seven1m / do-install-button Goto Github PK

The installer does not have a CSRF token, meaning that if a user has authorized the DO install button, clicking anywhere on a third-party website could allow that third party website to launch a VM on behalf of the user.

The attack is:

1. User visits a malicious website evil.com
2. evil.com launches an invisible submit button over the entire page, with a form pointing to your installer's '/install' endpoint and valid values for size/region/agree/url with the url pointing to a repository of their choosing.
3. If/when a user clicks anywhere on the page, it will launch a VM on behalf of evil.com. This might also be achievable by javascript

This attack is mitigated by the fact that DO will email the user their root password, but this is still confusing and dangerous. You should include a CSRF token in the form and check it.

Specifically, see if we can add the Toronto data center

Should rename file to app.yaml to be more like the heroku installer

• mysql-server
• sendmail-base

https://www.digitalocean.com/community/questions/forcing-to-change-password-when-using-api

seven1m/onebody#349

I think it would be nice if the app.yml file could specify a http shell script to run as the root user. It would keep the app.yml file nice and clean and the script could just reside in the repo in question.

Thoughts?

Hi!

I was very very eager to try this out but the application gives me the error "Internal Server Error" at http://installer.71m.us/install. Perhaps it is something at my end?

Thanks!

Your badge doesn't look good with other badges from shields.io. Just have a look: https://github.com/virtkick/virtkick-starter#virtkick-take-cloud-back Any chance to get an alternative badge? shields.io is widespread, all new badges should be aiming to be compatible with them. There are three layouts of their badges, lookup at http://shields.io/.

Currently the installer just selects the first key available (probably based on order of creation).

Both links return 404. What happened?
http://installer.71m.us/button.svg
http://installer.71m.us/install?url=https://github.com/churchio/onebody