Internet Bug Bounty: Out of bounds read in libcurl's IMAP FETCH response parser
Reported to the curl security mailing list on 6 October 2017. Acknowledged on 6 October 2017. Patched on 8 October 2017. Reported to distros@openwall on 17 October 2017. Public release on 23 October 2017. CVE Pending. Vulnerability An IMAP FETCH response line indicates the size of the returned...
CodeIgniter: If the developer forgets to remove the built-in controller welcome.php, it helps the attacker identify that the site is built with CodeIgniter
The attacker can check the website's backend technology simply by typing sitename/index.php/welcome/index; it will display the CodeIgniter welcome page if the developer hasn't removed the built-in controller and the views welcome.php and welcomemessage.php. I am attaching a screenshot below as a proof of...
Inflection: Limited arbitrary text inclusion in user invite emails
When creating a GoodHire account, a fairly wide range of ASCII characters are permitted in certain fields like Company Name. This field is included in email templates that are automatically sent to new users when an account owner invites them to join a GoodHire account. Theoretically, spam conten...
X (Formerly Twitter): Listing of Amazon S3 Bucket accessible to any amazon authenticated user (metrics.pscp.tv)
Summary: It's possible to get a listing of every file in the S3 bucket metrics.pscp.tv. Description: The problem is that using the AWS command line, it's possible to get a listing of files in the Amazon S3 bucket with AWS authentication. See screenshot F230035. This user authentication is easy to g...
Dropbox: Dropbox employee benefits documents are available in a test Dropbox folder
This report pointed out that we had left a shared link to a copy of our employee benefits documentation in a particular iOS build. This link was likely used for ad-hoc testing at some point and accidentally left in the build. While there is little security risk here, we removed the link from...
WordPress: Content Spoofing @ https://irclogs.wordpress.org/
Hello, greetings. Today I was free, so I decided to pentest WordPress, and I found a subdomain which is vulnerable to plain-text content spoofing. PoC:- URL:- https://irclogs.wordpress.org/chanlog.php?channel=wordpress&day=Message Goes Here&sort=asca Example:-...
HackerOne: Invalid Host detection at https://hackerone.com/redirect
Hello, Summary: Host detection at https://hackerone.com/redirect is invalid and insecure. Description: On the redirection page, the host is detected and highlighted to prevent phishing attacks. But that protection is weak and can be bypassed. So an attacker can redirect the victim to another host instead ...
arxius: API leaking infinite amount of valid Tokens.
Hi, I have found a token-leaking API for the domain "https://arxius.io/" that is generating an infinite number of random valid tokens. Reproduce: 1. Go to the URL: "https://arxius.io/api/account/token" 2. You can see the token generated. 3. Every time you reload the page a new random valid token is...
Mail.ru: [lk-cdn.3igames.mail.ru] apc.php
The APC UPS status monitoring script was available from outside on lk-cdn.3igames.mail.ru. 3igames.mail.ru is not currently covered by the bug bounty program...
Ian Dunn: Timing Attack in Google Authenticator - Per User Prompt
Google Authenticator - Per User Prompt contains a timing attack vulnerability in how it validates the application password for a user account: if ( sha1( $attempted_password_plaintext ) === $valid_password_hash || wp_check_password( $attempted_password_plaintext, $valid_password_hash...
Ian Dunn: Formula injection via CSV exports in WordCamp Talks plugin
The WordCamp Talks plugin does not attempt to sanitize CSV exports, which can lead to spreadsheet formula injection via malicious inputs. POC: Submit a new talk with the title =1+1. Visit the All Talks page /wp-admin/edit.php?post_type=talks. Click the CSV Export link. Open the downloaded...
WordPress: [BuddyPress 2.9.1] Open Redirect via "wp_http_referer" parameter on "bp-profile-edit" endpoint
Hi, In a similar manner to 228569, it is currently possible to execute authenticated open redirections via the wp_http_referer parameter used in the BuddyPress extended user edit screen. Proof of concept: Upon accessing the below URL, please select the "Update Profile" button, then select the "←Back...
Legal Robot: XSS on app.legalrobot.com
1. Go to app.legalrobot.com 2. Open the browser's JavaScript console 3. Type alert(/xss!/) and press enter 4. Profit!...
Unikrn: Email abuse and Referral Abuse
Summary: Abuse of Email Invite and Referral Abuse. Description: Logic Flaws: 1. Users have been provided with an option to invite friends as referrals. It is possible to abuse your email invite service by repeating the same request. It is a discredit to Unikrn if someone repeatedly sends the...
