08-01-26, 10:17 AM
BTW, mods, I tried posting the full database of pomf.tv a few days ago but it still awaits mod approval; can someone please make it visible, as well as this one? Thank you.
Hello darkforums community, today I share with you every vulnerability I found in pomf.tv and a few exploits I wrote for them.
The first vulnerabilities are multiple SQL injections in the search field:
### Strategy: Blind bin
Method: GET
Path: /search/
Query: qry=ds+or(<query>)--+-s1AB
Header: Content-Type: text/plain
### Strategy: Blind bit
Method: GET
Path: /search/
Query: qry=ds+and(<query>)--+-elgc
Header: Content-Type: text/plain
But that's not all: after scanning every JavaScript library they have, I found many outdated libraries with known vulnerabilities.
This file: https://pomf.tv/template/plugins/chartjs/Chart.min.js
uses chart.js version 2.7.3,
leaving it vulnerable to CVE-2020-7746: The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the default options) are deeply merged with the provided options. However, during this operation, the keys of the object being set are not checked, leading to prototype pollution.
the second vulnerable file is: https://pomf.tv/template/plugins/datatab...les.min.js
This file uses the library jquery.datatables, version 1.10.18, which is vulnerable.
The first vulnerability is CVE-2020-28458:
All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
The second vulnerability in this file is CVE-2021-23445:
This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.
The last JS file with outdated libraries is https://pomf.tv/template/plugins/momentjs/moment.min.js
The first vulnerability lies within moment.js, version 2.27.0.
CVE-2022-31129: moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
CVE-2022-24785: Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVE-2023-22467: Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.
The last set of vulnerabilities was from a Shodan scan of a backend IP I found:
CVE-2021-23017
CVE-2025-23419
CVE-2023-44487
CVE-2021-3618
You can view the Shodan scan here: https://www.shodan.io/host/198.98.54.178#80
But I wrote an exploit for one of them that works!!! I have a PoC for it as well
The exploit I wrote was for CVE-2021-23017.
It basically exploits the Nginx resolver: forging and sending UDP packets from any trusted DNS server
causes a 1-byte memory overwrite, resulting in a worker process crash or potential other impact. In this case every livestream is now running very slow, and so is the site. Here is the script I wrote: https://files.catbox.moe/597jwp.py
I also have an exploit for: CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Here's the script: https://files.catbox.moe/i8y6v1.py
And that's all the vulnerabilities I found.
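The prototype-pollution mechanism behind CVE-2020-7746 (an options object deep-merged without checking keys), shown as an added example that is not code from the post or from Chart.js. The naive merge copies every own key of the user-supplied object, so a key literally named `__proto__` walks into `Object.prototype`; the hardened merge drops such keys and only recurses into properties the target owns. The payload and the default options are constructed for the demonstration.

```javascript
// Added example, not code from the post or from Chart.js: a naive recursive
// options merge of the kind CVE-2020-7746 describes, beside a hardened one.

// Unsafe: every own key of the user-supplied object is copied, including
// "__proto__". target["__proto__"] resolves to Object.prototype, so the nested
// object is merged into it and shows up on every object in the process.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that reach the prototype chain instead of the target object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip those keys, and only recurse into properties the target
// actually owns, so inherited objects are never written through.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload, as it would arrive in a JSON request body.
// JSON.parse creates an own property literally named "__proto__".
const CONSTRUCTED_PAYLOAD = '{"title":"chart","__proto__":{"polluted":true}}';

// Merge the payload over constructed defaults with the given function, then
// probe an unrelated fresh object for the planted property. Cleans up
// afterwards so one run cannot influence the next.
function mergeAndProbe(mergeFn) {
  const defaults = { title: 'default', legend: { display: true } };
  const merged = mergeFn(defaults, JSON.parse(CONSTRUCTED_PAYLOAD));
  const unrelated = {};
  const result = {
    title: merged.title,
    legendDisplay: merged.legend.display,
    polluted: unrelated.polluted === true,
  };
  delete Object.prototype.polluted;
  return result;
}

console.log('unsafe:', mergeAndProbe(unsafeDeepMerge)); // polluted: true
console.log('safe:  ', mergeAndProbe(safeDeepMerge));   // polluted: false
```

The key-blocklist is the minimal fix; merging into a `Object.create(null)` scratch object, or parsing JSON with a reviver that rejects those keys, closes the same hole one layer earlier.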
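The escaping gap behind CVE-2021-23445 (an array handed to the HTML entity escaper comes back with its contents untouched), shown as an added example that is not code from the post or from DataTables. The string-only escaper mirrors the failure mode; the deep version walks arrays and plain objects so nested strings are escaped before they are joined into markup. The sample cell value is constructed.

```javascript
// Added example, not code from the post or from DataTables: an HTML entity
// escaper that only handles strings (the failure mode CVE-2021-23445
// describes) beside one that escapes strings nested in arrays and objects.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeString(s) {
  return s.replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Unsafe: anything that is not a string is returned as-is. An array of
// strings therefore keeps its markup, and the caller renders it verbatim.
function escapeEntitiesUnsafe(value) {
  return typeof value === 'string' ? escapeString(value) : value;
}

// Hardened: recurse through arrays and plain objects; numbers, booleans and
// null cannot carry markup and pass through unchanged.
function escapeEntitiesDeep(value) {
  if (typeof value === 'string') return escapeString(value);
  if (Array.isArray(value)) return value.map(escapeEntitiesDeep);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = escapeEntitiesDeep(v);
    return out;
  }
  return value;
}

// Constructed sample cell: a multi-value column delivered as an array, where
// one element carries a script tag.
const CONSTRUCTED_CELL = ['alice', '<script>alert(1)</script>'];

// Render a cell the way a table renderer might: escape, then join array
// values with a separator and return the markup that would reach the DOM.
function renderCell(escapeFn, value) {
  const escaped = escapeFn(value);
  return Array.isArray(escaped) ? escaped.join(', ') : String(escaped);
}

console.log(renderCell(escapeEntitiesUnsafe, CONSTRUCTED_CELL)); // raw <script> survives
console.log(renderCell(escapeEntitiesDeep, CONSTRUCTED_CELL));   // alice, &lt;script&gt;alert(1)&lt;/script&gt;
```

Escaping at render time, per string, is what makes the deep version safe regardless of how the data was shaped upstream; a renderer that trusts the escaper to have handled "everything" is exactly where the array case slips through.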
