
@joeyh posted about two security vulnerabilities he uncovered joeyh.name/blog/entry/two_secu

Notably the ActivityPub appendix warns about these kinds of security vulnerabilities: don't fetch from uri schemes you don't know (be sure your http lib doesn't accept file://) and don't fetch from localhost (though sadly it's hard not to do this one... "localhost-only" is mostly doomed).

But Joey's post also points out that even if you filter out the scheme and localhost yourself, redirects may bite you

@cwebber @joeyh hm, I never looked into whether DNS rebinding attacks apply to ActivityPub implementations; those types of attacks seem to be in vogue these days

Christopher Lemmer Webber @cwebber

@szbalint @joeyh not sure if you saw the Guile vulnerability that we uncovered a while ago, where live hacking sessions listening on localhost were vulnerable to confused deputy attacks through browsers etc. (notably, also ActivityPub instances that don't heed this advice), which allowed arbitrary code execution lists.gnu.org/archive/html/gui

localhost-only ain't
