Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://glauca.space/users/q/statuses/110513256538174560">Q ✨ (q@glauca.space)'s status on Friday, 09-Jun-2023 17:33:22 JST</a><a href="https://glauca.space/@q" title="q@glauca.space"><img src="https://gnusocial.jp/avatar/12401-48-20221010113834.webp" width="48" height="48" alt="Q ✨" style="position: absolute; left: 0; top: 0;">Q ✨</a></section><article><p>Today in absolutely wild things: a CA abusing an RCE in ACME.sh to add their own validation methods to it! <a href="https://github.com/acmesh-official/acme.sh/issues/4659" rel="nofollow noreferrer">https://github.com/acmesh-official/acme.sh/issues/4659</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1635702#notice-3219434">In conversation</a><time datetime="2023-06-09T17:33:22+09:00" title="Friday, 09-Jun-2023 17:33:22 JST">Friday, 09-Jun-2023 17:33:22 JST</time> <span>from <span><a href="https://glauca.space/@q/110513256538174560" rel="external" title="Sent from glauca.space via ActivityPub">glauca.space</a></span></span><a href="https://glauca.space/@q/110513256538174560">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: opengraph.githubassets.com</div><h5><a href="https://github.com/acmesh-official/acme.sh">GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol</a></h5><div></div></header><div>A pure Unix shell script implementing ACME client protocol - GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol</div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: opengraph.githubassets.com</div><h5><a href="https://github.com/acmesh-official/acme.sh/issues/4659">acme.sh runs arbitrary commands from a remote server · Issue #4659 · acmesh-official/acme.sh</a></h5><div></div></header><div>Hello, You may already be aware of this, but HiCA is injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine. I am not sure if thi...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Q ✨ (q@glauca.space)'s status on Friday, 09-Jun-2023 17:33:22 JST Q ✨
Today in absolutely wild things: a CA abusing an RCE in ACME.sh to add their own validation methods to it! https://github.com/acmesh-official/acme.sh/issues/4659
In conversation2 years ago from glauca.spacepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
  A pure Unix shell script implementing ACME client protocol - GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
2. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  acme.sh runs arbitrary commands from a remote server · Issue #4659 · acmesh-official/acme.sh
  Hello, You may already be aware of this, but HiCA is injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine. I am not sure if thi...

Public

Embed Notice

HTML Code

Corresponding Notice