This week Jonathan chats with Bill Shotts about The Linux Command Line! That’s Bill’s book published by No Starch Press, all about how to make your way around the Linux command line! Bill has had quite a career doing Unix administration, and has thoughts on the current state of technology. Watch to find out more!
Continue reading “FLOSS Weekly Episode 864: Work Hard, Save Money, Retire Early”
This week Jonathan chats with Olaf Andreas Schulte and Lars Kiesow about Opencast, the video management system for education. What does Opencast let a school or university accomplish, how has that changed over the last decade, and what exciting new things are coming? Watch to find out!
Continue reading “FLOSS Weekly Episode 863: Opencast: That Code Is There For A Reason”
This week Jonathan chats with Toke Hoiland-Jorgensen about CAKE_MQ, the newest Kernel innovation to combat Bufferbloat! What was the realization that made CAKE parallelization? When can we expect it in the wild? And what’s new in the rest of the kernel world? Watch to find out!
Continue reading “FLOSS Weekly Episode 862: Have Your CAKE And Eat It Too”
This week Jonathan chats with Nicholas Adams about OpenRiak! Why is there a Riak and an OpenRiak, which side of the CAP theorem does OpenRiak land on, and why is it so blazingly fast for some operations? Listen to find out!
Continue reading “FLOSS Weekly Episode 861: Big Databases With OpenRiak”
This week Jonathan and Randal chat with Jose Valim about Elixir! What led Jose to create this unique programming language? What do we mean that it’s a functional language with immutability?
Continue reading “FLOSS Weekly Episode 860: Elixir Origin Story”
There’s something immensely satisfying about taking a series of low impact CVEs, and stringing them together into a full exploit. That’s the story we have from [Mehmet Ince] of Prodraft, who found a handful of issues in the default PostHog install instructions, and managed to turn it into a full RCE, though only accessible as a user with some configuration permissions.
As one might expect, it all starts with a Server Side Request Forgery (SSRF). That’s a flaw where sending traffic to a server can manipulate something on the server side to send a request somewhere else. The trick here is that a webhook worker can be primed to point at localhost by sending a request directly to a system API.
One of the systems that powers a PostHog install is the Clickhouse database server. This project had a problem in how it sanitized SQL requests, namely attempting to escape a single quote via a backslash symbol. In many SQL servers, a backslash would properly escape a single quote, but Clickhouse and other Postgresql servers don’t support that, and treat a backslash as a regular character. And with this, a read-only SQL API is vulnerable to SQL injection.
These vulnerabilities together just allow for injecting an SQL string to create and run a shell command from within the database, giving an RCE and remote shell. The vulnerabilities were reported through ZDI, and things were fixed earlier this year. Continue reading “This Week In Security: PostHog, Project Zero Refresh, And Thanks For All The Fish”
This week Jonathan chats with Jonathan Thomas about OpenShot, the cross-platform video editor that aims to be simple to use, without sacrificing functionality. We did the video edit with OpenShot for this episode, and can confirm it gets the job done. What led to the creation of this project, and what’s the direction it’s going? Watch to find out!
Continue reading “FLOSS Weekly Episode 859: OpenShot: Simple And Fast”
