I posted this image on LinkedIn as well, and the stats there tells me that Cisco is in fact now the third most common employing company among the viewers... (only beaten by AWS and Microsoft)
@bagder does this qualify as code bloat? the user agent header is completely arbitrary and can be set to anything.
I mean why single out curl. Shouldn’t the nmap default user agent be in there too? etc etc
@bagder so the exploit just needs an update to include setting the user agent header to something else right, and it could be one of many many many different strings.
@bagder But you see, curl -A "anonymous" is now considered unauthorized access of a computer system and is illegal according to the Computer Fraud and Abuse Act.
@colin_mcmillen@bagder wait, you can dump the config without authentication of any kind, which includes the devices password hashes, and somehow you can just pass those hashes back to authenticate to the device?
No, that all tracks with the sophistication of this “fix”.
@foosel@bagder I can well believe it, from the company that once broke their website by somehow removing every lowercase "t" from their HTML... Though that was about a decade earlier!
@root42@nullcolaship@foosel@bagder Interesting that it still renders as a website of sorts with all letters 't' removed. I wonder which letters are the most redundant ones in this metric.
@cd_home@root42@nullcolaship@foosel@bagder It is pretty funny - it's just that most of the HTML tags for content (h1-6, a, p, div) don't have the letter t, while a lot of stuff in the head (title, script, style) do.
Add comment