Kevin BeaumontFor anybody wondering what the Mastodon security issue is - CVE-2023-36460, you can send a toot which makes a webshell on instances that process said toot. #CVE202336460 #TootRoot
Benjamin@GossiTheDog Well that's less than ideal...
Julie moved to @@GossiTheDog That is fantastic!
๐ธ lily ๐ณ๏ธโโง๏ธ 
ฮธฮ โ & โ@robotfactory @GossiTheDog i take it that's sarcasm or you're impressed that such a bug is even possible
gravitos 
@tauon @GossiTheDog @robotfactory there is not a single impossible bug if whoever makes software does not know what they are doing. i've seen a TTS service that literally passed text you fed it into a bash shell, and someone could just ask it to say
$(cat /etc/passwd) and that would spit actual passwd lines out
Andrei Kucharavy@gravitos @tauon @GossiTheDog @robotfactory
I was literally having a conversation with a junior about scenarios we are testing and for about 30 minutes the conversation revolves around ยซ this is not a realistic scenario, people cannot be possibly be doing this ยป.
@andrei_chiffa what scenarios are those? i will be glad to go and do some weird stuff in someone's software for science
p.s. no data leakages
@gravitos @tauon @GossiTheDog @robotfactory people putting unsanitized SQL databases behind LLM chat front-ends.
@andrei_chiffa that's like the first thing that comes to some people's minds - like, i've even seen a joke... actually, one two xkcd comics directly referring to this. that means something!
Biggles 20X6!@GossiTheDog that seems bad
VJmes ๐ค
Jay Little@GossiTheDog You are kidding, right? If that's true, that's absolutely bonkers. Wow.
Edd@GossiTheDog well now I'm *real* glad I took a late lunch to patch within 15 mins of release
Renaud Chaput@GossiTheDog FYI we will publish the advisories in a few hours.
Those come from a pentest by Cure53, sponsored by Mozilla. We will most probably publish the full report at some point.
Those come from a pentest by Cure53, sponsored by Mozilla. We will most probably publish the full report at some point.
Csepp ๐ข@renchap @GossiTheDog Are other AP implementations also going to get an audit?
@csepp @GossiTheDog No idea, this was funded by Mozilla, most probably because they are preparing to launch their instance.
Thom Slattery@GossiTheDog So can we use the vulnerability to patch itself...
Efi (nap pet) ๐ฆ๐ค
ScaredyCat@GossiTheDog lol wut?!
Miicat_47
Cenobyte 
@GossiTheDog Thanks for the info. Definitely a critical upgrade. I will be updating here as soon as possible.
Steve Scott@GossiTheDog They've really cocked up the docker image build, the latest tag is currently pointing at 3.5.9, after briefly pointing at 4.0.5. Great fun!
Brian@GossiTheDog Updated both my instances. Are there any checks out to verify it wasnโt exploited?
fuomag9@brian @GossiTheDog you should probably check for strange files and your logs
Untitled Goose Name@GossiTheDog So you could send a toot to get root and steal some loot? But if you patch and reboot, itโll be moot?
Matt Palmer@goosname @GossiTheDog oh you're a hoot!
Hacker Memes@GossiTheDog from toot to root
Tim@GossiTheDog a root toot?
@GossiTheDog Jesus Christ
@GossiTheDog wait what the fuck how does that work
Gabbo the wafrn dev guy@[email protected] @[email protected] allow me to explain
https://www.youtube.com/watch?v=5HqPVigNCkY
'How did you do that?' - 'Fuck you that's how.' [Hellsing]
Zorin =^o.o^=@GossiTheDog I wonder if this means it's theoretically possible to send a toot that will hotfix affected instances. :)
Cody Evans@GossiTheDog Thanks for the info, just updated my instance to v4.1.3
shellsharks@GossiTheDog #tootroot? Genius ๐. You coin this yourself (https://cyberplace.social/@GossiTheDog/110667416012211236)? It's about to make the list --> https://shellsharks.com/designer-vulnerabilities
Kevin Beaumont (@[email protected])
For anybody wondering what the Mastodon security issue is - CVE-2023-36460, you can send a toot which makes a webshell on instances that process said toot. #CVE202336460 #TootRoot
Joe Cooper ๐บ๐ฆ ๐@GossiTheDog the very open web has arrived.
Dark Sage Torunka 
@GossiTheDog welp I am very, VERY glad that I decided to patch immediately. This is worse than Drupalgeddon.
Frost, แแแแแ แฑ ๐บโ๏ธ
@GossiTheDog yIKES so it's an actual security fix, not a Facebook trojan horse or whatever shit? That's good to know, we can install it now.
(Yeah, we do /not/ trust Gargron anymore.)
makemake@GossiTheDog pleromachads we canโt stop winning
Dave Aitel@GossiTheDog PPL need to be carefully running GRSEC on these things.
Fritz Adalis@FritzAdalis @GossiTheDog I'm actually not sure... I would annoy the team but I am pretty annoying....
EthanRDoesMC@GossiTheDog itโs always input sanitizing. there are no new problems in CS itโs all just input
Yazad@GossiTheDog thank you for sharing this. How does one check if the instance they are on is patched?
The Evil Microwizard
Matt@GossiTheDog on the sending instance or receiving instance?
Tom
6543@GossiTheDog Mozilla.social @social still has v4.1.2 ๐ฎ
Mewsse โ๏ธ@GossiTheDog Is there any way to check if alternatives like Pleroma are affected ?