sh.itjust.works

27,609 readers
1,258 users here now

Useful Links

Rules:

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Règles :

Soyez respectueux. Tout le monde doit se sentir le bienvenu ici.
Pas de bigoterie - y compris le racisme, le sexisme, le capacitisme, l'homophobie, la transphobie ou la xénophobie.
Pas de publicités / Pas de spam.
Pas de pornographie.

Fediseer

Other UI options (more to come)

https://oldsh.itjust.works/

Monitoring Services
lemmy-meter.info

founded 1 year ago

ADMINS

Private message security issue for Lemmy 0.18.5 (github.com)

submitted 7 months ago by [email protected] to c/[email protected]

1 comments fedilink

Users can brute-force their way into reading private messages with Lemmy versions below 0.19.1. I know there was the question of federation issues previously, but it appears to have been largely mitigated with the later versions at this point. Are there any plans to upgrade pawb.social?

117

Lemmy Security Advisory for Versions < 0.19.1: Private message details leak. (github.com)

submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]

9 comments fedilink

The full description of the bug is in the linked issue above, but the short version is:

Our CreatePrivateMessageReport endpoint had a bug that would allow anyone, not just the recipient, to create a report, and then receive the details about private messages.

This allowed anyone to iterate over ids, creating thousands of reports in order to receive details about private messages.

Since those reports are visible to admins, it would be easy to discover if someone was abusing this, and luckily we haven't heard of anyone doing so on production instances (so far).

If you haven't, please be sure to upgrade to at least 0.19.1 for the fix.

Many thanks to @Nothing4You for finding this one.