undefined | Better HN

0 pointsac2u2y ago0 comments

A vulnerability (not necessarily this one, just hypothesising) could be exploited via a payload result from an outbound request to the internet.

0 comments

MuffinFlavored2y ago

I thought when the OP of this comment thread said locally they meant like, it isn't exposed to the Internet

ac2uOP2y ago

"exposed" as a word does a lot of heavy lifting here. When someone is asking me casually "hey, is this server exposed to the public internet"?

I take it to mean "can someone connect to it in an inbound manner from the public internet?"

If the answer is no, it doesn't necessarily mean that packets don't have other ways of making their way to the server, for example, a service running locally could have a webhook mechanism that fires events to an internet-accessible server whenever certain events happen.

You might trust the services you're sending requests to as part of that, but they could become compromised and send exploits as a response. Other vulnerabilities could be services running locally but that reach out to the internet to check for updates... more surface area to exploit.

If the OP was asking "I'm running this locally and I've set up my machine and firewalls to disallow any packets outside of the loopback interface", then the risk of the unpatched server is certainly reduced, but they could still be affected by another piece of software running on the same machine with internet access that is compromised first.

Anything beyond an isolated machine with 100% air-gapping is theoretically at risk.

Doesn't mean that the OP's question was a bad question or anything, they can use the answer to know how quickly they should worry about patching based on their own situation and risk tolerance.

thomasfromcdnjs2y ago

Great answer btw.

And yes, that is what I meant. curl hackmeplease.com 57 stack traces down.

j / k navigate · click thread line to collapse