There is a good deal of complexity in the object structure that is detailed in the post that I'm going to gloss over. Effectively you have an array of entry objects, and each entry has a pointer to a `user_data_value_element`...
`strcat` was used in a callback to craft the `xpath` for each element, and it did this without any bounds checking. By nesting XML structures they could eventually overflow the memory region they were allocated in...
This one is a bit of a cross-user attack on the same machine, as `git`, when executed in a directory that doesn't have a `.git` folder, will traverse upward looking for the `.git/` of the repo. The problem is that if one accidentally invokes `git` while not in a repository, it'll look in some potentially untrusted locations as it traverses, by default, all the way to the root of the storage...
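A model of the traversal described above, as an added example that is not git's own code: it walks upward exactly as described and adds the two controls a practitioner would reach for, a ceiling directory (the job `GIT_CEILING_DIRECTORIES` does in real git) and an ownership check on the directory holding `.git` (the job git's `safe.directory` setting later took on). The function and directory names are this example's own, the directory layout is constructed in a temporary directory, and the "foreign owner" is simulated rather than requiring a second user account.

```python
"""Added example, not git's code: a model of git's upward repository discovery
with the two controls that keep it from trusting a repository planted higher
up the tree. Requires a POSIX system (os.geteuid)."""

import os
import tempfile
from typing import Callable, Iterable, Optional


def discover_git_dir(
    start: str,
    ceiling_dirs: Iterable[str] = (),
    uid_of: Callable[[str], int] = lambda path: os.stat(path).st_uid,
    trusted_uid: Optional[int] = None,
) -> Optional[str]:
    """Walk from `start` toward the filesystem root and return the first
    `<dir>/.git` found, or None.

    ceiling_dirs: directories the walk must never climb up into (loosely the
      role GIT_CEILING_DIRECTORIES plays in real git).
    uid_of / trusted_uid: a candidate whose containing directory is owned by
      anyone but trusted_uid is refused (loosely the role git's safe.directory
      ownership check plays). trusted_uid defaults to the current user.
    """
    if trusted_uid is None:
        trusted_uid = os.geteuid()
    ceilings = {os.path.realpath(c) for c in ceiling_dirs}
    cur = os.path.realpath(start)
    while True:
        candidate = os.path.join(cur, ".git")
        if os.path.exists(candidate):
            if uid_of(cur) != trusted_uid:
                return None  # left here by another user: do not trust it
            return candidate
        parent = os.path.dirname(cur)
        if parent == cur:
            return None  # reached the root without finding a repository
        if parent in ceilings:
            return None  # refuse to climb into a ceiling directory
        cur = parent


def demo() -> dict:
    """Constructed layout (hypothetical, built in a temp dir):
         <tmp>/planted/.git        <- a repository someone else left higher up
         <tmp>/planted/work/deep   <- where the user accidentally runs git
    Returns what discovery yields unguarded, with a ceiling, and with the
    ownership check facing a simulated foreign owner."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "planted")
        deep = os.path.join(planted, "work", "deep")
        os.makedirs(os.path.join(planted, ".git"))
        os.makedirs(deep)
        me = os.geteuid()

        def foreign_owner(path: str) -> int:
            # Simulated: report the planted directory as owned by another uid.
            if os.path.realpath(path) == os.path.realpath(planted):
                return me + 1
            return me

        return {
            "unguarded": discover_git_dir(deep),
            "ceiling": discover_git_dir(deep, ceiling_dirs=[planted]),
            "owner_check": discover_git_dir(deep, uid_of=foreign_owner),
        }


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name:12s} -> {found}")
```

The unguarded walk happily returns the planted `.git`, which is the whole problem: anything in that directory's config (hooks, `core.fsmonitor`, and so on) now runs as the user who typed `git`. Either control alone stops it; the ownership check is the one that needs no per-user environment setup.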
Two issues: one a race condition between validating that a configuration is safe and then using it, the other an information disclosure where a user's Net-NTLMv2 hash could be leaked.
Copying and pasting an HTML element with a script within it can result in an XSS in the vditor text editor. This does feel like a bit of a stretch for an attack scenario, pasting in malicious content to an editor, but not really a threat situation I've thought much about either...
Great oversight spotted by the Light Spin team in Amazon Relational Database Service's (RDS) PostgreSQL offering, allowing for arbitrary file reading and ultimately disclosure of internal service credentials.
A bug and exploit that hearkens back to old-school browser exploitation. The bug is a use-after-free in the PHP engine's `concat_function()` (variable concatenation), which is abused to escape the `disable_functions` and `open_basedir` sandboxing.
A slight race condition in the Pritunl VPN client leading to a semi-controlled file write as SYSTEM, which could be leveraged into code execution as SYSTEM.
Somewhat traditional CL.TE request smuggling attack on a few of Apple's domains. The main trick with this one was to place a `\n ` in the `Transfer-Encoding` header name...
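A constructed illustration of the desync, added here and not taken from the report: two minimal HTTP/1.1 framers, one that drops a header line it cannot parse and one that folds a whitespace-led line onto the previous line (RFC 7230 obs-fold), disagree about where the body ends. The request bytes, the exact placement of the `\n ` inside the header name, and the function names are this example's assumptions; the bytes Apple's front end actually accepted are not restated.

```python
"""Added example, not the report's payload: a CL.TE desync caused by a
newline + space inside the Transfer-Encoding header name."""

from typing import Dict, Tuple

# Constructed request. The front end is expected to honour Content-Length,
# which is sized to cover everything; the back end is expected to fold the
# broken header back together and read a chunked body instead.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Ignore: "
BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
RAW_REQUEST = b"".join([
    b"POST / HTTP/1.1\r\n",
    b"Host: example.test\r\n",
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n",
    b"Transfer-Encoding\r\n : chunked\r\n",   # the \n + space inside the name
    b"\r\n",
    BODY,
])

# Constructed control case with one unambiguous framing.
CLEAN_REQUEST = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\n\r\nhello")


def parse_headers(head: bytes, fold_obs_lines: bool) -> Dict[str, str]:
    """Parse a header block into {lowercased name: value}.

    fold_obs_lines=True  : a line starting with SP/HTAB continues the previous
                           line (obs-fold), so the split name is reassembled.
    fold_obs_lines=False : such a line stands alone. Lines with no colon, or
                           an empty name, are silently dropped rather than
                           rejected, which is the behaviour that hurts here.
    """
    lines = head.split(b"\r\n")
    if fold_obs_lines:
        merged = []
        for line in lines:
            if line[:1] in (b" ", b"\t") and merged:
                merged[-1] += b" " + line.lstrip()
            else:
                merged.append(line)
        lines = merged
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # lines[0] is the request line
        name, sep, value = line.partition(b":")
        name = name.strip().lower()
        if sep and name:
            headers[name.decode()] = value.strip().decode()
    return headers


def frame_body(raw: bytes, fold_obs_lines: bool) -> Tuple[bytes, bytes]:
    """Return (body, leftover): leftover is what this parser believes is the
    start of the *next* request on the same connection."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = parse_headers(head, fold_obs_lines)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body, pos = b"", 0
        while True:
            line_end = rest.index(b"\r\n", pos)
            size = int(rest[pos:line_end].split(b";")[0], 16)
            pos = line_end + 2
            if size == 0:
                pos = rest.index(b"\r\n", pos) + 2   # skip (empty) trailer section
                return body, rest[pos:]
            body += rest[pos:pos + size]
            pos += size + 2                         # chunk data plus its CRLF
    length = int(headers.get("content-length", "0"))
    return rest[:length], rest[length:]


def framing_disagrees(raw: bytes) -> bool:
    """Desync check: does a drop-the-bad-line parser split the stream
    differently from a folding parser? True means smuggling material."""
    return frame_body(raw, False) != frame_body(raw, True)


if __name__ == "__main__":
    print("front end :", frame_body(RAW_REQUEST, False))
    print("back end  :", frame_body(RAW_REQUEST, True))
    print("desync    :", framing_disagrees(RAW_REQUEST))
```

The front end forwards the whole thing as one request; the back end ends the body at `0\r\n\r\n` and holds `GET /admin ...` as the beginning of the next request, which gets glued onto whoever's request arrives next on that back-end connection. RFC 7230 tells a server to either reject obs-fold with a 400 or replace it with spaces; the dangerous middle ground is a front end that quietly drops the unparseable line while still honouring `Content-Length`. `framing_disagrees` is the check worth running over captured requests: any input on which the two framers return different splits deserves a closer look.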
Cool little trick against the NodeBB OAuth flow resulting in a CSRF that would associate an attacker's third-party account with a victim's NodeBB account.
**tl;dr** Two CVEs, one an integer overflow due to incorrectly assuming the compiler would optimize an `enum` into a single byte (C leaves an `enum`'s underlying integer type implementation-defined, and mainstream compilers use `int` unless told to pack it), and the other some uninitialized kernel stack variables that could be exposed to userspace.
Follow-up to the December post, which covered an integer overflow in the CoreGraphics PDF parser for the JBIG2 image format, exploited by building a weird machine (a mini architecture) out of the parser to execute code. This post covers the sandbox escape that was chained with it, which, unlike the first bug, is a logic issue rather than a memory corruption.
The title says it all: CSRF protection was disabled for a period of time on Stripe's Dashboard. As the most sensitive actions required re-entering the user's password or solving a captcha, the damage was limited, but you could still change various account settings...