I found an arbitrary file write vulnerability (through path traversal)\nwhich would be exploited\nfor arbitrary code execution in Stellarium (desktop version).
\n"}, {"id": "http://www.gabriel.urdhr.fr/2023/03/07/mime-type-spoofing/", "title": "MIME-type spoofing in Firefox/Thunderbird and file managers", "url": "https://www.gabriel.urdhr.fr/2023/03/07/mime-type-spoofing/", "date_published": "2023-03-07T00:00:00+01:00", "date_modified": "2023-03-07T00:00:00+01:00", "tags": ["computer", "web", "security", "vulnerability", "firefox", "freedesktop", "thunderbird"], "content_html": "An interesting spoofing attack\nresulting from the interaction\nbetween Firefox (or Thunderbird)\nMIME types handling and file managers.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2023/02/28/rce-file-association-debian-mono/", "title": "Code execution through MIME-type association of Mono interpreter", "url": "https://www.gabriel.urdhr.fr/2023/02/28/rce-file-association-debian-mono/", "date_published": "2023-02-28T00:00:00+01:00", "date_modified": "2023-02-28T00:00:00+01:00", "tags": ["computer", "web", "security", "vulnerability", "debian", "freedesktop", "mono"], "content_html": "A dangerous file type association in Debian\nwhich could be used to trigger arbitrary code execution.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2022/05/05/browser-mediated-attacks-on-webdriver/", "title": "Browser-based attacks on WebDriver implementations", "url": "https://www.gabriel.urdhr.fr/2022/05/05/browser-mediated-attacks-on-webdriver/", "date_published": "2022-05-05T00:00:00+02:00", "date_modified": "2022-05-05T00:00:00+02:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "firefox", "dns-rebinding", "csrf"], "content_html": "Some context and analysis about attacks on\nin WebDriver implementations.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2022/03/24/zap-no-certificate-validation/", "title": "Lack of X.509 TLS certificate validation in OWASP ZAP", "url": "https://www.gabriel.urdhr.fr/2022/03/24/zap-no-certificate-validation/", "date_published": "2022-03-24T00:00:00+01:00", "date_modified": "2022-03-24T00:00:00+01:00", "tags": ["computer", "security", "zap", "tls", "vulnerability"], "content_html": "Lack of X.509 TLS certificate validation in OWASP ZAP\n(Zed Attack Proxy)\ncould be used for man-in-the-middle attacks.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2022/03/15/dns-rebinding-readymedia/", "title": "DNS rebinding on ReadyMedia/minidlna v1.3.0 and below", "url": "https://www.gabriel.urdhr.fr/2022/03/15/dns-rebinding-readymedia/", "date_published": "2022-03-15T00:00:00+01:00", "date_modified": "2022-03-15T00:00:00+01:00", "tags": ["computer", "security", "upnp", "dns-rebinding", "vulnerability"], "content_html": "A DNS rebinding vulnerability I found\nin ReadyMedia (formerly MiniDLNA)\nv1.3.0 and below.\nThis is CVE-2022-26505.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/", "title": "CSRF and DNS-rebinding to RCE in Selenium Server (Grid)", "url": "https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/", "date_published": "2022-02-07T22:15:00+01:00", "date_modified": "2022-02-07T22:15:00+01:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "csrf", "dns-rebinding"], "content_html": "Vulnerabilities in found on the WebDriver\nendpoints of Selenium Server (Grid).
