fox@vlemmy.net to Technology@beehaw.org • Be careful. New platforms invite bad actors. (English)
6 · 1 year ago
yup pretty sure
$ cat /etc/passwd
fox:hunter2:1000:1000::/home/fox:/usr/bin/zsh
😉
you don’t need to be root to read /etc/passwd
However, the two Jumpsec Red Team members found that they could go around the restriction by changing the internal and external recipient ID in the POST request of a message, thus fooling the system into treating an external user as an internal one.
so they only do the check on client side. classic.
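The pattern the comment above is pointing at (a recipient restriction that the server does not re-check) is easy to show side by side with the fix. The following Python is an added example, not code from the thread or from the product the quoted article discusses; the user directory, tenant names and request fields are constructed placeholders. The vulnerable handler trusts the internal/external flags the client sends; the hardened one takes the sender from the authenticated session and derives the recipient's status from the server's own directory, so editing the POST body changes nothing.

```python
# Added example (not from the thread): enforcing an "external users may not
# message internal users" rule on the server instead of trusting the client.

# Constructed directory of accounts. In a real deployment this lookup hits
# the identity store; the point is that it is never read from the request.
USER_DIRECTORY = {
    "alice": {"tenant": "corp.example"},      # internal
    "bob": {"tenant": "corp.example"},        # internal
    "mallory": {"tenant": "partner.example"}, # external
    "trent": {"tenant": "partner.example"},   # external
}

HOME_TENANT = "corp.example"  # assumed name of the organisation's own tenant


class Forbidden(Exception):
    """Raised when the server refuses to deliver a message."""


def is_external(user_id):
    """Server-side truth: a user is external if their tenant is not ours."""
    return USER_DIRECTORY[user_id]["tenant"] != HOME_TENANT


def send_message_trusting_client(request):
    """Vulnerable pattern: the server believes whatever the client claims
    about who is internal and who is external. Flipping a flag in the POST
    body is enough to bypass the rule."""
    if request["sender_is_external"] and request["recipient_is_internal"]:
        raise Forbidden("external users may not message internal users")
    return {"from": request["sender_id"], "to": request["recipient_id"],
            "delivered": True}


def send_message_server_checked(authenticated_sender, request):
    """Hardened pattern: the sender identity comes from the authenticated
    session, the recipient's status is looked up server-side, and any
    client-supplied status fields are ignored entirely."""
    recipient_id = request["recipient_id"]
    if recipient_id not in USER_DIRECTORY:
        raise Forbidden("unknown recipient")
    if is_external(authenticated_sender) and not is_external(recipient_id):
        raise Forbidden("external users may not message internal users")
    return {"from": authenticated_sender, "to": recipient_id,
            "delivered": True}


def claimed_status_mismatch(authenticated_sender, request):
    """Detection hook: True when the client's claimed flags disagree with the
    server's view. Worth logging even after the server enforces the rule,
    since a mismatch only arises when someone edited the request."""
    claimed_sender_external = request.get("sender_is_external")
    claimed_recipient_internal = request.get("recipient_is_internal")
    actual_sender_external = is_external(authenticated_sender)
    actual_recipient_internal = not is_external(request["recipient_id"])
    return (claimed_sender_external is not None
            and claimed_sender_external != actual_sender_external) or (
            claimed_recipient_internal is not None
            and claimed_recipient_internal != actual_recipient_internal)


if __name__ == "__main__":
    # Constructed request: an external sender (mallory) rewrites the flags
    # so the client-side rule never triggers.
    tampered = {"sender_id": "mallory", "recipient_id": "alice",
                "sender_is_external": False, "recipient_is_internal": False}
    print(send_message_trusting_client(tampered))            # delivered
    try:
        send_message_server_checked("mallory", tampered)
    except Forbidden as exc:
        print("blocked:", exc)                                 # blocked
    print("mismatch:", claimed_status_mismatch("mallory", tampered))
```

The session-derived sender is the important part: a recipient-ID check alone still lets a client lie about who is sending, which is why the hardened handler never reads `sender_id` from the body.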
there is a page about this on the lemmy docs: https://join-lemmy.org/docs/users/05-censorship-resistance.html