oss-sec mailing list archives
Re: rclone data exfiltration / unauthorized API use
From: Solar Designer <solar () openwall com>
Date: Wed, 27 Jun 2018 11:40:47 +0200
Hi Daniel,

On Tue, Jun 26, 2018 at 05:56:18PM -0700, oss-security-list () contactdaniel net wrote:
> Due to its reliance on vulnerable upstream vendor SDKs & APIs, all current versions of 'rclone' are subject to a variety of attacks. This vulnerability is an instance of a class of security vulnerabilities that affect a wide variety of software. Any API which has clients perform actions on arbitrary URLs chosen by the API server will lead to this class of attack becoming a concern. Current Google Cloud Storage SDKs/APIs, Backblaze B2 APIs, and Yandex Disk APIs are affected. No CVE is presently assigned. Further details at: https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/
We have a policy here that while list postings may refer to external URLs, they must be complete on their own, and yours is not. Please see:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

I'm attaching a text export of your blog post to this message. Next time, please do something like this on your own.

Thanks,

Alexander
Attachment: restless-vuln.txt
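The class Daniel describes above, where a client acts on whatever URL the API server hands back, is mitigated on the client side by refusing to send a request (and the credentials or file contents that go with it) to any server-supplied URL that does not point at the vendor's expected endpoint. The Go check below is an added example written for this archive page, not code from rclone or from either message; the allowlisted host and the sample URLs are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AllowedUploadHosts is a constructed allowlist standing in for the hosts a
// storage backend's API is expected to return (hypothetical value).
var AllowedUploadHosts = []string{"upload.example-storage.test"}

// CheckServerURL decides whether a client may follow a URL that the API
// server supplied in a response. It returns nil only when the URL parses,
// uses HTTPS, carries no embedded userinfo, and its host is exactly one of
// the expected hosts or a subdomain of one. Everything else is rejected so
// the client never talks to a host of the server's choosing.
func CheckServerURL(raw string, allowed []string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing non-HTTPS scheme %q", u.Scheme)
	}
	if u.User != nil {
		// "https://expected.host@other.host/" parses with host other.host.
		return fmt.Errorf("refusing URL with embedded userinfo")
	}
	host := strings.ToLower(u.Hostname()) // port, if any, is stripped
	if host == "" {
		return fmt.Errorf("URL has no host")
	}
	for _, a := range allowed {
		a = strings.ToLower(a)
		if host == a || strings.HasSuffix(host, "."+a) {
			return nil
		}
	}
	return fmt.Errorf("host %q is not an expected API endpoint", host)
}

func main() {
	for _, raw := range []string{
		"https://upload.example-storage.test/v1/upload/abc",
		"https://attacker.test/collect?from=victim",
		"http://upload.example-storage.test/insecure",
		"https://upload.example-storage.test@attacker.test/",
	} {
		fmt.Printf("%-55s -> %v\n", raw, CheckServerURL(raw, AllowedUploadHosts))
	}
}
```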