Cross-Tenant Token Leakage in Azure Automation
Azure Automation would run an internal service serving JWTs that could be accessed across tenant boundaries.
Escaping to the Node Virtual Machine
Two issues: first, an XSS requiring two injection points to bypass the web-application firewall, and second, a cache poisoning attack making it possible for the XSS to be stored.
Background
The vulnerability here is just a straightforward case of reading a size from the attacker and using it in a memcpy into a fixed-size destination buffer on the stack.
A lot of this post, as the title indicates, goes into the difficulties of determining the real client IP in a modern environment where reverse proxies are quite common and normal. Pointing out some common issues:
Two Facebook Canvas issues enabling an attacker application to get privileged first-party API keys by pretending to be Instagram or another first-party application.
Abusing an otherwise secure call to shell_exec allows users to control part of the sed commands, leading to code execution. One thing of note is that this is the FreeBSD version of sed, which differs from the more common GNU version in that it doesn’t include the commands to directly execute commands…
Permissive parsing strikes again: MySQLjs would accept objects as values for a parameterized query, with a somewhat surprising default behaviour. The key issue here, though, is that MySQLjs exposes an interface entirely like prepared statements but is actually crafting the query on the client side rather than using server-side prepared statements.
The core problem is an integer truncation due to a difference in the size of the long primitive type between Windows and Linux systems. On Linux and BSD systems, sizeof(long) will return 8, but on Windows this value is 4…