
A webshell and a normal file that have the same MD5

https://github.com/phith0n/collision-webshell
26•shlomo_z•3d ago

Comments

andreareina•3d ago
The normal file doesn't look that normal
o11c•1h ago
Keep in mind that the stated use is cache-poisoning of automated scanners, not fooling humans.
dsab•1h ago
It's a pity that there is no description of what it is supposed to be used for.
chipsrafferty•39m ago
Because there's unlikely to be a use case
h4ck_th3_pl4n3t•33m ago
The answer is likely wordpress, because its default wp_hash algorithm is still MD5.
0points•7m ago
> The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

That's only true if you ignore all the details.

As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being topic of discussion here.

So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.

Source: https://developer.wordpress.org/reference/functions/wp_hash_...

lisper•20m ago
If you don't know, then you aren't the target audience.

But there are two applications: the first is breaking in to a system under some very obscure set of circumstances that you are very unlikely to encounter in the real world. The second is to bump up your karma on HN.

Dwedit•1h ago
Proof of Concept or GTFO issue 0x14 is a PDF document file that can also be run as a NES ROM. The file will display its own MD5 hash in a PDF viewer, and also displays its own MD5 hash in a NES emulator (only first 40KB+16 bytes are actually loaded there)

https://github.com/angea/pocorgtfo#0x14

And yes, documents are not normally supposed to be able to display their own MD5 hash.

Incipient•54m ago
The idea here is you can trigger a server to run the "safe" php file, then send it the webshell version, which passes hash based scanning?
chipsrafferty•39m ago
Yes, but you'd need a situation where:

1. You can upload scripts that get scanned for malicious code
2. These scripts can be executed once deemed "safe"
3. The server is using MD5 hashes to determine if you uploaded the same file or if it should re-scan it

3 is where the issue is. It should probably always re-scan it and it definitely should not be using MD5.
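The failure mode in point 3 above, as an added illustration that is not part of the thread or the linked repository: a hypothetical upload scanner that caches verdicts per content hash. The two 128-byte inputs are the publicly known MD5 collision pair from Wang et al. (2004), used here only as constructed sample input; `ScanCache`, `toy_scanner` and `demo` are assumed names for the illustration.

```python
import hashlib

# Public MD5 collision pair (Wang et al., 2004): two different 128-byte
# inputs with the same MD5 digest. Sample input for this example only.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


class ScanCache:
    """Hypothetical upload scanner that remembers verdicts per content hash."""

    def __init__(self, algo):
        self.algo = algo        # "md5" (weak) or "sha256" (collision-resistant)
        self.verdicts = {}      # digest -> "clean" / "malicious"
        self.scans = 0          # number of real scans actually performed

    def key(self, data):
        return hashlib.new(self.algo, data).hexdigest()

    def check(self, data, scanner):
        # Cache hit means the verdict is reused without looking at the bytes.
        k = self.key(data)
        if k not in self.verdicts:
            self.scans += 1
            self.verdicts[k] = scanner(data)
        return self.verdicts[k]


def toy_scanner(data):
    # Stand-in for a real content scanner: the second file is the "bad" one.
    return "malicious" if data == COLLIDING_B else "clean"


def demo(algo):
    """Benign file is scanned first; the colliding file arrives afterwards."""
    cache = ScanCache(algo)
    first = cache.check(COLLIDING_A, toy_scanner)
    second = cache.check(COLLIDING_B, toy_scanner)
    return first, second, cache.scans
```

With `"md5"` the second file inherits the cached "clean" verdict and is never scanned; with `"sha256"` the digests differ, so it is scanned and flagged.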
