RIAA took down youtube-dl

26 October 2020

A few days ago the popular content download software “youtube-dl” was taken down by the RIAA. They left a notice in the GitHub repository that youtube-dl violates copyrights. In my opinion this is a shame. With youtube-dl it was possible to download any content from YouTube. That means you were also able to legally download content that was not protected by any content license. If we start to take down youtube-dl because it could also be used to download content illegally, then we should also take down all the browsers. We could also use browsers to illegally download content.

Read more..

10 July 2020

One of the best “alternative” social media platforms of the entire internet will shut down and be discontinued. I don’t have a Facebook or Twitter account, but I really loved it and I’ll miss it. The following message is from the soup-kitchen:

Read more..

Creative Contact Form: Directory Traversal (CVE-2020-9364)

9 March 2020

Identifier: AIT-SA-20200301-01
Target: Creative Contact Form (for Joomla)
Vendor: Creative Solutions
Version: 4.6.2 (before Dec 03 2019)
CVE: CVE-2020-9364
Accessibility: Remote
Severity: High
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)


Creative Contact Form is a responsive jQuery contact form for the Joomla content management system.

Read more..

OpenVPN: updating /etc/resolv.conf

26 December 2019

OpenVPN comes with example scripts to update /etc/resolv.conf using “resolvconf” or systemd-resolvconf. I don’t use either of them, therefore I modified the script so that it simply changes /etc/resolv.conf directly. I placed a variable “IMMUTEABLE” in this script. If IMMUTEABLE is set to 1, this script will change the file attribute of /etc/resolv.conf to immutable. In that way it is possible to prevent other programs like DHCP clients from changing /etc/resolv.conf while OpenVPN is running. I know, it’s a little bit hacky, but it works for me. The full source can be downloaded at

Read more..

HackADay: A Christmas-Machine(Merry Christmas)

21 December 2019

This year I want to wish you a merry Christmas by creating a blog entry for a Raspberry Pi Christmas project. The “christmas-machine” displays merry Christmas and wishes for the “Christkind” on a TFT display for the Raspberry. It is possible to send Christmas wishes using a web application that can be accessed via WiFi. I placed this installation in the coffee kitchen at the office and it was very nice to see that my colleagues had a lot of fun with it.

Blessings to “Brother Patrick”, who gave me that wonderful Joy-IT TFT display.

Read more..

BSides 2019: Code diving for pop chains

11 December 2019

BSides Vienna 2019 talk

I gave a talk at the BSides 2019 Vienna about PHP Object Injection. Here is the abstract of this talk:

Read more..

OkayCMS: Unauthenticated remote code execution

2 December 2019

Identifier: AIT-SA-20191129-01
Target: OkayCMS
Vendor: OkayCMS
Version: all versions including 2.3.4
CVE: CVE-2019-16885
Accessibility: Local
Severity: Critical
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)


OkayCMS is a simple and functional content management system for an online store.

Read more..

FreeRadius: Privilege Escalation via Logrotate

2 December 2019

Identifier: AIT-SA-20191112-01

Target: FreeRadius
Vendor: FreeRadius
Version: all versions including 3.0.19
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: CVE-2019-10143
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)


FreeRadius is a modular open-source RADIUS suite.

Read more..

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti