Our team's security researcher @leonwxqian discovered a SQLite remote code execution vulnerability. This vulnerability can be triggered remotely by accessing a web page, affecting all software that uses Chromium or SQLite. Details can be found at https://blade.tencent.com/magellan/index_en.html ….
-
-
Cool discovery. But can you confirm that it really affect all software that uses SQLite? Chromium makes sense as most software using it probably allows attacker to execute some script or render arbitrary HTML, but SQLite?
1 reply 0 retweets 0 likes -
I'd imagine that it affects any software that uses SQLite, *and* in a way that allows an attacker to craft an arbitrary query (otherwise there's no attack vector). Which bizarrely includes Chromium (via Web SQL Database): https://caniuse.com/#feat=sql-storage … https://en.wikipedia.org/wiki/Web_SQL_Database …
2 replies 0 retweets 1 like
For example, here's the crash in sqlite itself. I'd imagine that any app that allows such queries to make their way to sqlite would be affected.pic.twitter.com/XPY7uEE8CK
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.