Aggregator

文章讲述了一位安全研究人员从追逐高调漏洞转向关注看似无趣的信息泄露问题的经历。通过寻找API密钥、配置错误和开发文件等信息，他成功发现漏洞并获得赏金。这种方法不仅改变了他的研究方式，也带来了实际收益。

作者分享了从追逐高调漏洞转向关注低关注度但高价值的信息泄露（如暴露源代码、API密钥）的经验，并通过发现金融公司测试站点的安全问题获得赏金的故事，展示了转变安全研究思路的重要性。

Spamhaus是一个国际非营利项目，通过维护多个黑名单（如SBL、XBL）帮助过滤垃圾邮件和网络威胁。它被广泛用于保护邮件系统免受滥用，并影响邮件送达率。企业需注意保持良好的发送习惯、身份验证和列表管理以避免被列入黑名单。

这篇文章分享了作者作为漏洞赏金猎人和网络安全爱好者的经验，探讨如何通过系统性方法发现和利用常见漏洞类别来获得收益，并通过实际案例展示了如何将小问题转化为重大成果。文章适合零基础读者，并提供了持续学习的资源。

OAuth是一种允许第三方应用在不共享密码的情况下代表用户访问资源的框架。其核心组件包括授权服务器、客户端应用、授权码和访问令牌。通过令牌交换机制实现用户身份验证和资源访问控制。然而，配置错误或攻击（如CSRF和开放重定向）可能导致敏感信息泄露或账户接管（ATO），严重威胁用户安全。

小米召回超 11.6 万辆 SU7 标准版，雷军回应；特斯拉 Optimus AI 团队负责人离职加入 Meta；比亚迪仰望 U9 赛道版汽车官宣，超 3000 匹性能猛兽

当前环境出现异常，需完成验证后才能继续访问。

作者于2024年4月发现印度国家考试机构NTA的一个子域名使用Laravel框架，并通过目录遍历访问到.env文件，获取了数据库敏感信息。随后向CERT-In报告该漏洞并获确认。

作者通过回顾之前的安全测试报告，在某个子域名中发现了一个关键漏洞，并详细记录了这一过程。

作者通过回顾之前的渗透测试报告，在整理旧数据时发现了一个被遗忘的关键漏洞，并成功利用该漏洞进行攻击。

A vulnerability was found in Linux Kernel up to 6.2.2. It has been declared as critical. The impacted element is an unknown function of the component udf. Such manipulation leads to privilege escalation. This vulnerability is documented as CVE-2023-53295. The attack requires being on the local network. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability identified as critical has been detected in Linux Kernel up to 6.3.0. This affects the function __kernel_read. This manipulation causes missing initialization of a variable. This vulnerability is handled as CVE-2023-53172. The attack can only be done within the local network. There is not any exploit available. You should upgrade the affected component.

A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.4.6. This vulnerability affects the function blk_mq_elv_switch_none. Executing manipulation can lead to null pointer dereference. This vulnerability is tracked as CVE-2023-53292. The attack is only possible within the local network. No exploit exists. You should upgrade the affected component.

A vulnerability marked as critical has been reported in Linux Kernel up to 6.12.44/6.16.4/6.17-rc3. The impacted element is the function bnxt_set_dflt_rings. The manipulation of the argument tx_ring[] leads to memory corruption. This vulnerability is traded as CVE-2025-39810. Access to the local network is required for this attack to succeed. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability classified as critical was found in Linux Kernel up to 6.1.52/6.4.15/6.5.2. This affects the function hv_pci_restore_msi_msg. Executing manipulation can lead to denial of service. The identification of this vulnerability is CVE-2023-53175. The attack needs to be done within the local network. There is no exploit available. Upgrading the affected component is advised.

A vulnerability was found in Linux Kernel up to 6.1.27/6.2.14/6.3.1. It has been rated as critical. This impacts the function dump_backtrace of the component f2fs. Performing manipulation results in buffer overflow. This vulnerability is known as CVE-2023-53262. Access to the local network is required for this attack. No exploit is available. Upgrading the affected component is advised.

A vulnerability classified as critical was found in Linux Kernel up to 6.17-rc3. Affected is the function xfs_attr_leaf_get of the component xfs. Such manipulation leads to escaping of output. This vulnerability is uniquely identified as CVE-2025-39835. The attack can only be initiated within the local network. No exploit exists. Upgrading the affected component is advised.

A vulnerability has been found in Linux Kernel up to 6.1.149/6.6.103/6.12.44/6.16.4/6.17-rc3 and classified as critical. This affects the function smb2_compound_op. The manipulation leads to incorrect control flow. This vulnerability is referenced as CVE-2025-39819. The attack needs to be initiated within the local network. No exploit is available. The affected component should be upgraded.

A vulnerability was found in Linux Kernel up to 6.1.1. It has been classified as critical. This impacts an unknown function. Performing manipulation results in incorrect control flow. This vulnerability is reported as CVE-2022-50261. The attacker must have access to the local network to execute the attack. No exploit exists. Upgrading the affected component is recommended.

A vulnerability labeled as critical has been found in Linux Kernel up to 6.1.30/6.3.4. This impacts the function bq25890_charger_external_power_changed. The manipulation of the argument psy results in null pointer dereference. This vulnerability is known as CVE-2023-53166. Access to the local network is required for this attack. No exploit is available. The affected component should be upgraded.