נפרצת על ידי תוסף

זה עתה בניתי מחדש אחד מפורומי ה-Discourse שלי וכאשר אני טוען אותו בדפדפן, ההודעה הבאה מופיעה בחלון קופץ:

נפרצת על ידי תוסף! מאת w3shi(Hackerone)-S.Lakshmi Vignesh(RCE-POC)

קדוש… מה קורה? אחד התוספים שאני משתמש בהם נפרץ?

Any chance you used the migrate password plugin? Or another plugin from the discoursehosting repository?

Looks like this forum was affected too Am I hacked? or not - Forum Management - Suggestions - DxO Forum

Yes, it’s in the list. And the only one from discoursehosting.

I remember that it needs to be active to allow “old” users to login, correct?

But now the question is more if the installation was compromised or if it’s just showing this message. Site is down at the moment to be safe for now.

Along with that plugin, here’s the list what I’m using:

• GitHub - discourse/docker_manager: Plugin for use with discourse docker image
• GitHub - discourse/discourse-adplugin: Official Discourse Advertising Plugin. Install & Start Serving Ads on Your Discourse Forum
• GitHub - discourse/discourse-affiliate
• GitHub - discourse/discourse-ai
• GitHub - discourse/discourse-akismet: give spam a whoopin
• GitHub - pfaffman/discourse-allow-pm-to-staff: Allow private messages to be sent to staff for users who could otherwise not send private messages.
• GitHub - discourse/discourse-animated-avatars: A plugin to add gif avatars in Discourse
• GitHub - discourse/discourse-authentication-validations
• GitHub - discourse/discourse-auto-deactivate: This plugin will automatically deactivate stale users so that they need to recomfirm their email in order to login in again
• GitHub - discourse/discourse-bbcode: vBulletin BBCode plugin
• GitHub - discourse/discourse-bcc: Allows staff members to send individual PMs to many users at once (like email BCC)
• GitHub - discourse/discourse-cakeday: Show a birthday cake emoji beside the names of members on their join anniversary, or their actual birthday -- and a browsable directory of upcoming anniversaries / birthdays.
• GitHub - discourse/discourse-characters-required: Display how many characters are required before a post be made
• GitHub - discourse/discourse-fingerprint: A plugin that computes user fingerprints to help administrators combat internet trolls.
• GitHub - discourse/discourse-follow: A Discourse plugin that lets you follow other users.
• GitHub - LeoDavidson/discourse-forcemoderation: Discourse plugin to force posts by specified usernames through moderation.
• GitHub - discourse/discourse-docs
• GitHub - communiteq/discourse-legal-compliance
• GitHub - merefield/discourse-locations: Tools for handling locations in Discourse
• https://github.com/discoursehosting/discourse-migratepassword.git
• GitHub - discourse/discourse-policy
• GitHub - paviliondev/discourse-post-badges-plugin
• GitHub - communiteq/discourse-private-topics
• https://github.com/discourse/discourse-push-notifications.git
• GitHub - featheredtoast/discourse-pushover-notifications: Pushover notifications for Discourse
• GitHub - discourse/discourse-restricted-replies: Plugin to restrict replies in a category to the OP, and members of a specified group
• GitHub - discourse/discourse-saved-searches: Allow users to save searches and be notified of new results.
• GitHub - discourse/discourse-shared-edits: Shared edits for Discourse
• GitHub - discourse/discourse-signatures: A Discourse Plugin to show user signatures below posts
• GitHub - discourse/discourse-solved: Allow accepted answers on topics
• GitHub - discourse/discourse-staff-alias: Allow staff users to post under an alias
• GitHub - discourse/discourse-steam-login: Allows user authentication with discourse via the Steam user API
• GitHub - singerscreations/discourse-stopforumspam
• GitHub - discourse/discourse-styleguide: Adds a styleguide to Discourse to aid in styling
• GitHub - davidtaylorhq/discourse-telegram-notifications: A plugin for Discourse which allows users to receive their notifications by telegram message
• GitHub - discourse/discourse-templates: A plugin that allows users to use templates to insert frequently used content
• GitHub - discourse/discourse-tooltips: Show tooltips around Discourse on hover, including topic previews
• GitHub - jannolii/discourse-topic-trade-buttons
• GitHub - discourse/discourse-topic-voting: Adds the ability for voting on a topic within a specified category in Discourse.
• GitHub - discourse/discourse-translator
• GitHub - discourse/discourse-user-field-prompt
• GitHub - communiteq/discourse-user-response-times
• GitHub - discourse/discourse-whos-online: A plugin for Discourse which uses the messagebus to display a live list of active users
• GitHub - discourse/discourse-yearly-review: Publishes an automated Year in Review topic

פשוט הסר כל דבר המתייחס ל-discoursehosting

תרגום Google לפוסט בפורום הצרפתי:

חוקר פסאודו-אבטחה אסף מאגר Git ישן עבור תוסף ששימש את הפורום וחטף אותו כדי להציג פשוט את ההודעה הזו.

