BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//bsidesluxembourg-2026//talk//WDFHHV
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-bsidesluxembourg-2026-WDFHHV@pretalx.com
DTSTART;TZID=CET:20260507T144500
DTEND;TZID=CET:20260507T152000
DESCRIPTION:CFITSIO is a NASA-maintained library widely used for reading an
 d writing FITS (Flexible Image Transport System) data across astronomy\, a
 strophotography\, and scientific software. The raw data behind the stunnin
 g images from Hubble and Webb telescopes — and even from casual backyard
  observatories — is stored in FITS format. CFITSIO is often embedded dee
 p inside larger applications and services. One of its core features\, **Ex
 tended Filename Syntax (EFS)**\, turns what appears to be a simple filenam
 e into a powerful **mini-language** supporting virtual files\, filtering\,
  filesystem interaction\, and network access.\n\nThis talk presents origin
 al security research into CFITSIO’s Extended Filename Syntax and shows h
 ow it quietly expands the attack surface of applications that rely on defa
 ult CFITSIO APIs. I will demonstrate how EFS can be abused to enable multi
 ple high-impact security primitives\, including arbitrary file operations\
 , server-side request forgery\, protocol-level manipulation\, and unintend
 ed data exposure.\n\nThese issues are not classic memory corruption bugs\,
  but abuses of legitimate\, documented features that are enabled by defaul
 t and inherited by third-party software without explicit awareness or thre
 at modeling. This research builds on earlier CFITSIO vulnerabilities I pre
 viously reported and highlights how feature-rich parsing logic can turn fi
 lenames into a **supply-chain attack surface**.
DTSTAMP:20260412T024700Z
LOCATION:Workshops and Stage - Gernsback (C1.05.02)
SUMMARY:When Filenames Become Attack Surfaces: Weaponizing NASA’s CFITSIO
  Extended Filename Syntax - Adrian Denkiewicz
URL:https://pretalx.com/bsidesluxembourg-2026/talk/WDFHHV/
END:VEVENT
END:VCALENDAR