h1-ctf: ccc.h1ctf.com CTF
Summary: Claiming the flag, writeup to follow. ██████████ ██████ Impact...
h1-ctf: [100K-ctf] Multiple vulnerabilities leading to compromise of Pinger instance.
Hello, Gonna just submit flags first then will send my write up later tomorrow. ████ ██████ Thanks for fun! Impact An attacker can compromise Pinger instance located on https://ccc.h1ctf.com/2b5d2b11513d2c9b by chaining multiple vulnerabilities on https://ccc.h1ctf.com/...
Nextcloud: Download of file with arbitrary extension via injection into attachment header
Description ----------- When downloading mail attachments, the app fails to properly escape quotes in the content disposition header. Because of this, an attacker can send a victim a file with a benign extension such as .txt or .png which when downloaded will be stored with a malicious extension...
Nextcloud: Bypass of privacy filter / tracking pixel blocker
Description ------------ When the mail app receives inline images, it will block them for privacy reasons to prevent tracking pixels. The images have been blocked to protect your privacy. This block works correctly for most remote resources in addition to images, remote CSS files, iframes, and som...
Mail.ru: add class vulnerable Stored XSS
https://happynumbers.com stored XSS in class name via class creation dialog...
Mail.ru: Bypassing SOP with XSS on account.my.games leading to steal CSRF token and user information
Incorrect CORS settings on account.my.games, allowed access to user information registration IP, email, username, birthday, profile visibility from .my.com. Vulnerability demonstrated by XSS at warofdragons.my.games...
Mail.ru: uchi.ru check_lessons Blind SQL Injection
Blind SQL Injection in uchi.ru page due to insecure use sort variable of GET parameter...
Nextcloud: Ratelimits do not apply to OCS DataResponse
Using $response->throttle on a DataResponse doesn't work as it is being transformed by BaseResponse into an OCS response. This response does not propagate any throttled setting. Impact Ratelimits on OCS DataResponse not functional...
Reddit: IDOR to pay less for coin purchases on oauth.reddit.com via /api/v2/gold/paypal/create_coin_purchase_order in `order_id` parameter
Summary: This vulnerability consists of modifying the PayPal transaction ID to buy a big coin pack but paying the small price for it. Impact: The only impact here could be that you don't earn the money you deserve, and users can offer a lot of presents to other users, breaking the magic of the...
Affirm: Open Redirect
Open Redirect Vulnerability: URL : https://www.affirm.com/ User can be redirected to a malicious site POC: https://www.affirm.com///google.com/?www.affirm.com/?category=interview&page=2 I hope you know the impact of open redirect; for more info refer to https://cwe.mitre.org/data/definitions/601.html Impa...
Reddit: Deleting all DMs on RedditGifts.com
Summary: It's possible to delete all 4.4M private messages on RedditGifts.com due to missing permission check on DELETE request Steps To Reproduce: 1. Set up 3 accounts on RedditGifts.com FriendA, FriendB, Attacker 1. Have FriendA send message to FriendB 1. As Attacker send the following request...
Sony: SQL Injection on [█████████]
The researcher reported that the login form of a Sony endpoint was susceptible to an error-based SQL injection vulnerability. The researcher intercepted a login request using BurpSuite and then used SQLMap to discover the SQL injection. Once the SQL injection vulnerability was discovered, SQLMap...
curl: CVE-2021-22923: Metalink download sends credentials
Summary: When compiled --with-libmetalink and used with --metalink and --user curl will use the credentials for any further transfers performed. This includes different hosts and protocols, even ones without transport layer security such as http and ftp. As a result the credentials only intended...
curl: CVE-2021-22922: Wrong content via metalink not discarded
Summary: When compiled --with-libmetalink and used with --metalink curl does check the cryptographic hash of the downloaded files. However, the only indication that the hash was incorrect is a message displayed to the user. The files with incorrect hashes are left on the disk as-is. Since curl...
Kubernetes: Broken link hijacking in https://kubernetes-csi.github.io/docs/drivers.html
Summary : When a web application has any pages, sources, links to external 3rd party services and are broken then the attacker can claim those endpoints to successfully conduct the attack and claim those endpoints on behalf of the target website and impersonate his identity. Steps To Reproduce 1...
GitLab: Stored XSS in Mermaid when viewing Markdown files
Summary GitLab's Mermaid configuration allows an attacker to inject HTML in the rendered Markdown. This can be combined with a CSP bypass using pipeline artifacts to achieve RCE. Steps to reproduce 1. Create a repository on GitLab.com 2. Add the following to .gitlab-ci.yml yaml --- job: script: -...
