A pretty classic command injection vulnerability, but in ClamAV. Often seen (in my experience) running on mail servers to scan incoming email attachments...
Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug belongs to ModSecurity and the variables it exposes for use by the various rulesets others have created.
Authentication bypass in Apache OFBiz: including the GET param `requirePasswordChange=Y` simply bypasses the need to authenticate, due to some mishandling of errors.
This one starts off with a fun mass-assignment issue. Early on in the processing chain of an HTTP request to CrushFTP's web interface it parses all the HTTP headers into a Java `Properties` object...
This vulnerability impacts Kubernetes setups using NGINX as the ingress controller via [ingress-nginx](https://github.com/kubernetes/ingress-nginx). At first I wanted to blame this one on block-listing where they should have used an allow-list, but it's not quite that; it is basically just a missed edge case that allows for code execution.
When using curl, if the `--data-raw` argument starts with a `@` it will be treated as a filename and the file itself will be included as the data of the request. This sort of bug would be hard to exploit in the context of Burp and Chrome, requiring a victim to "Copy as cURL" a malicious request in the first place, and then run it...
The XSS here is fairly basic, attacker-controlled data reflected without sanitization; what's a bit more interesting is the input source: plugin metadata processed by the global Jenkins Update Center. There is a bit of a process to getting plugins listed in the Update Center, submitting a PR, and the first plugin needs to be manually approved, though the authors note that this is mostly a procedural thing...
When resizing a PNG, a textual chunk holds a keyword and a text string as its value. If the keyword is `profile`, ImageMagick treats the text value as a filename and, if that file exists, loads its content into the resulting image. So in cases where a user-uploaded image is resized or otherwise processed by ImageMagick, it may be possible to leak file content in the resulting image.
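As an added example (my code as editor, not ImageMagick's or the researcher's), here is the PNG chunk layout the blurb relies on, plus the check an upload pipeline could run before handing a file to ImageMagick: walk the chunks, verify CRCs, decode the textual chunks and report any keyed `profile`. It goes a bit beyond the text by covering all three textual chunk types (tEXt, zTXt, iTXt) and matching the keyword case-insensitively, which is a conservative assumption for a gate rather than a statement about ImageMagick's exact matching. The sample image and the `/etc/passwd` target are constructed.

```python
import struct
import zlib

# Added example, not code from the original post or from ImageMagick.
# Assumption: scanning zTXt/iTXt and case-insensitive keyword matching are
# deliberately broader than the tEXt case described in the text.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(text_chunks):
    """Minimal valid 1x1 8-bit greyscale PNG carrying the given (keyword, text)
    pairs as tEXt chunks. Constructed sample input for the scanner below."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, depth 8, grey
    idat = zlib.compress(b"\x00\x00")                   # filter 0 + one pixel
    png = PNG_SIGNATURE + chunk(b"IHDR", ihdr)
    for keyword, text in text_chunks:
        body = keyword.encode("latin-1") + b"\x00" + text.encode("latin-1")
        png += chunk(b"tEXt", body)
    return png + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, checking signature, length and CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError(f"truncated chunk at offset {pos}")
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        yield ctype, data
        pos = end
        if ctype == b"IEND":
            break


def textual_entries(png: bytes):
    """Decode tEXt, zTXt and iTXt chunks into (keyword, text) pairs."""
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            keyword, _, text = data.partition(b"\x00")
        elif ctype == b"zTXt":
            keyword, _, rest = data.partition(b"\x00")
            text = zlib.decompress(rest[1:])          # rest[0] = compression method
        elif ctype == b"iTXt":
            keyword, _, rest = data.partition(b"\x00")
            compressed, rest = rest[0], rest[2:]      # flag byte, method byte
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if compressed:
                text = zlib.decompress(text)
        else:
            continue
        yield keyword.decode("latin-1"), text.decode("latin-1", "replace")


def profile_targets(png: bytes):
    """Text values of every textual chunk keyed 'profile', i.e. the filenames
    ImageMagick would try to read. Empty list means the upload is clean."""
    return [text for kw, text in textual_entries(png) if kw.lower() == "profile"]


if __name__ == "__main__":
    sample = build_png([("Comment", "holiday photo"), ("profile", "/etc/passwd")])
    print(profile_targets(sample))
```

Rejecting the upload when `profile_targets` is non-empty is the cheap gate; stripping the textual chunks and rewriting the file is the alternative if you need to keep the image.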
The `username`, `from_name` and `password` fields of the SMTP server configuration accept new-line characters that are printed directly into the resulting configuration file. Using this it is possible to include configuration parameters that are not normally exposed...
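The newline-into-config-file pattern, as an added example that is not the affected product's code: the vulnerable writer interpolates the SMTP fields verbatim, so a `\n` inside `from_name` ends the line and whatever follows is parsed back as its own key; the hardened writer refuses any field containing a line break or NUL. The INI layout, the `[smtp]` section and the injected `debug_log` key are assumptions for illustration, not parameters of the real product.

```python
import configparser

# Added example, not code from the original post or the affected product.
# Assumption: an INI-style file with an [smtp] section; the injected
# "debug_log" key is hypothetical.

CONTROL_CHARS = {"\r", "\n", "\x00"}


def render_smtp_config_vulnerable(host, username, from_name, password):
    """Writes the fields verbatim: a newline in any of them becomes a new
    line, i.e. a new key, in the file that gets written to disk."""
    return (
        "[smtp]\n"
        f"host = {host}\n"
        f"username = {username}\n"
        f"from_name = {from_name}\n"
        f"password = {password}\n"
    )


def render_smtp_config_safe(host, username, from_name, password):
    """Same output, but rejects control characters before rendering so no
    field can terminate its own line."""
    fields = {"host": host, "username": username,
              "from_name": from_name, "password": password}
    for name, value in fields.items():
        if any(c in CONTROL_CHARS for c in value):
            raise ValueError(f"{name} contains a line break or NUL")
    return render_smtp_config_vulnerable(host, username, from_name, password)


def parse_smtp_section(text):
    """Read the written file back the way the application would, returning
    the [smtp] keys that actually took effect."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["smtp"])


if __name__ == "__main__":
    injected = "Alice\ndebug_log = /tmp/mail.log"
    print(parse_smtp_section(
        render_smtp_config_vulnerable("mail.example", "bob", injected, "s3cret")))
```

Parsing the rendered text back is the useful check: it shows the smuggled key landing in the section as a first-class setting, which is exactly the "parameters not normally exposed" the blurb describes.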
This blog post essentially reuses a previous sandbox escape they discovered against Backstage, Spotify's incubated solution for managing infrastructure, microservices and such. Backstage includes software templates, which can contain a `message` parameter that gets rendered in Nunjucks (a JS templating engine)...