Third-party plugin repository hijacked

Just rebuilt one of my Discourse forums and when I load it in the browser, the following message shows up in a popup:

You’ve been hacked by a plugin! by w3shi(Hackerone)-S.Lakshmi Vignesh(RCE-POC)

Holy… What is going on? One of the plugins I use was compromised?

3 Likes

Any chance you used the migrate password plugin? Or another plugin from the discoursehosting repository?

Looks like this forum was affected too: Am I hacked? or not - Forum Management - Suggestions - DxO Forum

2 Likes

Yes, it’s in the list. And the only one from discoursehosting.

I remember that it needs to be active to allow “old” users to login, correct?

But now the question is more if the installation was compromised or if it’s just showing this message. Site is down at the moment to be safe for now.

Along with that plugin, here’s the list of what I’m using:

just remove anything referring to discoursehosting

9 Likes

Google Translate of the French forum post:

A pseudo-security researcher retrieved an old Git repository for a plugin used by the forum and hijacked it to simply display this message.

The repository in question (GitHub - discoursehosting/discourse-migratepassword: A touch of security) has been inspected and no malicious code is present (it’s simply a proof of concept).

This repository had actually changed its URL (it is now available at GitHub - communiteq/discourse-migratepassword: Support migrated password hashes) and the user simply recreated the discoursehosting/discourse-migratepassword repository, which previously redirected to communiteq/discourse-migratepassword, to place unrelated code there. We were using the old URL, which is why we were affected.

If that’s true, okay… I changed the url of the plugin to communiteq and am rebuilding at the moment. But I have to look into this more (as I am not a programmer, I can’t be 100% sure).

5 Likes

TL;DR

This is a Github vulnerability in an exploit class called “Repojacking”.

We recommend that everyone check their Github plugin URLs and rename each and every instance of discoursehosting to communiteq.

Background:

We had to rename our company from Discoursehosting to Communiteq in 2019.
If that happens, Github automatically redirects URLs to github repositories to their new location, until someone creates a repository with the same name. At that moment the new repository will take preference.

Github used to mark such repositories as “retired” and prohibited creating a repository with the same name.

A previous exploit is described here. Apparently that fix is no longer effective.

We have filed a Github abuse report and will try to take this repository down with all available means.

16 Likes

At this moment the compromised plugin only shows a message and leaves a harmless file in /tmp.
So nothing bad has happened - yet. It is important to change your plugin URL before you rebuild.

7 Likes

Wow, it can catch the end user out easily, one of the main disadvantages of not using discourse.org official hosting.

If either of the angusmcleod (Angus McLeod) · GitHub or merefield (Robert) · GitHub accounts ceased to exist, then a first sub-path would be exposed, so there would be a clone command sitting in my app.yml for a rebuild to execute.

3 Likes

To mitigate the potential impact for users of the standard install, we’ve added code to detect github.com/discoursehosting/ and abort any rebuilds/upgrades.

The error will look something like

---
ERROR: The configuration file containers/app.yml contains references to a compromised github organization: github.com/discoursehosting
Please remove any references to this organization from your configuration file.
For more information, see https://meta.discourse.org/t/374703/6
---
31 Likes
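The preflight check described above, written up as an added example (not the Discourse launcher’s own code): it scans the plugin clone lines of a constructed app.yml for a GitHub organization whose namespace has been retaken, refuses the rebuild, and proposes the renamed URL (discoursehosting to communiteq, as recommended in the thread). The sample app.yml and the COMPROMISED_ORGS / KNOWN_RENAMES tables are assumptions for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the relevant part of a Discourse containers/app.yml
# (not a real site's file): plugins are installed by git clone lines under
# hooks.after_code.
SAMPLE_APP_YML = """
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discoursehosting/discourse-migratepassword.git
          - git clone https://github.com/communiteq/discourse-cakeday.git
"""

# Organizations whose old GitHub namespace has been re-registered by a third party.
COMPROMISED_ORGS = {"discoursehosting"}

# Known renames: the old-to-new redirect is exactly what repojacking breaks,
# so the URL must be corrected at its source instead of relying on GitHub.
KNOWN_RENAMES = {"discoursehosting": "communiteq"}

CLONE_RE = re.compile(
    r"git\s+clone\s+(?:-b\s+\S+\s+)?(https?://github\.com/([^/\s]+)/([^/\s]+?))(?:\.git)?(?:\s|$)"
)

def find_clone_urls(app_yml: str) -> List[Tuple[str, str, str]]:
    """Return (url, org, repo) for every GitHub clone line in app.yml."""
    return [(m.group(1), m.group(2), m.group(3)) for m in CLONE_RE.finditer(app_yml)]

def audit_plugins(app_yml: str) -> Dict[str, str]:
    """Map each clone URL under a compromised org to the URL it should use instead."""
    fixes = {}
    for url, org, repo in find_clone_urls(app_yml):
        if org.lower() in COMPROMISED_ORGS:
            new_org = KNOWN_RENAMES.get(org.lower(), f"<REPLACE-{org}>")
            fixes[url] = f"https://github.com/{new_org}/{repo}"
    return fixes

def preflight(app_yml: str) -> bool:
    """Launcher-style abort: False (after printing a report) if any bad URL is present."""
    fixes = audit_plugins(app_yml)
    for old, new in fixes.items():
        print(f"ERROR: {old} references a compromised github organization; use {new}")
    return not fixes

if __name__ == "__main__":
    raise SystemExit(0 if preflight(SAMPLE_APP_YML) else 1)
```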

Thank you David!

11 Likes

Hello Discourse community,

I want to sincerely apologize for the disruption caused by my actions regarding the plugin repository. In attempting to highlight a security issue, I made serious mistakes that violated the code of conduct.

Going forward, I will ensure my actions adhere to responsible disclosure practices and I appreciate the opportunity to learn from this.

Again, I am truly sorry for the disruption caused.

@w3shi

18 Likes

Thank you for your apologies.

The next not-so-responsible thing was not reaching out to me or CDCK privately when you gave up the handle, because in the past three hours, someone else could have seen your post and registered it.

I have now regained control over the old Github handle. And thank you for doing the right thing eventually, and for pointing out that Github does not protect redirects anymore for the fifth time (last time was the fourth time: “This discovery marks the fourth time an alternate method has been identified for performing Repojacking”)

I suggest you approach Github and collect your bounty!

10 Likes

I sincerely apologize for all the inconvenience caused! And thank you for your understanding @RGJ!

10 Likes

Welcome to the community and thank you for fixing everything up.

8 Likes

You should basically assume that nothing is safe, which doesn’t work well either.

Just a few days ago it came to light that one of the developers behind some ESLint Prettier package’s NPM account was compromised and they published new compromised versions of some popular packages:

These packages were then referenced in other packages, because many claim that you should always update to the latest versions.

After I saw this thread I suggested a feature to introduce signature validation of plugins/theme components while updating them: Plugin and theme component signing

That would not stop a compromised key, but at least make part of the supply chain more trustworthy. In the end it is still possible that compromised third party libraries are pulled in. Additional dependencies are not really visible.

3 Likes