Mail.ru: Uninitialized server memory disclosure via ImageMagick
It was possible to disclose part of the server memory from an uncontrolled location on the server belonging to the "Moi Mir" (my.mail.ru) project via uploaded GIF image header manipulation. my.mail.ru is not currently in the Bug Bounty scope; the reward was paid as a bonus due to the potential severity...
Shopify: Cross-site scripting in "Contact customer" form
Hi, I found an HTML Injection Vulnerability when an admin contacts a customer. In this vulnerability the admin is the attacker whereas the customer is the victim. Steps to Reproduce: 1. Go to Customers and click on the Customer Email Address. 2. A new pop-up window will open. In the Customer Message field type this ht...
LocalTapiola: Verbose error message reveals internal system hostnames, protocols and used ports (yrityspalvelu.tapiola.fi)
Issue The reporter found an error page that contained a reference to a server name + port in the internal network. No actual vulnerability or weakness was reported. Fix The error page was changed to a static page. Reasoning Trivial error page injection reports will not be accepted for this domain...
Ruby: NET::Ftp allows command injection in filenames
Hi, while using NET::Ftp I realised you could get command execution through "malicious" file names. The problem lies in the `gettextfile(remotefile, localfile = File.basename(remotefile))` method. When looking at the source code, you'll note: `def gettextfile(remotefile, localfile = File.basename(remotefil`...
Tor: De-anonymization by visiting specially crafted bookmark.
There is a way to import logs in 'about:memory' from the local disk; however, tested on Windows, you can pass a network URL that may point to an attacker-controlled server which logs IPs. This connection is presumably made by Windows and so doesn't hide the real IP of the Tor user. 1. Have the victim drag and drop an...
VK.com: clickjacking in /lead_forms_app.php
Clickjacking in the "Lead collection form". It was possible to steal the phone number and email of anyone who clicks the button on our site. I consider this fairly serious, since the button could be clicked under any pretext, for example by creating a fake poll on our site and adding as vote confirmation...
Open-Xchange: Adding external participants to inaccessible appointments
Description: When making an appointment, users are able to invite additional participants who do not have an Open-Xchange account. However, it appears that any user can invite external participants to any appointment, even if this appointment is not accessible to him. Additionally, using the same bug...
Semrush: subdomain takeover at news-static.semrush.com
Summary: The subdomain news-static.semrush.com can be taken over by attackers and abused for further attacks (phishing, cross-origin XSS, malware, etc.)... Description: The subdomain news-static.semrush.com was pointed via CNAME to Amazon S3, but no bucket with that name was registered. This mea...
Internet Bug Bounty: Mercurial git subrepo leads to arbitrary command injection
Hi IBB, I'd like to submit an issue existing in Mercurial. It is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked in to the repository, in Mercurial 4.4 and earlier. Typical use of Mercurial preven...
Razer US: [zvault.razerzone.com] URL validation bypass
The researcher discovered that a page on our zVault intended to perform redirection allowed a URL bypass due to a coding flaw. The flaw was an attempt at sanitation that could actually be leveraged to redirect to a URL string useful for phishing. He provided an analysis of the code and...
Ubiquiti Inc.: Stored XSS => community.ubnt.com
Due to an error in the user input validation process, it was possible to create posts in some forums on community.ubnt.com with arbitrary HTML code; a specially crafted message could inject JavaScript code into the page, resulting in stored XSS. A stored XSS issue was discovered in the UBNT Community...
Open-Xchange: SSRF in /appsuite/api/autoconfig
FYI: This was conducted on a local install of App Suite and not the sandbox. App Suite version was: 7.8.4 Rev14 Hello, There is a possible SSRF vulnerability in the following App Suite API endpoint that will primarily allow blind port scanning of the App Suite server and any internal servers...
Open-Xchange: [IDOR] Deleting other people's tasks
Description When creating tasks each task is assigned with an id value. Using this id it's possible to delete any task created in the same instance even if you don't actually have access to viewing or editing the task. Steps to Reproduce 1 Login to https://sandbox.open-xchange.com/ with user1 2...
Automattic: [public-api.wordpress.com] Stored XSS via Crafted Developer App Description
Hi, An injection in the "App Description" field within the WordPress Developers platform can be used to store and reflect JavaScript in the public-api.wordpress.com context. Steps to reproduce 1 As the "adversary" user, please visit the WordPress.com My Apps page and select "Create New Applicatio...
HackerOne: Query parameter reordering causes redirect page to render unsafe URL
Hello HackerOne team, I want to report a bypass which leads to XSS, but limited only to IE due to the CSP block on Chrome. Here is the POC ------------------ https://hackerone.com/redirect?signature=c9304cadaeabca0bfb7b92503c0318da5c42a86b&url=http%3A%2F%2Fbuglabs.me&url=JAVASCRIPT:alert%09document.domain...
HackerOne: Able To Check The Exact Bounty Balance of any Bug Bounty Program
Hello HackerOne, I found a way to check the exact bounty balance of any bug bounty program. Steps To Reproduce: 1. Report to any program that gives a bounty. 2. Go to your Inbox. 3. Open Burp Suite before you click the report you created for your target bug bounty program. 4. Click the Intercep...
