Hello and welcome to the Friday, December 2, 2022 edition of the Sansonet Stormer's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Well, let's start today with an interesting vulnerability in the Quarkas Java framework.

This is open source that's created by Redhead,

and it's meant to allow you to edit, manage code in serverless environments and containers.

Now, the problem here is that this particular environment also listens on the loopback interface

in order to receive messages about the code, help you with the migration of databases

and the like, and the HTTP server listening on a loopback does not really use any access controls.

This is something that we have seen many, many times before, most notable, like in some

Ethereum wallets.

And the problem now is that if the developer, while using Quarkas is visiting a malicious

website, JavaScript on that website, would be able to send a request cross-origin

because you can always send a simple request cross-origin.

And this particular web service here does not implement any protections against that.

So it doesn't have any cross-ed request forgery tokens or authentication, anything like

this, to prevent these simple cross-origin requests.

Like I said, common problem with web servers, web services listening on loopback because

developers often assume that, well,

nobody from the outside can connect to it. True, but you can always send requests via the

user's web browser. And then we got an interesting vulnerability in the free BSD ping utility.

Maybe not interesting because of its impact,

...