Previous Thread
Next Thread
Print Thread
Hop To
Joined: Nov 2021
Posts: 28
Likes: 1
I
Newbie
Newbie
I Offline
Joined: Nov 2021
Posts: 28
Likes: 1
Greetings . . .

The support folks over at Ipower have taken our web-presence down because of a Phishing attack that apparently originated from our site. The details can be found over at Netcraft:
https://incident.netcraft.com/685581256719/redirect_graph.html

Based on the URL it appears to involve changepfrefs.inc.php. I was just out in the filesystem. None of the php files have been touched since our upgrade back in February. So the codebase doesn’t appear to have been compromised.

Please advise on (if you can) on how to stop the offending redirects. Ipower will not put our site back online until we can assure them that this is fixed.

Regards,
Keith
Tech Services Admin,
Inliners International

Joined: Jul 2006
Posts: 116
Likes: 4
P
Member
Member
P Offline
Joined: Jul 2006
Posts: 116
Likes: 4
A quick workaround for this issue

Open /ubb/scripts/changeprefs.inc.php in an editor and replace the following line near at the end:
Code
header("Location: $curl");

with:
Code
	if( substr( $curl, 0, 2 ) == "//" ) {
	    header("Location: $curl");
	}

This will add an additional check for the curl parameter

Last edited by Philipp; 08/25/2022 12:45 PM. Reason: Updated code with better solution
1 member likes this: InlinersAdmin
Joined: Nov 2021
Posts: 28
Likes: 1
I
Newbie
Newbie
I Offline
Joined: Nov 2021
Posts: 28
Likes: 1
Thanks for the quick turn on a patch/fix. Working with Ipower technicians to get us back online.

Joined: Jun 2006
Posts: 16,292
Likes: 116
UBB.threads Developer
UBB.threads Developer
Joined: Jun 2006
Posts: 16,292
Likes: 116
Tentative for v8 we've actually rejiggered the library /libs/html.inc.php


Prior:
Code
		// If they aren't logged in, or just logged out, give them the proper message
		if ((empty($user['USER_DISPLAY_NAME']) || !$userob->is_logged_in) || ($bypass)) {
			$sfu = "";
			if ($config['SEARCH_FRIENDLY_URLS'] == "1") {
				$sfu = "?";
			} else {
				$sfu = "&";
			}
			$ocurl = urlencode(get_current_url());
			$welcome = "<a href=\"" . make_ubb_url("ubb=login", "", true) . "$sfu" . "ocu=$ocurl\" rel=\"nofollow\"><i class=\"fas fa-sign-in-alt fa-fw\" aria-hidden=\"true\"></i> {$ubbt_lang['BUTT_LOGIN']}</a>";
		} else {
			$welcome = "{$user['USER_DISPLAY_NAME']}";
		}


New:
Code
		// If they aren't logged in, or just logged out, give them the proper message
		if ((empty($user['USER_DISPLAY_NAME']) || !$userob->is_logged_in) || ($bypass)) {
			if ($ubb != "login" && $ubb != "start_page" && $ubb != "logout") {
				$sfu = "";
				if ($config['SEARCH_FRIENDLY_URLS'] == "1") {
					$sfu = "?";
				} else {
					$sfu = "&";
				}
				$ocurl = $sfu . "ocu=" . urlencode(get_current_url());
			}
			$welcome = "<a href=\"" . make_ubb_url("ubb=login", "", true) . $ocurl . "\" rel=\"nofollow\"><i class=\"fas fa-sign-in-alt fa-fw\" aria-hidden=\"true\"></i> {$ubbt_lang['BUTT_LOGIN']}</a>";
		} else {
			$welcome = "{$user['USER_DISPLAY_NAME']}";
		}

The above coding is stock in v7.5.5, but on November 22nd, 2023 on the thread Google Third-Party Spam Warning a set of code was implemented to throw a forum error when a 3rd party URL is detected.

Last edited by Gizmo; 11/22/2023 7:19 PM.

I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Joined: Dec 2011
Posts: 6
E
Stranger
Stranger
E Offline
Joined: Dec 2011
Posts: 6
I have gotten hit also, assume this will also fix it?

My phishing is: http://domain/ubbthreads.php?ubb=changeprefs&what=style&value=5&curl=http://inter-national-events.com/FNlnPKo2h.dbm?oEyfVuVPKEWDH=CXmKMWogabQWp19k1brq020w5801fg0c017e3091hxtpee7rv9

so am planning to change based on the above note: if( substr( $curl, 0, 2 ) == "//" ) {
header("Location: $curl");
}

Joined: Jun 2006
Posts: 16,292
Likes: 116
UBB.threads Developer
UBB.threads Developer
Joined: Jun 2006
Posts: 16,292
Likes: 116
My previous post is the official patch from v8, I believe one of them exists in v7.7.5.


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!

Link Copied to Clipboard
ShoutChat
Comment Guidelines: Do post respectful and insightful comments. Don't flame, hate, spam.
Recent Topics
spam issues
by ECNet - 03/19/2024 11:45 PM
Looking for a forum
by azr - 03/15/2024 11:26 PM
Editing Links in Post
by Outdoorking - 03/15/2024 9:31 AM
Question on barkrowler and the like
by Mors - 02/29/2024 6:51 PM
Member Permissions Help
by domspeak - 02/27/2024 6:31 PM
Who's Online Now
1 members (Ruben), 476 guests, and 111 robots.
Key: Admin, Global Mod, Mod
Random Gallery Image
Latest Gallery Images
Los Angeles
Los Angeles
by isaac, August 6
3D Creations
3D Creations
by JAISP, December 30
Artistic structures
Artistic structures
by isaac, August 29
Stones
Stones
by isaac, August 19
Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20230217)