VK.com: self-xss ads_easy_promote vk.com
Self-XSS in ads...
Zomato: [www.zomato.com] Leaking Email Addresses of merchants via reset password feature
Hi Team, Introduction: Found a cool IDOR, which again leaks the email addresses of all Zomato users. This attack works no matter whether you own the restaurant or not. Proof of Concept - The POST request below leaks the email addresses of the Restaurant Owners in the response - Request POST...
Razer US: Database credentials leak at http://drivers.razersupport.com/.bash_history
The researcher discovered that the .bash_history on this server had improper permissions, which allowed public viewing of the file. When a DB admin eventually executed a command involving clear-text credentials for the database, this exposed the password for that database, a Kayako DB used for...
Uber: The Microsoft Store Uber App Does Not Implement Server-side Token Revocation
Summary The Microsoft Store Uber App Windows Phone Architecture does not properly revoke or expire a rider's x-uber-token upon app signout. Security Impact When a user logs out/signs off of the app, the logout process is handled only locally on the application side, and without any type of...
Uber: The Uber Promo Customer Endpoint Does Not Implement Multifactor Authentication, Blacklisting or Rate Limiting
Summary The https://cn-sjc1.uber.com/rt/users/apply-clients-promotions customer endpoint used to apply Uber promotions does not implement multifactor authentication, IP address blacklisting for multiple failed attempts, or IP address-based rate limiting to prevent brute force bearer token...
Uber: The Microsoft Store Uber App Does Not Implement Certificate Pinning
Summary The Microsoft Store Uber App Windows Phone Architecture does not properly implement certificate pinning. Security Impact Layer-2+ network traffic transmitted from and received by the app can be surreptitiously intercepted and transparently modified by an attacker, with no warnings or erro...
Razer US: POST XSS in careers.razerzone.com via the txt_email parameter.
The researcher discovered a POST based XSS on an administrative login page on our careers.razerzone.com website that would have allowed the execution of scripts in some browsers e.g. Firefox. This was fixed on 1/5. Another great report. We'd also like to acknowledge the researcher's effort in...
Razer US: Reflected XSS on https://press.razerzone.com
The researcher discovered a POST reflected XSS on press.razerzone.com that allowed the delivery of a script payload via Firefox, demonstrated via a video. This was reported on 11/27 and the fix deployed to production on 12/27...
HackerOne: Validation message in Bounty award endpoint can be used to determine program balances
Summary: Hi team, found an IDOR in checking whether a team has sufficient funds to award. Steps To Reproduce: 1. Start a new program and log in to the account. 2. A demo report will be there. 3. Then set the award amount to $100. 4. Set the award and intercept the request. 5. Change the reportids to 262262 (262262 - mixma...
Cloudflare: Cloudflare does not sufficiently truncate credit card numbers in invoices
When a Cloudflare user has a paid account, but Cloudflare can't process the user's credit card, Cloudflare emails the user from [email protected], subject line "Cloudflare Failed Taking Payment for INV-D1234567". The email contains an attachment, "2017-11-19CloudflareINV-D1234567.pdf", a PDF...
Internet Bug Bounty: Multiple issues in Libxml2 (2.9.2 - 2.9.5)
Libxml2 is the XML C parser and toolkit developed for the Gnome project. Due to its flexible C implementation and continuous development, Libxml2 is known to be very portable, the library builds and works on a variety of systems Linux, Unix, Windows, CygWin, MacOS, MacOS X, RISC Os, OS/2, VMS, QN...
ok.ru: XSS in private messages
Greetings. I found an XSS in private messages. The field where the user types messages is not filtered. A script can be embedded there using the bug I described earlier. We write a message and the XSS fires for the friend. You fixed the ability to craft nicknames containing special characters via...
Unikrn: CSRF log victim into the attacker account
All the API endpoints (v1 & v2) reflect sessionid in the Set-Cookie response, which can lead the victim to log into the attacker's account, for example: Request: ====== POST /apiv1/ HTTP/1.1 Host: unikrn.com User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept:...
VK.com: XSS working across the whole site wherever there are mentions
Self-XSS in mentions...
Ed: Possible to redirect to a (non-existing) subdomain after logging in via GitHub (leaking the token)
Summary: To comment on an article a user has the option to log in using his GitHub account. After logging in the user is normally redirected back to the URL he came from. I found out that it is also possible to redirect to a non-existing subdomain of edoverflow.com. It looks like the whitelist for th...
Ruby on Rails: ActionController::Parameters .each returns an unsafe hash
Rails 5.1.4. The goal of ActionController::Parameters's permit method (strong parameters) is to prevent accidental trust in the parameters sent by the client. We therefore cannot simply create a hash of all the parameters in params without permitting them first. When we really want to do this...
Ed: Oauth flow on the comments widget login can lead to the access code leakage
Description: Hello. Here is a keyword: frog. I discovered a little OAuth flow in the comments widget authentication process using redirect_uri manipulations. The widget is located on all blog posts, which have URLs like https://edoverflow.com/2017/post-title/. Upon authentication, it appeared that the code...
