We need to talk about lack of validation
Developers of Discourse, the popular open source forum software, have patched a security flaw that could result in an attacker achieving remote code execution (RCE) on vulnerable systems.
The problem stems from a validation bug in the upstream aws-sdk-sns gem, which is used by Discourse’s AWS notification webhook handler.
This lack of validation in subscribe_url values makes it possible for an attacker to achieve RCE through malicious requests.
Users are advised to update to Discourse versions 2.7.9 or later, where possible.
As a workaround offering some protection, requests with a path starting /webhooks/aws can be blocked at an upstream proxy, as explained in a security alert posted to GitHub.
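One way to apply the missing check on subscribe_url values before a webhook handler acts on them, shown as an added Ruby example (not code from Discourse or the aws-sdk-sns gem). The host pattern and the helper names validated_subscribe_url and triage_sns_body are assumptions made for illustration; Type and SubscribeURL are the field names used in SNS JSON messages.

```ruby
require "json"
require "uri"

# Assumption for this example: a legitimate confirmation link is an HTTPS URL
# on a regional SNS endpoint of the form sns.<region>.amazonaws.com.
SNS_HOST = /\Asns\.[a-z0-9-]+\.amazonaws\.com\z/

# Returns the parsed URI if the value passes every check, otherwise nil.
def validated_subscribe_url(value)
  return nil unless value.is_a?(String) && value.length.between?(1, 2048)
  return nil if value.match?(/[[:space:][:cntrl:]]/)

  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless uri.is_a?(URI::HTTPS)   # https only; bare strings parse as URI::Generic
  return nil unless uri.userinfo.nil?       # no "trusted-host@other-host" confusion
  return nil unless uri.port == 443
  return nil unless uri.host && SNS_HOST.match?(uri.host.downcase)
  uri
end

# Triage a raw webhook body (hypothetical helper): returns [:confirm, uri],
# [:ignore, nil] for other message types, or [:reject, reason].
def triage_sns_body(raw_body)
  msg = JSON.parse(raw_body)
  return [:reject, "body is not a JSON object"] unless msg.is_a?(Hash)
  return [:ignore, nil] unless msg["Type"] == "SubscriptionConfirmation"

  uri = validated_subscribe_url(msg["SubscribeURL"])
  uri ? [:confirm, uri] : [:reject, "SubscribeURL failed validation"]
rescue JSON::ParserError
  [:reject, "body is not valid JSON"]
end

# Constructed sample bodies, not captured traffic.
SAMPLES = {
  ok:        '{"Type":"SubscriptionConfirmation","SubscribeURL":"https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=constructed"}',
  lookalike: '{"Type":"SubscriptionConfirmation","SubscribeURL":"https://sns.us-east-1.amazonaws.com.example.net/"}',
  not_a_url: '{"Type":"SubscriptionConfirmation","SubscribeURL":"confirm-me"}',
  notice:    '{"Type":"Notification","Message":"hello"}'
}
SAMPLES.each { |name, body| puts "#{name}: #{triage_sns_body(body).first}" }
```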