🏠 Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeiträge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden Überblick über die wichtigsten Aspekte der IT-Sicherheit in einer sich ständig verändernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch übersetzen, erst Englisch auswählen dann wieder Deutsch!

Google Android Playstore Download Button für Team IT Security

RSS Feed Symbol für Team IT Security

800+ IT News als RSS Feed abonnieren

Thema auswählen:

📚 Phabricator: Conduit feed.publish API allows you to spoof other users or make it look like you have access to a restricted object

🕛 Zeit seit Veröffentlichung: 717 Tage, 11 Stunden 2 Minuten
📆 Veröffentlicht am: 11.05.2022 um 23:19 Uhr
💡 Newskategorie: Sicherheitslücken
🔗 Quelle: vulners.com

The Conduit feed.publish API allows a user to publish stories to the feed. The API accepts a parameter "type" which will be set to PhabricatorTokenGivenFeedStory and accepts JSON in the "data" parameter such as the following: { "authorPHID": "PHID-USER-uyg3nn764yetx6nglnbx", "tokenPHID": "PHID-TOKN-medal-4", "objectPHID": "PHID-TASK-lg22pqfkf4iuqbmx35k4" } This data can be manipulated in order to spoof other users, this is done by replacing the "authorPHID" value with the user that the attacker wishes to spoof. We can additionally manipulate the "objectPHID" to any PHID of any other object, if the object is restricted, it will look like the attacker has access to the relevant object and was thus able to award the object with a token (though the attacker does not have access to the object and the story only shows for users with access to the object). The user PHID can easily be gotten from the relevant user's page. The attacker can get the object PHID of a restricted object from the HTML of a page if the restricted object is attached in some form to the page (e.g., a restricted task as a subtask of a viewable task). I'm not exactly sure what the purpose of this API is, but it should at least be restricted in some form (e.g, only callable by bots or administrators). An attacker can also simply spam the feed with lots of stories, or cause the feed to error if given bad data (such as an empty list), in which case the relevant row will need to be deleted from the... ...

Sharing is caring on Social Media

Join the Team IT Security Community

📌 Phabricator: Conduit feed.publish API allows you to spoof other users or make it look like you have access to a restricted object

🕛 691 Tage, 3 Stunden 15 Minuten
📆 11.05.2022 um 23:19 Uhr
📈 196.6 Punkte

📌 HackerOne: Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token.

🕛 1093 Tage, 23 Stunden 32 Minuten
📆 12.04.2021 um 08:03 Uhr
📈 61.28 Punkte

📌 Phabricator: Deprecated owners.query API bypasses object view policy

🕛 691 Tage, 3 Stunden 15 Minuten
📆 28.05.2022 um 20:39 Uhr
📈 39.76 Punkte

📌 ELI5 what made GitLab the more popular choice compared to other GitHub alternatives, like Phabricator, Launchpad, Savanah, etc.?

🕛 2150 Tage, 15 Stunden 51 Minuten
📆 08.06.2018 um 18:03 Uhr
📈 39.63 Punkte

📌 Phabricator: IDOR bug to See hidden slowvote of any user even when you dont have access right

🕛 1703 Tage, 10 Stunden 49 Minuten
📆 27.07.2019 um 21:16 Uhr
📈 37.98 Punkte

📌 New Zoom Screen-Sharing Bug Lets Other Users Access Restricted Apps

🕛 1136 Tage, 2 Stunden 6 Minuten
📆 19.03.2021 um 08:05 Uhr
📈 35.79 Punkte

📌 New Zoom Screen-Sharing Bug Lets Other Users Access Restricted Apps

🕛 1136 Tage, 2 Stunden 6 Minuten
📆 19.03.2021 um 08:05 Uhr
📈 35.79 Punkte

📌 I'll bet you guys will know this penguin. I recently learned Thai I like making circuit board art. It doesn't do anything other than look cool, but I think it does look cool!

🕛 563 Tage, 5 Stunden 36 Minuten
📆 13.10.2022 um 03:50 Uhr
📈 34.85 Punkte

📌 I have a job interview shortly that asks for knowledge of Linux, but I have none, nor do I have time to learn much at all. What are some other common computer skills that one could advertise to make up for a lack of experience with Linux?

🕛 1914 Tage, 5 Stunden 6 Minuten
📆 31.01.2019 um 04:15 Uhr
📈 33.28 Punkte

📌 I wrote a FUSE filesystem that allows you to mount HTTP directory listings. I have to say Linux is great. I have no idea how to do that in some other operating system.

🕛 2106 Tage, 4 Stunden 6 Minuten
📆 23.07.2018 um 05:29 Uhr
📈 33.23 Punkte

📌 ThreatList: Game of Thrones, a Top Malware Conduit for Cybercriminals

🕛 1853 Tage, 16 Stunden 34 Minuten
📆 01.04.2019 um 17:40 Uhr
📈 30.8 Punkte

📌 CVE-2021-4249 | xml-conduit up to 1.9.0.0 DOCTYPE Entity Expansion Parse.hs infinite loop (ID 161)

🕛 469 Tage, 0 Stunden 4 Minuten
📆 15.01.2023 um 09:17 Uhr
📈 30.8 Punkte

📌 Apex Legends: Ignite introduces a new Legend named Conduit and cross-progression for all platforms

🕛 184 Tage, 18 Stunden 49 Minuten
📆 26.10.2023 um 17:13 Uhr
📈 30.8 Punkte

📌 In A Year Like No Other, What Did Yours Look Like? Take The Survey.

🕛 1068 Tage, 14 Stunden 51 Minuten
📆 25.05.2021 um 18:09 Uhr
📈 30.76 Punkte

📌 Want to Make Fedora (or any other distro) look like Ubuntu?

