Post AW2dRQRdvF35ppBr84 by dcc@annihilation.social
 (DIR) Post #AW2d5lr3dkOJrjkgmu by lain@lain.com
       2023-05-26T08:36:47.446572Z
       
       37 likes, 39 repeats
       
       I found out how the attack works, it indeed depends on mediaproxy, so if you don't use it you are safe. You are also safe if you add this code to your nginx.

           location ~ ^/(media|proxy) {
               add_header Content-Security-Policy "script-src 'none';";
               # keep the proxy_pass and other directives you already have for this location here
           }

       Updates and fixes incoming, but this will fix the issue right away. There is a certain aspect of social engineering here, it will not just attack you by seeing an image inside pleroma-fe.
       
 (DIR) Post #AW2d8vifQ68hKTKkvA by Arwalk@noagendasocial.com
       2023-05-26T08:38:02Z
       
       0 likes, 0 repeats
       
       @lain what's happening?
       
 (DIR) Post #AW2dAiTFeIlKonyVns by mint@ryona.agency
       2023-05-26T08:37:15.970838Z
       
       1 likes, 1 repeats
       
       @lain What about sandbox CSP? Does it have the same effect as script-src 'none'? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
       
 (DIR) Post #AW2dET5CnoyMFhW6Ai by dcc@annihilation.social
       2023-05-26T08:39:00.965297Z
       
       3 likes, 0 repeats
       
       @lain cc @splitshockvirus non media proxy bros we keep winning :dude_smug:
       
 (DIR) Post #AW2dJ26kWTMS2RPpMu by lain@lain.com
       2023-05-26T08:39:06.148740Z
       
       2 likes, 0 repeats
       
       @mint yes, i think so
       
 (DIR) Post #AW2dMN453tDpu6l7Ro by splitshockvirus@mstdn.starnix.network
       2023-05-26T08:40:24Z
       
       1 likes, 0 repeats
       
       @dcc @lain so it would seem
       
 (DIR) Post #AW2dRQRdvF35ppBr84 by dcc@annihilation.social
       2023-05-26T08:41:21.519649Z
       
       1 likes, 0 repeats
       
       @splitshockvirus @lain idk i still don't get why anyone would put that on
       
 (DIR) Post #AW2dipLEbu2tyPUTRY by hakui@tuusin.misono-ya.info
       2023-05-26T08:44:31.444790Z
       
       4 likes, 1 repeats
       
       @lain no mediaproxy keeps winning :smug1:
       
 (DIR) Post #AW2eFeoglLlet3vENk by lain@lain.com
       2023-05-26T08:49:53.321580Z
       
       2 likes, 0 repeats
       
       @mint tested it and it indeed fixes it
       
 (DIR) Post #AW2ePhiAr1jSlGfKDo by fristi@akkos.fritu.re
       2023-05-26T08:52:16.309592Z
       
       1 likes, 0 repeats
       
       @lain yuy am safe :akko_fistup: Thanks lain :meowHeart:
       
 (DIR) Post #AW2eWGXyFYP2XU1QK8 by lain@lain.com
       2023-05-26T08:52:52.902982Z
       
       4 likes, 1 repeats
       
       @hakui mediaproxy is literally killing people
       
 (DIR) Post #AW2edhy8h4Flc8oKcC by VD15@pl.valkyrie.world
       2023-05-26T08:54:46.903656Z
       
       4 likes, 0 repeats
       
       @lain @hakui Where was mediaproxy on 9/11, huh?
       
 (DIR) Post #AW2eg0gi4IHOFUkvnk by hj@shigusegubu.club
       2023-05-26T08:54:23.585598Z
       
       3 likes, 1 repeats
       
       @lain @hakui billions must proxy
       
 (DIR) Post #AW2fl35CgtIL4yBAye by hakui@tuusin.misono-ya.info
       2023-05-26T09:07:19.999008Z
       
       2 likes, 0 repeats
       
       @VD15 @lain the dancing mediaproxy incident
       
 (DIR) Post #AW2g0wrTacB6PvL8TI by shpuld@shpposter.club
       2023-05-26T09:08:43.683657Z
       
       0 likes, 0 repeats
       
       @lain @mint I thought that was in default nginx configs already, it was in mine at least. wonder how it got left out by poast
       
 (DIR) Post #AW2gDmX7IkrU9Hw7FY by lain@lain.com
       2023-05-26T09:11:21.680492Z
       
       3 likes, 0 repeats
       
       @shpuld @mint it's not in the default, i think you might have it because we had this issue in /media, quick-fixed it via nginx, then also added the fix to pleroma directly, but not fixing it for /proxy because that probably didn't exist yet.
       
 (DIR) Post #AW2gMYBe0gvAGE4eJ6 by hj@shigusegubu.club
       2023-05-26T09:13:41.130924Z
       
       0 likes, 0 repeats
       
       @shpuld @lain @mint poast had some of its own weirdness related to multiple frontends and such
       
 (DIR) Post #AW2gSvlnF3XT8j1azY by pomstan@xn--p1abe3d.xn--80asehdb
       2023-05-26T09:15:11.771016Z
       
       1 likes, 0 repeats
       
       @hj @lain @mint @shpuld poast had some of its own weirdness related togleasoyware
       
 (DIR) Post #AW2gsoshTZj7IvbH5U by pomstan@xn--p1abe3d.xn--80asehdb
       2023-05-26T09:19:50.600016Z
       
       2 likes, 0 repeats
       
       @roboneko @dcc @lain @splitshockvirus @mint  the only thing you can recover from that is probably just my ip which you can use for uh… telling my employer that I’m following straight shota bot, in which case you will probably get replied with “based”
       
 (DIR) Post #AW2gtAy7M78Fo6IuaO by dcc@annihilation.social
       2023-05-26T09:19:56.338084Z
       
       1 likes, 0 repeats
       
       @roboneko @lain @splitshockvirus yet I'm not at risk of getting my server hacked :cat_sit_2:
       
 (DIR) Post #AW2hafB6ufRPx77M8W by ringo@noagendasocial.com
       2023-05-26T09:27:52Z
       
       0 likes, 0 repeats
       
       @lain @ringo@talk-here.com interesting. So it was an injection attack using a malformed or corrupted file, which was actually a base64 encoded script?
       
 (DIR) Post #AW2hrbtkMT2Ohc4pUG by shpuld@shpposter.club
       2023-05-26T09:29:41.829677Z
       
       1 likes, 0 repeats
       
       @lain @mint icic, anyway thanks for the investigation and updates, nice to know that we're safe
       
 (DIR) Post #AW2i3veEl2aRQkhENk by lain@lain.com
       2023-05-26T09:32:31.697746Z
       
       2 likes, 0 repeats
       
       @ringo @ringo no, i'm deliberately unclear here about the exact details because i want to give people a few more hours to add that line to nginx before people with lots of free time start trying to exploit it. Generally, the average pleroma user should be safe, even if they use mediaproxy. The likelihood that someone who isn't specifically attacked and tricked into clicking something will trigger this exploit is very low.
       
 (DIR) Post #AW2ia91KZgdsAfrN8C by ringo@talk-here.com
       2023-05-26T09:38:54.682850Z
       
       0 likes, 0 repeats
       
       @lain @ringo Roger, copy. What's the clean equivalent for apache, btw? Dirty would be to just change the ownership of the mediaproxy folder to an unprivileged user, but that's not really the best way. Also, on the last bit, that's great news, and thanks.
       
 (DIR) Post #AW2ii2W4dmmyJd0KRM by dcc@annihilation.social
       2023-05-26T09:40:20.392169Z
       
       1 likes, 0 repeats
       
       @ringo @lain @ringo when i have time tomorrow i will get an apache version for ya
       
 (DIR) Post #AW2iod8pNmDNdyH2US by ringo@talk-here.com
       2023-05-26T09:41:29.669689Z
       
       1 likes, 0 repeats
       
       @dcc @lain @ringo thanks brother. I want to add all the XSS stuff to that too, because it doesn't like running correctly in prod.secret.exs, for whatever reason, at all.
       
 (DIR) Post #AW2jqI4imFAUqDhzZQ by dushman@asbestos.cafe
       2023-05-26T09:53:05.382135Z
       
       0 likes, 0 repeats
       
       @dcc @lain @splitshockvirus oh my god it's the mpv man
       
 (DIR) Post #AW2qg420psYK4KVp5s by Suiseiseki@freesoftwareextremist.com
       2023-05-26T11:09:36.139715Z
       
       0 likes, 0 repeats
       
       @roboneko
       > to prevent remote instances from harvesting metadata on local users who are passively browsing

       That is why you use Tor Browser - you can browse whatever you want and all the remote instances can see is that someone is using Tor.
       
 (DIR) Post #AW2r3uWbpfEFXEC7yy by latte@froth.zone
       2023-05-26T11:13:57.932622Z
       
       0 likes, 0 repeats
       
       @lain @sam Akkoma is likely also vulnerable.
       
 (DIR) Post #AW3AhPI3HQRzNGvrjk by MechaSilvio@poa.st
       2023-05-26T14:53:57.878586Z
       
       0 likes, 0 repeats
       
       @lain Out of curiosity, any idea why the browser ran the file if it was a .txt?
       
 (DIR) Post #AW3BhZpICt1G0Q7pcO by anonaccount@poa.st
       2023-05-26T15:05:10.600699Z
       
       1 likes, 0 repeats
       
       @MechaSilvio @lain Originally it was uploaded as a JavaScript file, it was renamed for safety.
       
 (DIR) Post #AW3DUJP89TkVDYgt4y by MechaSilvio@poa.st
       2023-05-26T15:25:12.177321Z
       
       0 likes, 0 repeats
       
       @anonaccount @lain Now it makes sense
       
 (DIR) Post #AW3Ipv4Rntb3tF8gHg by feld@bikeshed.party
       2023-05-26T16:24:44.322230Z
       
       2 likes, 0 repeats
       
       If you use Varnish:

           sub vcl_backend_response {
             if (bereq.url ~ "^/proxy/") {
               set beresp.http.Content-Security-Policy = "sandbox";
             }
           }

       Also clear your MediaProxy cache, because serving the cached variant will have the old header without the CSP rule.
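
       Added example for this thread, not code from Pleroma, nginx or Varnish: a small Python check that decides whether a served Content-Security-Policy really stops scripts, covering both the nginx "script-src 'none'" fix and the Varnish "sandbox" fix, and flagging a cached response that still lacks the header. The function names and the sample header lists are constructed here.

```python
# Added example for this thread (not Pleroma, nginx or Varnish code). It checks
# whether the Content-Security-Policy served on /media or /proxy really blocks
# scripts, for the nginx "script-src 'none'" and the Varnish "sandbox" variants.
# The response headers below are constructed samples, not captured traffic.

def parse_csp(value):
    """Split a CSP header into {directive: [tokens]}; names and keywords are
    matched ASCII case-insensitively, as browsers do."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(t.lower() for t in tokens[1:])
    return policy

def csp_blocks_scripts(value):
    """True if this one policy forbids script execution for the document:
    'sandbox' without allow-scripts, 'script-src' empty or 'none', or
    'default-src 'none'' with no script-src override."""
    policy = parse_csp(value)
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False          # no script restriction at all
    return sources in ([], ["'none'"])

def media_response_is_safe(headers):
    """headers: list of (name, value) pairs from one HTTP response. Every
    enforced CSP header applies, so one blocking policy is enough; a
    Content-Security-Policy-Report-Only header is deliberately ignored
    because it enforces nothing."""
    values = [v for n, v in headers if n.lower() == "content-security-policy"]
    return any(csp_blocks_scripts(v) for v in values)

# Constructed sample responses for a file served under /proxy/.
NGINX_FIXED = [("Content-Type", "text/plain"),
               ("Content-Security-Policy", "script-src 'none';")]
VARNISH_FIXED = [("content-type", "text/plain"),
                 ("content-security-policy", "sandbox")]
STALE_CACHE = [("Content-Type", "text/plain"), ("Age", "86400")]   # cached before the fix
WEAKENED = [("Content-Security-Policy", "sandbox allow-scripts allow-same-origin")]

if __name__ == "__main__":
    for name, resp in [("nginx", NGINX_FIXED), ("varnish", VARNISH_FIXED),
                       ("stale cache", STALE_CACHE), ("weakened", WEAKENED)]:
        print(f"{name:12s} scripts blocked: {media_response_is_safe(resp)}")
```

       On a live instance, feed it the headers of a HEAD request to one /media and one /proxy URL, and repeat after purging the cache, since a cached object keeps the headers it was stored with.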
       
 (DIR) Post #AW3RKpHQBOjEXaSJxg by clemenceau@cutewaifu.enjoyer.network
       2023-05-26T18:00:26.017075Z
       
       0 likes, 0 repeats
       
       @lain @feld thanks for this. Any idea what a similar directive for Caddy would be? This is the relevant section of their docs: https://caddyserver.com/docs/caddyfile/directives/header
       
 (DIR) Post #AW3TYuQI3dcSSDRmqm by feld@bikeshed.party
       2023-05-26T18:24:51.036080Z
       
       0 likes, 0 repeats
       
           your-domain.com {
               # Your existing configuration here
               route /specific-path* {
                   # header takes the field name first; a leading "/" would be read as a path matcher
                   header Custom-Header "Custom-Header-Value"
               }
           }

       this was sourced from ChatGPT but looks like something I've done before.
       
 (DIR) Post #AW3Yj4raaxyjV6ssGu by sjw@bae.st
       2023-05-26T19:23:14.177725Z
       
       0 likes, 0 repeats
       
       @lain might also add

           proxy_hide_header Content-Security-Policy;