misconfiguration on the server results in information leakage without authentication. Reproduction Steps...
HackerOne: HTTP Parameter Pollution using semicolons in iframe element at hackerone.com/careers allows loading external Greenhouse forms
Summary: I noticed that the HackerOne careers page loads its application forms from Greenhouse.io via an iframe. The ghjid parameter value is taken into the iframe element for the token parameter in the iframe URL boards.greenhouse.io. Any HTML characters are escaped in order to avoid XSS and possib...
Ruby: controlled buffer under-read in pack_unpack_internal()
Brief ----- There is a signedness error in pack_unpack_internal, allowing the '@' type to trigger a buffer under-read when unpacking with a controlled format, similar to format string implementation vulnerabilities. Code Vulnerability -------------------- Vulnerable version: 2.5.0 rc and prior...
WordPress: antispambot does not always escape <, >, &, " and '
The antispambot function escapes some randomly selected characters from its first argument, for example: <, >, &, ", or '. These last five characters should always be escaped. There is a chance that this will print out unescaped: console.log"hello";'; Even though the chance of this happening is low,...
GitLab: SQL injection in MilestoneFinder order method
The MilestoneFinder is a class used to find milestones based on group or project identifiers. The class is used in multiple controllers. It allows filtering based on state and can be used to order the result set. One of the uses can be found in the Groups::MilestonesController. When the index...
Inflection: Clickjacking on https://www.goodhire.com/api
Researcher discovered x-frame options missing...
X (Formerly Twitter): Persistent DOM-based XSS in https://help.twitter.com via localStorage
Summary: I've found a DOM-based XSS vulnerability in the website help.twitter.com that persists via a localStorage key lastArticleHref. The value of this localStorage key is used to dynamically generate a piece of HTML code without proper encoding or filtering allowing an attacker to inject...
Unikrn: [crm.unikrn.com] Open Redirect
Hi, there is an open redirect vulnerability in crm.unikrn.com. POC: curl http://crm.unikrn.com//example.com/ -L -v Response: GET //example.com/ HTTP/1.1 Host: crm.unikrn.com User-Agent: curl/7.54.0 Accept: / HTTP/1.1 301 Moved Permanently Date: Thu, 14 Dec 2017 09:06:13 GMT Content-Type: text/html;...
Nextcloud: Registered users can change app password permissions for any user
Vulnerable URL http://server/nextcloud/index.php/settings/personal/authtokens/token ID Summary Nextcloud users can create app-specific passwords, also called authtokens, giving an app limited access to their account. Users can grant or deny access to their files for each app password. The functio...
Automattic: Improper markup sanitisation in Simplenote Android application.
Description The Simplenote Android application 1.5.6 still allows users to embed fully-fledged forms. html Sign in to Simplenote Please sign in Email Password Remember Me Forgot your password? F246484 A more convincing proof of concept could consist of hiding the form inside several paragraphs o...
Zomato: [www.zomato.com] Boolean SQLi - /█████.php
@gerbenjavado found that the parameter entityid was vulnerable to SQLi on endpoint /████.php using a Boolean technique. POC The POC uses ifmid@@version,1,1=5 which returns a 200 ok message. If changed for ifmid@@version,1,1=4 the server gives a 500 or 504 error, confirming the SQLi and proving da...
GSA Bounty: SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent
I've identified an SQL injection vulnerability in the website labs.data.gov that affects the endpoint /dashboard/datagov/csv_to_json and can be exploited via the User-Agent HTTP header. I didn't extract any data from the database; I've confirmed the vulnerability using sleep SQL queries with...
Deconf: Unauthenticated Reflected XSS in admin dashboard
The researcher has identified a Reflected XSS vulnerability within an analytics report of our plugin. The report was well documented, providing a step-by-step PoC to demonstrate the vulnerability...
shopify-scripts: mruby heredoc notation
Hi There exists a vulnerability in mruby when using the heredoc notation it doesn't need ulimit The minified test can be generated with the following command: ruby -e 'IO.binwrite"j3.rb", "\xa7 This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent...
X (Formerly Twitter): No Rate Limit in email leads to huge Mass mailings
Hi Team, I have found a logical flaw (NOT DoS) in the website 'https://app.mopub.com/'. 1. Use Burp Suite and capture the below request upon navigation to Code integration. 2. Click on the Send button after entering an email address in the input field of 'Enter one or more email addresses and we'll send you links ...
LocalTapiola: PHPMYADMIN Setup is accessible without authentication on https://lml.lahitapiola.fi/
Vulnerability Detail The phpMyAdmin setup page is accessible over the internet, in which it's possible for the user to set up the servers with the required details. Vulnerable Endpoint https://lml.lahitapiola.fi/admin/phpMyAdmin/setup/index.php Attached screenshots F246247 F246248 Impact It's possible for an...
Semrush: Reflected XSS using Header Injection
Host : www.semrush.com Path : /billing-admin/profile/subscription/?l=de Payload : c5obc'+alert1+'p7yd5 Steps to reproduce : Request Header : GET /billing-admin/profile/subscription/?l=de HTTP/1.1 Host: www.semrush.com Accept: / Accept-Language: en User-Agent: Mozilla/5.0 compatible; MSIE 9.0;...
