@bagder AI slop for sure given their last comment

@bagder who would build openssl on their android 11 phone with temux? Not saying its impossible but its either weirdly detailed or crazy magic

@bagder next iteration; i wouldn’t wonder.

someone pointing out that curl’s sourcecode can be downloaded freely off the internet, so someone could put malicious code in it, compile it and … run it

@bagder@mastodon.social keylog callback? 😱 they're putting keyloggers in the openssl! 😱

@bagder works as intended...

@bagder cat and more have the same security bug, I've been told.

@bagder As long as you don't accept redirects to file:// I can't see it 🥲 😂

you should use that as description in the man page

“FILE Read or write arbitrary local files.”

(Did they even notice they could write files?)

@bagder next, you will be telling me if I pipe the output of curl to sudo bash, then an attacker in control of the remote website has RCE! 😵

@bagder is someone passing user-supplied URLs to curl in a cgi-bin script?

https://hackerone.com/reports/3242087

@bagder lol

@bagder

DOOOOOOM

@bagder

Really?
But finally it's the same shit as last week...🤷‍♂️
But even then I couldn't motivate Linus to fix the "root is able to mess up something" bug...🤪

We should fix "su" and "sudo" by adding 10 random questions about sensible terminal commands and their syntax - before asking for the password...🙈

@bagder 😂

@bagder please don't feed a troll

@bagder Same as 'arbitrary command execution' via sudo with ALL=NOPASSWD:ALL?

@bagder @GossiTheDog haha, maybe we should enable a „10Cent fee per bug filed and if the bug turns out to be legitimate real bug, then it gets refunded.“

This way AI slop stuff would either stop or start funding the project haha

@bagder if it gets too much, "reports of shame" wall? It is kind of a funny report. I don't mean for well-meaning people, but it seems like AI and such might make these kinds of reports problematic.

@bagder <grr> for security reasons I've switched to files:// urls instead

@bagder Is it April first already? User has access to file, user has access to run curl, user has access to file via curl.

"Severity Critical (9 ~ 10)"

@bagder Next up: "Arbitrary File Read via http(s):// in cURL", because it's documents, i.e. files

@bagder In other news, I just disclosed a bug with zsh because when I have access to a machine running zsh I can use it to access files. I'm testing now to see if Bash has the same issue. If so then there may be a pattern and I'll test other shells

@bagder actually I see more and more people in this industry that can’t distinguish between a client and a server

@bagder Stop! (AI ban) hammer time! (?)

Like, this is that detailed yet that incredibly stupid I cannot imagine this to be human-made

@bagder ask for confirmation with two testcases you have decided to use

/etc/passwd and /etc/shadow, make sure to note that both work for any user on your system when using curl 👿

@bagder You should demand a reverse bug bounty of not less than 1000€. That's how stupid this is.
Just wait until they find out you can download files from any given URL with curl.

@bagder the slop never stops

@bagder Security in most companies seems to have been evolved over the years more in a blocker of everyday work than an actual mitigator of real risks.

I sadly fear that's intrinsic in the nature of the job. You have to showcase you are doing something or your job would be deemed unnecessary (until an actual security issue happens people can't see the value of prevention) and once real reasonable issues are exhausted, people start inventing problems.

@bagder Does a banlist exist to block fake security reporters on large scale yet?

@bagder Doesn't work in Debian, so it's respecting file permissions properly. Tried it with a few root only files.

They also use passwd as an example, but that file is intentionally world readable anyway on most (all?) Linux distributions.

@bagder 100% AI slop to make some quick bucks 🤣

@bagder Seems like another fabolous example for your upcoming talk about Artificial Interference (in bug bounty programmes).

@bagder "This behavior enables an attacker with the ability to run cURL commands to read arbitrary files (...)" mmm yeah pretty sure that's not true

@bagder

That's a feature, not a bug 😆😂🤦‍♂️

@bagder Impact:
An attacker […] can read any local file that the user […] has permission to access,

ah.....mhmmmm.... I see 🤔😂

@bagder you're clearly lacking a sandbox to defend against this 🫣

@bagder what if you (them)... sanitize your input???

@bagder thanks, this was the laugh I needed today 😂😂😂