We Spent $20 to Achieve RCE and Accidentally Became the Admins of .MOBI

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • duckduckgo-locales

    Translation files for duckduckgo.com

  • servercert

    Repository for the CA/Browser Forum Server Certificate Chartered Working Group

    The current CAB Forum Baseline Requirements call for "Multi-Perspective Issuance Corroboration" [1], i.e., make sure the DNS or HTTP challenge looks the same from several different data centres in different countries.

    [1] https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
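    The check the comment describes, as an added example (not code from the CA/Browser Forum repository or from any CA): a primary vantage point validates a DNS-01 style challenge, several remote vantage points repeat the same lookup, and issuance is refused unless enough of them agree. The quorum parameters (remotes must span at least two regions, at most one may disagree), the data-centre names, the challenge name and the token are this example's own assumptions, chosen to illustrate the idea rather than quoted from the Baseline Requirements text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Perspective:
    """One vantage point. dns_view is a constructed stand-in for what a
    resolver on that network path would return for a TXT query."""
    name: str
    region: str
    dns_view: dict

    def lookup_txt(self, qname):
        return self.dns_view.get(qname)  # None models NXDOMAIN or a timeout


def corroborate(expected_token, qname, primary, remotes,
                min_regions=2, max_noncorroborating=1):
    """Decide whether a challenge passes multi-perspective validation.
    The quorum rule (remotes must span min_regions regions and at most
    max_noncorroborating of them may disagree) is this example's own
    assumption, not a quotation of the Baseline Requirements."""
    if primary.lookup_txt(qname) != expected_token:
        return False, "primary perspective did not validate"
    regions = {p.region for p in remotes}
    if len(regions) < min_regions:
        return False, f"remotes span {len(regions)} region(s), need {min_regions}"
    dissenting = [p.name for p in remotes if p.lookup_txt(qname) != expected_token]
    if len(dissenting) > max_noncorroborating:
        return False, (f"{len(dissenting)} of {len(remotes)} remote perspectives "
                       f"did not corroborate: {', '.join(dissenting)}")
    return True, "corroborated"


QNAME = "_acme-challenge.example.test"   # constructed challenge name
TOKEN = "tok-3f9a"                        # constructed challenge token


def _remotes(view_for):
    # Three constructed remote data centres in three regions; view_for(name)
    # returns the TXT value each of them observes.
    return [Perspective(n, r, {QNAME: view_for(n)}) for n, r in
            (("dc-us-east", "na"), ("dc-sg", "apac"), ("dc-br", "sa"))]


def scenario_honest():
    primary = Perspective("dc-eu", "eu", {QNAME: TOKEN})
    return corroborate(TOKEN, QNAME, primary, _remotes(lambda n: TOKEN))


def scenario_localized_hijack():
    # Attacker poisons only the primary's view (for instance by hijacking the
    # route between the CA's main data centre and the authoritative server).
    primary = Perspective("dc-eu", "eu", {QNAME: TOKEN})
    return corroborate(TOKEN, QNAME, primary, _remotes(lambda n: None))


def scenario_one_remote_outage():
    # A single remote times out; that is within the tolerated quorum.
    primary = Perspective("dc-eu", "eu", {QNAME: TOKEN})
    return corroborate(TOKEN, QNAME, primary,
                       _remotes(lambda n: None if n == "dc-sg" else TOKEN))


def scenario_single_region():
    # All remotes sit in one region: a regional hijack would fool them all.
    primary = Perspective("dc-eu", "eu", {QNAME: TOKEN})
    remotes = [Perspective(n, "eu", {QNAME: TOKEN}) for n in ("dc-de", "dc-fr", "dc-nl")]
    return corroborate(TOKEN, QNAME, primary, remotes)


if __name__ == "__main__":
    for fn in (scenario_honest, scenario_localized_hijack,
               scenario_one_remote_outage, scenario_single_region):
        print(f"{fn.__name__:26s} -> {fn()}")
```

    The hijack scenario is the one that matters: the primary sees the attacker's token, but the remotes, reached over different paths, see the real zone, so issuance fails. The single-region scenario shows why geographic spread is part of the rule and not just the count of perspectives.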

  • list

    The Public Suffix List

    > if a user uploaded something like an html file, you wouldn't want it to be able to run javascript on google.com (because then you can steal cookies and do bad stuff)

    Cookies are the only problem here, as far as I know; everything else should be sequestered by origin, which includes the full domain name. Cookies predate the same-origin policy and so browsers scope them using their best guess at what the topmost single-owner domain name is, using—I kid you not—a compiled-in list[1]. (It’s as terrifying as it sounds.)

    [1] https://publicsuffix.org/
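    How that compiled-in list is used, as an added example (not code from publicsuffix.org or from any browser): a minimal matcher for the Public Suffix List rule format (plain rules, `*` wildcards, `!` exceptions, longest match wins), the registrable domain derived from it, and the check a browser performs before honouring a `Domain=` attribute on `Set-Cookie`. The rule excerpt is constructed for the example; a real browser carries the full list.

```python
PSL_RULES_TEXT = """
// constructed subset of the Public Suffix List; comments start with //
com
uk
co.uk
github.io
ck
*.ck
!www.ck
"""


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if line:
            rules.append(line)
    return rules


RULES = parse_rules(PSL_RULES_TEXT)


def _labels(host):
    return host.lower().strip().rstrip(".").split(".")


def public_suffix_len(host, rules=RULES):
    """Number of trailing labels of host that form its public suffix.
    Exception rules (!) beat all others; otherwise the longest match wins;
    if nothing matches, the implicit rule '*' applies (one label)."""
    labels = _labels(host)
    best = None  # (is_exception, matched_label_count); tuples compare in that order
    for rule in rules:
        is_exc = rule.startswith("!")
        rlabels = (rule[1:] if is_exc else rule).split(".")
        if len(rlabels) > len(labels):
            continue
        tail = labels[-len(rlabels):]
        if all(r == "*" or r == h for r, h in zip(rlabels, tail)):
            cand = (is_exc, len(rlabels))
            if best is None or cand > best:
                best = cand
    if best is None:
        return 1
    is_exc, n = best
    return n - 1 if is_exc else n  # an exception rule names one label below the suffix


def registrable_domain(host, rules=RULES):
    """The 'topmost single-owner' name (public suffix plus one label),
    or None when host is itself a public suffix such as co.uk or github.io."""
    labels = _labels(host)
    n = public_suffix_len(host, rules)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def cookie_domain_allowed(request_host, domain_attr, rules=RULES):
    """Would a browser accept 'Set-Cookie: ...; Domain=domain_attr' from
    request_host? The attribute must domain-match the request host and must
    not be a public suffix; otherwise one tenant of github.io, or one
    registrant under co.uk, could plant cookies that every other one receives."""
    host = ".".join(_labels(request_host))
    domain = ".".join(_labels(domain_attr.lstrip(".")))
    if not (host == domain or host.endswith("." + domain)):
        return False
    return registrable_domain(domain, rules) is not None


if __name__ == "__main__":
    for h in ("www.example.co.uk", "co.uk", "alice.github.io", "www.ck", "foo.bar.ck"):
        print(f"{h:20s} registrable -> {registrable_domain(h)}")
    print(cookie_domain_allowed("alice.github.io", "github.io"))  # the "user upload" case
```

    The last line is the case from the quoted comment: a page served from one user's subdomain cannot set a cookie scoped to the shared parent, because the parent is on the list. Note that the list protects cookies only; scripts, storage and fetch credentials are still partitioned by full origin, as the comment says.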

  • gitlab

    https://gitlab.com/gitlab-org/gitlab/-/issues/327121 is the first one, and I'm having trouble locating the second (possibly due to the search pollution from the first one) but there are a bunch of "Exiftool has been updated to version [0-9.]+ in order to mitigate security issues" style lines in their security releases feed so it's possible they were bitten by upstream Exiftool CVEs

    Anyway, turns out that shelling out to an external binary fed with bytes from the Internet is good fun
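    Invocation hygiene for the pattern the comment describes, as an added example (not GitLab's code and not part of the original post): an uploaded file is handed to an external metadata parser with the file name confined to the upload directory, no shell, no stdin, `--` before the path so a name can never be read as an option, a hard timeout and capped output. This does not fix a bug inside the parser itself (that takes the upstream update, plus sandboxing the process); it removes the surrounding mistakes that turn a parser bug into something worse. The parser argv is an assumption; the demo substitutes this Python interpreter as a stand-in tool, and the sample file bytes are constructed. Check that the real tool honours the `--` end-of-options convention before relying on it.

```python
import os
import subprocess
import sys
import tempfile

MAX_INPUT_BYTES = 10 * 1024 * 1024   # refuse absurd inputs before the parser sees them
MAX_OUTPUT_BYTES = 64 * 1024         # keep a bounded amount of tool output
TIMEOUT_SECONDS = 5                  # a parser stuck in a decompression bomb gets killed


class UnsafeInput(ValueError):
    pass


def confine_upload_path(upload_root, user_name):
    """Map an untrusted file name to a path guaranteed to sit under upload_root."""
    if not user_name or "\x00" in user_name or user_name.startswith("-"):
        raise UnsafeInput("name is empty, contains NUL, or looks like an option")
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, user_name))
    if os.path.commonpath([root, path]) != root:
        raise UnsafeInput("path escapes the upload directory")
    return path


def run_parser(tool_argv, upload_root, user_name, timeout=TIMEOUT_SECONDS):
    """Run tool_argv on the upload with argument and path hygiene.
    Returns (exit_code, stdout_bytes); exit_code is None on timeout."""
    path = confine_upload_path(upload_root, user_name)
    if os.path.getsize(path) > MAX_INPUT_BYTES:
        raise UnsafeInput("upload too large for metadata extraction")
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "LANG": "C"}  # minimal env
    try:
        proc = subprocess.run(
            [*tool_argv, "--", path],        # list argv, never a shell string
            stdin=subprocess.DEVNULL,        # the tool gets nothing but the file
            capture_output=True,
            timeout=timeout,
            env=env,
            shell=False,
            check=False,
        )
    except subprocess.TimeoutExpired:
        return None, b""
    return proc.returncode, proc.stdout[:MAX_OUTPUT_BYTES]


def demo():
    """Constructed demonstration. The stand-in 'parser' is this interpreter
    printing the first four bytes of whatever path it is given (sys.argv[-1],
    because '--' precedes the path). Returns a dict of observed outcomes."""
    stand_in = [sys.executable, "-c",
                "import sys; sys.stdout.buffer.write(open(sys.argv[-1], 'rb').read(4))"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)   # constructed JPEG-like header
        code, out = run_parser(stand_in, root, "photo.jpg")
        results["exit"], results["magic"] = code, out
        for hostile in ("../../etc/passwd", "-ver", "a\x00b"):   # constructed hostile names
            try:
                run_parser(stand_in, root, hostile)
                results[hostile] = "accepted"
            except UnsafeInput:
                results[hostile] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k!r}: {v!r}")
```

    In production the same wrapper would additionally run the tool under a seccomp, AppArmor or container profile with no network and a read-only view of the single file, since the remaining risk is the parser's own code, not how it was invoked.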

  • pykka

    🌀 Pykka makes it easier to build concurrent Python applications.

    A friend of mine recently let the domain used for documentation of Pykka, a Python actor library, expire. Someone of course registered the domain, resurrected the content and injected ads/spam/SEO junk.

    Since the documentation is Apache License 2.0 there isn't much one can do, other than complain to the hosting about misuse of the project name/branding. But so far we haven't heard back from the hosting provider's abuse contact point (https://github.com/jodal/pykka/issues/216 if anyone is interested).

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

