Daily Swig - Collaborative bug hunting ‘could be very lucrative’ – security pro Alex Chapman on the future of ethical hacking

“It all started with a Commodore 64, but Alex Chapman’s passion for programming crystalized into an interest in ethical hacking following a careers advice day at university.

Since graduating in computer science in 2007, the London-based vulnerability researcher has worked in pen testing, red teaming, and security research during stints at Deloitte, Context Information Security, and Yahoo.”

Continue reading on portswigger.net...

GitLab - Command injection on runner host

A command injection vulnerability was discovered in GitLab Runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a Docker executor, an attacker can run arbitrary commands on the Windows host via the DOCKER_AUTH_CONFIG build variable.

Continue reading on about.gitlab.com...

Hacker Spotlight - Interview with ajxchapman

“Alex Chapman, otherwise known as @ajxchapman, has been a bug bounty hunter for over a decade after starting in the field as a pentester for Deloitte in 2007. Alex says being a full-time bounty hunter gives him the freedom he’s looking for to enjoy his work and spend quality time in London with his wife, baby girl and their West Highland Terrier.”

Continue reading on www.hackerone.com...

Ubiquiti UniFi Video - Configuration restore privilege escalation

The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup” and “wizard” endpoints does not implement sufficient privilege checks. Low-privileged users, belonging to the PUBLIC_GROUP or CUSTOM_GROUP groups, can access these endpoints and overwrite the current application configuration. This can be abused for various purposes, including adding new administrative users. Affected Products: UniFi Video Controller v3.9.3 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.9.6 and newer.

Continue reading on community.ui.com...

Ubiquiti UniFi Video - Firmware update path traversal

The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request containing a URL pointing to firmware update information. If the version field in that information contains ..\ character sequences, the destination file path used to save the firmware can be manipulated to fall outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer.

Continue reading on community.ui.com...

Greenhouse.io - Debug information disclosure on oauth-redirector.services.greenhouse.io

HackerOne bug report to Greenhouse.io: The configuration of the Sinatra framework application hosted at oauth-redirector.services.greenhouse.io exposes internal information when exceptions occur. The application is configured with the show_exceptions setting, which causes internal application configuration, environment variables and source code snippets to be exposed when exceptions occur.

Continue reading on hackerone.com...

On Full-Time Bug Bounty Hunting

When I introduce myself to others in the IT Security industry as a full-time Bug Hunter getting paid through Bug Bounties, they often have many questions (when I do this to people outside the industry they look at me funny and fake reasons to excuse themselves). In this post I reflect on my experiences after 12 months of bug hunting as my primary source of income, and try to answer some of the more common questions I receive.

Continue reading...

WordPress - WordPress unzip_file path traversal

HackerOne bug report to WordPress: The WordPress unzip_file function (https://codex.wordpress.org/Function_Reference/unzip_file) is vulnerable to path traversal when extracting zip files. Extracting untrusted zip files using this function could lead to code execution by placing arbitrary PHP files in the DocumentRoot of the web server.

Continue reading on hackerone.com...