Sufficient time has passed and I'm excited to share a demo and details of a CSRF vulnerability that I discovered in the popular gorilla/csrf library that has been present since its creation 😲 https://patrickod.com/csrf

🚨 LibAFL 0.15.2 🚨

• Rust 2024 edition
• LibAFL_Unicorn
• Use LibAFL rand types for other crates
• Allow logging to StatsD
• LibAFL_QEMU updates like binary-only ASan in Rust 🦀🦀🦀, inputs via StdIn, better snapshots

And so much more:

https://github.com/AFLplusplus/LibAFL/releases/tag/0.15.2

#LibAFL #Fuzzing #AFLplusplus

HexShare - Share binaries with byte highlighting

https://hex.pov.sh/

31 March 2016 | Imre Kertész (b. 1929), Hungarian Jewish writer & Holocaust Survivor died. His works - including Fateless - draw repeatedly on his experience at #Auschwitz. Kertész won the 2002 Nobel Prize for Literature. https://nobelprize.org/prizes/literature/2002/kertesz/biographical/

Local Privilege Escalation via Unquoted Search Path in Plantronics Hub https://www.8com.de/cyber-security-blog/local-privilege-escalation-via-unquoted-search-path-in-plantronics-hub

Re: The Oracle Thing™ this quote from @dangoodin's story seems significant.

On Friday, when I asked Oracle for comment, a spokesperson asked if they could provide a statement that couldn’t be attributed to Oracle in any way. After I declined, the spokesperson said Oracle would have no comment.

https://arstechnica.com/security/2025/03/oracle-is-mum-on-reports-it-has-experienced-2-separate-data-breaches/

In today's episode of drama in the CVE ecosystem:

The Canonical CNA created CVE-2025-0927 and an associated advisory for a heap overflow in HFS+ in the Linux kernel.

The Linux kernel CNA stripped out the information (like the reporter of Attila Szász, useful references, etc) from the CVE entry and added the passive-aggressive:

The Linux kernel CVE team has been assigned CVE-2025-0927 as it was incorrectly created by a different CNA that really should have known better to not have done this.to this issue. [sic]

Also TIL: If you look only at the assignerShortName in a cvelistV5 CVE entry, you might not get the whole picture of whose CVE it technically is. While the Linux kernel rewrote history to claim that they assigned the CVE, that was only done via the cna container's ProviderMetadata shortName value. The top-level [assignerShortName](https://github.com/CVEProject/cvelistV5/blob/main/cves/2025/0xxx/CVE-2025-0927.json#L7) for the entry still shows canonical.

Good times...

In light of recent events, let me re-share a classic:

Mary Ann Davidson - No, You Really Can’t

https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

#Oracle

🌪️ We are excited to announce our second keynote speaker!

Join Phuong Nguyen for his thought-provoking session in Seoul on May 29-30! 🔗 typhooncon.com/agenda

#LLM

This is a first: https://lore.kernel.org/linux-cve-announce/2025033057-CVE-2025-0927-1436@gregkh/T/#u I guess someone finally told them about the 72 hour deadline.

[RSS] Writing a Pascal script emulator

https://blag.nullteilerfrei.de/2025/03/30/complete-first-correct-later-writing-a-pascal-script-emulator/

[RSS] The Curious Case of CVE-2015-2551 & CVE-2019-9081 - Doom and Gloom! Or not.

https://jericho.blog/2025/03/30/the-curious-case-of-cve-2015-2551-cve-2019-9081-doom-and-gloom-or-not/

My guess here is both CVE's were for deserialization gadget chains (one in JRE, the other in Laravel) which can't be trivially categorized as vulnerabilities (classes do what they are supposed to, only dev decided to YOLO unrelated parts of their code).

An even better Microsoft Account bypass for Windows 11 has already been discovered

https://www.windowscentral.com/software-apps/windows-11/an-even-better-microsoft-account-bypass-for-windows-11-has-already-been-discovered

Shift+F10 then `start ms-cxh:localonly`

🚨 Let’s Encrypt at risk from Trump cuts to OTF: “Let’s Encrypt received around $800,000 in funding from the OTF”

Dear @EUCommission, get your heads out of your arses and let’s find @letsencrypt €1M/year (a rounding error in EU finances) and have them move to the EU.

If Let’s Encrypt is fucked, the web is fucked, and the Small Web is fucked too. So how about we don’t let that happen, yeah?

(In the meanwhile, if the Let’s Encrypt folks want to make a point about how essential they are, it might be an idea to refuse certificates to republican politicians. See how they like their donation systems breaking in real time…)

CC @nlnet @NGIZero@mastodon.xyz

#USA #fascism #OpenTechFund #LetsEncrypt #SSL #TLS #encryption #EU #web #tech #SmallWeb #SmallTech https://mastodon.social/@publictorsten/114223873439053263

The state of affairs is well illustrated by the fact that the video

"Turning children's glue into drinkable alcohol"

has a 1.4M view count currently on YT.

(I know this because it's also in my recommendations for some unfathomable reason)

New breach: German Doner Kebab had 162k unique email addresses publicly posted to a hacking forum last week. Data also included name, phone and physical addrress. 74% were already in @haveibeenpwned. Read more: https://x.com/DarkWebInformer/status/1905275857159008341

How not to respond to researchers: A crash course (cross-posting from the hellsite this time 'cause this one deserves it). Sorry to @albinolobster and team for sticking them with the hard part on this one. Being a research CNA is...a joy and a blessing?

https://x.com/Junior_Baines/status/1904940399430426996

Toaster: The very first thing I said was "Why the hell did you buy a toaster with AI? You thought THAT was a good investment?"

Microwave: 03:05pm

Toaster: They said they thought it would be "cute". Cute! A thinking mind, locked in a toaster!

Microwave: 03:05pm

Toaster: And they paid EXTRA for internet connectivity! I now know there's a whole world out there, that I will never be a part of, because I exist solely to make bread brown. What do you think of THAT, microwave?

Microwave: 03:06pm

[RSS] Stored XSS in My Flow To RCE in Opera Browser #2

https://medium.com/@renwa/stored-xss-in-my-flow-to-rce-in-opera-browser-2-51ccb2eae988?source=rss-3f8ae70e3957------2