Show Notes

115 - Zoho Auth Bypass, a Bogus Bug, and Leaking Microsoft Bug Reports

Exactly as the title puts it, cross-site scripting through content injected from the X-Forwarded-Host header. It's interesting that this one was paid out, as without some other issue like cache poisoning it would be impossible, as far as I am aware, to exploit this: you cannot control the headers of a random user's requests.

An inability to decode the character in a user's post, leading to an HTTP 500 response.

In particular, it looks like it's coming from whatever code is processing the markdown: it will attempt to decode the HTML entities contained in the post and, when that fails, crash. It's a bit of an interesting area because the ability to abuse this for censorship is definitely present. Though it's also a pretty loud error, so if it were attacked in the wild it probably wouldn't last too long.

As an attack though, these sorts of character encoding issues are somewhat interesting to see pop up. Some languages like Python really don't like dealing with unexpected characters, and it's easy to miss all the places text gets handled, so they can crop up in some high impact locations.

Just send an email pretending to be part of another report and the system will make you part of it. It's really that simple: sending an email from the email address associated with your Researcher portal account with the subject VULN-<report number> will get that email added to the report and copied on future updates. As report numbers are sequential integers, one could predict reports easily, or if they knew a particular number they could add themselves to it.

Little Snitch might block connections to some IPs, but only if they send data. Just opening the connection but not sending data is a fun way to get around the blacklist, and while significantly slower, one can still exfiltrate information using only a data-less connection.

This is almost an intended feature: basically, if an attacker can craft their own State cookie, they can trick the StateFilter into reading the forwardPath and forwarding their request to another servlet directly. The interesting side-effect here is that the forward will bypass any other filters left in the chain and go directly to the other servlet.

This was abused (in-the-wild) with the AgentLogUploadServlet, together with a directory traversal vulnerability, to write a file. The only interesting part of that is that the filename was checked for directory traversal but the path, which was also influenced by user parameters, was not. It was used to upload a malicious jar (as a .zip) file that would get loaded on reboot.
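As an added illustration of the check described above (constructed example code, not ManageEngine's servlet; `UPLOAD_ROOT`, the parameter names and the function names are assumptions), here is the difference between validating only the filename parameter and validating the final joined path:

```python
import posixpath

# Constructed example root; the real upload directory is not part of the show notes.
UPLOAD_ROOT = "/opt/app/uploads"


def filename_has_traversal(filename: str) -> bool:
    """The kind of check the write-up describes: applied to the filename alone."""
    return ".." in filename or "/" in filename or "\\" in filename


def vulnerable_target(subdir: str, filename: str) -> str:
    """Filename is validated, but the user-influenced directory is joined unchecked,
    so a subdir such as '../../lib' still lands outside UPLOAD_ROOT."""
    if filename_has_traversal(filename):
        raise ValueError("traversal in filename")
    return posixpath.join(UPLOAD_ROOT, subdir, filename)


def hardened_target(subdir: str, filename: str) -> str:
    """Validate the final path, not the individual parameters: normalise the joined
    path and require it to remain inside UPLOAD_ROOT. This also rejects an absolute
    subdir, which posixpath.join would otherwise let replace the root."""
    if filename_has_traversal(filename):
        raise ValueError("traversal in filename")
    root = posixpath.normpath(UPLOAD_ROOT)
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, subdir, filename))
    if not candidate.startswith(root + "/"):
        raise ValueError("resolved path escapes upload root: %s" % candidate)
    return candidate


def escapes_root(path: str) -> bool:
    """Report whether a path, once normalised, lies outside UPLOAD_ROOT."""
    root = posixpath.normpath(UPLOAD_ROOT)
    return not posixpath.normpath(path).startswith(root + "/")
```

The vulnerable version is exactly the shape of the bug in the write-up: each parameter looks sanitised on its own, but the combination is never checked.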