\n"}, {"id": "http://www.gabriel.urdhr.fr/2022/02/07/geckodriver-dns-rebinding-rce/", "title": "DNS rebinding vulnerability to RCE in GeckoDriver", "url": "https://www.gabriel.urdhr.fr/2022/02/07/geckodriver-dns-rebinding-rce/", "date_published": "2022-02-07T22:10:00+01:00", "date_modified": "2022-02-07T22:10:00+01:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "firefox", "dns-rebinding"], "content_html": "A DNS rebinding vulnerability I found in\nGeckoDriver which could be used to execute arbitrary shell commands.\nThis is bug #1652612\nand CVE-2021-4138.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/08/16/chromedriver-cross-origin-request-forgery-rce/", "title": "Cross-origin/same-site request forgery to RCE in chromedriver", "url": "https://www.gabriel.urdhr.fr/2021/08/16/chromedriver-cross-origin-request-forgery-rce/", "date_published": "2021-08-16T23:22:56+02:00", "date_modified": "2022-02-13T23:19:32+01:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "csrf"], "content_html": "I found a cross-origin/same-site request forgery vulnerability\nin chromedriver.\nIt was rejected (won't fix) because it is only\npossible to trigger this from the cross-origin/same-site and not cross-site.\nIn practice, it means it is really only possible to trigger this from another\nlocalhost-bound web application.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/08/16/geckodriver-csrf-rce/", "title": "CSRF to RCE in GeckoDriver", "url": "https://www.gabriel.urdhr.fr/2021/08/16/geckodriver-csrf-rce/", "date_published": "2021-08-16T23:00:48+02:00", "date_modified": "2021-08-16T23:00:48+02:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "firefox", "csrf"], "content_html": "A Cross-Site Request Forgery (CSRF) vulnerability I found in\nGeckoDriver which could be used to execute arbitrary shell commands.\nCVE-2020-15660\nhas been assigned to this vulnerability.\nThis was fixed by GeckoDriver v0.27.0\nin 2020-07-27.\nThis is bug #1648964.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/06/24/gupnp-dns-rebinding/", "title": "DNS rebinding vulnerability in GUPnP", "url": "https://www.gabriel.urdhr.fr/2021/06/24/gupnp-dns-rebinding/", "date_published": "2021-06-24T00:00:00+02:00", "date_modified": "2021-07-05T18:50:55+02:00", "tags": ["computer", "security", "upnp", "dns-rebinding", "vulnerability"], "content_html": "GUPnP, a GNOME library for Universal Plug and Play (UPnP),\nwas vulnerable to DNS rebinding attacks.\nThis is CVE-2021-33516\nand GUPnP issue #24.\nThis was fixed\nin GUPnP 1.0.7 and GUPnP 1.2.5.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/06/12/pupnp-dns-rebinding/", "title": "DNS rebinding vulnerability in pupnp and npupnp", "url": "https://www.gabriel.urdhr.fr/2021/06/12/pupnp-dns-rebinding/", "date_published": "2021-06-12T00:00:00+02:00", "date_modified": "2021-06-12T00:00:00+02:00", "tags": ["computer", "security", "upnp", "dns-rebinding", "vulnerability"], "content_html": "I found that pupnp was vulnerable to DNS rebinding attacks.\nnpupnp, a fork a pupnp, was impacted as well.\nThis is demonstrated using Gerbera a UPnP MediaServer.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/04/05/firefox-doh-dns-rebinding-protection-bypass/", "title": "Firefox DoH DNS rebinding protection bypass using IPv4-mapped addresses", "url": "https://www.gabriel.urdhr.fr/2021/04/05/firefox-doh-dns-rebinding-protection-bypass/", "date_published": "2021-04-05T00:00:00+02:00", "date_modified": "2021-04-05T00:00:00+02:00", "tags": ["computer", "security", "vulnerability", "web", "dns-rebinding", "firefox"], "content_html": "I found that\nthe filtering of private IPv4 addresses\nin the DNS-over-HTTPS (DoH) implementation of Firefox could by bypassed.\nThis is CVE-2020-26961\nand Mozilla bug 1672528.\nIt has been fixed in Firefox 83,\nFirefox ESR 78.5\nand Thunderbird 78.5.