
Maybe I can distract some people from vulnerable Java libraries. This funny cat walking across your tabs? It somehow ended up having pretty much the most severe vulnerability possible for a browser extension.

palant.info/2021/12/20/yes-fun

There I was smugly thinking: “Oh, I don’t use anything Java-based, no reason to care about that thing.” Wait, what? Ghidra? 🤦‍♂️

I’m off installing updates…

No, the crazy thing is that the most current Java version today still uses this clearly broken approach. It’s for backwards compatibility, you see?

Seriously, what kind of code could possibly depend on this broken equality concept? What justifies keeping this footgun around?


Similarly, identical URLs might be considered different if the host is associated with multiple IP addresses, so that the DNS request produces different results. While there is caching, results are only cached for a limited time.

But IMHO the crazy thing isn’t that they’ve done it like this. This approach was already in Java 1.0, so we are talking about 1996 or even earlier here. There was little understanding of real-world URL handling back then.


Yes, Java’s URL implementation has this weird concept of equality that depends on the results of DNS resolution. So different URLs will be considered equal (by means of .equals() and .hashCode()) if they resolve to the same IP address.

RT @ncweaver@twitter.com:

> I was today years old when I learned that when you hash a URL in Java it does a DNS lookup to get the IP address associated with the hostname as part of the hash function.

twitter.com/ncweaver/status/14
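The behaviour described in the posts above, as an added example that is not part of the original thread and not code from any of the people quoted. It assumes only the standard library: `java.net.URL` delegates `equals()` and `hashCode()` to its stream handler, which resolves both hostnames with `InetAddress.getByName()` and compares the addresses, while `java.net.URI` compares the components as strings. The hostnames used are assumptions: `localhost` is assumed to resolve to `127.0.0.1` (the usual hosts-file entry; if it resolves to `::1` first, the two URLs compare unequal), and `nonexistent.invalid` is assumed to be unresolvable because `.invalid` is a reserved TLD.

```java
import java.net.URI;
import java.net.URL;
import java.util.HashSet;
import java.util.Set;

public class UrlEqualityDemo {
    // Two spellings of the same origin. Assumption: "localhost" resolves to
    // 127.0.0.1 on the machine running this; otherwise equals() is false.
    static final String A = "http://localhost:8080/index.html";
    static final String B = "http://127.0.0.1:8080/index.html";

    public static void main(String[] args) throws Exception {
        URL u1 = new URL(A);
        URL u2 = new URL(B);

        // URL.equals() -> URLStreamHandler.equals() -> hostsEqual(), which calls
        // InetAddress.getByName() on both hosts and compares the addresses.
        // Different strings, same address: the URLs are "equal".
        System.out.println("URL.equals()             : " + u1.equals(u2));
        // URL.hashCode() hashes the resolved InetAddress, not the host string,
        // so the hash codes agree for the same reason.
        System.out.println("URL.hashCode() equal     : " + (u1.hashCode() == u2.hashCode()));

        // Consequence for collections: a HashSet<URL> deduplicates by resolved
        // address. The first hashCode()/equals() on each URL object performs the
        // lookup; a successful result is cached in that object, a failed lookup
        // is retried on every call.
        Set<URL> seen = new HashSet<>();
        seen.add(u1);
        System.out.println("HashSet<URL> contains B  : " + seen.contains(u2));

        // java.net.URI compares scheme, host, port and path as strings. No DNS
        // traffic, and the two spellings stay distinct.
        URI v1 = URI.create(A);
        URI v2 = URI.create(B);
        System.out.println("URI.equals()             : " + v1.equals(v2));
        Set<URI> seenUris = new HashSet<>();
        seenUris.add(v1);
        seenUris.add(v2);
        System.out.println("HashSet<URI> size        : " + seenUris.size());

        // Make the hidden lookup visible: hashCode() on a host that cannot be
        // resolved blocks until the resolver gives up. Assumption: .invalid is a
        // reserved TLD, so this name never resolves.
        URL slow = new URL("http://nonexistent.invalid/");
        long t0 = System.nanoTime();
        slow.hashCode();
        long ms = (System.nanoTime() - t0) / 1_000_000;
        System.out.println("hashCode() on unresolvable host: " + ms + " ms");
    }
}
```

Compile and run with `javac UrlEqualityDemo.java && java UrlEqualityDemo`. The practical rule that follows from it: never use `java.net.URL` as a map key, set element or comparison subject; parse with `java.net.URI` (or compare the string form) and only convert to `URL` at the point where a connection is actually opened.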

Ah, ok, CCPA does not seem to apply. While accepting blog comments from California might be sufficient as “doing business in California,” I definitely do not meet any of the thresholds.


But I should probably check at some point whether CCPA has any provisions affecting my site that go beyond GDPR.


Either way, my response didn’t add to what’s already in my privacy policy: as the only personal information stored are blog comments and these are public already, I don’t need any kind of identity verification. Anybody could actually search through blog comments themselves.


Got a request about my CCPA data access process, from a person apparently mass-mailing websites via a domain associated with Princeton University. So I guess they are doing some kind of study and my website somehow got into their sample?

Mind you, this probably makes sense for logging patterns, adding context to logged data automatically. But resolving anything in the logged data is just 🤯 completely regardless of that vulnerability.


Tried to make sense of that log4j disaster. Apparently, somebody had the great idea for a logger to resolve variables in messages automatically, so that the code doing the logging doesn’t have to. The JNDI resolver then allowed loading Java classes dynamically, even remotely. 🙄

crowdstrike.com/blog/log4j2-vu
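The design point made in the two posts above (lookup expansion in the operator's log pattern is fine; lookup expansion in the logged data is the problem), as an added toy example that is not log4j's code and not part of the original thread. Everything in it is constructed: the `${name}` lookup syntax, a small in-memory lookup table standing in for sources such as environment variables or system properties, the secret value `hunter2`, and the two formatter variants. It needs Java 9 or newer for `Map.of` and `Matcher.appendReplacement(StringBuilder, ...)`.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LookupDemo {
    // Constructed stand-in for a logger's lookup sources. "env:DB_PASSWORD" is a
    // made-up secret, not a real value.
    static final Map<String, String> LOOKUPS = Map.of(
        "env:DB_PASSWORD", "hunter2",
        "sys:user.name", "svc-web");

    // Toy lookup syntax: ${source:key}
    static final Pattern LOOKUP = Pattern.compile("\\$\\{([^}]+)}");

    // Replace every ${...} with its lookup result; unknown lookups are left as-is.
    static String expand(String s) {
        Matcher m = LOOKUP.matcher(s);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = LOOKUPS.getOrDefault(m.group(1), m.group(0));
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Unsafe design: the message is spliced into the pattern and the result is
    // expanded again, so lookups inside attacker-controlled data are honoured.
    static String formatUnsafe(String pattern, String message) {
        String line = expand(pattern).replace("%m", message);
        return expand(line);
    }

    // Safe design: lookups are expanded only in the operator-controlled pattern;
    // the message is inserted verbatim afterwards and never interpreted.
    static String formatSafe(String pattern, String message) {
        return expand(pattern).replace("%m", message);
    }

    public static void main(String[] args) {
        // Pattern is configured by the operator; the lookup here is legitimate.
        String pattern = "[${sys:user.name}] %m";
        // Message contains untrusted input, e.g. a User-Agent header (constructed).
        String attackerInput = "${env:DB_PASSWORD}";
        String message = "login failed for user-agent " + attackerInput;

        System.out.println("unsafe: " + formatUnsafe(pattern, message));
        System.out.println("safe  : " + formatSafe(pattern, message));
    }
}
```

The unsafe line ends up containing the looked-up secret, the safe one still contains the literal `${env:DB_PASSWORD}` text. The toy only resolves against a static map; in the real vulnerability the same kind of lookup reached a JNDI resolver, and that is what turned data leakage into remote code loading.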

Reported the vulnerability. Yes, it’s a classic combination: jQuery, untrusted input, dynamically generated HTML code. github.com/Adobe-CEP/Samples/i


The amount of different output variants produced by WebPack and Browserify is staggering. Well, I guess I’ll keep adding them to my unwebpack script as I see them in the wild…

github.com/palant/js-analysis/

Somebody left an off-topic comment on my blog. I wondered whether I should just delete it silently or notify the author. Opted for the latter and received the reply below.

Yes, I should really disable comments after a year. No need to encourage people to write “free content.”

Third-party extensions without sandboxing? Turns out, Adobe applications still have that: extensions with unlimited access to the file system and ability to run executables. And the very first extension sample I looked at has an RCE vulnerability. Wow…

github.com/Adobe-CEP/CEP-Resou

Hm, an extremely popular browser extension with at least five red flags in its manifest? Nice, nice…

And I finally have the vulnerability acknowledged, with the fix expected to go live later today! 🥳


Delivering a vulnerability report via a Discord server because none of the email addresses I can find yield a response – that’s a first for me as well.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.