U.S. Dept Of Defense: SQL Injection on █████
Background: It looks like the patch for 231338 has been reverted and this subdomain is yet again vulnerable to SQL injection. Summary: An Air Force subdomain is vulnerable to SQL Injection because the application does not perform sufficient validation of user input. This allows an attacker to...
Inflection: Amount Manipulation Buy Unlimited Credits in just $1.00
Researcher filed a duplicate report of an issue that had already been identified by another researcher and then requested public disclosure when we closed this as a duplicate...
Inflection: HTTP Host Header Injection on app.goodhire.com
Researcher reported an issue that was previously reported by a different researcher and subsequently removed from program scope and then requested that we publicly disclose the report after closing it as a duplicate...
Mail.ru: blind XXE when uploading avatar in mymail phone app
Blind XML external ENTITY / DTD injection via avatar upload feature in My.Com's MyMail backend results in potential SSRF...
New Relic: Captcha Bypass on SignUp Form
The g-recaptcha-response parameter was not validated on the server side when submitting a form to the /signups endpoint. Any or no value could be provided for this parameter...
New Relic: Newrelic s3 bucket is writeable and deleteable by authorized AWS users
@kunalbahl discovered an open S3 bucket that appeared to belong to us. It was determined that this belonged to another company and this information was forwarded to Amazon for remediation...
Informatica: [marketplace.informatica.com] - Stored XSS
The researcher identified and reported a Stored XSS on the Informatica website and helped us resolve the issue...
Legal Robot: Two accounts can be made with same password
A really nice bug to look into. I found this while I was making my own account; as I was testing for some serious bug, I decided to just look into how Legal Robot behaves when two accounts are made with the same password. Hacker Scenario: Person1 makes an account with a password called password n...
Radancy: xss flash on http://presentatie.werkenbijmcdonalds.nl/
A vulnerability in a Flash file caused JavaScript to be executed in banners hosted on presentatie.werkenbijmcdonalds.nl...
Inflection: Host Header Injection and Cache Poisoning
Researcher submitted a report duplicating an issue that had already been reported to us, and then requested that we disclose this report publicly. So here we are...
Mail.ru: XSS in the message body, in block styles.
Hello! A bug in the HTML parser under test. In block styles. Working code: \test background-image:url'//\27\29\3Bcw:;a:'\3b\3C/style/\20;a:\28\27\27'; background-image:url'//\27\29\3Bcw:;a:'\3b;a:\28\27\27'; \p background-image:url'//\27\29\3Bcw:;a:'\3b;a:\28\27\27'; Attached is a txt file with...
Inflection: Privilege Escalation: Read-Only to Admin
While the interface hides the users page from read-only users, they can still perform PUT requests to the API to change their privileges where they only have read-only permissions...
Inflection: Goodhire Open Redirect
Researcher reported a duplicate issue...
Inflection: Information Disclosure and Privilege Escalation in app.goodhire.com/member/developers/api-settings
Researcher reported a missing authorization check when purchasing a report. As a result, any valid user with ordering privileges could place an order on behalf of any other account, although they would not be able to receive the results of the order. We added an authorization check to ensure that users...
Inflection: No password confirmation on changing primary email address
Users may change the primary email address associated with their account without being required to confirm their password again. The security researcher reporting this proposed that we add a password confirmation field when performing an email change. After considering the issue, we don't intend ...
Avito: CSS injection in avito.ru via IE11
Hi Team Security @avito, I discovered CSS Injection on avito.ru in the search form via IE11. Description: CSS injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to...
Mail.ru: reflected XSS on health.mail.ru
Reflected XSS via GET parameters in a quiz game on a promo site in the health.mail.ru subdomain. .health.mail.ru was in the bug bounty program's scope at the time of report submission...
Mail.ru: XSS на e.mail.ru в мобильном приложении!
Cross application scripting via message content in mobile mail application. Vulnerability affected a limited number of external domains connected in Mail.Ru mail application. Users of Mail.Ru mailboxes and largest mailbox providers were not affected, no access to confidential data was possible as...
Semrush: Email Spoofing
Hey SemRush, It appears that spoofed email can be sent from one of your email addresses. The following email is vulnerable: [email protected] Information: Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source...
International Islamic University Chittagong: Stored Xss on IIUC
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then deploy fix, so be sure to take your time filling out the report! Summary: add summary of the vulnerabili...
International Islamic University Chittagong: SQL Injection On iiuc
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: add summary of...