🕛 659 Tage, 15 Stunden 8 Minuten
📆 08.07.2022 um 21:05 Uhr
📈 30.53 Punkte

📌 TIBCO FTP Community Edition up to 6.5.0 on Windows Server/C API/Golang API/Java API/.Net API access control

🕛 1119 Tage, 20 Stunden 5 Minuten
📆 04.04.2021 um 11:57 Uhr
📈 29.69 Punkte

📌 CVE-2022-48367 | eZ Publish Ibexa Kernel prior 7.5.28 Object State access control (GHSA-5x4f-7xgq-r42x)

🕛 389 Tage, 19 Stunden 41 Minuten
📆 04.04.2023 um 14:05 Uhr
📈 29.32 Punkte

📌 I want to make Linux look exactly like MacOS. (like red Star os) Reasons given below

🕛 1178 Tage, 0 Stunden 21 Minuten
📆 05.02.2021 um 10:46 Uhr
📈 29.3 Punkte

📌 Sudo? More like Su-doh: There's a fun bug that gives restricted sudoers root access (if your config is non-standard)

🕛 1657 Tage, 10 Stunden 50 Minuten
📆 14.10.2019 um 23:14 Uhr
📈 29.28 Punkte

📌 5 vulnerabilities in Samba. One critical flaw CVE-2022-32744 allows Active Directory users to change passwords of other users

🕛 632 Tage, 12 Stunden 3 Minuten
📆 04.08.2022 um 21:38 Uhr
📈 28.84 Punkte

📌 Unpatched Windows Bug Allows Attackers to Spoof Security Dialog Boxes

🕛 1873 Tage, 18 Stunden 1 Minuten
📆 12.03.2019 um 16:09 Uhr
📈 28.84 Punkte

📌 I've finally found a good scan of the "Unix Magic" poster by Gary Overcare. Does anyone know where I can find the other two? Does anyone have one of the other two and would be willing to have it professionally scanned?

🕛 1342 Tage, 20 Stunden 36 Minuten
📆 24.08.2020 um 12:46 Uhr
📈 28.7 Punkte

📌 Researchers have unearthed a security flaw in a swann security camera that allows attackers to spy on the video and audio feed of anyone’s camera.

🕛 2101 Tage, 20 Stunden 50 Minuten
📆 27.07.2018 um 13:21 Uhr
📈 28.31 Punkte

📌 In Linux world we often come across terminals and teletypes, so in case you haven't seen them, here's what the originals look like, why console doesn't display passwords when you typed them and why browser bookmarks are called like that (LOUD) - star

🕛 1957 Tage, 20 Stunden 21 Minuten
📆 18.12.2018 um 12:54 Uhr
📈 28.12 Punkte

📌 CVE-2022-44108 | pdftojson 94204bb Object.cc Object::copy(Object*) stack-based overflow

🕛 463 Tage, 0 Stunden 34 Minuten
📆 21.01.2023 um 08:16 Uhr
📈 27.84 Punkte

📌 Buho allows you to take quick notes and have them synced using your NextCloud account. You can use it on an Android or Linux phone and have the notes available also on your Windows or Linux desktop PC. More info and packages on the Maui Weekly blog p

🕛 1092 Tage, 15 Stunden 6 Minuten
📆 01.05.2021 um 18:48 Uhr
📈 27.77 Punkte

📌 Look at this text I have received twice. Should I be scared? I blocked it but how does a random email like that have my number?

🕛 1746 Tage, 9 Stunden 51 Minuten
📆 17.07.2019 um 22:24 Uhr
📈 27.48 Punkte

📌 MWatcher - Publish New Posts from RSS Feed

🕛 367 Tage, 0 Stunden 45 Minuten
📆 27.04.2023 um 07:47 Uhr
📈 27.47 Punkte

📌 I don't have the money to donate to the projects I like, so I have taken to seeding torrents instead, to at least give something back to the community I love. Let me know if there are any other (legal) torrents I shoud seed.

🕛 1326 Tage, 21 Stunden 6 Minuten
📆 09.09.2020 um 12:32 Uhr
📈 27.46 Punkte

📌 Hey—can anyone tell me generally what’s going on here? I want to say something positive/informed, like, looks like XXX is going great! But I don’t do this so don’t have the words. What more can I say besides, like, “coding”?

🕛 613 Tage, 4 Stunden 51 Minuten
📆 24.08.2022 um 04:22 Uhr
📈 27.24 Punkte

📌 Phishers Spoof USPS, 12 Other Natl’ Postal Services

🕛 190 Tage, 15 Stunden 3 Minuten
📆 09.10.2023 um 22:39 Uhr
📈 27.14 Punkte

📌 Contributing to KDE is easier than you think – Phabricator patches using the web interface

🕛 1455 Tage, 13 Stunden 6 Minuten
📆 03.05.2020 um 20:55 Uhr
📈 27.1 Punkte

📌 New Relic: "Basic user" which can only access a limited subset of the platform can access certain pages which are restricted to the user by the account owner.

🕛 1313 Tage, 14 Stunden 33 Minuten
📆 25.08.2020 um 11:01 Uhr
📈 27.05 Punkte

📌 How to Access Restricted Folder in Windows : Access Denied Error

🕛 662 Tage, 1 Stunden 21 Minuten
📆 06.07.2022 um 10:47 Uhr
📈 27.05 Punkte

📌 VMware API Allows Limited vSphere Users to Access Guest OS

🕛 2465 Tage, 19 Stunden 36 Minuten
📆 28.07.2017 um 14:30 Uhr
📈 26.32 Punkte

matomo