Joined: Nov 2001
Posts: 52
Power User
Hi, www.extremeforums.org from Poil has been hacked and I hope Poil had a good db backup cause it looked like they just dropped the DB. I really feel sorry for Poil and hope he can recover fast, but shouldn't we look into how this has happened so some script kiddiez don't get too much fun and start dropping a lot of DBs ... http://www.artenovo.com/extreme_forums.gif Heads Up Poil !!!

Joined: Nov 2001
Posts: 52
Power User
Hi,
Driving in the car I was thinking again about this and another little accident that happened here at Threadsdev and I must say it took me 2 minutes to hack into my own TestForum and alter the database.
I'll send a PM to Scream with the full details, but it's damn simple ... and actually a little bit frightening ...

Joined: May 1999
Posts: 3,039
Guru
There are a couple of things that can be dangerous to allow. One is having HTML enabled in forums and the other is accepting file attachments with a .php extension. Not sure if either of these was used, but I've sent an email off to the posted email addresses, so we'll see.
UBB.threads Developer

Joined: May 1999
Posts: 3,039
Guru
Poil was also running a pretty hacked version so it's also possible that there was an exploit introduced with some of the stuff that he was working on. Hopefully we'll get some more info.
UBB.threads Developer

Joined: May 1999
Posts: 90
Member
I think that the administrative option of sending direct SQL commands to the server should be 'disablable' from the config file. If you manage to get to the administrative menu -- doesn't matter how, although a certain advisory issued earlier this year comes to mind for no reason -- you can easily alter/drop whatever databases the threads user has privileges on. Of course you can destroy stuff with the other (delete-related) admin functions, but that requires a little more effort from the attacker.

Joined: Feb 2002
Posts: 6
Lurker
Does the default setting of the PHP version of threads allow users to upload .php attachments?

Joined: Oct 2000
Posts: 60
Power User
Scream, would there be any drawbacks in having UBBThreads use a user who doesn't have create/drop privileges?

Joined: May 1999
Posts: 3,039
Guru
The default setting only allows .gif, .jpg and .txt attachments.
UBB.threads Developer
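A defensive check in the spirit of the two developer posts above (the warning that accepting .php attachments is dangerous, and the default allowlist of .gif, .jpg and .txt). This is an added example, not code from UBB.threads or from anyone in this thread. The allowlist mirrors the default just stated; the set of server-side extensions, the handling of multi-dot names and the server-chosen storage name are my assumptions about good practice, not a description of what the product does:

```python
import os
import re

# Allowlist mirroring the default stated in the thread: only .gif, .jpg and .txt.
ALLOWED_EXTENSIONS = {"gif", "jpg", "txt"}

# Extensions a web server is commonly configured to hand to a script interpreter.
# Assumption for this example; extend it to match the server's own handler config.
SERVER_SIDE_EXTENSIONS = {"php", "php3", "phtml"}

# Control characters (including NUL) that could truncate or alter the name in a
# downstream C library or shell.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_allowed_attachment(filename: str) -> bool:
    """Return True only if the attachment name passes the allowlist.

    Rules applied, in order:
      * strip any directory part (forward or back slashes);
      * reject names with control characters, dot-files and names with no extension;
      * the final extension must be in ALLOWED_EXTENSIONS;
      * no server-side extension may appear anywhere after the first dot, so
        "image.php.jpg" is rejected even though its last extension is allowed
        (some servers map handlers by any extension present in the name).
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if _CONTROL_CHARS.search(base):
        return False
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    if any(part in SERVER_SIDE_EXTENSIONS for part in parts[1:]):
        return False
    return True


def storage_name(filename: str, attachment_id: int) -> str:
    """Build the on-disk name from a server-chosen id plus the validated extension.

    The user-supplied name never reaches the filesystem; only its extension
    survives, and only after is_allowed_attachment() accepted it.
    """
    if not is_allowed_attachment(filename):
        raise ValueError("attachment type not allowed")
    ext = os.path.basename(filename.replace("\\", "/")).rsplit(".", 1)[-1].lower()
    return f"{attachment_id}.{ext}"


if __name__ == "__main__":
    # Constructed sample names, not taken from any real upload.
    for name in ["photo.jpg", "notes.TXT", "shell.php", "image.php.jpg",
                 "../uploads/x.gif", ".htaccess", "a\x00.jpg", "readme"]:
        print(f"{name!r:24} -> {is_allowed_attachment(name)}")
```

The second function is the part worth copying: because the server picks the stored name and keeps only the validated extension, a forum that later loosens its allowlist still never writes an attacker-chosen filename into a web-reachable directory.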

Joined: May 1999
Posts: 3,039
Guru
Not allowing DROPs would be fine and a good idea. CREATEs are sometimes used when altering a table when upgrading to a new version, so this one might be a problem from time to time.
UBB.threads Developer

Joined: Oct 2000
Posts: 60
Power User
Well, I assumed for upgrading, you'd need a full account. I was just asking about during regular operations.
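The split the last three posts converge on (a runtime account without CREATE/DROP for regular operation, a fuller account only for upgrades) written out as MySQL grants. This is an added example, not configuration from UBB.threads or from anyone in this thread; the database name, account names and passwords are placeholders, and the exact privilege list an upgrade script needs is an assumption to check against the release notes:

```sql
-- Weak setting: one all-powerful account used by the web application.
-- Anyone who reaches the admin menu (or its direct-SQL page) can DROP the schema.
GRANT ALL PRIVILEGES ON threads_db.* TO 'threads'@'localhost';

-- Corrected: runtime account for day-to-day operation.
-- Row-level work only; no CREATE, ALTER or DROP, so a hijacked admin session
-- can delete rows but cannot remove tables or the database.
CREATE USER 'threads_app'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, INSERT, UPDATE, DELETE ON threads_db.* TO 'threads_app'@'localhost';

-- Upgrade account: used only while an upgrade script runs, then its credentials
-- are removed from the web-reachable config again. DROP is still withheld.
CREATE USER 'threads_upgrade'@'localhost' IDENTIFIED BY 'CHANGE_ME_TOO';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX
    ON threads_db.* TO 'threads_upgrade'@'localhost';

-- Verify what each account actually holds before pointing the forum at it.
SHOW GRANTS FOR 'threads_app'@'localhost';
SHOW GRANTS FOR 'threads_upgrade'@'localhost';
```

Keep the upgrade account's credentials out of the application's config file between upgrades; the protection only holds while the web process cannot authenticate as it.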