GNU social JP
GNU social JP is a GNU social server in Japan.

Professor (professorpowerbottom@seal.cafe)'s status on Friday, 26-May-2023 15:49:40 JST

    Guide to remediating the pleroma/ copebox exploit

This is a file upload vulnerability that exploits an excessive trust relationship; it's not XSS, because nothing is injected through parameters. OAuth tokens are generated on the client side and validated on the server, so the script is just intercepting those OAuth tokens. I'm not entirely sure of the full scope of what actually happened versus the narrative being pushed around, but it seems to be directly related to either Soapbox or Pleroma. In the best case this is negligence independent of the fediverse software (press X to doubt).

    • Validate your file upload protections. JS isn't required, so why are you allowing it? This should never be a valid upload type. Scan everything.
    • Have a Content Security Policy in place; it is a defense-in-depth measure to explicitly state where JavaScript files can be run from.
    • Give your OAuth tokens a shorter lifespan, or purge them after they are used. YubiKeys are handled this way: one-time use only.
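The first two bullets of the post, as an added example that is not part of the post or of Pleroma/Soapbox code: a server-side upload allowlist that requires the extension, the declared type and the file's magic bytes to agree, rejects active content outright, and the response headers and CSP that keep an accepted file from ever executing as script. The allowlist and sample inputs are constructed for this example.

```python
# Allowlist: extension -> (MIME type, magic-byte prefixes). Constructed for
# this example; a real instance derives it from the media it must serve.
ALLOWED = {
    ".png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    ".jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}

# Active content a browser will execute if it is served from the app origin.
# Rejected outright, whatever the client claims about it.
ACTIVE_CONTENT = {
    "application/javascript", "text/javascript", "text/html",
    "application/xhtml+xml", "image/svg+xml",
}


def check_upload(filename: str, declared_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Extension, declared MIME type and file
    content must all agree on a single allowlisted type."""
    mime = declared_type.split(";")[0].strip().lower()   # drop parameters
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if mime in ACTIVE_CONTENT:
        return False, "active content is never a valid upload type"
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not in allowlist"
    expected_type, magics = ALLOWED[ext]
    if mime != expected_type:
        return False, "declared type does not match extension"
    if not any(data.startswith(m) for m in magics):
        return False, "file content does not match declared type"
    return True, "ok"


def media_headers(content_type: str) -> dict[str, str]:
    """Headers for serving an accepted upload: forbid MIME sniffing and
    script execution even if a polyglot file slips past the magic check."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# CSP for the application pages themselves: scripts only from our own origin.
APP_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
           "base-uri 'self'; frame-ancestors 'none'")
```

Serving uploads from a separate media origin, with the headers above, keeps a smuggled file out of the application's scripting context even if another check fails.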

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.