source:
https://github.com/holo-gfx/mangadex/
from 4chan
Discussion 1
https://github.com/holo-gfx/mangadex/blob/b82f99b3ad0ce6312d673aebdfb3883320b2eb46/src/Model/Guard.php#L213
This is how they compromised staff accounts.
Mangadex, like the bunch of retards they are, store session tokens as sha256 hashes and use them for session tokens.
Literal fucking retards
why is this dumb?
the readme says it was a PHP RCE
You only need DB access to be able to "login" as every account on the site, so what likely happened was that the attacker compromised one of their DB servers and got DB access, then dumped and used the admin session tokens to log in as one of the admins.
Aka all user sessions are currently compromised and they could mass change passwords.
so tokens should be stored in web server memory or something?
They shouldn't be stored at all in the first place.
You can generate and verify them with public/private encryption and you only need to keep a reference to them in the db for session invalidation.
They should also have a short expiry and be refreshed on a regular basis to keep them constantly rotating.
Discussion 2
https://github.com/holo-gfx/mangadex/blob/b82f99b3ad0ce6312d673aebdfb3883320b2eb46/ajax/actions/chapters.actions.req.php#L765
No validation of whether a file within an uploaded zip is actually an image file. It was just validating the file extension. That's pretty stupid. Their zip uploading process basically allowed anyone to take a PHP file, rename it as an image, zip it and upload it without any issue.
P.S. Uploaded for educational purposes and as a backup before it gets deleted by GitHub (maybe).
use at your own risk
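The upload check Discussion 2 says was missing, written as an added example (not code from the mangadex repository): every entry of the zip is accepted only when both its extension and its leading bytes identify an image, and entry names that could escape the extraction directory are rejected. The signatures, the sample zip and the filenames are constructed for this example.

```python
import io
import zipfile

# Leading-byte signatures for the image types an upload zip may contain.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def sniff_image_type(header: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, magic in IMAGE_SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def check_zip_entries(zip_bytes: bytes):
    """Classify each entry as 'ok' or 'rejected: <reason>'.

    The extension is never trusted on its own: the entry's content must
    also start with a known image signature. Directory entries and names
    containing path separators or '..' are rejected as well.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or "/" in name or "\\" in name or name.startswith(".."):
                results[name] = "rejected: unsafe or directory name"
                continue
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in ALLOWED_EXTENSIONS:
                results[name] = "rejected: extension not allowed"
                continue
            with zf.open(info) as fh:
                header = fh.read(16)  # enough for every signature above
            if sniff_image_type(header) is None:
                results[name] = "rejected: content is not an image"
                continue
            results[name] = "ok"
    return results


def build_sample_zip() -> bytes:
    """Constructed sample: a real PNG header, a PHP script renamed .jpg, a traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("001.png", IMAGE_SIGNATURES["png"] + b"\x00" * 8)
        zf.writestr("002.jpg", b"<?php echo 'not an image'; ?>")
        zf.writestr("../003.png", IMAGE_SIGNATURES["png"])
    return buf.getvalue()
```

A signature check is necessary but not sufficient: uploaded files should also be stored under server-assigned names in a location where the web server never executes scripts.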
Comments - 12
Astral
Nice.
Interruptor
lol doki does not disappoint
UselessBoy
lmao.
Ingenioussubs
lel
twi
posting in epic thread
Igoor
I love to hoard leaked source codes, thx
StazCherryBlood
epiko
gzpz
https://github.com/holo-gfx/mangadex/archive/main.tar.gz
https://github.com/holo-gfx/mangadex/archive/main.zip
CheekyKoala
This is a bit disingenuous. Client-side signed session tokens wouldn’t have saved them here; the PHP RCE would have just as well given them access to some secret key that the web application uses for signing session tokens, which would’ve meant an attacker could’ve forged their own session tokens (unless I misunderstand HMAC. The RCE would also have made it trivial to listen to authenticated requests and just grab the sessions that way). Besides, if they had access to the DB, they essentially already could do anything you can do through the website’s interface anyway, and much more. There are a few massive oofs they did though:
CheekyKoala
Ok, it’s starting to sound more and more like the attacker compromised some old copy of the database inadvertently left running on an old server, in which case the parts about snooping requests or changing the DB don’t apply, but I think they could still forge sessions with the secret key if client-side sessions were used (and probably have ways to pivot onto the new server, e.g. through ssh keys used for transferring stuff over, particularly if they’re passwordless ones for automated backups).
Sounds like either that’s what they did or yet another RCE is in the up-to-date codebase, with the immediate re-hack after rotated sessions.
Neeichi
ishygddt
Interruptor
Cheekykoala, use your extensive knowledge of The Code, contact Holo and save mangadex from themselves. I need to read The End Of Goldfish Kingdom; I have no time for these downtimes.