
601 points scalewithlee | 2 comments
arp242 ◴[] No.43793937[source]
A few years ago I had an application that allowed me to set any password, but then gave mysterious errors when I tried to use that password to login. Took me a bit to figure out what was going on, but their WAF blocked my "hacking attempt" of using a ' in the password.

The same application also stored my full password in localStorage and a cookie (without httponly or secure). Because reasons. Sigh.

I'm going to do a hot take and say that WAFs are bollocks mainly used by garbage software. I'm not saying a good developer can't make a mistake and write a path traversal, but if you're really worried about that then there are better ways to prevent that than this approach which obviously is going to negatively impact users in weird and mysterious ways. It's like the naïve /(fuck|shit|...)/g-type "bad word filter". It shows a fundamental lack of care and/or competency.

Aside: is anyone still storing passwords in /etc/passwd? Storing the password in a different root-only file (/etc/shadow, /etc/master.passwd, etc.) has been a thing on every major system since the 90s AFAIK?

replies(2): >>43794029 #>>43796668 #
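An added example (not from the thread) of the contrast the comment draws: a constructed WAF-style rule that rejects any request value containing a quote, beside a parameterized query and salted hash that store and verify the same password correctly without any such filter. Table, column and function names are hypothetical.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed stand-in for a WAF "SQL injection" signature: any value with a
# quote, semicolon or comment token is rejected before the application sees it.
WAF_SQLI_RULE = re.compile(r"['\";]|--|/\*")


def waf_allows(value: str) -> bool:
    """True if the naive WAF rule would let this request value through."""
    return WAF_SQLI_RULE.search(value) is None


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the quote in the password is just another byte here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    # Bound parameters: the driver never splices the password into SQL text,
    # so no character in it can change the statement's structure.
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, _hash(password, salt)))


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash(password, salt))


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    pw = "it's a long passphrase; -- honestly"   # constructed legitimate password
    create_user(conn, "alice", pw)
    return {
        "waf_allows": waf_allows(pw),                      # False: filter blocks a valid login
        "login_ok": check_login(conn, "alice", pw),        # True: parameterized path is fine
        "wrong_pw_rejected": not check_login(conn, "alice", "' OR '1'='1"),  # True
    }
```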
1. tlb ◴[] No.43794029[source]
It's more that /etc/hosts and /etc/passwd are good for testing because they always exist with predictable contents on almost every system. If you inject "cat /etc/passwd" to various URLs you can grep for "root:" to see if it worked.

So it's really blocking doorknob-twisting scripts.

replies(1): >>43798566 #
2. arp242 ◴[] No.43798566[source]
Oh yeah, I've used it for that purpose. Seems rather silly to block that outright though since you can use many commonly distributed files.