The vulnerability here isn’t too interesting, just a case of user-input being reflected into a header without sanitizing new-lines (CrLf injection). What is interesting is how they leverage this header injection primitive to bypass Akamai’s web application firewall.
A couple interesting issues in OpenEMR leading to unauthenticated remote code execution and file disclosure.
Couple vulnerabilities here, the first bad regex allowing for the origin validation on cross-origin messages to be bypass. The second is a pair of innerHTML assignments with data from a cross-origin message.
A desync between the parameter the authorization check reads, and the value the actual action reads. Leading to an attacker being able to access resources that would have been denied normally.
A PS2 emulator escape that can be exploited on PS4/PS5.In the previous binary episode we covered part 2 which was a stack overflow in Okage: Shadow King, by chaining that with this out-of-bounds (OOB) write in the emulator, full userland code execution is possible…
A hard to reach bug condition leading to a buffer overflow in Western Digital’s MyCloudHome, a consumer-grade NAS.
A bug in the readline library used in this case by chfn (change finger).They noticed that readline could take an INPUTRC environment variable for configuration data, which would get parsed line-by-line…
Some malformed hashes will “validate” with any value compared using password_verify. This is due to an old hack in PHP’s Blowfish implementation where a malformed hash with a $ character in the salt segment result in an early break and bad following logic.
A vulnerability in haproxy’s HTTP header parsing due to accepting empty header field names.The HPACK and QPACK decoders use a null field name to terminate the end of a list of headers…
A use-after-free (UAF) yielding double free in OpenSSH that’s hittable pre-authentication.The bug mainly comes down to the compat_kex_proposal function for doing key exchange, and its support for older clients that set the SSH_OLD_DHGEX flag…
A very easy stack overflow in the Okage Shadow King PS2 game.The profile name was copied into a stack buffer without bounds checking, allowing a stack overflow of the profile name to corrupt the return pointer on the stack…
A path traversal type issue in Kardex MLOG due to not properly handling windows path separators.The service’s GetFilehandler would check for an /api and /image slug, and if neither were present it would fall back on trying to construct a filename…
A small bug in processing/validating the entries in the Merkel tree resulting in the theft of 2 million BNB ($586 Million USD at time of the original theft).
A 19-year-old bug in XNUs Data Link Interface Layer or DLIL that lead to an out-of-bounds write on the heap.The root cause is that ifnet_attach() will get the next interface index as a 32-bit integer and downcast it to a uint16_t when saving the index…
Out of bounds read in cmark-gfm due to a lack of bounds check in validate_protocol.