Hey Josef,
Nice one, thank you. Good thing I'm running noscript.
BTW, what is the real and proper fix for this kind of attacks? To me
it sounds like the web-browser itself shouldn't be able to send any
requests with a JS loaded from one website to other hosts.
--
Be free, use free (http://www.g
January 12, 2018 11:07 PM, "Paul Fertser" wrote:
> Hey Josef,
>
> Nice one, thank you. Good thing I'm running noscript.
>
Note that you technically don't need to use javascript to make the request -
see https://bouk.co/blog/hacking-developers/ for a plain -based version.
> BTW, what is the r
On Fri, Jan 12, 2018 at 10:28 PM, Josef Gajdusek wrote:
>
> Suggested fix: https://github.com/antirez/redis/blob/
> 8075572207b5aebb1385c4f233f5302544439325/src/networking.c#L1758
>
>
I ported the Redis fix to OpenOCD, please review:
http://openocd.zylin.com/4335
Although honestly I think this i
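As an added illustration (not OpenOCD's or Redis's code): the Redis change linked above aborts a connection when it receives a command named POST or Host:, which are the tokens a browser-originated HTTP request puts first when it is pointed at a plain text-protocol port. The following applies the same idea to the first line of a freshly accepted telnet/TCL connection. Which lines are inspected, the helper names, and the port in the constructed sample are assumptions for illustration.

```c
/* Added example, not project code: cross-protocol check on the first line
 * of a new connection, modelled on the Redis POST/Host: rejection. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the n-byte token at `tok` with `word`. */
static bool token_equals_ci(const char *tok, size_t n, const char *word)
{
    if (strlen(word) != n)
        return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)word[i]))
            return false;
    return true;
}

/* True if the first whitespace-delimited token of `line` is one of the
 * tokens an HTTP request would start with. Only POST and Host: are listed
 * because those are what Redis rejects; a browser cannot put a newline in
 * a GET path, so a GET alone cannot smuggle a second line as a command. */
bool looks_like_http(const char *line)
{
    static const char *const http_tokens[] = { "POST", "Host:" };

    while (*line && isspace((unsigned char)*line))
        line++;

    size_t n = 0;
    while (line[n] && !isspace((unsigned char)line[n]))
        n++;
    if (n == 0)
        return false;

    for (size_t i = 0; i < sizeof http_tokens / sizeof http_tokens[0]; i++)
        if (token_equals_ci(line, n, http_tokens[i]))
            return true;
    return false;
}

/* Apply the check to the raw bytes received on a new connection. Returns
 * true if the connection should be closed before any command runs. Only the
 * first line is examined (an assumption of this example): once a legitimate
 * command has been accepted the caller stops calling this. */
bool reject_cross_protocol(const char *buf, size_t len)
{
    char line[256];
    size_t i = 0;

    while (i < len && i < sizeof line - 1 && buf[i] != '\r' && buf[i] != '\n') {
        line[i] = buf[i];
        i++;
    }
    line[i] = '\0';
    return looks_like_http(line);
}

int main(void)
{
    /* Constructed sample: a browser form submission aimed at an assumed
     * local telnet port, with a debugger command hidden in the body, next
     * to a legitimate session start. */
    const char *attack = "POST / HTTP/1.1\r\nHost: 127.0.0.1:4444\r\n\r\nreset halt\r\n";
    const char *normal = "reset halt\r\n";

    printf("attack rejected: %d\n", reject_cross_protocol(attack, strlen(attack)));
    printf("normal rejected: %d\n", reject_cross_protocol(normal, strlen(normal)));
    return 0;
}
```

Note that this only catches input that is shaped like HTTP; a payload delivered by some other client that does not start with an HTTP token is not affected, which is the point of the objection raised in the following message.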
I don’t think that just blocking HTTP verbs is good enough. Let’s consider some
more examples.
Example 1: Alice spends lots of time on IRC. She’s also interested in embedded
systems, so she runs OpenOCD. Bob has a file to send her, so they start an IRC
CTCP session. Bob configures his IRC clien
On 14.01.2018 18:01, Christopher Head wrote:
none of the above attacks would work if you had to, say, type a password before
OpenOCD would accept your Telnet (or GDB, or TCL, or …) session.
If OpenOCD would require a password it also needs a safe channel to
transfer it. Drop telnet and use a ss
On 14.01.2018 20:06, Tomas Vanek via OpenOCD-devel wrote:
On 14.01.2018 18:01, Christopher Head wrote:
none of the above attacks would work if you had to, say, type a
password before OpenOCD would accept your Telnet (or GDB, or TCL, or
…) session.
If OpenOCD would require a password it also nee
On January 14, 2018 11:06:04 AM PST, Tomas Vanek via OpenOCD-devel
wrote:
>If OpenOCD would require a password it also needs a safe channel to
>transfer it. Drop telnet and use a ssh library instead?
Randomly generate it and print it to stdout at startup? Put it in the config
file? Neither of th
On 14.01.2018 20:06, Tomas Vanek via OpenOCD-devel wrote:
> On 14.01.2018 18:01, Christopher Head wrote:
>> none of the above attacks would work if you had to, say, type a
>> password before OpenOCD would accept your Telnet (or GDB, or TCL, or
>> …) session.
> If OpenOCD would require a password it
January 14, 2018 6:03 PM, "Christopher Head" wrote:
> I don’t think that just blocking HTTP verbs is good enough. Let’s consider
> some more examples.
>
> Example 1: Alice spends lots of time on IRC. She’s also interested in
> embedded systems, so she runs
> OpenOCD. Bob has a file to send her
Hi Josef,
On Sun, Jan 14, 2018 at 08:28:51PM +, Josef Gajdusek wrote:
> Related: Some recursors have "DNS rebinding protection", which should filter
> this.
> My OpenWRT router seems to have this enabled, the Google 8.8.8.8 nameservers
> do not.
Not that it's really important, but the proje
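As an added illustration of the "DNS rebinding protection" mentioned above (not OpenOCD's code, nor any particular resolver's): a rebinding attack has the attacker's name first resolve to their own server and then, with a short TTL, to 127.0.0.1, so the browser's same-origin check still passes while the request reaches the local port. A recursor that refuses to hand loopback or private addresses back to its clients breaks that second step; dnsmasq's stop-dns-rebind option is one such filter. The exact range list and the function names here are assumptions for illustration.

```c
/* Added example, not project code: classify upstream A records the way a
 * rebinding filter on a home-router recursor would. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse dotted-quad IPv4 text into host byte order; false on junk. */
static bool parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return false;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return false;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return true;
}

static bool in_range(uint32_t ip, uint32_t net, unsigned prefix)
{
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (ip & mask) == net;
}

/* True if an answer carrying this address would let a public name reach the
 * local host or LAN: loopback, RFC 1918, link-local and "this network"
 * (assumed list). Unparsable text is rejected too, failing closed. */
bool is_rebinding_target(const char *dotted)
{
    uint32_t ip;

    if (!parse_ipv4(dotted, &ip))
        return true;
    return in_range(ip, 0x7F000000u, 8)    /* 127.0.0.0/8   */
        || in_range(ip, 0x0A000000u, 8)    /* 10.0.0.0/8    */
        || in_range(ip, 0xAC100000u, 12)   /* 172.16.0.0/12 */
        || in_range(ip, 0xC0A80000u, 16)   /* 192.168.0.0/16 */
        || in_range(ip, 0xA9FE0000u, 16)   /* 169.254.0.0/16 */
        || in_range(ip, 0x00000000u, 8);   /* 0.0.0.0/8     */
}

/* Drop offending A records from a reply in place; returns how many remain.
 * A reply that ends up empty is what the client sees as NXDOMAIN/SERVFAIL,
 * so the rebind step simply fails. */
size_t filter_answers(const char **answers, size_t n)
{
    size_t kept = 0;

    for (size_t i = 0; i < n; i++) {
        if (is_rebinding_target(answers[i])) {
            fprintf(stderr, "rebind protection: dropping %s\n", answers[i]);
            continue;
        }
        answers[kept++] = answers[i];
    }
    return kept;
}

/* Constructed sample reply: one public address plus the two local ones an
 * attacker would swap in on the second lookup. Returns the kept count. */
size_t demo_filter_count(void)
{
    const char *answers[] = { "93.184.216.34", "127.0.0.1", "169.254.1.1" };
    return filter_answers(answers, sizeof answers / sizeof answers[0]);
}

int main(void)
{
    printf("answers kept: %zu\n", demo_filter_count());
    return 0;
}
```

A resolver applying this protects browsers behind it regardless of which local service is targeted, but only for clients that actually use it; a machine pointed straight at a public recursor such as 8.8.8.8 gets no such filtering, which is the observation made above.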
On 14.01.2018 20:38, Tomas Vanek via OpenOCD-devel wrote:
> On 14.01.2018 20:06, Tomas Vanek via OpenOCD-devel wrote:
>> On 14.01.2018 18:01, Christopher Head wrote:
>>> none of the above attacks would work if you had to, say, type a
>>> password before OpenOCD would accept your Telnet (or GDB, or
On January 14, 2018 12:37:53 PM PST, Michael Schwingen
wrote:
>How about a safe mode that disallows "dangerous" commands (eg. those
>that call external programs)? This would be a bit like "-dSAFER" on
>ghostscript, which disallows certain commands when processing untrusted
>input.
That sounds aw
On 15.01.2018 03:26, Christopher Head wrote:
> On January 14, 2018 12:37:53 PM PST, Michael Schwingen
> wrote:
>> How about a safe mode that disallows "dangerous" commands (eg. those
>> that call external programs)? This would be a bit like "-dSAFER" on
>> ghostscript, which disallows certain com
On January 16, 2018 6:24:31 AM PST, Michael Schwingen
wrote:
>Limiting file access to a list of configured directories should be
>enough.
>However, if you really need this, you can get that now by running
>OpenOCD in firejail.
Firejail looks like it might help. I’m not sure file access or local