RaveD
Starting Member
7 Posts
Posted - 14 August 2009 : 13:46:47
A hacker has managed to bypass the approval process and create accounts for himself on my forum.
I am running 3.4.04 with the latest security fixes, except for the one just posted for pop_profile.asp, since it applies to 3.4.07 only.
My site is configured to require administrator approval; however, this hacker created several accounts and started posting immediately. I do not know how he bypassed the approval process.
Any suggestions?
ruirib
Snitz Forums Admin
Portugal
26364 Posts
RaveD
Starting Member
7 Posts
Posted - 14 August 2009 : 15:07:04
First it seemed he hacked an existing user's account and posted spam.
But then I disabled that account and found several more accounts were created and they posted spam.
It does not appear he gained admin access, or if he did, he did not cause any damage. It seems as if he found a way to bypass the approval process and activate his accounts immediately.
HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 14 August 2009 : 15:19:56
That sounds like some sort of SQL injection.
Do you have MODs installed? Do you have any other non-forum-related pages that share the database? Have you thought of upgrading to the latest version?
RaveD
Starting Member
7 Posts
Posted - 16 August 2009 : 11:27:28
quote: Originally posted by HuwR
That sounds like some sort of SQL injection.
Do you have MODs installed? Do you have any other non-forum-related pages that share the database? Have you thought of upgrading to the latest version?
Have a couple of MODs installed but frankly I don't remember which. It has been well over a year since I last updated the forum software. There are no other pages that share the database.
Is there a way to determine if it was an SQL attack vs. exploiting some Snitz vulnerability?
I would like to install the latest version but unfortunately do not have any spare time these days to maintain the software of this forum.
Jezmeister
Senior Member
United Kingdom
1141 Posts
Posted - 16 August 2009 : 19:43:45
A lot of bots are clever these days, email activation isn't enough to stop them on its own. Perhaps try turning on 'restrict registration' so that only you can activate accounts?
Of course, if they did hack an existing account then that is aside the issue, I'm just taking from a lack of certainty in your post that that may not have been the case! Also, if you haven't updated it in over a year then you can't be up to date on your security updates, although I have to admit I don't know if any recent ones would be vulnerable to something like that anyway.
RaveD
Starting Member
7 Posts
Posted - 16 August 2009 : 20:41:32
I do have restrict registration turned on.
Honestly it's been a while since I looked at the forum software, so I can't be sure if this is a MOD or a feature: when a new user registers, I must go to the "Approve pending members" page in order to approve the account. Once approved, the e-mail goes out to the user so they can activate their account.
The issue here is that several accounts were created without this approval process. So it seems like a security flaw being exploited.
AnonJr
Moderator
United States
5768 Posts
Posted - 16 August 2009 : 23:13:28
If it's been over a year since you last updated the forum software, then it could be any number of issues... or one of the MODs or some other page that uses the same database. Without knowing more about what has been done (MODs, et al.) it's hard to say.
HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 17 August 2009 : 02:15:51
quote: The issue here is that several accounts were created without this approval process. So it seems like a security flaw being exploited.
Which is why you should upgrade to the latest version.
RaveD
Starting Member
7 Posts
Posted - 18 August 2009 : 18:40:03
I wish it were so easy to upgrade ... it's been so long I forget what MODs are installed and I'm afraid it might take quite a while to straighten everything out.
I kept current with security updates so I thought I would be safe...
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 18 August 2009 : 18:55:38
Probably getting the server logs could allow you to find out the entry point and patch it, as an intermediate solution. Updating to the latest solution is, still, the recommended strategy. Better be safe than sorry.
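An added example of the log review ruirib suggests (this is not code from the thread or from Snitz): a small Python script that parses IIS W3C extended log lines, counts hits on pages a forum admin would watch, and flags clients whose decoded query strings look injection-like, so the requests around the time the unapproved accounts appeared can be pulled out for a closer look. The log excerpt is constructed; register.asp is an assumed page name (pop_profile.asp is the one named in the thread), and the SQL-keyword pattern is deliberately crude.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the thread); the #Fields: header drives parsing.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-08-13 22:01:10 10.0.0.5 GET /forum/default.asp - 80 - 198.51.100.7 Mozilla/4.0 200
2009-08-13 22:01:44 10.0.0.5 POST /forum/register.asp - 80 - 203.0.113.9 Mozilla/4.0 200
2009-08-13 22:02:03 10.0.0.5 GET /forum/pop_profile.asp id=5%27+or+1%3D1-- 80 - 203.0.113.9 Mozilla/4.0 500
2009-08-13 22:05:00 10.0.0.5 GET /forum/post.asp method=Topic&FORUM_ID=3 80 - 203.0.113.9 Mozilla/4.0 200
2009-08-13 22:06:12 10.0.0.5 GET /forum/pop_profile.asp mode=display&id=12 80 - 198.51.100.7 Mozilla/4.0 200
"""

# Pages to watch on a Snitz install: pop_profile.asp is the one named in the thread,
# register.asp is the registration page (assumed name); add any MOD pages you run.
WATCHED = ("register.asp", "pop_profile.asp")
# Crude injection indicators in a decoded query string: quote, statement separator,
# comment marker or SQL keyword. Expect false positives; review the hits by hand.
SQLI = re.compile(r"'|;|--|\b(union|select|insert|update|delete|exec)\b", re.I)

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def suspicious_clients(text):
    """Per client IP: watched-page hits, injection-looking requests and 5xx errors;
    only clients that both hit a watched page and sent an injection-like query are kept."""
    report = defaultdict(lambda: {"watched": 0, "sqli": [], "errors": 0})
    for r in parse_w3c(text):
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        query = unquote_plus(r.get("cs-uri-query", "-"))
        if stem.endswith(WATCHED):
            report[ip]["watched"] += 1
        if query != "-" and SQLI.search(query):
            report[ip]["sqli"].append(f'{r["date"]} {r["time"]} {stem}?{query}')
        if r.get("sc-status", "0").startswith("5"):
            report[ip]["errors"] += 1
    return {ip: v for ip, v in report.items() if v["watched"] and v["sqli"]}

if __name__ == "__main__":
    for ip, v in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {v['watched']} watched-page hits, {v['errors']} server errors")
        print("\n".join("    " + hit for hit in v["sqli"]))
```

Feed it the real log for the window when the first unapproved account was created; a client that registered, then probed a profile page with quotes or SQL keywords and collected 500 errors is the entry point to examine first.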
HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 19 August 2009 : 01:51:42
If you are all patched then there is even more reason to upgrade, since it may be a MOD at fault, not the Snitz base code.
AnonJr
Moderator
United States
5768 Posts
Posted - 19 August 2009 : 12:30:00
Or, as mentioned previously, a non-forum page that shares the same database....