
POC details: 46fc4777100aae990d288a8fa92534251f71d9ee

Related vulnerability
Title: Apache Solr information disclosure vulnerability (CVE-2023-50290)
Description: Apache Solr is a search server from the Apache Foundation (United States), built on Lucene (a full-text search engine). It supports faceted search, vertical search, highlighting of search results, and more. Apache Solr versions 9.0.0 up to, but not including, 9.3.0 contain an information disclosure vulnerability; the flaw stems from the exposure of sensitive information.
Description
Bug bounty and vulnerability research reports by Desai Vinayak — includes CVE-2023-50290 (Apache Solr) and Zscaler subdomain takeover findings.
Introduction
# 🧩 Bug Bounty Reports — Desai Vinayak

**🔒 Bug bounty and vulnerability research reports by _Desai Vinayak_.**  
This repository collects **passive, non-destructive** vulnerability write-ups and supporting evidence for **coordinated disclosure** and **remediation tracking**.

---

## 📁 Contents

📂 **reports/** — PDF, DOCX, and evidence files for each report:
- 🧠 `Bug_Bounty_Report_Desai_Vinayak_CVE-2023-50290.pdf` — Apache Solr Metrics API information disclosure (**CVE-2023-50290**).  
- 🌐 `zscaler_bugbounty_report.pdf` — Potential subdomain takeover findings for selected `zscaler.com` subdomains.  
- 📜 `CVE-2023-50290_summary.md` — Markdown summary of the Solr report.  
- 📜 `zscaler_subdomain_takeover_summary.md` — Markdown summary of the Zscaler findings.  

🧾 **Other files**
- 🤝 `CONTRIBUTING.md` — Guidance for triage teams and vendors.  
- 🕵️ `DISCLOSURE_POLICY.md` — Coordinated disclosure expectations.  
- 🧩 `ISSUE_TEMPLATE.md` — Template to open remediation/tracking issues.  
- ⚙️ `.github/workflows/` — CI placeholders.  
- 🚀 `PUBLISH.md` — Quick publish instructions.  

---

## 🧠 Summary

This repository currently contains two primary reports produced via **passive reconnaissance**:

### 🔹 Apache Solr — CVE-2023-50290
The Solr Metrics API can expose environment and configuration details that may leak sensitive information.  
📄 See the Solr PDF and summary in `/reports`.

### 🔹 Zscaler — Potential Subdomain Takeover
Several `zscaler.com` subdomains resolve to third-party hosts returning provider unconfigured/error pages (e.g., AWS ELB, Acquia, UptimeRobot).  
These may be vulnerable to takeover if unprovisioned.  
📄 See the Zscaler PDF and summary in `/reports`.

🧷 **All scans and evidence collection were passive and non-destructive:**  
DNS lookups, certificate-transparency checks, HTTP headers, and non-invasive content captures.  
No credentials, no POST requests, no exploitation performed.

---

## ⚙️ How to Use

👩‍💻 **Vendors / Triage Teams**
- Open an issue using `ISSUE_TEMPLATE.md`.  
- Reference the report filename in `/reports/`.  
- Include remediation steps, progress updates, and final status.

🧑‍🔬 **External Researchers**
- Please follow the coordinated disclosure policy (`DISCLOSURE_POLICY.md`)  
  before publishing or sharing findings.

---

## 🧰 Remediation Recommendations (High-Level)

✅ Remove or fix unused CNAME records that point to third-party services.  
✅ Properly configure custom domains on provider dashboards for services in use.  
✅ Restrict access to sensitive admin endpoints (e.g., Solr `/admin/metrics`) and require authentication.  
✅ Rotate any secrets that may have been exposed via configuration or environment variables.  
✅ Implement DNS monitoring and alerting for unexpected external CNAMEs or CT-log changes.

📎 _Detailed remediation steps are included in each report._
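The last recommendation above (monitoring for unexpected external CNAMEs) can be turned into a simple zone audit. The script below is an added example, not code from this repository: it classifies each CNAME in a zone export as internal, dangling (target no longer resolves), an approved third-party target, or an unapproved one that resolves but nobody has claimed (the unprovisioned-host case described in the Zscaler summary). The provider suffix list, zone records, resolver answers and approval list are all constructed for the demo; a real run would query DNS and load the organisation's actual zone.

```python
"""Audit zone CNAME records for dangling or unapproved third-party targets.
Added example for the README's DNS-monitoring recommendation, not repository
code; zone data, provider suffixes and resolver answers are constructed."""
from collections import namedtuple

# Assumed provider suffixes; tailor to the providers your organisation uses.
THIRD_PARTY_SUFFIXES = (".elb.amazonaws.com", ".acquia-sites.com", ".uptimerobot.com")

# severity: "alert" (fix now), "review" (confirm ownership) or "ok"
Finding = namedtuple("Finding", "name target severity reason")

def provider_for(target):
    return next((s for s in THIRD_PARTY_SUFFIXES if target.endswith(s)), None)

def audit_cnames(records, resolves, approved, own_zone="example.com"):
    """records: (name, target) pairs from a zone export; resolves(target) -> bool,
    False on NXDOMAIN (mocked below; a real run would query DNS);
    approved: (name, target) pairs known to be provisioned and in use."""
    findings = []
    for name, target in records:
        n, t = name.lower().rstrip("."), target.lower().rstrip(".")
        p = provider_for(t)
        if t == own_zone or t.endswith("." + own_zone):
            findings.append(Finding(n, t, "ok", "internal target"))
        elif not resolves(t):  # target gone: classic dangling CNAME, delete it
            findings.append(Finding(n, t, "alert", "target does not resolve (dangling)"))
        elif p and (n, t) in approved:
            findings.append(Finding(n, t, "ok", f"approved {p}"))
        elif p:  # resolves but nobody claims it: the unprovisioned-host case above
            findings.append(Finding(n, t, "review", f"unapproved CNAME to {p}"))
        else:
            findings.append(Finding(n, t, "review", "unknown external target"))
    return findings

# Constructed zone export, resolver answers and approval list for the demo.
SAMPLE_RECORDS = [
    ("www.example.com.", "web.example.com."),
    ("status.example.com.", "example-page.uptimerobot.com."),
    ("old-site.example.com.", "old-site.acquia-sites.com."),
    ("lb.example.com.", "demo-123.us-east-1.elb.amazonaws.com."),
    ("cdn.example.com.", "cdn-edge.someprovider.net."),
]
SAMPLE_RESOLVES = {"web.example.com", "example-page.uptimerobot.com",
                   "demo-123.us-east-1.elb.amazonaws.com", "cdn-edge.someprovider.net"}
SAMPLE_APPROVED = {("status.example.com", "example-page.uptimerobot.com")}

def demo():
    """Run the audit on the constructed sample and return the findings."""
    return audit_cnames(SAMPLE_RECORDS, SAMPLE_RESOLVES.__contains__, SAMPLE_APPROVED)
```

Records rated "alert" are the ones to delete or repoint immediately; "review" entries need an owner to confirm the provider-side configuration still exists.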

---

## 🤝 Coordinated Disclosure & Contact

**Reporter:** Desai Vinayak  
📧 **Email:** [desaivinayak449@gmail.com](mailto:desaivinayak449@gmail.com)

Please acknowledge receipt and provide a remediation timeline when opening issues or contacting the reporter.  
Coordinated disclosure is requested — **public disclosure should be delayed until remediation is complete** (see `DISCLOSURE_POLICY.md`).

---

## 📄 License

🪪 This repository is distributed under the **MIT License**.  
See `LICENSE` for full terms.
File snapshot

[4.0K] /data/pocs/46fc4777100aae990d288a8fa92534251f71d9ee
├── [2.6K] live_url.txt
├── [1.4K] nuclei_exposed_more.txt
├── [3.4K] README.md
├── [2.1K] targets.txt
├── [ 57K] urls.txt
├── [1022K] zscaler_bugbounty_report.pdf
└── [5.9K] zscaler_report.txt

1 directory, 7 files