Once upon a time there was a HTML attribute called Id. She had graduaded from the W3 University, specialized in specifying a unique identifier for an HTML element. For her sister, Class, it was much easier to make friends, as she was able to hang out with multiple elements at the same time. Eventually, Id was almost entirely forgotten, and everyone started to invite only Class to every web site party.

One day the testers were thinking it would be nice if there was someone who could give unique identifiers to HTML elements. They hired Mr. Data-Testid from Nonstandardistan for the job despite he was not formally qualified. Unemployed and sad, Id lived unhappily ever after.

(The moral of the story: there is no need to reinvent the wheel.)

#webdevelopment

Track changes in the CVE database (CVEProject / cvelistV5) `tail -f` style, also printing changes in the CVSS 3.1 scores. Written using only the Python Standard Library, the only external requirement being the Git binary.

#cve #cvelist #vulnerabilities #cvss #opensource

https://github.com/oh2fih/Misc-Scripts/blob/main/bin/follow-cvelist.py

CVE-Search v5.1.0 fixes bugs, improves interoperability with the CveXplore library and makes it easier to retry incomplete updates from the NVD API. Read the changelog carefully.

https://github.com/cve-search/cve-search/releases/tag/v5.1.0

Let's Encrypt has made implementing DANE even more difficult. The root CA is no longer included in the chain, and the intermediates may change without notice. To address these issues, I wrote a script that automates TLSA record creation from the published intermediates.

#letsencrypt #dane #tlsa #certificatepinning

https://github.com/oh2fih/Misc-Scripts/blob/main/bin/letsencrypt-tlsa.sh

After some work on bug fixes & improvements for CVE-Search & CveXplore both finally have new releases. 🎉

https://github.com/cve-search/cve-search/releases/tag/v5.0.2

Valid characters in hostnames are `a-z`, `A-Z`, `-` and `.`. POSIX usernames can contain these and `_`. Windows is very liberal allowing also `' ! # ^ ~` – of which only `'` is problematic.

Yet, OpenSSH fixes CVE-2023-51385 by blacklisting shell metacharacters rather than whitelisting the possible characters. These functions are even named `valid_hostname()` & `valid_ruser()`, that are not semantically correct. This coding style attracts new vulnerabilities!

https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a

How much easier it would be to fight these scams if the hotel industry including Booking.com stopped treating credit card information just like the scammers do. It is getting harder and harder to book accommodation because hotels seldom support protection technologies (Verified by Visa, MasterCard SecureCode or Amex SafeKey) but would like to charge the credit card the old-fashioned way. The rush on the final stage also resembles awful lot like the normal operation of legitimate booking sites.

https://www.kaspersky.com/blog/booking-com-hacked-hotel-accounts-scam-customers/50109/