ate all the Oreos posted:

does NPM still let you delete packages you own completely from the service? i remember a while ago someone had a tantrum and deleted a package that was depended on by like, every other package and broke most of everything because NPM just lets you do that poo poo

ate all the Oreos posted:

does NPM still let you delete packages you own completely from the service? i remember a while ago someone had a tantrum and deleted a package that was depended on by like, every other package and broke most of everything because NPM just lets you do that poo poo

Chris Knight posted:

lol developers https://github.com/ChALkeR/notes/blob/master/Gathering-weak-npm-credentials.md


...

quote:

At least one password was significantly inappropriate — to the extent that one wouldn't want that to be linked to them online and could be publicly blamed in that case (i.e. not just a swearword). Don't use offensive passwords — those could (and in this case were) leaked to the public in cleartext.

fins posted:

I really want to know what that one was!

Cocoa Crispies posted:

you can't omit the part of the idiocy where the package was "left-pad", which adds spaces to the beginning of a string to pad it out to a certain length

flakeloaf posted:

what's a nubian

fishmech posted:

actually a bunch of the conservative christians are leaving it ever since they decided to outright allow gays, and founding lovely splinter groups like camp life or whatever

ate all the Oreos posted:

does NPM still let you delete packages you own completely from the service? i remember a while ago someone had a tantrum and deleted a package that was depended on by like, every other package and broke most of everything because NPM just lets you do that poo poo

anthonypants posted:

https://twitter.com/maybekatz/status/872552185459908608

the npm community's reaction is mostly "oh, that's good, it shows that people are learning!" a few people believe that a repo full of garbage is at best worrying, and at worst would make it harder to find useful modules. that person above got mad at me when i said that their 'eh, works for me' reaction was defeatist and apathetic, because they apparently work for npm. also i learned that npm has employees, somehow.

BangersInMyKnickers posted:

I'm looking at Symantec CSP for some industrial control stuff and it seems nice in that it brings selinux-like restrictions to windows-applications but it does it through Symantec kernel drivers and it seems like if you're a determined attacker you're just going to go after that privileged surface instead. I'm already doing the patching/emet/applocker/endpoint firewall route and I'm really on the fence if I am gaining anything with this or if there is another way to accomplish it that is less risky. I can always yell at the software vendor to stop running everything at system and start using the OS integrity levels but that is going to take year.'

I dunno, just spitballing.

anthonypants posted:

https://twitter.com/maybekatz/status/872552185459908608

the npm community's reaction is mostly "oh, that's good, it shows that people are learning!" a few people believe that a repo full of garbage is at best worrying, and at worst would make it harder to find useful modules. that person above got mad at me when i said that their 'eh, works for me' reaction was defeatist and apathetic, because they apparently work for npm. also i learned that npm has employees, somehow.

Notorious b.s.d. posted:

guys, we did it. we located the worst haircut.

also this is officially the grimdark cyberpunk future

cinci zoo sniper posted:

have you not gone outside in half a decade or something

Notorious b.s.d. posted:

Rufus Ping posted:

https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php

spender

Notorious b.s.d. posted:

how is it better than the windows-native mac framework provided by microsoft

https://msdn.microsoft.com/en-us/library/windows/desktop/bb648648%28v=vs.85%29.aspx

quote:

Hacking Sony’s SIEA for fun and unreleased games

I began working on a game for the PlayStation at some point in 2016. A key part of releasing a game on an SIEA console is the global product proposal (“GPP”) approval process. Depending on the studio, they’ll submit details of their upcoming games months to years before they are released, and ensure SIEA has no objection to the game’s content. This happens on a web portal all publishers have access to.

It was when I went to download my own global product proposal when I began noticing severe security issues with the ColdFusion-powered site. The issues found could have led to the release of hundreds in-development games and unannounced concepts (and thousands of documents in total) to me and anyone else who tried. All issues found — described below — were responsibly disclosed to Sony’s vulnerability reporting program and fixed in a reasonable amount of time. All third-party data was erased after testing. No bounties (or t-shirts) were given by Sony.

It is hard to understate the critical nature of this site. These documents contain detailed information about upcoming releases, including concept art, detailed story lines, and release dates. I was able to successfully pull the GPP for NBA 2k18, among others, which was quite detailed about its features and release dates.

It’s clear nobody has audited the codebase for security issues. Further, the act of getting access to it is not difficult — SIEA liberally accepts companies to publish on their platforms. The site is luckily IP whitelisted, but this does little against a determined attacker.

