Author |
Topic |
mcse007
New Member
USA
66 Posts |
Posted - 24 May 2001 : 10:23:00
|
I think this guy was able to read your database. Do you have your database inside or outside the site directory? I am assuming you're using Access.
By the way, DO NOT assume this was done from the outside. ISP employees can be very anal sometimes.
Regards,
www.mcse007.com www.sqldatabases.com www.accesstopic.com
Edited by - mcse007 on 24 May 2001 10:24:21 |
|
|
webshorts
New Member
USA
96 Posts |
Posted - 24 May 2001 : 10:30:39
|
I'm using a SQL database on the same server. It's my own dedicated server, and I know the only other three people with access.
My assumption now is that I installed SP2, which, for some idiot reason, removed hotfixes that were released *before* SP2. I re-ran my Hotfix Checker, reinstalled the missing hotfixes, and the hacker hasn't been back in.
The reason I initially assumed it was a forum problem is because the forum was the only thing affected. If I were a hacker, and made my way into a site's SQL, I would have added some bogus news stories to the front page to let people know what I'd done. He could have changed my entire site navigation, and messed up all my script descriptions (it's all in the SQL), but the only thing he touched was the forum.
Anyway, I think if he could still get in, he would have tried by now, just to prove he could.
Daniel Short Chief Designer, Web Shorts Site Design
Free DHTML at DHTMLShock.com JavaScript and DHTML forum, powered by Snitz |
|
|
sarmadys
Starting Member
8 Posts |
Posted - 28 May 2001 : 17:09:41
|
Hello
I have tested this :
If you have admin scripts addresses such as email setup and type them without login then you are able to change everything without any passwords !!!
Is this true???
Regards Mac
|
|
|
gor
Retired Admin
Netherlands
5511 Posts |
Posted - 29 May 2001 : 00:20:39
|
quote:
If you have admin scripts addresses such as email setup and type them without login then you are able to change everything without any passwords !!!
You mean a page like http://forum.snitz.com/forum/admin_config_email.asp ?
No, even if you know that URL and type it in, you'll be asked for a username + password. But, if you do that once, you'll be able to get to that page without retyping your username and password during the rest of the session. If you close all the browser windows and then return to that page after the session has timed out you'll have to re-enter username and password. Unless you've switched off secure cookie mode (never do that!).
Pierre Join the Snitz WebRing |
|
|
Bear
Starting Member
6 Posts |
Posted - 30 May 2001 : 17:32:00
|
Hi there...
Something you may wish to do is run through the secure IIS5 utility mentioned elsewhere. Also, in IISADMIN for your webserver properties, TURN OFF PARENT PATHS. A lot of malformed requests allow browsers to view your entire file system on the system drive, and many use the ../.. pathing to accomplish this combined with strange encoding of requests.
Yes, there were some hot fixes for things like this, but I watched users try different types of requests aimed at accomplishing the same thing. Some were successful, even after the hotfixes. Most weren't. I removed the help files and MDAC stuff that Microsoft suggested, but they would go for other well-known directories... Once there, they could navigate fairly freely.
Bottom line - parent pathing turned off stops this. If you choose to do this, you'll need to make some very minor mods to your scripts. Many include parent pathing for includes. They read something like:
<!--#include file="../config.asp"--> which needs only be changed to <!--#include virtual="/<rootdirpath>/config.asp"--> where root dir path can be typed in, or set as a constant in the config.asp file itself. (APPL_PHYSICAL_PATH doesn't seem to work here, but then I didn't try very hard. It was easier to find files in the forum directory and subs using Windows 2000 search for files containing text looking for "../" strings.)
So guys, if I broke anything here, slap me down. If I made any horrendous errors, blame the ozone layer. Otherwise, ya'all might think about using virtual pathing to let people turn off the otherwise security-nightmarish parent pathing.
Bear
Edit: P.S. = get BlackIce Defender for your webserver if you don't already have a good firewall in place (or even if you do, since packet-filter firewalls are akin to picket fences - skinny people and dogs still get through.) BlackIce traps all sorts of known attacks and suspicious activity, including the strangely encoded HTTP GETS....
Edited by - Bear on 30 May 2001 17:34:44 |
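Added example, not part of Bear's post or the Snitz code base: a Python sketch of the conversion described above, which finds classic ASP `#include file=` directives that use `..` and rewrites them as `#include virtual=` paths so the scripts keep working once parent paths are turned off. The function names, the sample lines and the `/forum/admin/setup.asp` script path are constructed for illustration; the script's site-root-relative URL path is assumed to be known.

```python
import posixpath
import re

# Classic ASP server-side include: <!-- #include file="..." -->
INCLUDE_RE = re.compile(
    r'(<!--\s*#include\s+)file(\s*=\s*)(["\'])([^"\']+)\3', re.IGNORECASE)

def resolve_virtual(script_vpath, target):
    """Resolve a file= target against the including script's virtual directory."""
    parts = [p for p in posixpath.dirname(script_vpath).split("/") if p]
    for seg in target.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                # A virtual path cannot express a location above the web root.
                raise ValueError("include climbs above the web root: " + target)
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def rewrite_includes(script_vpath, source):
    """Return (new_source, changes); only includes containing '..' are rewritten."""
    changes = []

    def repl(m):
        target = m.group(4)
        if ".." not in target.replace("\\", "/").split("/"):
            return m.group(0)  # no parent path, nothing to change
        vpath = resolve_virtual(script_vpath, target)
        changes.append((target, vpath))
        q = m.group(3)
        return f"{m.group(1)}virtual{m.group(2)}{q}{vpath}{q}"

    return INCLUDE_RE.sub(repl, source), changes

# Constructed sample: contents of a hypothetical /forum/admin/setup.asp
SAMPLE = '''<!--#include file="../config.asp"-->
<!-- #INCLUDE FILE="inc_top.asp" -->
<!--#include file="..\\..\\shared/lang.asp"-->
'''

if __name__ == "__main__":
    new_source, changes = rewrite_includes("/forum/admin/setup.asp", SAMPLE)
    for old, new in changes:
        print(f"{old} -> {new}")
    print(new_source)
```

An include that would resolve above the web root raises an error instead of being rewritten, since that file has to be moved or mapped to a virtual directory by hand.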
|
|
brkonthru
Development Team Member
Jordan
69 Posts |
Posted - 30 May 2001 : 18:22:46
|
Bear,
I have not used Black Ice, but I'm an avid Zone Alarm Pro user, how do you compare Zone Alarm Pro with blackice?
http://www.jeeran.com - free hosting for Arabs and Muslims |
|
|
sarmadys
Starting Member
8 Posts |
Posted - 01 June 2001 : 17:28:56
|
Ok
I fixed my setup problems using the connection string below
"DSN=dsnname"
And well, it took only 6 hours before it was hacked by one of the visitors of the above message !!!!
Thanks a lot ! only 6 hours is a good record.
Some parts of database including users, categories and boards, messages etc. are changed.
I think this is because I have not used any password for the database, is it?
By the way, they are replaced by a "Brasilian or portugal" message board's contents and users.
So it seems I must put "snitz" away, which I was proud of finding, or do you have a better suggestion? (I really want to have a stable message board)
Regards,
|
|
|
sarmadys
Starting Member
8 Posts |
Posted - 01 June 2001 : 17:54:11
|
Hello
Once again about hacking matter. It seems no files or databases are modified !!!!!!
So I can just think about the DSN connection. Is it possible for someone else to change my DSN name to point to another database?
Regards, Mac
|
|
|
brkonthru
Development Team Member
Jordan
69 Posts |
Posted - 01 June 2001 : 18:28:23
|
Did you secure your database with a password?
http://www.jeeran.com - free hosting for Arabs and Muslims |
|
|
webshorts
New Member
USA
96 Posts |
Posted - 06 June 2001 : 11:11:23
|
Just wanted to let everyone know that I found an additional security breach, that is actually part of the forum. The vulnerability is in the version I'm currently using (not even sure what it is), but it doesn't work in the latest betas. I've sent the exploit to Gor, but if anyone else (that works on the Snitz forum, I won't publicize it), wants me to send it to them, I will.
Daniel Short Chief Designer, Web Shorts Site Design
Free DHTML at DHTMLShock.com JavaScript and DHTML forum, powered by Snitz |
|
|
tilttek
Junior Member
Canada
333 Posts |
Posted - 06 June 2001 : 12:04:16
|
quote:
Just wanted to let everyone know that I found an additional security breach, that is actually part of the forum. The vulnerability is in the version I'm currently using (not even sure what it is), but it doesn't work in the latest betas. I've sent the exploit to Gor, but if anyone else (that works on the Snitz forum, I won't publicize it), wants me to send it to them, I will.
I want to know... I use it on some Intranet and one Internet site. And because this site uses private forum, any bug with that is a real concern for me!
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com |
|
|
webshorts
New Member
USA
96 Posts |
|
tilttek
Junior Member
Canada
333 Posts |
Posted - 06 June 2001 : 15:35:31
|
quote:
I didn't say I had a fix, only an exploit, which I will only provide to the forum development team, so that they can repair it.
But at the same time, before any new release, I would like to know, to put a fix for myself!
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com |
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 06 June 2001 : 15:44:44
|
webshorts, you can safely assume that Tteal will not divulge any info, so maybe you could mail him the details, he does not always go with the latest version because of Mods, and may help with a fix :)
|
|
|
tilttek
Junior Member
Canada
333 Posts |
Posted - 07 June 2001 : 09:22:07
|
quote:
you can safely assume that Tteal will not divulge any info, so maybe you could mail him the details, he does not always go with the latest version because of Mods, and may help with a fix :)
More likely I'm gonna have to do a source diff for next release... I did TOO much change... So much, I can't even do my MOD without installing a new install each time.
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com |
|
|