The vulnerability here isn’t too interesting, just a case of user input being reflected into a header without sanitizing newlines (CRLF injection). What is interesting is how they leverage this header-injection primitive to bypass Akamai’s web application firewall.
A couple interesting issues in OpenEMR leading to unauthenticated remote code execution and file disclosure.
A couple of vulnerabilities here: the first is a bad regex that allows the origin validation on cross-origin messages to be bypassed. The second is a pair of innerHTML assignments using data from a cross-origin message.
A desync between the parameter the authorization check reads and the value the actual action uses, leading to an attacker being able to access resources that would normally have been denied.
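The shape of that desync, as an added illustration (this is constructed example code, not the affected application’s): the permission check reads the resource id from the query string while the action prefers the id in the JSON body, so a caller allowed to read resource 1 supplies ?id=1 and {"id": 2} at the same time. The fixed handler resolves the parameter exactly once and uses that single value for both the check and the action. The ACL, resources and the Request type are all made up for the example.

```python
"""Authorization-check vs. action parameter desync (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    query: dict = field(default_factory=dict)  # query-string parameters
    body: dict = field(default_factory=dict)   # decoded JSON body


# Constructed sample data: who may read which resource, and the resources themselves.
ACL = {"alice": {1}, "bob": {2}}
RESOURCES = {1: "alice's report", 2: "bob's report"}


class Forbidden(Exception):
    pass


def can_read(user: str, resource_id: int) -> bool:
    return resource_id in ACL.get(user, set())


def get_report_vulnerable(req: Request) -> str:
    # The authorization check reads the id from the query string...
    checked_id = int(req.query["id"])
    if not can_read(req.user, checked_id):
        raise Forbidden(f"{req.user} may not read {checked_id}")
    # ...but the action prefers the body when it carries an id. Two sources, two values.
    used_id = int(req.body.get("id", checked_id))
    return RESOURCES[used_id]


def get_report_fixed(req: Request) -> str:
    # Resolve the parameter once, from one place, and use that value for both steps.
    if "id" in req.body:
        resource_id = int(req.body["id"])
    else:
        resource_id = int(req.query["id"])
    if not can_read(req.user, resource_id):
        raise Forbidden(f"{req.user} may not read {resource_id}")
    return RESOURCES[resource_id]


def demo() -> tuple[str, bool]:
    """alice may read 1; she asks for 1 in the query but 2 in the body."""
    attack = Request(user="alice", query={"id": "1"}, body={"id": 2})
    leaked = get_report_vulnerable(attack)  # the check passed on 1, the action served 2
    try:
        get_report_fixed(attack)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The general lesson is that any value used by an access-control decision must be the same object the privileged operation consumes; parsing it twice from different sources is what creates the gap.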
A PS2 emulator escape that can be exploited on PS4/PS5. In the previous binary episode we covered part 2, which was a stack overflow in Okage: Shadow King; by chaining that with this out-of-bounds (OOB) write in the emulator, full userland code execution is possible…
A hard-to-reach bug condition leading to a buffer overflow in Western Digital’s MyCloudHome, a consumer-grade NAS.
A bug in the readline library, used in this case by chfn (change finger). They noticed that readline could take an INPUTRC environment variable for configuration data, which would get parsed line-by-line…
Some malformed hashes will “validate” against any value compared using password_verify. This is due to an old hack in PHP’s Blowfish implementation where a malformed hash with a $ character in the salt segment results in an early break and bad following logic.
A vulnerability in haproxy’s HTTP header parsing due to accepting empty header field names. The HPACK and QPACK decoders use a null field name to mark the end of a list of headers…
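Two of the items above come down to the same pair of checks on HTTP header fields, so here is one added illustration that covers both (constructed example code, not from haproxy or from the CRLF writeup): a field name must be a non-empty RFC 9110 token, since an empty name is exactly what haproxy let through and what the HPACK/QPACK decoders treat as an end marker; and a field value must contain no CR or LF, since otherwise user input reflected into a header splits the response, which is the CRLF primitive in the first item. The redirect builder, the sample header blocks and the injected Set-Cookie string are all constructed for the example.

```python
"""Header field validation on both the emitting and the parsing side (constructed example)."""
from __future__ import annotations
import re

# RFC 9110 token = 1*tchar, tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "."
#                / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA. Note the "1*": at least one char.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF and NUL never belong in a field value; they end the line or confuse parsers.
_BAD_VALUE_CHARS = re.compile(r"[\r\n\x00]")


class HeaderError(ValueError):
    pass


def validate_field_name(name: str) -> str:
    if name == "":
        raise HeaderError("empty field name")
    if not _TOKEN.match(name):
        raise HeaderError(f"field name is not a token: {name!r}")
    return name


def validate_field_value(value: str) -> str:
    if _BAD_VALUE_CHARS.search(value):
        raise HeaderError(f"CR/LF/NUL in field value: {value!r}")
    return value


def build_redirect_vulnerable(target: str) -> bytes:
    # Reflects the caller's value straight into Location; a CRLF inside `target`
    # terminates that line and whatever follows becomes a new header (or the body).
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def build_redirect_fixed(target: str) -> bytes:
    validate_field_value(target)  # refuse rather than sanitize; the value is not ours
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def parse_header_block(block: bytes) -> list[tuple[str, str]]:
    """Parse HTTP/1.x header lines (after the start line), rejecting nameless fields.

    Each line must be `name ":" OWS value OWS`. A line with nothing before the
    colon raises instead of yielding a header with an empty name.
    """
    headers: list[tuple[str, str]] = []
    for raw in block.split(b"\r\n"):
        if raw == b"":
            break  # the blank line terminates the header block
        line = raw.decode("latin-1")
        name, sep, value = line.partition(":")
        if not sep:
            raise HeaderError(f"no colon in header line: {line!r}")
        headers.append((validate_field_name(name), validate_field_value(value.strip(" \t"))))
    return headers


def injected_header_names(target: str) -> list[str]:
    """Field names a receiver sees in the vulnerable redirect built from `target`."""
    response = build_redirect_vulnerable(target)
    _, _, header_block = response.partition(b"\r\n")  # drop the status line
    return [name for name, _ in parse_header_block(header_block)]


if __name__ == "__main__":
    evil = "https://example.com/\r\nSet-Cookie: session=attacker"  # constructed payload
    print(injected_header_names(evil))  # the receiver sees a second, injected header
    try:
        build_redirect_fixed(evil)
    except HeaderError as e:
        print("fixed builder rejected it:", e)
    try:
        parse_header_block(b": no-name\r\n\r\n")
    except HeaderError as e:
        print("parser rejected it:", e)
```

The same two rules apply verbatim to HTTP/2 and HTTP/3 header lists, where a decoder that tolerates an empty name is confusing a data field with the encoding’s own end-of-list marker.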
A use-after-free (UAF) yielding a double free in OpenSSH that’s hittable pre-authentication. The bug mainly comes down to the compat_kex_proposal function for doing key exchange, and its support for older clients that set the SSH_OLD_DHGEX flag…