Fixed CVE-2024-1728 False Negatives by Adjusting Regex Expressions #10518
Conversation
The previous version of the template used a greedy regex expression (.*), which was causing false negatives during testing on both Windows and Linux systems.
Thanks so much for your contribution @ShaneIan, we appreciate it! :)
Hello, the response time for this PR was longer than usual because the team was traveling for DEFCON. Thank you for your contribution. Could you please confirm why the POST data was updated to remove the extra array brackets? Can you also confirm if it still works without them? Additionally, if you could share the redacted debug data, that would be very helpful.
Yes, of course. For the duplicate bracket, I saw no reason for it to be there, as it was seemingly causing an error on my simulated client side. The client's fileInput was expecting a dictionary, not a list, so formatting it as such was causing the fileInput to misunderstand. And yes, as of the last testing with the removed brackets, the template was able to produce positive results. As for the debug data, this is my first contribution, so I am unsure exactly what you mean. However, I absolutely can help.
@ShaneIan, thank you for the confirmation. For the debug data, please run the template with the
Nuclei Debug Output
I ran the template with debug information as requested:
nuclei -t CVE-2024-1728-debug.yaml -u https://8c4e50cf2fa07a02f3.gradio.live -debug
Output:
Findings:
Hi @ShaneIan, thank you for sharing the additional data. The PR notification was somehow missed and remained open. Thank you once again for updating the template.
You can grab some cool PD stickers over here http://nux.gg/stickers 😄
Hey @ShaneIan, thanks for the sticker request! I'll send some off when I have them in hand (I'm new to the PD team and they're on order. :) )