<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Xyproto - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/xyproto/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:12:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/xyproto/feed.xml" rel="self" type="application/rss+xml"/><item><title>Algernon Server-Side Script Source Disclosure via NTFS Filename Manipulation (CVE-2026-52792)</title><link>https://feed.craftedsignal.io/briefs/2026-07-algernon-source-disclosure/</link><pubDate>Fri, 03 Jul 2026 11:12:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-algernon-source-disclosure/</guid><description>Algernon, when running on a Windows host, is vulnerable to CVE-2026-52792, allowing an unauthenticated attacker to exploit its `filepath.Ext()` processing to bypass script execution and obtain the raw source code of server-side scripts by appending NTFS-equivalent suffixes (such as `::$DATA`, trailing dot, or trailing space) to the URL, thereby leaking sensitive embedded secrets like database credentials, API keys, and `SetCookieSecret` values, which can lead to authentication bypass.</description><content:encoded><![CDATA[<p>CVE-2026-52792 exposes Algernon, a web server written in Go, to a critical server-side script source disclosure vulnerability when deployed on Windows operating systems. Affecting versions up to and including 1.17.8, this flaw stems from Algernon's file handler, which incorrectly interprets NTFS-equivalent filenames (e.g., <code>x.lua::$DATA</code>, <code>x.lua.</code>, <code>x.lua </code>). An unauthenticated client can append these suffixes to the URL of any server-side script (such as <code>.lua</code>, <code>.tl</code>, <code>.po2</code>) located on a public path. Instead of executing the script as intended, Algernon serves its raw source code, directly exposing embedded secrets like database connection strings, API keys, and the <code>SetCookieSecret</code> value. This vulnerability was published on 2026-07-02 and significantly impacts the confidentiality of sensitive information, potentially enabling attackers to forge session cookies and bypass authentication mechanisms.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance/Target Identification</strong>: An attacker identifies an Algernon web server instance running on a Windows host that is publicly accessible via HTTP/HTTPS.</li>
<li><strong>Public Script Enumeration</strong>: The attacker discovers or guesses the path to a server-side script (e.g., <code>index.lua</code>, <code>api.tl</code>) that is configured on a public path and is designed for execution rather than direct serving.</li>
<li><strong>Bypass Execution</strong>: The attacker crafts a specially formatted HTTP GET request by appending an NTFS-equivalent suffix (e.g., <code>::$DATA</code>, a trailing dot <code>.</code>, or a trailing space <code>%20</code>) to the script's URL (e.g., <code>http://target/index.lua::$DATA</code>).</li>
<li><strong>Source Code Disclosure</strong>: Due to the vulnerability, Algernon's <code>filepath.Ext()</code> function fails to recognize the script's true extension, bypassing the execution logic.</li>
<li><strong>Raw File Retrieval</strong>: Algernon proceeds to open the manipulated filename using <code>os.Open()</code>, which, on Windows, resolves the NTFS-equivalent name back to the original script file.</li>
<li><strong>Secret Exfiltration</strong>: The server streams the raw contents of the script file directly to the attacker, exposing any embedded secrets such as database credentials (<code>POSTGRES(&quot;postgres://app:S3cr3t@db/prod&quot;)</code>) or <code>SetCookieSecret(&quot;hardcoded-session-key&quot;)</code> values.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-52792 directly compromises the confidentiality of highly sensitive information. Attackers gain access to hardcoded database credentials, API keys, and session cookie secrets. For instance, a disclosed <code>SetCookieSecret</code> value enables an unauthenticated attacker to forge session cookies, allowing them to impersonate any user and bypass authentication mechanisms entirely, leading to unauthorized access. This can result in significant data breaches, privilege escalation, and complete compromise of the affected web application and potentially connected backend systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-52792</strong>: Upgrade Algernon to a patched version immediately to remediate the vulnerability.</li>
<li><strong>Deploy Webserver Detection Rule</strong>: Deploy the provided Sigma rule to your SIEM to detect attempts to access server-side scripts using NTFS-equivalent filenames.</li>
<li><strong>Review <code>SetCookieSecret</code> Usage</strong>: Audit all server-side scripts for hardcoded <code>SetCookieSecret</code> values and other sensitive credentials. Ensure these are retrieved from secure environment variables or a secrets management system.</li>
<li><strong>Enable Webserver Logging</strong>: Ensure detailed webserver access logs (<code>webserver</code> category) are collected and ingested into your SIEM, including full request paths, HTTP methods, and response status codes, to enable effective detection.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>webserver</category><category>vulnerability</category><category>code-disclosure</category><category>server-side-vulnerability</category><category>windows</category></item></channel></rss>