this post was submitted on 17 Jul 2024
79 points (100.0% liked)

Lemmy

12576 readers
2 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
 

If you are using https://github.com/wereii/lemmy-thumbnail-cleaner please stop and disable it as soon as possible.

We have found a security issue that allows any user to make LTC delete any locally hosted image.

I will be posting more details soon and editing this to include the information.

E: More information here https://github.com/wereii/lemmy-thumbnail-cleaner/issues/10

top 6 comments
sorted by: hot top controversial new old
[–] Emotet 37 points 4 months ago* (last edited 4 months ago) (1 children)

Ah. So Lemmy with version 0.19.4+ allows users to set a custom thumbnail URL for a post, which can be set to pretty much anything resembling a valid link, especially a link to another image in the local pictrs db and trigger a deletion of both when a minimum age check is passed.

Also this:

Except that the field allows some funny URLs e.g. https://t.t/;';'%22;...[:%3C%3E?]%27;%20yaba%20daba%20doo, if this is an issue too is not confirmed

Relevant XKCD

[–] taaz@biglemmowski.win 12 points 4 months ago (1 children)

On point summary.
And I was just about to write that I have confirmed SQLi is not possible to find out I have missed something that might in-turn make it possible! holy hell back to drawing board

[–] Emotet 6 points 4 months ago

Yikes. Thanks for putting in the works and sharing your findings to you and @Nothing4You@programming.dev.

[–] db0@lemmy.dbzer0.com 15 points 4 months ago (1 children)

I'm really curious how someone can exploit a script that is meant to be running locally with no external facing interface

[–] taaz@biglemmowski.win 6 points 4 months ago (1 children)

Post edited with link to more information.

[–] db0@lemmy.dbzer0.com 4 points 4 months ago