Straightforward use-after-free in libcurl when processing MQTT. The mqtt_doing() routine will attempt to send any remainder of outgoing packet data using the mq->sendleftovers pointer, freeing that pointer, but then never clearing the reference…
Three bugs relating to insecurely configured CloudKit containers, the big one being the accidental deletion of all Apple Shortcuts, but also the ability to delete records on Apple News, and modify data used on the iCrowd+ website.
There are four vulnerabilities in Azure’s Open Management Infrastructure (OMI), one allowing an unauthenticated attacker on the internet to execute code as root, the other three allowing local users of any level to execute code as root.
This is effectively a replay attack. Join a channel you can comment in, place a comment and capture that POST request…
A WAF bypass by confusing the Adobe Experience Manager Dispatcher (load balancer/WAF/etc.). Not a crazy idea, but I don’t think we’ve covered any WAF bypass quite like this on the podcast before…
For a GitLab bug, this one is nice and simple: stored XSS in the “default branch name” field. For a group, you can set up what the group’s default branch name should be for any new repositories created…
When SmugMug bought Flickr from Yahoo they had to move the authentication system away from Yahoo’s authentication. A side-effect of this was that the account deletion process had previously used the Yahoo authentication code as the CSRF token, so in the move the token was removed and not replaced with anything functionally equivalent…
A rather non-intuitive bug where sending Content-Length: x would result in source disclosure on Apache.
The cool part of this paper is the speculative type confusion attack, where the browser’s optimizer is trained to expect that a memory access will be to a uint8 array, and the CPU branch predictor is trained to expect that execution will always go down that path. The attack then changes both conditions, leading to the CPU speculatively executing the uint8 access using data from another object, aligned in memory such that two 32-bit values in JavaScript become one 64-bit value.
The idea here is that by overflowing the value containing the size of a header name, you can cause the header to be misinterpreted.