Snitz Forums 2000
 New Security related bug-fix - members.asp(v3.3.x)

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 24 April 2002 :  12:48:24
And to also voice my opinion, I think it is in good reason that we don't post the exploit here on the forums. Anyone who sees it posted here can just go to the Show Off Your Forums forum, pick a url to someone's forum and use the exploit.
How many Snitz users check these security sites for bugs in their forum? Compare that to how many of our Snitz users will know about the exploit if we posted it here. Those security sites are targeted mostly at hackers, so they can find out the latest security holes in the software. If we posted here, even a kid who is new to the web could use the exploit, knowing nothing about databases and asp. And it would reach a wider audience of users who know other users that use the Snitz forums. And it also would be unwise for us to post the exploit when we didn't release any official fix for it.

We have a general mailing list setup for users who don't visit the forum often. If you signed up to that list, you will be alerted of any security related fixes we release along with any other general announcements that we want to get across to our users. The link is in my signature.

This would have been avoided if that user didn't go telling the whole world about the exploit.

«------------------------------------------------------»
Want to know when the next version comes out,
as soon as possible? Join our Mailing Lists !

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 24 April 2002 :  12:49:19
You are absolutely right Richard. Anyone who really cared to help you would contact the Dev team to get a fix to the problem, instead of informing all the would-be hackers about the opportunities to really wreak havoc with other people's forums.

I cannot see what pleasure can come from compromising anyone else's forums. What sort of reward is that? They would get real appreciation if they helped avoid problems for people's sites. Like this they should only get our contempt.

-------------------------------------------------
Installation Guide | Do's and Dont's | MODs

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 24 April 2002 :  12:55:54
We've had a whole 334 people read the Security Bug-Fix for this particular fix.

At last count v3.3.03 has been downloaded 114,759 times.

That's a pretty big difference.

Hamlin
Advanced Member

United Kingdom
2386 Posts

Posted - 24 April 2002 :  13:41:55
quote:

Out of respect for those who haven't applied the fix yet, I'd really rather not advertise how to exploit this bug.



but there is a direct link on how to do this here...

http://forum.snitz.com/forum/topic.asp?whichpage=1&TOPIC_ID=26632

.:: Brother Beyond::.

work mule
Senior Member

USA
1358 Posts

Posted - 24 April 2002 :  15:19:13
[Warning - This is a classic Work Mule post which means it's quite lengthy and may not have a point to it. If you have a short attention span then move on and spare yourself, I'll understand.]

For anyone who programs web applications, it's a challenging life I must say. Not only do we have the challenge of writing something that works the way it's intended to, but we also have to be thinking of how to "break" or "exploit" our own code at the same time. I don't know about the rest of you, but I have all I can do with just making things work.

Even after a couple of years of doing this stuff, I'm still learning new things all the time. I guess I was somewhat aware of this sort of thing, but seeing the exploit in action is different from just reading about it. (seeing is believing) While part of me was in the "oh crap" mode, a part of me was in the "oh wow, didn't know you could do that" mode. So now guess what?! My head is spinning from thinking about all the past things I've written and currently have in production. Asking myself, what else is vulnerable to this sort of thing.

quote:

Those security sites are targeted mostly at hackers, so they can find out the latest security holes in the software.



I don't want to turn this into a discussion about hacking, but I will say this. As a developer, you have to be aware of things like this. When you get down to it, it's not just about Snitz, but any application you build/use. The worst thing any web developer can do is be oblivious to this sort of thing. You can't think that because you don't know (or want to know about it) you won't be affected by it.

quote:

Anyone who really cared to help you would contact the Dev team to get a fix to the problem, instead of informing all the would-be hackers about the opportunities to really wreak havoc with other people's forums.



Makes me think of an article I just read this morning, where they quoted Kevin Mitnick (infamous hacker of years past):
"The more serious problem is people who find a hole and keep it to themselves," says Mitnick. "That's what I used to do. Back in my day, it wasn't about the prestige you got for finding a hole. It was what you could do with it."

quote:

We have a general mailing list setup for users who don't visit the forum often.



I signed up on a mailing list for Snitz when I first started using Snitz and I never received any mail from it. This might be a new list you're referring to, but if I haven't visited, how would I know I need to join a new list.

quote:

If you signed up to that list, you will be alerted of any security related fixes we release along with any other general announcements that we want to get across to our users.



Unfortunately, I think there's a misconception among people that once you download/install an application that unless you encounter any problems as a user, you don't need to support or maintain it. Install and walk-away mentality. Look at all the webservers that are still vulnerable to exploits known for years. It's a shame.

Anyways...

I do agree that we don't want every visitor to Snitz to see the details of the exploit. This is understandable. However being not only a user, but someone who has done serious modifications to it and released a few mods in the past, I'd like to know what the exploits are. MOD developers who aren't familiar with the exploits could unknowingly code something which is open to the exploit. While MODs aren't part of the official download, it still reflects upon the product.

There are a lot of functions that are written and while some deal with the aesthetics, others deal with preventing exploits and malicious users from doing damage. I would guess that there are a lot of people who don't know why certain functions exist. So when they should be using a function, they don't and thus open a hole.

While I'm sure that details of exploits like this are probably discussed in the developers forums for the official developers, there's still a lot of MOD developers who should/need to also be informed. I'd like to think that a private forum for known/established MOD developers where stuff like this could be discussed would be helpful.


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 24 April 2002 :  15:54:16
I did send out a notice to the sf2k-general List.

There are currently 458 members to that list. If you want, you can e-mail me the address you used to sign up and I can check and make sure you are still signed up.

You should also be able to access the mailarchives here:

https://sourceforge.net/mailarchive/forum.php?forum_id=1062

speedway
New Member

88 Posts

Posted - 24 April 2002 :  17:28:43
quote:

sf2k-general List


That's how I found out about the update.

Just to clarify things, I did / do not want to know how to hack the forum, just wanted to test all was ok with the update I did.

Anyway, checked the sorting on the members page etc. and searching for members and of course logging in and logging out all is fine.

Thanks again.

Snitz V3.3
SQL Server 7
IIS4

acemi
Starting Member

16 Posts

Posted - 25 April 2002 :  08:14:13
quote:
If those people really wanted to help, then they would contact the authors about problems before posting to places like bugtraq.


I tried to contact you by posting a bug report to DEV Bug Reports (open) in this forum on 17th April but I couldn't get any response.

acemi


Leonhard
Starting Member

Germany
3 Posts

Posted - 25 April 2002 :  09:14:47
Hi,
I use v 3.3.03 and Access as database. I fixed "members.asp" as Richard wrote here and I inserted in "post.asp" on line#162 this as Richard wrote anywhere else:

if not(chkForumAccess(strRqForumID,MemberID)) then Go_Result "You do not have access to post to this forum" end if

I did it manually because I translated the code to German.

BUT I think bugs with closed forums and those forums which are reserved for listed users only are still alive:

You can duplicate the bug I mean this way: Login as Admin to a closed forum, reply to a message there, copy the URL and logout. After that copy the URL to your browser address field. You will now have access to the closed forum and the TOPIC REVIEW, too. I do not use closed forums but I tested it. I use only forums which are reserved for listed users and can duplicate this bug the same way.

Do you have any hint for me? Are there any other fixes to correct the bugs in post.asp or members.asp or somewhere else I described? I get mad of it!

Thank you in advance for your replies and hints to fix the bugs. Or didn't I fix all known bugs?

Please remember I have to replace all code manually as I translated parts of it into German.

cu
Leo

P.S. My version you'll find here:
http://www.band-unity.de/bands/forum



makumbeiro
Starting Member

23 Posts

Posted - 25 April 2002 :  11:20:48
I don't want to go off on a tangent here, but after installing the patch, I get the following error message from /members.asp:

quote:
Microsoft VBScript compilation error '800a03f4'

Expected 'If'

/forum/members.asp, line 59

if trim(chkString(Request.QueryString("method"),"SQLString")) <> "" then SortMethod = trim(chkString(Request.QueryString("method"),"SQLString"))end ifSearchName = trim(chkString(Request("M_NAME"),"SQLString"))if SearchName = "" then SearchName = trim(chkString(Request.Form("M_NAME"),"SQLString"))end if srchUName = trim(chkString(Request("UserName"),"SQLString"))srchFName = trim(chkString(Request("FirstName"),"SQLString"))srchLName = trim(chkString(Request("LastName"),"SQLString"))srchInitial = trim(chkString(Request("INITIAL"),"SQLString")) if IsNumeric(srchUName) <> True then srchUName = "1"if IsNumeric(srchFName) <> True then srchFName = "0"if IsNumeric(srchLName) <> True then srchLName = "0"if IsNumeric(srchInitial) <> True then srchInitial = "0" mypage = trim(chkString(request("whichpage"),"SQLString"))
----------------------------------------------------------------------------------------------------------------------------------------------------^


Did I miss anything???

maku



Edited by - makumbeiro on 25 April 2002 11:40:38

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 25 April 2002 :  12:37:49
quote:

quote:
If those people really wanted to help, then they would contact the authors about problems before posting to places like bugtraq.


I tried to contact you by posting a bug report to DEV Bug Reports (open) in this forum on 17th April but I couldn't get any response.

acemi


Seeing as how this is your first post here, I wonder how that is possible?

pweighill
Junior Member

United Kingdom
453 Posts

Posted - 25 April 2002 :  12:38:26
quote:

However being not only a user, but someone who has done serious modifications to it and released a few mods in the past, I'd like to know what the exploits are. MOD developers who aren't familiar with the exploits could unknowingly code something which is open to the exploit.



The main thing that all developers should remember is to validate all user input (and non user input parameters as well) to make sure they are valid before going anywhere near a database statement.

e.g. Make sure that all text is not longer than the size of the database field.
Check that dates are valid dates.
Check that number fields just contain numbers.
and so on.

Also, pass all strings that are going to be used in SQL statements through the chkString(strdata,"SQLString") function.

To make sure that numbers are numbers, you can do something like cdbl(strdata)

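The checks listed in the post above, as an added example that is not part of the original thread and is not Snitz code: one validator per input kind (text length, date, numeric ID), each run before the value is allowed near a SQL string. The helper names `CleanText`, `CleanDate` and `CleanId`, the field size 75 and the sample values are assumptions; the quote-doubling stands in for an escaping helper and is not the implementation of `chkString`. It runs as a `.vbs` file under `cscript`; in an ASP page the functions are unchanged and `WScript.Echo` becomes `Response.Write`.

```vbscript
Option Explicit
' Hypothetical helpers for illustration; not Snitz code.

' Text: reject input longer than the database field, then double single quotes.
' The quote-doubling is a stand-in for an escaping helper, not chkString itself.
Function CleanText(strData, lngMaxLen, ByRef strOut)
    CleanText = False
    strOut = Trim(strData & "")
    If Len(strOut) > lngMaxLen Then Exit Function
    strOut = Replace(strOut, "'", "''")
    CleanText = True
End Function

' Date: IsDate guards CDate, which raises a runtime error on bad input.
Function CleanDate(strData, ByRef dtOut)
    CleanDate = False
    If Not IsDate(strData) Then Exit Function
    dtOut = CDate(strData)
    CleanDate = True
End Function

' Numeric ID: digits only. IsNumeric also accepts "1e5" and "&H1F", and
' CLng/CDbl raise a type-mismatch error on non-numeric text, so test first.
Function CleanId(strData, ByRef lngOut)
    Dim re
    CleanId = False
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If Not re.Test(strData & "") Then Exit Function
    lngOut = CLng(strData)
    CleanId = True
End Function

' Constructed sample inputs, as they might arrive in a query string or form.
Dim s, id, txt, dt
For Each s In Array("42", "1e5", "&H1F", "12abc", "")
    If CleanId(s, id) Then
        WScript.Echo "id accepted: " & id
    Else
        WScript.Echo "id rejected: [" & s & "]"
    End If
Next
If CleanText("O'Brien", 75, txt) Then WScript.Echo "text for SQL: " & txt
If Not CleanText(String(80, "x"), 75, txt) Then WScript.Echo "text rejected: too long"
If Not CleanDate("31/02/2002", dt) Then WScript.Echo "date rejected: 31/02/2002"
```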

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 25 April 2002 :  12:53:35
quote:
Hi,
I use v 3.3.03 and Access as database. I fixed "members.asp" as Richard wrote here and I inserted in "post.asp" on line#162 this as Richard wrote anywhere else:

if not(chkForumAccess(strRqForumID,MemberID)) then Go_Result "You do not have access to post to this forum" end if

I did it manually because I translated the code to German.

BUT I think bugs with closed forums and those forums which are reserved for listed users only are still alive:

You can duplicate the bug I mean this way: Login as Admin to a closed forum, reply to a message there, copy the URL and logout. After that copy the URL to your browser address field. You will now have access to the closed forum and the TOPIC REVIEW, too. I do not use closed forums but I tested it. I use only forums which are reserved for listed users and can duplicate this bug the same way.

Do you have any hint for me? Are there any other fixes to correct the bugs in post.asp or members.asp or somewhere else I described? I get mad of it!

Thank you in advance for your replies and hints to fix the bugs. Or didn't I fix all known bugs?

Please remember I have to replace all code manually as I translated parts of it into German.

cu
Leo

P.S. My version you'll find here:
http://www.band-unity.de/bands/forum


This thread is meant to discuss the Bug Fix in members.asp.

The bug fix in post.asp that you are referring to is here:

http://forum.snitz.com/forum/topic.asp?ARCHIVE=true&TOPIC_ID=17599

Make sure that the code looks exactly like it does in that post (it should not all be on the same line, it should be on 3 different lines) and it should be placed right underneath that other code. If you still have problems, please post a new topic about it in the Help: General / Current Version forum.

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 25 April 2002 :  12:55:12
quote:

I don't want to go off on a tangent here, but after installing the patch, I get the following error message from /members.asp:

quote:
Microsoft VBScript compilation error '800a03f4'

Expected 'If'

/forum/members.asp, line 59

if trim(chkString(Request.QueryString("method"),"SQLString")) <> "" then SortMethod = trim(chkString(Request.QueryString("method"),"SQLString"))end ifSearchName = trim(chkString(Request("M_NAME"),"SQLString"))if SearchName = "" then SearchName = trim(chkString(Request.Form("M_NAME"),"SQLString"))end if srchUName = trim(chkString(Request("UserName"),"SQLString"))srchFName = trim(chkString(Request("FirstName"),"SQLString"))srchLName = trim(chkString(Request("LastName"),"SQLString"))srchInitial = trim(chkString(Request("INITIAL"),"SQLString")) if IsNumeric(srchUName) <> True then srchUName = "1"if IsNumeric(srchFName) <> True then srchFName = "0"if IsNumeric(srchLName) <> True then srchLName = "0"if IsNumeric(srchInitial) <> True then srchInitial = "0" mypage = trim(chkString(request("whichpage"),"SQLString"))
----------------------------------------------------------------------------------------------------------------------------------------------------^


Did I miss anything???


The code is all bunched up, which causes errors. In your file it needs to look exactly like the code does that you copy from here. (same spacing, same # of lines, etc...)

acemi
Starting Member

16 Posts

Posted - 25 April 2002 :  13:37:44
quote:
Seeing as how this is your first post here, I wonder how that is possible?


Because I used the nickname "Emrah" to post the bug report, but this post is not approved and now I can't see my post. Could you tell me why you deleted this post?

Snitz Forums 2000 © 2000-2021 Snitz™ Communications