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/03/22/samsung-tv-dial/", "title": "DNS rebinding and CSRF vulnerabilites on Samsung TV DIAL implementation", "url": "https://www.gabriel.urdhr.fr/2021/03/22/samsung-tv-dial/", "date_published": "2021-03-22T23:17:24+01:00", "date_modified": "2021-03-22T23:17:24+01:00", "tags": ["computer", "security", "vulnerability", "dial", "dns-rebinding", "csrf"], "content_html": "I found\na DNS rebinding vulnerability as well as a Cross Site Request Forgery\n(CSRF) vulnerability\non the DIAL (Discovery And Launch)\nimplementation of the Samsung TV UE40F6320 (v1.0), from 2011.\nThis can be used to open any installed application (eg. Netflix and Youtube)\nand force the vizualisation of a given video in the applications.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/03/22/samsung-tv-upnp-dns-rebinding/", "title": "DNS rebinding vulnerability in Samsung SmartTV UPnP", "url": "https://www.gabriel.urdhr.fr/2021/03/22/samsung-tv-upnp-dns-rebinding/", "date_published": "2021-03-22T23:15:29+01:00", "date_modified": "2021-03-22T23:15:29+01:00", "tags": ["computer", "security", "vulnerability", "dns-rebinding", "upnp"], "content_html": "I found\na DNS rebinding vulnerability on the Universal Plug-and-Play (UPnP)\ninterface of the Samsung TV UE40F6320 (v1.0), from 2011.\nThis could be used, for example, to change the channel, to know\nwhich channel is currently used or open the builtin browser to any URI.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2020/09/23/dns-rebinding-freebox/", "title": "DNS rebinding vulnerabilities in Freebox", "url": "https://www.gabriel.urdhr.fr/2020/09/23/dns-rebinding-freebox/", "date_published": "2020-09-23T00:00:00+02:00", "date_modified": "2020-09-23T00:00:00+02:00", "tags": ["computer", "security", "vulnerability", "web", "upnp", "dns-rebinding", "csrf", "device", "privacy"], "content_html": "I found some DNS rebinding vulnerabilities in Freebox devices\n(CVE-2020-24374,\nCVE-2020-24375,\nCVE-2020-24376,\nCVE-2020-24377)\nas well as a Cross Site Request Forgery (CSRF) vulnerability\n(CVE-2020-24373).\nThese vulnerabilities were fixed in 2020-08-05.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2019/02/12/yunohost-rce-csrf/", "title": "Remote code execution via cross site request forgery in InternetCube and YunoHost", "url": "https://www.gabriel.urdhr.fr/2019/02/12/yunohost-rce-csrf/", "date_published": "2019-02-12T00:00:00+01:00", "date_modified": "2019-02-12T00:00:00+01:00", "tags": ["computer", "web", "security", "yunohost", "csrf", "vulnerability"], "content_html": "How I found remote code execution vulnerabilities\nvia Cross Site Request Forgery (CSRF)\non the administration interfaces\nof InternetCube applications\nand of the YunoHost administration interface\nwhich could have been used to execute arbitrary code as root.\nThese vulnerabilities were fixed in YunoHost 3.3, OpenVPN Client app 1.3.0.\nand YunoHost 3.4.
\n"}, {"id": "http://www.gabriel.urdhr.fr/2018/05/30/more-browser-injections/", "title": "More example of argument and shell command injections in browser invocation", "url": "https://www.gabriel.urdhr.fr/2018/05/30/more-browser-injections/", "date_published": "2018-05-30T00:00:00+02:00", "date_modified": "2018-05-30T00:00:00+02:00", "tags": ["computer", "unix", "debian", "security", "shell", "vulnerability"], "content_html": "In the previous episode, I talked about\nsome argument and shell command injections vulnerabilities\nthrough URIs passed to browsers.\nHere I am evaluating some other CVEs\nwhich were registered at the same time (not by me).
\n"}, {"id": "http://www.gabriel.urdhr.fr/2018/05/28/browser-injections/", "title": "Argument and shell command injections in browser invocation", "url": "https://www.gabriel.urdhr.fr/2018/05/28/browser-injections/", "date_published": "2018-05-28T00:00:00+02:00", "date_modified": "2018-05-28T00:00:00+02:00", "tags": ["computer", "unix", "debian", "security", "shell", "vulnerability", "freedesktop"], "content_html": "I found an argument injection vulnerability\nrelated to the handling of the BROWSER environment variable\nin sensible-browser.\nThis lead me (and others) to a few other arguments and shell command injection\nvulnerabilities in BROWSER processing and browser invocation in general.