Showmax: xmlrpc.php is publicly available at https://stories.showmax.com/xmlrpc.php
Summary: Greetings @Showmax, I found an xmlrpc.php file on https://stories.showmax.com, it's publicly available and it accepts POST requests. Description: your site is WordPress based, xmlrpc.php is a file that is intended to make API calls between hosts, if it's enabled on a WordPress sit...
U.S. Dept Of Defense: Path traversal on [███]
Summary: The web application hosted on the "███████" domain is affected by a path traversal vulnerability that could permit an attacker to include arbitrary files that are outside of the restricted directory. Description: The affected handler is the "█████". This handler receives, through the...
Sifchain: Clickjacking at sifchain.finance
Hi team, While performing security testing of your website I have found the vulnerability called Clickjacking. Many URLs are in scope and vulnerable to Clickjacking. What is Clickjacking? Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of...
Reddit: Oauth Misconfiguration Lead To Account Takeover
Summary: OAuth is a commonly used authorization framework that enables websites and web applications to request limited access to a user's account on another application. Crucially, OAuth allows the user to grant this access without exposing their login credentials to the requesting application...
Khan Academy: Bypass the fix of report #1078283 due to poor validation
Hi Khan Academy Team, I was able to bypass the fix you implemented for report 1078283. The URL validation you implemented on the endpoint continue checks the presence of khanacademy.org, however it doesn't have any boundary checking to ignore domains starting with .org, so if an attacker registers ...
GitHub Security Lab: [JAVA]: CWE-347 - Improper Verification of Cryptographic Signature : Potential for Auth Bypass
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Python] CWE-090: LDAP Injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [GO]: CWE-326: Insufficient key size
This bug was reported directly to GitHub Security Lab...
MTN Group: Reflected XSS on dailydeals.mtn.co.za
Hello MTN Team. I found Reflected XSS on https://dailydeals.mtn.co.za/index.cfm?GO=DEALS via the cpID parameter with the POST method Steps To Reproduce: 1. Intercept the https://dailydeals.mtn.co.za/index.cfm?GO=DEALS 2. Change Method to POST 3. Add empty line after last header 4. Write this code...
GitLab: Stored XSS in markdown via the DesignReferenceFilter
Summary When rendering markdown, links to designs are parsed using the following link_reference_pattern: https://gitlab.com/gitlab-org/gitlab/-/blob/v13.12.1-ee/app/models/design_management/design.rb#L168 ruby def self.link_reference_pattern @link_reference_pattern ||= begin path_segment =...
Basecamp: HTTP Request Smuggling via HTTP/2
HTTP Request Smuggling via HTTP/2...
Node.js: Node Installer Local Privilege Escalation
Node is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. To demonstrate thi...
Drugs.com: Cross-site Scripting (XSS) - Reflected
The drugs.com website was found to be vulnerable to a cross-site scripting XSS attack in the "imprint" parameter. The vulnerability was triggered when a long string of text was entered, which always resulted in search results. This allowed an attacker to inject malicious JavaScript code that coul...
Informatica: F5 BIG-IP Cookie potentially reveal BigIP pool name, backend's IP address and port, routed domain.
Hi Team, I hope everything is well. I am Kabeer Saxena a Security Researcher and I have found a bug Issue: ---------- F5 BIG-IP Cookie Remote Information Disclosure Vulnerable IP: ---------------- ██████:443 Certificate Information: ==X509v3 Subject Alternative Name:== ==DNS:████████== Summary:...
Nextcloud: Leaking sensitive information through JSON file path.
Hello team, I have found one JSON path at "https://lookup.nextcloud.com/" which is leaking some information like Username, email id, version, etc. I guess it shows the users who have installed or configured anything through the vendor. I was also able to download some of the zip files of the vendor...
MTN Group: Reflected XSS at dailydeals.mtn.co.za
Hello MTN Group: I found reflected XSS via the categoryid= parameter. The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is the...
8x8: [jitsi-meet] Authentication Bypass when using JWT w/ public keys
A Prosody module allows the use of symmetrical algorithms to validate JWTs. This means that tokens generated by arbitrary sources can be used to gain authorization to protected rooms. There are no known incidents related to this vulnerability. Please refer to the published advisory:...
Nextcloud: Serverinfo endpoints are not bruteforce protected nor are tokens properly generated
The serverinfo app allows accessing the endpoints also via a custom token. https://github.com/nextcloud/serverinfo/blob/9ae9dde028a684e53a1b37c9ba8e964ffe42a97f/lib/Controller/ApiController.php#L121 The token is set/generated via...
