Filippo Valsorda :go: on Nostr: Hypothetically, if an application went out of their way to misuse FilesystemStore by ...
Hypothetically, if an application went out of their way to misuse FilesystemStore by not using its New API and stuffing attacker-controlled data in Session.ID (which is documented as not being safe), they could hit this.
That's *not* what happened to Palo Alto. They wrote their own Store that takes the session ID from a cookie in New without authentication.
Published at 2024-04-17 23:01:47

Event JSON
{
"id": "9a3a3a5480b09a30a630cb471be226d9640274a2a6f11ab4df09843119693a9c",
"pubkey": "75c4441558d260c0ca589ce8fa89fd5052eccf0b09fca823796810a986ad1c8e",
"created_at": 1713394907,
"kind": 1,
"tags": [
[
"e",
"8991c5ef35e9b06b1a770cfb210a00e37393498d6f9e82694da5db315f116e6c",
"wss://relay.mostr.pub",
"reply"
],
[
"proxy",
"https://abyssdomain.expert/users/filippo/statuses/112289048688985535",
"activitypub"
]
],
"content": "Hypothetically, if an application went out of their way to misuse FilesystemStore by not using its New API and stuffing attacker-controlled data in Session.ID (which is documented as not being safe), they could hit this.\n\nThat's *not* what happened to Palo Alto. They wrote their own Store that takes the session ID from a cookie in New without authentication.",
"sig": "2cab5b1f5c4cb7d280393b221a07d9e21566722eb2209a40f498bb7154913c0e50ad4b5c91c7033579f403d925b12197ae87ededb1519dbde57a6a02e0678acb"
}