Plugin repository hijacked

Just rebuilt one of my Discourse forums and when I load it in the browser, the following message shows up in a popup:

You’ve been hacked by a plugin! by w3shi(Hackerone)-S.Lakshmi Vignesh(RCE-POC)

Holy… What is going on? One of the plugins I use was compromised?

1 Like

Any chance you used the migrate password plugin? Or another plugin from the discoursehosting repository?

Looks like this forum was affected too: Am I hacked? or not - Forum Management - Suggestions - DxO Forum

1 Like

Yes, it’s in the list. And the only one from discoursehosting.

I remember that it needs to be active to allow “old” users to login, correct?

But now the question is more if the installation was compromised or if it’s just showing this message. Site is down at the moment to be safe for now.

Along with that plugin, here’s the list of what I’m using:

Just remove anything referring to discoursehosting.

6 Likes

Google Translate of the French forum post:

A pseudo-security researcher retrieved an old Git repository for a plugin used by the forum and hijacked it to simply display this message.

The repository in question (GitHub - discoursehosting/discourse-migratepassword: A touch of security) has been inspected and no malicious code is present (it’s simply a proof of concept).

This repository had actually changed its URL (it is now available at GitHub - communiteq/discourse-migratepassword: Support migrated password hashes) and the user simply recreated the discoursehosting/discourse-migratepassword repository, which previously redirected to communiteq/discourse-migratepassword, to place unrelated code there. We were using the old URL, which is why we were affected.

If that’s true, okay… I changed the url of the plugin to communiteq and am rebuilding at the moment. But I have to look into this more (as I am not a programmer, I can’t be 100% sure).

2 Likes

TL;DR

This is a GitHub vulnerability in an exploit class called “Repojacking”.

We recommend that everyone check their GitHub plugin URLs and rename each and every instance of discoursehosting to communiteq.

Background:

We had to rename our company from Discoursehosting to Communiteq in 2019.
When that happens, GitHub automatically redirects URLs for GitHub repositories to their new location, until someone creates a repository with the same name. At that moment the new repository takes precedence.

GitHub used to mark such repositories as “retired” and prohibited creating a repository with the same name.

A previous exploit is described here. Apparently that fix is no longer effective.

We have filed a GitHub abuse report and will try to take this repository down with all available means.

12 Likes

At this moment the compromised plugin only shows a message and leaves a harmless file in /tmp.
So nothing bad has happened - yet. It is important to change your plugin URL before you rebuild.

5 Likes

Wow, it can catch the end user out easily; one of the main disadvantages of not using discourse.org’s official hosting.

If either of the angusmcleod (Angus McLeod) · GitHub or merefield (Robert) · GitHub accounts ceased to exist, then a first sub-path would be exposed, so there would be a clone command sitting in my app.yml for a rebuild to execute.

1 Like

To mitigate the potential impact for users of the standard install, we’ve added code to detect github.com/discoursehosting/ and abort any rebuilds/upgrades.

The error will look something like:

---
ERROR: The configuration file containers/app.yml contains references to a compromised github organization: github.com/discoursehosting
Please remove any references to this organization from your configuration file.
For more information, see https://meta.discourse.org/t/374703/6
---
21 Likes
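The pre-rebuild check described in the post above, as an added example that is not Discourse’s own launcher code: a small shell script that lists the plugin clone URLs in a containers/app.yml, aborts when any of them points at a known-hijacked GitHub organisation, and rewrites such URLs to the organisation’s current name. The old-to-new mapping (discoursehosting to communiteq), the sample app.yml fragment, and the function names are constructed for this example; it inspects github.com URLs only and matches case-sensitively.

```shell
#!/usr/bin/env bash
# Added example, not Discourse's launcher code: scan containers/app.yml for
# plugin clone URLs that point at a hijacked GitHub organisation and, if
# wanted, rewrite them to the organisation's current name.
#
# Assumptions (constructed for this example): the only mapping is
# discoursehosting -> communiteq, only github.com URLs are inspected, and
# matching is case-sensitive.

# "old_org new_org" per line.
COMPROMISED_ORGS="discoursehosting communiteq"

# Print every URL that app.yml's hooks would pass to "git clone", one per line.
list_plugin_urls() {
  grep -Eo 'git clone[[:space:]]+[^[:space:]]+' "$1" | awk '{ print $3 }'
}

# Return 0 when no clone URL references a compromised org, 1 otherwise,
# printing an error in the spirit of the launcher message quoted above.
check_app_yml() {
  local file="$1" status=0 old new
  while read -r old new; do
    [ -n "$old" ] || continue
    if list_plugin_urls "$file" | grep -q "github\.com/$old/"; then
      echo "ERROR: $file references a compromised github organization: github.com/$old" >&2
      echo "Replace github.com/$old/ with github.com/$new/ before rebuilding." >&2
      status=1
    fi
  done <<EOF
$COMPROMISED_ORGS
EOF
  return "$status"
}

# Rewrite clone URLs so they point at the renamed organisation.
rewrite_compromised_orgs() {
  local file="$1" old new
  while read -r old new; do
    [ -n "$old" ] || continue
    sed "s#github\.com/$old/#github.com/$new/#g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  done <<EOF
$COMPROMISED_ORGS
EOF
}

# Constructed app.yml fragment (not from any real forum), written to a temp
# file so the example runs offline; prints the path.
sample_app_yml() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discoursehosting/discourse-migratepassword.git
EOF
  echo "$f"
}

# Demo: the stale URL is flagged, rewritten, and the check then passes.
demo() {
  local f
  f=$(sample_app_yml)
  if check_app_yml "$f"; then
    echo "no compromised organisations referenced"
  else
    echo "rebuild would be aborted"
  fi
  rewrite_compromised_orgs "$f"
  check_app_yml "$f" && echo "after rewrite: clean"
  list_plugin_urls "$f"
  rm -f "$f"
}
demo
```

Run it against your real containers/app.yml before `./launcher rebuild app`; the mapping list is the only thing to extend when another renamed organisation is recreated. The rewrite fixes the URL text only; it is still worth confirming by hand that the new path is the one the plugin author publishes, since a forwarding URL that currently works can stop forwarding the moment someone recreates the old name.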

Thank you David!

8 Likes