The issue here is relatively simple despite the technical depth the authors go into on the crypto and how it’s used. AES-128 keys are used to encrypt challenge codes for the authentication flow between NFC tags and the alarm system, but the way these AES-128 keys are generated is naive and insecure…
While the hostnames were being validated for this vulnerability, injecting a @ into the path argument was sufficient to mislead the final URL parser, and the actual code making the HTTP request, into going to an unapproved domain: the parser treats the path as the host and everything before the @ as just credentials.
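As an added illustration, not code from the write-up being summarised, the sketch below puts the validate-then-concatenate mistake beside a parse-then-validate check. It assumes a constructed allowlist and that the request path is appended to the host without forcing a leading slash:

```python
from urllib.parse import urlsplit

# Constructed allowlist; the real product's validation target is not on the page.
ALLOWED_HOSTS = {"api.example.com"}

def build_url_naive(host: str, path: str) -> str:
    """Validate the host string first, then glue the untrusted path onto it."""
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    # Bug: the path is trusted to begin with '/'. If it does not, anything
    # before its first '/' becomes part of the authority component.
    return "https://" + host + path

def effective_host(url: str):
    """The host the HTTP client will really connect to (same parser the client uses)."""
    return urlsplit(url).hostname

def is_allowed_url(url: str) -> bool:
    """Validate the assembled URL as the parser sees it, not the pieces it was built from."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return False
    # Userinfo has no legitimate use here, so its presence is itself a red flag.
    if parts.username is not None or parts.password is not None:
        return False
    return True

def build_url_safe(host: str, path: str) -> str:
    """Same assembly as the naive version, but the check runs on the final URL."""
    url = "https://" + host + path
    if not is_allowed_url(url):
        raise ValueError(f"refusing URL whose parsed host is {effective_host(url)!r}")
    return url

if __name__ == "__main__":
    crafted = "@evil.example/api/v1"   # constructed path with no leading '/'
    url = build_url_naive("api.example.com", crafted)
    print(url, "-> connects to", effective_host(url))   # evil.example
    try:
        build_url_safe("api.example.com", crafted)
    except ValueError as err:
        print("rejected:", err)
```

The general lesson is that the check has to run on the same representation the HTTP client will use; validating the fragments before assembly proves nothing about the assembled result.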
The gist of this is that an attacker can use their own Time-based One-Time Password (TOTP) code on another user’s account.
Combination of a local file inclusion bug and a file write bug. Firstly, the user/loader.php and /user/index.php pages had some interesting code where they would take a scripts GET parameter to construct an include path in PHP…
The initial vulnerability here is an unbounded sscanf into a stack variable. In terms of discovery, just checking those format strings for unbounded string reads will find plenty of bugs out there in the world…
The basic idea is that the identifier pulled out of a message can point to a different handler between the initial check that routes the message to the proper “sequence” and that sequence finding the proper endpoint/handler for it.
An integer overflow in Adobe Reader’s parsing of gesture coordinates.
The logout endpoint provided by the Shibboleth plugin for an Identity Provider to log a user out of services had an odd way of finding the right sessions to destroy, which led to the request originator being logged into another seemingly random account.
Different URL parsers may treat mistakes in the URL differently, leading to behaviour differences that can be used. This research paper focused on five potential areas where parsers disagreed on how to understand the URL.
If you’re going to apply a blacklist to remove content…perform it recursively.