diff --git a/.github/workflows/build_pages_native.yml b/.github/workflows/build_pages_native.yml index aa0f8ba5..0ed0408c 100644 --- a/.github/workflows/build_pages_native.yml +++ b/.github/workflows/build_pages_native.yml @@ -25,8 +25,10 @@ jobs: uses: actions/setup-python@v4 with: python-version: '3.7' +# - name: install prerequisites +# run: pip3 install html5validator requests && gem install --no-document html-proofer - name: install prerequisites - run: pip3 install html5validator requests && gem install --no-document html-proofer + run: pip3 install requests - name: Update external content run: ./update.sh - name: Clean up stubs @@ -35,8 +37,18 @@ jobs: run: bundle exec jekyll build --future 2>&1 | tee jekyll-build.log - name: "Fix security.txt" run: mkdir _site/.well-known && (cd _site/.well-known && ln -s ../security.txt) && ls -al _site/.well-known +# - name: Test HTML code +# run: ./proof_html.sh - name: Test HTML code - run: ./proof_html.sh + uses: Cyb3r-Jak3/html5validator-action@v7.2.0 + with: + root: _site/ + - name: Upload HTML test report + uses: actions/upload-artifact@v3 + if: success() || failure() # Run even if we had an error + with: + name: html5validator_log + path: log.log - name: rsync deploy uses: burnett01/rsync-deployments@5.2.1 if: ${{ github.ref == 'refs/heads/main' }} diff --git a/_config.yml b/_config.yml index ae89a031..8a4a878a 100644 --- a/_config.yml +++ b/_config.yml @@ -54,7 +54,16 @@ defaults: scope: path: "" # an empty string here means all files in the project values: - layout: "default" + layout: "default" + +compress_html: + clippings: all + comments: [""] + endings: [html, head, body, li, dt, dd, rt, rp, optgroup, option, colgroup, caption, thead, tbody, tfoot, tr, td, th] + profile: false + blanklines: false + ignore: + envs: [] exclude: diff --git a/_posts/2022/22-08-10-Itarian-Full-Disclosure.md b/_posts/2022/22-08-10-Itarian-Full-Disclosure.md index 094bd82a..d20618d8 100644 --- a/_posts/2022/22-08-10-Itarian-Full-Disclosure.md +++ b/_posts/2022/22-08-10-Itarian-Full-Disclosure.md @@ -82,7 +82,7 @@ The Token session cookie can be retrieved by abusing the XSS vulnerability in th Creating and bypassing approval consists of multiple steps. The vulnerability is easily exploited by calling the following three API endpoints in the following order: 1. /procedure/windows/create -2. /procedure/windows/update/id/ +2. /procedure/windows/update/id/\ 3. /procedure/run/device-all The first API call is used to create a procedure, the second is used to add arbitrary Python code and the last API call bypasses approval and pushes the procedure to all devices. These three steps have been automated in a Python POC which can be found [here](https://github.com/DIVD-NL/Itarian-2021-00037/blob/main/POC/CVE-2022-25152-POC.py)