Bitcoin Forum
Author Topic: About the recent attack  (Read 13994 times)
bitfreak!
Legendary
October 07, 2013, 09:31:08 PM
 #61

Quote
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
Quote
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?

Quote
My understanding is the hack comprised of a couple of vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.
But the first attack was facilitated by a flaw in the SMF software, which allowed the attackers to install backdoors in the first place. It sounds to me like the method used in the 2011 attack is not fully understood even now, but some people suspect the avatar system was exploited. It seems to me like the attacker is using an undocumented flaw in the SMF software.

QuestionAuthority
Legendary
October 07, 2013, 09:37:34 PM
Merited by vapourminer (1)
 #62

Quote from: bitfreak!
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?

My understanding is the hack comprised of a couple of vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.
But the first attack was facilitated by a flaw in the SMF software, which allowed the attackers to install backdoors in the first place. It sounds to me like the method used in the 2011 attack is not fully understood even now, but some people suspect the avatar system was exploited. It seems to me like the attacker is using an undocumented flaw in the SMF software.

That's not true:

Quote
The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames and eventually purchased a donor account, using it to gain access to various user accounts and change their names, including that of the administrator, Satoshi.

Theymos verified that this is correct.

Welsh
Staff
Legendary
October 07, 2013, 09:41:39 PM
 #63

Glad it's back up. I lost a lot of contact with the Bitcoin world because all other Bitcoin forums are not active enough.
bitfreak!
Legendary
October 07, 2013, 09:43:20 PM
 #64

Quote
The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames
So the original flaw used to exploit the forum software in 2011 was fixed and the only reason the attacker succeeded this time was because they left behind backdoors (which were removed and then replaced)? If that's the case (and the forum software has been re-installed with fresh files) then we should be secure. But personally I wouldn't be against upgrading to a newer version of SMF.

XCN: CYsvPpb2YuyAib5ay9GJXU8j3nwohbttTz | BTC: 18MWPVJA9mFLPFT3zht5twuNQmZBDzHoWF
Cryptonite - 1st mini-blockchain altcoin | BitShop - digital shop script
Web Developer - PHP, SQL, JS, AJAX, JSON, XML, RSS, HTML, CSS
Maged
Legendary
October 07, 2013, 09:47:20 PM
Merited by vapourminer (1)
 #65

Quote from: bitfreak!
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written.
Theymos reviewed a diff between the files from a fresh SMF install and our setup. Therefore, we effectively reinstalled and re-applied our modifications. Theymos then went on to do a full code review and only re-enabled the absolute minimum functionality for the forum to operate.

If you had access to the moderation tools, you'd realize just how much is missing...
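The fresh-install comparison Maged describes above is easy to automate. The script that follows is an added example, not code from this thread or from SMF: it hashes every file in a pristine tree of the same release and in the live tree, then lists files that were added, went missing, or differ, which is where a dropped or patched backdoor shows up. It assumes coreutils (find, sha256sum, sort, join, awk) and paths without whitespace; the two trees built by demo are constructed sample data.

```shell
#!/bin/sh
# Added example: compare the live forum tree against a pristine copy of the
# same SMF release. Planted files show up as ADDED, patched ones as MODIFIED.
# Assumes coreutils (find, sha256sum, sort, join, awk) and paths without spaces.
export LC_ALL=C

# manifest DIR: one "sha256  ./relative/path" line per regular file, sorted by path
manifest() {
    (
        cd "$1" || exit 1
        find . -type f | sort | while IFS= read -r f; do sha256sum "$f"; done
    )
}

# compare_trees PRISTINE DEPLOYED
# Prints "ADDED path" (only in the live tree), "MISSING path" (only in the
# pristine tree) and "MODIFIED path" (same path, different hash), sorted.
compare_trees() {
    tmp=$(mktemp -d) || return 1
    manifest "$1" > "$tmp/p"
    manifest "$2" > "$tmp/d"
    {
        join -1 2 -2 2 -v 2 "$tmp/p" "$tmp/d" | awk '{print "ADDED " $1}'
        join -1 2 -2 2 -v 1 "$tmp/p" "$tmp/d" | awk '{print "MISSING " $1}'
        join -1 2 -2 2 "$tmp/p" "$tmp/d" | awk '$2 != $3 {print "MODIFIED " $1}'
    } | sort
    rm -rf "$tmp"
}

# demo: two constructed trees standing in for a fresh unpack and the live install
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/fresh/Sources" "$root/live/Sources" "$root/live/Themes/default/images"
    printf 'index\n' > "$root/fresh/index.php"
    printf 'load\n'  > "$root/fresh/Sources/Load.php"
    printf 'ssi\n'   > "$root/fresh/SSI.php"
    cp "$root/fresh/index.php" "$root/live/index.php"                  # untouched
    printf 'load\nextra line\n' > "$root/live/Sources/Load.php"         # tampered
    printf 'planted\n' > "$root/live/Themes/default/images/avatar.php"  # added file
    compare_trees "$root/fresh" "$root/live"
    rm -rf "$root"
}

demo
```

Run it against a real installation as `compare_trees /path/to/fresh-smf /var/www/forum`; every MODIFIED line should be explainable by a mod you applied on purpose, and anything ADDED under upload or image directories deserves a close look.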

r3wt
Hero Member
October 07, 2013, 09:50:53 PM
 #66

Have you checked to make sure that image sanitization is working properly?

QuestionAuthority
Legendary
October 07, 2013, 09:52:53 PM
 #67

Quote
The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames
If the original flaw used to exploit the forum software in 2011 was fixed and the only reason the attacker succeeded this time was because they left behind backdoors (which were removed and then replaced)? If that's the case (and the forum software has been re-installed with fresh files) then we should be secure. But personally I wouldn't be against upgrading to a newer version of SMF.

Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.

Quote
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerabilities are located in the package manager, smiley sets, newsletter and edit members or groups with the vulnerable bound post parameters local path url, username, url, emails & title. Exploitation requires low user inter action & privileged application user account. Successful exploitation of the vulnerability can lead to session hijacking (admin/mod/user) or stable (persistent) manipulation of the web application context.

Package Manager > Download New Packages > FTP Information Required (Listing)

<dd>
<input size="30" name="ftp_server" id="ftp_server" type="text"><[PERSISTENT SCRIPT CODE]' <"="" class="input_text">
<label for="ftp_port">Port:&nbsp;</label>
<input type="text" size="3" name="ftp_port" id="ftp_port" value="21"
class="input_text" />

URL: http://127.0.0.1:133...5f26c102fff9626



Smiley Sets > Add

<tr class="windowbg" id="list_smiley_set_list_0">
<td style="text-align: center;"></td>
<td class="windowbg">Akyhne's Set</td>
<td class="windowbg">"><[PERSISTENT SCRIPT CODE]' <="" <strong="">
akyhne</strong>/...</td>

Review: Newsletter > Add

<input name="email_force" value="0" type="hidden">
<input name="total_emails" value="1" type="hidden">
<input name="max_id_member" value="13" type="hidden">
<input name="groups" value="0,1,2,3" type="hidden">
<input name="exclude_groups" value="0,1,2,3" type="hidden">
<input name="members" value="" type="hidden">
<input name="exclude_members" value="" type="hidden">
<input name="emails" value="" type="hidden"><[PERSISTENT SCRIPT CODE])' <"="">
</form>
</div>
<br class="clear" />
</div>

Edit Membergroups & User/Groups Listing

<h3 class="catbg">Edit Membergroup - "><[PERSISTENT SCRIPT CODE])' <"=""><[PERSISTENT SCRIPT CODE]) <"
><ifram
</h3>
</div>
<div class="windowbg2">
<span class="topslice"><span></span></span>
 

bitfreak!
Legendary
October 07, 2013, 10:14:51 PM
 #68

Quote from: QuestionAuthority
Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.
It seems like you are referring to the same vulnerabilities referenced in this thread:

http://www.simplemachines.org/community/index.php?topic=482530.0

The SMF Project Manager had this to say about it:
Quote
this is, essentially, BS...

not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section...  and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.

Not that I really care if we update or not, because I can understand the advantages and disadvantages of both actions. But I would like to see something happen to make this forum a bit more secure.

theymos (OP)
Administrator
Legendary
October 07, 2013, 10:18:14 PM
 #69

Quote from: QuestionAuthority
SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.

QuestionAuthority
Legendary
October 07, 2013, 10:26:58 PM
 #70

Securing the forum requires fewer people with access, not upgrading to an unknown quantity. At least using an older version means most of the vulnerabilities are known.

r3wt
Hero Member
October 07, 2013, 11:26:08 PM
 #71

Quote from: theymos
SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.

iirc the latest build is 2.0.5 and is quite secure....

Welsh
Staff
Legendary
October 07, 2013, 11:30:46 PM
 #72

Quote from: r3wt
SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.

iirc the latest build is 2.0.5 and is quite secure....

It's got more features, which means more vulnerabilities. He's right, it's more than likely better to stay on this version. Although, upgrading to a different forum system may be better but would require more downtime and more hassle.
MagicBit15
Sr. Member
October 08, 2013, 12:49:40 AM
 #73

My forum is back thank god. I felt so empty without my BTC talk.

Great work theymos!!

joesmoe2012
Hero Member
October 08, 2013, 12:53:33 AM
 #74

I'm all for an upgrade. Also, why do we need ads seeing as we have a huge fund to pay for the forum? They are really annoying.

surebet
Hero Member
October 08, 2013, 02:11:58 AM
 #75

The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

Revealed as explained or used? It'd probably be a mixture of courtesy, "wtf the two year old backdoor still works" factor and just sharing knowledge.

Yes, that was a scary run, hopefully won't happen again.  Any *cough* um, accusations of who attacked?

Are you the same surebet that's a member of this exploit database site http://1337day.com that has a private section containing SMF exploits?

No.
repentance
Hero Member
October 08, 2013, 02:33:45 AM
 #76

Quote
The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

Why not reveal it?  It was going to be discovered eventually by those trying to fix the forum and revealing that a two year old backdoor was used made it more difficult for theymos to claim it was some new, previously unheard of exploit.  There's some lulz to be had when you tell someone how you did something just after it happens and it still takes them days to find and fix the problem.

surebet
Hero Member
October 08, 2013, 02:44:52 AM
 #77

As a side note, are there any new restrictions on avatars now, namely the ability to change them?

I have an 80x80 gif I'd like to use that comes out to either 21 or 28k depending, no mention in the usercp about restrictions.
tspacepilot
Legendary
October 08, 2013, 05:45:04 AM
 #78

So, if there are so many problems with SMF, why does thermos still use it?  There must be some open-source forum software that could be used.   At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use.  Right? 
Swordsoffreedom
Legendary
October 08, 2013, 05:50:02 AM
 #79

2011 Wow that is an old exploit, whoever broke into the system bided their time executing that code.

HellDiverUK
Hero Member
October 08, 2013, 07:19:38 AM
 #80

Well, this could well be coincidence, but someone's been trying very hard to get in to my iCloud account the past day or so.  The iCloud username is the same as the email I used here (a GMail account).

I've reset both the GMail and iCloud account passwords, and put double auth on the GMail, but it's annoying getting "iForgot" emails every 15 minutes...
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!