I don't know who needs to hear this but #TruthSocial, which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVEs as well, but some rely on federation, which Truth Social doesn't use?) #infosec

You can find the Truth Social source code here: https://help.truthsocial.com/legal/open-source/
Merge pull request from GHSA-9928-3cp5-93fm · mastodon/mastodon@dc8f1fb

* Fix attachments getting processed despite failing content-type validation * Add a restrictive ImageMagick security policy tailored for Mastodon * Fix misdetection of MP3 files with large cover ...

Theoretically, anyone with internet access would have been able to put two and two together to exploit this vulnerability since its public disclosure in July of 2023. But I'm sure nobody, and certainly not state actors, would have an interest in exploiting the security of a social network owned and used by a presidential candidate (who now stands to profit billions of dollars from its sale to the public).
@ryanfb Good work, Ryan.