Packagist.org maintainer account takeover
Scary stuff, but handled very well by the Packagist team.
Read more [blog.packagist.com]
Posts tagged with vulnerability
Troy Hunt has a good piece on people asking for money in order to disclose a vulnerability. I get a lot of these too.
Read more [www.troyhunt.com]
A few days ago, you might have received a Dependabot security warning on Ignition concerning a remote code execution vulnerability. This post on the Flare blog explains why most people shouldn't be affected by it.
Read more [flareapp.io]
In a new article on his blog, Ian Carroll shows that it is quite easy to trick users into thinking they are connected to the right site.
Extended validation ("EV") certificates are a unique type of certificate issued by certificate authorities after more extensive validation of the entity requesting the certificate. In exchange for this more rigorous vetting, browsers show a special indicator like a green bar containing the company name, or in the case of Safari completely replace the URL with the company name. ... Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for "Stripe, Inc", that was legitimately issued by Comodo.
https://stripe.ian.sh/
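The collision above comes down to what a browser puts in the green bar: the organization name, and nothing else that makes a registered company unique. As an added example (this is not Ian Carroll's code, and the subject fields below are constructed placeholders, not the real certificates' contents), the Python below parses two EV-style subject names that share `O=Stripe, Inc` and shows that the EV identity fields (jurisdiction of incorporation, business category, registration number) still tell them apart:

```python
import re
from typing import Dict, Tuple

# Constructed subject DNs in OpenSSL / RFC 4514 notation. The values are placeholders
# (localities, registration numbers) and not the real certificates' contents; only the
# colliding O= value mirrors the post. Note the escaped comma inside the organization name.
LEGIT_SUBJECT = (
    "C=US, ST=California, L=San Francisco, O=Stripe\\, Inc, CN=stripe.com, "
    "businessCategory=Private Organization, jurisdictionC=US, jurisdictionST=Delaware, "
    "serialNumber=0000001"
)
COLLIDING_SUBJECT = (
    "C=US, ST=Kentucky, L=Louisville, O=Stripe\\, Inc, CN=stripe.ian.sh, "
    "businessCategory=Private Organization, jurisdictionC=US, jurisdictionST=Kentucky, "
    "serialNumber=0000002"
)

# The EV Guidelines identify a subscriber by its organization name plus where and under
# what registration number it is incorporated; O= on its own is all the green bar shows.
EV_IDENTITY_FIELDS = ("O", "businessCategory", "jurisdictionC", "jurisdictionST", "serialNumber")


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'K=V, K=V' into a dict, honouring '\\,' escapes inside values."""
    fields: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        key, _, value = rdn.strip().partition("=")
        fields[key.strip()] = value.strip().replace("\\,", ",")
    return fields


def displayed_ev_name(subject: Dict[str, str]) -> str:
    """The string a browser's EV indicator shows: the organization name alone."""
    return subject.get("O", "")


def ev_identity(subject: Dict[str, str]) -> Tuple[str, ...]:
    """The tuple that actually distinguishes one registered entity from another."""
    return tuple(subject.get(field, "") for field in EV_IDENTITY_FIELDS)


def same_legal_entity(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """True only if every EV identity field matches, not just the displayed name."""
    return ev_identity(a) == ev_identity(b)


if __name__ == "__main__":
    legit, fake = parse_dn(LEGIT_SUBJECT), parse_dn(COLLIDING_SUBJECT)
    print("address bar shows:", displayed_ev_name(legit), "|", displayed_ev_name(fake))
    print("same registered entity?", same_legal_entity(legit, fake))
```

The point for anyone building a trust decision on certificate metadata: a legal name is not an identifier, and two EV certificates can legitimately carry the same one. If you must pin to an organization, compare the full identity tuple, or better, pin the domain name, which is what the certificate actually binds.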
iTerm2, a popular terminal app, contained a very bad security issue. Everything you hovered over was checked to see whether it was a clickable URL, and to decide whether a string was a valid URL, iTerm2 looked it up against your DNS server. So if you hovered over a password, a secret key or anything else sensitive, it was sent out over the internet in plain text. Obviously this is a big problem. The issue is fixed in version 3.1.1, so if you use iTerm2 and haven't updated it recently, be sure to do it now!
iTerm2's leak issue was first discovered ten months ago. iTerm2's creator initially reacted by adding an option to iTerm 3.0.13 that allowed users to disable DNS lookups. The feature remained turned on by default for new and existing installations. Dutch developer Peter van Dijk, software engineer for PowerDNS, a supplier of open-source DNS software and DNS management service, re-reported this feature and this time around, he pointed out some of the severe privacy leaks not included in the first bug report.
"iTerm sent various things (including passwords) in plain text to my ISP's DNS server," van Dijk wrote flabbergasted in a bug report he filed earlier today.
This time around, George Nachman, iTerm2's maintainer, understood the severity of the issue right away and released iTerm2 3.1.1 to fix the problem within hours. He also apologized for enabling this feature by default without analyzing possible consequences in more depth.
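If you run a resolver for a fleet of developer machines, a leak like this shows up in the query log as hostnames that are not hostnames at all. As an added example (not code from iTerm2 or from the original post), the Python below scans constructed resolver log lines and flags queries whose labels look like leaked credentials, either by known key format or because a long label has near-uniform character distribution. The `query[A] <name> from <client>` log format, the patterns and the thresholds are assumptions to adapt to your own environment:

```python
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample log in a dnsmasq-style "query[TYPE] <name> from <client>" format
# (assumed; adjust LINE_RE to your resolver's format). Picture a user hovering over a shell
# history full of credentials while their terminal resolves every word under the pointer.
SAMPLE_LOG = """\
query[A] github.com from 10.0.0.5
query[A] hunter2 from 10.0.0.5
query[A] AKIAIOSFODNN7EXAMPLE from 10.0.0.5
query[A] wJalrXUtnFEMIK7MDENG from 10.0.0.5
query[A] www.example.org from 10.0.0.5
query[AAAA] d41d8cd98f00b204e9800998ecf8427e from 10.0.0.5
"""

LINE_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")

# Label shapes that should never appear in a hostname. Illustrative, not a complete ruleset.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "github-token": re.compile(r"^gh[pousr]_[A-Za-z0-9]{36}$"),
    "hex-digest-or-token": re.compile(r"^[0-9a-fA-F]{32,64}$"),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_name(name: str, entropy_threshold: float = 3.5, min_len: int = 16) -> Optional[str]:
    """Return a reason if any label of the queried name looks like a secret, else None.

    Known formats are checked first; then any long label whose characters are close to
    uniformly distributed is reported. The thresholds are assumptions to tune per site.
    """
    labels = [label for label in name.rstrip(".").split(".") if label]
    for label in labels:
        for reason, pattern in SECRET_PATTERNS.items():
            if pattern.match(label):
                return reason
    for label in labels:
        if len(label) >= min_len and shannon_entropy(label) >= entropy_threshold:
            return "high-entropy-label"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, name, reason) for every query line that looks like a leaked secret."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        name, client = match.groups()
        reason = classify_name(name)
        if reason:
            findings.append((client, name, reason))
    return findings


if __name__ == "__main__":
    for client, name, reason in scan_log(SAMPLE_LOG):
        print(f"{client} queried {name!r}: {reason}")
```

Note what the scanner cannot catch: a short dictionary password such as `hunter2` in the sample log is indistinguishable from an ordinary single-label hostname, and the query has already left the machine by the time any log sees it. Detection like this is a backstop for incident response; the real fix is the client-side one iTerm2 shipped, which is not to resolve hovered text in the first place.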
At the beginning of the summer the Belgian company PHPro held a cool hacking contest: anyone who could hack a special site they had set up could win a prize. Yesterday they published an interesting article on how that site could be hacked. The site was also hacked in ways the company's developers did not anticipate.
Since this contest started out as an internal project, we've put a lot of focus on the flow on how to hack the website. It was just a little side project to inform our colleagues that some small mistakes can end up in a big catastrophe. By focussing on the flow of the hackme contest, we forgot to secure the application for malicious contestants. Of course, this was something that fired back to us on the first days of the competition. Here is a little write-up of the problems we've encountered and how we fixed them.