Snitz Forums 2000
 Help: General / Classic ASP versions(v3.4.XX)
 Unauthorized Admin
Addicted2HD
Starting Member

21 Posts

Posted - 21 January 2008 : 14:21:49
Hi,

I had an unauthorized admin register this morning on version 3.4.06. Luckily the person who watches the board caught this before anything malicious was done, at least as far as we can tell. The only thing that was done was turn BB code off and HTML code on. This broke some links on the main forum page but all has been restored and the offending user has been locked out. The situation seems to be contained.

I have a couple of questions.

1. What can I do to make sure this situation is contained?

2. What can I do to ensure this doesn't happen again? I read another topic from June/August 2007 time frame that said version 3.4.03 had security issues that allowed such activity but I'm running the latest version I think.

TIA,
Scott

AnonJr
Moderator

United States
5768 Posts

Posted - 21 January 2008 : 14:25:35
Might check the sticky topics at the top of this forum...

quote:
Check the "Announcements: Security Related Bug Fixes" forum - and subscribe to it so you'll be notified of any other issues that pop up. This is probably a result of the issue that was patched on 1 Dec 2007.


Might want to read the rest of the topic too:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=66113

Edited by - AnonJr on 21 January 2008 14:26:26

Addicted2HD
Starting Member

21 Posts

Posted - 21 January 2008 : 14:29:11
Thanks for the reply. Of course after I submitted my post I saw the sticky for the "If you've been hacked recently" topic. I was trying to be efficient and do a search for what I was looking for information on and never saw the sticky until after I posted.

Security patch has been applied. Now I'll go check the other stuff out like the shut down message and other settings.

Thanks,
Scott

philwhite
Starting Member

Germany
47 Posts

Posted - 23 January 2008 : 22:22:47
I got hit last night and applied the patches, deleted the user and so on. One strange thing remains.

One Question. What is the JumpBoxChanged Application Variable? This was timestamped a few minutes after the hack. Having removed the iframe (yes, I had one), this has now changed to the current time.


Phil White

muzishun
Senior Member

United States
1079 Posts

Posted - 24 January 2008 : 00:59:07
There's a JumpBox application variable, but not a JumpBoxChanged (at least not in a base install). What's the value of that variable when you go to Forum Variables Information in the Admin Options, or does it still show up on the list?

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)

philwhite
Starting Member

Germany
47 Posts

Posted - 24 January 2008 : 07:21:35
Yes, it still shows up. It had a timestamp a few minutes after the member joined and now has a timestamp of the time I eliminated the iframe from the forum description.

I'm running 3.4.05 and as far as I'm aware (it's a long time ago), I only have the PM and IPGate mods installed over the top.

It's right at the end of the list along with "down" (lowercase) with a value of false and "DownMessage" with no contents.

It's used in inc_jump_to.asp, pop_delete.asp and post_info.asp.

Right at the start of inc_jump_to.asp there is the following code

if IsEmpty(Application(strCookieURL & "JumpBoxChanged")) then
	strJumpBoxChanged = Session(strCookieURL & "JumpBoxDate")
else
	strJumpBoxChanged = Application(strCookieURL & "JumpBoxChanged")
end if
if IsEmpty(Session(strCookieURL & "JumpBox")) or (strJumpBoxChanged > Session(strCookieURL & "JumpBoxDate")) then
	Dim strSelectBox
	if allAllowedForums = "" or isNull(allAllowedForums) then
...


In the other two files, there are several occurrences of

Application(strCookieURL & "JumpBoxChanged")= DateToStr(strForumTimeAdjust)

(2 in pop_delete and 6 in post_info)

These lines are in the original, unmodded distribution I picked up at the end of 2004, so I assume they are okay.


Phil White

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 24 January 2008 : 07:34:39
There's nothing to worry about.


Snitz 3.4 Readme | Like the support? Support Snitz too

philwhite
Starting Member

Germany
47 Posts

Posted - 24 January 2008 : 07:44:59
Thanks.

Phil White

cobrachen
Starting Member

48 Posts

Posted - 24 January 2008 : 12:52:35
A question:

If I turn on the feature that requires all new accounts to be activated before use, is it possible for a hacker to create an account without activation by using SQL injection or code?

Thanks.

muzishun
Senior Member

United States
1079 Posts

Posted - 24 January 2008 : 13:45:35
Hopefully not, considering that all values are/should be sanitized before interacting with the database. Of course, the occasional bug is found. If and when they are, just make sure to keep up to date with the latest fixes.

But to answer your question, yes it is possible (nobody can 100% guarantee bug-free software), but highly unlikely.

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)
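As an added illustration of the point made above (example code written for this page, not Snitz code; the `members` table, its column names, and the SHA-256 hashing are assumptions): a registration handler that builds its INSERT by string concatenation lets the submitted username override the `active` flag, so the attacker's account is usable without ever receiving an activation e-mail. The parameterised version stores the very same payload as an ordinary, still-inactive username, and the login check enforces `active = 1` as a second line of defence.

```python
import hashlib
import sqlite3

# Constructed schema for the example; not the real Snitz MEMBERS table.
SCHEMA = """
CREATE TABLE members (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL UNIQUE,
    pass_hash TEXT NOT NULL,
    active    INTEGER NOT NULL DEFAULT 0   -- 0 = awaiting e-mail activation
);
"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def pw_hash(password):
    # Plain SHA-256 is used only to keep the example short; use a slow KDF in real code.
    return hashlib.sha256(password.encode()).hexdigest()


def register_vulnerable(db, name, password):
    # The username is pasted straight into the SQL text: whatever the user
    # submits becomes part of the statement, including new VALUES entries.
    sql = (
        "INSERT INTO members (name, pass_hash, active) "
        f"VALUES ('{name}', '{pw_hash(password)}', 0)"
    )
    db.execute(sql)
    db.commit()


def register_safe(db, name, password):
    # Parameterised: the driver sends the username as data, never as SQL.
    db.execute(
        "INSERT INTO members (name, pass_hash, active) VALUES (?, ?, 0)",
        (name, pw_hash(password)),
    )
    db.commit()


def activate(db, name):
    # What the activation link would do after the e-mail round trip.
    db.execute("UPDATE members SET active = 1 WHERE name = ?", (name,))
    db.commit()


def can_login(db, name, password):
    # Activation is checked again at login, not only at registration time.
    row = db.execute(
        "SELECT 1 FROM members WHERE name = ? AND pass_hash = ? AND active = 1",
        (name, pw_hash(password)),
    ).fetchone()
    return row is not None


def injection_payload(wanted_name, wanted_password):
    # Closes the name literal, supplies the attacker's own hash and active = 1,
    # then comments out the rest of the original statement.
    return f"{wanted_name}', '{pw_hash(wanted_password)}', 1) -- "


def demo():
    payload = injection_payload("evil", "letmein")

    vuln = new_db()
    register_vulnerable(vuln, payload, "ignored")

    safe = new_db()
    register_safe(safe, payload, "ignored")
    register_safe(safe, "alice", "correct horse")
    before_activation = can_login(safe, "alice", "correct horse")
    activate(safe, "alice")

    return {
        "vulnerable_login_without_activation": can_login(vuln, "evil", "letmein"),
        "safe_login_without_activation": can_login(safe, "evil", "letmein"),
        "safe_stored_row": safe.execute(
            "SELECT name, active FROM members WHERE name = ?", (payload,)
        ).fetchone(),
        "alice_before_activation": before_activation,
        "alice_after_activation": can_login(safe, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Calling `demo()` shows the concatenated INSERT accepting the payload as a live, activated account, while the parameterised INSERT leaves it as an inactive row whose username is literally the injection string. Because `can_login` repeats the `active = 1` check, activation stays a useful layer even if some other bug lets a row be written, which is the sense in which it helps rather than replaces input handling.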

cobrachen
Starting Member

48 Posts

Posted - 24 January 2008 : 13:52:58
Thank you very much for your quick answers. I believe this feature can at least be one layer of detection to help with the whole security issue.

muzishun
Senior Member

United States
1079 Posts

Posted - 24 January 2008 : 14:49:08
You're welcome.

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)
Snitz Forums 2000 © 2000-2021 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07