Following a full code audit and penetration test, this version delivers security and performance fixes that patch potential exploits with low-to-medium severity. It is strongly recommended to upgrade to PeepSo 2.3.0 as soon as possible. Gecko Theme 184.108.40.206 is also released alongside.
About a week ago VDE Medical Software shared the results of a penetration test performed by Blue Frost Security for him. The report made us aware of a few small & medium issues and omissions that let the testers perform some unexpected actions in their testing environments. Although the bugs were not extremely severe and the replication of these bugs required pretty specific (and insecure) server setup in some cases, we took the matter very seriously.
We fixed a potential path traversal exploit in Photos by completely removing the “download” feature and the related code. The AJAX endpoint used for the feature did not properly verify input, allowing a potential attacker to access files outside of the photos folder. Following this discovery we also performed a full internal audit of all parameters passed via GET and POST and used to manipulate the file system in any way and as a precaution added a tighter server-side MIME type checking for Audio & Video uploads.
Following a discovery of a few potential SQL injection opportunities related to the sorting parameters, we implemented a new way to pass parameters that can only match a certain set of values (for example
$sort can only be
desc). We also ran a full audit of all parameters passed to SQL queries: changed their type to
int where applicable, forced a set of accepted data is possible and double checked nothing risky is happening otherwise.
Three PeepSo AJAX endpoints had issues with permissions checks – either not performing them properly, or failing to halt the execution after detecting the lack of privileges. A potential attacker could do one of three things to someone else’s profile by exploiting the AJAX calls directly with good knowledge of how APIs work:
- change profile fields
- change preferences
- post ons stream even if theoretically disabled
There was no exposure of critical profile information (e-mails, passwords etc) as these are handled with different logic. Nothing could be changed without proper access rights, which is why this issue was labeled with medium severity.
Disabling Server Side Calls
The administrator is now able to disable link previews if he or she is worried that the users might exploit it to perform Server Side Request Forgery (SSRF). Essentially, when a link is embedded your server calls the target website to gather some information about it. A person with bad intentions can use your server as a proxy to execute scripts or look for exploits in another website by hiding behind your server calls. If you don’t have a high level of trust in your users or the legal situation forces you to have incredibly paranoid security standards, you should consider disabling embeds. If SSRF is worrying you, you should also not use Audio & Video, since embedding media also performs a server-side call and the aforementioned setting does not disable that.
E-mail Domain Whitelists And Blacklists
The UserLimits plugin now allows the administrator to define which e-mail domains are allowed (whitelist) or disallowed (blacklist), giving some rudimentary “first line of defence” filter for new registrations. Unrelated to security, the UserLimits plugin can now also limit the users’ ability to repost based on the same familiar old rules.
Other New Features And Improvements
PeepSo 2.3.0 was built on top of the unreleased code originally planned for 2.2.7, so some new features and improvements made it into 2.3.0 along with the major security effort.
Mentions (Formerly Tags) CSR
To put this into perspective. Average load on our own production server with PeepSo 2.2.7 was oscillating between 0.15 – 0.75. After we started using PeepSo 2.3.0 average load dropped to: 0.10 – 0.65. That’s about 15 – 30% improvement on average. If you’re not really a numbers person, just see the graph below.
Utilising CSR To Build Human Readable Previews
As we move away from server-side parsing, it is increasingly difficult to build a human friendly post preview without all the MarkDown, Mentions, etc. in it. Since our CSR engine has access to the final parsed content, it now passes the final result back to the server to store as a human readable cache (after stripping all HTML). Later we will be able to use these “humanised” previews in OpenGraph tags, notifications previews etc.
Messages UI Redesign
Messages view was something we wanted to change for a long time. We never had a chance to get it done, though. There was always something. Finally, we did manage to squeeze a UI update in this release. It works great not only on desktop view, but also on mobile devices like iPads.
We improved the Two Factor Authentication plugin detection to cover both free and premium versions, fixed PeepSo CSR (Client Side Rendering) interfering with blog titles containing the # character, improved searching of pinned group posts and a few minor visual
Gecko Theme 220.127.116.11
As usual, each PeepSo release is accompanied with a release of our Gecko theme. This release brings you new options per page that allow you to Hide header, Hide header menu & Hide footer. Again, that’s per page, so you’ll see those options in the right column, when editing a particular page. On the new options front, we also added a possibility to: hide header widget under icon on mobile view (Admin > Gecko > General tab).
We managed to also improve PeepSo group colors in Gecko Dark mode as well as fixed a wrong footer position on mobile devices. See the full changelog for both PeepSo and Gecko theme.
Thank you again @peepso_user_16479 for sharing the results of the security audit with us, and helping us build a better and safer product for everyone.
Don’t have the Bundle but you would like to have access to all current and future plugins hassle-free?
Check our offer!