• db0@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    I’m really curious how someone can exploit a script that is meant to be running locally with no external facing interface

  • Emotet@slrpnk.net
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    4 months ago

    Ah. So Lemmy with version 0.19.4+ allows users to set a custom thumbnail URL for a post, which can be set to pretty much anything resembling a valid link, especially a link to another image in the local pictrs db and trigger a deletion of both when a minimum age check is passed.

    Also this:

    Except that the field allows some funny URLs e.g. https://t.t/;';'%22;...[:%3C%3E?]%27;%20yaba%20daba%20doo, if this is an issue too is not confirmed

    Relevant XKCD