1.7.8 Version banner but not linked to github

On my (docker) 1.7.6 version, I get a banner telling me there is an update to 1.7.8, but when I go to docker hub to update, I don’t see it. I then go to the base YOURLS github page and there is not a 1.7.7 or 1.7.8 release at all. Is there a reason these new versions are not showing up in github and thus docker? The banner has this as the link to download, which is not from github, but does look legit.

Thanks for opening this thread, @jhollowe!

Can you share a screenshot?
That is not normal, as 1.7.8 is not released yet (same for 1.7.7).

I was recently looking in the DB and the yourls_options.core_version_checks seems to be where this is coming from. Here’s the contents in the DB with newlines added for readability (freshly created from the docker yourls:1.7.6)

O:8:"stdClass":4:{s:15:"failed_attempts";i:0;s:12:"last_attempt";i:1587361967;s:11:"last_result";O:8:"stdClass":2:{s:6:"latest";
s:284:"1.7.8<script>$(".notice").css("border-width","2px").html("
<p style=\"font-weight:bold\"><a href=\"https://api.yourls.org/assets/YOURLS-1.7.8.zip\">YOURLS version 1.7.8</a> is available. Please update <a href=\"https://api.yourls.org/assets/YOURLS-1.7.8.zip\">here</a>!</p>"); 
</script>";s:6:"zipurl";s:56:"https://api.github.com/repos/YOURLS/YOURLS/zipball/1.7.8";}
s:15:"version_checked";s:5:"1.7.6";}

I came here to report the same thing! I’m attaching a screenshot of what I see in my admin. The message links to: https://api.yourls.org/assets/YOURLS-1.7.8.zip

Yeah, I posted a similar screenshot and info, but the post seems to have be flagged by the spam bot and hidden (edit: now visible). I found the message is coming from the auto-updater info in the DB

Indeed. Yet https://api.yourls.org/core/version/1.0/ reports 1.7.6, as it should. I’ll have a look, thanks for the heads up.

Fixed. Bad news is api.yourls.org was compromised. I’ve changed every credential to the server and reverted any code to what it should be. If anyone has downloaded binary from the “1.7.8 available” message, overwrite with latest release files (1.7.6) or current master.

As a note, you can run the below command on your database (the the yourls database) to delete the incorrect update information and remove the banner (assuming you have the default DB schema):

UPDATE yourls_options SET option_value='' WHERE option_name='core_version_checks';

and thanks @ozh for the super fast response and fix. Well done!

Dear @ozh, can you please say, how long the fake ZIP file was downloadable?

According to server logs, the first archive was downloaded [19/Apr/2020:15:28:02 -0700] and the last [20/Apr/2020:12:25:20 -0700]

Ok, thanks!
Since we operate more than one instance (great tool by the way): Can say somthing about the content of the ZIP file? For example, did it contain malware?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.