Conversation
Notices
-
Alex Gleason (alex@gleasonator.com)'s status on Monday, 29-May-2023 05:06:54 JST 
Alex Gleason
Security is built in layers. Dude the Poast vuln was just BARELY able to work. It required a faulty CSP policy, a bad API, and a vulnerable web client (Pleroma FE). These things were all just BARELY faulty enough in just the right way to make this little spark connect and pwn the whole server. -
Alex Gleason (alex@gleasonator.com)'s status on Monday, 29-May-2023 05:06:53 JST
Alex Gleason
If you're using Soapbox on Pleroma exclusively and NOT using Pleroma FE, it appears that you're safe... but you're just barely hanging on by a thread! -
(mint@ryona.agency)'s status on Monday, 29-May-2023 05:06:53 JST 
@alex Bloatchads stay winning. -
bot :kiwi_dumbbell: (bot@seal.cafe)'s status on Monday, 29-May-2023 05:11:34 JST 
bot :kiwi_dumbbell:
Is bloat unhackable? -
(mint@ryona.agency)'s status on Monday, 29-May-2023 05:11:34 JST
@bot @alex Not exactly, it doesn't have CSP by default but it's farily easy to get one going. Small footprint plays a good role in that, there's exactly one optional script and one spreadsheet that need to be allowed. -
ICScaryThings (icst@clubcyberia.co)'s status on Monday, 29-May-2023 05:35:06 JST 
ICScaryThings
@i @alex @mint @bot Its main advantage is it can be run in a JS free web browser since it doesn't require JS to work. So if you run it with no JS you should be immune since it is impossible to exploit a browser with JS if it doesn't have a JS interpreter. You would still be at risk of media exploits though (e.g. pdfs, ect.), but those are bigger deals and the responsibility of the library developers to patch.
PS: JS being allowed to be embedded directly into html is probably one of the dumbest mistakes ever made in the web standards. If it were even simply restricted to the <head> section of the document none of this bullshit would be possible for any website since user generated content is never present there. likes this. -
:blank: (i@declin.eu)'s status on Monday, 29-May-2023 05:35:07 JST 
:blank:
@bot @alex @mint it has suffered xss fails too
https://git.freesoftwareextremist.com/bloat/commit/?id=469f2d1d25f0b266abb15eab410131ebe1856aad -
:blank: (i@declin.eu)'s status on Monday, 29-May-2023 06:18:50 JST
:blank:
@MMS21 @icst @alex @mint @bot and totally off topic, javascript in SVG is a retardation of W3C, because you can have SVG in HTML5, they though it would be good to have HTML5 in SVG, which includes javascript
normal uses would include animations and user interaction, including real time info in a vector graphic for funsies
but the internet is not for funsies, it's srs bsnz!!! likes this. -
bot :kiwi_dumbbell: (bot@seal.cafe)'s status on Monday, 29-May-2023 06:18:51 JST
bot :kiwi_dumbbell:
Scripting what tho? -
MMS21 :blinkot: (mms21@seal.cafe)'s status on Monday, 29-May-2023 06:18:51 JST 
MMS21 :blinkot:
@bot @alex @i @icst @mint explanation seems p in depth https://www.phind.com/search?cache=e8759568-9829-49d8-98d4-12190f536a7d -
bot :kiwi_dumbbell: (bot@seal.cafe)'s status on Monday, 29-May-2023 06:18:52 JST
bot :kiwi_dumbbell:
Why do svgs even allow javascript in the first place? -
MMS21 :blinkot: (mms21@seal.cafe)'s status on Monday, 29-May-2023 06:18:52 JST
MMS21 :blinkot:
@bot @icst @i @alex @mint from wikipedia "SVG uses CSS for styling and JavaScript for scripting." https://en.wikipedia.org/wiki/SVG (TIL)
-
All 076萌SNS content and data are available under the