Razer US: XSS vulnerability on amp.razerzone.com
The tester discovered a reflected XSS vulnerability on a media content server, exploitable via Firefox. This content server was used by Razer employees and close partners to store media related to Razer products. We appreciate the tester's hard work and as a courtesy we granted reputation for thi...
International Islamic University Chittagong: Reflected XSS
Summary: add summary of the vulnerability Description: The search mechanism uses the POST method to request a search. So if we change it to GET, normally the XSS doesn't pop up. But if we break it with " we can get XSS. Platforms Affected: https://ieeeiiucsb.org/search/" Steps To Reproduce: Visit...
Legal Robot: Legal Robot
Well, I'm a hacker in the message you sector in your fuckingt...
Razer US: [amp.razerzone.com] SQL injection via resource_type parameter
The tester discovered multiple SQL Injection vulnerabilities on a media content server. One exploited a single quote and the other the cookie parameter. This content server was used by Razer employees and close partners to store media related to Razer products. We appreciate the tester's har...
Mail.ru: Blind XXE on my.mail.ru
Blind XXE in the my.mail.ru Moi Mir avatar upload feature. Moi Mir is not covered by the regular Bug Bounty program; a bounty was awarded as a bonus due to high potential impact. A blind OOB XXE issue was found in the upload avatar feature...
Starbucks: Multiple Subdomain takeovers via unclaimed instances
Hacker @benoculars was able to successfully facilitate multiple subdomain takeovers by taking advantage of a process flow to use some of the space provided for germany.openapi.starbucks.com, psv.openapi.starbucks.com, stage-psv.openapi.starbucks.com, and test-psv.openapi.starbucks.com. While we we...
Tor: Use of uninitialized value in token_check_object (src/or/parsecommon.c:224)
Triggered in 22139c0, compiled with -fsanitize=memory and clang 6.0.0-trunk. ./fuzz-consensus test00d68 ==9591==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55ca86e51348 in token_check_object /root/tor/src/or/parsecommon.c:224:13 #1 0x55ca86e51348 in get_next_token...
Tor: Use of uninitialized value in networkstatus_parse_vote_from_string (src/or/routerparse.c:3533)
Triggered in 22139c0, compiled with -fsanitize=memory and clang 6.0.0-trunk. ./fuzz-consensus test000bbb ==9293==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x5611f7f7e4de in networkstatus_parse_vote_from_string /root/tor/src/or/routerparse.c:3533:23 #1 0x5611f75bbbd1 in fuzz_main...
Legal Robot: Broken links for stale domains may be leveraged for Phishing, Misinformation, Defaming
Hi, URL: https://www.legalrobot.com/press/2016/07/07/tech4good-on-a-global-scale/ Broken link for an expired domain which is available for sale: http://ecotechfoundation.net/ You may verify that it is available for sale @...
New Relic: [NR Infrastructure] Bypass of #200576 through GraphQL query abuse - allows restricted user access to root account license key
@jonbottarini discovered an issue with our GraphQL implementation. This allowed a user without the proper authorization to access privileged account information on the same account. The writeup for this issue can be read here: https://labs.detectify.com/2018/03/14/graphql-abuse/...
ownCloud: Password Complexity Not Enforced On Password Change
Hi! ownCloud does not enforce password complexity on password change, so it's possible to use passwords of any size or form. For example, I can set my password to be "a" or "qwerty". How to reproduce: Change your password to something that does not match your required complexity. Proof Of Concept:...
WordPress: Stored XSS in WordPress
Hi, Introduction: The upload mechanism in WordPress works by the role of the user who's trying to upload something. So every role has permission to upload certain files. The lowest role, such as author, can upload harmless files such as txt, png, gif, jpg, zip; with this file the...
Zendesk: Secret API Key Leakage via Query String
See title...
Rocket.Chat: Remote Code Execution in Rocket.Chat Desktop
Summary: The Markdown parser can be tricked into allowing arbitrary JavaScript, leading to "remote code execution". Description: By combining the "link" and inline code block, we can trick the parser into breaking out of the current HTML attribute. This allows us to control other attributes of the...
Tor: Address Bar Spoofing on TOR Browser
Hi TOR team, I would like to report a security bug in your browser: Step 1: Go to http://www.ոokia.com/http://jsbin.com/wuyikedaxi/1/edit?html,output Step 2: Observe that the address bar points to http://www.ոokia.com/, which should actually be pointing to http://xn--okia-zgf.com; however the browser displays...