google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

PRP: Request WSO2 Unrestricted Arbitrary File Upload (CVE-2022-29464) #241

Closed r00tuser111 closed 1 year ago

r00tuser111 commented 2 years ago

Hello.

I would like to start implementing a plugin to detect the WSO2 unrestricted arbitrary file upload and remote code execution vulnerability.

Reference:

Description: Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.

Versions:
WSO2 API Manager 2.2.0 and above
WSO2 Identity Server 5.2.0 and above
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0 and above
WSO2 Enterprise Integrator 6.2.0 and above

magl0 commented 2 years ago

Hi @r00tuser111,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.

Thanks!

YuriyPobezhymov commented 1 year ago

Please take a look #273

YuriyPobezhymov commented 1 year ago

Any updates?

nttran8 commented 1 year ago

Hi @YuriyPobezhymov! Reward has been granted. Thanks!

YuriyPobezhymov commented 1 year ago

@nttran8, great, waiting for email.

nttran8 commented 1 year ago

Hi @YuriyPobezhymov! The internal status indicates reward has been granted. Could you please double check? Thanks!

nttran8 commented 1 year ago

Hi @YuriyPobezhymov! The email from the rewards program was sent on June 1 and I think you're pending the email from the payment team right?

YuriyPobezhymov commented 1 year ago

Hello @nttran8. In my email inbox I see only one email about WSO2: "Tsunami Patch Reward Submission 68: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/ for WSO2 products". This thread doesn't contain any further interactions, as there were for old submissions. So I don't even have the panel decision result.

YuriyPobezhymov commented 1 year ago

@nttran8, any updates?

nttran8 commented 1 year ago

Hi @YuriyPobezhymov, thank you for your patience. The email sent on June 1 is a reply to the email chain you mentioned. I forwarded you the email for reference. In the meantime, we're reaching out to the payment team and will inform you of any updates.

YuriyPobezhymov commented 1 year ago

@nttran8, I don't see the forwarded email.

nttran8 commented 1 year ago

@YuriyPobezhymov Thanks for flagging! We see where the issue is and are in the process of initiating payment.

nttran8 commented 1 year ago

@YuriyPobezhymov Decision email has been sent! The payment team is processing the reward.

YuriyPobezhymov commented 1 year ago

@nttran8, I still haven't received any emails from the payment team.

YuriyPobezhymov commented 1 year ago

Hello @nttran8! Thank you, I've got the reward. Waiting for your team to accept my Drupal fingerprinting PR #326.