Post AW2GCgs0H2BlUGWbey by bajax@bajax.us
 (DIR) Post #AW29QRSFgXAI3J5dgG by nekofag@rdrama.cc
       2023-05-26T03:05:00.959913Z
       
       14 likes, 3 repeats
       
       Okay okay, Graf's advice is outdated, it turns out that the code for it is now *obfuscated*. I found this .js file uploaded to my server under the filename `pfp.js`. It's NOT the same hash, you are still vulnerable. It is being exploited, clearly.

       https://paste.sqt.wtf/707d32

       If you run a Ctrl+F, the fedirelay.xyz url is there, so the hash check method is completely retarded, but it may be done to work around the hash files. Fuck I'm probably leaked too but I don't really give a damn.
       
 (DIR) Post #AW29V34jkoI7tCHtjc by nekofag@rdrama.cc
       2023-05-26T03:05:52.672603Z
       
       3 likes, 0 repeats
       
       Maybe if graf wasn't a stupid faggot i could ping him about this but he blocks my instance so I cannot
       
 (DIR) Post #AW29yViEMSrN6SoDo0 by Inginsub@clubcyberia.co
       2023-05-26T03:11:07.869375Z
       
       3 likes, 0 repeats
       
       @nekofag have you figured out how pleroma runs the js code? Does it just fucking embed the attachment contents?
       
 (DIR) Post #AW2A5GeUklpmQDHeee by nekofag@rdrama.cc
       2023-05-26T03:12:25.294243Z
       
       4 likes, 1 repeats
       
       @Inginsub I honestly don't know. Presumably, what I read, newer PleromaFE versions do some weird reverse-lookup thing for nostr links. Other than that I have no clue.
       
 (DIR) Post #AW2A7s00rvi4pZac2y by Inginsub@clubcyberia.co
       2023-05-26T03:12:50.659095Z
       
       2 likes, 0 repeats
       
       @nekofag lmao
       
 (DIR) Post #AW2AO7MVWB2r6wrIPo by bajax@bajax.us
       2023-05-26T03:15:44.458806Z
       
       0 likes, 0 repeats
       
       @nekofag do you use media proxy?
       
 (DIR) Post #AW2AP12EWk6NmHntaa by bajax@bajax.us
       2023-05-26T03:15:58.477672Z
       
       0 likes, 0 repeats
       
       @nekofag any idea where it came from originally or who uploaded it?
       
 (DIR) Post #AW2AR37DlMxUoF6erA by nekofag@rdrama.cc
       2023-05-26T03:16:20.679562Z
       
       0 likes, 0 repeats
       
       @bajax No i don't
       
 (DIR) Post #AW2AVapwKWh8YJBq4W by FrailLeaf@silliness.observer
       2023-05-26T03:17:08.846988Z
       
       2 likes, 0 repeats
       
       @nekofag is the admin fe also raped
       
 (DIR) Post #AW2AZ6i0HrsWGp9Zy4 by bajax@bajax.us
       2023-05-26T03:17:45.153931Z
       
       0 likes, 0 repeats
       
       @nekofag I guess you have open registrations?
       
 (DIR) Post #AW2AZy6dl04psa5VE8 by nekofag@rdrama.cc
       2023-05-26T03:17:58.335444Z
       
       0 likes, 0 repeats
       
       @bajax I do
       
 (DIR) Post #AW2Ab0Jz0SmH2Up3uS by FrailLeaf@silliness.observer
       2023-05-26T03:18:09.514217Z
       
       1 likes, 0 repeats
       
       @nekofag wait. this actually is a problem for instances with open registrations...
       
 (DIR) Post #AW2BPOKi0PaHzPBklE by bajax@bajax.us
       2023-05-26T03:27:11.126183Z
       
       3 likes, 1 repeats
       
       @nekofag It looks like they just ran their code through https://www.obfuscator.io/
       
 (DIR) Post #AW2BXny4ZzdnoMc2wy by waifu@waifuism.life
       2023-05-26T03:28:43.653252Z
       
       1 likes, 1 repeats
       
       @FrailLeaf @nekofag so we're in the safe silliness and WAIFUISM sisters? Are we safe?? 😭
       
 (DIR) Post #AW2Bc6fWzYSKyAzVcO by bajax@bajax.us
       2023-05-26T03:29:30.252520Z
       
       0 likes, 0 repeats
       
       @waifu @nekofag @FrailLeaf do you use open registrations or mediaproxy?
       
 (DIR) Post #AW2Brp1WMemOsQlp7Q by bajax@bajax.us
       2023-05-26T03:32:23.017514Z
       
       2 likes, 0 repeats
       
       @nekofag Also it was always obfuscated, graf just "de"-obfuscated it
       
 (DIR) Post #AW2BsEfR1OYsPSdYIq by waifu@waifuism.life
       2023-05-26T03:32:25.967132Z
       
       1 likes, 0 repeats
       
       @bajax @nekofag @FrailLeaf i don't use either
       
 (DIR) Post #AW2BuVkySFlvzTJT0q by grumbulon@freecumextremist.com
       2023-05-26T03:32:48.709430Z
       
       0 likes, 0 repeats
       
       @bajax @nekofag @FrailLeaf @waifu is media proxy safe? I uploaded a test js file and found it in my uploads directory, but I don't know if its possible that it can execute regardless or not
       
 (DIR) Post #AW2BvQZFEXG4BbGP8y by bajax@bajax.us
       2023-05-26T03:33:02.136121Z
       
       2 likes, 0 repeats
       
       @waifu @nekofag @FrailLeaf you SHOULD be OK then
       
 (DIR) Post #AW2C0lXEhhKGfDryT2 by nekofag@rdrama.cc
       2023-05-26T03:34:01.039702Z
       
       1 likes, 0 repeats
       
       @bajax oh.. that makes sense
       
 (DIR) Post #AW2CHaWatRXpRGagls by bajax@bajax.us
       2023-05-26T03:36:59.012847Z
       
       0 likes, 0 repeats
       
       @grumbulon @nekofag @FrailLeaf @waifu If files are served from the same server as the HTML, and you haven't done any specific nginx config to prevent JS files from execution, I don't think so.
       
 (DIR) Post #AW2CIz9CpdWw5vJjtY by animeirl@shitposter.club
       2023-05-26T03:37:18.972800Z
       
       0 likes, 0 repeats
       
       @nekofag it was already obfuscated, he said that in his post
       
 (DIR) Post #AW2CKB0EEwJp9VgcAy by nekofag@rdrama.cc
       2023-05-26T03:37:30.484994Z
       
       0 likes, 0 repeats
       
       @animeirl yeah im a retard
       
 (DIR) Post #AW2CMRKGWPX2MC8aqO by grumbulon@freecumextremist.com
       2023-05-26T03:37:51.552797Z
       
       0 likes, 0 repeats
       
       @bajax @nekofag @FrailLeaf @waifu right on
       
 (DIR) Post #AW2CPDas2B0udVEHbc by animeirl@shitposter.club
       2023-05-26T03:38:26.671375Z
       
       6 likes, 2 repeats
       
       @nekofag @Inginsub nostr was a mistake
       
 (DIR) Post #AW2CUgALEODkhOQNou by bajax@bajax.us
       2023-05-26T03:39:21.592464Z
       
       3 likes, 2 repeats
       
       @grumbulon @nekofag @FrailLeaf @waifu do a `curl -I` on the URL, if you have these headers, you're vulnerable:
       
 (DIR) Post #AW2CWOOWH8XsA3sCdU by bajax@bajax.us
       2023-05-26T03:39:43.021912Z
       
       0 likes, 0 repeats
       
       @grumbulon @FrailLeaf @nekofag @waifu the URL of the script file you uploaded, I mean.
       
 (DIR) Post #AW2CWUGaRXlUNCCx6W by rher@mugicha.club
       2023-05-26T03:39:45.565053Z
       
       0 likes, 1 repeats
       
       @graf @graf
       
 (DIR) Post #AW2Chnz9TAw0iPRwOG by rher@mugicha.club
       2023-05-26T03:41:48.451771Z
       
       1 likes, 0 repeats
       
       Mr. Gleason is no longer my greatest ally.
       
 (DIR) Post #AW2Cim1iEmdMvj6piC by djsumdog@djsumdog.com
       2023-05-26T03:41:57.762074Z
       
       0 likes, 0 repeats
       
       as was the Internet itself, and by extension, all of humanity
       
 (DIR) Post #AW2CoRUvTZYmzyTcTg by rher@mugicha.club
       2023-05-26T03:43:00.306266Z
       
       0 likes, 0 repeats
       
       
       
 (DIR) Post #AW2D1sU0SOmKSLS9C4 by Doll@decayable.ink
       2023-05-26T03:45:25.733283Z
       
       0 likes, 0 repeats
       
       @Decayable
       
 (DIR) Post #AW2D3jBtyXcyDUroRM by waifu@waifuism.life
       2023-05-26T03:45:42.551479Z
       
       0 likes, 0 repeats
       
       @bajax @nekofag @FrailLeaf ok thank you friend I'll be on my guard
       
 (DIR) Post #AW2DKIC5bR0FPTqxoe by bajax@bajax.us
       2023-05-26T03:48:40.383809Z
       
       1 likes, 0 repeats
       
       @bot @grumbulon @nekofag @FrailLeaf @waifu no, it adds an extra potential security hazard since files are served from your own domain.
       
 (DIR) Post #AW2DKYtZVXI9CyJuoS by djsumdog@djsumdog.com
       2023-05-26T03:48:45.969764Z
       
       0 likes, 0 repeats
       
       Put an alert('hi'); in the test.js file and see if it executes when you view the post it’s in? I’m thinking this is something that can be patched in the front end (and might only be Soapbox?)

       A quick safety measure for admins is to add fedirelay.xyz to /etc/hosts and point it to a local IP.
       
 (DIR) Post #AW2DX2LdpS321sOkNs by paulo@boks.moe
       2023-05-26T03:51:01.560627Z
       
       0 likes, 0 repeats
       
       @bajax @nekofag @FrailLeaf @waifu victory :marseyjam:
       
 (DIR) Post #AW2DeCD9YZ4ie7qEnQ by KitlerIs6@seal.cafe
       2023-05-26T03:52:20.849637Z
       
       0 likes, 0 repeats
       
       I don't understand why anyone would go through the effort to upload a malicious script when executing that malicious script already requires the ability to insert script tags into the HTML.
       
 (DIR) Post #AW2DkbXQIwBCvxNX0a by 7666@comp.lain.la
       2023-05-26T03:53:29.282711Z
       
       1 likes, 0 repeats
       
       @waifu @bajax @nekofag @FrailLeaf confused about a few things
       - is there really not an upload filter (or plugin) for MIME type whitelisting? you mean to tell me you can just drop executables as media? like minecraft_mods.exe?
       - i'm guessing if you have mediaproxy enabled then all federated media would also lead to execution? like you can't just remap "~^/media" in nginx to swap CSPs (script-src none) you'd have to do "~^/proxy" too but that has multiple subdirectories so what the heck do you do there? "~^/proxy/$1/$2/$3/$4/$5" and hope for the best?
       - general security advice would probably be to not have your day-to-day posting user have admin rights at all - use a dedicated admin account that follows no one and has no timelines so nothing can be loaded (and don't click the known network!) and log out when done admin'ing

       doubt we'll ever get the full details with the fedi speculation machine at redline
       
 (DIR) Post #AW2Dr5NkG5IdELwTjc by bajax@bajax.us
       2023-05-26T03:54:37.562962Z
       
       2 likes, 0 repeats
       
       @KitlerIs6 @grumbulon @nekofag @bot @FrailLeaf @waifu Well it's not really that complicated.  This whole attack is pretty simple, except we don't have any confirmation how the script was actually executed on the clients.  Nobody even knows whether they did it via an inline script or anything.
       
 (DIR) Post #AW2DuEUup5tuN3nSU4 by KitlerIs6@seal.cafe
       2023-05-26T03:55:13.234261Z
       
       1 likes, 0 repeats
       
       Isn't that the far greater security flaw?
       
 (DIR) Post #AW2DyVf0xCRAl7YlW4 by D00B@seal.cafe
       2023-05-26T03:56:00.726148Z
       
       4 likes, 0 repeats
       
       @KitlerIs6 @bajax @grumbulon @nekofag @bot @FrailLeaf @waifu the greatest security flaw is the friends we made along the way.
       
 (DIR) Post #AW2F222X7mos0Lnu7c by bajax@bajax.us
       2023-05-26T04:07:46.754257Z
       
       1 likes, 0 repeats
       
       @bot @grumbulon @nekofag @FrailLeaf @waifu OK, I have to back up and explain a bunch of shit about how attachments are handled on the fediverse to explain it, but I’ll keep it short… In order for the file to execute, it needs to be on the same domain the victim is browsing from– if you accidentally load from sleepy.cafe a payload targeted at seal.cafe, it won’t work.  Browser security measures prevent it. What media proxy does is take attachments and serve them from the site you’re browsing from, as if all the attachments come from the same server.  This makes it faster in some cases and prevents telling other sites which of your users are looking at which files.  BUT– if sleepy.cafe was running media proxy, an attack targeted at seal.cafe users might in theory work, because it makes all attached files appear to come from the domain you’re browsing on.
       
 (DIR) Post #AW2FAjSjZ32ezhCwIC by D00B@seal.cafe
       2023-05-26T04:09:25.239457Z
       
       0 likes, 0 repeats
       
       @bajax @grumbulon @nekofag @bot @FrailLeaf @waifu I have been told we are safe
       
 (DIR) Post #AW2FEBVzionyrmNZ5M by grumbulon@freecumextremist.com
       2023-05-26T04:09:10.275535Z
       
       2 likes, 0 repeats
       
       @bajax @nekofag @bot @FrailLeaf @waifu
       > because it makes all attached files appear to come from the domain you’re browsing on

       this is, afaik, incorrect as the media proxy actually downloads it to your server then serves it from there.
       
 (DIR) Post #AW2FFKgl6GbPbixfDk by bajax@bajax.us
       2023-05-26T04:10:12.112949Z
       
       0 likes, 0 repeats
       
       @D00B @grumbulon @nekofag @bot @FrailLeaf @waifu upload a blank file with the .js file extension in a reply, and I'll tell you if that's true.
       
 (DIR) Post #AW2FIYhNT3vxvYmyx6 by bajax@bajax.us
       2023-05-26T04:10:49.796744Z
       
       0 likes, 0 repeats
       
       @grumbulon @nekofag @bot @FrailLeaf @waifu I know, but I didn't want to go into that level of detail considering the audience.
       
 (DIR) Post #AW2FnNSvHYr247ivEe by grumbulon@freecumextremist.com
       2023-05-26T04:13:53.513416Z
       
       1 likes, 0 repeats
       
       @bajax @nekofag @bot @FrailLeaf @waifu understandable, but I think it's an important distinction because it makes media proxy sound like the issue where pleroma is the actual issue allowing execution of random files

       imo, I'd just lock down media mimetypes to like images and videos but even then you can still probably do some magic fuckery that I wouldn't know about
       
 (DIR) Post #AW2FxnoCC5iEfAe252 by sapphire@needs.vodka
       2023-05-26T04:18:16.155560Z
       
       1 likes, 0 repeats
       
       @nekofag graf's fix obviously also doesn't work, if putting images on a different subdomain worked poast wouldn't have been hit in the first place, all their images are fed out from poastcdn.org
       
 (DIR) Post #AW2GCgs0H2BlUGWbey by bajax@bajax.us
       2023-05-26T04:20:54.962796Z
       
       2 likes, 0 repeats
       
       @grumbulon @nekofag @bot @FrailLeaf @waifu It looks like it might be a good idea to implement CSPs.  We can apparently whitelist all the scripts we want to allow the browser to run on the page.  It would be something like:

       `Content-Security-Policy: script-src : https://domain/static/*.js`

       This would prevent any scripts from anywhere except the /static directory from running regardless of any magic fuckery.
       
 (DIR) Post #AW2GInXuMkJFvh2PSK by bajax@bajax.us
       2023-05-26T04:22:03.713163Z
       
       1 likes, 0 repeats
       
       @grumbulon @FrailLeaf @bot @nekofag @waifu CSPs can also prevent inline scripts from running entirely.  Which might be extremely nice.  I'm going to take a break for a minute (lazy) and if nobody else has an nginx config by the time I get back I'll make one, test it and share it.
       
 (DIR) Post #AW2GKuMlykExf5prmq by grumbulon@freecumextremist.com
       2023-05-26T04:22:22.574341Z
       
       1 likes, 0 repeats
       
       @bajax @nekofag @bot @FrailLeaf @waifu I'll add it on top of the 403 just to be safe
       
 (DIR) Post #AW2GWRTvCHnbYJgAhE by bajax@bajax.us
       2023-05-26T04:24:30.021562Z
       
       1 likes, 0 repeats
       
       @grumbulon @nekofag @bot @FrailLeaf @waifu Yeah, I get you...  so yeah, thanks for making the clarification.  Media proxy is NOT a bad thing in itself, it can protect the privacy of your users, it's very worth enabling if you run an instance for other people.
       
 (DIR) Post #AW2Gal3GNViRPFGfLs by bajax@bajax.us
       2023-05-26T04:25:19.431329Z
       
       1 likes, 0 repeats
       
       @bot @grumbulon @nekofag @FrailLeaf @waifu It should.
       
 (DIR) Post #AW2GdNIR9k6wbDc4Ui by D00B@seal.cafe
       2023-05-26T04:25:48.353040Z
       
       2 likes, 0 repeats
       
       @bajax @grumbulon @nekofag @bot @FrailLeaf @waifu pls post kitty
       
 (DIR) Post #AW2MP74VHXvvwxg88G by kroner@seal.cafe
       2023-05-26T05:30:24.472603Z
       
       1 likes, 0 repeats
       
       I went ahead and put in an nginx rule @nekofag posted earlier to `deny all;` on js and html files located after /media/. I think that's what I needed to do at least :shrugge:
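
Three checks raised in this thread, bajax's `curl -I` on the uploaded file's URL, the CSP `script-src` whitelist for the `/static` directory, and the `deny all;` rule on `/media/` in the post above, can be reasoned about with the script below. It is an added example written for this page, not code from the thread, from Pleroma or from nginx; the HTTP responses, the `instance.example` domain and the function names (`parse_headers`, `parse_csp`, `source_allows`, `upload_can_execute`) are all constructed here. It encodes two points the thread circles around: the CSP that matters is the one on the HTML page that would reference the script, not a header on the .js response itself, and CSP path sources are literal prefixes ending in `/`, so `https://domain/static/` covers the static directory while a source written as `/static/*.js` only matches a file literally named `*.js`.

```python
"""Added example (not code from this thread): decide whether an uploaded .js
file could run as a script on an instance's own origin, from `curl -I` style
headers of the HTML page and of the uploaded file.

All responses below are constructed sample data; nothing is fetched."""
from urllib.parse import urlparse

# MIME types a browser will still execute when X-Content-Type-Options: nosniff is set.
JS_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "application/ecmascript", "text/ecmascript",
}


def parse_headers(raw):
    """Turn a `curl -I` response into (status_code, {lower-case name: value})."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_allows(source, url, page_origin):
    """CSP Level 3 source-expression matching for one URL: scheme-only
    sources, a leading '*.' host wildcard, and a path that is a prefix only
    when it ends in '/', otherwise an exact match (no '*.js' glob exists)."""
    keyword = source.lower()
    if keyword == "*":
        return True
    if keyword == "'self'":
        source = page_origin
    elif keyword.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces, hashes never match a URL
    u = urlparse(url)
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. https:
        return u.scheme == source[:-1].lower()
    s = urlparse(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    host, pattern = u.hostname or "", s.hostname or ""
    if pattern.startswith("*."):
        if not host.endswith(pattern[1:]):
            return False
    elif host != pattern:
        return False
    default_port = {"https": 443, "http": 80}.get(u.scheme)
    if s.port and s.port != (u.port or default_port):
        return False
    if s.path:
        return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path
    return True


def upload_can_execute(page_response, upload_response, page_url, upload_url):
    """Both conditions must hold: the file is served as something the browser
    will run, and the CSP of the *page* that would reference it (a CSP header
    on the .js response itself changes nothing) allows that URL in script-src."""
    _, page_h = parse_headers(page_response)
    status, up_h = parse_headers(upload_response)
    if status != 200:
        return False, f"upload not served (HTTP {status})"
    ctype = up_h.get("content-type", "").split(";")[0].strip().lower()
    if up_h.get("x-content-type-options", "").lower() == "nosniff" and ctype not in JS_MIME_TYPES:
        return False, f"nosniff: browser refuses to run {ctype or 'untyped'} as script"
    policy = parse_csp(page_h.get("content-security-policy", ""))
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True, "page has no script-src; any same-origin file can be a script"
    p = urlparse(page_url)
    if any(source_allows(s, upload_url, f"{p.scheme}://{p.netloc}") for s in sources):
        return True, "page script-src allows this URL"
    return False, "page script-src does not allow this URL"


# Constructed sample responses and URLs (placeholder domain, not a real instance).
PAGE = "https://instance.example/notice/1"
UPLOAD = "https://instance.example/media/a1b2c3/pfp.js"
PAGE_NO_CSP = "HTTP/2 200\ncontent-type: text/html; charset=utf-8\n"
PAGE_SELF = PAGE_NO_CSP + "content-security-policy: script-src 'self'\n"
PAGE_STATIC = PAGE_NO_CSP + "content-security-policy: script-src https://instance.example/static/\n"
UPLOAD_SERVED = "HTTP/1.1 200 OK\ncontent-type: application/javascript\n"
UPLOAD_DENIED = "HTTP/1.1 403 Forbidden\ncontent-type: text/html\n"  # what `deny all;` returns
UPLOAD_NOSNIFF = "HTTP/1.1 200 OK\ncontent-type: application/octet-stream\nx-content-type-options: nosniff\n"

if __name__ == "__main__":
    for label, page, upload in [("no CSP", PAGE_NO_CSP, UPLOAD_SERVED),
                                ("script-src 'self'", PAGE_SELF, UPLOAD_SERVED),
                                ("script-src /static/", PAGE_STATIC, UPLOAD_SERVED),
                                ("deny all", PAGE_NO_CSP, UPLOAD_DENIED),
                                ("nosniff", PAGE_NO_CSP, UPLOAD_NOSNIFF)]:
        print(f"{label:20} -> {upload_can_execute(page, upload, PAGE, UPLOAD)}")
```

Note that `script-src 'self'` is not enough on its own: `'self'` covers every path on the origin, including `/media/`, which is exactly why the whitelist has to name the `/static/` prefix. The `deny all;` rule and the nosniff check are independent layers; either one alone blocks the sample upload in the table above.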
       
 (DIR) Post #AW2MdklmTyTV7pu00m by D00B@seal.cafe
       2023-05-26T05:33:03.526078Z
       
       0 likes, 0 repeats
       
       @bot @kroner @bajax @grumbulon @nekofag @FrailLeaf @waifu all is appreciated
       
 (DIR) Post #AW2MkdpmfOOPdu3j28 by kroner@seal.cafe
       2023-05-26T05:34:19.985911Z
       
       2 likes, 0 repeats
       
       That's what I used, it pretty much does the same thing neko suggested but also targets html as well which is probably smart
       
 (DIR) Post #AW2MnS1V2J9TscsXS4 by D00B@seal.cafe
       2023-05-26T05:34:49.684669Z
       
       0 likes, 0 repeats
       
       @kroner @bot @bajax @grumbulon @nekofag @FrailLeaf @waifu lock it all down until further notice
       
 (DIR) Post #AW2OW2ZgbGr7wDh99s by meso@asbestos.cafe
       2023-05-26T05:54:08.204540Z
       
       0 likes, 0 repeats
       
       @bajax @grumbulon @nekofag @FrailLeaf @waifu it's over
       
 (DIR) Post #AW2Ud2OUGlzx87B02i by mint@ryona.agency
       2023-05-26T07:01:42.133286Z
       
       0 likes, 1 repeats
       
       @bajax @grumbulon @nekofag @bot @FrailLeaf @waifu I think the way FE is packed, it uses a bunch of unsafe-inlines, so this might just break more things. https://git.pleroma.social/pleroma/pleroma/-/blob/develop/lib/pleroma/web/plugs/http_security_plug.ex#L116
       
 (DIR) Post #AW2Unqkdtfp4Cqh9ay by mint@ryona.agency
       2023-05-26T07:03:40.407088Z
       
       1 likes, 1 repeats
       
       @grumbulon @bajax @nekofag @bot @FrailLeaf @waifu It doesn't save anything to the server, the only thing that handles that is nginx cache.
       
 (DIR) Post #AW2V0VswmttnFvcN1c by mint@ryona.agency
       2023-05-26T07:05:57.889532Z
       
       1 likes, 1 repeats
       
       @bot @bajax @grumbulon @nekofag @FrailLeaf @waifu In the regard of a possible vulnerability, no.