bitfreak!
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
October 07, 2013, 09:31:08 PM
> In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.

> My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.

I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?

> My understanding is the hack comprised of a couple vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.

But the first attack was facilitated by a flaw in the SMF software, which allowed the attackers to install backdoors in the first place. It sounds to me like the method used in the 2011 attack is not fully understood even now, but some people suspect the avatar system was exploited. It seems to me like the attacker is using an undocumented flaw in the SMF software.
XCN: CYsvPpb2YuyAib5ay9GJXU8j3nwohbttTz | BTC: 18MWPVJA9mFLPFT3zht5twuNQmZBDzHoWF Cryptonite - 1st mini-blockchain altcoin | BitShop - digital shop script Web Developer - PHP, SQL, JS, AJAX, JSON, XML, RSS, HTML, CSS
QuestionAuthority
Legendary
Offline
Activity: 2156
Merit: 1393
You lead and I'll watch you walk away.
October 07, 2013, 09:37:34 PM Merited by vapourminer (1)
> In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
>
> My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
>
> I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?
>
> My understanding is the hack comprised of a couple vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.
>
> But the first attack was facilitated by a flaw in the SMF software, which allowed the attackers to install backdoors in the first place. It sounds to me like the method used in the 2011 attack is not fully understood even now, but some people suspect the avatar system was exploited. It seems to me like the attacker is using an undocumented flaw in the SMF software.

That's not true: The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames and eventually purchased a donor account, using it to gain access to various user accounts and change their names, including that of the administrator, Satoshi. Theymos verified that this is correct.
Welsh
Staff
Legendary
Offline
Activity: 3304
Merit: 4115
October 07, 2013, 09:41:39 PM
Glad it's back up. I lost a lot of contact with the Bitcoin world because all other Bitcoin forums are not active enough.
bitfreak!
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
October 07, 2013, 09:43:20 PM
> The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames

So the original flaw used to exploit the forum software in 2011 was fixed and the only reason the attacker succeeded this time was because they left behind backdoors (which were removed and then replaced)? If that's the case (and the forum software has been re-installed with fresh files) then we should be secure. But personally I wouldn't be against upgrading to a newer version of SMF.
Maged
Legendary
Offline
Activity: 1204
Merit: 1015
October 07, 2013, 09:47:20 PM Merited by vapourminer (1)
> In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
>
> My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
>
> I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written.

Theymos reviewed a diff between the files from a fresh SMF install and our setup. Therefore, we effectively reinstalled and re-applied our modifications. Theymos then went on to do a full code review and only re-enabled the absolute minimum functionality for the forum to operate. If you had access to the moderation tools, you'd realize just how much is missing...
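Maged describes the deployed files being diffed against a fresh SMF install. As an added example (not the forum's procedure and not SMF code), this POSIX shell script performs that kind of integrity check: it hashes every file in a pristine release tree and in a deployed tree, then reports files that were modified, files added to the deployment (where a planted backdoor would surface) and files that are missing. Directory and file names are constructed for the demo; it assumes `sha256sum` from coreutils and paths without spaces.

```shell
#!/bin/sh
# Added example: verify a deployed web tree against a pristine release by
# comparing per-file SHA-256 manifests. Reports MODIFIED (patched code),
# ADDED (files not in the release, e.g. a dropped backdoor) and MISSING.
# Assumes sha256sum (coreutils) and paths without spaces.

# manifest DIR -> "hash  relative/path" for every regular file, sorted by path
manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "${f#./}"
    done )
}

# compare_trees PRISTINE DEPLOYED -> one sorted line per difference
compare_trees() {
    tmp=$(mktemp -d)
    manifest "$1" > "$tmp/pristine"
    manifest "$2" > "$tmp/deployed"
    # Load the pristine manifest into p[path]=hash, then walk the deployed one;
    # whatever is left in p at the end was never seen in the deployment.
    awk 'NR == FNR   { p[$2] = $1; next }
         !($2 in p)  { print "ADDED", $2; next }
         p[$2] != $1 { print "MODIFIED", $2 }
                     { delete p[$2] }
         END         { for (f in p) print "MISSING", f }' \
        "$tmp/pristine" "$tmp/deployed" | sort
    rm -rf "$tmp"
}

# demo: constructed "fresh" and "live" trees (hypothetical file names) with one
# patched file, one extra PHP file and one deleted file; prints the report.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/fresh/Sources" "$base/live/Sources"
    printf 'unchanged\n' > "$base/fresh/Sources/Load.php"
    printf 'unchanged\n' > "$base/live/Sources/Load.php"
    printf 'release\n'   > "$base/fresh/index.php"
    printf 'patched\n'   > "$base/live/index.php"
    printf 'removed\n'   > "$base/fresh/Sources/Removed.php"
    printf 'dropper\n'   > "$base/live/Sources/cache_helper.php"
    compare_trees "$base/fresh" "$base/live"
    rm -rf "$base"
}
```

Run `demo` to see the three report lines; against a real deployment, call `compare_trees /path/to/fresh-release /path/to/deployed-tree` and review every ADDED and MODIFIED entry by hand.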
r3wt
October 07, 2013, 09:50:53 PM
have you checked to make sure that image sanitization is working properly?
My negative trust rating is reflective of a personal vendetta by someone on default trust.
QuestionAuthority
Legendary
Offline
Activity: 2156
Merit: 1393
You lead and I'll watch you walk away.
October 07, 2013, 09:52:53 PM
> The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames
>
> If the original flaw used to exploit the forum software in 2011 was fixed and the only reason the attacker succeeded this time was because they left behind backdoors (which were removed and then replaced)? If that's the case (and the forum software has been re-installed with fresh files) then we should be secure. But personally I wouldn't be against upgrading to a newer version of SMF.

Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerabilities are located in the package manager, smiley sets, newsletter and edit members or groups with the vulnerable bound post parameters local path url, username, url, emails & title. Exploitation requires low user interaction & privileged application user account. Successful exploitation of the vulnerability can lead to session hijacking (admin/mod/user) or stable (persistent) manipulation of the web application context.

Package Manager > Download New Packages > FTP Information Required (Listing)

    <dd> <input size="30" name="ftp_server" id="ftp_server" type="text"><[PERSISTENT SCRIPT CODE]' <"="" class="input_text">
    <label for="ftp_port">Port: </label>
    <input type="text" size="3" name="ftp_port" id="ftp_port" value="21" class="input_text" />

URL: http://127.0.0.1:133...5f26c102fff9626

Smiley Sets > Add

    <tr class="windowbg" id="list_smiley_set_list_0">
    <td style="text-align: center;"></td>
    <td class="windowbg">Akyhne's Set</td>
    <td class="windowbg">"><[PERSISTENT SCRIPT CODE]' <="" <strong=""> akyhne</strong>/...</td>

Review: Newsletter > Add

    <input name="email_force" value="0" type="hidden">
    <input name="total_emails" value="1" type="hidden">
    <input name="max_id_member" value="13" type="hidden">
    <input name="groups" value="0,1,2,3" type="hidden">
    <input name="exclude_groups" value="0,1,2,3" type="hidden">
    <input name="members" value="" type="hidden">
    <input name="exclude_members" value="" type="hidden">
    <input name="emails" value="" type="hidden"><[PERSISTENT SCRIPT CODE])' <"="">
    </form> </div> <br class="clear" /> </div>

Edit Membergroups & User/Groups Listing

    <h3 class="catbg">Edit Membergroup - "><[PERSISTENT SCRIPT CODE])' <"=""><[PERSISTENT SCRIPT CODE]) <" ><ifram </h3>
    </div> <div class="windowbg2"> <span class="topslice"><span></span></span>
bitfreak!
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
October 07, 2013, 10:14:51 PM
> Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.

It seems like you are referring to the same vulnerabilities referenced in this thread: http://www.simplemachines.org/community/index.php?topic=482530.0

The SMF Project Manager had this to say about it:

> this is, essentially, BS... not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section... and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.

Not that I really care if we update or not, because I can understand the advantages and disadvantages of both actions. But I would like to see something happen to make this forum a bit more secure.
theymos (OP)
Administrator
Legendary
Offline
Activity: 5348
Merit: 13315
October 07, 2013, 10:18:14 PM
> SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
QuestionAuthority
Legendary
Offline
Activity: 2156
Merit: 1393
You lead and I'll watch you walk away.
October 07, 2013, 10:26:58 PM
Securing the forum requires fewer people with access not upgrading to an unknown quantity. At least using an older version means most of the vulnerabilities are known.
r3wt
October 07, 2013, 11:26:08 PM
> SMF v2.0.2 has many vulnerabilities.
>
> Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.

iirc the latest build is 2.0.5 and is quite secure....
Welsh
Staff
Legendary
Offline
Activity: 3304
Merit: 4115
October 07, 2013, 11:30:46 PM
> SMF v2.0.2 has many vulnerabilities.
>
> Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.
>
> iirc the latest build is 2.0.5 and is quite secure....

It's got more features, which means more vulnerabilities. He's right, it's more than likely better to stay on this version. Although, upgrading to a different forum system may be better but would require more downtime and more hassle.
MagicBit15
Sr. Member
Offline
Activity: 294
Merit: 250
Let's Start a Cryptolution!!
October 08, 2013, 12:49:40 AM
My forum is back, thank god. I felt so empty without my BTC talk. Great work theymos!!
joesmoe2012
October 08, 2013, 12:53:33 AM
I'm all for an upgrade. Also, why do we need ads seeing as we have a huge fund to pay for the forum? They are really annoying.
surebet
October 08, 2013, 02:11:58 AM
> The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

Revealed as explained or used? It would probably be a mixture of courtesy, "wtf the two year old backdoor still works" factor and just sharing knowledge. Yes, that was a scary run, hopefully won't happen again. Any *cough* um, accusations of who attacked?

> Are you the same surebet that's a member of this exploit database site http://1337day.com that has a private section containing SMF exploits?

No.
repentance
October 08, 2013, 02:33:45 AM
> The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

Why not reveal it? It was going to be discovered eventually by those trying to fix the forum and revealing that a two year old backdoor was used made it more difficult for theymos to claim it was some new, previously unheard of exploit. There's some lulz to be had when you tell someone how you did something just after it happens and it still takes them days to find and fix the problem.
All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
surebet
October 08, 2013, 02:44:52 AM
As a side note, are there any new restrictions on avatars now, namely the ability to change them?
I have an 80x80 gif I'd like to use that comes out to either 21 or 28k depending, no mention in the usercp about restrictions.
tspacepilot
Legendary
Offline
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
October 08, 2013, 05:45:04 AM
So, if there are so many problems with SMF, why does theymos still use it? There must be some open-source forum software that could be used. At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use. Right?
Swordsoffreedom
Legendary
Offline
Activity: 2912
Merit: 1115
Leading Crypto Sports Betting & Casino Platform
October 08, 2013, 05:50:02 AM
2011 Wow that is an old exploit, whoever broke into the system bided their time executing that code.
HellDiverUK
October 08, 2013, 07:19:38 AM
Well, this could well be coincidence, but someone's been trying very hard to get in to my iCloud account the past day or so. The iCloud username is the same as the email I used here (a GMail account).
I've reset both the GMail and iCloud account passwords, and put double auth on the GMail, but it's annoying getting "iForgot" emails every 15 minutes...