Infogram: Internal Ports Scanning via Blind SSRF (URL Redirection to beat filter)
Summary --------------------- This is a blind SSRF that lets you scan internal ports. Technical Details -------------------- Inspired by 281950, I found a way to evade the filter for the api endpoint webresource by using a URL Redirection service. I used tinyurl to create a url that linked to...
Mail.ru: Self-xss via drag&drop in email form
User-assisted XSS in message composer's drag-n-drop feature via alt property of emoji-style image...
Mail.ru: Possibility to view subdepartments for arbitrary domain
By directly referencing a department ID in biz.mail.ru, it was possible to see the names of departments without knowing which organization the department belongs to. Leakage of every existing department/unit of every domain via changing parameters directly in the HTTP request...
HackerOne: Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver.
Summary HackerOne allows bug bounty programs to integrate their reports queue with issue tracking tools such as Jira and Phabricator. By abusing a bug that I discovered in Ruby's native resolver, I am able to bypass the SSRF filter and could potentially scan your internal network. Vulnerability...
Trello: CSV injection [N/A]
Hello, we can inject commands in the name field of a board, =2*10 or =cmd|'/C calc'!A0 for example, and when it is exported to CSV it will be evaluated to 20 in the corresponding cell. This enables an attacker to spread malware and execute system-level commands on a victim's machine if the victim...
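Added example (not part of the Trello report above): the export-side fix a practitioner would put in front of the CSV writer, plus the detection check, run against constructed board names including the DDE-shaped payload quoted in the report. Field names and sample rows are assumptions.

```python
"""Neutralising spreadsheet-formula injection when exporting user-controlled text to CSV."""
import csv
import io

# A cell is interpreted as a formula by common spreadsheet apps when it starts with one of these.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# A leading tab or carriage return can also switch the importer into formula mode.
CONTROL_TRIGGERS = ("\t", "\r")


def looks_like_formula(value) -> bool:
    """Detection side: flag a cell a spreadsheet would try to evaluate (leading spaces ignored)."""
    if not isinstance(value, str):
        return False
    stripped = value.lstrip(" ")
    return stripped.startswith(FORMULA_TRIGGERS) or value.startswith(CONTROL_TRIGGERS)


def neutralize_cell(value):
    """Export side: prefix a formula-looking cell with a single quote so it is stored as text."""
    if looks_like_formula(value):
        return "'" + value
    return value


def export_boards_csv(rows, fieldnames) -> str:
    """Write rows to CSV with every field quoted and every cell neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


# Constructed sample rows; the second "name" is the DDE payload shape quoted in the report.
SAMPLE_ROWS = [
    {"name": "Sprint 12", "members": 4},
    {"name": "=cmd|'/C calc'!A0", "members": 1},
    {"name": "=2*10", "members": 2},
]

if __name__ == "__main__":
    print(export_boards_csv(SAMPLE_ROWS, ["name", "members"]))
```

The quote prefix is visible when the file is reopened as plain text, so exporters that round-trip data sometimes prefer a leading tab instead; either way the check has to run on the decoded value, with leading spaces stripped, because importers trim them before deciding whether a cell is a formula.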
Trello: Subdomain Takeover Possible [N/A]
Hello, Team Trello Security. Today == 04/11/2017, 03:52, I discovered an issue in your website. I found this error in: http://d2k1ftgv7pobq7.cloudfront.net/ ======================================================= ERROR: The request could not be satisfied. Bad request. Generated by cloudfront...
Internet Bug Bounty: Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse
Full background information is at krackattacks.com and all detailed information can be found in our research paper. Key Reinstallation Attack: 4-way handshake example We use the 4-way handshake to illustrate the idea behind key reinstallation attacks CVE-2017-13077. Note that in practice, all...
Gratipay: Saying goodbye to HackerOne and Gratipay.
Thank you, HackerOne I would like to make this the final report to Gratipay and thank everyone that was involved in this amazing journey. Gratipay is shutting down at the end of the year https://gratipay.news/the-end-cbfba8f50981 and to finish on a happy note we closed all of our reports as...
Shopify: Self-XSS in password reset functionality
Hi, when I opened this domain of yours, https://accounts.shopify.com/password-reset/new, I just put the following text into the email address box, [email protected], and it changed the colour of the text. Well, my point here is that if you could inject HTML, you might be able to add a tag to the page. I...
Khan Academy: Frameset(Frame) html tag is allowed in html editor.(can lead to clickjacking)
Hello Sir/Madam, I was using the HTML editor in the computer programming section, which allowed me to design a webpage. When I used the iframe tag, object tag and embed tag it showed me the message that these tags are not allowed for security reasons, maybe because of a clickjacking attack or something, but...
Semrush: Security misconfiguration "weak passwords".
The site has a security misconfiguration issue. The site accepts weak passwords like "123", "12345" or "abc12345", which can be guessed easily with the help of automated attacks...
AlienVault : SQL Injection in AlienVault Product Forums
SQL Injection in alienvault.com on | AlienVault Product Forums |...
Open-Xchange: IDOR - setAttribute action of user object in API
Note: I selected sandbox.open-xchange.com as the asset in HackerOne, but this was tested on a local installation. Hello, there appears to be a possible IDOR vulnerability in the following API endpoint for setting custom attributes:...
Razer US: Reflected XSS on domain support.razerzone.com
The researcher hisxo discovered a reflected XSS vulnerability on support.razerzone.com. hisxo also worked with H1 Triage to provide a valid PoC that demonstrated payload delivery using Burp Suite. We appreciate the extra work and look forward to working with the researcher in the future...
AlienVault : [www.threatcrowd.org] - SSRF : AWS private key disclosure
Summary: I've found that you can SSRF to 169.254.169.254 using the domain check feature. Private keys disclosed. Browsers Verified In: Firefox ESR 45.8.0 Steps To Reproduce: 1. Simple browse to...
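Added example serving the three SSRF entries above (Infogram's filter evasion through a URL shortener, the HackerOne resolver-based bypass, and the threatcrowd fetch to 169.254.169.254): a target validator that is re-run on every redirect hop and judges every address the resolver returns rather than the submitted string. This is illustration code, not any of these programs' real filters; the DNS table, the web responses, the host names and the `resolve`/`transport` callbacks are all constructed so it runs offline.

```python
"""SSRF target validation that re-checks every redirect hop and every resolved address."""
import ipaddress
from urllib.parse import urlsplit, urljoin

# Address space an outbound "fetch this URL" feature must never reach:
# RFC 1918, loopback, link-local (includes the 169.254.169.254 metadata service), CGNAT, multicast.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_blocked_ip(addr: str) -> bool:
    """True if the address literal falls in a blocked range (IPv4-mapped IPv6 is unwrapped first)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_target(url: str, resolve) -> list:
    """Validate one URL: allowed scheme, host present, and *every* address the host resolves to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    addrs = resolve(host)  # whatever the resolver makes of the name, we judge its answer
    if not addrs:
        raise ValueError(f"unresolvable host: {host!r}")
    for addr in addrs:
        if is_blocked_ip(addr):
            raise ValueError(f"{host!r} resolves to blocked address {addr}")
    return addrs


def fetch_naive(url, resolve, transport, max_hops=5):
    """The bypassable pattern: validate the submitted URL once, then let redirects go anywhere."""
    check_target(url, resolve)
    for _ in range(max_hops):
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return url, status, body
    raise ValueError("too many redirects")


def fetch_checked(url, resolve, transport, max_hops=5):
    """Follow redirects by hand so every Location target passes check_target() before it is fetched."""
    for _ in range(max_hops):
        check_target(url, resolve)
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return url, status, body
    raise ValueError("too many redirects")


# --- constructed stand-ins for DNS and HTTP so the example runs offline --------------------
FAKE_DNS = {
    "shortener.example": ["203.0.113.10"],           # public redirector (constructed)
    "app.example": ["198.51.100.7"],                 # legitimate public target (constructed)
    "rebind.example": ["203.0.113.20", "10.0.0.5"],  # one public and one private record
}


def fake_resolve(host: str) -> list:
    try:
        ipaddress.ip_address(host)  # an IP literal resolves to itself
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


METADATA_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
FAKE_WEB = {
    "http://shortener.example/abc": (302, {"location": METADATA_URL}, b""),
    METADATA_URL: (200, {}, b'{"AccessKeyId": "AKIA-CONSTRUCTED-EXAMPLE"}'),
    "http://app.example/ok": (200, {}, b"hello"),
}


def fake_transport(url: str):
    return FAKE_WEB.get(url, (404, {}, b""))


if __name__ == "__main__":
    print("naive  :", fetch_naive("http://shortener.example/abc", fake_resolve, fake_transport))
    try:
        fetch_checked("http://shortener.example/abc", fake_resolve, fake_transport)
    except ValueError as err:
        print("checked:", err)
```

Two caveats remain even with per-hop checks. Validating the name and then letting the HTTP client resolve it again is a time-of-check/time-of-use gap (DNS rebinding), so a production implementation should connect to the address it validated rather than the host name; and the allow-list should be applied to the socket layer, not only to the URL, so that protocol-level redirects and proxies cannot route around it.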
AlienVault : [www.threatcrowd.org] Reflected XSS Bypass
bypass for reflected XSS utilizing JS...
Infogram: No Email Verification
There should be email verification when creating a new user, because I can make an account from someone else's email address, for example: [email protected]. Now the real person who owns this email address can't make an account with his email address...
Semrush: Insecure Direct Object Reference on API without API key
Summary: It is possible to query the semrush API without specifying an API key. This allows anyone to query the API and retrieve information without having paid for a subscription. This is not a security vulnerability as such, but I believe it does undermine your business model in that a user doe...
Monero: Out-of-bounds read when importing corrupt blockchain with monero-blockchain-import
It is possible to trigger an out-of-bounds read in monero-blockchain-import when importing a corrupt blockchain and not verifying blocks and transactions during import (--verify 0). Using a corrupt import file, the attacker has full control over buffer_block in import_from_file (blockchain_import.cpp). As...
AlienVault : DOM-Based XSS in www.alienvault.com
Summary: There is a DOM-Based XSS vulnerability in the 'usma-code' parameter in /products/usm-anywhere/free-trial/thank-you-approved . Description: The link...
Gratipay: Reflected SQL Execution
My friends are the best hackers: hackerone.com/rashidziaur hackerone.com/smziaurrashid hackerone.com/s4k16. They taught me how to hack a toaster. F234731 Please give us $$$$$ for our family, we are poor. Please consider this bug in your site. F234733...
Gratipay: i am The bug
I am the bug. I found a bug in your site, here it is: F234717. My friends are the greatest hackers; hackerone.com/s4k16 and smziaurrashid told me you will give me $$$ for my father. F234723...
International Islamic University Chittagong: i am because bug
I'm because I hacker found bug because I report this bug I want to report a bug and because want some $$$$ so please because you are telling me how much you pay money so I give you bug. Me because very poor :' want money because father :' F234714 Thank you wish you because pay lots $$$$$$$$...
International Islamic University Chittagong: Admin access on http://119.18.148.140/iiuc/ through leaked credentials
The researcher was able to access the admin panel using admin credentials that were leaked in plain text through an error message...
International Islamic University Chittagong: Union Based SQL injection in https://ieeeiiucsb.org/registration/details
Due to the lack of proper sanitization in our registration system, the researcher was able to find a SQL injection vulnerability which exposes the database name & user ID. We'd like to thank him for a nice catch on our system...
International Islamic University Chittagong: PHP Myadmin Accesable & Database Error Information
Dear Team, the phpMyAdmin console is accessible over the internet, as is the PHP documentation directory. Refer to all attached images. Kindly move these to 403 Forbidden resources. Steps to reproduce: enter this URL, http://119.18.148.140/phpmyadmin/, which is accessible over the Internet...
International Islamic University Chittagong: Improper error handler
During the analysis it was found that when we submit the form and try to upload a txt file, it shows an error page with internal path disclosure...
International Islamic University Chittagong: Application fees changeable
When I submit the form at the URL http://119.18.148.140/iiuc/home/apply-online, I intercept the form request and change the 500 into 100. The application did not give the option to change the amount, but by intercepting the request we can change it. The application should remove the application...
International Islamic University Chittagong: #2 Full Path Disclosure on http://119.18.148.140/iiuc/login/logining
This researcher was able to bypass our fix for full path disclosure on the login page...
International Islamic University Chittagong: SQL injection in http://119.18.148.140/hrd/js/makeemployeeid.php
Hello, the mentioned page takes at least two GET parameters, namely q and departmentname. The two parameters are vulnerable to SQL injection, as both are placed into SQL query strings without proper sanitization. It seems the PHP script uses the affected parameters in two SQL queries, since...
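Added example (not the university's PHP code, which is not on this page): the concatenation pattern the report describes, with the two GET parameters spliced into the query text, next to the parameterised form, both run against a constructed in-memory SQLite table so the difference is observable. Table layout, column names and payload strings are assumptions; Python with sqlite3 stands in for PHP/MySQL because the point is the query, not the runtime.

```python
"""Query-string concatenation vs parameterised queries, run against an in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the HR database behind makeemployeeid.php."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, department TEXT);
        INSERT INTO employee (name, department) VALUES
            ('Alice', 'CSE'), ('Bob', 'EEE'), ('Carol', 'CSE');
    """)
    return conn


def lookup_vulnerable(conn, q: str, departmentname: str) -> list:
    """The injectable pattern: both GET parameters pasted straight into the SQL text."""
    sql = ("SELECT name FROM employee WHERE name LIKE '%" + q + "%' "
           "AND department = '" + departmentname + "'")
    return [row[0] for row in conn.execute(sql)]


def like_escape(s: str) -> str:
    """Escape LIKE metacharacters so user input matches literally (paired with ESCAPE '\\')."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def lookup_safe(conn, q: str, departmentname: str) -> list:
    """Parameterised form: values travel separately from the SQL text and cannot change its shape."""
    sql = ("SELECT name FROM employee WHERE name LIKE ? ESCAPE '\\' "
           "AND department = ?")
    params = ("%" + like_escape(q) + "%", departmentname)
    return [row[0] for row in conn.execute(sql, params)]


# Constructed payloads of the shape used to confirm injection and enumerate schema.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT name FROM sqlite_master--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, "", PAYLOAD_TAUTOLOGY))
    print("vulnerable, union    :", lookup_vulnerable(db, "", PAYLOAD_UNION))
    print("safe, same payload   :", lookup_safe(db, "", PAYLOAD_TAUTOLOGY))
```

The UNION payload returns table names from sqlite_master, the SQLite equivalent of reading information_schema on MySQL, which is how a report like this one ends up disclosing the database name. Note that parameterisation alone does not neutralise LIKE wildcards; the ESCAPE clause and like_escape() are what stop a bare "%" from matching every row.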
International Islamic University Chittagong: Another Internal Path Disclosure
Keeping your previous fixes in mind, I found another endpoint which is disclosing the full internal path through a 500 Internal Server Error. POC-URL: http://119.18.148.140/iiuc/login/ Request: GET http://119.18.148.140/iiuc/login/ HTTP/1.1 Host: 119.18.148.140 Connection: keep-alive User-Agent:...
International Islamic University Chittagong: Directory Listing
https://ieeeiiucsb.org/assets/reg/assets/ It was observed that the above URL is vulnerable to a Directory Traversal Attack. Properly controlling access to web content is crucial for running a secure web server. Directory Traversal is an HTTP exploit which allows attackers to access restricted...
International Islamic University Chittagong: Default credentials on http://119.18.148.140/hrd/
Hello, When the mentioned URL is opened, the user is presented with a login form that logs them into the "HR & Payroll" system of the university. The issue here is that the credentials used are the application's default credentials, which are mentioned here...
International Islamic University Chittagong: Full Path Disclosure on http://119.18.148.140/iiuc/login/logining
A misconfiguration on login page leads to exposure of full path through error message...
International Islamic University Chittagong: Full Path Disclosed
Hi, I want to say that you have not fixed the previous report properly; I can still find the path. Fix it properly, the paths should be hidden. text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://119.18.148.140/hrd/login.php? Cookie:...
AlienVault : DOM Based XSS in https://threatcrowd.org
Hello AlienVault security team, I found a DOM-based XSS in https://threatcrowd.org via the report function. Proof of Concept, steps to reproduce: 1. https://threatcrowd.org/report.php?report= 2. Fill in with this payload: javascript:prompt(document.domain) 3. Send the link to the victim; when the victim clicks on...
Mail.ru: Download attachments with traversal path into any sdcard directory (incomplete fix 106097)
Hi, 106097 was not fixed completely; it is still possible to download an attachment from an email outside the downloads directory on the sdcard. If the file name is something like "../file.txt", the file will be downloaded outside /sdcard/download. For files like "%2e%2e%2f/file.txt" it downloads correctly. You can only download to...
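Added example (not the Mail.ru client's code): a download-path builder that confines an attachment to one directory no matter what the server-supplied file name contains, along with the check a detection rule would run on the name. It handles the two forms the report contrasts, a raw "../file.txt" and the percent-encoded "%2e%2e%2f/file.txt", by decoding once and keeping only the last path segment, then confirming containment after path resolution. The download directory and the sample names are assumptions; the logic is generic and not specific to Android.

```python
"""Confining an attachment download to one directory regardless of what the file name contains."""
import os
import posixpath
from urllib.parse import unquote


def is_traversal_attempt(attachment_name: str) -> bool:
    """Detection: does the percent-decoded name carry a directory component, '..' or a NUL byte?"""
    decoded = unquote(attachment_name).replace("\\", "/")
    return "/" in decoded or decoded in (".", "..") or "\x00" in decoded


def safe_download_path(base_dir: str, attachment_name: str) -> str:
    """Return an absolute path inside base_dir for this attachment, or raise ValueError.

    Strategy: decode once, discard every directory component (so '../x', '/etc/x' and
    'C:\\..\\x' all collapse to their last segment), then verify the resolved result still
    lies under base_dir. The second check is belt and braces against symlinks in base_dir.
    """
    decoded = unquote(attachment_name).replace("\\", "/")
    leaf = posixpath.basename(decoded)
    if leaf in ("", ".", "..") or "\x00" in leaf:
        raise ValueError(f"unusable attachment name: {attachment_name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, leaf))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"escapes download directory: {attachment_name!r}")
    return target


# Assumed download location; the report's app writes under /sdcard/download.
DOWNLOAD_DIR = "/sdcard/Download"
# Constructed attachment names: benign, the two forms from the report, and two more edge cases.
SAMPLE_NAMES = ["report.pdf", "../file.txt", "%2e%2e%2f/file.txt", "..", "C:\\..\\..\\boot.ini"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        try:
            print(f"{name!r:28} -> {safe_download_path(DOWNLOAD_DIR, name)}")
        except ValueError as err:
            print(f"{name!r:28} -> rejected ({err})")
```

Decoding exactly once matters: decoding in a loop lets "%252e%252e" become "../" after two passes, while never decoding lets an encoded name reach a lower layer that does decode it. Taking basename() after a single decode sidesteps both, because whatever the name was, only its final segment is ever joined to the directory.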
International Islamic University Chittagong: Full Path Disclosure
Hi Team, I would like to report sensitive info disclosure via the login page. PoC: send the request below to see the path disclosure. GET /hrd/logining.php HTTP/1.1 Host: 119.18.148.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept:...
International Islamic University Chittagong: Information Exposure Through Directory Listing
Hi Team, I would like to report an Information Exposure Through Directory Listing bug which is present in iiucbd.com. PoC: Navigate to the following link: 'http://119.18.148.140/hrd/js/'. Internal pages are exposed. FIX: Disable directory listing. Regards, mrroot...
International Islamic University Chittagong: XSS Via error message
Hi Team, found XSS via error message. PoC: Navigate to http://119.18.148.140/hrd/login.php?error=%3Cscript%3Econfirm(1)%3C/script%3E%20ID%20or%20Password%20does%20not%20find. Regards, Mr.R3boot...
International Islamic University Chittagong: Information Exposure Through Directory Listing
Hi Team, I would like to report an Information Exposure Through Directory Listing bug which is present in iiucbd.com. PoC: Navigate to the following link: http://www.iiucbd.com/assets/admin/js/datables/src/ There are some sensitive API methods disclosed via the above link. If you feel there is no...
International Islamic University Chittagong: Email HTML Injection and Possible Stored Cross-Site Scripting in ieeeiiucsb.org
Hello International Islamic University Chittagong, I found an Email HTML Injection in ieeeiiucsb.org. Summary: add summary of the vulnerability. This attack can be used to create a phishing email using your email app. Steps To Reproduce: 1. Go to https://ieeeiiucsb.org/registration/ 2. Choose any event...
Mavenlink: Uninitialized server memory disclosure via ImageMagick gif parser
A CVE in ImageMagick allowed an attacker to recover random server memory via GIF upload. GIF processing has since been disabled...
HackerOne: Reverse Tabnabbing Vulnerability in Outgoing Links
The external links in the reports are not properly handled; using this issue the links can access the opener and replace it with some other page. To verify the issue, just go to any report which has an external link and inspect the proceed button. Where the issue lies: rel="noreferrer"...
Infogram: Javascript Payload reflected Back in Report Embed Code
1. Create a new Report template. 2. Spoof its name with the payload " My Report <script>alert(document.cookie);</script><div id=" 3. Go back to your library list https://infogram.com/app//library 4. Select the created report, click "view on web", then click the Share button. 5. Copy & embed the code somewhere in an HTML file; you'll trigger...
Gratipay: Bypassing X-frame options
Bypass X-Frame-Options. Proxy protection NOT used. Domain: gratipay.com. Since proxy protection is not used, I can bypass the X-Frame-Options header and recreate clickjacking on the whole domain. I see that you don't have reverse proxy protection; this allows all users to proxy your website rather than...
HackerOne: GraphQL sessions aren't immediately invalidated when user password is changed
Summary: While changing password, once user clicks on "Change password" button after giving necessary values, on https://hackerone.com/settings/pass/edit, the session expires and the user is redirected to https://hackerone.com/users/signin for logging in again with the updated/changed password. A...
Infogram: Multiple xss on infogram templates
Hello Team, there are multiple XSS on some templates. Payload used: "...
Infogram: XSS when Shared
Introduction: XSS in an embedded piece of code that, when shared, may make it seem as if it was infogram.com that was doing the malicious act. Proof of Concept: 1. Create an account 2. Create a project titled "<script>alert(1);</script>" 3. Click on share. Here's an example of the share embed code:...
Inflection: Host Header Injection or cache poisoning in multiple domains
Researcher submitted a report related to host header injection, which is currently considered out of scope for our program, so we closed the report. Researcher requested public disclosure...