for some context on why 3.8k active users across 27 instances running firefish is a statistic that scares me so much, both as an administrator and as a developer, you must know that there is a publicly known sql injection vulnerability in firefish. this isn't a private issue, this isn't patched, this is a flaw in unmaintained software that could be exploited at any point. the only reason i don't call it a 0-day is because nobody has bothered to exploit it. to be very clear, a hypothetical actor, at any point in time they wished, could collect a list of every vulnerable firefish instance and run a malicious payload against each one. a threat actor could, for instance, open fedidb.com and filter by firefish, write down all the domains, and execute a shell command that blows them up, and perhaps, given that these instances contain publicly exposed personal information, one could argue that it is within your moral imperative, as someone who is capable of bringing this about, to decommission every firefish instance currently operating by force, before someone else weaponizes this to dump your personal information from them. perhaps as well someone could purchase the expired firefish.dev domain and set up a fake registry so that instances that auto-update their container images would automatically implode. perhaps someone could use the XSS vulnerability present in all firefish instances to spearfish admins and make them delete all user accounts. perhaps someone could use the SSRF vulnerability to brute force self-hosters' router passwords and add them to botnets. perhaps someone could create an event in the history of the fediverse that will be remembered for years to come. perhaps someone could take action right now. perhaps
❤️4💜1
1
1
1
1