המאגר הנדון (GitHub - discoursehosting/discourse-migratepassword: A touch of security) נבדק ולא נמצא בו קוד זדוני (זה פשוט הוכחת מושג).

מאגר זה שינה למעשה את כתובת ה-URL שלו (הוא זמין כעת ב-GitHub - communiteq/discourse-migratepassword: Support migrated password hashes) והמשתמש פשוט יצר מחדש את מאגר discoursehosting/discourse-migratepassword, אשר הפנה בעבר ל-communiteq/discourse-migratepassword, כדי למקם שם קוד לא קשור. השתמשנו בכתובת ה-URL הישנה, ולכן הושפענו.

אם זה נכון, בסדר… שיניתי את כתובת ה-URL של התוסף ל-communiteq ואני בונה מחדש כרגע. אבל אני צריך לבדוק את זה יותר (מכיוון שאני לא מתכנת, אני לא יכול להיות בטוח ב-100%).

TL;DR

This is a Github vulnerability in an exploit class called “Repojacking”.

We recommend everyone to check their Github plugin URLs and rename each and every instance of discoursehosting to communiteq

Background:

We had to rename our company from Discoursehosting to Communiteq in 2019.
If that happens, Github automatically redirects URLs to github repositories to their new location, until someone creates a repository with the same name. At that moment the new repository will take preference.

Github used to mark such repositories as “retired” and prohibited creating a repository with the same name.

A previous exploit is described here. Apparently that fix is no longer effective.

We have filed a Github abuse report and will try to take this repository down with all available means.

At this moment the compromised plugin only shows a message and leaves a harmless file in /tmp.
So nothing bad has happened - yet. It is important to change your plugin URL before you rebuild.

wow it can catch the end user out easily, one of the main disadvantages of not using discourse.org official hosting.

If either

angusmcleod (Angus McLeod) · GitHub or merefield (Robert) · GitHub

accounts ceased to exist

then a first sub-path would be exposed, so there would be a clone command sitting in my app.yml for a rebuild to execute

To mitigate the potential impact for users of the standard install, we’ve added code to detect github.com/discoursehosting/ and abort any rebuilds/upgrades.

• Fail rebuild for config files containing compromised github organisat… · discourse/discourse_docker@7889fe3 · GitHub

• Fail rebuild for config files containing compromised github organisat… · discourse/docker_manager@f568625 · GitHub

The error will look something like

---
ERROR: The configuration file containers/app.yml contains references to a compromised github organization: github.com/discoursehosting
Please remove any references to this organization from your configuration file.
For more information, see https://meta.discourse.org/t/374703/6
---

Thank you David!

קהילת Discourse שלום,

אני רוצה להתנצל בכנות על השיבוש שנגרם על ידי פעולותיי בנוגע למאגר התוספים. בניסיון להדגיש בעיית אבטחה, עשיתי טעויות חמורות שהפרו את קוד ההתנהגות.

להלן, אוודא שפעולותיי יעמדו בנהלי גילוי אחראי ואני מעריך את ההזדמנות ללמוד מכך.

שוב, אני באמת מצטער על השיבוש שנגרם.

@w3shi

Thank you for your apologies.

_{The next not-so responsible thing was not reaching out to me or CDCK privately when you gave up the handle, because in the past three hours, someone else could have seen your post and registered it.}

I have now regained control over the old Github handle. And thank you for doing the right thing eventually, and for pointing out that Github does not protect redirects anymore for the fifth time (last time was the fourth time: “This discovery marks the fourth time an alternate method has been identified for performing Repojacking”)

I suggest you approach Github and collect your bounty!

אני מתנצל עמוקות על כל אי הנוחות שנגרמה! ותודה על ההבנה @RGJ !.

ברוכים הבאים לקהילה ותודה על התיקון של הכל.

You should basically assume that nothing is safe, which doesn’t work well either.

Just a few days ago it came to light that one of the developers behind some ESLint Prettier package’s NPM account was compromised and they published new compromised versions of some popular packages:

These packages were then referenced in other packages, because many claim that you should always update to the latest versions.

After I saw this thread I suggested a feature to introduce signature validation of plugins/theme components while updating them: Plugin and theme component signing

That would not stop a compromised key, but at least make part of the supply chain more trustworthy. In the end it is still possible that compromised third party libraries are pulled in. Additional dependencies are not really visible.

I’m not sure this still works. I had a plugin pointing to the compromised github URL and the error message during rebuild just said it failed to pull the repository, with some further detail about a gem version or something. (Can’t paste the exact info as it’s too far back in my scrollback from all the other noise during subsequent builds.)

Looks like the URL/repository doesn’t exist at all now, which is good (at least until someone else re-creates it) but the error message would’ve saved a lot of time.

אכן, @RGJ חזר כעת לשליטה בארגון ה-github, ולכן הסרנו את הודעת השגיאה הזמנית.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.