Slashdot Mirror


User: artbristol

artbristol's activity in the archive.

Stories: 0 · Comments: 8

Comments · 8

  1. Not a vulnerability in Java Commons Library on Vulnerability In Java Commons Library Leads To Hundreds of Insecure Applications (foxglovesecurity.com) · Score: 5, Informative

    The linked article takes a lot of words to get to the point, which is that "WebLogic, WebSphere, JBoss, Jenkins, and OpenMMS, and many other pieces of software" will deserialize arbitrary user-supplied Java objects. To exploit that, you just provide a serialized class from commons-collections which (by design) executes the class's code during its deserialization process. If your application doesn't whitelist the classes it deserializes from an untrusted user, you deserve everything you get.
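    The mitigation the comment names, only ever deserializing classes on an explicit allowlist, as an added example that is not part of the comment or of any of the products it lists: an ObjectInputStream subclass that refuses every class descriptor not on the list before an instance is created. The Order type, its fields and the allowlist contents are assumed for illustration; on Java 9 and later the same policy can also be expressed with ObjectInputFilter (JEP 290).

```java
import java.io.*;
import java.util.*;

// Added example (not from the comment): an ObjectInputStream that resolves only
// classes on an explicit allowlist, so gadget classes such as those in
// commons-collections are refused before any instance is created.
public final class AllowlistObjectInputStream extends ObjectInputStream {
    // Hypothetical allowlist: the application's own DTO plus a few JDK types.
    private static final Set<String> ALLOWED = Set.of(
        "AllowlistObjectInputStream$Order",
        "java.util.ArrayList", "java.util.HashMap", "java.lang.Integer");
    public AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            // InvalidClassException is an IOException, so readObject() propagates it.
            throw new InvalidClassException("not on allowlist: " + desc.getName());
        }
        return super.resolveClass(desc);
    }
    // Hypothetical application type standing in for what the service really accepts.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id; final String sku;
        Order(int id, String sku) { this.id = id; this.sku = sku; }
    }
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed input 1: a legitimate Order, which the allowlist admits.
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(serialize(new Order(42, "ABC-1"))))) {
            Order o = (Order) in.readObject();
            System.out.println("accepted Order " + o.id + " " + o.sku);
        }
        // Constructed input 2: a class off the list (java.util.Date) is refused.
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(serialize(new Date())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```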

  2. Re:Exploit depends on not validating input? on Remote Exploit Vulnerability Found In Bash · Score: 1

    Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?

    Yes, but the program failing to validate the input is bash itself. Not your code.
    As soon as you get to #!/bin/bash you're exploited. Doesn't matter how careful your script code is.

    This is really, really bad. Does your home router have any cgi scripts that use bash? This remote exploit can be triggered with a query parameter.

  3. Own goal for Google on Google Reader: One Year Later · Score: 1

    Google Reader was the only reason to be logged in to Google on my normal browser (like a lot of people, I use a separate browser for Gmail, Facebook, and the other companies that exist to track your browsing habits). Now I use tt-rss, and Google have no idea which links I click any more.

  4. Unused for the last 8 years on NetWare 3.12 Server Taken Down After 16 Years of Continuous Duty · Score: 5, Informative

    From the linked thread:
    "When I began work here in 2004, this system was completely orphaned ... The only thing it's been connected to since 2004 has been my personal computer (laptop)."
    Way to spend (by my reckoning) 10,000 kWh of electricity.

  5. The wrong fork on Wayland/Weston Gets Forked As Northfield/Norwood · Score: 1

    Forking the implementation (Weston): cool. Like forking a browser. Existing web pages should continue to work, and maybe you'll expose/fix some bugs.
    Forking the API (Wayland): NOT COOL. That is like forking HTML. Everyone has to rewrite their web pages now.

  6. Goodbye, matte screens on Touchscreen Laptops, Whether You Like Them Or Not · Score: 1

    They've already become very hard to find, and I doubt there's ever going to be a 'touch' one. Sigh. Like 16:9, looks like horrible glossy screens are all we will be offered from now on.

  7. Wrecks non-browser user agents on Ask Slashdot: What's Your Take On HTTPS Snooping? · Score: 1

    My company does this. It's assumed by our IT department that 'fixing' Internet Explorer (plus some lame wiki instructions for Firefox users to install the bogus CA cert) is enough. Now try using Subversion, or cURL, or Yum, or Java+Maven. None of it works without trial and error configuration.

  8. Re:Why not just use Polymer notes? on Banknotes Go Electronic To Outwit Counterfeiters · Score: 1

    It's political. The EU would have used polymer notes when introducing the Euro, but they were lobbied by their existing (paper) banknote manufacturers.