Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2017-02-26 Thread Andy Wingo
Hi! On Fri 14 Oct 2016 23:55, Lizzie Dixon <_...@lizzie.io> writes: > I know it's a late kudo but still -- great investigation and writeup, thank you for digging in to this one :) Andy

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-16 Thread Lizzie Dixon
Hi Christopher,

On 10/16, Christopher Allan Webber wrote:
> So, I guess this will work from a public site as well?

Yes! The HTML I mentioned in my post is available here: (Though note that it won't work

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-16 Thread Arne Babenhauserheide
Christopher Allan Webber writes:
> browsers do and don't allow, but I'm stunned that a browser will let a
> request from some http://foo.example/ to http://localhost:37146/, even
> for just a GET. It seems like there are all sorts of daemons you can
> exploit that way.

This can be pretty useful

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-16 Thread Christopher Allan Webber
Lizzie Dixon writes:
> Hi,
>
> On 10/11, Christopher Allan Webber wrote:
>> The default in Guile has been to expose a port over localhost to which
>> code may be passed. The assumption for this is that only a local user
>> may write to localhost, so it should be safe. Unfortunately, users
>>

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-15 Thread Lizzie Dixon
Hi,

On 10/11, Christopher Allan Webber wrote:
> The default in Guile has been to expose a port over localhost to which
> code may be passed. The assumption for this is that only a local user
> may write to localhost, so it should be safe. Unfortunately, users
> simultaneously developing Guile

Re: Guile security vulnerability w/ listening on localhost + port (with fix)

2016-10-12 Thread Nala Ginrut
On Tue, 2016-10-11 at 09:01 -0500, Christopher Allan Webber wrote:
> The Guile team has just pushed out a new commit on the Guile stable-2.0
> branch addressing a security issue for Guile.  There will be a release
> shortly as well.  The commit is
> 08c021916dbd3a235a9f9cc33df4c418c0724e03, or for