Deriv.com: Leaking Referrer in Reset Password Link
On 12th Dec flex0geek reported that binary.com was leaking password reset tokens through referer headers. At first sight the report was closed, as we had fixed this earlier and our code base seemed fine. Later on the researcher sent a video POC which did show that we were leaking password...
HackerOne: Common response suggestion is sent to Google Analytics when user accepts duplicate comment Genius suggestion
Summary It was found that although the referrer-policy header for https://hackerone.com/hacktivity was set to strict-origin-when-cross-origin, a request to https://www.hackerone.com/blog contains the full URL path of the hacktivity page as the referer header, e.g....
Internet Bug Bounty: Exim handles BDAT data incorrectly and leads to crash/hang
Original article is here Incorrect BDAT data handling leads to DoS Vulnerability Analysis When receiving data with the BDAT command, an SMTP server should not consider a single dot '.' in a line to be the end of the message. However, we found exim does in receive_msg when parsing the header. Like the following...
Internet Bug Bounty: Exim use-after-free vulnerability while reading mail header involving BDAT commands
Original article is here Use-after-free in receive_msg leads to RCE Vulnerability Analysis To explain this bug, we need to start with the memory management of exim. There is a series of functions starting with store_, such as store_get, store_release, store_reset. These functions are used to manage...
GitLab: Lack of validation before assigning custom domain names leading to abuse of GitLab pages service
One way to add a custom domain name for GitLab pages is to create a new DNS A record pointing to the IP of the GitLab Pages server, i.e. 52.167.214.135. A person who owns the domain name could then add the domain name in the Pages settings at https://gitlab.com///pages. GitLab then assigns the domain...
HackerOne: Open redirect deceive in hackerone.com via another open redirect link.
1. The open redirect feature in hackerone does not work properly. 2. When users submit a report, they can also use links in the report. 3. An attacker can deceive other users by using another website's redirect link in hackerone.com. For example consider the links below...
Uber: SSL-protected Reflected XSS in m.uber.com
Summary m.uber.com is susceptible to reflected XSS Security Impact A malformed URL can be used to render arbitrary SSL-protected web pages from m.uber.com Reproduction Steps https://m.uber.com/?bjbxm%3c%2fscript%3e%3cscript%3ealert1%3c%2fscript%3exrii5=1 Specifics From the rendered web page:...
Node.js third-party modules: [lactate] Static Web Server Directory Traversal via Crafted GET Request
Hi @vdeturckheim, A crafted GET request can be leveraged to traverse the directory structure of a host using the lactate web server package, and request arbitrary files outside of the specified web root. Module specification Name: lactate Version: 0.13.12 latest release build Verified conditions...
Weblate: Audit log validation
Issue For the docker image git clone https://github.com/WeblateOrg/docker.git weblate-docker, the IP address in the audit log in the user's profile, and in the administration console can be forged using the X-Forwarded-For header during the login process. This does not affect...
VK.com: Blind XXE on pu.vk.com
Blind XXE vulnerability in the processing of uploaded documents. Blind XXE vulnerability in the processing of uploaded XML documents such as docx. The vulnerability was hard to exploit, because all data retrieval channels did not work except DNS...
Node.js third-party modules: [redis-commander] Reflected SWF XSS via vulnerable "clipboard.swf" component
Hi, An injection in the highlighterId parameter of the clipboard.swf component can be used to reflect JavaScript in the context of hosts running Redis Commander. Module specification Name: redis-commander Version: 0.4.5 latest release build Verified conditions Test server: Ubuntu 16.04 LTS Browse...
Node.js third-party modules: [featurebook] Specification Server Directory Traversal via Crafted Browser Request
Hi, A crafted request can be leveraged to traverse the directory structure of a host using the featurebook server package, and request arbitrary files outside of the specified web root. Module specification Name: featurebook Version: 0.0.32 latest release build Verified conditions Test server:...
Node.js third-party modules: [augustine] Static Web Server Directory Traversal via Crafted GET Request
Hi, A crafted GET request can be leveraged to traverse the directory structure of a host using the augustine web server package, and request arbitrary files outside of the specified web root. Module specification Name: augustine Version: 0.2.3 latest release build Verified conditions Test server:...
Node.js third-party modules: [serve-here] Static Web Server Directory Traversal via Crafted GET Request
Hi, A crafted GET request can be leveraged to traverse the directory structure of a host using the serve-here web server package, and request arbitrary files outside of the specified web root. Module specification Name: serve-here Version: 3.2.0 latest release build Verified conditions Test serve...
shopify-scripts: SEGV on ary_concat
The following input demonstrates a crash: def z return begin 0.each do return end rescue = x ensure x.backtrace end end z ASAN report ./mruby/bin/mruby asd.rb ASAN:DEADLYSIGNAL ================================================================= ==43761==ERROR: AddressSanitizer: SEGV on unknown...
Inflection: Reflected Cross-site Scripting Vulnerability via JSON Error Message
Researcher uncovered a vulnerability where invalid JSON input was reflected back in the server error response. A specially-crafted invalid JSON request could then be used to trigger a reflected XSS on any page where the server error response was rendered in HTML...
