During last spring (2019) I started to “open and read” the Android applications before installing them. Reversing an APK file can be interesting to understand how an app works, how it manages the permissions and my data, if there are vulnerabilities. I was looking for a different Android mail client, so I started to reverse … Continue reading Javascript Injection in six Android mail clients
SUMMARY In Simplenote 1.1.3 – Desktop app there is a stored XSS vulnerability that can be used to execute arbitrary code. If there is malicious code in the note and the user tries to print it (for example to save it as a PDF), the malicious code runs. #358049 – RCE via Print function [Simplenote 1.1.3 – Desktop … Continue reading From XSS to RCE in Simplenote 1.1.3
INFO Product: GD bbPress Attachments Version: 2.5 Active installations: 10,000+ Product page: https://it.wordpress.org/plugins/gd-bbpress-attachments/ DESCRIPTION An authenticated user of a bbPress forum, who can attach a file, can inject arbitrary javascript code via filename. The arbitrary code runs both on the topic page and in the admin panel, and it only affects the administrators, moderators and the attacker. The variable $error[‘file’] in /code/attachments/front.php (line 349) is not … Continue reading GD bbPress Attachments 2.5 – Authenticated stored XSS
After many unsuccessful attempts to find an XSS in Yahoo’s domains, I decided to move my attention to Microsoft Bing. If you have a Microsoft account, Bing allows you to save online content (images, videos and places) on the page “My saves”, and allows to create collections to better manage your own content. The titles … Continue reading Stored XSS in Microsoft Bing
INFO Product: My Calendar Version: 2.5.16 Active installations: 30,000+ Product page: https://it.wordpress.org/plugins/my-calendar/ DESCRIPTION An authenticated user, who can add new events, can inject arbitrary javascript code via event_time_label input. The arbitrary code runs both on the event page and in the admin panel. In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized. PROOF OF CONCEPT My Calendar 2.5.16 is … Continue reading My Calendar 2.5.16 – Authenticated stored XSS
