@thisismissem @pixelfed @certbund @cert_eu Even if it'll just allow them to manipulate the public_html directory of said webserver that alone is a problem.
Not to mention they'll likely have eMail set up to send notifications and registration confirmations, meaning that can be abused for #Spam...
And at that point most people will point out that Spamming is kinda illegal and that regulators like @BNetzA will go after Spammers within their jurisdiction...
Having an insecure Webserver-Sided Application up and running is just begging for trouble and will get costly as every hoster & ISP I know will bill the customer in question for the costs of having to intervene due to their criminally gross neglect...
And those bills will get very big quickly, especially when they had to deal with a shitload of fallout from other sources, like having to undo getting blocklisted for spam and so forth...
@kkarhan please just wait for the full disclosure on the 25th; I know you're trying to be helpful but you're misunderstanding the type of vulnerability.