
盐酸乙酰胆碱

Maybe I'll forget all this crap after the next eruption of acetylcholine. Who knows. Personal Message Archive. No medical advice is provided on this channel.

217 subscribers

This CAPTCHA is quite distinctive, it's not even pretending anymore https://m.zui.com/iunlock
💯 11🤣 1
Repost from 咕 Billchen 咕 |
git CVE-2024-32002, CVE-2024-32004, CVE-2024-32020 and CVE-2024-32021
fixed versions: v2.39.4, v2.40.2, v2.41.1, v2.42.2, v2.43.4 and v2.44.1, v2.45.1
* CVE-2024-32002: Recursive clones on case-insensitive filesystems that support symbolic links are susceptible to case confusion that can be exploited to execute just-cloned code during the clone operation.
* CVE-2024-32004: Repositories can be configured to execute arbitrary code during local clones. To address this, the ownership checks introduced in v2.30.3 are now extended to cover cloning local repositories.
* CVE-2024-32020: Local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user.
* CVE-2024-32021: When cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the objects/ directory.
#群友交汇 (group members crossing paths)
🍓 12
Repost from Mirraの杂货铺
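Today is the 30th birthday of China's Internet! 🎉 No matter what, over these thirty years it has connected hundreds of millions of us, so that even thousands of miles apart our hearts can still reach each other! Let's look forward to what the next thirty years will look like!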
Running OPNsense virtualized under PVE on an R4S/RK3399 looks like a truly terrible idea
coolvideo.pyzw.untrusted (0.00 KB)
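Conclusion: the attacker appears to have achieved client-side spoofing by exploiting an incorrect MIME type.

Two Telegram API features are involved: sendVideo and InputFile. The video field of sendVideo supports two kinds of input, "InputFile or String":
- (String) Pass a file ID (as a string) to send a video stored on Telegram's servers (the recommended approach)
- (String/InputFile) Pass an HTTP URL (as a string) so that Telegram fetches the video from the Internet
- (InputFile) Upload a new video using multipart/form-data.

The problem lies in the second one, InputFile - Sending by URL: the target resource can carry a custom MIME label that tells other Telegram clients how to load the resource. These malicious .pyzw files were (possibly because of a bug) all designated video/mp4 here, which causes other Telegram clients to display the file in player mode.

Response headers: >Figure 1<
Request-side JSON: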
{
  "dcId": number,
  "location": {
    "_": "inputDocumentFileLocation",
    "id": "*",
    "access_hash": "*",
    "file_reference": [
      *, *, *, *
    ]
  },
  "size": 42,
  "mimeType": "video/mp4",
  "fileName": "***.pyzw"
}
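In addition, the way Telegram Desktop plays videos means that it places these smaller video resources in the local download directory and then loads the local video into the embedded player by "executing" it, which is why the code written by the attacker runs automatically after a user clicks one of these "fake videos".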
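A receiving-side check for the mismatch described above, as an added example that is not part of the original post or of Telegram's code: it compares the declared mimeType with the extension in fileName for records shaped like the JSON above. The extension lists, function names and sample records are assumptions constructed for illustration.

```python
import os

# Assumption: illustrative lists, not taken from Telegram's source code.
MEDIA_EXTS = {
    "video": {".mp4", ".m4v", ".mov", ".mkv", ".webm"},
    "audio": {".mp3", ".m4a", ".ogg", ".opus", ".flac", ".wav"},
    "image": {".jpg", ".jpeg", ".png", ".gif", ".webp"},
}
# Extensions a desktop OS hands to an interpreter or loader when "opened".
RISKY_EXTS = {".pyzw", ".pyz", ".pyw", ".py", ".exe", ".scr", ".bat",
              ".cmd", ".com", ".lnk", ".js", ".vbs", ".hta", ".msi"}


def effective_ext(file_name):
    """Extension the OS will act on; Windows ignores trailing dots/spaces."""
    base = os.path.basename(file_name.replace("\\", "/")).rstrip(". ")
    return os.path.splitext(base)[1].lower()


def classify(doc):
    """Return 'ok', 'mismatch' or 'dangerous-mismatch' for one document record."""
    main_type = doc.get("mimeType", "").split("/", 1)[0].strip().lower()
    ext = effective_ext(doc.get("fileName", ""))
    if main_type not in MEDIA_EXTS:
        return "ok"  # not presented as media; the player path is not involved
    if ext in MEDIA_EXTS[main_type]:
        return "ok"
    return "dangerous-mismatch" if ext in RISKY_EXTS else "mismatch"


# Constructed sample records shaped like the JSON in the post above.
SAMPLES = [
    {"mimeType": "video/mp4", "fileName": "coolvideo.pyzw", "size": 42},
    {"mimeType": "video/mp4", "fileName": "holiday.mp4", "size": 1048576},
    {"mimeType": "video/mp4", "fileName": "clip.mp4.PYZW. ", "size": 42},
    {"mimeType": "application/zip", "fileName": "tool.pyzw", "size": 42},
    {"mimeType": "video/mp4", "fileName": "notes.txt", "size": 10},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(f'{rec["fileName"]!r:22} {rec["mimeType"]:16} {classify(rec)}')
```

A client or gateway that sees `dangerous-mismatch` should treat the record as a generic file download rather than route it to the media player.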
Telegram Messenger (@telegram)

@CertiKAlert We can't confirm that such a vulnerability exists. This video is likely a hoax. Anyone can report potential vulnerabilities in our apps and get rewards:

https://core.telegram.org/bug-bounty

💖 205 🔁 19

0 Day security alert: Telegram Desktop <=4.16.4 has an automatic code execution vulnerability. Sources: https://t.me/strykerapp/453 https://t.me/exploitorg/30
The Stryker Project

❗Attention!
🕷️Zero day, Zero click RCE in Telegram Desktop <=4.16.4
Turn off automatic media downloading now!
Code execution starts after image/video downloading, automatically
No patch available yet.
Update 1: Originally a warning will popup "exe file can be harmful..", without user confirmation nothing will happen (at least as we know)
Update 2: Patched in the latest release
