
601 points scalewithlee | 1 comments
Null-Set No.43794314
This looks like it was caused by this update https://developers.cloudflare.com/waf/change-log/2025-04-22/ rule 100741.

It references this CVE https://github.com/tuo4n8/CVE-2023-22047 which allows the reading of system files. The example given shows them reading /etc/passwd.

replies(1): >>43794513 #
mrspuratic No.43794513
AFAICT it's also (though I'm very rusty) in ModSecurity, if XML content processing is enabled then rules like these will trip:

    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data"
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" ...
where the referenced files contain the usual list of *nix suspects including the offending filename (lfi-os-files.data, "local file inclusion" attacks).

The advantage (whack-a-mole notwithstanding) of a WAF is that it is orders of magnitude easier to tweak WAF rules than to upgrade, say, WebLogic, or other teetering piles of middleware.

replies(1): >>43798450 #
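To make the false-positive mechanics in the comment above concrete, here is an added Python sketch (not ModSecurity's code and not the CRS) that expands the variable list from the quoted SecRule, applies an @pmFromFile-style case-insensitive phrase match, and shows how a per-target exclusion (the effect a SecRuleUpdateTargetById-style tweak has) silences a benign hit. The request dicts, the phrase list and all helper names are constructed for this example.

```python
import re

# Constructed stand-in for lfi-os-files.data (the real phrase list is much longer).
LFI_OS_FILES = ["/etc/passwd", "/etc/shadow", "/etc/hosts", "/proc/self/environ"]

# Which request collection, and which half (key name or value), each variable reads.
COLLECTIONS = {
    "REQUEST_COOKIES": ("cookies", "value"), "REQUEST_COOKIES_NAMES": ("cookies", "name"),
    "ARGS": ("args", "value"), "ARGS_NAMES": ("args", "name"),
}

def select_targets(request, spec):
    """Expand e.g. 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|ARGS_NAMES|ARGS' into
    {label: text}. A leading '!' removes targets; ':/regex/' or ':name' selects keys."""
    chosen = {}
    for item in spec.split("|"):
        negate = item.startswith("!")
        var, _, sel = item.lstrip("!").partition(":")
        if var not in COLLECTIONS:          # XML:/* and friends are outside this toy
            continue
        coll, part = COLLECTIONS[var]
        key_re = re.compile(sel.strip("/")) if sel.startswith("/") else None
        for key, value in request.get(coll, {}).items():
            if key_re and not key_re.search(key):
                continue
            if sel and not key_re and key != sel:
                continue
            label = f"{var}:{key}"
            if negate:
                chosen.pop(label, None)     # exclusion drops an already-selected target
            else:
                chosen[label] = key if part == "name" else value
    return chosen

def evaluate_rule(request, spec, phrases, exclude=()):
    """Labels whose text contains any phrase (@pm matching is case-insensitive),
    skipping labels in `exclude` (the per-rule target exclusion a tuner would add)."""
    hits = []
    for label, text in select_targets(request, spec).items():
        if label not in exclude and any(p in text.lower() for p in phrases):
            hits.append(label)
    return hits

RULE_TARGETS = "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS"

# Constructed requests: a file-read probe, and a benign blog comment that merely names a path.
PROBE = {"args": {"file": "/etc/passwd"}, "cookies": {}}
BENIGN = {"args": {"body": "Add the host to /etc/hosts and restart"},
          "cookies": {"__utma": "/etc/passwd", "sid": "abc"}}

if __name__ == "__main__":
    print(evaluate_rule(PROBE, RULE_TARGETS, LFI_OS_FILES))                          # ['ARGS:file']
    print(evaluate_rule(BENIGN, RULE_TARGETS, LFI_OS_FILES))                         # ['ARGS:body']
    print(evaluate_rule(BENIGN, RULE_TARGETS, LFI_OS_FILES, exclude=("ARGS:body",)))  # []
```

The second call is the whack-a-mole case the comment describes: ordinary prose mentioning /etc/hosts trips the same phrase list as a real probe, and the third call shows the narrow exclusion that fixes it without disabling the rule.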
julik No.43798450
So that's why immediately when I hear "WAF" I read "...and the site will break in weird and exciting ways due to arbitrary, badly developed heuristics outside of your control, every odd day of every even week" - I remember the glory days of shared hosting and mod_security.

Turns out the hunches were right all along.