Latest News

A list of topics we covered in the week of October 28 to November 3 of 2024

A vulnerability was found in Umbraco CMS 12.3.6. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Cybersecurity researchers have discovered a new version of a well-known Android malware family dubbed FakeCall that employs voice phishing (aka vishing) techniques to trick users into parting with their personal information. "FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client…

Online grooming crimes against children have reached a record high, with Snapchat being the most popular platform for…

Plus: Cops take down a notorious infostealer, Strava leaks world leaders’ locations, and a hacking scandal is causing chaos in Italy.

The large-scale operation took advantage of open repositories, hardcoded credentials in source code, and other cloud oversights.

### Summary When a WebDriver is used to fetch files source:file:///etc/passwd can be used to retrieve local system files, where the more traditional file:///etc/passwd gets blocked ### Details The root cause is the payload source:file:///etc/passwdpasses the regex [here](https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19) and also passes the check [here](https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35) where a traditional file:///etc/passwd would get blocked ### PoC [CL-ChangeDetection.io Path Travsersal-311024-181039.pdf](https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf) ### Impact It depends on where the webdriver is deployed but generally this is a high impact vulnerability

### Summary By default `oak` does not allow transferring of hidden files with `Context.send` API. However, this can be bypassed by encoding `/` as its URL encoded form `%2F`. ### Details 1.) Oak uses [decodeComponent](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25) which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL encoded characters unless the client URL encodes it first. 2.) The function [isHidden](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125) is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from `subdir/.env`. ### PoC ```ts // server.ts import { Application } from "jsr:@oak/oak@17.1.2"; const app = new Application(); app.use(async (context, next) => { try { await context.send({ root: './root', hidden: false, // default }); } catch { await ...