Third-party plugin repository hijacked

I just rebuilt one of my Discourse forums and when I load it in the browser, the following message appears in a pop-up:

You have been hacked by a plugin! by w3shi(Hackerone)-S.Lakshmi Vignesh(RCE-POC)

Holy… What is going on? Has one of the plugins I use been compromised?

3 likes

Any chance you used the migrate password plugin? Or another plugin from the discoursehosting repository?

Looks like this forum was affected too: Am I hacked? or not - Forum Management - Suggestions - DxO Forum

2 likes

Yes, it’s in the list. And the only one from discoursehosting.

I remember that it needs to be active to allow “old” users to login, correct?

But now the question is more if the installation was compromised or if it’s just showing this message. Site is down at the moment to be safe for now.

Along with that plugin, here’s the list of what I’m using:

Remove everything that refers to discoursehosting.

9 likes

Google Translate of the French forum:

A pseudo security researcher retrieved and hijacked an old Git repository of a plugin used by the forum, simply to display this message.

The repository in question (GitHub - discoursehosting/discourse-migratepassword: A touch of security) has been inspected and no malicious code is present (it is simply a proof of concept).

This repository had actually changed its URL (it is now available at GitHub - communiteq/discourse-migratepassword: Support migrated password hashes) and the user simply re-created the discoursehosting/discourse-migratepassword repository, which previously redirected to communiteq/discourse-migratepassword, in order to put unrelated code there. We were using the old URL, which is why we were affected.

If that is true, okay… I have changed the plugin URL to communiteq and am currently rebuilding. But I still need to investigate this further (since I am not a programmer, I cannot be 100% sure).

5 likes

TL;DR

This is a Github vulnerability in an exploit class called “Repojacking”.

We recommend that everyone check their Github plugin URLs and rename each and every instance of discoursehosting to communiteq.

Background:

We had to rename our company from Discoursehosting to Communiteq in 2019.
If that happens, Github automatically redirects URLs to github repositories to their new location, until someone creates a repository with the same name. At that moment the new repository will take preference.

Github used to mark such repositories as “retired” and prohibited creating a repository with the same name.

A previous exploit is described here. Apparently that fix is no longer effective.

We have filed a Github abuse report and will try to take this repository down with all available means.

16 likes

At this moment the compromised plugin only shows a message and leaves a harmless file in /tmp.
So nothing bad has happened - yet. It is important to change your plugin URL before you rebuild.

7 likes

Wow, it can catch the end user out easily; one of the main disadvantages of not using discourse.org official hosting.

If either of the angusmcleod (Angus McLeod) · GitHub or merefield (Robert) · GitHub accounts ceased to exist, then a first sub-path would be exposed, so there would be a clone command sitting in my app.yml for a rebuild to execute.

3 likes

To mitigate the potential impact for users of the standard install, we’ve added code to detect github.com/discoursehosting/ and abort any rebuilds/upgrades.

The error will look something like:

---
ERROR: The configuration file containers/app.yml contains references to a compromised github organization: github.com/discoursehosting
Please remove any references to this organization from your configuration file.
For more information, see https://meta.discourse.org/t/374703/6
---
31 likes
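The check David describes above, together with RGJ’s recommendation to rename every discoursehosting plugin URL to communiteq, as an added Ruby example; this is not Discourse’s own launcher code. It parses a constructed fragment of containers/app.yml, lists the git clone URLs in the after_code hook, flags any whose GitHub organisation is in a map of retired organisation names, builds the abort message quoted above, and rewrites the URLs to the new organisation. The RETIRED_ORGS map, the function names and the sample configuration are assumptions; only the discoursehosting → communiteq pair and the wording of the error come from this thread.

```ruby
require 'yaml'

# Organisations that were renamed on GitHub. The old name is the one a third
# party could re-register and so take over the redirect ("repojacking").
# Only the pair from this thread is real; the map itself is an assumption.
RETIRED_ORGS = { 'discoursehosting' => 'communiteq' }.freeze

# Constructed sample of the plugin section of containers/app.yml (not a real config).
SAMPLE_APP_YML = <<~YAML
  hooks:
    after_code:
      - exec:
          cd: $home/plugins
          cmd:
            - git clone https://github.com/discourse/docker_manager.git
            - git clone https://github.com/discoursehosting/discourse-migratepassword.git
            - git clone https://github.com/example-org/example-plugin.git
YAML

GITHUB_URL = %r{\Ahttps?://github\.com/([^/\s]+)/([^/\s]+?)(?:\.git)?/?\z}

# Every "git clone <url>" command found in the after_code hook.
def plugin_clone_urls(yaml_text)
  config = YAML.safe_load(yaml_text)
  hooks = config.fetch('hooks', {}).fetch('after_code', [])
  hooks.flat_map do |hook|
    next [] unless hook.is_a?(Hash)
    Array(hook.dig('exec', 'cmd')).filter_map { |cmd| cmd[%r{git clone\s+(\S+)}, 1] }
  end
end

# Split a GitHub HTTPS URL into [organisation, repository]; nil for anything else.
def github_owner_and_repo(url)
  m = GITHUB_URL.match(url)
  m && [m[1], m[2]]
end

# Findings for every clone URL that still points at a retired organisation,
# each with the replacement URL under the current organisation name.
def audit_plugin_urls(yaml_text)
  plugin_clone_urls(yaml_text).filter_map do |url|
    org, repo = github_owner_and_repo(url)
    next unless org && RETIRED_ORGS.key?(org.downcase)
    { url: url, org: org,
      replacement: "https://github.com/#{RETIRED_ORGS[org.downcase]}/#{repo}.git" }
  end
end

# The message a rebuild should abort with (nil when the config is clean).
def check_or_abort_message(yaml_text, path = 'containers/app.yml')
  findings = audit_plugin_urls(yaml_text)
  return nil if findings.empty?
  orgs = findings.map { |f| "github.com/#{f[:org]}" }.uniq
  "ERROR: The configuration file #{path} contains references to a compromised " \
    "github organization: #{orgs.join(', ')}"
end

# Textual rewrite of the config so that every retired organisation is replaced;
# the caller writes the result back to app.yml before rebuilding.
def rewrite_retired_orgs(yaml_text)
  RETIRED_ORGS.reduce(yaml_text) do |text, (old, new)|
    text.gsub(%r{github\.com/#{Regexp.escape(old)}/}i, "github.com/#{new}/")
  end
end

if $PROGRAM_NAME == __FILE__
  msg = check_or_abort_message(SAMPLE_APP_YML)
  if msg
    puts msg
    audit_plugin_urls(SAMPLE_APP_YML).each { |f| puts "  #{f[:url]} -> #{f[:replacement]}" }
    puts 'Please remove any references to this organization from your configuration file.'
  else
    puts 'No retired organisations referenced.'
  end
end
```

Run against a real app.yml by reading the file into `check_or_abort_message`; a non-nil result is the signal to stop the rebuild, and `rewrite_retired_orgs` gives the corrected text to write back, which, as noted in the thread, has to happen before the next rebuild rather than after it.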

Thank you David!

13 likes

Hello Discourse community,

I want to sincerely apologise for the disruption caused by my actions regarding the plugin repository. In trying to highlight a security issue, I made serious mistakes that violated the code of conduct.

Going forward, I will make sure that my actions comply with responsible disclosure practices, and I appreciate the opportunity to learn from this.

Once again, I am truly sorry for the disruption caused.

@w3shi

20 likes

Thank you for your apologies.

The next not-so responsible thing was not reaching out to me or CDCK privately when you gave up the handle, because in the past three hours, someone else could have seen your post and registered it.

I have now regained control over the old Github handle. And thank you for doing the right thing eventually, and for pointing out that Github does not protect redirects anymore for the fifth time (last time was the fourth time: “This discovery marks the fourth time an alternate method has been identified for performing Repojacking”).

I suggest you approach Github and collect your bounty!

12 likes

My sincere apologies for all the inconvenience caused! And thank you for your understanding @RGJ!

12 likes

Welcome to the community and thank you for sorting everything out.

9 likes

You should basically assume that nothing is safe, which doesn’t work well either.

Just a few days ago it came to light that the NPM account of one of the developers behind some ESLint Prettier packages was compromised, and they published new compromised versions of some popular packages:

These packages were then referenced in other packages, because many claim that you should always update to the latest versions.

After I saw this thread I suggested a feature to introduce signature validation of plugins/theme components while updating them: Plugin and theme component signing

That would not stop a compromised key, but at least make part of the supply chain more trustworthy. In the end it is still possible that compromised third party libraries are pulled in. Additional dependencies are not really visible.

4 likes
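What the signature validation proposed in this post would and would not catch, as an added Ruby example that is not part of the thread or of any Discourse feature. A maintainer signs a small manifest naming the canonical repository URL and the exact commit being released; the installer verifies it against a public key the site admin pinned beforehand, and only then checks out that commit. The repojacked repository and an edited manifest are rejected, while a manifest signed with a stolen maintainer key is accepted, which is the limitation the post points out. The manifest format, the RSA/SHA-256 choice, the function names and the commit values are assumptions (the commits are constructed, not real).

```ruby
require 'openssl'
require 'json'

# Maintainer side: sign a manifest naming the canonical repository and the
# exact commit being released. Field order is fixed so the JSON is reproducible.
def sign_manifest(private_key, repository:, commit:)
  payload = JSON.generate({ 'repository' => repository, 'commit' => commit })
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), payload)
  { 'payload' => payload, 'signature' => [signature].pack('m0') }  # base64, no newlines
end

# Installer side: verify against a public key pinned by the site admin in
# advance, never one fetched from the repository that is being checked.
def verify_manifest(trusted_public_pem, signed)
  pub = OpenSSL::PKey::RSA.new(trusted_public_pem)
  sig = signed['signature'].unpack1('m0')
  return nil unless pub.verify(OpenSSL::Digest.new('SHA256'), sig, signed['payload'])
  JSON.parse(signed['payload'])
end

# A checkout may proceed only if the signature verifies AND the manifest
# describes the repository and commit that are actually about to be installed.
def checkout_allowed?(trusted_public_pem, signed, repository:, commit:)
  manifest = verify_manifest(trusted_public_pem, signed)
  return false if manifest.nil?
  manifest['repository'] == repository && manifest['commit'] == commit
end

# The scenarios from this thread; returns a Hash of outcomes.
def demo
  maintainer = OpenSSL::PKey::RSA.new(2048)
  attacker   = OpenSSL::PKey::RSA.new(2048)
  trusted_pem = maintainer.public_key.to_pem

  canonical = 'https://github.com/communiteq/discourse-migratepassword.git'
  retired   = 'https://github.com/discoursehosting/discourse-migratepassword.git'
  good_commit = 'c0ffee' + '0' * 34  # constructed placeholder, not a real commit
  evil_commit = 'bad' + '0' * 37     # constructed placeholder, not a real commit

  good = sign_manifest(maintainer, repository: canonical, commit: good_commit)
  # Re-registered organisation: the hijacker can only sign with their own key.
  hijacked = sign_manifest(attacker, repository: retired, commit: evil_commit)
  # Valid signature but edited payload: points the installer at another commit.
  tampered = good.merge('payload' => good['payload'].sub(good_commit, evil_commit))
  # Stolen maintainer key: signing offers no protection here.
  stolen_key = sign_manifest(maintainer, repository: canonical, commit: evil_commit)

  {
    legitimate: checkout_allowed?(trusted_pem, good, repository: canonical, commit: good_commit),
    repojacked: checkout_allowed?(trusted_pem, hijacked, repository: retired, commit: evil_commit),
    tampered:   checkout_allowed?(trusted_pem, tampered, repository: canonical, commit: evil_commit),
    stolen_key: checkout_allowed?(trusted_pem, stolen_key, repository: canonical, commit: evil_commit)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The repository URL is part of the signed manifest on purpose: a clone URL that still points at the retired organisation fails the comparison even if a copy of the legitimate signed manifest is served from the re-registered repository, so the check covers the case in this thread as well as a modified commit.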

I’m not sure this still works. I had a plugin pointing to the compromised github URL and the error message during rebuild just said it failed to pull the repository, with some further detail about a gem version or something. (Can’t paste the exact info as it’s too far back in my scrollback from all the other noise during subsequent builds.)

Looks like the URL/repository doesn’t exist at all now, which is good (at least until someone else re-creates it) but the error message would’ve saved a lot of time.

1 like

Indeed, @RGJ has now regained control of the github organisation, so we have removed the temporary error message.

5 likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.