#213111 12/02/2001 2:33 AM
Power User
Joined: Nov 2001
Posts: 52
Hi,

www.extremeforums.org from Poil has been hacked and I hope Poil had a good db backup cause it looked like they just dropped the DB.

I really feel sorry for Poil and hope he can recover fast, but shouldn't we look into how this has happened so some script kiddiez don't get too much fun and start dropping a lot of DB's ...

[img]http://www.artenovo.com/extreme_forums.gif[/img]

Heads Up Poil !!!

Power User
Joined: Nov 2001
Posts: 52
Hi,

Driving in the car I was thinking again about this and another little accident that happened here at Threadsdev and I must say it took me 2 minutes to hack into my own TestForum and alter the database.

I'll send a PM to Scream with the full details, but it's damn simple ... and actually a little bit frightening ...

Guru
Joined: May 1999
Posts: 3,039
There are a couple of things that can be dangerous to allow. One being HTML enabled in forums and the other is accepting file attachments with a .php extension. Not sure if either of these was used but I've sent an email off to the posted email addresses so we'll see.


UBB.threads Developer
Guru
Joined: May 1999
Posts: 3,039
Poil was also running a pretty hacked version so it's also possible that there was an exploit introduced with some of the stuff that he was working on. Hopefully we'll get some more info.


UBB.threads Developer
Member
Joined: May 1999
Posts: 90
I think that the administrative option of sending direct SQL commands to the server should be 'disablable' from the config file. If you manage to get to the administrative menu -- doesn't matter how, although a certain advisory issued earlier this year comes to mind for no reason (wink) -- you can easily alter/drop whatever databases the threads user has privileges on. Of course you can destroy stuff with the other (delete related) admin functions but that requires a little more effort from the attacker.

Lurker
Joined: Feb 2002
Posts: 6
Does the default setting of the PHP version of threads allow users to upload .php attachments?


Power User
Joined: Oct 2000
Posts: 60
Scream, would there be any drawbacks in having UBBThreads use a user who doesn't have create/drop privileges?

Guru
Joined: May 1999
Posts: 3,039
The default setting only allows .gif,.jpg and .txt attachments.


UBB.threads Developer
Guru
Joined: May 1999
Posts: 3,039
Not allowing DROPs would be fine and a good idea. CREATEs are sometimes used when altering a table when upgrading to a new version so this one might be a problem from time to time.


UBB.threads Developer
Power User
Joined: Oct 2000
Posts: 60
Well, I assumed for upgrading, you'd need a full account. I was just asking about during regular operations.
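As an added example, not code from this thread or from UBB.threads itself, here is the two-account arrangement the last few posts converge on, written as MySQL statements: a runtime account for normal operation that has no CREATE or DROP, and a separate account that is only used while running an upgrade. The database name `threads`, the account names and the passwords are placeholders.

```sql
-- Added example, not part of the thread or of UBB.threads.
-- Database name, account names and passwords are placeholders.

-- Runtime account: this is the one the forum's config file points at.
-- Day-to-day operation needs row-level access only.
CREATE USER 'threads_www'@'localhost' IDENTIFIED BY 'CHANGE-ME-runtime-password';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON threads.* TO 'threads_www'@'localhost';

-- Upgrade account: used only while an upgrade script alters the schema,
-- then left unused. CREATE/ALTER/INDEX/DROP live here, not in the web app.
CREATE USER 'threads_upgrade'@'localhost' IDENTIFIED BY 'CHANGE-ME-upgrade-password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
  ON threads.* TO 'threads_upgrade'@'localhost';

-- Verify what each account can actually do before switching the config over.
SHOW GRANTS FOR 'threads_www'@'localhost';
SHOW GRANTS FOR 'threads_upgrade'@'localhost';

-- Through the runtime account, a statement such as
--   DROP TABLE some_table;
-- is refused with a "command denied to user" error (MySQL error 1142),
-- so an admin SQL console reached with that account cannot drop tables or
-- the database. DELETE still works, because the forum needs it, so rows can
-- still be removed; that is the "a little more effort" trade-off noted above.
```

The runtime grant above is the minimum most PHP forum code needs; if a feature fails with a "command denied" error after the switch, add only the specific privilege it asks for rather than going back to a full account. Keep the upgrade account's password out of the web server's config file entirely.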

The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services