[bounty] Git Config Injection and a Sophos Pre-Auth RCE

On this weeks bug bounty podcast we take a look at a few interesting issues. While they are all patched, there is reason to believe they'd all creep up in other applications too. First up is an RCE due to nested use of an escaped string. Second a fgets loop that doesn't account for long lines. A XML signature verification tool with a deceptive interface, and last a look at how Bash's privileged mode can backfire. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/207.html [00:00:00] Introduction [00:00:31] Analysis of Pre-Auth RCE in Sophos Web Appliance [CVE-2023-1671] [00:07:16] Git Arbitrary Configuration Injection [CVE-2023-29007] [00:11:41] Redash SAML Authentication Bypass [00:18:51] Bash Privileged-Mode Vulnerabilities in Parallels Desktop and CDPATH Handling in MacOS [00:29:38] Ambushed by AngularJS: a hidden CSP bypass in Piwik PRO [00:34:37] [cPanel] Finding XSS in a million websites [CVE-2023-29489] [00:35:20] Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score [CVE-2023-1767] The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9