• 0 Posts
  • 5 Comments
Joined 1 year ago
cake
Cake day: October 18th, 2023

help-circle
  • Honestly, all applications are vulnerable AF, especially the open source projects without a major team behind them. I work in a security research team and we find critical bugs like this in a weekly basis. Even in major projects which you would be scared to know about. I personally wouldn’t expose anything except SSH or a VPN, or if I have to expose a web app, it’s going inside a VLAN with very restrictive firewall rules, proper logging, and a reverse proxy enforcing authentication via an OIDC based IDP.

    We generally spend a couple of days to a week before finding something critical allowing RCE.