Emelia 👸🏻

@kkarhan @pixelfed @certbund @cert_eu this vulnerability just gives administrative access over the pixelfed software, not to the underlying hardware.

4 comments
Kevin Karhan :verified:

@thisismissem @pixelfed @certbund @cert_eu Even if it'll just allow them to manipulate the public_html directory of said webserver, that alone is a problem.

Not to mention they'll likely have email set up to send notifications and registration confirmations, meaning that can be abused for #Spam...

And at that point most people will point out that spamming is kinda illegal and that regulators like @BNetzA will go after spammers within their jurisdiction...

Having an insecure web-server-side application up and running is just begging for trouble and will get costly, as every hoster & ISP I know will bill the customer in question for the costs of having to intervene due to their criminally gross neglect...

And those bills will get very big quickly, especially when they had to deal with a shitload of fallout from other sources, like having to undo getting blocklisted for spam and so forth...


Emelia 👸🏻

@kkarhan please just wait for the full disclosure on the 25th; I know you're trying to be helpful but you're misunderstanding the type of vulnerability.

Kevin Karhan :verified:

@thisismissem okay...

I do accept and understand #ResponsibleDisclosure and why people should first fix it...

Needless to say said CERTs should be made aware as their publications & feeds are also being read by Hosters who may also have the ability to scan their customers' systems and notify them as well or if necessary forcibly shut down vulnerable instances before they get hacked...

Emelia 👸🏻

@kkarhan there's already a CVE and a security advisory on GitHub. For now it's not necessary, as far as I know, for CERT to be involved.
