Emelia 👸🏻

58.5% of @pixelfed servers still have a critical vulnerability left unpatched.

I'll just highlight something: the vulnerability allows a third-party to gain administrative control over your instance if you don't update.

You really want to update as soon as possible, there's a reason this is a 9.9/10 vulnerability score.

#Pixelfed

16 comments
Emelia 👸🏻

To the 208 @pixelfed servers that have upgraded so far, thank you!

Kevin Karhan :verified:

@thisismissem @pixelfed Consider reporting it to @certbund & @cert_eu ...

Maybe once it's acknowledged then hosters will intervene because they don't want shit to get abused for malware...

Emelia 👸🏻

@kkarhan @pixelfed @certbund @cert_eu this vulnerability just gives administrative access over the pixelfed software, not to the underlying hardware.

Kevin Karhan :verified:

@thisismissem @pixelfed @certbund @cert_eu Even if it'll just allow them to manipulate the public_html directory of said webserver, that alone is a problem.

Not to mention they'll likely have eMail set up to send notifications and registration confirmations, meaning that can be abused for #Spam...

And at that point most people will point out that Spamming is kinda illegal and that regulators like @BNetzA will go after Spammers within their jurisdiction...

Having an insecure Webserver-Sided Application up and running is just begging for trouble and will get costly, as every hoster & ISP I know will bill the customer in question for the costs of having to intervene due to their criminally gross neglect...

And those bills will get very big quickly, especially when they had to deal with a shitload of fallout from other sources, like having to undo getting blocklisted for spam and so forth...

Emelia 👸🏻

@kkarhan please just wait for the full disclosure on the 25th; I know you're trying to be helpful but you're misunderstanding the type of vulnerability.

Kevin Karhan :verified:

@thisismissem okay...

I do accept and understand #ResponsibleDisclosure and why people should first fix it...

Needless to say said CERTs should be made aware as their publications & feeds are also being read by Hosters who may also have the ability to scan their customers' systems and notify them as well or if necessary forcibly shut down vulnerable instances before they get hacked...

Emelia 👸🏻

@kkarhan there's already a CVE and a security advisory on GitHub. For now it's not necessary, as far as I know, for CERT to be involved.

Matrix9180 :ruby: :rust:

@thisismissem @pixelfed hmmm... maybe I can white knight this shit and be the hacker that breaks in, upgrades their instance and leaves lol. Like jailbreakme back in the day. Lol

Emelia 👸🏻

@matrix9180 @pixelfed lucky not a vulnerability that gives you shell access as far as I know.

Matrix9180 :ruby: :rust:

@thisismissem @pixelfed that's good at least. Still enough access to set a global notice to everyone that their instance hasn't been upgraded and has been compromised and is still vulnerable. And urge them to pester their admins until it happens...

Anil

@thisismissem @matrix9180 @pixelfed I'm curious how the CVE score is so high without RCE possibilities? Escalation of privileges is usually in the 5-6ish range.

Matrix9180 :ruby: :rust:

@nil @thisismissem @pixelfed yeah, something is fishy... Critical is usually reserved for "oops all root access on the host" vulns...

Matrix9180 :ruby: :rust:

@nil @thisismissem @pixelfed yep, but I suppose it could be that high because it maybe exposes everyone's info. Going to get some rest but I'll probably see what they fixed and go from there lol

Emelia 👸🏻

@nil @matrix9180 @pixelfed so yeah, base score is 9.9 — though NIST's calculator is more explanatory than GitHub's, overall score ended up being 8.4 with all the other factors.