GHSA-jhmr-57cj-q6g9: Komari vulnerable to 2FA Authentication Bypass

### Summary

A logic error in the 2FA verification condition allows two-factor authentication to be bypassed.

### Details

https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/login.go#L55

`Verify2Fa` can never return an error **and** `ok == true` at the same time, so the check is never satisfied and any code is accepted as valid.

### PoC

Use any 6 digits as the 2FA code.

### Impact

Bypass of 2FA authentication.

GHSA-q355-h244-969h: Komari vulnerable to Cross-site WebSocket Hijacking

### Summary

The WebSocket upgrader has origin checking disabled, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users.

### Details

https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.go#L33-L35

Any third-party website can open a connection to the terminal WebSocket endpoint with the browser's cookies attached, resulting in remote code execution.

### PoC

1. Log in to your Komari instance.
2. Host the following HTML code on the internet, replacing `<komari-addr>` and `<target-uuid>` with your own values.
3. Visit the page; your node executes `uptime` without any action on your part.

```
<pre></pre>
<script>
const socket = new WebSocket("wss://<komari-addr>/api/admin/client/<target-uuid>/terminal");
socket.addEventListener("open", (event) => {
  const binaryBlob = new Blob(['uptime\n'], { type: 'application/octet-stream' });
  socket.send(binaryBlob);
});
socket.addEventListener("message", (event) => {
  event.data.text().then(x ...
```

GHSA-xcxh-6cv4-q8p8: HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit

### Summary

When adding a "web link" to the HFS virtual filesystem, the frontend opens it with `target="_blank"` but without the `rel="noopener noreferrer"` attribute. This allows the opened page to use the `window.opener` property to change the location of the original HFS tab.

### Details

Most modern browsers already mitigate this `target="_blank"` issue at the browser level, but users on outdated browsers remain vulnerable. If an admin of the HFS instance adds a link to an external third-party service that they believe is safe at the time, and that service is later compromised, the malicious page could replace the original HFS tab's content with a phishing page. This does not require the admin account itself to be compromised, only that a legitimately linked site turns malicious.

### Impact

Affected users (people using old browsers without the browser-level fix) could be misled into entering their HFS credentials or other sensit...

GHSA-674p-xv2x-rf3g: Litestar has potential log injection in exception logging

### Summary

Litestar does not escape URL paths when logging exceptions. This makes the logger vulnerable to CRLF injection if the logging level is configured to debug or `log_exceptions` is set to "always", which allows attackers to inject newlines and forge log entries.

### Details

Litestar formats the unquoted path directly into exception logs, without validation or escaping, when using the default exception logging handler.

https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150

Attackers can inject newlines into logs by embedding `%0d%0a` in the URL path.

`log_exceptions="always"` is not enabled by default. However, it is set in the examples in the documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). Users are affected if they copy the logging config from the docs verbatim.

### PoC

```
curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:819...
```

GHSA-qx2v-8332-m4fv: slab allows out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check

### Impact

The `get_disjoint_mut` method in slab v0.4.10 incorrectly checked whether indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes.

### Patches

This has been fixed in slab v0.4.11.

### Workarounds

Avoid using `get_disjoint_mut` with indices that might be beyond the slab's actual length, or upgrade to v0.4.11 or later.

### References

- [https://github.com/tokio-rs/slab/pull/152](https://github.com/tokio-rs/slab/pull/152)

“The worst thing” for online rights: An age-restricted grey web (Lock and Code S06E16)

This week on the Lock and Code podcast, we speak with EFF Activism Director Jason Kelley about online age verification and the "grey web."

ReVault! When your SoC turns against you… deep dive edition

Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”.

GHSA-6v93-frf9-2rp8: Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allow a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web component due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation.

GHSA-c6g5-g6r7-q4j6: Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery

An SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs.

Ex-NSA Chief Paul Nakasone Has a Warning for the Tech World

At the Defcon security conference in Las Vegas on Friday, Nakasone tried to thread the needle in a politically fraught moment while hinting at major changes for the tech community around the corner.