Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-mqpq-2p68-46fv: pyload Unauthenticated Flask Configuration Leakage vulnerability

### Summary Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. ### Details Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. ### PoC Run `pyload` in the default configuration by running the following command ``` pyload ``` Now browse to `http://localhost:8000/render/info.html`. Notice how the Flask configuration gets displayed. ![PoC](https://user-images.githubusercontent.com/44903767/294522246-4cc19c49-b315-4926-8fd6-ec3c3fdb7c1f.png) I was quite amused by this finding. I think it's a very interesting coming together of things that is so unlikely to happen. Below I will detail my process a bit more. I was looking through the code to see how the authorization mechanism is implemented when I spotted this route, which can be accessed by any unauthenticated actor - https://github.com/pyload/pyload/blob/57d81930edb59177c60830ad8ac36a91d0ec4c4e/src/py...

ghsa
Open in Source
#vulnerability#web#git#auth
GHSA-ghmw-rwh8-6qmr: pyload Log Injection vulnerability

### Summary A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. ### Details `pyload` will generate a log entry when attempting to sign in with faulty credentials. This entry will be in the form of `Login failed for user 'USERNAME'`. However, when supplied with a username containing a newline, this newline is not properly escaped. Newlines are also the delimiter between log entries. This allows the attacker to inject new log entries into the log file. ### PoC Run `pyload` in the default configuration by running the following command ``` pyload ``` We can now sign in as the pyload user and view the logs at `http://localhost:8000/logs`. ![Viewing the logs](https://user-images.githubusercontent.com/44903767/294433796-f2c96e39-8000-4649-99bb-9c50e786243d.png) Any unauthenticated attacker can now make the following request to inject arbitrary logs. ``` curl 'http://...

iGalerie 3.0.22 Cross Site Scripting

iGalerie version 3.0.22 suffers from a cross site scripting vulnerability.

Femitter FTP Server 1.03 Denial Of Service

Femitter FTP Server version 1.03 remote denial of service exploit.

PluXml Blog 5.8.9 Remote Code Execution

PluXml Blog version 5.8.9 suffers from a remote code execution vulnerability.

Form Tools 3.1.1 Cross Site Scripting

Form Tools version 3.1.1 suffers from a cross site scripting vulnerability.

Gentoo Linux Security Advisory 202401-07

Gentoo Linux Security Advisory 202401-7 - A vulnerability was found in R which could allow for remote code execution. Versions greater than or equal to 4.0.4 are affected.

Gom Player 2.3.92.5362 DLL Hijacking

Gom Player version 2.3.92.5362 suffers from a dll hijacking vulnerability.

Syrian Hackers Distributing Stealthy C#-Based Silver RAT to Cybercriminals

Threat actors operating under the name Anonymous Arabic have released a remote access trojan (RAT) called Silver RAT that’s equipped to bypass security software and stealthily launch hidden applications. “The developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence,” cybersecurity firm Cyfirma said in a report

DoJ Charges 19 Worldwide in $68 Million xDedic Dark Web Marketplace Fraud

The U.S. Department of Justice (DoJ) said it charged 19 individuals worldwide in connection with the now-defunct xDedic Marketplace, which is estimated to have facilitated more than $68 million in fraud. In wrapping up its investigation into the dark web portal, the agency said the transnational operation was the result of close cooperation with law enforcement authorities from Belgium