[03:03] <bluesabre> JackFrost: That's unpleasant.
[03:03] <JackFrost> That's some seriously bad crap..
[03:04] <JackFrost> bluesabre: I spoke up in #canonical-sysadmin
[03:04] <bluesabre> JackFrost: much appreciated.
[03:05] <JackFrost> Kudos go to tomreyn for getting this handled last time, seems Canonical is having a bad time right now...
[03:05] <bluesabre> Is it just our server(s?) or more widespread?
[03:06] <JackFrost> Likely just wp being terrible...
[03:06] <JackFrost> And outdated.
[03:08] <bluesabre> Oof.
[03:14] <genii> wordpress?
[03:19] <JackFrost> yeah.
[03:24] <JackFrost> Taking a look at the dev server, just to be on the safe side. :P
[04:12] <tomreyn> https://gf.dev/wordpress-security-scanner says it's WP 5.8.1. if correct, it would be potentially affected by two SQLi vulnerabilities. also, the 'openid' plugin hasn't seen much love lately.
[04:12] <JackFrost> I just updated staging.xubuntu.org and contest. to current, on openid and WP itself.
[04:16] <tomreyn> https://staging.xubuntu.org/wp-login.php prints a warning
[04:20] <JackFrost> Yep.
[04:20] <tomreyn> and contest has directory indexes enabled https://contest.xubuntu.org/wp-content/uploads/
[04:23] <JackFrost> Both do..
[04:25] <tomreyn> oh yes. alright, bedtime for me. hopefully tcuthbertcan's patches can get reviewed + merged soon.
[04:27] <JackFrost> tomreyn: Disabled, if someone wanted them on, well they can be turned back on.
[04:39] <tomreyn> quttera's url normalization is just terrible. they try to prevent you scanning the same site twice in half an hour, but just changing the url to upper case or adding "www." in front works around that.
[04:40] <tomreyn> and i just logged in to https://xubuntu.org/wp-admin/index.php using my tomreyn SSO user name - not sure i should be able to do so.
[04:42] <JackFrost> I don't have any powers there, I can only login because of xubuntu-team.
[04:46] <tomreyn> me neither, not that any are visible anyways (and i'm not going beyond that). the bed really calls now. ;-) ttyl.
[04:47] <JackFrost> Sleep well.
[21:16] <knome> tomreyn, i don't think there is a way to stop people from creating accounts and logging in to xubuntu.org (as subscribers) as we're using the openid login, but it's been a long time since i *actually* worked with this, so who knows if i misremember or something has changed since
[21:17] <knome> JackFrost, given the situation, would you like to be added to ~xubuntu-website to gain some power?
[22:48] <JackFrost> Well...Not precisely, but I guess yeah.
[22:49] <knome> pleia2, maybe you could grant JackFrost access to -website?
[22:55] <tomreyn> knome: looks like the privileges granted to the average user logging in via SSO are very limited, so it probably doesn't really change much in terms of making it easier to escalate privileges from there (compared to no login)
[22:56] <knome> tomreyn, as i said, "subscriber", so basically it means they'll have an "account" registered, but that's about it
[22:56] <tomreyn> still, any user added this way seems to end up in the database, which could be a problem if the DB grows too large (e.g. due to a malfunctioning spam bot) or for privacy.
[22:56] <knome> as i see it, the main purpose of this is that maintainers can create posts that only registered users can see
[22:56] <tomreyn> oh "subscriber" is the role, sorry, i'm not so familiar with those.
[22:56] <knome> (ofc we don't use that functionality, but..)
[22:57] <knome> np
[22:57] <knome> well the spammers need to have launchpad accounts
[22:57] <knome> that limits it a bit
[22:57] <tomreyn> so the openid only works against this provider?
[22:58] <knome> again it's a long time since i've checked, but i'm pretty sure there is another (canonical created) plugin that limits it to launchpad, yes
[22:58] <knome> in a way or another
[22:58] <tomreyn> anyways, a mostly theoretical discussion at this point, and not the actual cause of these problems, i guess
[22:59] <knome> sure, i don't see this as a problem
[22:59] <knome> the revision history showed that the spammy edits were done by the "admin" (ID 1) user
[22:59] <knome> which is the easy target for spammers/hackers, since if user ID 1 exists, it's almost always an admin user
[22:59] <tomreyn> so it's possibly still the same problem as early december
[23:01] <knome> i think it's even on the WP website that if you want to "harden" your installation, you should add another user and remove the user ID 1 right after setting your site up
[23:01] <knome> because then automated attacks which try to use this knowledge to their benefit will simply fail
[23:02] <knome> ...but at least when xubuntu.org was set up, canonical didn't have that practice
[23:06] <tomreyn> i also remember reading this somewhere about wordpress basics
[23:06] <pleia2> yeah, let's see
[23:06] <tomreyn> also something about renaming the user
[23:08] <pleia2> I have done the thing
[23:09] <knome> pleia2, thank you! <3
[23:10] <knome> tomreyn, i don't think renaming the user helps, as its ID is still 1, which can be used for the attacks
[23:12] <knome> and if you create another user and delete the first one, you don't need to rename ;)
[23:12] <knome> (also, it's really handy to remove the first user as then you get rid of all the nonsense default content at once ;))
[23:13] <knome> (disclaimer: a sizeable amount of my work is understanding wordpress)
[23:20] <JackFrost> pleia2, knome: Thanks, I'll stay away from actually touching content. :>
[23:20] <pleia2> :)
[23:20] <pleia2> thanks for keeping an eye on things
[23:21] <JackFrost> ...I still hesitate to reboot that server. :P
[23:21] <JackFrost> knome: Speaking of which, I have admin on contest (IIRC?) but not staging. Plz2fix?
[23:21] <pleia2> haha
[23:22] <pleia2> I'm around most weekdays during the day, just ping me to see if I'm around when you do a reboot in case of emergency ;D
[23:23] <JackFrost> Oh dear, it also emails you on reboots doesn't it?
[23:23] <pleia2> yeah
[23:24] <pleia2> I have monitoring on it, but it doesn't page me or anything (just email, I'll sleep through it :))
[23:24] <JackFrost> I try to do kernel reboots late so few people notice.
[23:25] <knome> JackFrost, i went ahead and gave you admin @staging, but... now i notice it's also using openid, so you should get all the admin powers with the -website membership
[23:26] <JackFrost> Ah, righty.