
Comment Not a vulnerability in Java Commons Library (Score 5, Informative) 115

The linked article takes a lot of words to get to the point, which is that "WebLogic, WebSphere, JBoss, Jenkins, and OpenMMS, and many other pieces of software" will deserialize arbitrary user-supplied Java objects. To exploit that, you just provide a serialized class from commons-collections which (by design) executes the class's code during its deserialization process. If your application doesn't whitelist the classes it deserializes from an untrusted user, you deserve everything you get.
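The whitelisting the comment asks for, as an added example written for this page (it is not the commenter's code, nor code from any of the products named): the JDK's own ObjectInputFilter (Java 9+, backported to 8u121) is set on the ObjectInputStream so that only the application's expected type is ever instantiated. The `Order` class is a hypothetical application type; the rejected `ArrayList` stands in for whatever unexpected class an untrusted stream might carry.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

// Added example: class whitelisting for Java deserialization with the JDK's
// ObjectInputFilter. Not code from the comment or from any product named in it.
public class SafeDeserialize {

    // Hypothetical application type: the only thing this endpoint expects.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String item;
        final int quantity;
        Order(String item, int quantity) { this.item = item; this.quantity = quantity; }
    }

    // Allow exactly Order and String; "!*" rejects every other class before the
    // stream can instantiate it, so no library class ever gets to run its
    // readObject/readResolve code. Deliberately not "java.base/*": a gadget chain
    // is assembled from types the application never asked for.
    static final ObjectInputFilter ALLOW_ONLY_ORDER =
        ObjectInputFilter.Config.createFilter(
            Order.class.getName() + ";java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize untrusted bytes under the whitelist; the filter is consulted
    // for every class descriptor in the stream before the class is resolved.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_ONLY_ORDER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("widget", 3));
        Order o = (Order) deserialize(expected);
        System.out.println("accepted: " + o.item + " x" + o.quantity);

        // A harmless but unexpected type stands in for an attacker-chosen class;
        // the filter rejects it with InvalidClassException ("filter status: REJECTED").
        ArrayList<String> list = new ArrayList<>();
        list.add("x");
        byte[] unexpected = serialize(list);
        try {
            deserialize(unexpected);
            System.out.println("BUG: unexpected class accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the `jdk.serialFilter` system property, which is the practical answer for the servers the comment lists, where the deserializing code is the container's rather than your own; the per-stream form above is the one to use in application code that owns its ObjectInputStream.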

Comment Re:Exploit depends on not validating input? (Score 1) 399

Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?

Yes, but the program failing to validate the input is bash itself. Not your code.
As soon as you get to #!/bin/bash you're exploited. Doesn't matter how careful your script code is.

This is really, really bad. Does your home router have any cgi scripts that use bash? This remote exploit can be triggered with a query parameter.
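One way to catch the input the comment describes before it reaches a bash CGI script, as an added example written for this page and not taken from the comment: a CGI server copies request headers and the query string into environment variables, and an unpatched bash imports any variable whose value begins with the exact prefix `() {` as a function definition, running whatever follows the closing brace. The check below is meant for a reverse proxy, WAF or access-log review. The request fields and values are constructed samples; the pattern is deliberately slightly broader than bash's own exact-prefix test so that variants with leading whitespace are flagged too.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not from the comment: detection of bash function-export
// values in CGI request fields (headers and query string), so the request
// can be refused before any bash-based CGI script runs.
public class ShellshockRequestCheck {

    // Bash's own trigger is the exact prefix "() {". This pattern also tolerates
    // whitespace around the tokens, trading a few false positives for coverage.
    private static final Pattern FUNCTION_EXPORT = Pattern.compile("^\\s*\\(\\)\\s*\\{");

    static boolean looksLikeFunctionExport(String value) {
        return value != null && FUNCTION_EXPORT.matcher(value).find();
    }

    // Returns the names of request fields whose values carry the signature.
    static List<String> flaggedFields(Map<String, String> fields) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, String> e : fields.entrySet()) {
            if (looksLikeFunctionExport(e.getValue())) {
                flagged.add(e.getKey());
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed sample request, named as a CGI server exposes it to the script.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("HTTP_HOST", "router.example");
        request.put("HTTP_USER_AGENT", "Mozilla/5.0 (compatible)");
        request.put("HTTP_COOKIE", "() { :; }; echo probe");      // function-export signature
        request.put("QUERY_STRING", "page=status&id=42");         // ordinary query parameter
        request.put("HTTP_REFERER", "  () {  :;}; echo probe");   // whitespace variant, still flagged

        List<String> hits = flaggedFields(request);
        System.out.println(hits.isEmpty() ? "clean" : "refuse request, fields: " + hits);
    }
}
```

The real fix is the patched bash (which stops importing functions from arbitrary environment variables), so treat this check as a detection and stop-gap layer for devices such as the home router the comment mentions, where a bash update may not be available, rather than as a substitute for the patch.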

Comment Own goal for Google (Score 1) 132

Google Reader was the only reason to be logged in to Google on my normal browser (like a lot of people, I use a separate browser for Gmail, Facebook, and the other companies that exist to track your browsing habits). Now I use tt-rss, and Google have no idea which links I click any more.
