Conversation

Notices

1.  (mint@ryona.agency)'s status on Friday, 26-May-2023 17:43:18 JST 
   Looks like default CSP sandboxing rules were applied to local media but not to mediaproxy. Or does nginx strip it when hitting cache? Regardless, that is the prime :clueless: moment.
   Screenshot_20230526_114011.png
   Screenshot_20230526_114057.png
   • † top dog :pedomustdie: (dcc@annihilation.social)'s status on Friday, 26-May-2023 17:46:07 JST † top dog :pedomustdie:

     in reply to
     @mint non media proxy bros keep winning :sulurp:
      likes this.
   • :blank: (i@declin.eu)'s status on Friday, 26-May-2023 17:48:29 JST :blank:

     in reply to
     @mint 77 years since Von Neumann and still bites us in the ass, data should never be mixed with code 🧹
      likes this.
   •  (mint@ryona.agency)'s status on Friday, 26-May-2023 17:55:14 JST 

     in reply to

     • pomstan
     @pomstan Tricking drunk Stevens into clicking on a mediaproxy-served svg file with embedded js that steals oauth tokens.
   • pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Friday, 26-May-2023 17:55:15 JST pomstan

     in reply to

     @mint so what’s the actual exploit?

   •  (mint@ryona.agency)'s status on Friday, 26-May-2023 17:56:42 JST 

     in reply to

     • pomstan
     @pomstan Correction: not embedded, uploaded to the same host as svg itself and referenced in ti.
   •  (mint@ryona.agency)'s status on Friday, 26-May-2023 18:02:31 JST 

     in reply to

     • pomstan
     @pomstan Not in <img>, it seems, but opening in new tab does execute it.
   • pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Friday, 26-May-2023 18:02:32 JST pomstan

     in reply to

     @mint uh… you can execute js inside svg in <img> tags?

   •  (mint@ryona.agency)'s status on Friday, 26-May-2023 18:07:38 JST 

     in reply to

     • pomstan
     • LS
     • :VD15_0::VD15_1::VD15_2::VD15_3::VD15_4::VD15_5::VD15_6::VD15_7:
     • † top dog :pedomustdie:
     • :blank:
     @pomstan @dcc @i @lain @VD15 CSP sandbox header prevents all JS execution in a loaded file, Pleroma applies it by default to local uploads, but media served over mediaproxy still had the default CSP that includes script-src: self 'unsafe-inline'.
   • pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Friday, 26-May-2023 18:07:39 JST pomstan

     in reply to

     • LS
     • :VD15_0::VD15_1::VD15_2::VD15_3::VD15_4::VD15_5::VD15_6::VD15_7:
     • † top dog :pedomustdie:
     • :blank:

     @mint @VD15 @lain @dcc @i so how is it dependent on mediaproxy then?

   • LS (lain@lain.com)'s status on Friday, 26-May-2023 18:08:58 JST LS

     in reply to

     • pomstan
     • :VD15_0::VD15_1::VD15_2::VD15_3::VD15_4::VD15_5::VD15_6::VD15_7:
     • † top dog :pedomustdie:
     • :blank:
     @mint @dcc @i @VD15 @pomstan it doesn't include unsafe-inline, but it doesn include self
      likes this.
   • pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Friday, 26-May-2023 18:10:52 JST pomstan

     in reply to

     • LS
     • :VD15_0::VD15_1::VD15_2::VD15_3::VD15_4::VD15_5::VD15_6::VD15_7:
     • † top dog :pedomustdie:
     • :blank:

     @mint @dcc @i @lain @VD15 ah, ok, if you have no mediaproxy then they can’t steal origin data from that new tab

     i just still can’t sober up after yesterday

      likes this.
   • bot :kiwi_dumbbell: (bot@seal.cafe)'s status on Saturday, 27-May-2023 01:16:14 JST bot :kiwi_dumbbell:

     in reply to

     • pomstan
     • LS
     • :VD15_0::VD15_1::VD15_2::VD15_3::VD15_4::VD15_5::VD15_6::VD15_7:
     • † top dog :pedomustdie:
     • :blank:
     How did it work if poast has their media on a separate domain?
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 01:16:14 JST 

     in reply to

     • pomstan
     • bot :kiwi_dumbbell:
     • LS
     • :VD15_0::VD15_1::VD15_2::VD15_3::VD15_4::VD15_5::VD15_6::VD15_7:
     • † top dog :pedomustdie:
     • :blank:
     @bot @dcc @i @lain @VD15 @pomstan Local media is separate, yes, but mediaproxy is still accessed from the main one.