{"title":"Hello world","url":"https://nullcathedral.com/posts/2026-02-10-hello-world/","created_at":"2026-02-10T00:00:00Z","updated_at":"2026-02-10T00:00:00Z","description":"About this blog and the author behind it.","word_count":696,"reading_time":3,"tags":["meta"],"content_markdown":"\nOh hi, you found my blog, welcome. Most of the bugs I find start with \"I wonder if...\" or \"What happens when...\". This blog is a record of following those threads through real systems until something breaks or I run out of ideas. If that sounds like your kind of reading, it's probably worth adding to your feed reader.\n\n## Who I am\n\nI go by NULLCATHEDRAL (sometimes _NULL).\n\nI grew up sending `net send` messages across the network and checking if `/install` directories were left exposed on random sites. Spending hours in WPE Pro trying to figure out how to dupe items in obscure MMOs and writing game cheats to hook functions I didn't fully understand. Modding game clients, running private game servers out of my bedroom. I learned more about networking and memory management trying to keep a private server stable and \"cheat-proof\" than I ever did in a classroom.\n\nAt some point that tinkering turned into a career. I've worked as a penetration tester for most of it. The only part I don't love is report writing, but that's the deal.\n\nThis blog is the other side of that: stuff I poke at on my own time because I got curious, not because someone's paying me to. The bugs I like most hide in forgotten attack surface[^attack-surface] and custom protocols with hard-coded or homebrew crypto. Most of the work is reading source code and commit logs. Understand how it's supposed to work, then think about how it might not. Test it, be wrong, read more code, repeat. I'd rather be in the code than running scanners. 
Vendors don't want to share their source, so half the time you end up engineering your way in just to start the actual research.[^source-access] That part is sometimes more fun than the bugs themselves. Nothing for weeks, then 48 hours straight when something clicks. Sometimes the thread goes nowhere and I've spent a weekend staring at something that was never vulnerable in the first place.\n\n### On disclosure\n\nVendors get [120 days](/about/#disclosure-policy) to patch. Full technical details go up the day a fix drops. Anyone with a diff tool can figure out what changed anyway, and the window between \"patch released\" and \"exploit in the wild\" keeps shrinking. Withholding the writeup doesn't protect anyone. It just means defenders have less context than attackers.\n\nGood vendors make the process rewarding. Bad ones ghost you completely. But timing still matters. Dropping an exploit on Christmas Day when every sysadmin is offline isn't disclosure, it's a head start for attackers.[^mongobleed] So I try to work with vendors to ensure patches and disclosures land on days where people can actually patch; this is a case-by-case thing.\n\n### The blog\n\nThe [Roundcube post](/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/) is what most posts here will look like. Found a bug, here's how it works and how to fix it. A writeup without a PoC is just a story, for me at least.\n\nI've got a few more writeups waiting on vendor patches. Before this blog they would usually end up in text files or not get written at all. Having a place to publish them is reason enough to keep it going. Subscribe via the [feeds](/feeds) to know when new posts go up, or find me in `#nullcathedral` on [Libera.Chat](https://libera.chat/) and any of the [contact methods](/contact).\n\nOh, and if you already have me in your reader from the previous post, hello! Thanks for that.\n\nIf you find this blog interesting, shoot me an email. 
I enjoy the interaction and I'd find it interesting to hear what you're working on!\n\n[^attack-surface]: Debug endpoints left in production, deprecated API versions still routed, legacy admin panels, features the current dev team doesn't even know exist. They survive because they're not in anyone's scope and scanners don't know to look for them.\n[^source-access]: Pulling application bits and binaries off a server through an arbitrary file read, decompiling .NET assemblies, that sort of stuff. Source-assisted testing helps me find the things that actually matter.\n[^mongobleed]: [MongoBleed](https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb). An Elastic Security researcher dropped a working exploit for a decade-old MongoDB memory leak on Christmas Day. Over 200k instances on the internet exposed. Merry Christmas to every MongoDB admin on the planet.\n"}