
Latest News

GHSA-3qmp-g57h-rxf2: Pingora Request Smuggling and Cache Poisoning

Pingora versions prior to 0.5.0 which used the caching functionality in pingora-proxy did not properly drain the downstream request body on cache hits. This allows an attacker to craft malicious HTTP/1.1 requests which could lead to request smuggling or cache poisoning. This flaw was corrected in commit fda3317ec822678564d641e7cf1c9b77ee3759ff by ensuring that the downstream request body is always drained before a connection can be reused. See [the blog post](https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/) for more information.

GHSA-hg3g-gphw-5hhm: Fiber panics when fiber.Ctx.BodyParser parses invalid range index

### Summary

When using the `fiber.Ctx.BodyParser` to parse into a struct with range values, a panic occurs when trying to parse a negative range index.

### Details

`fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax; however, when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality.

### Reproducing

Take a simple GoFiberV2 server which returns a JSON encoded version of the FormData

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"

	"github.com/gofiber/fiber/v2"
)

type RequestBody struct {
	NestedContent []*struct {
		Value string `form:"value"`
	} `form:"nested-content"`
}

func main() {
	app := fiber.New()

	app.Post("/", func(c *fiber.Ctx) error {
		formData := RequestBody{}
		if err := c.BodyParser(&formData); err != nil {
			fmt.Println(err)
			re...
```

Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying

A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

3AM Ransomware Adopts Email Bombing, Vishing Combo Attack

The emerging threat group is the latest to adopt the combo attack tactic, which Black Basta and other groups already are using to gain initial access for ransomware deployment.

Why 3D-Printing an Untraceable Ghost Gun Is Easier Than Ever

On today’s episode of ‘Uncanny Valley,’ we discuss how WIRED was able to legally 3D-print the same gun allegedly used by Luigi Mangione, and where US law stands on the technology.

UK Retail Cyberattacks May Drive Up US Insurance Premiums

Insurance experts weigh in on how the recent barrage of attacks against UK retailers could affect premium rates and policy requirements, as well as how to work toward improving risk assessment.

Operation RapTor: 270 Arrested in Global Crackdown on Dark Web Vendors

Global crackdown: Operation RapTor leads to 270 arrests, millions seized as law enforcement targets dark web drug, weapon, and crypto vendors.

Ghosted by a cybercriminal

Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.

CISA: Russia's Fancy Bear Targeting Logistics, IT Firms

The mission is to gather information that could help Russia in its war against Ukraine.

Database Leak Reveals 184 Million Infostealer-Harvested Emails and Passwords

Cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing a massive 184 million login credentials, likely collected…