Post AW2JMWYJmx0SFKhKi0 by neganeko@ryona.agency
 (DIR) Post #AW2H14CBp8y4JEzKCm by 7666@comp.lain.la
       2023-05-26T04:30:05.523106Z
       
       3 likes, 3 repeats
       
       so at this point (assuming graf isn't full of shit) i've de-admined my main account, made a new dedicated admin account, and added a script-src none CSP map for "~^/media"
       
       there's definitely more to this hack story though - no explanation on how the JS was executed, and no clarification on whether or not JS incoming from a mediaproxy would also be affected by the same "bug"
       
       i am surprised by the lack of upload filtering outside the stock MRFs though, there could definitely be a file type or extension blacklist/whitelist MRF added to prevent basic malicious shit from getting in like executables (unless you want to pretend your instance is a file upload service)
       
 (DIR) Post #AW2HWirUg5nFPVP0ym by splitshockvirus@mstdn.starnix.network
       2023-05-26T04:35:45Z
       
       0 likes, 0 repeats
       
       @7666 too right I'm gonna go ahead and isolate admin privileges as well.
       
 (DIR) Post #AW2HeMHOWQYlgo9sWG by 7666@comp.lain.la
       2023-05-26T04:37:10.797402Z
       
       0 likes, 0 repeats
       
       @splitshockvirus honestly surprised this isn't a recommended idea considering the prevalence of token theft!
       
       it's like browsing the internet as root or running 24/7 as domain admin
       
 (DIR) Post #AW2IRxH1leNSc8dVMe by splitshockvirus@mstdn.starnix.network
       2023-05-26T04:46:07Z
       
       0 likes, 0 repeats
       
       @7666 It's been looming in the back of my mind.
       
       Having a separate browser or browser profile (if that's even secure) for the admin would help.
       
       Having a jump box or tunnel to the API or AdminFE would help. Having AdminFE on a separate machine from pleroma might be a good idea.
       
       Like I'm thinking about this, there's a bunch of other things you can do to secure this, but all of them are just going to make the admining more complex, and we'd rather just rely on "trust" in the developers to write secure code. Which lol they are not going to do that it's a web application.
       
 (DIR) Post #AW2IjHb1SiWWZAFddg by 7666@comp.lain.la
       2023-05-26T04:49:17.095201Z
       
       0 likes, 0 repeats
       
       @splitshockvirus i think privilege compartmentalization is enough, considering the software itself was fine, just the environmentals around it led to secret loss. if i wanted to be turbo paranoid i could also run a job to wipe oauth tokens for that specific account in the DB every hour too.
       
 (DIR) Post #AW2J6KkJuu30zoak1g by neganeko@ryona.agency
       2023-05-26T04:52:29.079594Z
       
       0 likes, 1 repeats
       
       @7666 @splitshockvirus
       
       > i could also run a job to wipe oauth tokens for that specific account in the DB every hour too.
       
       by the time you're wiping a hostile oauth token someone already potentially had access by definition. maybe you get lucky and they were slow to exploit it maybe not
       
       not that creds should be valid indefinitely (obviously they shouldn't) but expiring them doesn't fix the issue here
       
 (DIR) Post #AW2JEDQ12nMSaRqvlg by 7666@comp.lain.la
       2023-05-26T04:54:52.680330Z
       
       0 likes, 0 repeats
       
       @neganeko @splitshockvirus general hygiene thing, akin to privileged access management. no it would not fix this particular issue though
       
 (DIR) Post #AW2JMWYJmx0SFKhKi0 by neganeko@ryona.agency
       2023-05-26T04:55:28.924524Z
       
       0 likes, 1 repeats
       
       @7666
       
       > file type or extension blacklist/whitelist
       
       don't you need to go and sniff the file contents itself? probably easier to set paranoid headers for anything that isn't whitelisted and perform file validation for whitelisted stuff
       
       quickly devolves into the tired exif debate tho. do you want server code parsing stuff, do you want to inconvenience users, etc
       
 (DIR) Post #AW2Jg7ZONonUYVXqZE by 7666@comp.lain.la
       2023-05-26T04:59:55.497164Z
       
       0 likes, 0 repeats
       
       @neganeko honestly a rudimentary extension based filter would be 95% effective for the mediaproxy if we're expecting browsers to use extensions as hints on how to open something (like a .js file), that way you don't even need to open it, just read the filename
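An added example, not config from this thread or from Pleroma itself, showing both ideas raised above in one nginx fragment: the "script-src none CSP map" for upload paths that 7666 mentions earlier, and the filename-extension hint from this post, applied as a response header without opening the file. It assumes uploads are served under /media and the mediaproxy under /proxy (Pleroma's default paths) and that the backend upstream is named phoenix; adjust both to your deployment.

```nginx
# Added example (not the thread's or Pleroma's own config).
# Assumptions: uploads live under /media, mediaproxy under /proxy,
# and the Pleroma backend is the upstream named "phoenix".

# 1. CSP map keyed on the request path. nginx drops an add_header whose
#    value is the empty string, so non-media paths get no extra header.
#    'sandbox' makes the browser treat the response as an opaque-origin
#    document; script-src 'none' blocks inline and external scripts even
#    if something is rendered as HTML or SVG.
map $uri $media_csp {
    default             "";
    "~^/(media|proxy)/" "default-src 'none'; script-src 'none'; sandbox";
}

# 2. Extension-based hint: browsers use the filename extension and
#    Content-Type as cues for how to open a file, so force script-capable
#    extensions under media paths to download instead of rendering.
#    This reads only the filename, not the file contents.
map $uri $media_disposition {
    default                                                  "";
    "~*^/(media|proxy)/.*\.(js|mjs|html?|xhtml|svg|xml)$"    "attachment";
}

server {
    # ... existing listen / server_name / TLS settings ...

    # "always" keeps the headers on non-2xx responses too.
    add_header Content-Security-Policy $media_csp          always;
    add_header Content-Disposition     $media_disposition  always;
    add_header X-Content-Type-Options  nosniff             always;

    location / {
        proxy_pass http://phoenix;
    }
}
```

Two caveats when applying this: `add_header` directives are not inherited into a `location` block that declares any `add_header` of its own, so if you already set headers per location, repeat these there; and if the backend already emits its own Content-Security-Policy, browsers enforce every CSP header present, so a stricter nginx header only tightens the policy, whereas a second Content-Disposition header is ambiguous and should be suppressed on the backend side with `proxy_hide_header Content-Disposition` first.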
       
 (DIR) Post #AW2MZoTEmSf3RfLkES by nyx@social.xenofem.me
       2023-05-26T05:31:35.686919Z
       
       0 likes, 0 repeats
       
       @7666 thanks for the heads up, this is good advice for admins