|
Hey, I accidentally erased the previous Site Problems thread because I am an idiot. Here's what I had written in it:

Hey everyone, a bit of an update on the situation.

What happened? An attacker found a way to do what is called an HTML Injection into UER. This means that they compelled UER to execute their code in the browser.

What did this get them? The attacker was able to steal the login session of three users. They did not get the account password, or any other personal details.

How did we respond? I immediately rotated our cookie signing key, thereby invalidating all sessions. This is why you had to log in again. The sessions the attacker stole are no longer valid.

Was any personal data leaked? No. The attacker was theoretically able to pretend to be one of the 3 users, but they don't appear to have done so.

What are we doing to prevent this in the future? UER wasn't using best principles to stop remote code exploits. I've switched these on now, blocking most external scripts from loading, and have already spent hours working to get rid of all inline scripts throughout UER. This will make UER more secure and prevent this kind of attack from happening again. Sorry for the trouble, we'll get this sorted!
huskies - such fluff. |
|
I have an archived copy of the original thread. I was lucky/forgetful enough to not close out a tab of the old one so if anyone wants the html file for it, I could give it to you.
I will stop procrastinating tomorrow... |
|
Update: I've now spent many more hours replacing every single inline script on UER, for example:
<div onclick="alert('hello')">
With that done, I've disabled inline scripts entirely. This means that even if another HTML injection attack point is found, which is possible, it will be impossible to inject a script. This should go a long way to protecting the site against this kind of attack. Please let me know if you see any odd or broken behaviour on the site.
[last edit 4/20/2023 5:20 AM by Avatar-X - edited 1 times]
huskies - such fluff. |
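The two updates above describe the mitigation in prose: a policy that blocks most external scripts and forbids inline ones, plus hours of moving handlers like the `onclick` shown out of the markup. As an added example (not UER's or Avatar-X's code), this builds such a Content-Security-Policy, checks whether a given policy still permits inline scripts, and runs a simple audit over a page for the constructs the policy would break. The CDN hostname is a placeholder, and both sample pages are constructed for the demo; only the `<div onclick="alert('hello')">` line comes from the post.

```javascript
// Added example, not code from UER or from Avatar-X: a Content-Security-Policy
// that forbids inline scripts, a check for whether a policy still permits them,
// and a regex audit that lists the inline-script constructs left in a page.
// The allow-listed CDN hostname and both sample pages are constructed for the demo.

const TRUSTED_SCRIPT_HOSTS = ["'self'", "https://cdn.example.com"]; // assumed allow-list

// Without 'unsafe-inline' in script-src, browsers refuse <script>...</script>
// blocks, on*="..." handler attributes and javascript: URLs. An injected
// <script> or <img onerror=...> therefore does not execute even when markup
// injection is still possible somewhere on the site.
function buildCsp(scriptHosts = TRUSTED_SCRIPT_HOSTS) {
  return [
    "default-src 'self'",
    `script-src ${scriptHosts.join(" ")}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Simplified check: does the policy's script-src (or the default-src fallback)
// contain 'unsafe-inline'? Ignores the rule that browsers disregard
// 'unsafe-inline' when a nonce or hash source is also present.
function cspAllowsInlineScript(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (!sources) return true; // no script restriction at all
  return sources.includes("'unsafe-inline'");
}

// The three inline-script forms a policy without 'unsafe-inline' blocks.
// Regexes are a heuristic for auditing templates, not a full HTML parser.
const INLINE_SCRIPT_TAG = /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi;
const INLINE_HANDLER_ATTR = /\bon[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
const JAVASCRIPT_URL = /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi;

function findInlineScripts(html) {
  const findings = [];
  for (const m of html.matchAll(INLINE_SCRIPT_TAG)) findings.push({ kind: "inline-script-tag", text: m[0] });
  for (const m of html.matchAll(INLINE_HANDLER_ATTR)) findings.push({ kind: "event-handler-attribute", text: m[0] });
  for (const m of html.matchAll(JAVASCRIPT_URL)) findings.push({ kind: "javascript-url", text: m[0] });
  return findings;
}

// Constructed "before" page. The onclick div is the form quoted in the update;
// the rest is made up to exercise every finding kind.
const SAMPLE_PAGE_BEFORE = `<!doctype html>
<a href="javascript:void(0)" onclick="openMenu()">Menu</a>
<div onclick="alert('hello')">Hi</div>
<script>trackPageView();</script>
<script src="/js/app.js"></script>`;

// Constructed "after" page: handlers are attached from the external file
// instead, e.g. in /js/app.js:
//   document.getElementById("greet").addEventListener("click", () => alert("hello"));
const SAMPLE_PAGE_AFTER = `<!doctype html>
<a href="#" id="menu">Menu</a>
<div id="greet">Hi</div>
<script src="/js/app.js"></script>`;

console.log(buildCsp());
console.log(findInlineScripts(SAMPLE_PAGE_BEFORE)); // 4 findings
console.log(findInlineScripts(SAMPLE_PAGE_AFTER).length); // 0
```

The order matters in practice: run the audit and fix the findings first, then enforce the header. Enforcing first turns every leftover `onclick` into silently dead UI, which is the "odd or broken behaviour" the update asks people to report. A `Content-Security-Policy-Report-Only` header can be used during the transition to see what would be blocked without breaking anything.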
|
Thanks Av! I think I can speak for all of us when I say we really appreciate your work to keep UER functional and secure.
"Sorry, I didn't know I'm not supposed to be here," he said, knowing full well he wasn't supposed to be there. |
|
I appreciate all of Av's efforts to keep this site running when so many other sites have become abandoned.
In order to use your head, you have to go out of your mind. |
|
Posted by Radio2600: I appreciate all of Av's efforts to keep this site running when so many other sites have become abandoned.
|
We can urbex websites now?! I love the 21st century.
|
Thanks Av !! Appreciate all your efforts
"if you are not selfish enough to make yourself happy, you have nothing of value to offer the world." |
|
Love your dedication to the site AV. Thanks!
RIP Blackhawk |
|
Thank you so much Av!
I will stop procrastinating tomorrow... |