自称 HiCA (及其关联产品 Quantum CA)创始人的 GitHub 用户 xiaohuilam (Bruce Lam) 回应称,利用此漏洞的意图是使一般的 CA 签发过程能整合进 ACME.sh,并且 HiCA 从未利用此漏洞执行恶意代码。Bruce 也提到其已经关闭 HiCA 项目直到调查结束。

https://github.com/acmesh-official/acme.sh/issues/4659#issuecomment-1584414218

thread: /4231

#HiCA
GitHub
acme.sh runs arbitrary commands from a remote server · Issue #4659 · acmesh-official/acme.sh
Hello, You may already be aware of this, but HiCA is injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine. I am not sure if thi...
 
 
Back to Top