Elon is so yesterday.
I like this one.

Dang the leaks are not even complete. Probably only a page or two at most for a lot of users. Be grateful Pleroma is fucking slow!
Mastodon has too much bloat and technical debt.
We are so back.
Guys today I'm announcing that I'm coming out as transgender.
Oh fuck no, Mastodon is a disaster compared to Pleroma. Pleroma is just suffering from a few bad choices due to severe autism. It can definitely be saved, it's just that nobody will.
Fun fact, Rebased is not vulnerable to the rich media vuln because the MR I proposed 2 years ago (and merged into Rebased) sanitizes the HTML: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3401/diffs#21b5f6a680dc114e2d13c5405e9f12aa00a7f29c_0_40
My man. The attacker set up a fake server disguising itself as a nostr bridge. It has nothing to do with the actual nostr bridge.
https://media.gleasonator.com/75d168237864100fe78b99cbacdd41786e0e10d87f7c82fe9665c84661d9c6ca.webm
Click 👉 https://yourmom.zip
So now that Breath of the Wild 2 is released is the COVID-19 pandemic finally over?
Not allowing users to upload literally every type of file on purpose.
Lessons learned:
1. Always host user uploads on a separate domain.
2. Don't use Pleroma FE.
3. Mastodon was right.
Nope. It hits /api/v1/accounts/lookup where the username is the OAuth token encoded to look like a Nostr pubkey @ mostr.fedirelay.xyz. This causes your server to make a federation request where they simply monitor the logs and pull the token out of the username... absolutely nuts. Read the code. https://i.poastcdn.org/4ed28ef4fa5e18bfa5c1f75a5c1cc759f7b718c0b600e7e2fcc6d0cdb0215f15.txt
You know, Hermes, like The Messenger. I just thought it was interesting after getting all this spam from "python-requests" in my logs.

Just curious, what were you building here? Looks like a Pleroma bot script that was trying to do some particular action 9988 times.
Pleroma / Akkoma / Rebased need to be patched, but here’s how you can secure your site without any code changes:
yoursite.com/media -> media.yoursite.com
yoursite.com/proxy -> proxy.yoursite.com
To do this, add the following configuration to your site:
config :pleroma, Pleroma.Upload,
  base_url: "https://media.yoursite.com"

config :pleroma, :media_proxy,
  base_url: "https://proxy.yoursite.com"
You will need to add DNS records for the subdomains. For media, it’s recommended to use an S3 bucket (or equivalent). For the proxy, you can simply point the DNS to the same server and edit your Nginx file. A sample Nginx file is here: https://termbin.com/tj7q
You’re on your own setting up Let’s Encrypt, etc.
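An added check (example code, not from the poster or the Pleroma project) that reads the two config blocks above and confirms the upload and media-proxy base URLs are on a different origin (scheme, host, port) from the site itself. The config text and site URL are constructed for the example; the assumption that an unset base_url falls back to a path on the site origin is stated in the code.

```python
"""Audit a Pleroma-style config for uploads/proxied media served on the site's own origin.

Added example, not the poster's code.  SAMPLE_CONFIG / UNSAFE_CONFIG and the site URL
are constructed inputs; the check is pure string/URL parsing and runs offline.
"""
import re
from urllib.parse import urlsplit

# Constructed: the separate-domain layout recommended in the post.
SAMPLE_CONFIG = '''
config :pleroma, Pleroma.Upload,
  base_url: "https://media.yoursite.com"

config :pleroma, :media_proxy,
  base_url: "https://proxy.yoursite.com"
'''

# Constructed: uploads still under the site origin, proxy left unset.
UNSAFE_CONFIG = '''
config :pleroma, Pleroma.Upload,
  base_url: "https://yoursite.com/media"
'''

SECTIONS = ("Pleroma.Upload", ":media_proxy")


def base_urls(config_text):
    """Return {section: base_url} for the Pleroma.Upload and :media_proxy blocks."""
    found = {}
    # Each `config :pleroma, <section>, ...` statement becomes one chunk.
    for chunk in re.split(r"^config\s+:pleroma,\s*", config_text, flags=re.M)[1:]:
        head, _, body = chunk.partition(",")
        section = head.strip()
        match = re.search(r'base_url:\s*"([^"]+)"', body)
        if section in SECTIONS and match:
            found[section] = match.group(1)
    return found


def origin(url):
    """(scheme, host, port) triple; the browser's notion of a distinct origin."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def audit(site_url, config_text):
    """Return a list of findings; an empty list means both services are off-origin."""
    findings = []
    site = origin(site_url)
    urls = base_urls(config_text)
    for section in SECTIONS:
        url = urls.get(section)
        if url is None:
            # Assumption: with no base_url Pleroma serves the content from a path
            # (/media, /proxy) on the site's own origin, which is the unsafe layout.
            findings.append(f"{section}: base_url not set, falls back to a path on {site_url}")
            continue
        if origin(url) == site:
            findings.append(f"{section}: {url} is same-origin with {site_url}")
        elif urlsplit(url).scheme != "https":
            findings.append(f"{section}: {url} is not served over https")
    return findings


if __name__ == "__main__":
    for label, text in (("separate domains", SAMPLE_CONFIG), ("same origin", UNSAFE_CONFIG)):
        print(label, "->", audit("https://yoursite.com", text) or "ok")
```

Run it against your own config file contents in place of the constructed strings; any finding means user-controlled files can still execute in the site's origin, which is exactly what the separate-domain layout is meant to prevent.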
Here’s what does NOT work:
A CSP one-liner in Nginx. That’s not how CSP works. CSP affects the page it was loaded on, not other resources. This is straight up misinformation.
Disabling the media proxy on its own. The media proxy does appear to be vulnerable, but it cannot be the only action you take.
Because I get bitches while you're thinking about Glussy.
location /api/pleroma/admin { return 403; }
location /api/v1/pleroma/admin { return 403; }
Good afternoon, chaos.