source:
https://github.com/holo-gfx/mangadex/
from 4chan
Discussion 1
```
https://github.com/holo-gfx/mangadex/blob/b82f99b3ad0ce6312d673aebdfb3883320b2eb46/src/Model/Guard.php#L213
This is how they compromised staff accounts.
Mangadex, like the bunch of retards they are, store session tokens as sha256 hashes and use them for session tokens.
Literal fucking retards
```
```
why is this dumb?
the readme says it was a PHP RCE
```
```
You only need DB access to be able to "log in" as every account on the site, so what likely happened was that the attacker compromised one of their DB servers, got DB access, then dumped and used the admin session tokens to log in as one of the admins.
AKA all user sessions are currently compromised and they could mass-change passwords.
```
```
so tokens should be stored in web server memory or something?
```
```
They shouldn't be stored at all in the first place.
You can generate and verify them with public/private encryption and you only need to keep a reference to them in the db for session invalidation.
They should also have a short expiry and be refreshed on a regular basis to keep them constantly rotating.
```
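The design the last reply sketches (nothing usable as a credential stored server-side, short expiry with refresh, a session id kept in the DB only for invalidation), as an added example that is not code from the mangadex repository or from the thread. It uses an HMAC with a server-side secret in place of the public/private-key signature the poster mentions; `SERVER_KEY`, `TOKEN_TTL` and the `sessions` dict are assumptions standing in for a key store and the DB.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: loaded from a key store in production
TOKEN_TTL = 15 * 60                   # short lifetime; clients refresh before it lapses

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: int, sessions: dict, now: Optional[float] = None) -> str:
    """Mint a signed token. Only an opaque session id goes into `sessions` (the DB
    stand-in), so a dump of it yields nothing that can be presented to the server."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)
    claims = {"sid": sid, "uid": user_id, "exp": int(now + TOKEN_TTL)}
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    sessions[sid] = user_id  # kept only so the session can be invalidated
    return f"{body}.{b64url_encode(sig)}"

def verify_token(token: str, sessions: dict, now: Optional[float] = None) -> Optional[int]:
    """User id if the signature is valid, the token unexpired and the session not
    revoked, else None. The signature is checked before any claim is read."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        if claims["exp"] <= now or claims["sid"] not in sessions:
            return None
        return claims["uid"]
    except (ValueError, KeyError, TypeError):
        return None

def revoke(sid: str, sessions: dict) -> None:
    """Server-side invalidation: the token stays signed but is no longer honoured."""
    sessions.pop(sid, None)

def refresh_token(token: str, sessions: dict, now: Optional[float] = None) -> Optional[str]:
    """Rotation: honour the old token once more, retire its session id, issue a new one."""
    uid = verify_token(token, sessions, now)
    if uid is None:
        return None
    revoke(json.loads(b64url_decode(token.split(".", 1)[0]))["sid"], sessions)
    return issue_token(uid, sessions, now)
```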
Discussion 2
```
https://github.com/holo-gfx/mangadex/blob/b82f99b3ad0ce6312d673aebdfb3883320b2eb46/ajax/actions/chapters.actions.req.php#L765
No validation of whether a file within an uploaded zip file is actually an image file; it was just validating the file extension. That's pretty stupid. Their zip uploading process basically allowed anyone to take a php file and rename it as an image, zip it and upload it without any issue.
```
P.S. Uploaded for educational purposes and as a backup before it gets deleted by GitHub (maybe).
Use at your own risk.