Nostr Web Client

nostr:npub18994crjwnldrukwym5lz3y2nae84s84v20m2rkngtjnyg549lr6qvxmd6m new pleroma vuln dropped btw

nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 yeah, XXE. Means anything that can submit an XML document that the server parses can read arbitrary files on the server, same as the other issue. Actually worse if this doesn’t require Auth. XXE is fixed by not using a shit and brain-damaged parsers, which nobody should be using. This is straight outta 2004.

Abandon hope, all ye who enter. Pleroma is fucked and was made by retards.

Reply to this note

Please Login to reply.

Discussion

Alex Gleason 2y ago

Can you explain the actual attack surface tho

Webfinger can sometimes be in XML format instead of JSON, and the server will parse it. But I don't see how the results could be rendered to the attacker.

dog's best friend 2y ago

The XML parser we're using is the most mature one in the ecosystem and comes with Erlang, but they apparently didn't care to disable this by default.