Hello, I'm Michael

Software Developer / Problem Solver / Open Source Contributor

Privilege Escalation Exploits in Cobbler's API

Posted on August 2, 2018

TL;DR: There are several privilege escalation vulnerabilities in Cobbler’s XMLRPC API. There are also many endpoints that are not validating the auth tokens passed to them. As a result, the API is effectively unauthenticated. Consider using a firewall to restrict access to the /cobbler_api endpoint. [Read More]

README badges are vulnerabilities

Posted on June 22, 2018

TL;DR: Badges are not magic. They are just image hotlinks, and therefore you need to be able to trust the third party who serves them. [Read More]

Building Bots to mend Broken Badges (or how to get your GitHub account suspended)

Posted on March 8, 2018

TL;DR: Many badges were broken since they were using the shuttered pypi.in site. I wrote a bot that could fix these and automatically submit pull requests with the changes. And then I had my GitHub account suspended. Do not make automatic unsolicited pull requests. [Read More]