Several months ago, I found a #vulnerability from #MantisBT - Authentication bypass for some passwords due to PHP type juggling (CVE-2025-47776). Any account that has a password that results in a hash that matches ^0+[Ee][0-9]+$ can be logged in with a password that matches that regex as well. For example, password comito5 can be used to log in to the affected accounts and thus gain unauthorised access. The root cause of this bug is the incorrect use of == to match the password hash: if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) The fix is to use === for the comparison. This vulnerability has existed in MantisBT ever since hashed password support was added (read: decades). MantisBT 2.27.2 and later include a fix to this vulnerability.

Mantis Bug Tracker

MantisBT is a popular free web-based bug tracking system. It is written in PHP works with MySQL, MS SQL, and PostgreSQL databases. MantisBT has bee...

#CVE_2025_47776 #infosec #cybersecurity

I would be glad to donate to the #Python project, but doing so requires me to divulge my name and contact information as per their 501(c)(3) charitable organisation status: "Contact information is required for tax reporting purposes and will be shared only with the US government." Considering the current status of the US government, I don't feel comfortable doing this. Are there some other ways to donate to Python project without getting the US government involved? -

Python Software Foundation Blog

The PSF has withdrawn a $1.5 million proposal to US government grant program

In January 2025, the PSF submitted a proposal to the US government National Science Foundation under the Safety, Security, and Privacy of Op...

-

Donation for the PSF – Python Software Foundation

@npub1vv84...6fhk

IRC is working just fine. As always.

A lot of services that are supposedly running in EU are currently having significant issues due to AWS US-EAST-1 being impacted. But surely this is just some dependencies that are down and all our data is really stored in EU. Right? https://health.aws.amazon.com/health/status

#Signalapp appears to have some issues. The desktop app appears "offline" and messages are not going through, EDIT: This likely is an outage resulting from AWS US-EAST-1 having some issues: https://health.aws.amazon.com/health/status Many services are impacted. See https://downdetector.com/

AlphaPhoenix's video about the home-built 2 billion fps camera is one of the coolest videos for a long time. The premise is so simple that anyone (even people without degrees) can follow and understand it. Educational and cool as heck! #alphaphoenix #science #physics

While the latest #ChatControl proposal didn't proceed to a vote, the proponents of the interception of all chat traffic will undoubtedly continue their efforts to get the law passed - like they have for years now. It will resurface shortly, disguised and modified but effectively pushing for the same end result: removal of end-to-end encryption. We must stay vigilant and continue to fight for our freedoms. #StopChatcontrol #privacy

Broadcom has stopped delivering automated updates to #VMware Fusion and Workstation. All updates have to be downloaded and installed manually from the Broadcom Support Portal (as a side note: This portal is one of the worst corporate "support" websites I've seen in the last decade). This is terrible. It will lead to tens of thousands of VMware installations remaining vulnerable to trivially exploitable flaws, for example, local privilege escalation via CVE-2025-41244

Support Portal

Support Content Notification - Support Portal - Broadcom support portal

BTW, Please note that to fix CVE-2025-41244 you must now manually download the correct VMware Tools package from the support portal, unpack the zip, mount the ISO image, and then execute the setup.exe from the mounted ISO image. There is currently no VMware releases that include the fixed VMware Tools, so if you create any new VMs you MUST install the update manually to each new VM. Did I already mention this is terrible? #enshittification #infosec #cybersecurity

Aleksanteri Kivimäki - the person who mercilessly extorted psychotherapy centre patients with the leaked patient data - has been released from prison. Generally, I feel that the Finnish justice system is doing a fairly good job, but in this case, I feel like this is just outright wrong. This person should have served full time and not be considered a first-time offender. #vastaamo #vastaamopsychotherapycenter

Many moons ago, a friend ran an SSH honeypot that had a unique feature: when the attacker gained "access" to the system, he could then send responses to the interactive commands the attackers executed over an IRC channel. One day, some attacker popped in, and he started to taunt them live. Often, the attackers were just throwing in some copypasta and weren't actually checking the responses. This one time, the attacker realised what was going on and was quite amused, and started to chat back, sending fake commands to see if he would get obvious human responses back (Note: that this was well before generative AI). This went on for some time, and some kind of a connection was formed. The attacker would come back to chat with my friend, logging in over SSH to this honeypot. Eventually, the attacker divulged other means to communicate with him. He told me he was a bored Romanian guy who ran a kind of academy for young hacking talent. They'd gain access to some box, install their SSH bruteforcer (random IPv4 addresses and fixed password lists), and rinse and repeat. Eventually, the attackers seemed to stop and disappear. My friend contacted them and asked what had happened: maybe they had been caught by authorities? No such luck. Apparently, they had discovered some addictive online game that was more interesting. Threat actor group defeated by Candy Crush.