Open JamesFoxxx opened 3 months ago
@maoning I found a way to execute RCE; it needs to deploy a payload on an arbitrary path on any Git server like GitHub! I tried a simple HTTP and HTTPS server to serve the git repo, but it doesn't work. What should I do? If I can put payloads in this repo, we can validate the vulnerability with RCE.
@JamesFoxxx I'm testing out github payload hosting with this other plugin: https://github.com/google/tsunami-security-scanner-plugins/pull/449
You can also add your payload in the same /payloads directory, and open a separate PR for it, so that I can merge it in first.
https://github.com/google/tsunami-security-scanner-plugins/pull/467 for the payload (for tracking purposes).
@maoning I'll improve this PR this week to check with an RCE callback instead of simple response checking.
@maoning please merge these PRs first: https://github.com/google/security-testbeds/pull/43 and https://github.com/google/security-testbeds/pull/42. This PR, https://github.com/google/tsunami-security-scanner-plugins/pull/472, is important because after the merge I should update the payload location in the source code based on this repository URL.
PR is ready for review :) The test cases are not comprehensive yet; I'll add more test cases. Please review the plugin first, and in the meantime I will find time to add more test cases.
Apologies for the delay; it was a hard journey for me. I had to analyze a CVE with no public PoC, plus I had to find a way to disable authentication. After that, I upgraded the plugin to get an OOB confirmation. (I'll be happy if you can consider a bonus for this submission, because I'm comparing this to most of the other bounty submissions.) Best regards, James.
@maoning @tooryx
@lokiuox I wanted to apply one more update: I changed the phrase "argo cd instances" to "argo cd API server" in the names and descriptions, because the documentation explicitly says "Access The Argo CD API Server" here. Also, "instances" in Argo CD should refer to application instances, so it was a kind of wrong naming that I did before.
@lokiuox please note that the Guice injection for the sleep duration is copied entirely from this recently merged PR: https://github.com/google/tsunami-security-scanner-plugins/pull/456
@lokiuox I'm sorry about this logging issue; I should've tested your last review before pushing it here.
I'm curious to know if there is any particular priority system or logical method applied when sorting the pull requests for review and merging. This pull request was reviewed one month ago by the Dyonsec team, and before that I waited nearly two months for the review to start. I'm curious because some contributors merged more than 2 PRs during this time; is there any priority between the products? It has been 4 months :)) that I've been waiting to merge this PR. CC: @tooryx and @maoning
Hi, it is related to my PRP: https://github.com/google/tsunami-security-scanner-plugins/issues/431.