lemmy
Admin was removed either by bug or exploit.
I am admin of lemmy.world. Suddenly I was missing the 'admin' icon in the top menu. I checked, I also wasn't listed on the home page as 'admin'.
I then checked the database, the 'admin' column was 'f' for my account. There's nothing in the modlog about it, and nothing in the mod_add table. The 3 other admins are trusted and they are asleep (US timezone).
I have fixed it by updating the person table. But this could be a serious bug or security exploit.
@Nutomic sorry for ping, but seems urgent
Why do already-running sites have their /setup URL available?
Even when not logged-in?
https://lemmy.ml/setup
> Why do already-running sites have their /setup URL available?
> Even when not logged-in?
This isn't related to this issue. It is possibly on purpose for transparency, since the configuration can be inferred anyway.
This seems similar to #3075: basically a local user is fetched over federation and overwritten. There are checks in place that a user is only federated from its home instance (lemmy.world in your case), so it's not a security issue. However, it will set the `admin` and `local` columns to false if it happens.
To fix it, we need a check here that `person.id` is not equal to the local domain.
FMHY instance has experienced a similar issue. The @admin user is no longer an admin. It seems to correlate with a user named admin on another instance getting banned.
Same thing happened to my instance. In my case, I suspect this was caused by my accidentally submitting the Create User form instead of the Login form (populated with admin user/pass).
Edit: One other candidate: when I went into postgres to fix this, I saw a second user named admin who had come across from a federated server.
Not that I don't appreciate that you're probably overloaded, guys, but this seems potentially really really really bad, no?
I feel this is significant. Who should I send a working proof to?
At least one exploit that could drop admin rights from any user (open signup / captcha enabled) has been fixed in 0.18.