on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Friday, 26-May-2023 17:37:09 JST
I found out how the attack works. It indeed depends on mediaproxy, so if you don't use it you are safe.
You are also safe if you add this code to your nginx:

location ~ ^/(media|proxy) {
    add_header Content-Security-Policy "script-src 'none';";
}

Updates and fixes incoming, but this will fix the issue right away. There is a certain aspect of social engineering here; it will not just attack you by seeing an image inside pleroma-fe.
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Friday, 26-May-2023 17:39:35 JST
@mint yes, i think so
mint (mint@ryona.agency)'s status on Friday, 26-May-2023 17:39:36 JST
@lain What about sandbox CSP? Does it have the same effect as script-src 'none'?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Friday, 26-May-2023 17:50:14 JST
@mint tested it and it indeed fixes it
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Friday, 26-May-2023 17:53:17 JST
@hakui mediaproxy is literally killing people
御園はくい (hakui@tuusin.misono-ya.info)'s status on Friday, 26-May-2023 17:53:18 JST
@lain no mediaproxy keeps winning :smug1:
「 Fried Fristi 」 (fristi@akkos.fritu.re)'s status on Friday, 26-May-2023 17:54:22 JST
@lain yuy am safe :akko_fistup:
Thanks lain :meowHeart:
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Friday, 26-May-2023 18:12:14 JST
@shpuld @mint it's not in the default. i think you might have it because we had this issue in /media, quick-fixed it via nginx, then also added the fix to pleroma directly, but not fixing it for /proxy because that probably didn't exist yet.
御shp :blobshp: (shpuld@shpposter.club)'s status on Friday, 26-May-2023 18:12:15 JST
@lain @mint I thought that was in default nginx configs already, it was in mine at least. wonder how it got left out by poast
御shp :blobshp: (shpuld@shpposter.club)'s status on Friday, 26-May-2023 18:30:39 JST
@lain @mint icic, anyway thanks for the investigation and updates, nice to know that we're safe
ringo (ringo@noagendasocial.com)'s status on Friday, 26-May-2023 18:32:51 JST
@lain @ringo@talk-here.com interesting. so it was an injection attack using a malformed or corrupted file, which was actually a base64 encoded script?
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Friday, 26-May-2023 18:32:51 JST
@ringo @ringo no, i'm deliberately unclear here about the exact details because i want to give people a few more hours to add that line to nginx before people with lots of free time start trying to exploit it.
Generally, the average pleroma user should be safe, even if they use mediaproxy. the likelihood that someone who isn't specifically attacked and tricked into clicking something will trigger this exploit is very low.
Neko McCatface v2023 :verified::makemeneko: (roboneko@bae.st)'s status on Friday, 26-May-2023 20:09:39 JST
@splitshockvirus @dcc @lain @splitshockvirus to prevent remote instances from harvesting metadata on local users who are passively browsing. less leakage is nearly always better
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 26-May-2023 20:09:39 JST
@roboneko >to prevent remote instances from harvesting metadata on local users who are passively browsing
That is why you use Tor Browser - you can browse whatever you want and all the remote instances can see is that someone is using Tor.
✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Friday, 26-May-2023 20:09:40 JST
@splitshockvirus @lain i still dont get why anyone would put that on
✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Friday, 26-May-2023 20:09:41 JST
@lain cc @splitshockvirus non media proxy bros we keep winning :dude_smug:
:apa: スプリットショックウイルス † (splitshockvirus@mstdn.starnix.network)'s status on Friday, 26-May-2023 20:09:41 JST
[image attachment only, no text]
feld (feld@bikeshed.party)'s status on Saturday, 27-May-2023 01:25:00 JST
If you use Varnish:

sub vcl_backend_response {
    if (bereq.url ~ "^/proxy/") {
        set beresp.http.Content-Security-Policy = "sandbox";
    }
}

Also clear your MediaProxy cache, because serving the cached variant will have the old header without the CSP rule
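An added example, not code from this thread or from Pleroma: it checks whether a response on a mediaproxy path carries one of the two CSP forms discussed above, script-src 'none' (lain's nginx fix) or sandbox (mint's question, feld's Varnish rule), using constructed header samples. Checking the live response matters because a cached mediaproxy variant may still carry the old headers, and because an add_header inside an nginx location block replaces the add_header lines inherited from enclosing blocks.

```python
"""Added example (not from this thread or Pleroma): verify that a response on a
mediaproxy path carries one of the two CSP forms discussed above. Constructed
header samples only; check_live does a real HEAD request against your instance."""
import re
import urllib.parse
import urllib.request

MITIGATED_PATH = re.compile(r"^/(media|proxy)")  # same pattern as the nginx fix


def parse_csp(value):
    """Split a CSP header value into {directive: [lowercased tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def csp_blocks_scripts(value):
    """True for 'sandbox' (without allow-scripts) or script-src 'none';
    default-src 'none' covers script-src when script-src itself is absent."""
    policy = parse_csp(value)
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    return policy.get("script-src", policy.get("default-src")) == ["'none'"]


def check_response(path, headers):
    """Return (ok, reason) for one response; header names are case-insensitive."""
    if not MITIGATED_PATH.match(path):
        return True, "path not served by mediaproxy"
    csp = {k.lower(): v for k, v in headers.items()}.get("content-security-policy")
    if csp is None:
        return False, "no Content-Security-Policy header"
    if not csp_blocks_scripts(csp):
        return False, "CSP does not block scripts: " + csp
    return True, "ok"


def check_live(url):
    """HEAD the URL and check it: a stale cached variant or an nginx location
    block whose add_header replaced the inherited ones both show up here."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_response(urllib.parse.urlsplit(url).path, dict(resp.headers))


if __name__ == "__main__":  # constructed sample: an unprotected SVG response
    print(check_response("/media/y.svg", {"Content-Type": "image/svg+xml"}))
```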
feld (feld@bikeshed.party)'s status on Saturday, 27-May-2023 03:25:10 JST

your-domain.com {
    # Your existing configuration here
    route /specific-path* {
        # header <field> <value>: set a response header for this path
        header Custom-Header "Custom-Header-Value"
    }
}

this was sourced from ChatGPT but looks like something I've done before.
clemenceau (clemenceau@cutewaifu.enjoyer.network)'s status on Saturday, 27-May-2023 03:25:12 JST
@lain @feld thanks for this. Any idea what a similar directive for Caddy would be? This is the relevant section of their docs: