"In the Who Cares Era, the most radical thing you can do is care." – @dansinker
https://dansinker.com/posts/2025-05-23-who-cares/
A small slide deck for a 15 minute impulse talk at Cycon 2025 in Tallinn: https://docs.google.com/presentation/d/1_3Iu74UijAjfSLHzqWDkDEaIwoB6WBSo9-mY5e0u0HM/edit?usp=drivesdk
vBulletin with a perfect 10 and PoC. Happy Tuesday. 🥳
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern.
https://nvd.nist.gov/vuln/detail/CVE-2025-48827
sev:CRIT 9.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code.
🆕 New blog post! It's a rather short one, nothing crazy. Just wanted to share a random finding I made recently. 🤷♂️
'Hijacking the Windows "MareBackup" Scheduled Task for Privilege Escalation'
this is it -- GOOD INTERNET magazine is LIVE, BABY~ 🥂 🎊 🥳
https://goodinternetmagazine.com/
i present the spring 2025 issue of GOOD INTERNET, featuring stories by @binarydigit, @internetarchive, @Leilukin, @greg, @surprisetalk, and SO MUCH MORE!
with only 6.5 hours to go before my surgery, the website is now launched! you can order physical or digital copies of the magazine! :) there are some initial stories on the website now, but more are coming over the next week, so keep an eye on your RSS feeds!!
‼️quick note: pre-ordered print editions will begin shipping out this week (!!!) and digital editions will go out this week as well to emails!
🙏 THANK YOU SO MUCH to EVERYONE who helped with this. thank you to the contributors (like @robb/ @echofeed, & @adam/ @omgdotlol). thank you to the writers, thank you to everyone who thought about this project, shared it with others, and got the word out. i am so so so stoked to bring y'all this.
🕛 issue 2 is in the fall! :) get your submission ideas in!!
#html #css #web #indieweb #smallweb #socialmedia #internet #enshittification #website #webdev #webdesign #neocities #indie #zine #coding #code #personalweb #blog #blogging
The two #curl CVEs we publish today are both rated medium and affect QUIC connections when curl is built to use wolfSSL
Hiroki Kurosawa reported both and he is rewarded 2540 USD for each from the curl bug-bounty.
With these two, the total bug-bounty payout from #curl now exceeds 90,000 USD over the last few years.
https://curl.se/docs/bugbounty.html
(thanks to IBB for sponsoring our bug-bounty program!)
The WAPBackMachine works! There are lots of WAP sites in the waybackmachine. It seems that the WBM crawler actually followed links on WAP sites, despite them not being HTML, which means that there is a lot to find if you know where to look!
This is hilarious 😅
A #SouthPark episode got aired with Russian dub "accidentally" in Hungary
Spent way too long figuring out why a payload wouldn't work.