vulnerability Archives - Include Security Research Blog

Working with vendors to “fix” unfixable vulnerabilities: Netgear BR200/BR500

May 19, 2022May 19, 2022 — IncludeSec

By Erik Cabetas In the summer of 2021 Joel St. John was hacking on some routers and printers on his IncludeSec research time. He reported security vulnerabilities to Netgear in their BR200 router line (branded as “Netgear Insight Managed Business Router”). During subsequent internal analysis by Netgear, they found that the BR500 line was also … Read more

Drive-By Compromise: A Tale Of Four Wifi Routers

December 19, 2022September 30, 2021 — IncludeSec

One of the bugs that was reported on fairly extensively had to do with this lovely page, hidden in the device’s webroot:

Dependency Confusion: When Are Your npm Packages Vulnerable?

March 9, 2021February 18, 2021 — Nick Fox, Tech Review by Juan Picado (Verdaccio) and Jason Kielpinski

This post follows up on the recent blog post by Alex Birsan which highlighted serious problems with how some programming language package managers (npm, RubyGems, and Python’s pip) resolve and install dependencies. Alex described possible causes for pip and RubyGems, but the details regarding npm were a bit less clear so we sought to help … Read more