Eric Rafaloff

My personal blog on software development and security


Bug Disclosure: Pervasive Open Redirect in GitLab

While performing a code review of the GitLab open source codebase, I found a pervasive open redirect vulnerability affecting project pages. The Project Application controller defines a before_action filter named . This filter attempts to detect and remove the git extension that may appear in a project request's URI. In order to do this, it

Bug Disclosure: Remote Code Execution In BlackBerry Workspaces Server

While performing a network penetration test for one of our clients at GDS, I came across a BlackBerry Workspaces (formerly WatchDox) Server. These servers can be deployed on customer networks and function as stand-alone appliances. According to BlackBerry: BlackBerry(R) Workspaces lets you collaborate securely, with all the features you expect from an advanced enterprise file