Snitz Forums 2000
 Lots of security bug in Snitz forum

cBacala
Starting Member

3 Posts

Posted - 17 January 2003 : 02:21:01
Hi all,
Current Snitz forum version has lots of security bug that normal hacker can attach and kill the forum in a minute. That's true. If you think that it's not true, I can prove it to you !

All bug comes from security feature name "SQL Injection". Hacker can inject some SQL code to execute very easy.

cBacala

Nathan
Help Moderator

USA
7664 Posts

Posted - 17 January 2003 : 02:47:34
The Snitz team have been very careful to design code that prevents SQL injections. There is only one known security vulnerability in the current forum. You will find the fix for that bug here as well as in the security related bug fixes forum.

If you know of any other specific places that Snitz is vulnerable to SQL injections please send an email detailing the problem to Richard Kinser.

Thank you for your interest in the security of Snitz Forums 2000.

Nathan Bales

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 17 January 2003 : 03:06:56
since when is "SQL Injection" a security feature?

how are you going to "attach" the forum?

what is a "normal hacker"?

how do you "kill" something that isn't alive?

Nathan
Help Moderator

USA
7664 Posts

Posted - 17 January 2003 : 03:27:35
Richard, I believe cBacala doesn't speak English fluently. In such a case, those grammatical/word use mistakes are perfectly reasonable.

Nathan Bales

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 17 January 2003 : 03:32:27
and you think coming on here and posting "Lots of security bugs in Snitz forum" is reasonable? Especially without any proof whatsoever?

seahorse
Senior Member

USA
1075 Posts

Posted - 17 January 2003 : 03:40:51
cBacala,

You aren't the first person who has brought up the SQL injection issue.

Have you tried your attack against a test v3.4 forum yet or is this a theoretical vulnerability?

I'm sure that if you could email Richard with an SQL injection exploit that can "kill" the forum, he would be more likely to believe that a security bug exists.


Ken
===============
Worldwide Partner Group
Microsoft

cBacala
Starting Member

3 Posts

Posted - 17 January 2003 : 03:51:03
I am not a hacker. I use snitz forum v4.3 (lasted) and found these bug.
Do you want me to kill some thing in this forum to prove that ?

Some thing I can do:
- Become Administrator
- Delete all forum topic
- . . .

Edited by - cBacala on 17 January 2003 03:57:00

OneWayMule
Dev. Team Member & Support Moderator

Austria
4969 Posts

Posted - 17 January 2003 : 03:59:45
That would help no one.
But, as Nathan said above, you could help to improve Snitz Forums and send Richard Kinser all info about this bug.


makumbeiro
Starting Member

23 Posts

Posted - 17 January 2003 : 04:40:47
You are either against us or on our side. If you know something, send an email to Richard using the button in his post, and we will all appreciate your community spirit and your willingness to contribute to the integrity of Snitz and of forums in general. You don't need to "kill" something to "prove that," you need only send Richard an email--that would be the right and moral thing to do.

Otherwise, we will assume that you are either a hacker or a wannabe hacker.

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 17 January 2003 : 05:34:34
quote:
Originally posted by cBacala

I am not a hacker. I use snitz forum v4.3 (lasted) and found these bug.
Do you want me to kill some thing in this forum to prove that ?

Some thing I can do:
- Become Administrator
- Delete all forum topic
- . . .



If you think you can become an admin here, then do so, and if you think you can delete all the forums, then do that as well.

Deleted
deleted

4116 Posts

Posted - 17 January 2003 : 07:37:13
cBacala, you mention v4.3... Do you mean v4 beta 03 by that?

If so, as you can see it is NOT the latest version of Snitz Forums 2000. It is a BETA version for an internationalized version, NOT to be used in a production environment, except for testing purposes. v4beta03 was based on v3.3.03, which HAD those security related bugs. These bugs are corrected in v3.3.04 and v3.3.05, and we also coded the necessary changes to be downloaded. You can find these patches and download links here: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=16673

The latest version of Snitz Forums 2000 is v3.4.03 and has only one problem related to security, the fix of which can be found in the security bugs forum. The next international BETA, namely v4 beta 04, is under development and based on v3.4.03 with all known fixes applied.

Stop the WAR!