Tag
#git
### Summary Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. ### Details Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together. Although closing a file descriptor is seemingly a harmless task, this has been known to be exploitable: - With `--allow-read` and `--allow-write` permissions, one can open `/dev/ptmx` as stdin. This device happily accepts TTY ioctls and pipes anything written into it back to the reader. - This has been presented in a hacking competition (WACON 2023 Quals "dino jail"). - However, the precondition of this challenge was heavily contrived: fd 0 has manually been closed by FFI and `setuid()` was used...
### Summary Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example.com` may be sent to `notexample.com`. ### Details [auth_tokens.rs uses a simple ends_with check](https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89), which matches `www.deno.land` to a `deno.land` token as intended, but also matches `im-in-ur-servers-attacking-ur-deno.land` to `deno.land` tokens. ### PoC - Set up a server that logs requests. RequestBin will do. For example, `denovulnpoc.example.com`. - Run `DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain`. For example, `DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com` - Observe that the token intended only for the truncated domain is sent to the full domain ### Impact _Wha...
### Summary Serveral Server-Side Request Forgery (SSRF) vulnerabilities in RSSHub allow remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks. ### Details #### `/mastodon/acct/:acct/statuses/:only_media?` https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7 https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105 #### `/zjol/paper/:id?` https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13 #### `/m4/:id?/:category*` https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14 ### PoC - https://rsshub.app/mastodon/acct/test@a6wt15r2.requestrepo.com%23/statuses - https://rsshub.app/zjol/paper/a6wt15r2.requestrepo.com%23 - http...
## Impact When the specially crafted image is supplied to the internal media proxy, it proxies the image without handling XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. ## Patches This vulnerability was fixed in version https://github.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87. Please upgrade to this or a later version. ## Workarounds No.
### Impact An attacker could crash the server by sending malformed JWT JSON in LoginPacket due to a security vulnerability in [netresearch/jsonmapper](https://github.com/cweiske/JsonMapper), due to attempting to construct objects from scalar types by default without any validation, with unexpected results that caused PocketMine-MP to crash. Due to the relatively high number of security issues arising from this specific dependency, the team is exploring options to replace it. ### Patches In the meantime, the issue was fixed by pmmp/netresearch-jsonmapper@b96a209f9e8b76b899a0d0918493cd87eb3c02a7 and 6872661fd03649cc7a8762c41c16e9ee5a4de1c9. ### Workarounds Detecting the malicious data that triggers this issue is of rather high difficulty, so it's not likely that a plugin would be able to easily remediate this. ### References https://github.com/cweiske/jsonmapper/issues/226
### Summary If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by `BaseInventory->getItem()`. ### Details Crashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873 ### PoC Using Gophertunnel, use `serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36})` ### Impact Server crash, all servers ### Patched versions This issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 5.11.2.
In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0
### Impact The steps are as follows: 1. Access https://IP:PORT/ in the browser, which prompts the user to access with a secure entry point.  2. Use Burp to intercept:  When opening the browser and entering the URL (allowing the first intercepted packet through Burp), the following is displayed:  It is found that in this situation, we can access the console page (although no data is returned and no modification operations can be performed)." Affected versions: <= 1.10.0-lts ### Patches The vulnerability has been fixed in v1.10.1-lts. ### Workarounds It is recommended to upgrade the version to 1.10.1-lts. ### References If you have any questions or comments about this advisory: Open ...
### Summary Here it is observed that the CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. ### Details The web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access over the. ### PoC 1. Capture login request in proxy tool like Burp Suite and select password field.  2. Here I have started attack with total number of 271 password tries where the last one is the correct password and as we can see in the following image we get a **400 Bad Request** status code with the message "**Invalid Password**" and response length **769** on 1st request which was sent at **_Tue, 16 Jan 2024 18:31:32 GMT_**  **Note**: _We have tested this vulnerabil...
### Summary The Casa OS Login page has disclosed the username enumeration vulnerability in the login page. ### Details It is observed that the attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error "**User does not exist**", If the password is incorrect application gives the error "**Invalid password**". ### PoC Capture the login request in a tool like Burp Suit and use the intruder tab for trying multiple usernames. Keep checking the response of each request if the response says **Invalid password** then the username is right. ### Impact Using this error attacker can enumerate the username of CasaOS. ### The logic behind the issue If the username is incorrect, then throw an error "User does not exist" else throw an error "Invalid password". This condition can be vice versa like: If the password is incorrect, then throw an error "Invalid password" else throw an error "User does not exist". ### ...