VK.com: Stealing Private Information in VK Android App through PlayerProxy Port Remotely
Incorrect interaction with the network...
Coursera: No Password Verification on Changing Email Address Cause Account takeover
On the coursera.org website, there is no password verification when changing the email id. Generally, when a user tries to change the password, they are asked to verify the request by entering the old password. For the same reason a verification should be there when changing the email. But the worst part is, when the user...
Unikrn: session_id is not being validated at email invitation endpoint
session_id is not being validated at the email invitation endpoint. Request sample: POST /apiv1/inviteemail HTTP/1.1 Host: unikrn.com User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5...
Coinbase: User provided values passed to PHP unset() function
In the Coinbase wpe commerce open source library, a researcher observed a call to the PHP unset function that relied on user controlled input. The reporter observed that this could allow a malicious user to destroy arbitrary variables in the environment where this library is deployed...
LocalTapiola: Exposed authentication (/cs/Satellite)
Basic report information: Brute Force and Information disclosure. Domain: www.lahitapiola.fi. Steps To Reproduce: REQUEST POST /cs/Satellite HTTP/1.1 Host: www.lahitapiola.fi User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept:...
Valve: Reflected XSS in www.dota2.com
Hi guys, Description: I found another XSS in www.dota2.com. This time it is located in http://www.dota2.com/international/live/5/5/1. However, it seems that you can change the /5/5 folders to any other number to confirm, and it still worked. I tested this on...
Razer US: Authenticated DOM-based XSS in deals.razerzone.com via the rurl parameter.
The researcher discovered that deals.razerzone.com was vulnerable to Authenticated DOM-based XSS via the rurl parameter, which could allow account hijacking via session cookies. The researcher identified the specific code snippet and provided two PoCs with different techniques. Another great repo...
WordPress: Arbitrary file deletion in wp-core - guides towards RCE and information disclosure
Vulnerable place 1: wp-admin/post.php. `$newmeta['thumb']` is placed into the DB unsanitized, directly from user input. `case 'editattachment': check_admin_referer('update-post_' . $post_id); // Don't let these be changed unset($_POST['guid']); $_POST['post_type'] = 'attachment'; // Update the thumbnail filename $newmet`...
Slack: Shared-channel BETA persists integration after unshare
@oneiroi discovered a bug in the Shared Channels Beta wherein notifications may still be delivered to an unshared channel previously shared. This did not affect data not in notifications, and we patched and performed a thorough investigation. Thanks for the report @oneiroi!...
Nextcloud: SQL Injection found in NextCloud Android App Content Provider
Using Drozer, we identified that com.nextcloud.client is vulnerable to SQL Injection. Here is the output from drozer: dz> run scanner.provider.injection -a com.nextcloud.client Scanning com.nextcloud.client... Not Vulnerable: content://com.nextcloud.android.providers.UsersAndGroupsSearchProvider...
Valve: Link filter protection bypass
Description: Hi, there is a protection bypass in the linkfilter function. By using the character 。 (%E3%80%82 URL-encoded) instead of a normal dot in URLs, it is possible to bypass the blocking. PoC: Normal request: https://steamcommunity.com/linkfilter/?url=pornhub.com F240919 Bypass:...
HackerOne: IDOR on Program Visibility (Revealed / Concealed) against other team members
Hi HackerOne Team, Summary: When you are a part of a program security team, you have a choice to show in your profile that you are a member of the sec team, you can also hide it if you don't want to show it to your profile, any team member can do that using your profile settings here:...
Automattic: Crafted frame injection leading to form-based UI redressing.
Summary One can inject iframes into a note and create a login form that sends the user's details to a third-party server. Once again I will let the PoC do most of the explaining. PoC Paste the following snippet into a Simplenote and then view it in the preview panel. I am using the latest stable...
Automattic: [Simplenote for Windows] Client RCE via External JavaScript Inclusion leveraging Electron
Hi, A carefully crafted injection in the Markdown parser within Simplenote for Windows can be leveraged to achieve remote code execution via an external JavaScript file. The nature of Simplenote's content sharing system, which makes use of tags containing email addresses, means that an adversary...
HackerOne: Introspection query leaks sensitive graphql system information.
Summary: Introspection query leaks sensitive data. Introduction: As we know, GraphQL was initially developed and used by Facebook as an internal query language, and so the features of GraphQL mostly revolve around internal and development areas. GraphQL executes queries using a type system with the...
Mail.ru: XSS on account.mail.ru/login
Vulnerability on the page https://account.mail.ru/login and preparation of files for the attack --------------------- During research I noticed that on the page https://account.mail.ru/login the value of the v parameter is not validated. The value is output on the page as is and is used in the path to the script...
Monero: Kovri: potential buffer over-read in garlic clove handling + I2NP message creation
Brief ----- There is a lack of sanitation checks when handling Garlic messages in the Kovri I2P router. Sending a specially crafted Garlic message can cause the router to send onward an I2NP message containing leaked RAM data, triggering a massive information leak. Technical Details: ==========...