Conversation

Notices

  1. daniel:// stenberg:// (bagder@mastodon.social)'s status on Tuesday, 11-Mar-2025 07:46:14 JST

    We got another "critical vulnerability" on #curl reported. I figured you might enjoy it.

    "The authentication mechanism in cURL does not properly restrict the number of failed authentication attempts, allowing an attacker to brute-force credentials"

    Yawn. Away, away you go.

    • Xilokar (xilokar@mamot.fr)'s status on Thursday, 24-Apr-2025 07:17:34 JST

      @bagder
      Well,
      What the hell if you can't rely on the client side to implement security checks?

    • abeltramo (abeltramo@mastodon.social)'s status on Thursday, 24-Apr-2025 07:17:39 JST

      @bagder you should obviously `rm -rf /` after five "403 Forbidden" returned.

    • thepwnicorn (thepwnicorn@infosec.exchange)'s status on Thursday, 24-Apr-2025 07:17:53 JST

      @bagder curl is client-side software ffs.

    • young man yells at the cloud (bamboombibbitybop@mastodon.social)'s status on Thursday, 24-Apr-2025 07:17:57 JST

      @bagder my coffee maker just lets me keep pouring, even when my mug is full!

    • DJGummikuh (djgummikuh@mastodon.social)'s status on Thursday, 24-Apr-2025 07:18:23 JST

      @bagder these sound like the same breed of people that complain that they can try passwords on multiple Pages AT THE SAME TIME without those pages magically restricting them. These guys really are just good for one thing in life and that is being ridiculed 😅

    • craignicol (craignicol@glasgow.social)'s status on Thursday, 24-Apr-2025 07:18:27 JST

      @bagder clearly you need to record all attempts on the Blockchain so that curl can verify it's not being used for a distributed password attack 🤦

    • rtn (rtn@chaos.social)'s status on Thursday, 24-Apr-2025 07:18:35 JST

      @bagder Wait. What? Curl doesn't log all usage in a centralized database so this can be tracked? Omg. O.o 😁

    • Daniel Spilker (daspilker@mastodon.online)'s status on Thursday, 24-Apr-2025 07:19:33 JST

      @bagder That should be reported upstream to the keyboard manufacturers.

    • GreenSkyOverMe (Monika) (greenskyoverme@ohai.social)'s status on Thursday, 24-Apr-2025 07:19:43 JST, in reply to Daniel Spilker

      @daspilker 😂

    • LiquidParasyte (liquidparasyte@pawb.fun)'s status on Thursday, 24-Apr-2025 07:19:50 JST

      @bagder ...brute force cURL? isn't it explicitly a user-side tool?

    • Joel Takvorian 🦬 (jotak@framapiaf.org)'s status on Thursday, 24-Apr-2025 07:22:10 JST

      @bagder and when you implement the fix, please also obfuscate it so bad actors can't just fork curl to remove it. Thanks 😘

    • Nordern (nordern@chaos.social)'s status on Thursday, 24-Apr-2025 07:22:20 JST

      @bagder I bet you don't even add two-factor authentication to servers that don't support it natively 😡

    • hisold (hisold@toot.io)'s status on Thursday, 24-Apr-2025 07:22:42 JST

      @bagder It would be funny if he added "... Which allows curl to be used for hacking purposes, making it illegal under German law § 202c StGB"

    • Bonkers (bonkers@nerdculture.de)'s status on Thursday, 24-Apr-2025 07:22:45 JST

      @bagder Linux command line is extremely dangerous and used by hackers !!!

    • Marek (mark22k@layer8.space)'s status on Thursday, 24-Apr-2025 07:23:03 JST

      @bagder "curl can act as a server?"

    • Michelle Hughes (megamichelle@a2mi.social)'s status on Thursday, 24-Apr-2025 07:23:57 JST

      @bagder

      Curl does not properly detect whether the user has evil in their heart.

    • AndyK1970 (andyk1970@mastodon.online)'s status on Thursday, 24-Apr-2025 07:23:59 JST

      @bagder haha!

      A bit like saying "I found a dangerous flaw in my car, the traffic light down the street is not working so this car could enter the intersection in a dangerous way."


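The thread's point in working form, as an added example that is not code from curl or from any poster: the failed-attempt limit the report asked for belongs in the server's authentication path, where no client can skip it. The class name, the sample user and the policy values are constructed assumptions.

```python
"""Server-side lockout for failed authentication attempts (added example).

A client such as curl cannot enforce an attempt limit: anyone can use a
different client. The counter therefore lives on the server, next to the
credential check. Sample user, salt and thresholds are constructed.
"""
import hashlib
import hmac
import time

MAX_FAILURES = 5        # consecutive failures allowed before lockout
LOCKOUT_SECONDS = 300   # how long the account stays locked

_SALT = b"constructed-salt"  # demo only; real stores use a per-user salt


def _digest(password: str) -> bytes:
    """Salted SHA-256 of the password (stand-in for a real password hash)."""
    return hashlib.sha256(_SALT + password.encode()).digest()


# Constructed credential store: username -> stored digest.
USERS = {"alice": _digest("correct horse battery staple")}


class AuthServer:
    """Tracks failures per account; the lockout is enforced here, not client-side."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable for deterministic tests
        self.failures = {}          # username -> consecutive failed attempts
        self.locked_until = {}      # username -> time the lock expires

    def authenticate(self, username: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"         # refused before the password is even checked
        actual = _digest(password)  # always computed, so unknown users cost the same
        expected = USERS.get(username)
        if expected is not None and hmac.compare_digest(expected, actual):
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        return "denied"
```

A per-account lockout also lets anyone who knows a username lock that user out, so production systems usually combine it with progressive delays or per-source throttling rather than relying on it alone.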
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.