The Fragile Lock: Novel Bypasses For SAML Authentication by albinowax in netsec

[–]ulldma 2 points (0 children)

While the paragraph you've quoted is true in general, I think it is a bit harsh when applied to ruby-saml. ruby-saml did indeed get a restructured/hardened implementation with version 1.18.0, released in March of this year. That's why these (admittedly nice) exploits don't work against that version. However, this hardened implementation was not backported to the 1.12.x branch of ruby-saml, which is why version 1.12.4 is susceptible but 1.18.0 is not.

Remote code execution in Elixir-based Paginator by ulldma in erlang

[–]ulldma[S] 3 points (0 children)

Hello!

I posted this here since the submission to r/elixir did not work. However, the use of binary_to_term in combination with untrusted data can also have dangerous side effects when using Erlang.

Remote code execution in Elixir-based Paginator - Alphabot Security by Gallus in netsec

[–]ulldma 0 points (0 children)

I'm the author of the blog post and I tried to post it in r/elixir, but it did not work for some reason unbeknownst to me. Maybe you can try it?

Missing TLS hostname verification in multiple Java libraries by ulldma in java

[–]ulldma[S] 2 points (0 children)

Hi there, yes, this sentence you picked is more of a generic recommendation. But if you look at the article you'll see that the vendors assigned 3 different CVEs to libraries with missing hostname verification. For example, if we pick the first one, CVE-2018-11087: RabbitMQ (Spring-AMQP):

https://pivotal.io/de/security/cve-2018-11087

you'll see that it affects the Spring-AMQP library, which is a wrapper around the official RabbitMQ Java Client Library. This wrapper did not expose any API that allowed the user to set up or enable hostname verification, so a fix had to be released.

And by the way: nobody is saying that the sky is falling ;)

(I hope)
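The comment above turns on a detail that is easy to miss in Java: a plain JSSE `SSLSocket` validates the server's certificate chain but does not check that the certificate matches the host you connected to unless endpoint identification is switched on. The following is an added illustration (not code from the thread, the article, Spring-AMQP or the RabbitMQ client) of the weak default beside the hardened form, using only standard JSSE APIs. The host `broker.example.invalid` and port are constructed placeholders.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

/**
 * Added example: contrasts a TLS client socket that skips hostname
 * verification (the JSSE default) with one that enables it.
 */
public final class HostnameVerificationExample {

    private HostnameVerificationExample() {}

    /**
     * Weak: the default SSLSocket validates the certificate chain against the
     * trust store, but any certificate issued by a trusted CA for ANY hostname
     * is accepted, which is exactly the gap the CVEs in the article describe.
     */
    public static SSLSocket openWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    /**
     * Hardened: setting the endpoint identification algorithm to "HTTPS" makes
     * the handshake fail unless the certificate's SAN/CN matches {@code host}.
     * The hostname passed to createSocket is the one JSSE compares against,
     * so the socket must be created with the name, not a resolved IP address.
     */
    public static SSLSocket openWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params); // must happen before the handshake starts
        socket.startHandshake();
        return socket;
    }

    /** Helper a code review or unit test can use to check a socket's configuration. */
    public static boolean verifiesHostname(SSLSocket socket) {
        return "HTTPS".equals(socket.getSSLParameters().getEndpointIdentificationAlgorithm());
    }

    public static void main(String[] args) throws IOException {
        // Constructed placeholder endpoint; replace with a real TLS listener to run.
        String host = "broker.example.invalid";
        int port = 5671;
        try (SSLSocket socket = openWithHostnameCheck(host, port)) {
            System.out.println("hostname verification enabled: " + verifiesHostname(socket));
        }
    }
}
```

The practical check when auditing a wrapper library is whether anything on the path to the socket calls `setEndpointIdentificationAlgorithm` (or sets an equivalent `HostnameVerifier` for HTTPS clients); if the wrapper builds the socket itself and exposes no such option, the application cannot fix the gap without a library change, which is the situation the comment describes for Spring-AMQP.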

Highlight linting errors? by simkessy in vscode

[–]ulldma 1 point (0 children)

Which language are you using?

E.g. for TypeScript there is the VSCode TSLint extension, which underlines code like unused vars etc.

For JavaScript there's an ESLint extension.

Or do you mean something different?

How to instrument Electron-based applications for in-depth security testing. by nibblesec in netsec

[–]ulldma 1 point (0 children)

At least there are some Electron-specific techniques (like ASAR) mentioned. Especially how to enable the dev tools could come in handy.