About a week ago I received an email from Parth Narula regarding my security.txt file on my main domain. I replied back somewhat snarkily, stating that the information he requested was in the details of the file already. I didn't hear back immediately, but just yesterday I received an absolute flood of emails detailing security vulnerabilities that Parth purported to find. While some were completely bogus, there were two that struck me as potential issues:

  • Pomf will not strip JS found in PDF files, violating my policy of not being able to upload directly executable files. What the risk of this is, considering PDFs are in a sandbox and natively support JS execution, I'm not quite sure, outside of arbitrary code execution on a client browser. Parth believes it can be turned into a full XSS, but I'm still waiting for that PoC. Pomf does have very limited security headers in place because it is meant to be used as a method to access files remotely, so there isn't even a CSP vs. something like Pleroma which has a very detailed CSP. I don't have a fix for this yet, but I can fast track if someone wants to try to turn it into an XSS.

  • Pleroma's password reset email rate limiting doesn't work, either due to a configuration fuckup on my end or because of a bug in Pleroma. Parth and I probably requested 30 password resets in a row between both of our accounts, when the rate limit by default (and now forced in my configuration by exporting the DB config, adding password_reset: {1800000, 5} to :rate_limit, and re-importing it) was supposed to be 5 inside 30 minutes per user. Impact could range from just being annoying, to causing availability issues by getting my email relay or even account nuked. I was able to fix this by 403'ing the endpoint the password reset page uses. No password resets for anyone. Just use a password manager.
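One way to flag the PDF case from the first item at upload time, as an added example that is not Pomf's code or the author's: it looks for script and auto-run action keys in the raw file and inside Flate-compressed streams, and decodes `#xx` name escapes so `/J#53` is still read as `/JS`. The function names, the key list, the size cap and the sample fragments are assumptions constructed for illustration.

```python
import re
import zlib

# Keys that introduce script or auto-run actions in a PDF dictionary.
SUSPECT = {b"JS", b"JavaScript", b"OpenAction", b"AA"}
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
MAX_INFLATE = 8 * 1024 * 1024  # cap per stream, guards against decompression bombs


def decode_name(raw: bytes) -> bytes:
    """Undo #xx hex escapes so that /J#53 is compared as JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def names_in(chunk: bytes) -> set:
    return {n for n in map(decode_name, NAME_RE.findall(chunk)) if n in SUSPECT}


def scan_pdf(data: bytes) -> set:
    """Return suspect keys seen in the raw file or inside Flate-compressed streams."""
    found = names_in(data)
    for m in STREAM_RE.finditer(data):
        try:
            inflated = zlib.decompressobj().decompress(m.group(1), MAX_INFLATE)
        except zlib.error:
            continue  # not Flate data; other filters and encryption are out of scope here
        found |= names_in(inflated)
    return found


def allow_upload(data: bytes) -> bool:
    """Policy: reject any PDF in which a suspect key was found."""
    return not scan_pdf(data)


# Constructed sample inputs (PDF fragments, not real uploads).
ACTION = b"<< /S /JavaScript /JS (placeholder) >>"
PLAIN = b"%PDF-1.7\n1 0 obj\n<< /OpenAction " + ACTION + b" >>\nendobj\n"
ESCAPED = b"%PDF-1.7\n1 0 obj\n<< /S /Java#53cript /J#53 (placeholder) >>\nendobj\n"
PACKED = (b"%PDF-1.7\n2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"5 0 " + ACTION) + b"\nendstream\nendobj\n")
CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, pdf in [("plain", PLAIN), ("escaped", ESCAPED), ("packed", PACKED), ("clean", CLEAN)]:
        print(label, sorted(scan_pdf(pdf)), "allow" if allow_upload(pdf) else "reject")
```

Rejecting on these keys also blocks legitimate PDFs that use form scripts, and encrypted files or streams using filters other than Flate are not inspected by this check.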

I will admit, I underestimated the little guy from India. Whether it be from sheer force of will or luck, he did find a few things that I'd consider problematic. For his efforts, Parth received 10 Steam keys of his choice. He also requested his LinkedIn be posted, so here it is: https://in.linkedin.com/in/parth-narula-86283821a

-7666