Unauthorized users and notes have appeared

My version of HedgeDoc is: 1.9.9

What I expected to happen:

The only user I have registered is me, via the manage_users command. allowEmailRegister and allowAnonymous are both set to false in config.json. I expected that I would be the only user, and the only person who could start new notes.

What actually happened:

Unauthorized notes, and two new unauthorized users have appeared. (Google found one of the unauthorized notes. Browsing the postgresdb revealed the unauthorized users in the Users table.)

I already tried:

I think I should be able to delete the users with manage-users --del. Will that delete the notes they’ve made as well? Is it okay to manually delete those from the database if not?

Mostly, what should I do to figure out or close whatever loophole these users exploited to create accounts? Has anyone else had unauthorized users created under these settings?

Thank you!

Hello,

That sounds indeed like something went wrong. We are not aware of any loopholes that could be exploited that way (otherwise they would be fixed).

Have you had a closer look at the user? Did they have a profile in their account (which would indicate an SSO user) or did they have a password and an email address?

Are you sure that registration was always disabled? Have the notes stopped appearing after deleting the user?

The best way to react to such a situation is to create a database dump and then mitigate the situation by deleting the user and the notes. This allows you to investigate the behaviour of the attacker a bit further.

Also a quick reminder that there is a newer version of HedgeDoc available.

Greetings
Sheogorath
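The reply above asks two things of the reporter: check whether the accounts look like SSO users (profile, no password) or local registrations (email plus password), and take a database dump before deleting anything. The script below is an added triage example for this thread, not a HedgeDoc tool or anything from the project. It assumes a PostgreSQL backend and the HedgeDoc 1.x schema (tables "Users" and "Notes" with columns "email", "password", "profile", "createdAt" and "ownerId"); the connection string and the evidence directory are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not HedgeDoc's own tooling: snapshot the database before
# touching anything, then answer the two questions raised in the thread
# (how did the accounts get in? which notes do they own?).
# Assumed: PostgreSQL backend and the HedgeDoc 1.x schema with tables "Users"
# and "Notes" and columns "email", "password", "profile", "createdAt", "ownerId".
set -eu

# Connection string and evidence directory are assumptions; adjust to your setup.
DB_URL="${HEDGEDOC_DB_URL:-postgres://hedgedoc@localhost/hedgedoc}"
EVIDENCE_DIR="${EVIDENCE_DIR:-./hedgedoc-incident-$(date +%Y%m%d-%H%M%S)}"

# 1. Full dump, kept with a checksum, so the attacker's activity can still be
#    studied after the rows are removed from the live database.
dump_db() {
    mkdir -p "$EVIDENCE_DIR"
    pg_dump "$DB_URL" --format=custom --file="$EVIDENCE_DIR/hedgedoc.dump"
    sha256sum "$EVIDENCE_DIR/hedgedoc.dump" > "$EVIDENCE_DIR/hedgedoc.dump.sha256"
    echo "$EVIDENCE_DIR/hedgedoc.dump"
}

# 2. How did each account get in? A local registration leaves an email and a
#    password hash; an SSO/OAuth login leaves a profile and no password.
users_sql() {
    cat <<'SQL'
SELECT id, email,
       password IS NOT NULL AS has_password,
       profile  IS NOT NULL AS has_sso_profile,
       "createdAt"
FROM "Users"
ORDER BY "createdAt";
SQL
}

# 3. Notes owned by one user id. The id is passed as a psql variable
#    (:'owner'), so psql quotes it instead of it being spliced into the SQL.
notes_sql() {
    cat <<'SQL'
SELECT id, shortid, title, "createdAt", "updatedAt"
FROM "Notes"
WHERE "ownerId" = :'owner'
ORDER BY "createdAt";
SQL
}

list_users() { users_sql | psql "$DB_URL" --no-psqlrc; }
list_notes() { notes_sql | psql "$DB_URL" --no-psqlrc -v owner="$1"; }

# Usage: ./triage.sh dump | users | notes <user-id>
main() {
    case "$1" in
        dump)  dump_db ;;
        users) list_users ;;
        notes) list_notes "${2:?user id required}" ;;
        *) echo "usage: $0 dump|users|notes <user-id>" >&2; exit 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `dump` first and keep the dump and its checksum off the server; then use `users` to see whether the unexpected accounts carry a password hash or an SSO profile, and `notes <user-id>` to review what each one owns before removing the accounts with the manage_users command mentioned in the thread. Re-running `users` and `notes` afterwards confirms nothing of theirs is left in the live database while the dump still preserves it for investigation.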