LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket

2 years ago 99
BOOK THIS SPACE FOR AD
ARTICLE AD

26. June 2021

This article has been indexed from DZone Security Zone

Rocket.Chat is one of the most popular open-source solutions for team communication, written in JavaScript and TypeScript. It has more than 12 million users worldwide and there are over 800,000 server instances deployed that are being used to exchange confidential information and files. My security research team and I discovered critical vulnerabilities in its source code that could have been used by an attacker to take complete control over a server, starting with as little as any user’s email address. 

In this blog post, I investigate these vulnerabilities by first taking a quick look at NoSQL databases, then explain how injections look like in that context. I then analyze the found vulnerabilities and how they can be chained for an exploit. Finally, I give advice on how to prevent such bugs in your applications.

Read the original article: NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket

Read Entire Article
  3. NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket

Related

Critical infrastructure security will stay poor unless everyone pulls together

Critical infrastructure security will stay poor unless everyone pulls together

Latvian TV Channels Hacked to Broadcast Russian Victory Day Parade

Latvian TV Channels Hacked to Broadcast Russian Victory Day Parade

Europol Hacked? IntelBroker Claims Major Law Enforcement Breach

Europol Hacked? IntelBroker Claims Major Law Enforcement Breach

Friday Squid Blogging: Squid Mating Strategies

Friday Squid Blogging: Squid Mating Strategies

Iran most likely to launch destructive cyber-attack against US – ex-Air Force intel analyst

Iran most likely to launch destructive cyber-attack against US – ex-Air Force intel analyst

New LLMjacking Attack Lets Hackers Hijack AI Models for Profit

New LLMjacking Attack Lets Hackers Hijack AI Models for Profit

Trending

1. Ishan Kishan
2. CUET UG
3. Gautam Gambhir
4. Mother
5. Chelsea
6. Amit Shah
7. CUET UG 2024 Admit Card
8. KKR बनाम MI
9. KKR vs MI
10. Rishabh Pant

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved