My Kutt was hacked! How? Check yours!!
I have a Kutt implementation.
Actually it only had ONE link in use.
Tonight I received a take-down notice because a malicious link had been inserted into the system's database.
Along with 4 others.
I have:
- deleted the links
- reset user password
- ensured API access is not on.
But how did they get the 5 bad links into the database?
I tried to check the access.log for Apache and nginx.
But they are zero-length. Is logging not automatic?
- how do I check how they did this?
- any other remedial or preventive action I should take ?
I just noticed my Kutt supports account signup from the login page.
I did not think this was in operation.
And the system does not give any option to show users who may have signed up. Bizarre.
How can I check other users ?
OK I checked postgres user table.
3 dodgy entries in there.
So user sign up was active not disabled as I thought.
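An added example, not part of the original post or of Kutt itself, of the Postgres check described above, written so other Kutt operators can run it against their own database. Table and column names (users.id, email, verified, banned, apikey, created_at; links.id, address, target, user_id, created_at) are assumed from Kutt's Postgres schema; confirm them with `\d users` and `\d links` in psql before relying on the queries.

```sql
-- Added triage queries for a Kutt Postgres database after suspected abuse.
-- Schema names below are ASSUMED from Kutt's migrations; verify with \d users / \d links.

-- 1. Every account, newest first. Any account you did not create yourself is suspect,
--    and any account holding an API key could have inserted links without the web UI.
SELECT id, email, verified, banned, (apikey IS NOT NULL) AS has_apikey, created_at
FROM users
ORDER BY created_at DESC;

-- 2. Link count per owner, so a stray account that owns several links stands out.
SELECT u.id, u.email, COUNT(l.id) AS link_count,
       MIN(l.created_at) AS first_link, MAX(l.created_at) AS last_link
FROM users u
LEFT JOIN links l ON l.user_id = u.id
GROUP BY u.id, u.email
ORDER BY link_count DESC;

-- 3. Links created recently, with owner and target, for manual review of each target.
--    Adjust the interval to cover the period since your last known-good state.
SELECT l.address, l.target, u.email AS owner, l.created_at
FROM links l
LEFT JOIN users u ON u.id = l.user_id
WHERE l.created_at >= now() - interval '30 days'
ORDER BY l.created_at;

-- 4. Containment: ban the rogue accounts (keeps the evidence) and remove their links,
--    in one transaction. Fill in the ids found in steps 1 and 2 before running.
BEGIN;
UPDATE users SET banned = true WHERE id IN (/* rogue user ids */);
DELETE FROM links WHERE user_id IN (/* rogue user ids */);
COMMIT;
```

Run the first three queries read-only and keep their output before changing anything; the link targets and account creation timestamps are the only record of the intrusion if the web server access logs are empty, as in the post above.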
infogulch:
@timconsidine that's quite concerning! Default-on registration is mentioned in the Kutt docs, maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.
Registration is enabled by default. This can be disabled by setting DISALLOW_REGISTRATION=true in /app/data/env
@infogulch yes! Surprised me.
I normally check when installing an app.
But seems I did not on this.
Would certainly recommend all other users of Kutt to check /app/data/ to disallow registrations.
Going to open a github issue to set this to disabled as a default.
Kinda ridiculous that I have to do a postgres terminal query to check users.
If they support users, they should support some admin function to view users, delete, block etc etc.
maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.
The problem is you need to have registration enabled by default, because otherwise you can't sign up on the first run.
Already added a PR for a post install note.
@girish Perhaps we should consider looking at all apps across the portfolio for open signups (like VaultWarden, which bit me a few weeks back) and disable them as part of our app onboarding?
@doodlemania2 registration is almost always disabled by default. But some apps like Kutt won't allow anyone to sign up if registration is disabled.