Welcome Programmers!

programming.dev is a collection of programming communities and other topics relevant to software engineers, hackers, roboticists, hardware and software enthusiasts, and more.

The site is primarily English with some communities in other languages. We are connected to many other sites using the ActivityPub protocol; you can view posts from them in the "all" tab, while the "local" tab shows posts on our site.

🔗 Site with links to all relevant programming.dev sites

🟩 Not a fan of the default UI? We have alternate frontends we host that you can view the same content from

ℹ️ We have a wiki site that communities can host documents on

⚖️ All users are expected to follow our Code of Conduct and the other various documents on our legal site

❤️ The site is run by a team of volunteers. If you're interested in donating to help fund things such as server costs, you can do so here

💬 We have a microblog site aimed towards programmers available at https://bytes.programming.dev

🛠️ We have a Forgejo instance for hosting git repositories relating to our site and the fediverse. If you have a project that relates and follows our Code of Conduct, feel free to host it there, and if you have ideas for things to improve our sites, feel free to create issues in the relevant repositories. To go along with the instance we also have a site for sharing small code snippets that might be too small for their own repository.

🌲 We have a Discord server and a Matrix space for chatting with other members of the community. These are bridged to each other (so you can interact with people using Matrix from Discord and vice versa).


Users can brute-force their way into reading private messages with Lemmy versions below 0.19.1. I know there was the question of federation issues previously, but it appears to have been largely mitigated with the later versions at this point. Are there any plans to upgrade pawb.social?


The full description of the bug is in the linked issue above, but the short version is:

Our CreatePrivateMessageReport endpoint had a bug that would allow anyone, not just the recipient, to create a report, and then receive the details about private messages.

This allowed anyone to iterate over ids, creating thousands of reports in order to receive details about private messages.

Since those reports are visible to admins, it would be easy to discover if someone was abusing this, and luckily we haven't heard of anyone doing so on production instances (so far).

If you haven't, please be sure to upgrade to at least 0.19.1 for the fix.

Many thanks to @Nothing4You for finding this one.
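To make the shape of the bug concrete, here is an added example that is not Lemmy's code and not part of the thread. It models a private-message store in plain Rust with made-up types (`Store`, `PrivateMessage`, `Report`) and constructed sample data: `create_report_unchecked` has the defect described above (any user can report any message id and is handed the message back), `create_report` adds the recipient check, and `heavy_reporters` is the kind of query an admin could run over the report queue to spot the id-iteration pattern the release note mentions.

```rust
use std::collections::HashMap;

// Constructed, minimal model of what an instance stores; these are not Lemmy's types.
#[derive(Debug, Clone, PartialEq)]
pub struct PrivateMessage {
    pub id: u64,
    pub creator_id: u64,
    pub recipient_id: u64,
    pub content: String,
}

// A report carries the reported message's details, which is exactly why the
// missing authorization check turned into an information leak.
#[derive(Debug, Clone, PartialEq)]
pub struct Report {
    pub reporter_id: u64,
    pub message: PrivateMessage,
}

// One error for both "no such message" and "not yours": the caller learns nothing
// about ids they are not allowed to see.
#[derive(Debug, Clone, PartialEq)]
pub enum ReportError {
    NotVisible,
}

pub struct Store {
    messages: HashMap<u64, PrivateMessage>,
    pub reports: Vec<Report>,
}

impl Store {
    pub fn new(messages: Vec<PrivateMessage>) -> Self {
        Store {
            messages: messages.into_iter().map(|m| (m.id, m)).collect(),
            reports: Vec::new(),
        }
    }

    // Vulnerable shape (for contrast only): the message is looked up by id and
    // returned to whoever asked, with no check that the reporter is its recipient.
    pub fn create_report_unchecked(&mut self, reporter_id: u64, message_id: u64) -> Result<Report, ReportError> {
        let msg = self.messages.get(&message_id).ok_or(ReportError::NotVisible)?.clone();
        let report = Report { reporter_id, message: msg };
        self.reports.push(report.clone());
        Ok(report)
    }

    // Fixed shape: only the recipient of the message may report it. Any other
    // caller gets the same error as for a nonexistent id.
    pub fn create_report(&mut self, reporter_id: u64, message_id: u64) -> Result<Report, ReportError> {
        let msg = self
            .messages
            .get(&message_id)
            .filter(|m| m.recipient_id == reporter_id)
            .ok_or(ReportError::NotVisible)?;
        let report = Report { reporter_id, message: msg.clone() };
        self.reports.push(report.clone());
        Ok(report)
    }

    // Detection aid for admins reviewing the report queue: reporters with more than
    // `threshold` reports, sorted by user id. Mass id iteration shows up here.
    pub fn heavy_reporters(&self, threshold: usize) -> Vec<(u64, usize)> {
        let mut counts: HashMap<u64, usize> = HashMap::new();
        for r in &self.reports {
            *counts.entry(r.reporter_id).or_insert(0) += 1;
        }
        let mut out: Vec<(u64, usize)> = counts.into_iter().filter(|(_, n)| *n > threshold).collect();
        out.sort();
        out
    }
}

// Constructed sample data: three messages between users 1 and 2; user 3 is a bystander.
pub fn sample_store() -> Store {
    Store::new(vec![
        PrivateMessage { id: 1, creator_id: 1, recipient_id: 2, content: "hello".into() },
        PrivateMessage { id: 2, creator_id: 2, recipient_id: 1, content: "hi back".into() },
        PrivateMessage { id: 3, creator_id: 1, recipient_id: 2, content: "see you".into() },
    ])
}

fn main() {
    let mut store = sample_store();
    // Bystander (user 3) walks the id space through the unchecked endpoint.
    for id in 1..=3 {
        println!("unchecked: {:?}", store.create_report_unchecked(3, id).map(|r| r.message.content));
    }
    // The same calls against the fixed endpoint are refused.
    println!("checked:   {:?}", store.create_report(3, 1));
    println!("heavy reporters: {:?}", store.heavy_reporters(2));
}
```

The check sits on the loaded message rather than on the request, so it cannot be bypassed by supplying a different id, and collapsing "not found" and "not recipient" into one error keeps the endpoint from confirming which ids exist. The `heavy_reporters` query is only a coarse signal; on a real instance the threshold would be tuned against normal report volume.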
