#33126 01/30/2002 7:28 PM
Anonymous (Unregistered)
I'm a registered WWWThreads user, and received the e-mail message included at the bottom of this message. Not sure which forum is correct to ask this, but what's going on guys?

-rh

Date: 30 Jan 2002 23:13:03 -0000
To: henri@connection.se
Subject: huh? can u see me
From: info@threadsdev.com

Hello

Infopop admin's : I did help u to solve u'r UBBThreads bugs problems , &u promised me by license , but in fact u did not maintain u'r promise , and we don't need it !!
Because we already have all u'r customers License Number and password !! .

Have good one , and say huh?


CompuMe, RootExtractor
irc.dal.net : Channel : #root@localhost

#33127 01/30/2002 7:47 PM
Anonymous (Unregistered)
Currently we are in the process of terminating the mail processes running on ThreadsDev.com

At this time, it would appear that it's only the email info from threadsdev.com and not license or password information.

Thank you - we are working on the problem at this time.

Regards,

Brett Harris
Infopop Corporation

#33128 01/30/2002 8:29 PM
Anonymous (Unregistered)
I received one too.

So what does that mean? Our email information was obtained?

http://www.redhotsweeps.com - Best contest/sweepstakes site on the net.

#33129 01/30/2002 8:39 PM
Anonymous (Unregistered)
It appears that someone obtained your email information ONLY, from threadsdev.com.

The email is incorrect when it says that they got your license. It does not appear that it would have been possible for them to have obtained that information.

Thanks for your patience in this. As soon as we figure out what happened, we'll let you know.

Kristi Miller
Infopop Customer Support
Get Customer Support Here

#33130 01/30/2002 8:55 PM
Anonymous (Unregistered)
No, he did not find license information as he thought he did. We do not keep license information in a database someone can reach. He got an old email list of wwwthreads customers and sent an email to you all. That's all he got.

Here is how he did it and how you can protect yourself.

A: There was a problem in beta 1 of version 5.5 that disabled the upload file filters.

B: Threadsdev.com did not update their board.

C: This person used that lack of filters to upload a PHP script using the uploads feature to gain access to the config file. He then uploaded a MySQL manager and gained the userlist for the board.

What that got him: A list of usernames and email addresses. He did not get passwords, they are encrypted. He did not get license numbers.

Formerly when you bought a wwwthreads board Rick added your registration to his old support board automatically. Your email address was also added. This is the list he got. The old list of wwwthreads owners and the old email address list.

Please let me reassure you that passwords are encrypted in the database. They cannot be read. Let me also reassure you that at no time were your license numbers or Member Area passwords at risk. Contrary to this fellow's claims they are not kept on a server that has beta software living on it and public access.

How do you prevent such a thing?

If you are on UBBThreads 5.5 beta 1, update to 5.5. Make sure that if you have uploads enabled you are prohibiting .php, .php3, .phtml, .exe, .bat, .pl, and .cgi files from being uploaded.

We sincerely apologize to anyone that received this email.

Honor The Victims

#33131 01/30/2002 10:22 PM
Anonymous (Unregistered)
I got the same email.
>>There was a problem in beta 1 of version 5.5 that disabled the upload file filters.<<

I sent Scream a bug report about this very problem a month ago and he said he had fixed it in 5.5. This bug dates back to and is in effect in all, ALL, PHP versions of wwwthreads if you use the "do not allow these file types" filter. I sent in detailed info on this problem before the beta of 5.5 was released.
Problems like this, or I should say the lack of fixing problems like this, is the reason I switched to a different forum package.

Extreme VB Forums - Visual Basic Help

#33132 01/30/2002 11:09 PM
Anonymous (Unregistered)
It seems like you guys are minimizing what happened a bit. First of all, if they got a list of all of the email addresses of your users, they then have a great hit list of sites to go through and hack right?

Second, it seems pretty likely that this vulnerability affects more than the single version listed on your site.

Third, has anyone at infopop gone through and done a security audit of the code?

[This message was edited by lumpy on 30 Jan 02 at 07:24 PM.]

#33133 01/30/2002 11:24 PM
Anonymous (Unregistered)
Believe me, I am not trying to minimize this at all. What I am doing is trying to explain that, contrary to the email that was sent, this person does NOT have any license or password data.

I sincerely tried to explain what happened and how best to make sure it does not happen to you.

The audit is being done as part of the rework for UBBThreads 6.

Bob, I don't know what you sent to Rick before I got involved; all I can do is keep aware of issues that come to me and make sure they are taken care of.

Honor The Victims

#33134 01/30/2002 11:28 PM
Anonymous (Unregistered)
Yeah -- I can see what you're saying, and why you said it. However, with unix administration in my background I am curious about how you guys know the extent of their access.

From the description of the problem it sounds as though this remote user was able to run arbitrary user-level commands, and there are very few systems that will withstand a malicious local user. Infopop's software is a great example of that -- last I checked it required lots of loose permissions on files.


I'm not trying to be annoying here -- I am just concerned. For most sites, the standard reaction to system level compromises is to reinstall.

[This message was edited by lumpy on 30 Jan 02 at 07:37 PM.]

#33135 01/30/2002 11:49 PM
Anonymous (Unregistered)
Well, since I don't use wwwthreads and haven't for at least the last 3ish years, how about you purging my information from your databases? I don't really like the fact that something I don't even remember using years ago coming back to haunt me now.

http://www.redhotsweeps.com - Best contest/sweepstakes site on the net.

#33136 01/31/2002 12:01 AM
Anonymous (Unregistered)
Umm guys, I understand what is going on... However this is kind of very disturbing just knowing you all had this bug in your code... Ummm... I honestly have no idea what to say except you need to do a massive notification to ALL of your clients with a lot of details on what has happened and how this user did what he did and how to fix it. Cause this is really making me hesitant to use your PHP software anymore...

Billy S.

#33137 01/31/2002 12:03 AM
Anonymous (Unregistered)
Lumpy I understand your concern.

I know that their level of access did not reach the license info because it is not kept on that server, the server with the license doesn't allow connections outside of localhost, and there was no possible way he could have reached it. I don't store license information on a server that someone from outside my office has any access to. Threadsdev.com and other websites that we host are on their own server, entirely on their own. Even if he were to gain root he wouldn't get licenses. All that was on that server and available to be had was the user database from the old wwwthreads message board. We imported the users from Scream's old board into this one so Scream's old users would not have to reregister.

What it comes down to is that if you were once registered on Scream's old board you got an email.

How he did it? He uploaded a php script that read off the config.php.inc file, then uploaded a php mysql script and used the password from the conf file. From there he changed the password and logged into the admin area of the threads board. Then he emailed all of you folks and emptied the tables out.


How do we prevent it? We need to make sure that php, perl and other scripts don't get uploaded, that they can't be executed. We need to make sure everyone has that filter turned on and working. We need to find a way to make sure that the config script just cannot be read. You know the last part will be hard to do if it is even able to be done. The scripts themselves have to read this file in order to connect to the database.

Honor The Victims

#33138 01/31/2002 12:07 AM
Anonymous (Unregistered)
Chris, it got purged for us. [Frown]

Datal, I would love to, but see above. I have the list of current UBBThreads owners and will email them. However there were some 9 thousand people registered to that board. Many of them got the email but are not customers or have not updated their email addresses in our Member Area. I'll be sending word to everyone I can.

You can also be sure that once I get the threadsdev site back up and running there will be announcements made there as well.

Honor The Victims

#33139 01/31/2002 12:57 AM
Anonymous (Unregistered)
Hrmm..

How about instead of storing any file by a user supplied name, it is given a generated name and when linked to in the site, sent as a different filename based on an internal listing of user supplied name versus generated name?

The list you gave above will work on php3 and php, but what if the web server gets ".php4" as a valid extension added one day.. or ".php5" sometime in the future...

Battling the list of invalid extensions seems like the hard way to fight the battle.
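
The storage scheme proposed in the post above, written out as an added example (this is not UBBThreads code, nor code from anyone in this thread). Uploads are written outside the web root under random, extension-less names; the name the user supplied is kept only as data in a lookup table; and every download goes through a script that decides the headers itself. The STORE_DIR path, the `uploads` table layout, the function names and the request wiring at the end are my assumptions, and `$db` is assumed to be an already-connected PDO handle.

```php
<?php
// Added example, not UBBThreads code.  Random storage names + a lookup table
// + a download script, so no user-chosen filename is ever a path on disk or a
// URL the web server could hand to a PHP handler.  Requires PHP 7 or later.

const STORE_DIR = '/var/ubb_uploads';   // assumption: outside DocumentRoot, no script handler can reach it

/*
 * Assumed table (constructed for this example):
 *   CREATE TABLE uploads (id INT AUTO_INCREMENT PRIMARY KEY,
 *                         store_name CHAR(32) NOT NULL UNIQUE,
 *                         user_name  VARCHAR(255) NOT NULL);
 */

/** Accept an upload from $_FILES.  The storage name is random and has no
 *  extension; the user's name is a column value, never part of a path.
 *  Returns the new row id, which is the only thing a download URL carries. */
function store_upload(PDO $db, string $tmpPath, string $userName): int
{
    $storeName = bin2hex(random_bytes(16));            // 32 hex chars the uploader cannot choose
    $dest = STORE_DIR . '/' . $storeName;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);                                // readable by the web user, never executable
    $st = $db->prepare('INSERT INTO uploads (store_name, user_name) VALUES (?, ?)');
    $st->execute([$storeName, basename($userName)]);
    return (int) $db->lastInsertId();
}

/** download.php?id=N.  The only user input is an integer id; the path comes
 *  from the table.  Files whose bytes really are an image are sent inline
 *  with the type found by inspecting them, so they can still be linked from
 *  posts; everything else is forced to a download. */
function send_upload(PDO $db, int $id): void
{
    $st = $db->prepare('SELECT store_name, user_name FROM uploads WHERE id = ?');
    $st->execute([$id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }
    $path = STORE_DIR . '/' . $row['store_name'];
    // The browser gets a filename, but one reduced to a safe character set.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['user_name']);

    $img = @getimagesize($path);                       // array for real image bytes, false otherwise
    $inlineTypes = ['image/gif', 'image/jpeg', 'image/png'];
    if ($img !== false && in_array($img['mime'], $inlineTypes, true)) {
        header('Content-Type: ' . $img['mime']);
        header('Content-Disposition: inline; filename="' . $safeName . '"');
    } else {
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $safeName . '"');
    }
    header('X-Content-Type-Options: nosniff');          // stop the browser second-guessing the type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Assumed wiring in the post handler and in download.php:
//   $id = store_upload($db, $_FILES['userfile']['tmp_name'], $_FILES['userfile']['name']);
//   send_upload($db, (int) ($_GET['id'] ?? 0));
```

With this layout the extension list stops being the security boundary: a file called hack.php is stored as 32 hex characters with no extension, in a directory the web server does not serve, and is only ever streamed back with headers the script chose. An allow-list is still worth keeping as a first filter, but a missed extension no longer turns into code execution.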

#33140 01/31/2002 1:32 AM
Anonymous (Unregistered)
>>Bob I don't know what you sent to Rick before I got involved, all I can do is keep aware of issues that come to me and make sure they are taken care of.<<
David,
I sent an email and private message to Rick over at threadsdev. Rick's response was that he had just found the bug before I alerted him of it.
I gave a detailed explanation of what I was able to do to exploit this. If this person had a bit more knowledge of how to exploit this bug he could do far more than he did. In my test I was able to take complete control of a partners server after I tested it on mine. I wanted to make sure it just wasn't another bug with IIS.
Again, this bug exists in every version of php threads and if you allow uploads, your server can be compromised. The reading of the config file and getting data from mysql is just a small crack in the dam.

>>We need to find a way to make sure that the config script just cannot be read. You know the last part will be hard to do if it is even able to be done.<<
This is very simple and one of the first things I do when I use any script. All that has to be done is move the config file above the web root into a chroot jail. Then make sure your scripts run as a user that has read access.
Extreme VB Forums - Visual Basic Help

[This message was edited by Extrm Bob on 30 Jan 02 at 09:42 PM.]

#33141 01/31/2002 1:32 AM
R (Former Developer), Offline
Joined: Jun 2006, Posts: 9,242, Likes: 1
It's probably the best idea to use the allow option and only allow certain filetypes. I added the exclude option at user request but you are right in that you never know what new extension might become available that could cause major problems.

-------------------
Rick Baker
UBBThreads developer

#33142 01/31/2002 1:50 AM
Anonymous (Unregistered)
Especially when it comes to naming system files.
The only good solution is to make a download script that cross references the user supplied name with a generated one.

Ill try not to pollute this thread with anymore of this discussion, however.


> Originally posted by Rick Baker:
> It's probably the best idea to use the allow option and only allow certain filetypes. I added the exclude option at user request but you are right in that you never know what new extension might become available that could cause major problems.

#33143 01/31/2002 7:15 AM
Anonymous (Unregistered)
> Originally posted by David Dreezer:
> If you are on UBBThreads 5.5 beta 1, update to 5.5. Make sure that if you have uploads enabled you are prohibiting .php, .php3, .phtml, .exe, .bat, .pl, and .cgi files from being uploaded.

Why does the config have two lines, $config['excludefiles'] and $config['allowfiles']?
I think one line, $config['allowfiles'], is more than enough, and other file types should be forbidden by default.
I.e. if the administrator writes nothing in $config['allowfiles'], then no file upload is allowed at all.

Sorry for my English [Smile]

#33144 01/31/2002 10:27 AM
Anonymous (Unregistered)
Those are in two places - config.inc.php and doeditconfig.php

config.inc.php is line 485 and doeditconfig.php is line 324

Please consider restoring the defaults of

```php
// $config['excludefiles'] = ".php,.asp,.js,.vbs,.sht,.htm";
```

Regards,

Brett Harris
Infopop Corporation

#33145 01/31/2002 12:23 PM
R (Former Developer), Offline
Joined: Jun 2006, Posts: 9,242, Likes: 1
I am definitely all for removing the exclude files option and just going with allowfiles if everyone can live with it. It's definitely the safest way to go because, as discussed earlier, if you are using exclude files and your webhost adds some new extension that you don't know about, it could open up a new exploit. A good starting point for allowfiles would just be .txt,.gif,.jpg,.zip. Then you could add certain filetypes that you need to let people upload but won't cause security issues.

Lumpy, it's not necessarily the filename but the extension that causes the problem. Normally the extensions can't be changed because if they are things like .gif/.jpg files then people upload these so they can link to them from the message itself.

-------------------
Rick Baker
UBBThreads developer

#33146 01/31/2002 1:00 PM
Anonymous (Unregistered)
Quick question: Any particular reason for hosting www.threadsdev.com on the same machine that acts as a mail exchanger for infopop?

You should also consider that the attacker could login as any user, using the encrypted passwords from the database. I can't stress enough that this wouldn't have been possible if the passwords were not checked against values stored in cookies. The session method is the only way to go -- I posted an enhancement idea and some sample pseudocode (that covered exactly the topic of securing the login/administration process) on the threadsdev site, but that is history now.

Also, do you remember which are the default passwords (on this board) of the users imported from the wwwthreads database?


PS. I understand your explanation about reg numbers not being stored on threadsdev but I wonder how the public infopop web server is able to verify them when a registered user logs in to the 'members area'. This is not actually a question -- since I can think of a safe way of doing it -- but a reminder in the event that you haven't
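
The two login designs contrasted in the post above, as an added example (not UBBThreads code and not the pseudocode the poster refers to, which is not on this page). The first function is the pattern being warned about: the cookie carries the stored password hash and the server merely compares it with the database row, so anyone who has read the users table can forge a cookie for any account without knowing a password. The rest implements a server-side session instead. Table layouts, function names, the one-hour lifetime and the HTTPS assumption behind the `secure` flag are mine; `$db` is an already-connected PDO handle; `password_verify()` and the `setcookie()` options array need PHP 7.3 or later.

```php
<?php
// Added example, not UBBThreads code.  "Hash in the cookie" versus a
// server-side session.  Table names, column names and function names are
// assumptions made for this example.

/*
 * Assumed tables (constructed for this example):
 *   users    (id INT PRIMARY KEY, username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))
 *   sessions (sid CHAR(64) PRIMARY KEY, user_id INT, expires INT)
 */

/** The pattern to avoid.  The cookie holds username + stored hash, and the
 *  server only checks that the hash matches the row.  Whoever can read the
 *  users table can log in as anyone: a database dump is a set of credentials. */
function weak_cookie_login(PDO $db, string $cookieUser, string $cookieHash): bool
{
    $st = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $st->execute([$cookieUser]);
    $stored = $st->fetchColumn();
    return $stored !== false && hash_equals($stored, $cookieHash);
}

/** Session version: the password is verified once, a random session id is
 *  issued and stored server-side, and only that id travels in the cookie.
 *  The hash never leaves the server, so a dumped users table gives an
 *  attacker nothing to replay. Returns the session id, or null on failure. */
function login(PDO $db, string $username, string $password): ?string
{
    $st = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    $sid = bin2hex(random_bytes(32));                  // 256 bits from the CSPRNG, unguessable
    $st = $db->prepare('INSERT INTO sessions (sid, user_id, expires) VALUES (?, ?, ?)');
    $st->execute([$sid, $row['id'], time() + 3600]);
    setcookie('sid', $sid, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,      // assumption: the board is served over HTTPS
        'httponly' => true,      // keep the id away from script running in the page
        'samesite' => 'Lax',
    ]);
    return $sid;
}

/** Resolve a session cookie to a user id, or null.  Expired rows are ignored. */
function current_user(PDO $db, string $sid): ?int
{
    $st = $db->prepare('SELECT user_id FROM sessions WHERE sid = ? AND expires > ?');
    $st->execute([$sid, time()]);
    $uid = $st->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

/** Invalidate server-side; clearing the cookie alone would leave the id usable. */
function logout(PDO $db, string $sid): void
{
    $db->prepare('DELETE FROM sessions WHERE sid = ?')->execute([$sid]);
}

/** Drop every session of one user, e.g. after a password change or after an
 *  incident like the one in this thread, when the admin password was reset. */
function revoke_all(PDO $db, int $userId): void
{
    $db->prepare('DELETE FROM sessions WHERE user_id = ?')->execute([$userId]);
}
```

The difference that matters for this incident is what a leaked database buys the intruder: under the first scheme, every row of the users table; under the second, nothing, because the sessions table holds only random ids that expire and can be deleted, and the password hashes are never accepted as proof of identity.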

#33147 01/31/2002 1:39 PM
R (Former Developer), Offline
Joined: Jun 2006, Posts: 9,242, Likes: 1
Razvan,

I have the code that you posted stored on my server and I'm hoping to implement something similar for the 6.0 release.

-------------------
Rick Baker
UBBThreads developer

#33148 02/01/2002 4:11 AM
Anonymous (Unregistered)
The threadsdev.com server (Elvis is his name) isn't allowed to make any connections to the server with Member data. None, zero. [Smile]

Why is Elvis our mail exchanger? Why not? I have all of 20 people here. Why would I need or want to obtain a dedicated server just for 20 people to send mail?

Honor The Victims

#33149 01/31/2002 6:07 PM
Anonymous (Unregistered)
Hello,
Wow, threadsdev.com was jacked one day after I registered and decided to switch over from UBB. What a surprise.

Anyway, I was thinking of using UBBThreads because I was planning on providing members' personal home pages. In other words, I was planning to use PHP functions to create sub-domains and allow file uploads. However, after reading this thread, I don't think it'll ever be possible so long as I'm using UBBThreads, since it's PHP based and malicious users can upload another PHP script to read the UBBThreads config file.

#33150 01/31/2002 6:26 PM
Anonymous (Unregistered)
The actual product had little to do with it - the upload is an identical implementation to webspace, which you are planning on implementing if I can recall from your other thread.

The key is that with a *.php file in place and the correct inclination, bad things can happen. In this case the mechanism of action was the board, but in the case of webspace it would be something as simple as FTP...

Regards,

Brett Harris
Infopop Corporation

#33151 02/02/2002 2:06 PM
Anonymous (Unregistered)
Anybody else who noticed an intrusion into his ubbthreads installation lately? I thought I had disabled the upload of executables, but maybe I once overwrote the config file with an older one.

Anyway, two days ago somebody uploaded a .php file which outputs the config.inc.php file. So he had the database user and password. It seems like he didn't do anything harmful. I just wondered if he was somebody from my community who knows about programming and ubbthreads (relatively improbable) or somebody who knows ubbthreads and searched for vulnerable installations.

nòóx
_____________________
www.dh-rangers.com, www.downhill-board.com

#33152 02/03/2002 4:47 AM
Anonymous (Unregistered)
Please re-read the posts on this thread carefully, we noted that uploads pose a threat anytime they are uploaded and I noted the file names and line numbers where you can replace the stock filter to prevent that kind of trouble.

Thanks!

Regards,

Brett Harris
Infopop Corporation

#33153 02/03/2002 5:11 PM
Anonymous (Unregistered)
It would be fine if such dangerous vulnerabilities were mailed to the webmasters so that they all become aware of them, even if they do not read all the posts on the UBBThreads forums. Or maybe somebody could create a site where these problems are listed and explained and where bugfixes are provided. (Maybe not that good, because it's a good resource for possible hackers.)

Why do I want this? I thought I had secured my board by using only the $config[allowfiles] option with safe extensions. But now I discovered that at least my 5.4.1 installation has another upload bug. And I did not find anything about it on the forums, although I cannot imagine that this hasn't been discussed yet.

The problem is that in addpost.php it is only checked if the uploaded file contains one of the allowed fileextensions, not if it ends with them!

So it's still possible to upload a file like hack.txt.php if you added ".txt" in $config[allowfiles].

```php
// Let's see if we want this type of file
if ( ($userfile != "none") && ($userfile) ){
    if ($config[allowfiles]) {
        $checkfile = str_replace(",","|",$config[allowfiles]);
        // 5.4.1: the allow list becomes an unanchored pattern, so a name that
        // merely contains ".txt" anywhere (hack.txt.php) gets through
        if (!eregi($checkfile,$userfile_name)) {
            $html -> not_right("$lang[FILESALLOWED]: $config[allowfiles]",$Cat);
        }
    }
    // ... rest of the upload handling in addpost.php
}
```

I'm no regular expression expert, but replacing the line with the eregi( ) with the following line worked for me:

```php
        // anchor the pattern to the end of the filename
        if (!preg_match ('/(' . $checkfile . ')$/i',$userfile_name)) {
```

Again: Please note that this is in my 5.4.1 version. So I do not know how this is handled in newer versions.

nòóx
_____________________
www.dh-rangers.com, www.downhill-board.com
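
The filename checks discussed in this thread side by side, as an added example that is not UBBThreads code: the exclude-list approach the developer proposes dropping (the ".php4 some day" problem raised earlier), the unanchored 5.4.1 check and the anchored fix from the post above, and an allow-list comparison done as an exact string match rather than a pattern. The list formats are the ones used in this thread for $config['excludefiles'] and $config['allowfiles']; the function names and the sample filenames are mine.

```php
<?php
// Added example, not UBBThreads code.  Four ways of deciding whether an
// uploaded filename is acceptable, from the weakest to the one to use.
// Requires PHP 7 or later.

/** Normalise a comma-separated extension list to trimmed, lower-case entries. */
function ext_list(string $list): array
{
    $parts = array_filter(explode(',', $list), 'strlen');   // drop empty entries from stray commas
    return array_map('strtolower', array_map('trim', $parts));
}

/** Exclude-list style (what the thread moves away from): everything not named
 *  is allowed, so an extension the host enables later, such as .phtml or
 *  .php4, is accepted without anyone changing the config. */
function allowed_by_excludelist(string $name, string $excludefiles): bool
{
    $ext = strtolower((string) strrchr(basename($name), '.'));   // "" when there is no dot
    return !in_array($ext, ext_list($excludefiles), true);
}

/** The 5.4.1 check from the post above: an unanchored regex built from the
 *  allow list.  The match may sit anywhere in the name and the unescaped "."
 *  is a wildcard, so "hack.txt.php" and "shell.phpxtxt" both pass. */
function allowed_unanchored(string $name, string $allowfiles): bool
{
    return preg_match('/' . str_replace(',', '|', $allowfiles) . '/i', $name) === 1;
}

/** The poster's fix: anchored at the end of the name.  "hack.txt.php" now
 *  fails, but the dot is still a wildcard ("shell.phpxtxt" passes as ".txt"),
 *  and "hack.php.txt" passes while still carrying a .php component, which
 *  Apache setups that map PHP with AddHandler (rather than a FilesMatch on
 *  the final extension) treat as PHP whatever the last extension is. */
function allowed_anchored(string $name, string $allowfiles): bool
{
    return preg_match('/(' . str_replace(',', '|', $allowfiles) . ')$/i', $name) === 1;
}

/** Allow-list only, compared exactly: strip any path, refuse dotfiles, require
 *  a single dot so no second extension rides along, and compare the extension
 *  as a string, not a pattern.  An empty list allows nothing, which is the
 *  default argued for earlier in the thread. */
function allowed_strict(string $name, string $allowfiles): bool
{
    $base = basename($name);
    if ($allowfiles === '' || $base === '' || $base[0] === '.' || substr_count($base, '.') !== 1) {
        return false;
    }
    $ext = strtolower(strrchr($base, '.'));
    return in_array($ext, ext_list($allowfiles), true);
}

// Constructed sample names; the lists are the defaults quoted in this thread.
$allow   = '.txt,.gif,.jpg,.zip';
$exclude = '.php,.asp,.js,.vbs,.sht,.htm';
printf("%-15s %-8s %-11s %-9s %s\n", 'name', 'exclude', 'unanchored', 'anchored', 'strict');
foreach (['notes.txt', 'photo.JPG', 'hack.txt.php', 'hack.php.txt', 'shell.phpxtxt', 'cmd.phtml', '.htaccess'] as $n) {
    printf("%-15s %-8d %-11d %-9d %d\n", $n,
        allowed_by_excludelist($n, $exclude),
        allowed_unanchored($n, $allow),
        allowed_anchored($n, $allow),
        allowed_strict($n, $allow));
}
```

Run it and compare the columns: only the strict check rejects every one of hack.txt.php, hack.php.txt, shell.phpxtxt and cmd.phtml while still accepting notes.txt and photo.JPG, and it does so without any knowledge of which extensions the web server happens to execute. The exclude list is the only one that lets cmd.phtml through, which is exactly the "new extension added one day" case raised earlier. Whatever check is used, the fix only matters if the upload directory cannot hand files to a script handler at all; the extension test is a filter, not the boundary.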

#33154 02/03/2002 5:37 PM
R (Former Developer), Offline
Joined: Jun 2006, Posts: 9,242, Likes: 1
Yes, this has been fixed in the 5.5 version. Also there is a post in the info board concerning the actual bugfix:

Check this thread

-------------------
Rick Baker
UBBThreads developer

#33155 02/03/2002 5:47 PM
Anonymous (Unregistered)
Oh, sorry. Missed that one. I only searched accurately on Threadsdev. Thought this bug was discovered earlier. [Big Grin]

nòóx
_____________________
www.dh-rangers.com, www.downhill-board.com

