infosex.exchange <3

You are probably looking for the infosec.exchange Mastodon instance

This host is mostly for my random stuff, and in little part acts like a well-intentioned placeholder for the typosquatted domain.

Discoverability and Archiving

Currently I'm using this host for saving the items from my own feeds to the Wayback Machine and provide in-links for search engines. I hate that I have to do this, but the non-sense ideology of Mastodon pretty much ruined the search feature for Fediverse as a whole, and this wasn't changed by the fact that they owned their mistake and implemented search eventually.

Yes, I (or anyone else) could do similar things with other peoples published feeds, regardless of the tantrum. No, you can't defederate this, because the process doesn't rely on an instance.

Gluttony Section for Search Engines

[RSS] Detecting and Mitigating the Apache Camel Vulnerability CVE-2025-27636

https://www.akamai.com/blog/security-research/march-apache-camel-vulnerability-detections-and-mitigations
this post | permalink
Analysis of CVE-2025-24813 Apache Tomcat Path Equivalence RCE

https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
this post | permalink
The Tomcat RCE is pretty fun, fortunately requirements look quite unusual. I'll write this up soonish, but first I have some hardware to fix...
this post | permalink
@ra6bit IME pentest can facilitate those things, e.g. I think every pentester has a story when the clients first inventory was compiled because it was needed for pentest scoping. Ofc this is far from ideal, but at least drives things in the right direction
this post | permalink
@wdormann signed, Dwayne Elizondo Mountain Dew Herbert Camacho
this post | permalink
[RSS] CVE-2024-28989: Weak Encryption Key Management in Solar Winds Web Help Desk

https://www.netspi.com/blog/technical-blog/adversary-simulation/cve-2024-28989-weak-encryption-key-management-solar-winds-web-help-desk/qq
this post | permalink
This is the fix commit for CVE-2025-24813, looks pretty straightforward:

https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c

Given Tomcat's downstream supply chain I'd be surprised if this didn't end up in KEV...
this post | permalink
[oss-security] CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

https://seclists.org/oss-sec/2025/q1/197

"If all of the following were true, a malicious user was able to perform remote code execution:

- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)

- application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack"
this post | permalink
[RSS] Exploiting Neverwinter Nights

https://www.synacktiv.com/en/publications/exploiting-neverwinter-nights
this post | permalink
@cR0w mandatory hymn: https://www.youtube.com/watch?v=9IG3zqvUqJY
this post | permalink
Next Page