Another important Pleroma security post: @alex and @graf found ANOTHER injection bug, and this one was probably used for the attack. I think that single-user instances are probably not affected, but I wouldn't want to risk it. Move your media and proxy to a subdomain as alex initially recommended; it's not complicated, takes 15 minutes, and eliminates this whole class of bugs.
Fix is being worked on, but just do the media/proxy thing now so you'll never have to worry about this again.
@lain @alex @graf
> Move your media and proxy to a subdomain
Yeah I'm not doing that. There's six mirrors across different networks, all of which would need to have subdomains configured somehow, even the one that is a plain IPv6 without a domain (moving it to a different port like I did with bloat?). Old media would still dangle in the same dir unless you introduce more overhead by putting in redirects. Speaking of media, here's my setup:
> mediaproxy is disabled as it doesn't play well with upstream proxies; the state of HTTP adapters in Erlang/Elixir is abysmal and you all know it
> nginx serves media directly from Pleroma's upload dir, bypassing Cowboy, Oban and other shit
> since nginx doesn't analyze file contents, it sends the MIME type corresponding to the extension, so you can't load a js file uploaded as txt because it'll be text/plain or octet-stream (don't remember if that's also a default pleroma behavior or not)
> as for .js uploads themselves, they all return 403, that was one of the first things I did after the initial hack
So far I don't see how it can be exploited if there's no way to access any scripts that aren't part of the frontend, due to the basic 403, CORS/CSP block on a subdomain or otherwise.
@lain if I just changed media to use the subdomain media.shpposter.club, which maps to the same server, without configuring any proxy stuff, doesn't that do the trick already? All media you'll see on the tl will have a different domain.
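The two setups discussed above (a dedicated media subdomain, and nginx serving the upload dir directly with extension-based MIME types and a 403 on .js) can be combined in one nginx server block. This is an added example, not configuration from Pleroma or from anyone in the thread; the hostname, certificate paths, upload directory and the Pleroma setting named in the comment are assumptions. It goes slightly further than the post by also refusing HTML/SVG/XML and sending nosniff and a sandboxing CSP, so that even a mis-typed upload cannot run as a page on the instance's origin.

```nginx
# Assumed matching Pleroma setting (config/prod.secret.exs), so that uploaded
# attachments are linked through this host instead of the main instance domain:
#   config :pleroma, Pleroma.Upload, base_url: "https://media.example.com/media/"

server {
    listen 443 ssl http2;
    server_name media.example.com;                              # assumed

    ssl_certificate     /etc/ssl/media.example.com/fullchain.pem;  # assumed
    ssl_certificate_key /etc/ssl/media.example.com/privkey.pem;    # assumed

    # Unknown extensions are plain bytes, never a document.
    default_type application/octet-stream;

    # Stop browsers from guessing a type from file contents.
    add_header X-Content-Type-Options "nosniff" always;
    # If a file is opened directly, it renders sandboxed with no script.
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    add_header X-Frame-Options "DENY" always;

    # Active content is refused outright, whatever the instance stored.
    location ~* \.(js|mjs|html?|xhtml|svgz?|xml)$ {
        return 403;
    }

    # Serve straight from the upload dir, bypassing the Elixir app.
    location /media/ {
        alias /var/lib/pleroma/uploads/;                        # assumed
        # Explicit allow-list of extension -> type; anything else falls
        # back to default_type above.
        types {
            image/jpeg  jpg jpeg;
            image/png   png;
            image/gif   gif;
            image/webp  webp;
            video/mp4   mp4;
            video/webm  webm;
            audio/mpeg  mp3;
            audio/ogg   ogg;
        }
        try_files $uri =404;
    }

    # Nothing else belongs on this host.
    location / { return 404; }
}
```

Old attachments keep their original URLs on the main domain until re-linked, which is the dangling-media objection raised above; this block does not solve that.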
@mint @alex @lain @graf lmao "displaying images on a website is too complicated and it keeps injecting javascript so just host all your images on a different domain instead".
I wrote my own MIME detection crap in Rust in a few hours, optional ffmpeg integration for codec detection. Apparently no Elixir dev can do this.