On Thursday, October 17, 2019 05:25:46 AM to...@tuxteam.de wrote:
> On Thu, Oct 17, 2019 at 11:08:34AM +0200, to...@tuxteam.de wrote:
>
> > [...]
>
> > [1] https://news.ycombinator.com/item?id=19507225
>
> Sorry. That link forces you through Twitter. Here are better
> ones:
>
> https://old.lwn.net/Articles/784758/
>
> https://www.bleepingcomputer.com/news/security/cisco-botches-fix-for-rv320-rv325-routers-just-blocks-curl-user-agent/

After reading (or skimming, as the case may be) some of these links, I have a few reactions (after LMAO). I am disappointed that this was not more widely publicized at the time (or even now) (I hadn't heard about it, or didn't understand it until now). Cisco should be a laughingstock and in some kind of hall of shame based on what I've read. ((Not) "fixing" a security problem by using a regex to prevent access to their routers via curl (while still allowing access (and the exploit) with any non-curl user string).)