UBB.Developers Forums UBB.threads 7 Development How Do I? Hacker can attack 6.1.1

Today, my website got hacked.

Apparently they sent me PM with sender username: $Sender and subject: $Subject, and message: $Mess

And all administrator and moderators got this PM.


The page that got hacked was the front page using IIP 5.1

They deleted the content on the page index.php, and change it to their group's name.

IIP 6.0 B1 is using the get_input function of threads to avoid variable contamination as much as possible.

Actually... I'm not exactly sure how what you describe could be done from IIP. How do you know the entry point was IIP?

JustDave

I am not sure what was the entry point.
But the page which was hacked was the front page which is the IIP.

I will upgrade the system soon.

That's my point though. If they had the ability to delete they could have deleted much more but chose to only delete your index page and put up something of their own. This doesn't signify that the entry point is through that page though. They would need admin access to send a mass pm. There is no function of IIP that does this. The deleting and uploading of another index is also something that IIP isn't capable of. If the attack consisted of making posts under other's names in the shout box or taking in votes for users that say they hadn't voted I would be more inclined to think that the fault is indeed with IIP and the index page. The occurances you described though are not functions found in IIP.

[]JustDave said:
IIP 6.0 B1 is using the get_input function of threads to avoid variable contamination as much as possible. [/]

I hope that means you're getting rid of the code that "manually registers" all the globals.

[]Dave_L said:

I hope that means you're getting rid of the code that "manually registers" all the globals. [/]



Yep, gone.

One thing I was thinking though is that once the variables have their values set with get_input we should cycle through the global arrays and set everything to empty strings. This way if someone is running with globals on then any additional information that may have been entered is removed. Hope this made sense... lol (am I thinking correctly?)

Sounds like a really good idea.

Updated.

The intruder got into the admin server and changed all the index.html/index.php

So this attack has nothing to do with the Ubbthreads and the IIP.



Regards

That's good to hear. But it is true that the current and earlier IIP packages are less secure since they need the register globals to be on. (or in some of the later cases the globals are artificially populated)

I am rectifying this though with 6.0

Cool, looking forward to 6