CVE-2010-5048: Remote code execution

Original release date: 09/05/2010
Last revised: 09/05/2010
Source: #sicp

Overview
progscrape changeset 42a310936c21c8896dd12b7bf2d9b0df2b07aa1c, as distributed on github.com starting on 9/5/10, contains an externally introduced modification (Trojan Horse) in the recently added threading code which allows remote attackers to execute arbitrary commands.
Description
Changesets 2e404d09524324d9433b9e560c95a40d7686349e and earlier are not affected.
Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References

External Source: MrVacBob
Hyperlink: http://twitter.com/mrvacbob/status/23031573891

External Source: Confirm
Hyperlink: http://twitter.com/Cairnarvon/status/22961802948

>>30
Did you test them at the same time (so they both have the same number of posts to scrape)?
On the same day, yes. The half-dozen or so posts /prog/scrape had to scrape that the Seshup one didn't won't make a huge difference.

Also, the C# one takes about half as much time as multi-threaded /prog/scrape when you only have about 30 threads to update.
Ridiculous lie. I know you're desperate to get people to try your scraper, Hotaru, but if it ever outperformed /prog/scrape (which I sincerely doubt), it definitely doesn't now.

What I'm actually curious about is the performance of the Postgres scraper. But not curious enough to install PostgreSQL.