GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 23:27:04 JST
    New Pleroma vuln dropped: https://gitlab.com/soapbox-pub/rebased/-/merge_requests/264/diffs

    Yes, this is a new one that isn't the same as the one from yesterday.

    I don't completely understand the impact of this one, but you need to upgrade your server again. It seems bad but I'm not sure exactly how to exploit it.

    Attachments

    1. Merge Pleroma (security fix) (!264) · Merge requests · Soapbox / Rebased · GitLab
       Fediverse backend written in Elixir. The recommended backend for Soapbox. https://soapbox.pub
      Doughnut Lollipop 【記録係】:blobfoxgooglymlem: (tk@bbs.kawa-kun.com)'s status on Saturday, 05-Aug-2023 23:29:25 JST
      @alex I can be your external entity if you're vulnerable. :blobfoxwinkmlem:
      Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 23:30:10 JST
      Side-note: I don't think an XML parser is even needed on the Fediverse anymore. Everything is in JSON. This is unfortunate.
      Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 23:36:08 JST, in reply to David Bucienski :verified: and gvs
      @DavidB @gvs I'm saying the fact there's a security vulnerability that lets you access the entire filesystem because we still support XML because of the Fediverse in 2017 is unfortunate.
      David Bucienski :verified: (davidb@noagendasocial.com)'s status on Saturday, 05-Aug-2023 23:36:09 JST, in reply to gvs

      @gvs @alex ya, ditto. Why?
      XML seems like a heavier lift than json.

      Sexy Moon (moon@shitposter.club)'s status on Saturday, 05-Aug-2023 23:36:11 JST, in reply to gvs
      @gvs @alex yes, there is a release
      gvs (gvs@rebelbase.site)'s status on Saturday, 05-Aug-2023 23:36:12 JST
      Why is that unfortunate?
      gvs (gvs@rebelbase.site)'s status on Saturday, 05-Aug-2023 23:36:15 JST
      Is there a Pleroma update that fixes this already?
      DDroid (d-droid@poa.st)'s status on Saturday, 05-Aug-2023 23:40:21 JST
      @alex Lotta gay vulnerability shit going on recently
      Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 23:40:21 JST, in reply to DDroid
      @D-Droid That's one way to put it.
      feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 23:42:06 JST
      Mastodon still supports it too, FYI

      https://github.com/mastodon/mastodon/blob/79936c584f54a9c901f38b8c6507016209221cf0/app/lib/webfinger.rb
      Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 23:42:13 JST, in reply to burner
      @burner Akkoma patched it first.
      burner (burner@norwoodzero.net)'s status on Saturday, 05-Aug-2023 23:42:21 JST
      I run Akkoma, is that affected/updated yet?
      Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 23:43:17 JST, in reply to feld
      @feld I wonder if GNU Social still uses it, since there are like 2 GNU Social servers still online. Even they have managed to modernize things.
      feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 23:43:49 JST, in reply to feld
      Looks like Mastodon's XML parsing library Nokogiri has this functionality disabled by default if anyone is wondering.
      Alex Gleason and Doughnut Lollipop 【記録係】:blobfoxgooglymlem: like this.
      DDroid (d-droid@poa.st)'s status on Saturday, 05-Aug-2023 23:44:01 JST
      @alex Weird it’s a bunch of things happening at once but I suppose that’s how it happens
      Alex Gleason likes this.
      feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 23:46:19 JST
      I think this is an important audit we should make as a community so we can free ourselves of this cruft.

      If anyone out there has information about this being required by something on the Fediverse I'd like to know. I'll try to do some research on it this weekend...
      Doughnut Lollipop 【記録係】:blobfoxgooglymlem: likes this.
      Sexy Moon (moon@shitposter.club)'s status on Saturday, 05-Aug-2023 23:46:25 JST, in reply to feld
      @alex @feld I know they did a lot of work, but before it was revived I was familiar with the code and you basically couldn't remove ostatus support.
      Doughnut Lollipop 【記録係】:blobfoxgooglymlem: (tk@bbs.kawa-kun.com)'s status on Saturday, 05-Aug-2023 23:47:34 JST, in reply to feld
      @alex @feld Sort of. The latest GSv3 and v2 are in incomplete states. The former wasn't really usable, and the latter has some broken functionality. I found that out while setting up diatom.social.
      Matt Hamilton [Maryland] (eriner@noagendasocial.com)'s status on Saturday, 05-Aug-2023 23:51:00 JST, in reply to anime graf mays ?️?

      @graf @alex yeah, XXE. Means anything that can submit an XML document that the server parses can read arbitrary files on the server, same as the other issue. Actually worse if this doesn't require auth. XXE is fixed by not using shit and brain-damaged parsers, which nobody should be using. This is straight outta 2004.

      Abandon hope, all ye who enter. Pleroma is fucked and was made by retards.

      anime graf mays ?️? (graf@poa.st)'s status on Saturday, 05-Aug-2023 23:51:01 JST, in reply to Matt Hamilton [Maryland]
      @alex @eriner new pleroma vuln dropped btw
      Alex Gleason repeated this.
      Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 23:52:36 JST, in reply to anime graf mays ?️? and Matt Hamilton [Maryland]
      @eriner @graf Can you explain the actual attack surface tho

      Webfinger can sometimes be in XML format instead of JSON, and the server will parse it. But I don't see how the results could be rendered to the attacker.
      (mint@ryona.agency)'s status on Saturday, 05-Aug-2023 23:56:10 JST, in reply to anime graf mays ?️? and Matt Hamilton [Maryland]
      @graf @alex @eriner Notice how it was resolved by some random akkoma tranny instead of FediUN's task force on paycheck.
      Alex Gleason likes this.
      feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 23:57:08 JST, in reply to anime graf mays ?️? and Matt Hamilton [Maryland]
      The XML parser we're using is the most mature one in the ecosystem and comes with Erlang, but they apparently didn't care to disable this by default.
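      The entry point Alex names above (WebFinger responses arriving as XRD/XML) and the parser default feld describes are the two halves of this bug class. As an added example, not code from the thread or from Pleroma, Akkoma or Mastodon, here is a fail-closed XRD parser in Python's standard library (expat, standing in for Erlang's xmerl) that refuses any DOCTYPE or entity declaration before a single entity can be expanded; the XRD namespace is the real one, the sample documents and the file path are constructed placeholders.

```python
"""Fail-closed parsing of WebFinger XRD (XML) responses. Added example, not Pleroma,
Akkoma or Mastodon code; uses Python's stdlib expat instead of Erlang's xmerl."""
import xml.parsers.expat
import xml.etree.ElementTree as ET
XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"  # real XRD 1.0 namespace


class UnsafeXrdError(ValueError):
    """The document carries a DTD construct that XRD never legitimately needs."""


def reject_dtd(data: str) -> None:
    """Stream the document through expat and abort on the first DOCTYPE or entity
    declaration, before any entity (external or internal) could be expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXrdError(f"DOCTYPE {name!r} is not allowed in XRD")

    def on_entity(*decl):  # fires for SYSTEM/PUBLIC and internal entities alike
        raise UnsafeXrdError("entity declarations are not allowed in XRD")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse


def is_safe_xrd(data: str) -> bool:
    try:
        reject_dtd(data)
        return True
    except UnsafeXrdError:
        return False


def parse_xrd(data: str) -> dict:
    """Return the Subject and the Link rel/href pairs, or raise if the document is unsafe."""
    reject_dtd(data)
    root = ET.fromstring(data)
    if root.tag != XRD_NS + "XRD":
        raise UnsafeXrdError("root element is not XRD")
    links = [(l.get("rel"), l.get("href")) for l in root.findall(XRD_NS + "Link")]
    return {"subject": root.findtext(XRD_NS + "Subject"), "links": links}


# Constructed sample responses, not captured from any real server.
GOOD_XRD = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@example.org</Subject>
  <Link rel="self" type="application/activity+json" href="https://example.org/users/alice"/>
</XRD>"""
# Same shape but declaring an external entity; the parser must refuse it outright.
BAD_XRD = """<?xml version="1.0"?>
<!DOCTYPE XRD [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_LOCAL_FILE">]>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Subject>&ext;</Subject></XRD>"""
```

      Rejecting the DTD up front means the outcome no longer depends on whatever the underlying XML library enables by default, which is the difference between the Nokogiri and xmerl situations described in this thread.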
      Alex Gleason (alex@gleasonator.com)'s status on Sunday, 06-Aug-2023 01:07:38 JST, in reply to anime graf mays ?️?, Matt Hamilton [Maryland] and Winston Smith
      @smith @eriner @graf Nah, a totally different parser (Floki + fast_html) is used for that. HTML5 is not compatible with XML.
      Winston Smith (smith@orwell.fun)'s status on Sunday, 06-Aug-2023 01:07:39 JST, in reply to anime graf mays ?️? and Matt Hamilton [Maryland]
      Statuses can be HTML (XHTML) code as far as I know; maybe the backend needs a parser for it?


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.