Email or username:

Password:

Forgot your password?
All posts Emelia's posts Post Back to profile
Top-level
Kevin Karhan

@thisismissem @pixelfed Consider reporting it to @certbund & @cert_eu ...

Maybe once it's acknowledged then hosters will intervene because they don't want shit to get abused for malware...

13 February at 3:34 | Wall-to-wall | Open on infosec.space
5 comments
Emelia πŸ‘ΈπŸ»

@kkarhan @pixelfed @certbund @cert_eu this vulnerability just gives administrative access over the pixelfed software, not to the underlying hardware.

13 February at 3:38 | Open on hachyderm.io
Kevin Karhan

@thisismissem @pixelfed @certbund @cert_eu Even if it'll just allow them to manipulate the public_html directory of said webserver that alone is a problem.

Not to mention they'll likely have eMail setup to sent notificiations and registration confirmations, meaning that can be abused for #Spam...

And at that point most people will point out that Spamming is kinda illegal and that regulators like @BNetzA will go after Spammers within their juristiction...

Having an insecure Webserver-Sided Application up and running is just begging for trouble and will get costly as every hoster & ISP I know will bill the customer in question for the costs of having to intervene due to their criminally gross neglect...

And those bills will get very big quickly, espechally when they had to deal with a shitload of fallout from other sources, like having to undo getting blocklisted for spam and so forth...

@thisismissem @pixelfed @certbund @cert_eu Even if it'll just allow them to manipulate the public_html directory of said webserver that alone is a problem.

Not to mention they'll likely have eMail setup to sent notificiations and registration confirmations, meaning that can be abused for #Spam...

And at that point most people will point out that Spamming is kinda illegal and that regulators like @BNetzA will go after Spammers within their juristiction...

13 February at 3:43 | Open on infosec.space
Emelia πŸ‘ΈπŸ»

@kkarhan please just wait for the full disclosure on the 25th; I know you're trying to be helpful but you're misunderstanding the type of vulnerability.

13 February at 6:05 | Open on hachyderm.io
Kevin Karhan

@thisismissem okay...

I do accept amd understand #ResponsibleDisclosure and why people should first fix it...

Needless to say said CERTs should be made aware as their publications & feeds are also being read by Hosters who may also have the ability to scan their customers' systems and notify them as well or if necessary forcibly shut down vulnerable instances before they get hacked...

13 February at 6:09 | Open on infosec.space
Emelia πŸ‘ΈπŸ»

@kkarhan there's already a CVE and a security advisory on github. For now it's not necessary as far as I know for CERT to be involved

13 February at 6:12 | Open on hachyderm.io
Go Up