Snitz Forums 2000
 F-Secure claims "silent"
SiSL
Average Member

Turkey
671 Posts

Posted - 29 December 2007 :  07:48:57
http://www.f-secure.com/weblog/archives/00001336.html

"but the web forum software had an unannounced security patch silently released by the vendor nine days ago" it says...

CHIP Online Forum

My Mods
Select All Code | Fix a vulnerability for your private messages | Avatar Categories W/ Avatar Gallery Mod | Complaint Manager
Admin Level Revisited | Merge Forums | No More Nested Quotes Mod

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 29 December 2007 :  08:02:47
quote:
[...]Not only was an improved fix recommended but there was also discussion that potential extensions to the forum might be vulnerable as well.

Turns out that's exactly what happened to us. While the main forum itself was patched it was the private messaging module that made the defacement possible. (Exploit code for this vulnerability is publicly available.) We have now patched that too, and have checked through all other extensions to ensure that they are okay, and as said, the server is up and running again.
Ehm... is this the 'normal' private messages mod? Perhaps Image can shed some light on this, as the guys at F-Secure are using Image Forums 2001.

I'm quite keen on finding out what leak is available in the PM mod.

portfolio - linkshrinker - oxle - twitter

Podge
Support Moderator

Ireland
3776 Posts

Posted - 29 December 2007 :  08:23:01
Same here.

Podge.

The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)

My Mods: CAPTCHA Mod | GateKeeper Mod
Tutorial: Enable subscriptions on your board

Warning: The post above or below may contain nuts.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 29 December 2007 :  08:33:46
Maybe F-Secure needs to subscribe to the security announcements here... It was hardly silent, but they needed to be listening.


Snitz 3.4 Readme | Like the support? Support Snitz too

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 29 December 2007 :  08:40:54
Regarding the PM mod, it's quite easy to find leaks... just search for all Request statements and handle it from there.

The mods' issues are serious, because who is responsible for them? Who posts issues about them? We deal only with base code forums. Who tells us which mod version Image code uses? Image is so keen on bashing our code here, but just doesn't handle his own security fixes...


Snitz 3.4 Readme | Like the support? Support Snitz too

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 29 December 2007 :  09:16:21
Mmmm, I recall that oxle was hacked some time ago, also via the PM mod... I think I triple-checked all request statements back then, but I'll start over again... just to be sure.

Just wondering: isn't there a piece of software that can perform this task? Simply checking the source code and checking for leaks...?

portfolio - linkshrinker - oxle - twitter

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 29 December 2007 :  09:19:06
I don't know of any code that does this; I do it manually.

Check the discussion on the Dev Team forum.


Snitz 3.4 Readme | Like the support? Support Snitz too
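ruirib's audit recipe above ("search for all Request statements and handle it from there") and MarcelG's question about a tool that does it can be combined in a small static check. The script below is an added example written for this thread, not Snitz or Image Forums code and not anything the Dev Team published: it lists every `Request(...)`, `Request.QueryString(...)`, `Request.Form(...)` and `Request.Cookies(...)` read in a classic ASP file, then flags the reads that reach a SQL string or `Response.Write` without passing through a numeric coercion (`CLng`/`CInt`) or a string filter. The filter name `chkString` is a hypothetical placeholder for whatever filter a given mod uses, the single-hop taint propagation is deliberately simple (one variable assignment, no control flow), and the ASP fragment in `SAMPLE_ASP` is constructed to exercise the checks rather than taken from any real PM mod.

```python
"""Static check for classic ASP: list every Request() read and flag the
ones that reach a SQL string or Response.Write without validation.
Added example for this thread; not Snitz code. SAMPLE_ASP is constructed."""
import re

# Any of the classic ASP request collections, reading a quoted parameter name.
REQUEST_RE = re.compile(
    r'Request(?:\.(?:QueryString|Form|Cookies|ServerVariables))?'
    r'\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
# A string literal that opens a SQL statement.
SQL_RE = re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
# Simple VBScript assignment: "var = expression".
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+)$')
# Wrappers treated as validating the value. clng/cint coerce to a number;
# chkstring is a hypothetical project filter name, not a built-in.
SAFE_WRAPPERS = ("clng(", "cint(", "chkstring(")

# Constructed sample, written to exercise each branch of the scanner.
SAMPLE_ASP = """\
<%
Dim strPmId, strTitle, strSql
strPmId = Request.QueryString("PM_ID")            ' read, no validation
strTitle = Request.Form("Title")                  ' read, no validation
lngUser = cLng(Request("MEMBER_ID"))              ' coerced to a number
strSql = "SELECT * FROM PM WHERE M_ID = " & strPmId
Response.Write strTitle
Response.Write Server.HTMLEncode(strTitle)
strSql2 = "DELETE FROM PM WHERE M_ID = " & lngUser
strSql3 = "SELECT * FROM PM WHERE M_ID = " & Request.QueryString("X")
%>
"""


def find_request_uses(source):
    """Every Request statement with the parameter name it reads:
    the manual search from the thread, as a list of (line, parameter)."""
    return [(n, m.group(1))
            for n, line in enumerate(source.splitlines(), 1)
            for m in REQUEST_RE.finditer(line)]


def _is_wrapped(rhs):
    """True when the whole right-hand side is inside a validating wrapper."""
    return rhs.strip().lower().startswith(SAFE_WRAPPERS)


def _refs_tainted(code, tainted):
    """Tainted variables referenced as whole words on this line."""
    return sorted(v for v in tainted
                  if re.search(r'\b%s\b' % re.escape(v), code))


def scan_asp(source):
    """Return (line, kind, detail) findings. kind is 'sql' for a request
    value concatenated into a SQL string, 'xss' for one written to the
    response without Server.HTMLEncode."""
    tainted = set()
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("'", 1)[0]      # drop trailing comment (naive)
        lower = code.lower()
        direct = bool(REQUEST_RE.search(code))
        refs = _refs_tainted(code, tainted)
        source_desc = ("Request value" if direct
                       else "tainted " + ", ".join(refs))
        if SQL_RE.search(code) and (direct or refs):
            findings.append((n, "sql", source_desc + " concatenated into SQL"))
        if ("response.write" in lower and "htmlencode" not in lower
                and (direct or refs)):
            findings.append((n, "xss", source_desc + " written unencoded"))
        m = ASSIGN_RE.match(code)
        if m:
            var, rhs = m.group(1), m.group(2)
            if (direct and not _is_wrapped(rhs)) or refs:
                tainted.add(var)          # taint flows into the variable
            else:
                tainted.discard(var)      # reassigned to a clean value
    return findings


if __name__ == "__main__":
    for n, param in find_request_uses(SAMPLE_ASP):
        print("line %2d reads Request parameter %s" % (n, param))
    for n, kind, detail in scan_asp(SAMPLE_ASP):
        print("line %2d [%s] %s" % (n, kind, detail))
```

Run against the sample, the scanner lists four `Request` reads and reports three findings: line 6 (`strPmId` into a `SELECT`), line 7 (`strTitle` written without encoding) and line 10 (a `Request.QueryString` call concatenated directly into SQL); the `cLng`-wrapped read on line 5 and the `Server.HTMLEncode` write on line 8 are left alone. It is a triage aid for the "search all Request statements" pass, not a replacement for reading each hit, since it understands neither control flow nor values passed through function calls.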