Greenhouse.io - Debug information disclosure on oauth-redirector.services.greenhouse.io

HackerOne bug report to Greenhouse.io: The configuration of the Sintra framework application hosted at oauth-redirector.services.greenhouse.io exposes internal information when exceptions occur. The application is configured with the show_exceptions setting which causes internal application configuration, environment variables and source code snippets to be exposed when exceptions occur.

Continue reading on hackerone.com...

WordPress - Wordpress unzip_file path traversal

HackerOne bug report to WordPress: The Wordpress unzip_file function (https://codex.wordpress.org/Function_Reference/unzip_file) is vulnerable to path traversal when extracting zip files. Extracting untrusted zip files using this function this could lead to code execution through placing arbitrary PHP files in the DocumentRoot of the webserver.

Continue reading on hackerone.com...

GitLab - GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery

HackerOne bug report to GitLab: The GitLab::UrlBlocker IP address validation methods suffer from a Time of Check to Time of Use (ToCToU) vulnerability. The vulnerability occurs due to multiple DNS resolution requests performed before and after the checks. This issue allows a malicious authenticated user to send GET and POST HTTP requests to arbitrary hosts, including the localhost, cloud metadata services and the local network, and read the HTTP response.

Continue reading on hackerone.com...

GitLab - Importing GitLab project archives can replace uploads of other users

HackerOne bug report to GitLab: Importing a modified exported GitLab project archive can overwrite uploads for other users. If the secret and file name of an upload are known (these can be easily identified for any uploads to public repositories), any user can import a new project which overwrites the served content of the upload with arbitrary content.

Continue reading on hackerone.com...

Lob - Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE

HackerOne bug report to Lob: The Template Preview function allows users to render arbitrary HTML to a PDF document, this includes the ability to execute arbitrary Javascript. The HTML agent used to render the HTML is based on an old version of WebKit which has known security issues, for which public exploits and Proof of Concepts (PoCs) are available.

Continue reading on hackerone.com...

PIA Client - HTTP(S) Tunnelled Traffic Interception

Private Internet Access(PIA) VPN users connecting to the PIA VPN service from an untrusted/malicious network are at risk of having all VPN tunnelled HTTP(S) traffic intercepted. The PIA client for Windows honours the Web Proxy Auto-Discovery (WPAD) settings configured by the local network the client is connecting from.

Continue reading...

OpenVPN - HTTP(S) Tunnelled Traffic Interception

Windows OpenVPN users connecting to a VPN network from an untrusted/malicious network are at risk of having all VPN tunnelled HTTP(S) traffic intercepted by a 3rd party. OpenVPN on Windows honours the Web Proxy Auto-Discovery (WPAD) settings, configured by the network the client is connecting from, on VPN connections.

Continue reading...

dompdf - Local File Disclosure

Dompdf is vulnerable to a file disclosure vulnerability which can be exploited by anonymous, unauthenticated attackers to download arbitrary files from the underlying hosting server. Exploitation of this issue requires a non-standard configuration option to be set, specifically the DOMPDF_ENABLE_REMOTE option must be set to true.

Continue reading...