blog

My website can't be that messy, right? git clone https://anongit.hacktivis.me/git/blog.git/

cve.org-disaster.xml (3013B)


<!--
Copyright © 2014 Haelwenn (lanodan) Monnier
SPDX-License-Identifier: LAL-1.3
-->
<entry>
<title>The new CVE.org website is a security disaster so I made my own</title>
<link rel="alternate" type="text/html" href="https://hacktivis.me/articles/cve.org-disaster"/>
<id>https://hacktivis.me/articles/cve.org-disaster</id>
<published>2021-10-02T21:26:57Z</published>
<updated>2021-10-02T21:26:57Z</updated>
<link rel="external replies" type="application/activity+json" href="https://queer.hacktivis.me/objects/cc3a9571-23ae-4c0a-9067-bd2c49133271" />
<link rel="external replies" type="text/html" href="https://queer.hacktivis.me/objects/cc3a9571-23ae-4c0a-9067-bd2c49133271" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<p>
<code>cve.mitre.org</code>, the <a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">CVE</a> database website I was using instead of NIST's website to avoid a bit of JavaScript, started showing <q>NOTICE: CVE website transitioning to new “CVE.ORG” web address. Process to begin in late September 2021 and last one year. (<a href="http://cve.mitre.org/news/archives/2021/news.html#September022021_CVE_Website_Transitioning_to_New_Web_Address_-_CVE.ORG">details</a>)</q> some time ago, and I actually tried cve.org a few times only to be welcomed by an apparently blank page. Fine, sure, not deployed yet, I guessed. I couldn't have been more wrong: I took a closer look at it today and noticed it requires JavaScript, and by JavaScript I mean an epic disaster.<br />
I mean, just look at <a href="https://github.com/CVEProject/cve-website/pulls?q=is%3Apr+security">the security-related Pull Requests on its GitHub repo</a>.
</p>
<p>
And even if there weren't security issues in their new website, requiring Automatic &amp; Unverified Remote Code to be executed on people's machines to get security information? What is wrong with you? Do I need to make you assign a <abbr title="Common Vulnerability Scoring System">CVSS</abbr> score to this thing?
</p>
<p>
As I'd rather not sit idly while this shit seems to be coming, I made <a href="https://hacktivis.me/git/cve-client/">cve-client</a>, a simple script in almost dependency-less Perl. It takes a CVE-ID, fetches the JSON for it from their API (haven't found documentation for it, btw) and renders it to plain text, but also to Gemtext, the format used by the <a href="https://gemini.circumlunar.space/">Gemini protocol</a>; this way I could make it available to others without them having to use my code, and they very likely aren't going to receive malware in the process.<br />
I made the Gemini interface available at <a href="gemini://hacktivis.me/cgi-bin/cve">gemini://hacktivis.me/cgi-bin/cve</a>, feel free to make copies.<br />
I will maybe make an HTTP version of this at some point so it doesn't only run on my own disaster-looking Gemini server (stunnel + shell script), which I still have much more confidence in than most of the web.
</p>
</div>
</content>
</entry>
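<p>
An added example of the rendering step described above, written for this page and not taken from cve-client or the CVE project (cve-client is Perl; this is Python so it can be run and checked stand-alone). It assumes the record follows the CVE JSON 5 layout (<code>cveMetadata</code> plus <code>containers.cna</code>); the record embedded in it is constructed for the example and is not a real CVE. It shows the two checks a CGI like the one above needs once it takes a CVE-ID from a request and feeds untrusted JSON into a page: validating the ID before it is used in a URL or path, and making sure text from the record can never start a Gemtext line with a link, heading or preformat marker.
</p>

```python
import json
import re

# Constructed sample record for this example (not a real CVE), shaped like a
# CVE JSON 5 record: cveMetadata plus containers.cna. The description carries
# lines that a naive renderer would turn into a Gemtext link line and a
# preformatted-block toggle (three backticks at column zero).
SAMPLE_RECORD = json.dumps({
    "cveMetadata": {
        "cveId": "CVE-0000-0001",
        "state": "PUBLISHED",
        "datePublished": "2021-10-02T00:00:00",
    },
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value":
            "Example flaw in example-product before 1.2.3.\n"
            "=> gemini://evil.example/ click here for the fix\n"
            + "`" * 3 + "\nnot really preformatted"}],
        "affected": [{"vendor": "example-vendor", "product": "example-product",
                      "versions": [{"version": "1.2.2", "status": "affected"}]}],
        "problemTypes": [{"descriptions": [
            {"lang": "en", "description": "CWE-79 Cross-site scripting"}]}],
        "references": [{"url": "https://example.org/advisory"}],
    }},
})

# Gemtext decides what a line is by its first characters: "=>" link, "#"
# heading, "*" list item, ">" quote, three backticks preformat toggle. Text
# taken from the record must never start a line with one of these, or a
# crafted description could inject a link or swallow the rest of the page
# inside a preformatted block.
GEMTEXT_MARKERS = ("=>", "`" * 3, "#", "*", ">")

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def is_valid_cve_id(cve_id):
    """True for a syntactically valid CVE-ID. Check this before the ID is used
    to build an API URL, a cache path or a CGI response."""
    return isinstance(cve_id, str) and CVE_ID_RE.fullmatch(cve_id) is not None


def neutralize(text):
    """Render untrusted text as plain Gemtext lines. A leading space is enough:
    line types are only recognised at column zero, so " =>" is ordinary text."""
    out = []
    for line in text.replace("\r", "").split("\n"):
        if line.startswith(GEMTEXT_MARKERS):
            line = " " + line
        out.append(line)
    return "\n".join(out)


def english_description(cna):
    for d in cna.get("descriptions", []):
        if d.get("lang", "").lower().startswith("en"):
            return d.get("value", "")
    return "(no English description in record)"


def render_gemtext(record_json):
    """Turn one CVE JSON 5 record (as a JSON string) into a Gemtext page."""
    rec = json.loads(record_json)
    meta = rec["cveMetadata"]
    cna = rec["containers"]["cna"]
    if not is_valid_cve_id(meta.get("cveId")):
        raise ValueError("record does not carry a well-formed CVE-ID")
    lines = [f"# {meta['cveId']} ({meta.get('state', 'UNKNOWN')})", ""]
    if "datePublished" in meta:
        lines += [f"Published: {meta['datePublished']}", ""]
    lines += ["## Description", neutralize(english_description(cna)), ""]
    if cna.get("affected"):
        lines.append("## Affected")
        for a in cna["affected"]:
            versions = ", ".join(f"{v.get('version', '?')} ({v.get('status', '?')})"
                                 for v in a.get("versions", []))
            # Our own "* " marker goes first; only the untrusted part is neutralized.
            lines.append("* " + neutralize(
                f"{a.get('vendor', '?')} / {a.get('product', '?')}: {versions}"))
        lines.append("")
    cwes = [d.get("description", "") for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", [])]
    if cwes:
        lines += ["## Problem types"] + ["* " + neutralize(c) for c in cwes] + [""]
    if cna.get("references"):
        lines.append("## References")
        for r in cna["references"]:
            url = r.get("url", "")
            # A link line is "=> URL [label]"; whitespace would cut the URL short,
            # and an unexpected scheme gets no link at all, only plain text.
            if url.startswith(("https://", "http://", "gemini://")) and not any(c.isspace() for c in url):
                lines.append(f"=> {url}")
            else:
                lines.append(neutralize(url))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_gemtext(SAMPLE_RECORD))
```

<p>
Running it prints the constructed record as a Gemtext page in which the injected <code>=&gt; gemini://evil.example/</code> line comes out as plain text rather than a link, while the record's own reference URL is emitted as a real link line. The leading-space trick is the whole defence: Gemtext recognises line types only at column zero, so nothing else needs escaping.
</p>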