HackerTrans
TopNewTrendsCommentsPastAskShowJobs

smlx

no profile record

Submissions

Reverse-engineering an encrypted IoT protocol

smlx.dev
232 points·by smlx·vor 2 Jahren·40 comments

comments

smlx
·letztes Jahr·discuss
next.js has a history of similar vulnerabilities.

I was made aware recently of a vulnerability that was fixed by this patch: https://github.com/vercel/next.js/pull/73482/files

In this vulnerability, adding a 'x-middleware-rewrite: https://www.example.com' header would cause the server to respond with the contents of example.com. i.e. the worlds dumbest SSRF.

Note that there is no CVE for this vulnerability, nor is there any clear information about which versions are affected.

Also note that according to the published support policy for nextjs only "stable" (15.2.x) and "canary" (15.3.x) receive patches. But for the vulnerability reported here they are releasing patches for 14.x and 13.x apparently?

https://github.com/vercel/next.js/blob/canary/contributing/r...

IMO you are playing with fire using nextjs for anything where you care about security and maintenance. Which seems insane for a project with 130k+ Github stars and supported by a major company like vercel.
smlx
·vor 2 Jahren·discuss
I came up with a simpler solution that keeps kube contexts separated per terminal.

https://smlx.dev/posts/kubectl-global-state/
smlx
·vor 2 Jahren·discuss
I have never heard of ImHex before. Thanks, I'll take a look!
smlx
·vor 4 Jahren·discuss
Imagine I own a bunch of billboards around town. A customer comes to me with cash and wants to display someone's personal details and a message encouraging harassment on my billboards.

Do I have to wait for law enforcement to stop me from displaying their content? Or can I, as a private company, make a judgement call and decline their business?

I think the answer here is pretty obvious and your attempt at passing the buck is pathetically weak.
smlx
·vor 4 Jahren·discuss
I wrote a tool that allows me to avoid the terrible Tempo web UI - you might be interested: https://github.com/smlx/jiratime
smlx
·vor 5 Jahren·discuss
Not if you use screen scaling.
smlx
·vor 5 Jahren·discuss
More accurately, the developers need to a) fix the buggy implementation of the Gnome-specific protocol they currently use, and b) switch to the standard screensharing protocol.

https://github.com/flathub/us.zoom.Zoom/pull/182#issuecommen...