Conversation
Notices
-
Embed this notice
Date of Breach: April 2025
Environment: FreeBSD (EOL), PHP (legacy), Ghostscript/ImageMagick
Stack: Yotsuba-based imageboard software
Key Failures
– Running EOL FreeBSD and unsupported PHP
– Allowed .pdf uploads on legacy boards (/po/, /tg/)
– No MIME type checks or extension whitelisting
– Executed unfiltered input via eval(), system(), shell_exec()
– No sandboxing, no disable_functions, SSH exposed
Relevant Code Samples
postfilter.php:
PHP:
shell_exec("some_command $file");
system("convert $file output.png");
HTMLPurifier.standalone.php (line 21864):
PHP:
$result = eval("\$var = $expr;");
InterchangeBuilder.php (line 127):
PHP:
$directive->default = $this->varParser->parse(
$hash->offsetGet('DEFAULT'),
$directive->type
);
Attack Flow
1. PDF uploaded via board with legacy file support
2. Content read by vulnerable parser or CLI processor
3. Payload reaches eval() or system()
4. Shell command executed (e.g. reverse shell, SSH key injection)
5. Attacker escalates to root via misconfig
How They Could've Prevented It
Bash:
freebsd-update fetch install
pkg update && pkg upgrade
reboot
Then:
– Remove all
eval(), shell_exec(), system()
– Enforce:
Code:
disable_functions = system, exec, shell_exec, passthru, popen, proc_open, eval
– Validate uploads via mime_content_type()
– Disable PDF uploads
– Drop web user privileges, isolate SSH
Conclusion
No zero-day. No fancy exploit. Just years of tech debt, lazy security, and root via a PDF. Completely avoidable.
Forest of Enchantment
meso
opal
All GNU social JP content and data are available under the 