
Boomkop3 ,

Welp, I guess sandboxing a browser that has a sandbox might still be a good idea

tyler ,

The article literally doesn’t explain the vulnerability at all.

drwho ,

Everybody who could explain it well is at Hacker Summer Camp right now.

floofloof , (edited )

It keeps promising to, then goes off into more ChatGPT-style rambling. It’s a bad article. This one is more informative:

oligo.security/…/0-0-0-0-day-exploiting-localhost…

sirico ,

hunter2 Wow it works!

dan , (edited )

Seems like a TCP/IP stack issue rather than a browser issue… 0.0.0.0 is not supposed to be a valid address (in fact, no IPv4 address with 0 as the first octet is a valid destination IP). The network stack should be dropping those packets.

0.0.0.0 is only valid in a few use cases. When listening for connections, it means “listen on all IPs”. This is a placeholder that the OS handles - it doesn’t literally use that IP. Also, it’s used as the source address for packets where the system doesn’t have an IP yet (eg for DHCP). That’s it.

drwho ,

I’m inclined to agree. This looks like a misunderstanding of RFC 5735.

dan ,

From that RFC:


    0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
    network.  Address 0.0.0.0/32 may be used as a source address for this
    host on this network; other addresses within 0.0.0.0/8 may be used to
    refer to specified hosts on this network ([RFC1122], Section
    3.2.1.3).

(note that it only says “source address”)

which was based on RFC 1122, which states:


    We now summarize the important special cases for Class A, B,
    and C IP addresses, using the following notation for an IP
    address:

        { <Network-number>, <Host-number> }

    or
        { <Network-number>, <Subnet-number>, <Host-number> }

    ...

    (a)  { 0, 0 }

    This host on this network.  MUST NOT be sent, except as
    a source address as part of an initialization procedure
    by which the host learns its own IP address.

    See also Section 3.3.6 for a non-standard use of {0,0}.

(section 3.3.6 just talks about it being a legacy IP for broadcasts - I don’t think that even works any more)

TehPers , (edited )

While I agree, it makes connecting to localhost as easy as http://0:8080/ (for port 8080, but omit for port 80).

I worry that changing this will cause more CVEs like the octal IP addresses incident.

Edit: looks like it’s only being blocked for outgoing requests from websites, which seems like it’ll have a much more reasonable impact.
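
An added example, not part of the original thread or of any browser's code: a check a request filter could apply to outgoing requests from public sites, using the WHATWG `URL` parser to canonicalise shorthand and octal/hex hosts such as `http://0:8080/` before comparing against the special-purpose blocks quoted above. The function names, the list of blocks and the block-everything-local policy are assumptions made for illustration.

```javascript
// Added example: classify where a URL really points after WHATWG URL
// normalisation, the same host parsing rules browsers apply.

// Special-purpose IPv4 blocks (chosen subset): [label, base address, prefix length].
const LOCAL_BLOCKS = [
  ["this-network (0.0.0.0/8)", "0.0.0.0", 8],
  ["loopback (127.0.0.0/8)", "127.0.0.0", 8],
  ["private (10.0.0.0/8)", "10.0.0.0", 8],
  ["private (172.16.0.0/12)", "172.16.0.0", 12],
  ["private (192.168.0.0/16)", "192.168.0.0", 16],
  ["link-local (169.254.0.0/16)", "169.254.0.0", 16],
];

// Convert a canonical dotted quad to an unsigned 32-bit integer.
function ipv4ToInt(dotted) {
  return dotted.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Return the canonical IPv4 host of a URL, or null if the host is not IPv4.
// new URL() rewrites "0", "0x7f.1", "0177.0.0.1" or "2130706433" to a dotted
// quad, so the range check below never sees the shorthand form.
function canonicalIPv4(rawUrl) {
  const host = new URL(rawUrl).hostname;
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : null;
}

// Report the canonical host and which local block (if any) it falls in.
function classifyTarget(rawUrl) {
  const host = canonicalIPv4(rawUrl);
  // DNS names are out of scope here: they need a check after resolution.
  if (host === null) return { host: new URL(rawUrl).hostname, block: null };
  const addr = ipv4ToInt(host);
  for (const [label, base, prefix] of LOCAL_BLOCKS) {
    const start = ipv4ToInt(base);
    const size = 2 ** (32 - prefix);
    if (addr >= start && addr < start + size) return { host, block: label };
  }
  return { host, block: null };
}

// Hypothetical policy: a page served from a public origin may not reach
// any address in LOCAL_BLOCKS, 0.0.0.0/8 included.
function shouldBlockFromPublicSite(rawUrl) {
  return classifyTarget(rawUrl).block !== null;
}
```

A filter that string-matches only `127.0.0.1` or `localhost` misses every one of the shorthand forms; comparing the canonical address against whole blocks does not.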
