source:
https://github.com/holo-gfx/mangadex/
from 4chan
Discussion 1
```
https://github.com/holo-gfx/mangadex/blob/b82f99b3ad0ce6312d673aebdfb3883320b2eb46/src/Model/Guard.php#L213
This is how they compromised staff accounts.
Mangadex like the bunch of retards they are store session tokens as sha256 hashes and use them for session tokens.
Literal fucking retards
```
```
why is this dumb?
the readme says it was a PHP RCE
```
```
You only need DB access to be able to "" as every account on the site so what likely happened was that the attacker compromised one of their db servers and got db access then dumped and used the admin session tokens to as one of the admins.
Aka all user sessions are currently compromised and they could mass change passwords.
```
```
so tokens should be stored in web server memory or something?
```
```
They shouldn't be stored at all in the first place.
You can generate and verify them with public/private encryption and you only need to keep a reference to them in the db for session invalidation.
They should also have a short expiry and be refreshed on a regular basis to keep them constantly rotating.
```
Discussion 2
```
https://github.com/holo-gfx/mangadex/blob/b82f99b3ad0ce6312d673aebdfb3883320b2eb46/ajax/actions/chapters.actions.req.php#L765
No validation against if a file within an upload zip file is actually an image file. Was just doing a validation against the file extension. That's pretty stupid. Their zip uploading process basically allowed anyone to take a php file and rename it as an image, zip it and upload it without any issue.
```
P.S uploaded for education purposes and backup before deleted by github (maybe)
use at your own risk
> They shouldn't be stored at all in the first place.
This is a bit disingenuous. Client-side signed session tokens wouldn't have saved them here; the PHP RCE would have just as well given them access to some secret key that the web application uses for signing session tokens, which would've meant an attacker could've forged their own session tokens (unless I misunderstand HMAC. The RCE would also made it trivial to listen to authenticated requests and just grab the sessions that way). Besides, if they had access to the DB, they essentially already could do anything you can do through the website's interface anyway, and much more. There are a few massive oofs they did though:
- never rotating sessions (rightfully pointed out in the posts). This is ultimately not what brought them down, it just means they have something that functions like a plaintext password stored in the DB. Was the compromise kept more quiet, they would've been quite useful.
- happily writing user-provided files with executable permissions. A popular way to pwn phpBB2 forums back in the day was to abuse people setting their upload directories to chmod 777, which meant any PHP you managed to get into there somehow would be executed if you requested its url.
- not checking mimetypes (also rightfully pointed out in the posts)
- using PHP and its fucked ecosystem, which leads to issues like having an HTTP request execute new code you placed wherever.
- having their PHP configured so that it will execute files of any extension as php, but honestly if you even let anyone get that far you're already in ultra spicy territory
Ok it's starting to sound more and more like the attacker compromised some old copy of the database inadvertently left running on an old server, in which case the parts about snooping requests or changing the DB don't apply, but I think they could still forge sessions with the secret key if client-side sessions were used (and probably have ways to pivot onto the new server e.g. through ssh keys used for transferring stuff over, particularly if they're passwordless ones for automated backups)
Sounds like either that's what they did or yet another RCE is in the up-to-date codebase, with the immediate re-hack after rotated sessions.
Cheekykoala use your extensive knowledge of The Code, contact Holo and save mangadex from themselves. I need to read The End Of Goldfish Kingdom I have no time for these downtimes.
Comments - 12
Astral
Interruptor
UselessBoy
Ingenioussubs
twi
Igoor
StazCherryBlood
gzpz
CheekyKoala
CheekyKoala
Neeichi
Interruptor