Python's official documentation contains textbook example of insecure code (XSS)
Date: 2025-02-18
Author: Georgi Guninski
From the official Python 3.12 documentation on the CGI module [1]
===
form = cgi.FieldStorage()
if "name" not in form or "addr" not in form:
Wikipedia on Singularity [2]
The technological singularity—or simply the singularity—is a
hypothetical future point in time at which technological growth
becomes uncontrollable and irreversible, resulting in unforeseeable
consequences for human civilization.
[1]:
https://www.linkedin.com/pulse/ai-chatgpt-writes-insecure-code-georgi-guninski
Searching the web for `javascript fork malloc bomb` returns results,
e.g. [here][1]: and [here][2]:
We got a javascript fork malloc bomb which crashed Chrome 121 on linux
with SIGILL and about one in five runs the virtual machine freezes.
SIGILL almost always is a sign of memory corruption :)
On a
Minor firefox DoS - semi silently polluting ~/Downloads with files (part 2)
Tested on: firefox 121 and chrome 120 on GNU/linux
Date: Thu Jan 18 08:38:28 AM UTC 2024
This is barely a DoS, but since it might affect Chrome too we decided
to disclose it.
If a Firefox user visits a specially crafted p
On Tue, Jan 9, 2024 at 12:45 AM Harry Sintonen wrote:
>
> On Mon, 8 Jan 2024, Georgi Guninski wrote:
>
> > When extracting archives cpio (at least version 2.13) preserves
> > the setuid flag, which might lead to privilege escalation.
>
> So does for example tar. The s
: Georgi Guninski
# date: Mon Jan 8 07:28:28 AM UTC 2024
# tested on cpio (GNU cpio) 2.13
mkdir -p /tmp/1
cd /tmp/1
touch a
chmod 4555 a
echo -n a | cpio -ocv0 > a.cpio
mkdir -p /tmp/2
cd /tmp/2
cpio -iv < ../1/a.cpio
ls -lh /tmp/2/a
#-r-sr-xr-x. 1 joro joro 0 Jan 8 09:10 /t
This is barely a DoS, but since Chrome has explicit protection
against it, we decided to disclose it.
If a Firefox user visits a specially crafted page, then Firefox
may create many files in `~/Downloads`,
The user is notified about this in a small dialog, but there is
no option to stop the download
In short, I found an anomaly in Fedora 37 and would like to
know if it is a vulnerability.
As root type in terminal:
dnf update
If there is kernel update, watch stdout and stderr for:
##On Mon Aug 14 05:33:29 AM UTC 2023
(2/6): kernel-6.4.10-100.fc37.x86_64.rpm1.2 MB/s | 140 kB 00:00
/var
Affected: GNOME Files 43.4 (nautilus) on fedora 37
Description:
If a user A opens in GNOME Files a zip archive containing
`setuid` file F, then F will be silently extracted to
a subdirectory of CWD.
If F is accessible by hostile local user B and B executes F,
then F will be executed as from user
There is a minor information disclosure vulnerability similar
to nmap in browser.
It is possible to check the existence of firewalled URL U via
the following javascript in a browser:
In short in Firefox 112, it is possible to check existence
of firewalled web servers. This doesn't work in Chrome and Chromium 112
for me.
If user A has tcp connection to web server B, then in the
following html:
http://B"; onload="load()" onerror="alert('error')" id="i1" />
the javascript funct
Is there low hanging fruit for the following observation?
The documentation of the python cgi module is vulnerable to XSS
(cross site scripting)
https://docs.python.org/3/library/cgi.html
```
form = cgi.FieldStorage()
print("name:", form["name"].value)
print("addr:", form["addr"].value)
```
Fir
On Fri, Sep 16, 2022 at 6:44 AM Matthew Fernandez
wrote:
>
>
> What is the security boundary being violated here? As a maintainer of
> some of the packages implicated here, I’m unsure what my actionable
> tasks are. The threat model(s) for my packages does not consider crashes
> to be a security
ping world
libgmp is a library about big numbers.
it is not a library for very big numbers, because
if libgmp meets a very big number, it calls abort()
and coredumps.
2442 packages depend on libgmp on ubuntu20.
guest3@ubuntu20:~/prim$ apt-cache rdepends libgmp10 | wc -l
2442
gawk crash:
guest3@
::numeric::pow_intexp(GiNaC::numeric
const&) const ()
The non-minimal testcase
===
#sagemath code, copyright Georgi Guninski
def binnk3u(n,k): return ( (n/k)**(k))
n1=(2*10**3);d0=29004853178239;n0=SR(log(n1));
tt=binnk3u(n0+d0-1,d0);
print("
Potential symlink attack in python3 __pycache__
Not sure if this is a vulnerability, but it looks like a
classical symlink attack.
In python3, if a script in directory DIR1 does "import another",
then python3 creates directory __pycache__ in DIR1 and puts
some files in __pycache__.
According to our
Summary: under certain circumstances, ipython3 may execute
code from the current working directory. This might be a
problem if the current working directory is not trusted.
python3 is safe.
Tested on ubuntu 20.
The following session illustrates it:
joro@bialokote:~/tests/dir2$ pwd
/home/joro/te
On Debian /home/loser is with permissions 755, default umask 0022
(If you don't understand the numbers, this means a lot of
files are world readable).
On multiuser machines this sucks much.
Question: How much sensitive data can be read on default install?
Partial results:
1. mutt (text email c
From my blog:
https://j.ludost.net/blog/archives/2020/05/21/short_notes_on_qmail_security_guarantee/index.html
Short notes on qmail security guarantee
Disclaimer: written in hurry, could be wrong.
djb offers monetary bounty for verifiable qmail exploit,
called "qmail security guarantee" [1].
H
pari/gp on debian stable allow arbitrary file write
pari/gp is a CAS (computer algebra system).
pari/gp version 2.9.1 on debian stretch and 2.11 on debian buster
allow arbitrary file write and hence arbitrary code execution.
poc:
\\ a.gp
\\ to run: \r a.gp
default("logfile","/tmp/a.txt");d
From
https://j.ludost.net/blog/archives/2019/11/11/minor_security_issue_in_punbb_with_sqlite/index.html
Minor security issue in punbb with SQLite
Georgi Guninski security advisory #76, 2019
Running punbb-master from https://github.com/punbb/punbb
from Thu 07 Nov 2019 11:23:33 AM UTC
On Tue, Apr 15, 2014 at 09:20:11PM +0200, Hanno Böck wrote:
> On Tue, 15 Apr 2014 17:06:13 +0300
> Georgi Guninski wrote:
>
> > openssl accepts DSA (and probably DH) keys with
> > g=1 (or g= -1). Both are extremely weak, in
> > practice plaintext.
>
> openssl
openssl accepts DSA (and probably DH) keys with
g=1 (or g= -1). Both are extremely weak, in
practice plaintext.
g=1 works all the time
g= -1 works about half the time in DSA
(on vanilla openssl).
Is there a MITM implication in this,
e.g. can a MITM convince both parties
that g=1 -- in this case t
Warning: If you can break this probably you
can break md5 and sha1, so take care
Some people broke large SAT formulas [1] related
to a problem of Erdos with plingeling.
The md4 preimage encoding in SAT is much smaller.
The CNFs are https://j.ludost.net/md4crazy/
17b is 17 bytes preimage of zer