Snitz Forums 2000
leak in pm_members.asp! (successful hack)
MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 02 January 2006 :  06:32:41
quote:
Originally posted by HuwR

remove the part about dbsfiles, not sure why that was added to be honest, it is not in my original file.

Done!
quote:
Originally posted by HuwR

I would then add some extra checks in uploadengine.asp to make sure it is not being fired from a remote machine

Not sure how to do that....?

quote:
Originally posted by HuwR

you could also remove script permissions in IIS from any directories that can be uploaded to, that way even if they do upload a script they won't be able to execute it

Good tip ; will forward that one to my host (sr_erick).

portfolio - linkshrinker - oxle - twitter

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 02 January 2006 :  06:50:08
you could add a check to ensure that http_referrer was oxle.com, but that would be a problem for people using NIS, or add some asp code to your pop_upload.asp that writes a cookie and then check the cookie value in uploadengine (obviously don't make this new code publicly available)
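HuwR's cookie idea above, worked through as an added example (my code, not Snitz's and not HuwR's). It goes one step further than a fixed cookie value: the form page (pop_upload.asp in the thread) hands out a random token bound to the visitor's server-side session, and the upload handler (uploadengine.asp) refuses any request that does not return it, so nothing in the code needs to stay secret. A tolerant Referer check is kept as a secondary filter because, as HuwR notes, some client software strips the header. The dict standing in for ASP's Session object, the function names, the session key and the allowed host set are assumptions for this demo.

```python
# Added example, not code from Snitz or from this thread. Models the
# pop_upload.asp -> uploadengine.asp hand-off with a per-request token kept
# in a server-side session, plus a lenient Referer check. The "session" is a
# plain dict standing in for ASP's Session object (assumption for the demo).
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

UPLOAD_TOKEN_KEY = "upload_token"   # session slot name, chosen for this demo


def issue_upload_token(session: dict) -> str:
    """Form page side (pop_upload.asp in the thread): mint a random token,
    store it in the visitor's session and return it so the page can embed it
    in the upload form (hidden field or cookie, as HuwR suggests)."""
    token = secrets.token_urlsafe(32)
    session[UPLOAD_TOKEN_KEY] = token
    return token


def verify_upload_request(session: dict, submitted: Optional[str]) -> bool:
    """Upload handler side (uploadengine.asp): accept the request only when
    the session holds a token and the submitted value equals it. The token is
    removed on every attempt, so a captured value cannot be replayed."""
    expected = session.pop(UPLOAD_TOKEN_KEY, None)
    if expected is None or submitted is None:
        return False
    # constant-time comparison so the check does not leak the token via timing
    return hmac.compare_digest(expected.encode(), submitted.encode())


def referer_is_acceptable(referer: Optional[str], allowed_hosts) -> bool:
    """Secondary check only. A missing Referer is tolerated because privacy
    and 'internet security' products strip it (HuwR's NIS remark); a Referer
    that is present but names a foreign host is rejected."""
    if not referer:
        return True
    host = (urlsplit(referer).hostname or "").lower()
    return host in allowed_hosts


def handle_upload(session: dict, form: dict, headers: dict, allowed_hosts) -> str:
    """Header check first, token check second; no upload work happens unless
    both pass."""
    if not referer_is_acceptable(headers.get("Referer"), allowed_hosts):
        return "rejected: foreign referer"
    if not verify_upload_request(session, form.get("upload_token")):
        return "rejected: missing or wrong token"
    return "accepted"


def simulate() -> dict:
    """Three constructed requests against one visitor's session."""
    allowed = {"oxle.com"}          # the host named in the thread
    session = {}
    results = {}

    # 1. the normal flow: the form page ran first and handed out a token
    token = issue_upload_token(session)
    results["legitimate"] = handle_upload(
        session, {"upload_token": token},
        {"Referer": "http://oxle.com/pop_upload.asp"}, allowed)

    # 2. the same token sent again: already consumed
    results["replay"] = handle_upload(
        session, {"upload_token": token},
        {"Referer": "http://oxle.com/pop_upload.asp"}, allowed)

    # 3. a request that never loaded the form (no token, no Referer)
    results["direct"] = handle_upload({}, {}, {}, allowed)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The token is what actually decides; the Referer test only discards the obvious cross-site cases and deliberately lets a blank header through, which is why it must never be the only check. HuwR's other advice, removing script permissions from upload directories in IIS, still applies on top of this, since it limits what an upload can do even if the handler is tricked.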

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 02 January 2006 :  07:56:57
I'm still not entirely sure that pop_upload.asp had the leak they used to reset the password....I simply cannot figure out how they did it....grrr

Anyway, I mailed you a link to my logfile.

portfolio - linkshrinker - oxle - twitter

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 02 January 2006 :  08:11:28
He also tried this sql injection:
pm_members.asp (private messages)
	strSql = strSql & " WHERE " & strMemberTablePrefix & "MEMBERS.M_NAME LIKE '" & Request("M_NAME") & "%' "

portfolio - linkshrinker - oxle - twitter

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 02 January 2006 :  08:23:41
Update ; it looks like the last file exploited before the successful password reset was pm_members.asp.....

portfolio - linkshrinker - oxle - twitter

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 02 January 2006 :  14:00:36
I 'patched' my board using the following steps:
  1. changed the Session(strCookieURL & "Approval") thing (config.asp, and all pages that use it)

  2. installed IP gate, and blocked the subnet used by this hacker.

  3. changed pm_members.asp and pop_upload.asp to only be accessible for registered members.

  4. changed pm_members.asp and pm_pop_members.asp (replaced all instances of Request("M_NAME") by ChkString(Request("M_NAME"), "SQLString"))

portfolio - linkshrinker - oxle - twitter

Edited by - MarcelG on 02 January 2006 14:29:26

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 02 January 2006 :  14:32:16
BTW ; perhaps it's just me, but the private messages mod I'm using has almost no checks for SQL injections....

portfolio - linkshrinker - oxle - twitter

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 02 January 2006 :  14:39:21
just emailed you to say it was pm_members not pop_upload that was your leak, sorry been out all day and only just got your emailed log

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 02 January 2006 :  14:56:23
quote:
Originally posted by HuwR

just emailed you to say it was pm_members not pop_upload that was your leak, sorry been out all day and only just got your emailed log

No problem. I discovered that myself too, the hard way.
The Private Messages mod requires a lot of manual patching....

portfolio - linkshrinker - oxle - twitter

Ranko
Junior Member

400 Posts

Posted - 03 January 2006 :  08:35:46
quote:
Originally posted by MarcelG

Well, I just changed all instances of the "15916941253" thing, and removed all files that have that string in them from the source-viewer page (so that for future referral, the hacker cannot look it up.)

I haven't made any changes to pop_upload.asp and uploadengine.asp yet...


Do you have a list of files where that needs to be changed?

Ditto for

quote:
changed the Session(strCookieURL & "Approval") thing (config.asp, and all pages that use it)


And do you have a list of stuff you had to change in PM mod?

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 03 January 2006 :  08:41:52
Ranko,

the main thing is to fix the leaks in the PM Mod; that is how they got into MarcelG's admin account. Changing the Session(strCookieURL & "Approval") is not strictly necessary, but obviously adds an extra degree of security to the forum if someone tries to spoof the http headers.

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 03 January 2006 :  09:04:11
quote:
Originally posted by Ranko
Do you have a list of files where that needs to be changed?

Nope ; I used BK ReplaceEM (freeware find&replace tool), to find and replace all instances of 15916941253 by another 11-digit number.
I then re-uploaded all files in the forumdirectory.
quote:
And do you have a list of stuff you had to change in PM mod?

Well, I haven't got a list yet, but what I did was find all instances of request( and request.form( and made sure their values were passed through the chkstring function, as SQLString.

portfolio - linkshrinker - oxle - twitter

Edited by - MarcelG on 03 January 2006 09:04:33
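The vulnerable line MarcelG quoted from pm_members.asp, the ChkString(..., "SQLString") replacement from his patch list, and the "every request( value through chkstring" rule he describes in this post, carried through as an added example (my code, not Snitz's). It rebuilds the LIKE filter over a small constructed SQLite members table, shows how a single quote in the value changes the statement, and checks two fixes side by side: a function that imitates the quote-doubling of ChkString's SQLString mode (an assumption about that mode's behaviour; the real function does more than this) and a parameterized query, which is the stronger option wherever the data access layer supports it. The table name FORUM_MEMBERS (taken as the stock expansion of strMemberTablePrefix & "MEMBERS"), the MEMBER_ID column and the member rows are constructed for the demo.

```python
# Added example, not Snitz code. Rebuilds the pm_members.asp filter from the
# thread over a small constructed SQLite table and contrasts the raw
# concatenation with two fixes. FORUM_MEMBERS / M_NAME follow the snippet
# (table prefix assumed to be the stock one); the rows are made up.
import sqlite3
from typing import Dict, List, Union

SAMPLE_MEMBERS = ["marcelg", "huwr", "ranko", "o'brien"]   # constructed


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FORUM_MEMBERS (MEMBER_ID INTEGER PRIMARY KEY, M_NAME TEXT)")
    conn.executemany("INSERT INTO FORUM_MEMBERS (M_NAME) VALUES (?)",
                     [(m,) for m in SAMPLE_MEMBERS])
    return conn


def chk_sqlstring(value: str) -> str:
    """Stand-in for ChkString(value, "SQLString"): double every single quote so
    the value cannot close the literal it is placed in (assumed behaviour)."""
    return value.replace("'", "''")


def unsafe_query(conn, m_name: str) -> List[str]:
    # the pattern from the thread: request value spliced straight into the SQL
    sql = ("SELECT M_NAME FROM FORUM_MEMBERS WHERE M_NAME LIKE '" + m_name + "%' "
           "ORDER BY MEMBER_ID")
    return [row[0] for row in conn.execute(sql)]


def escaped_query(conn, m_name: str) -> List[str]:
    # MarcelG's fix: same concatenation, value passed through ChkString first
    sql = ("SELECT M_NAME FROM FORUM_MEMBERS WHERE M_NAME LIKE '"
           + chk_sqlstring(m_name) + "%' ORDER BY MEMBER_ID")
    return [row[0] for row in conn.execute(sql)]


def parameterized_query(conn, m_name: str) -> List[str]:
    # preferred fix: the value is bound as data and never becomes SQL text
    sql = "SELECT M_NAME FROM FORUM_MEMBERS WHERE M_NAME LIKE ? ORDER BY MEMBER_ID"
    return [row[0] for row in conn.execute(sql, (m_name + "%",))]


def compare(m_name: str) -> Dict[str, Union[List[str], str]]:
    """Run one M_NAME value through all three builders and collect what each
    returns; a SQL error from the unsafe builder is reported as a string."""
    conn = make_db()
    out: Dict[str, Union[List[str], str]] = {}
    try:
        out["unsafe"] = unsafe_query(conn, m_name)
    except sqlite3.OperationalError as exc:
        out["unsafe"] = "sql error: " + str(exc)
    out["escaped"] = escaped_query(conn, m_name)
    out["parameterized"] = parameterized_query(conn, m_name)
    return out


if __name__ == "__main__":
    # an ordinary prefix search, a legitimate name containing a quote, and a
    # value whose quote closes the literal early so the rest is read as SQL
    for value in ["ran", "o'brien", "' OR 1=1 OR M_NAME LIKE '"]:
        print(repr(value), compare(value))
```

Two things worth noticing when running it. The legitimate name with an apostrophe breaks the unsafe build outright, so this class of bug shows up in ordinary use, not only under attack, and a spike of SQL syntax errors in the IIS or application log is a cheap indicator to watch for. And `%` and `_` inside the value remain LIKE wildcards under both fixes (compare("%") lists every member either way); that is a search-behaviour matter rather than injection, since the original line appends its own `%` for prefix matching, but it is worth knowing when you audit the remaining Request( and Request.Form( sites the way MarcelG describes.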

Ranko
Junior Member

400 Posts

Posted - 03 January 2006 :  17:05:49
quote:
Originally posted by HuwR
the main thing is to fix the leaks in the PM Mod; that is how they got into MarcelG's admin account. Changing the Session(strCookieURL & "Approval") is not strictly necessary, but obviously adds an extra degree of security to the forum if someone tries to spoof the http headers.


Well I am mostly asking for a nice list of stuff to patch up in the PM mod, as that is (I think) one of the more popular mods (according to SnitzBitz).

Ranko
Junior Member

400 Posts

Posted - 03 January 2006 :  17:07:39
BTW, is there any reason it is an 11 digit number, and would it hurt if I was to change it into a (wild example) 100 digit number?

golfmann
Junior Member

United States
450 Posts

Posted - 03 January 2006 :  21:22:57
Thanks both of you...
I've changed pm members and crossing fingers :)

Snitz Forums 2000 © 2000-2021 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07