Critical Mastodon “TootRoot” Vulnerability Allows Server Hijacking

Mastodon is an open-source, self-hosted social networking service maintained by a non-profit. The platform is similar to Twitter, offers additional features, and is privacy-focused.

It works on a federated model with contributors from all over the world, and its source code is hosted on GitHub.

Mastodon was launched in 2016 by its creator, Eugen Rochko. However, it gained widespread popularity only after Elon Musk's acquisition of Twitter in 2022. The platform has 1.8 million active users, as posted by its creator.

Image: Eugen Rochko posting about 1.8 million active users

Critical “TootRoot” Vulnerability

According to reports, Mastodon has recently fixed five vulnerabilities of critical, high, and moderate severity that posed a potential threat to the platform. The most critical of them, nicknamed “TootRoot”, allows threat actors to create a backdoor on servers by sending crafted media files.

These media files cause the media processing code to create arbitrary files at any location on the server. Threat actors can exploit this to plant a web shell on the server that acts as a backdoor.

Security researcher Kevin Beaumont investigated this vulnerability and posted about its severity. The vulnerability is tracked as CVE-2023-36460.

Image: Kevin Beaumont's post about CVE-2023-36460

Other Vulnerability Patches

In addition to this, four other vulnerabilities were patched, which include:

Blind LDAP injection in login allows the attacker to leak arbitrary attributes from the LDAP database

XSS through oEmbed preview cards

Denial of Service through slow HTTP responses

Verified profile links can be formatted in a misleading way

A few of these were found during penetration testing by the Cure53 team; the penetration test was initiated by Mozilla.

These vulnerabilities must be fixed on the server side, so individual users have no action to take other than checking whether their server has been updated to a patched version.

These vulnerabilities are fixed in Mastodon versions 3.5.9, 4.0.5, and 4.1.3.
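As an added example (not code from the article or from the Mastodon project), the following script shows how an administrator or user can check whether the version an instance reports is at or above the fixed release for its branch. It assumes the `version` field of Mastodon's `/api/v1/instance` response and uses a constructed sample body rather than a live request.

```python
"""Check whether a Mastodon server reports a release containing the TootRoot fix."""
import json
import re

# Oldest release on each maintained branch that contains the fixes (from the article).
FIXED_RELEASES = [(3, 5, 9), (4, 0, 5), (4, 1, 3)]


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch, is_prerelease) from a Mastodon version string.

    Accepts strings such as '4.1.2', '4.1.3+glitch' (fork build metadata) or
    '4.1.3-rc1'; a '-' suffix marks a pre-release, which may predate the fix.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return major, minor, patch, m.group(4).startswith("-")


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its branch.

    Branches newer than the newest fixed branch (e.g. 4.2.x) are assumed to
    carry the fix; older, unlisted branches (e.g. 3.4.x) are treated as unpatched.
    """
    major, minor, patch, prerelease = parse_version(version)
    for fmajor, fminor, fpatch in FIXED_RELEASES:
        if (major, minor) == (fmajor, fminor):
            # A pre-release of the fixed version itself is not trusted to contain the fix.
            return patch > fpatch if prerelease else patch >= fpatch
    newest_major, newest_minor, _ = max(FIXED_RELEASES)
    return (major, minor) > (newest_major, newest_minor)


def version_from_instance_json(body: str) -> str:
    """Extract the 'version' field from a /api/v1/instance response body."""
    return json.loads(body)["version"]


# Constructed sample of a /api/v1/instance response; 'mastodon.example' is a placeholder.
SAMPLE_INSTANCE_JSON = '{"uri": "mastodon.example", "version": "4.1.2"}'

if __name__ == "__main__":
    reported = version_from_instance_json(SAMPLE_INSTANCE_JSON)
    print(f"{reported}: {'patched' if is_patched(reported) else 'NOT patched'}")
```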
