alt Hacker NewsI found a way to escape their shell (so you can run whatever you want), if you're not verified, it involves multiple steps to archive this. I mailed them 2x to their membership address, but since today no reaction. I asked also in their IRC.
Just a question to HN: should I wait more, try again? Or should I simply publish the vulnerabilities somewhere? If yes, where? It's my first time that I found a vulnerability at my own, not sure how to deal with that.
Replies
Don't publish. You already notified them, your shell escape isn't a big deal, publishing it will only be a pain for the volunteers running the service.
I think you should create some visible but harmless nuisance using this shell escape, so that it's likely to get noticed, but doesn't damage anyone's valuable data.
Perhaps just run "bash -c 'stress --cpu 64 ; echo fix your shell escape'"l " or something like that.
Definitely wait at least a few months if you've not already. There are legal risks with these kinds of things and some orgs move slowly.
I did it too but TBH as I used small tools such as tcc, jimsh, eforth+muxleq, sacc, smu, catpoint+pointtools, compilers from https://t3x.org... I didn't care a lot on the rest, I'm pretty happy with my current account.
You can do a lot with S9 Scheme and the Unix API/syscalls it supports.
You shall wait. It's a volunteer powered system and while the ops are silent and terse in their mails, they're nice people.
Their plate is already quite full and they operate a whole universe of services, so cut them some slack.
It's not an ordinary service which is exposed to internet trying to turn a profit. They run SDF, two Mastodon instances, a mail server, a Git server, trying to salvage/keep alive living computer museum (SDF Vintage Systems), etc. etc.