While I was trying to catch a bug in the @inflection program, I started to test
goodhire.com. It was in scope, but I didn't see that it had a
HubSpot CMS. After a lot of testing, I found a
small potential server-side template injection.
Then @fransrosen helped me to break the elements and get a
The Google dork was (
Some affected websites:
It was great to see the HubSpot team resolve this issue within 24 hours of knowing that there was a problem!
They mentioned that it was not in scope?!
So I reported it again in another submission, but this time I messaged the security company directly, and it was triaged and fixed in 2 days.
It was found in this path:
/_hcms/cta, so this means that it is controlled by the HubSpot service.
The affected parameter was
First possible server-side template injection:
Server-side template injection occurs when user-controlled input is embedded into a server-side template, allowing users to inject template directives. This allows an attacker to inject malicious template directives and possibly execute arbitrary code on the affected server.
URL encoded GET input
referrerUrl was set to
The response contained the result of the evaluated expression: 49
I tried to exploit it with Jinja injection, but
I failed. I got
Malformed escape pair at index 78: https://www.example.com/content-rendering/v1/public/_hcms/cta?referrerUrl=%7B%for%20c%20in%20%5B1,2,3%5D%20%%7D%7B%7Bc,c,c%7D%7D%7B%%20endfor%20%%7D
Illegal character in query at index 81:
@fransrosen was able to break out of the element with this payload
The payload was awesome :)
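A log-side check for the request shape described above, as an added example that is not from the original post or from HubSpot: it flags Jinja-style delimiters in `referrerUrl` on the `/_hcms/cta` path and separately flags malformed escape pairs like the one in the error message. It goes slightly beyond the post by also decoding double-encoded input; the function names and the second and third sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Delimiters of Jinja-style template syntax: {{ }}, {% %}, {# #}
DIRECTIVE = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")
# A '%' not followed by two hex digits is a malformed escape pair
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

WATCHED_PATH = "/_hcms/cta"      # path named in the write-up
WATCHED_PARAM = "referrerUrl"    # parameter named in the write-up


def has_directive(raw, max_rounds=3):
    """Percent-decode up to max_rounds times (catches double encoding) and
    test every round. unquote_plus() leaves malformed pairs like '%fo' as-is."""
    for _ in range(max_rounds):
        raw = unquote_plus(raw)
        if DIRECTIVE.search(raw):
            return True
    return False


def inspect_request(url):
    """Return sorted finding labels for one requested URL ([] means clean)."""
    parts = urlsplit(url)
    if not parts.path.endswith(WATCHED_PATH):
        return []
    findings = set()
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote_plus(name) != WATCHED_PARAM:
            continue
        if BAD_ESCAPE.search(raw):
            findings.add("malformed-escape")
        if has_directive(raw):
            findings.add("template-directive")
    return sorted(findings)


# Sample requests: the first is the URL quoted in the error message above,
# the other two are constructed for this example.
SAMPLES = [
    "https://www.example.com/content-rendering/v1/public/_hcms/cta?referrerUrl=%7B%for%20c%20in%20%5B1,2,3%5D%20%%7D%7B%7Bc,c,c%7D%7D%7B%%20endfor%20%%7D",
    "https://www.example.com/_hcms/cta?referrerUrl=%257B%257Bc%257D%257D",
    "https://www.example.com/_hcms/cta?referrerUrl=https%3A%2F%2Fwww.example.com%2Fpricing",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(inspect_request(url), url)
```

The malformed-escape finding is useful on its own: a request that a strict URI parser rejects can still carry template syntax that a more tolerant component decodes later.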
Report Status : 22/1/2018
HubSpot_Security changed the priority to
HubSpot_Security rewarded 20 points to you
HubSpot_Security changed the state to Resolved 23/1/2018