Conversation

Notices

1. :blank: (i@declin.eu)'s status on Saturday, 05-Aug-2023 19:13:34 JST :blank:
   more releases soon
   https://git.pleroma.social/pleroma/pleroma/-/issues/3185
   •  repeated this.
   •  (mint@ryona.agency)'s status on Saturday, 05-Aug-2023 19:13:33 JST 

     in reply to
     @i They already did one.
     https://git.pleroma.social/pleroma/pleroma/-/commit/4099ddb3dc5840fa10cff743d87464acf7898a80
   • :blank: (i@declin.eu)'s status on Saturday, 05-Aug-2023 20:00:31 JST :blank:

     in reply to
     gonna guess this one's related to the frontend download/unzip feature, you could replace the captcha binary and call it through the api even if registration is disabled, so only cum.salon/btrfly would be affected
      likes this.
   •  (mint@ryona.agency)'s status on Saturday, 05-Aug-2023 20:32:28 JST 

     in reply to
     @i Alright, let's see.
     dist.zip
   •  (mint@ryona.agency)'s status on Saturday, 05-Aug-2023 20:48:50 JST 

     in reply to

     • 
     @i Tried a bunch of other zip slips to either overwrite the favicon or add another static html to nukie's instance, didn't work. Maybe it needs something more complicated than basic ../../../.
   • :blank: (i@declin.eu)'s status on Saturday, 05-Aug-2023 20:51:39 JST :blank:

     in reply to

     • 
     @mint 14:48:55.143 [error] Illegal path: ../../favicon.png, extracting in ./
     
     if only you could replace Pleroma.Config.get!([:instance, :static_dir] as the janny...
      likes this.
   •  (mint@ryona.agency)'s status on Monday, 07-Aug-2023 19:00:23 JST 

     in reply to
     @i As expected.
     https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3935/diffs
   • :blank: (i@declin.eu)'s status on Monday, 07-Aug-2023 19:14:20 JST :blank:

     in reply to

     • 
     @mint oh lol, read over https://paraxial.io/blog/elixir-rce yesterday but didn't think to search for it in pleroma, epic
      likes this.