Jul 25, 2016
Cyber attacks get bigger, smarter, more damaging. P*rnHub launched its bug bounty program two months ago to encourage hackers and bug bounty hunters to find and responsibly report flaws in its services and get rewarded. Now, it turns out that the world's most popular p*rn*graphy site has paid its first bounty payout. But how much? US $20,000! Yes, P*rnHub has paid $20,000 bug bounty to a team of three researchers, who gained Remote Code Execution (RCE) capability on its servers using a zero-day vulnerability in PHP – the programming language that powers P*rnHub 's website. The team of three researchers, Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities ( CVE-2016-5771/CVE-2016-5773 ) in PHP's garbage collection algorithm when it interacts with other PHP objects. One of those is PHP's unserialize function on the website that handles data uploaded by users, like hot pictures, on multiple paths,