HackerTrans
TopNewTrendsCommentsPastAskShowJobs

dnet

no profile record

Submissions

Unauthenticated RCE as Qsecofr via IBM i Management Central

blog.silentsignal.eu
2 points·by dnet·mês passado·0 comments

comments

dnet
·há 4 meses·discuss
In newer versions, it's disabled by default and you have to do something like this to enable in ~/.ssh/config:

    Host *
    EnableEscapeCommandline yes
dnet
·há 7 meses·discuss
See https://doctorow.medium.com/como-is-infosec-307f87004563

> This is the same failure mode of all security-through-obscurity. Secrecy means that bad guys are privy to defects in systems, while the people who those systems are supposed to defend are in the dark, and can have their defenses weaponized against them.
dnet
·há 10 meses·discuss
I assume the scanner is a separate library/service that receives the contents and returns a boolean safe/malicious result, and the implementation using MD5 to avoid expensive re-scans is an internal detail hidden from the caller.
dnet
·há 11 meses·discuss
While the default is indeed to lock the entire database, it has been an option for 15 years to avoid this: https://www.sqlite.org/wal.html