Date of Breach: April 2025
Environment: FreeBSD (EOL), PHP (legacy), Ghostscript/ImageMagick
Stack: Yotsuba-based imageboard software
Key Failures
– Running EOL FreeBSD and unsupported PHP
– Allowed .pdf uploads on legacy boards (/po/, /tg/)
– No MIME type checks or extension whitelisting
– Executed unfiltered input via eval(), system(), shell_exec()
– No sandboxing, no disable_functions, SSH exposed
Relevant Code Samples
postfilter.php:
PHP:
// $file is the upload's name, interpolated unescaped into the command string,
// so any shell metacharacters it contains become part of the command.
shell_exec("some_command $file");
system("convert $file output.png");
HTMLPurifier.standalone.php (line 21864):
PHP:
// $expr is evaluated as PHP source; whatever reaches it runs as the web user.
$result = eval("\$var = $expr;");
InterchangeBuilder.php (line 127):
PHP:
// The directive's DEFAULT value is handed to the VarParser (Native by default),
// which is where the eval() above is reached.
$directive->default = $this->varParser->parse(
    $hash->offsetGet('DEFAULT'),
    $directive->type
);
Attack Flow
1. PDF uploaded via board with legacy file support
2. Content read by vulnerable parser or CLI processor
3. Payload reaches eval() or system()
4. Shell command executed (e.g. reverse shell, SSH key injection)
5. Attacker escalates to root via misconfig
How They Could've Prevented It
Bash:
# On an EOL branch there are no patches left to fetch; move to a supported
# release first with: freebsd-update -r <release> upgrade
freebsd-update fetch install
pkg update && pkg upgrade
reboot
Then:
– Remove all eval(), shell_exec(), system() calls
– Enforce:
Code:
disable_functions = system, exec, shell_exec, passthru, popen, proc_open, eval
; eval is a language construct, not a function, so disable_functions cannot
; block it; the eval() calls themselves have to go
– Validate uploads via mime_content_type()
– Disable PDF uploads
– Drop web user privileges, isolate SSH
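The upload path from the postfilter.php snippets above, rewritten defensively, as an added example (not code from this post or from the Yotsuba code base). It assumes PHP 7.4 or later with the fileinfo extension, and that $tmpPath is PHP's own server-side temporary file rather than the user-supplied name.

```php
<?php
// Added example, not from the post or the Yotsuba code base. Assumes
// PHP >= 7.4 (array form of proc_open runs without a shell) and the
// fileinfo extension. $tmpPath is PHP's server-side temp file, never
// the user-supplied filename.
declare(strict_types=1);

// Extension whitelist mapped to the MIME type the bytes must sniff as.
// PDF is deliberately absent, so Ghostscript is never reached.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Accept only whitelisted extensions whose sniffed MIME type matches;
// returns the normalised extension or throws.
function validate_upload(string $tmpPath, string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content does not match .$ext");
    }
    return $ext;
}

// Thumbnail with ImageMagick through an argv array: no string
// interpolation, so nothing in a path can become a second command. The
// "ext:" prefix pins the decoder instead of letting ImageMagick choose
// one from the file's magic bytes.
function safe_convert(string $tmpPath, string $ext, string $outPng): int
{
    $argv = ['convert', "$ext:$tmpPath", '-resize', '250x250>', "png:$outPng"];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start convert');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc); // exit status, 0 on success
}

// Wiring it to a multipart upload:
// $up  = $_FILES['upload'];
// $ext = validate_upload($up['tmp_name'], $up['name']);
// safe_convert($up['tmp_name'], $ext, '/var/www/thumbs/' . bin2hex(random_bytes(8)) . '.png');
```

Pair this with the disable_functions line above and a PHP worker running as an unprivileged user; the array form of proc_open is what makes the ImageMagick call immune to the metacharacter problem in the original system() call.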
Conclusion
No zero-day. No fancy exploit. Just years of tech debt, lazy security, and root via a PDF. Completely avoidable.