Vulnerabilities

In this page I (used to) keep track of the vulnerabilities I found over time.

Summary:

  • Leakage of sensitive drivers' data in ride-hailing services awarded by Uber and Lyft.
  • Authentication flaw on SAML SSO can be used as launching pad of XSS on RelayState sanitization. See SAML SSO Specs Errata.
  • Multiple CSRF in Web application. Related CVEs: CVE-2017-8874 and CVE-2017-8930.
  • Uncontrolled resource consumption in Apache HTTPD, (CVE-2014-0118), and Apache CXF (CVE-2014-0109 and CVE-2014-0110). Discovery on Apache HTTPD awarded by Hackerone.
  • Multiple uncontrolled resource consumption vulnerabilities in XMPP servers via highly-compressed XMPP stanzas (xmppbombs). Awarded by the bounty program of Hackerone. Full report can be found here.
  • Discovered multiple logic vulnerabilities in eCommerce web application that would have allowed an attacker to shop for free or pay less. See VU#459446, VU#207540, and VU#583564

Security notes:

  • 14/05/2017: Multiple cross-site request forgery (CSRF) vulnerabilities in Simple Invoices, CVE-2017-8930
  • 09/05/2017: Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic, CVE-2017-8874
  • 17/07/2014: Apache HTTPD, Resource exhaustion that allows DoS, CVE-2014-0118
  • 08/05/2014: Apache CXF, Resource exhaustion that allows DoS, CVE-2014-0110, CVE-2014-0109
  • 10/04/2014: Prosody (Lightwitch), Resource exhaustion via xmppbomb DoS attack , CVE-2014-2744, CVE-2014-2745 ,
  • 10/04/2014: Tigase, Resource exhaustion via xmppbomb DoS attack,CVE-2014-2746,
  • 10/04/2014: Ignite Realtime Openfire, Resource exhaustion via xmppbomb DoS attack,CVE-2014-2741,
  • 22/02/2013: CS-Cart, Logic Vulnerability that allows to shop for free,CVE-2013-0118, VU#583564
  • 30/10/2012: TomatoCart, Logic Vulnerability that allows to pay less or shop for free, CVE-2012-4934, VU#207540
  • 18/09/2012: osCommerce,Logic Vulnerability that allows to shop for free, CVE-2012-2991, VU#459446