[FetLife] Specific Payload makes a Users Posts unavailable ($100 USD)
Original Post:
We discussed this vulnerability during Episode 115 on 31 January 2022
An inability to decode the character in a user’s post, leading to HTTP 500 response.
In particular it looks like its coming from whatever code is processing the markdown, will attempt to decode the html entities contained and when that fails, crash. Its a bit of an interesting area because the ability to abuse this for censorship is definitely present. Though its also a pretty loud error, so if it were attacked in the wild it probably wouldn’t last too long.
As an attack though, these sorts of character encoding issues are somewhat interesting to see popup. Some languages like Python really don’t like dealing with unexpected characters and its easy to miss all the places text gets handled so they can crop up in some high impact locations.