Downloading GPP documents (Issue A)

The interface allows you to view your own global product proposals and download their associated files. When I looked at the URL used to download the file, I became curious: /FileServer/IPAMaterials/IPA_MATERIALS_IS00006260_1.zip. You may be able to guess what happens next — I decremented the ID in the last part of the URL to IPA_MATERIALS_IS00006259_1.zip, and ended up with someone else’s global product proposal.
As mentioned above, global product proposals, especially of unreleased games, are extremely sensitive, and they were left lying in the web server’s almost fully public filesystem, stored with sequential file names.

Unfortunately, this started a series of insufficient fixes on Sony’s part. After reporting this issue in 2016, Sony silently attempted to fix it and did not notify me. I came back to this in 2017, wondering if it had been fixed, and found that they had added a five digit unique ID to every download URL. Not only was this unique ID not long enough, it did not appear to even be random — they all seemed to be in the 5x,xxx range. Amusingly, they also ended up disclosing the ColdFusion source code of the page when you left off the filename and went to /FileServer/IPAMaterials.

At this point (in April of 2017), I emailed them and informed them that the new fix was not sufficient. I also gave them a 90-day disclosure deadline. They committed to a fix by the end of May, and added a 512-bit unique ID by then.
However, in early June, I discovered that there was a “skeleton key” ID — one that works for every file — after attempting to view a product that didn’t exist. This is explained in more detail below. I reported this to them on June 7th, and it was (finally) fixed shortly after.
Viewing metadata (Issue B)

Above, I mentioned that you are able to view your own global product proposals. The page that lists and shows these proposals fetches the details of a submission with a POST request to ipa_track_submission_details.cfm. The ID of the submission requested is not checked against the current user, allowing anyone to view the metadata of any product proposal.

The identifier for a product proposal, a v_unique_id, is sequentially incremented. This makes guessing and bulk retrieval trivially possible.

The returned data is actually raw HTML, injected into the page after it’s retrieved via an XMLHttpRequest. After this was fixed, there was a weird quirk: querying an ID the user doesn’t have access to would return the expected HTML, but without any data where there normally would be.

However, on these pages without any data, there was still a link to download the proposal — and it returned the same unique ID for every invalid proposal. This unique ID turned out to work for every file. I am guessing that it is the encoded version of 0 (i.e. null), and if the unique ID matches 0 it is allowed to download any file, for testing/internal use.

Viewing a company’s GPPs (Issue C)

Finally, on the page that allows you to view proposals, the client makes a request to ipa_submissions_frontend.cfc in order to find out what GPPs exist for a given company. Unfortunately, the client controls the company identifier used here, again without any validation.
Again, the company ID is sequential and easily guessable. The returned data allows you to enumerate the names and statuses of all the company’s titles — less detailed than the above, but certainly concerning.

quote:

It is hard to understate the critical nature of this site

Subjunctive posted:

It is hard to understate the [...] nature of this s[h]ite

Rufus Ping posted:

https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php

spender

Notorious b.s.d. posted:

guys, we did it. we located the worst haircut.

also this is officially the grimdark cyberpunk future. billion dollar companies employ people who choose to resemble shadowrun campaign art, and computer software is distributed casually by idiots

Rufus Ping posted:

https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php

spender

hackbunny posted:

note how windows is explicitly called out and excluded
windows abi specifies that dynamic stack allocations larger than a page should touch every page, so that the allocation won't skip the guard page

Ur Getting Fatter posted:

anyone use any of those "we scan your paper mail and send it to you via email" services?

it seems like the perfect recipe for identity theft but I'm not living in the states and no longer have someone who can reliably check my mail for me

Ur Getting Fatter posted:

anyone use any of those "we scan your paper mail and send it to you via email" services?

it seems like the perfect recipe for identity theft but I'm not living in the states and no longer have someone who can reliably check my mail for me

effika posted:

I use MyUSPS and got an email the other day that the postal service will start letting you see scans of the address side of everything coming to you in the mail for free.

Not quite as bad as having the content scanned, but at least you'll know if it's worth checking the mail that day.

Notorious b.s.d. posted:

guys, we did it. we located the worst haircut.

also this is officially the grimdark cyberpunk future. billion dollar companies employ people who choose to resemble shadowrun campaign art, and computer software is distributed casually by idiots

anthonypants posted:

is that like for a po box? because that owns

effika posted:

I use MyUSPS and got an email the other day that the postal service will start letting you see scans of the address side of everything coming to you in the mail for free.

Not quite as bad as having the content scanned, but at least you'll know if it's worth checking the mail that day.

Ur Getting Fatter posted:

that owns but I think that only give you a heads up about the sender?

i need someone to actually open my mail which i suppose is the tricky part

flakeloaf posted:

grats on finding a branch of the us government not willing to do deep packet inspection