Open-Xchange: SSRF in VCARD photo upload functionality
FYI - Tested on local installation of App Suite 7.8.4 REV 14, CentOS 7.4, x64 Hello, I believe I may have found another SSRF re-direct vulnerability which again will allow port scanning of the App Suite server and the internal network, this is similar to my earlier report: 293847 The endpoint is...
Infogram: New team invitation functionality allows extend team without upgrade
A privilege escalation vulnerability was found, which allowed bypassing the limitation on team members...
RBKmoney: Open Redirection on auth.rbk.money
An open redirect vulnerability was found in KeyCloak. Find the writeup soon on my website; Edit: the writeup is here: http://abartandhakal.com.np/main/2018/01/27/open-redirection-on-rbk-money/...
Pornhub: Blind SQL injection in Hall of Fap
Summary: There is a blind SQL injection vulnerability in GET parameter topsort in page https://www.tube8.fr/ajax-hof/. Description: SQL functions can be injected into the SQL query. Using the sleep function, which makes the database sleep, we can notice the injection. PoC The following request wi...
Internet Bug Bounty: GarlicRust - heartbleed style vulnerability in major I2P C++ router implementations
Brief ----- I2pd and kovri are both C++ I2P routers that share the same code base, as kovri was forked from i2pd several years ago. The vulnerability lies in a common code piece, making both implementations vulnerable, as was acknowledged by orignal, the main developer of i2pd. The vulnerability ...
shopify-scripts: Invalid read leading to a segfault
PoC === The attached POC demonstrates invalid reads leading to a segfault. Debug info ========== gdb report: 423│ dispatchlinkedcodegenscope s, int pc 424│ 425│ mrbcode i; 426│ int pos; 427│ 428│ if !pc return; 429│ for ;; 430├─── i = s-iseqpc; gdb p pc $1 = -32730 valgrind report: ==21952==...
WePay: open 80 port of internal host leaking some configuration info
A testing stage server was accessible from the internet, leaking some debug info. Thanks @ruvlol for reporting this to us. A testing stage was accessible to everyone on the internet, leaking some debug info...
Open-Xchange: [XSS] Portal Widget Mail
Hi. No filter for Mail in Widget F244689 Steps - 1. Compose New mail html or plain: F244687 2. Add to Portal this mail F244688 3. Sometimes payload run after Add. If not then go to Portal. OX update the data every 10min and this script will run every 10min in any section. That is, as Crontab. :...
Trello: Sessions Token In Get Parameter Request Initiating Websocket Connection
When anyone logs into the trello.com application, then after authentication the application sends the session token in a GET parameter, so an attacker can sniff this session token from web history, proxy history or logs, causing full account takeover. HTTP Request : GET...
shopify-scripts: heap-buffer-overflow in OP_R_BREAK
The following input demonstrates a crash: def z e Array = a rescue lambda yield end z break Array ASAN report: ./mruby/bin/mirb 2084out.rb mirb - Embeddable Interactive Ruby Shell = :z = nil mirb:6: undefined method 'e' for main NoMethodError = nil...
Internet Bug Bounty: Mailsploit: a sender spoofing bug in over 30 email clients
Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA, aka email servers), therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters. Bugs were...
WordPress: code.wordpress.net subdomain Takeover
Hi WordPress sec, I found that it is possible to take over this domain http://code.wordpress.net. When you navigate to it you will get this error msg: Warning! Domain mapping upgrade for this domain not found. Please log in and go to the Domains Upgrades page of your blog to use this domain. $ host...
shopify-scripts: heap-use-after-free in OP_RESCUE
The following input demonstrates a crash: def e proc ensure z rescue yield end e Class def x new Class 0 ensure 0 = 00end rescue 0 rescue z ASAN report ./mruby/bin/mruby out.rb ================================================================= ==10040==ERROR: AddressSanitizer: heap-use-after-free ...
Mapbox: Admin Panel Accessed (OAuth Bypassed )
On December 4, 2017, @aneeskhan reported an authentication bypass vulnerability on a Mapbox internal portal. The vulnerability allowed them to bypass OAuth authentication and generate a valid session for the site. This session was then used by @aneeskhan to access information on the portal which...
PortSwigger Web Security: Improper Certificate Validation
1. Obtained a key from the PortSwigger official site. 2. Downloaded the latest version of Burp 1.7.29 from PortSwigger and activated the license. 3. Downloaded the previous version of Burp v1.7.17 and used the same key for the activation. And, I was able to activate the license on the old version of Burp Suite. Impact Singl...
X (Formerly Twitter): Improper Host Detection During Team Up on tweetdeck.twitter.com
Hi, give this URL https://twitter.com/teams/authorize?targetscreenname=&authorizecallback=https%3A%2F%2F%0Agoogle.com%[email protected] to any authorised user for team up, and after authorization of his 2nd account he will be redirected to google.com. First I tried to make it malicious by adding...
RBKmoney: Information Disclosure - Composer.lock
Non-sensitive information disclosure via composer.lock...