Hello huntrs, as always, here is a quick update on this month's progress.
lets-chat is a simple chat application used for small teams. Mik317 identified that it was vulnerable to a POST-based CSRF issue in the /account/profile endpoint, which allows a victim's personal information to be changed without their consent.
buggycoder-sys disclosed a path traversal vulnerability in the package httpster, a package that is downloaded over 10,000 times per week. It allows an attacker to read system files, and could have enabled them to leverage further attacks such as remote code execution.
Asjid Kalam fixed a command injection vulnerability in node-key-sender by switching to execFile(), which mitigates any possible command injection because it accepts its arguments as an array rather than as a single shell string.
New Profile Page
Now when your contribution is accepted, your dog tag is placed on the bounty page, so the whole community can see your success!
See what it looks like in fsociety >>
Podcast: Bug huntr
Mufeed VH is a developer, a huntr sheriff, and has been in the bug bounty world for around 5 years. We recently co-wrote an article about the vulnerability found in the most used package in the NPM ecosystem, Lodash.
Listen in for his advice on how to manage your side projects, and how to stay positive and motivated throughout.
We discuss his setup, how he got started in open source, and the interesting way he fixed a ReDoS vulnerability in the package url-regex.
huntr of the month 🦸♀️ 🦸♂️
This month's huntr of the month is Asjid Kalam - well done! 👏 👏
In the last 30 days, Asjid has fixed 10 vulnerabilities in packages like ffmpeg-web-gui, access-policy and casperjs, to name a few. Thank you for helping protect open source! We have awarded you this month's gold huntr of the month badge and will be getting a huntr hoody sent to you shortly! 🏆
Thank you for your love and support - there are plenty more vulnerabilities to find, fix and review, so keep it coming, and let's take September on head first!
Until next time...