packages_versions),
str(build_request.defaults),
str(build_request.rootfs_size_mb),
str(build_request.
So, by creating a collision of the packages’ hash, we can produce the same cache key even if the packages are different.
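An added illustration (not code from the original article or from the OpenWrt project) of the point above: when the packages component of a composite cache key is a shortened digest, two different package lists can yield the same key, while the full digest keeps them apart. Only the field names come from the fragment above; the function names, the key layout and the 3-hex-character truncation are assumptions chosen so the demonstration finishes instantly.

```python
import hashlib
from itertools import count

TOY_HEX_LEN = 3  # constructed value: 12 bits, so a collision appears within 4097 tries


def digest(text, hex_len=None):
    """SHA-256 hex digest of text, optionally cut to hex_len characters."""
    return hashlib.sha256(text.encode()).hexdigest()[:hex_len]


def cache_key(req, pkg_hex_len=None):
    """Hypothetical cache key: the package list is hashed first, then mixed
    with the other request fields (layout assumed, not the project's code)."""
    pkg_hash = digest(" ".join(sorted(req["packages"])), pkg_hex_len)
    parts = [
        pkg_hash,
        str(req["packages_versions"]),
        str(req["defaults"]),
        str(req["rootfs_size_mb"]),
    ]
    return digest("\x00".join(parts))


def find_colliding_package_lists(hex_len):
    """Return two different constructed package lists whose shortened
    package digests are identical (pigeonhole guarantees termination)."""
    seen = {}
    for i in count():
        pkgs = ["base-files", f"constructed-pkg-{i}"]
        h = digest(" ".join(sorted(pkgs)), hex_len)
        if h in seen:
            return seen[h], pkgs
        seen[h] = pkgs


def demo():
    """Compare keys built from a shortened digest with keys built from the full one."""
    a_pkgs, b_pkgs = find_colliding_package_lists(TOY_HEX_LEN)
    base = {"packages_versions": {}, "defaults": "", "rootfs_size_mb": 0}
    a, b = dict(base, packages=a_pkgs), dict(base, packages=b_pkgs)
    return {
        "different_packages": a_pkgs != b_pkgs,
        "short_digest_keys_equal": cache_key(a, TOY_HEX_LEN) == cache_key(b, TOY_HEX_LEN),
        "full_digest_keys_equal": cache_key(a) == cache_key(b),
    }


if __name__ == "__main__":
    print(demo())
```

A cache that serves build artifacts by such a key should derive it from the full digest of every request field, so that distinct requests cannot share an entry.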
Conclusion

In this article, I explained how I could compromise the sysupgrade.openwrt.org service by exploiting the command injection and the SHA-256 collision.
2 hours ago @ flatt.tech