Last week, I wrote about how Joshua Aaron's ICEBlock app, which allows people to anonymously report ICE sightings within a 5-mile radius, is – unfortunately, and despite apparent good intentions – activism theater. This was based on Joshua's talk at HOPE where he made it clear that he isn't taking the advice
uh… So that’s it, the Apache server version? That’s all? I looked at the critical CVEs for that version, and honestly, they’d require a pretty specific setup to be abused if I understood them correctly. Most of them were various DoS with no information disclosure, and the only spooky one I saw requires the server to have scripts the server is allowed to execute, but outside of the normal URL mapping. Which then would have to be disclosing some info or doing something spooky. The rest seem to require the attacker to control the app behind the apache2 server.
Would be better to upgrade, of course, but it looks nowhere near as bad as the blog author makes it sound.
The actual vulnerability doesn't matter, it's the way the guy handled it and keeps handling everything. He is just not mentally and technically equipped to run a project like this. He is completely out of his depth.
The only thing he should be doing is publishing his source code and handing the project over to people that know how to deal with things like this. But he just really wants to play the hero instead of actually making sure that people can effectively avoid ICE.