I have a Kutt implementation.
Actually it only had ONE link in use.
Tonight I received a take-down notice because a malicious link had been inserted into the system's database.
Along with 4 others.
I have :
- deleted the links
- reset user password
- ensured API access is not on.
But how did they get the 5 bad links into the database??
I tried to check the access.log for apache and nginx.
But they are zero-length. Is logging not automatic ?
- how do I check how they did this ?
- any other remedial or preventive action I should take ?
@timconsidine that's quite concerning! Default-on registration is mentioned in the Kutt docs, maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.
Registration is enabled by default. This can be disabled by settings DISALLOW_REGISTRATION=true in /app/data/env
@infogulch yes ! Surprised me.
I normally check when installing an app.
But seems I did not on this.
Would certainly recommend all other users of Kutt to check
/app/data/to disallow registrations.
Going to open a github issue to set this to disabled as a default.
Kinda ridiculous that I have to do a postgres terminal query to check users.
If they support users, they should support some admin function to view users, delete, block etc etc.
maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.
The Problem is you need to have registration enabled by default, because otherwise you can't sign up on the first run.
Already added a PR for a post install note.
@timconsidine this got me too. was looking for a shortener i could iframe into a client dashboard so through kutt up. I don't know how bad or if im still infected but a day or two after setting it up, all my links started to time out - they were being blocked by my browser. at the same time, I lost admin access on a totally different wp site :S i deleted kutt before i thought to investigate.
definitely reminded me as to the importance of security. i still cant get my orginal link shortener (installed on a lamp stack) to work - im worried i got the domains banned or something
@plains-digital may not be be as bad as you think
I appealed against some blocks and responded to incoming abuse notifications and got it cleaned up.
Kutt works well so don't be afraid to try it again - just turn off registrations.