Vulnerabilities tagged "cool-vuln"

This was a really cool XSS filter bypass due to a parsing differential between PHP's multibyte string functions: `mb_strpos` and `mb_substr` when dealing with invalid UTF-8 sequences.

The Mediatek wlan driver on Android has several files exposed under the `/proc` virtual filesystem.Some of these read handles do not check the caller-provided buffer size before copying data out into the user buffer...

Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug belongs to ModSecurity and the variables it exposes to be used by the various rulesets others have created.

Though perhaps an accidental find by Abhi Sharma it is a great one none-the-less. With a race-condition leading to the bypass of a MFA check.

Dynamic typing strikes again! Once again some fun stuff can happen when passing in an array where a string is expected.

Normalization gone wrong, Mastodon, when attempting to normalize a domain would intend to remove any trailing `/`from it, however they did this using `.delete("/")` which removes all `/` characters from the string instead of just a trailing `/`. This meant that someone could use an account like `someone@mastodon.so/cial` to spoof the account `someone@mastodon.social`.

A request smuggling to global cache poisoning chain impacting Akami Edge nodes in front of an F5 BigIP server.

Log injections are a class of bug that is often overlooked, both because it is difficult to spot during a black box engagement, and because the impact is difficult to determine.IN this case though the impact was easier to spot because the program processing the output logs was part of the same application...

A bit of an unexpected fault in GCC's `-fstack-protector` implementation that meant that the saved return address wasn't actually protected by the stack-protector on AArch64 in some cases.

The title gives this one away, the `header(...)` function in PHP will issue a warning (and keep executing) without adding the header to the response if the header contains a Carriage Return (\r), New-Line (\n) or Null-byte (\x00).That functionality may not be new to you as its purpose is to kill response splitting attacks, but @OctagonNetworks presents a fresh twist on this, probably not the first to have the thought but it was a neat idea to me...