hanno

npub1syue...3cq9
Freelance Journalist. Industry Decarbonization, Climate, Energy, IT-Security. #searchable Newsletter (Climate/Energy/Industry): https://industrydecarbonization.com/ Web: https://hboeck.de/ LinkedIn: https://de.linkedin.com/in/hanno-boeck
Hello @BSI, you now have a portal for reporting vulnerabilities. I just wanted to try out what it looks like, but in case you are wondering why nobody reports anything: apparently the portal always considers the entered CVSS value invalid, no matter what you enter. (Apart from that, I think it is a very dumb idea to bother people who voluntarily want to report something with such nonsense first.)
Anyone got a recommendation for a good web search engine? The one I used to use has decided to pivot towards providing a chatbot with a crappy search engine attached that isn't really working properly.
Now those gpg.fail people made me find similar vulns elsewhere (console control character injection). By "elsewhere" I mean... my own code. Opinions wanted: should "input can inject console output with ansi and control chars" always be considered a vuln/CVE? (I'll fix it in any case, I'm just wondering if I should do all the "security release/advisory/request CVE/..." stuff.)
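Added example, not code from the post or from any of the projects mentioned: one way to neutralise the terminal control character injection described above before untrusted input (filenames, usernames, key UIDs) reaches a console or log. It strips ANSI escape sequences and renders any remaining C0/C1 control characters in caret or hex notation; all inputs below are constructed.

```python
import re

# ANSI escape sequences attacker-controlled text could use to recolour, overwrite
# or hide console output: CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ESC \)
# and the remaining two-byte ESC sequences (ESC followed by an Fe byte 0x40-0x5f).
ANSI_ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: params, intermediates, final byte
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: terminated by BEL or ESC \
    r"|\x1b[@-_]"                           # other two-byte ESC sequences
)


def sanitize_for_terminal(text: str, keep: str = "") -> str:
    """Return text safe to print or log: escape sequences removed, control
    characters made visible.  Characters listed in `keep` (e.g. "\\n") pass
    through unchanged; by default nothing does, since newlines and carriage
    returns are enough to forge or overwrite a log line."""
    text = ANSI_ESCAPE_RE.sub("", text)
    out = []
    for ch in text:
        code = ord(ch)
        if ch in keep:
            out.append(ch)
        elif code < 0x20 or code == 0x7F:
            out.append("^" + chr(code ^ 0x40))   # caret notation: ^[ for ESC, ^M for CR
        elif 0x80 <= code <= 0x9F:
            out.append("\\x%02x" % code)          # C1 controls, e.g. the single-byte CSI 0x9b
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a "filename" carrying a colour reset and a CR to overwrite output.
    hostile = "report.pdf\x1b[2K\rtotally-harmless.txt"
    print("raw repr:  ", repr(hostile))
    print("sanitized: ", sanitize_for_terminal(hostile))
```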
German ministry renames itself, domain expires, is bought by SEO-spammer, expires again, is bought by domain grabber, then later bought by itsec company who now learns that apparently plenty of internal systems of the ministry still try to connect to the domain... I don't even know where to start on how terrible that is and what it tells us about government IT security practices... @npub1s9uc...2y0t good work!
I've recently stumbled upon an RCE "exploit" for the Serendipity blog software, which I happen to use and have contributed to in the past. From what I can tell, it does nothing interesting (it does not even work due to broken indents, if one fixes that it uploads a PHP shell given existing credentials, but that won't be executed unless you have a server config that executes .inc files). I'm 95% certain this is bogus. Yet... in case anyone wants to have a look:
Dear Infosec people who have looked at XML and XXE before: I am trying to get an understanding of Blind XXE. Many of the descriptions I find are lacking an important detail which makes the attack much less practical. Blind XXE works by building a URL which contains the content of a file, allowing that content to be exfiltrated. However, in all my tests, that *only* works if the file contains no newlines, as those are not allowed in URLs. Am I missing something? 🧵
There's a study indicating that a cheap nasal spray that is already on the market (for allergies) can reduce Covid 19 infection risk by ~2/3rd, and also reduce other respiratory infections. I'm somewhat torn between "too good to be true" and "any reason I shouldn't immediately buy and use this?" Anyone read any insightful (and particularly: skeptical, caveats) takes on it? https://jamanetwork.com/journals/jamainternalmedicine/fullarticle/2838335
Anyone happen to know if there's any easy trick to bypass an Incapsula "security firewall" that thinks downloading with curl/wget is an attack to be prevented? (It's not just the user agent, I tried that.)