
Admin was removed either by bug or exploit.

Open ruudschilders opened this issue 1 year ago • 9 comments

I am an admin of lemmy.world. Suddenly I was missing the 'admin' icon in the top menu. I checked, and I also wasn't listed on the home page as 'admin'.

I then checked the database, the 'admin' column was 'f' for my account. There's nothing in the modlog about it, and nothing in the mod_add table. The 3 other admins are trusted and they are asleep (US timezone).

I have fixed it by updating the person table. But this could be a serious bug or security exploit.

ruudschilders, Jun 13 '23 08:06

@Nutomic sorry for the ping, but this seems urgent

krestenlaust, Jun 13 '23 08:06

Why do already-running sites have their /setup URL available?

Even when not logged-in?

https://lemmy.ml/setup

RocketDerp, Jun 13 '23 13:06

> Why do already-running sites have their /setup URL available?
>
> Even when not logged-in?

This isn't related to this issue. It is possibly on purpose for transparency, since the configuration can be inferred anyway.

krestenlaust, Jun 13 '23 17:06

This seems similar to #3075: basically a local user is fetched over federation and overwritten. There are checks in place that a user is only federated from its home instance (lemmy.world in your case), so it's not a security issue. However, it will set the admin and local columns to false if it happens.

To fix it, a check is needed here that person.id is not equal to the local domain.

Nutomic, Jun 13 '23 21:06
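The overwrite path Nutomic describes, modelled as an added example; this is not Lemmy's code, and the table, type and function names (PersonTable, host_of, upsert_from_federation, FederationError) are hypothetical, as is the simplified person schema. A Person object fetched over federation carries neither `local` nor `admin`, so an upsert keyed by actor id that trusts it resets both columns to false on a local row. The hardened variant adds the check from the comment above: an object whose id is on the local domain is never remote and is refused before the row is touched, while genuinely remote users are still stored.

```rust
use std::collections::HashMap;

/// A row of a simplified person table (a model for this example, not Lemmy's schema).
#[derive(Debug, Clone, PartialEq)]
pub struct Person {
    pub actor_id: String, // ActivityPub id, e.g. https://lemmy.world/u/alice
    pub name: String,
    pub local: bool,
    pub admin: bool,
}

#[derive(Debug, PartialEq)]
pub enum FederationError {
    InvalidId,
    LocalObject,
}

/// Host of `scheme://[user@]host[:port]/...`, lowercased. Hypothetical helper:
/// no IPv6 literals, no percent-decoding; a real service should use a URL parser.
pub fn host_of(url: &str) -> Option<String> {
    let (_, rest) = url.split_once("://")?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let host_port = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let host = host_port.split(':').next()?;
    if host.is_empty() {
        None
    } else {
        Some(host.to_ascii_lowercase())
    }
}

pub struct PersonTable {
    local_domain: String,
    rows: HashMap<String, Person>, // keyed by actor_id, which is unique
}

impl PersonTable {
    pub fn new(local_domain: &str) -> Self {
        Self { local_domain: local_domain.to_ascii_lowercase(), rows: HashMap::new() }
    }

    /// Creates a local account and returns its actor id.
    pub fn insert_local(&mut self, name: &str, admin: bool) -> String {
        let actor_id = format!("https://{}/u/{}", self.local_domain, name);
        let row = Person { actor_id: actor_id.clone(), name: name.to_string(), local: true, admin };
        self.rows.insert(actor_id.clone(), row);
        actor_id
    }

    /// The failure mode from the thread: whatever arrives over federation is
    /// stored as a remote user. A remote Person object carries neither `local`
    /// nor `admin`, so both become false and a local row with the same id is clobbered.
    pub fn upsert_from_federation_unchecked(&mut self, actor_id: &str, name: &str) {
        let row = Person { actor_id: actor_id.to_string(), name: name.to_string(), local: false, admin: false };
        self.rows.insert(actor_id.to_string(), row);
    }

    /// The same upsert behind the proposed check: an object whose id lives on our
    /// own domain can never be remote, so it is rejected before touching the row.
    pub fn upsert_from_federation(&mut self, actor_id: &str, name: &str) -> Result<(), FederationError> {
        match host_of(actor_id) {
            None => Err(FederationError::InvalidId),
            Some(host) if host == self.local_domain => Err(FederationError::LocalObject),
            Some(_) => {
                self.upsert_from_federation_unchecked(actor_id, name);
                Ok(())
            }
        }
    }

    pub fn is_admin(&self, actor_id: &str) -> bool {
        self.rows.get(actor_id).map_or(false, |p| p.admin)
    }
}

/// Replays the incident twice. Returns (admin flag after the unchecked upsert,
/// admin flag after the checked upsert, whether a genuinely remote user is still accepted).
pub fn replay() -> (bool, bool, bool) {
    let mut unchecked = PersonTable::new("lemmy.world");
    let admin_id = unchecked.insert_local("alice", true);
    unchecked.upsert_from_federation_unchecked(&admin_id, "alice");
    let admin_after_unchecked = unchecked.is_admin(&admin_id);

    let mut checked = PersonTable::new("lemmy.world");
    let admin_id = checked.insert_local("alice", true);
    let _ = checked.upsert_from_federation(&admin_id, "alice"); // Err(LocalObject), row untouched
    let admin_after_checked = checked.is_admin(&admin_id);
    let remote_accepted = checked
        .upsert_from_federation("https://other.example/u/alice", "alice")
        .is_ok();

    (admin_after_unchecked, admin_after_checked, remote_accepted)
}

fn main() {
    let (unchecked, checked, remote) = replay();
    println!("admin after unchecked upsert: {}", unchecked);
    println!("admin after checked upsert:   {}", checked);
    println!("remote user still accepted:   {}", remote);
}
```

The home-instance check mentioned in the comment (the object's domain must match the instance it was fetched from) is a separate guard and is not modelled here; it passes trivially for an object on the local domain, which is exactly why the extra local-domain comparison is needed.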

The FMHY instance has experienced a similar issue. The @admin user is no longer an admin. It seems to correlate with a user named admin on another instance getting banned.

rhld16, Jun 14 '23 16:06

Same thing happened to my instance. In my case, I suspect this was caused by my accidentally submitting the Create User form instead of the Login form (populated with admin user/pass).

Edit: One other candidate: when I went into postgres to fix this, I saw a second user named admin who had come across from a federated server.

dcx, Jun 18 '23 18:06

Not that I don't appreciate that you're probably overloaded, guys, but this seems potentially really really really bad, no?

binwiederhier, Jun 20 '23 16:06

I feel this is significant. Who should I send a working proof to?

BlueEther, Jun 24 '23 09:06

At least one exploit that could drop admin rights from any user (open signup / captcha enabled) has been fixed in 0.18.

BlueEther, Jun 24 '23 22:06