Tencent Security Xuanwu Lab Daily News
• 0824: Safe Notes:
https://bugology.intigriti.io/intigriti-monthly-challenges/0824
・ 介绍了Intigriti八月挑战的一个安全笔记的赛题
– SecTodayBot
• Bypassing CSP via URL Parser Confusions : XSS on Netlify’s Image CDN:
https://sudhanshur705.medium.com/bypassing-csp-via-url-parser-confusions-xss-on-netlifys-image-cdn-755a27065fd9
・ 在Netlify的图像CDN上发现XSS漏洞并说明了如何绕过内容安全策略
– SecTodayBot
• IIS welcome page to source code review to LFI!:
https://medium.com/@omarahmed_13016/iis-welcome-page-to-source-code-review-to-lfi-23ec581049f5
・ 本文介绍了通过IIS欢迎页面到源代码审查再到LFI的过程,发现了eStreamChat开源软件存在LFI和盲SSRF漏洞。
– SecTodayBot
• CVE-2024-42815 (CVSS 9.8): Buffer Overflow Flaw in TP-Link Routers Opens Door to RCE:
https://securityonline.info/cve-2024-42815-cvss-9-8-buffer-overflow-flaw-in-tp-link-routers-opens-door-to-rce/
・ TP-Link routers存在关键漏洞(CVE-2024-42815),可能导致远程执行代码。
– SecTodayBot
• Faraday: Open Source Vulnerability Manager:
https://meterpreter.org/faraday-open-source-vulnerability-manager/
・ Faraday是一个开源漏洞管理工具,专为安全审计和渗透测试设计
– SecTodayBot
• oss-security – [vim-security] heap-buffer-overflow in Vim > 9.1.0038 && < 9.1.0707:
https://openwall.com/lists/oss-security/2024/08/31/1
・ Vim软件存在堆缓冲区溢出漏洞,通过优化游标位置计算而引入,可能导致崩溃。该漏洞已在Vim patch v9.1.0707中修复。
– SecTodayBot
• CERT/CC Vulnerability Note VU#455367:
https://kb.cert.org/vuls/id/455367
・ UEFI框架中的PKfail漏洞被发现,允许攻击者绕过关键的UEFI安全机制
– SecTodayBot
• Ctrl+Backspace inserts a small box instead of erasing:
https://superuser.com/questions/33142/ctrlbackspace-inserts-a-small-box-instead-of-erasing#:~:text=The%20%22box%22%20you‘re%20seeing%20is%20what%20is%20known,characters%20in%20the%20128%20character%20ASCII%20character-encoding%20scheme
・ 何使用AutoHotkey来覆盖键盘快捷方式,这为定制安全工具和脚本提供了新方法。
– SecTodayBot
* 查看或搜索历史推送内容请访问:
https://sec.today
* 新浪微博账号:腾讯玄武实验室
https://weibo.com/xuanwulab
原文始发于微信公众号(腾讯玄武实验室):每日安全动态推送(9-2)