My version of HedgeDoc is: 1.9.9
What I expected to happen:
The only user I have registered is me, via the manage_users command. allowEmailRegister and allowAnonymous are both set to false in config.json. I expected that I would be the only user, and the only person who could start new notes.
What actually happened:
Unauthorized notes, and two new unauthorized users have appeared. (Google found one of the unauthorized notes. Browsing the Postgres DB revealed the unauthorized users in the Users table.)
I already tried:
I think I should be able to delete the users with manage-users --del. Will that delete the notes they’ve made as well? Is it okay to manually delete those from the database if not?
Mostly, what should I do to figure out or close whatever loophole these users exploited to create accounts? Has anyone else had unauthorized users created under these settings?
Thank you!
Hello,
That sounds indeed like something went wrong. We are not aware of any loopholes that could be exploited that way (otherwise they would be fixed).
Have you had a closer look at the users? Did they have a profile in their account (which would indicate an SSO user), or did they have a password and an email address?
Are you sure that registration was always disabled? Have the notes stopped appearing after deleting the user?
The best way to react to such a situation is to create a database dump and then mitigate the situation by deleting the user and the notes. This allows you to investigate the behaviour of the attacker a bit further.
Also a quick reminder that there is a newer version of HedgeDoc available.
Greetings
Sheogorath
Thanks so much for your reply (and my apologies for my late reply).
The users have no e-mail, but JSON profiles, always github.com related. I had github integration enabled in the config. I’ve now disabled it. Would my github integration allow arbitrary github folk to SSO in?
I’m not really sure what the best way is to upgrade my hedgedoc in place. (But I haven’t looked! I’ll try to RTFM!)
Anyway, just using psql to delete the users seemed to work fine. The notes deletions cascaded appropriately. I’m hoping eliminating the github object from config.json remedies all this, but we’ll see.
Thank you so much again for your reply.
Hi @interfluidity,
Yes, in fact GitHub auth is rather intended for public instances, since anyone can register and use your instance.
As you noted, deleting the users in the database should be sufficient and the related database entries should be deleted by that as well.
For upgrading refer to either the relevant docs for docker installs or manual installs.
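An added example (not from the thread or the HedgeDoc project) of a small config audit that catches the combination discussed above: allowEmailRegister and allowAnonymous set to false while a github block is still present, which leaves registration open through GitHub login. The key names other than github, and the assumption that both allow* flags default to true when omitted, are assumptions; the sample config is constructed.

```python
import json

# Keys in a HedgeDoc 1.x config.json that enable a third-party login provider.
# 'github' is the one from this thread; the other names are assumed to follow
# the same pattern and may not all apply to a given install.
SSO_PROVIDER_KEYS = ("github", "gitlab", "google", "dropbox", "facebook",
                     "twitter", "oauth2", "saml")

# Constructed sample mirroring the reporter's setup: self-registration and
# anonymous access disabled, but a github block still configured.
SAMPLE_CONFIG = json.loads("""
{
  "production": {
    "domain": "notes.example.org",
    "allowEmailRegister": false,
    "allowAnonymous": false,
    "github": {
      "clientID": "PLACEHOLDER_CLIENT_ID",
      "clientSecret": "PLACEHOLDER_CLIENT_SECRET"
    }
  }
}
""")


def audit_environment(env: dict) -> list:
    """Return warnings for one environment block (e.g. 'production')."""
    warnings = []
    # Assumption: both flags default to true when absent, so treat a missing key as enabled.
    if env.get("allowAnonymous", True):
        warnings.append("allowAnonymous is enabled: notes can be created without an account")
    if env.get("allowEmailRegister", True):
        warnings.append("allowEmailRegister is enabled: anyone can self-register with an email")
    for key in SSO_PROVIDER_KEYS:
        if key in env:
            warnings.append(f"'{key}' login is configured: any account at that provider can "
                            f"sign in and becomes a local user, regardless of allowEmailRegister")
    return warnings


def audit_config(config: dict) -> dict:
    """Audit every environment block (production, development, ...) in the config."""
    return {name: audit_environment(env)
            for name, env in config.items() if isinstance(env, dict)}


if __name__ == "__main__":
    for env_name, found in audit_config(SAMPLE_CONFIG).items():
        print(env_name)
        for warning in found:
            print("  -", warning)
```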