Internet Bug Bounty: 1-byte heap buffer overflow in DNS resolver
Official announcement: http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html A security issue in nginx resolver was identified, which might allow an attacker to cause 1-byte memory overwrite by using a specially crafted DNS response, resulting in worker process crash or, potentially,...
Nextcloud: Federated editing allows iframing possibly malicious remotes
So this attack is less likely now that you killed the trusted server auto adding. But as far as I could tell you did not clear out old servers. Let me first describe the attack: 1. UserA on ServerA sends a federated share to userB on serverB 2. Assume serverA and serverB are trusted servers 3. No...
Khan Academy: Enumerate all the class codes via google dorking
I used this particular google dork site:khanacademy.org/join/ to enumerate all the links of joining classes. 1. Go to google and use the above query to enumerate all of them. 2. Create the student account by filling all the required details 3. Now you're in the class without being actually invite...
Node.js: OOB read in libuv
Summary: The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo. nodejs seems to use libuv and is possibly...
Reddit: XSS
Hi security team, I have found a XSS in old.reddit.com and in reddit.com Description: Cross-site scripting, also known as XSS, is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the...
U.S. General Services Administration: Account takeover through multistage CSRF at https://autochoice.fas.gsa.gov/AutoChoice/changeQAOktaAnswer and ../AutoChoice/changePwOktaAnswer
Hi, Account takeover is possible through CSRF vulnerability at 'Change Security Question/Answer' & ' Change Password'. The endpoints - https://autochoice.fas.gsa.gov/AutoChoice/changeQAOktaAnswer & https://autochoice.fas.gsa.gov/AutoChoice/changePwOktaAnswer both are vulnerable to CSRF attack...
X (Formerly Twitter): Blind XSS on Twitter's internal Big Data panel at █████████████
An attacker appears to be able to send an XSS payload to Twitter staff members, using a Support Form. This XSS payload will execute in the context of an internal subdomain, allowing it to exfiltrate sensitive internal Twitter information...
Bitwarden: When uploading attachments, unencrypted file names are made available to the server
Certain Bitwarden clients were inadvertently posting raw filenames to the server when saving new attachments. The server was discarding this value and properly storing the encrypted filename, however, a malicious server could glean some information from the filename if it were inclined. The issue...
Courier: 2 Bypass of #1067533 rate limit via X-Forwarded-For<space>: Source IP on ( www.trycourier.app )
A vulnerability with AWS API Gateway was uncovered that allowed rate limiting to be bypassed when the X-Forwarded-For header was manipulated: with a string added to the header key I was able to bypass the rate limit by adding an extra space before the colon, X-Forwarded-For : 127.0.0.1. The actual bug was i...
Sifchain: Clickjacking
Bug Bounty Report / Vulnerability Report Vulnerability Name: UI Redressing (Clickjacking) Vulnerability Description: Clickjacking, classified as a User Interface redress attack (UI redress attack, UI redressing), is a malicious technique of tricking a user into clicking on something different from what t...
VK.com: Open redirect in a bot message carousel
Open redirect in chat-bot carousels. The vulnerability allows redirecting the user to a malicious link from a carousel, bypassing away.php...
Clario: rXSS on https://mackeeperapp.mackeeper.com/landings/download-blue/
Summary: Found XSS on https://mackeeperapp.mackeeper.com/landings/download-blue/ PoC https://mackeeperapp.mackeeper.com/landings/download-blue/?affid=b450fb80-0136-11eb-a01d-50cf6001b201-zzb&epayId=;alert(document.domain);//&guid=xxx Impact An attacker can run any malicious javascript code on a...
Reddit: No rate limit leads to spamming posts
Vulnerability description not provided...
QIWI: account impersonate through broken link
Hi team, hope you are good. A link in qiwi.com was broken and anyone could create that account, which leads to account impersonation. poc:- F1310817 Steps To Reproduce 1 Visit https://qiwi.com/sm 2 the link will redirect you to http://unbouncepages.com/savemyphone/ which is throwing an error "The...
Ruby: Security-unfriendly specification and implementation in the CGI::Cookie class
In the following CGI script, injection of newlines and equals signs into name, path and domain is possible: #!/usr/bin/env ruby require "cgi" cgi = CGI.new name = "name" path = "/" domain = "example.jp" cookie = CGI::Cookie.new('name' => name, 'value' => "value", 'domain' => domain, 'path' => path) cgi.out("cookie" => cookie)...
Open-Xchange: Command Injection via STARTTLS in SMTP
During our research into the security of email servers at Münster University of Applied Sciences, we found a command injection vulnerability related to STARTTLS in Dovecot. See the attached advisory for details. The vulnerability allows a MITM attacker between a mail client and Dovecot to inject...