The Password I Never Reset — And Still Got In
文章揭示了一个安全漏洞:通过“忘记密码”链接可绕过密码和MFA直接登录账户。
Aggregator
Just Wanted to Be a Driver, Ended Up Discovering a Time Capsule
1 day 12 hours ago
用户尝试注册东南亚某打车应用时,发现自己的手机号已被占用,并显示了一个旧的Yahoo邮箱账户。这表明该平台可能存在数据管理问题和用户信息泄露风险。
Just Wanted to Be a Driver, Ended Up Discovering a Time Capsule
1 day 12 hours ago
用户在注册东南亚某打车应用时,发现其手机号已被他人注册,并显示了一个旧的Yahoo邮箱账户信息。用户从未注册过司机账户,也未使用过该邮箱。这表明该应用可能保留了早期用户的旧数据。
Behind the Scenes: How Pre-Prod Leaks Led Me to Prod Secrets
1 day 12 hours ago
研究人员利用工具扫描预生产环境时发现 staging 服务器意外暴露了真实生产数据。
Behind the Scenes: How Pre-Prod Leaks Led Me to Prod Secrets
1 day 12 hours ago
一位安全研究人员在预生产环境中发现敏感信息泄露问题。通过工具扫描和Google搜索,识别出 staging 服务器暴露了生产环境的机密数据。案例强调了即使在非正式环境中也需重视安全防护的重要性。
Why Multi-Factor Authentication Still Isn’t Enough
1 day 12 hours ago
一家公司遭遇攻击,尽管所有用户都启用了多因素认证(MFA),但攻击者仍轻松入侵。MFA不再是万能的解决方案,网络犯罪分子已转向利用人性和技术漏洞,而非传统密码攻击。
The Rise of Ransomware-as-a-Service
1 day 12 hours ago
网络犯罪分子通过"勒索软件即服务"(RaaS)模式迅速扩张,使普通罪犯也能轻松发起大规模攻击。2024年 ransomware 攻击激增41%,损失超2650亿美元。
Quantum Computing vs. Current Encryption: The Ticking Time Bomb
1 day 12 hours ago
量子计算即将打破现代加密基础。传统加密依赖复杂数学问题,但量子计算机可迅速破解,威胁通信、金融等领域安全,多数机构尚未准备就绪。
Incident Response: What It Really Means
1 day 12 hours ago
文章区分了“事件”与“事故”的概念:事件是日常活动记录(如日志、登录),通常无需特别关注;而事故则指对业务造成实际影响的事件(如系统故障、数据泄露)。通过生活化比喻强调需快速准确处理真正紧急的情况。
$2,000 Bounty: Breaking Capability Enforcement in CosmWasm Contracts
1 day 12 hours ago
区块链智能合约的安全边界常依赖于声明式模型。研究者发现CosmWasm的能力模型存在重大漏洞,攻击者可通过编译时省略特定字符串绕过限制,执行被禁操作。该漏洞源于简单实现和误导性文档,凸显能力执行环境的安全隐患。
$2,000 Bounty: Breaking Capability Enforcement in CosmWasm Contracts
1 day 12 hours ago
安全研究员发现CosmWasm智能合约平台存在重大漏洞,允许攻击者绕过能力限制执行被禁止操作。该问题源于简单的能力模型实现和误导性文档,攻击者只需在编译时省略特定字符串即可利用此漏洞。
Enumerating Subdomains With Python
1 day 12 hours ago
文章探讨了子域名枚举在安全评估中的重要性及其工具技术。通过Python脚本实现DNS查询与暴力枚举功能,揭示目标组织的数字架构与技术栈。然而,该工具在扩展性和高级功能方面存在局限性。
$500 Bounty: Subdomain Takeover on live.firefox.com via Unclaimed Fastly CNAME
1 day 12 hours ago
文章描述了因未注册CDN条目导致的子域名接管风险,具体为firefox.com子域名live.firefox.com因CNAME指向Fastly但未配置,被研究人员接管并可能用于恶意攻击,凸显了此类技术问题对网络安全的重大威胁。
CVE-2014-4034 | Aas9 ZeroCMS 1.0 zero_view_article.php article_id sql injection (ID 127005 / EDB-33702)
1 day 12 hours ago
A vulnerability was found in Aas9 ZeroCMS 1.0. It has been classified as critical. Affected is an unknown function of the file zero_view_article.php. The manipulation of the argument article_id leads to sql injection.
This vulnerability is traded as CVE-2014-4034. It is possible to launch the attack remotely. Furthermore, there is an exploit available.
vuldb.com
How I Bypassed Account Verification with a Simple Host Header Trick
1 day 12 hours ago
文章描述了一种严重的安全漏洞——Host Header Injection攻击,该漏洞允许攻击者通过篡改HTTP请求中的Host头来生成指向其控制域的链接或重定向。这种漏洞可能导致令牌劫持、内部访问暴露、开放重定向以及验证和认证绕过等严重后果。
Not-So-Private Parts: How Public Buckets Spilled Internal Dashboards
1 day 12 hours ago
作者通过运行资产发现工具和网络爬虫,在目标网站上发现了暴露的AWS S3存储桶,进而访问了私人仪表盘和敏感商业文档,并成功获得了高价值漏洞赏金。
CVE-2010-1714 | Dev.pucit.edu.pk Com Arcadegames 1.0 index.php controller path traversal (EDB-12168 / Nessus ID 43636)
1 day 12 hours ago
A vulnerability has been found in Dev.pucit.edu.pk Com Arcadegames 1.0 and classified as problematic. This vulnerability affects unknown code of the file index.php. The manipulation of the argument controller leads to path traversal.
This vulnerability was named CVE-2010-1714. The attack can be initiated remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2004-2131 | IBM Informix Extended Parallel Server up to 9.40.xc3 ONCONFIG memory corruption (EDB-23609 / XFDB-14970)
1 day 12 hours ago
A vulnerability has been found in IBM Informix Extended Parallel Server up to 9.40.xc3 and classified as problematic. This vulnerability affects unknown code. The manipulation of the argument ONCONFIG as part of Environment Variable leads to memory corruption.
This vulnerability was named CVE-2004-2131. It is possible to launch the attack on the local host. Furthermore, there is an exploit available.
vuldb.com
无广告的哔哩哔哩国际版(白色图标)将在8月5日下架 已安装用户仍可继续使用
1 day 12 hours ago
哔哩哔哩国际版(白色图标)将于2025年8月5日下架,已安装用户仍可使用。国际版以无广告为特点,将被含更多广告的粉色图标常规版取代。现有用户权益可同步至新版本。
CVE-2006-1893 | ar-blog 5.2 print.php ID cross site scripting (EDB-27642 / XFDB-25834)
1 day 12 hours ago
A vulnerability has been found in ar-blog 5.2 and classified as problematic. This vulnerability affects unknown code of the file print.php. The manipulation of the argument ID leads to basic cross site scripting.
This vulnerability was named CVE-2006-1893. The attack can be initiated remotely. Furthermore, there is an exploit available.
vuldb.com