#75833 08/12/2001 3:03 PM
Joined: Jul 2001
Posts: 1,111
Member
Does anyone know how easy UBB 6.05 is to get into? One of my members can get an admin pass and change stuff in the CP of his own free will. The guy's a nice guy, but last time he didn't listen to the admins and I banned him, he went right in, took out his IP and took over the forum. It's really annoying! >.< He always sets custom titles for people! Can anybody help me out?

#75834 08/12/2001 3:14 PM
Ell
Joined: Jul 2000
Posts: 1,349
Member
Any idea if he's creating a new admin account (making an existing normal member into an admin) or using an existing admin account?

#75835 08/12/2001 3:17 PM
Joined: Jul 2001
Posts: 1,111
Member
Nope, he's using an admin account that's already there. I've tried changing all the passes on the accounts and he still gets in.. -_-

#75836 08/12/2001 4:03 PM
Joined: May 2001
Posts: 81
Member
obvious Q: does he have FTP access?

do you allow HTML in forums/sigs or have codebuttons installed?

#75837 08/12/2001 4:38 PM
Joined: Jul 2001
Posts: 1,111
Member
He has no FTP access, he's only a normal member :-/ He claims to "hack" though. Yes, I do allow HTML in my forums but not in the sigs, and I don't have codebuttons installed.

#75838 08/12/2001 4:44 PM
Joined: Feb 2000
Posts: 4,625
Member
Are you on Apache?
If so, grab his IP and ban him with an .htaccess file.

#75839 08/12/2001 4:46 PM
Joined: Jul 2001
Posts: 1,111
Member
quote:
Originally posted by MasterMind:
Are you on Apache?
If so, grab his IP and ban him with an .htaccess file.

Will do man, we're on Unix so I'm contacting the server right now.

#75840 08/12/2001 5:30 PM
Joined: Jan 2001
Posts: 1,940
Developer
If he's grabbing passwords, I suspect a hack is messing up. Many hacks are not security conscious.

qasic

#75841 08/12/2001 5:55 PM
Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
Yet another reason to not allow HTML in posting.


- Allen wavey
- What Drives You?
#75842 08/12/2001 6:51 PM
Joined: May 2001
Posts: 81
Member
Yeah, I would take a guess it's the HTML in posts thing.

One person on the tribalwar forums (VBB, same principle I guess) managed to set up some code that, when the topic was opened by anybody, sent their cookies or some form of info to another server, whereupon that person could simply view the passwords.

However, the TW forums have the passwords encrypted, so it wasn't a complete take-over..

That'd make a good hack.. is it not possible to have something done so the passwords are encrypted?

#75843 08/12/2001 7:06 PM
Joined: Feb 2000
Posts: 4,625
Member
Yes, but not cross-platform.

#75844 08/12/2001 9:40 PM
Joined: May 2000
Posts: 1,356
Addict
The crypt() function can be used, but you can't send the passwords back to users. It is a one-way thing... so it is not suitable for a forum member system...

But there are some modules for this job...

[ August 12, 2001: Message edited by: jeologic ]

#75845 08/12/2001 9:54 PM
Joined: Aug 2000
Posts: 874
Moderator / Developer
Soul - that's something that is very hard to do, and I would doubt that the person who did it was actually "stealing" the cookies, rather than running some HTML code in the posts, or exploiting a hole in vB. But vB does use MD5 encoded passwords, so it's not a big deal to leak them out like that.

#75846 08/12/2001 10:27 PM
Joined: Jan 2001
Posts: 1,940
Developer
jordo,

Passwords in vB are stored in plain text, just like UBB. However, there is a hack for vB which encrypts passwords though.

Creating such a function in UBB isn't hard, but Ted has decided not to do it (although us hackers can).

qasic
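
An added example for the point jeologic and qasic make above about one-way password storage (this is Python written for this thread, not UBB's or vB's code and not any of the hacks mentioned): a salted, iterated hash is stored instead of the password, a login is checked by hashing what the member typed and comparing, and the "forgot my password" case is handled with a one-time reset token instead of sending the password back. The PBKDF2 work factor, the function names and the member names are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor; an assumed value for this example
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per member, so two members who chose the same
    password store different values and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_member_file(plain):
    """Constructed member file: only hashes are kept, never the passwords."""
    return {name: {"pw": hash_password(pw), "reset": None} for name, pw in plain.items()}


def login(member_file, name, password):
    rec = member_file.get(name)
    return rec is not None and verify_password(password, rec["pw"])


def issue_reset_token(member_file, name):
    """'Forgot my password' without sending a password anywhere.

    The member gets the token once (by e-mail); the file keeps only its
    hash, so someone holding the file still cannot complete the reset.
    """
    token = secrets.token_urlsafe(32)
    member_file[name]["reset"] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token


def redeem_reset_token(member_file, name, token, new_password):
    """Set a new password if the presented token matches; tokens are single use."""
    rec = member_file.get(name)
    if rec is None or rec["reset"] is None:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, rec["reset"]):
        return False
    rec["reset"] = None
    rec["pw"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # Names and passwords below are made up for the demo.
    members = build_member_file({"alice": "tomato", "bob": "pilot"})
    print(login(members, "alice", "tomato"))   # True
    print(login(members, "alice", "pilot"))    # False
    token = issue_reset_token(members, "bob")
    print(redeem_reset_token(members, "bob", token, "newpass"))   # True
    print(login(members, "bob", "newpass"))    # True
```

The one-way property jeologic describes is what makes the member file survivable if it leaks: the value the forum holds is enough to verify a login but not to recover what the member typed. The reset token is stored hashed for the same reason, and it is cleared on first use.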

#75847 08/12/2001 11:16 PM
Joined: Aug 2000
Posts: 874
Moderator / Developer
Heh, oh. I thought it was a standard feature. Very useful nonetheless; would be something good to see as a hack.

#75848 08/13/2001 2:49 AM
Joined: May 2001
Posts: 6,708
Member
If AL is talking about who I think he is, this person hacked my forum too and I didn't have HTML in posting. I think he uses some password revealer or something like that to get admins' passes.

#75849 08/13/2001 5:29 AM
cal
Joined: Feb 1999
Posts: 1,379
Programmer
I'd be interested to see how this is being done. If HTML is turned on, then that explains it, but otherwise a stock UBB is (as far as we know) secure.

hmmm

#75850 08/13/2001 7:01 AM
Ell
Joined: Jul 2000
Posts: 1,349
Member
Not at all. It's 100% susceptible to a brute-force attack- there's no flood checking on logging in (which there should be).

AL, at the very least, do this to your files:

[code][/code]

And replace "viewpw" with something unique and non-guessable to you- "pilot", "tomato", whatever. Now, even if this guy hacks in, he's not going to be able to see all your members' passwords (which should be the default behaviour). But YOU can see them, because you know what the secret "in" word is.. to view a member's password, open their profile as usual, add "&(yourword)=true" to the URL of the profile, and hit enter.

So, if you didn't change my code, and if the URL looks like:

http://www.myubb.com/cp.cgi?ubb=get_profile_for_admin&u=00006479

Change it to:

http://www.myubb.com/cp.cgi?ubb=get_profile_for_admin&u=00006479&viewpw=true

This will reload the page and let you see the user's password. (Note that you should change "viewpw" to something else, just in case any potential hackers are reading this.)

Obviously this won't stop him hacking in in the first place, but it does let you breathe if/when he does, knowing that he's not able to get everyone else's passwords. For this reason, I suggest that you don't tell ANY other admins/anyone else what your secret replacement word for "viewpw" is- they don't have any legitimate reason for needing a member's password.

On another note, have you changed all the passwords on your admins' email accounts? If they were the same as the UBB passwords at any point, he may have access to your email, and so to get the latest admin password, he just needs to use the "forgot my password" feature, then check your email.

[ August 13, 2001: Message edited by: Borg ]

#75851 08/13/2001 8:02 AM
cal
Joined: Feb 1999
Posts: 1,379
Programmer
quote:
Originally posted by Borg:
Not at all. It's 100% susceptible to a brute-force attack- there's no flood checking on logging in (which there should be).

Perhaps it should be, but you're being picky about what's secure and what's not. No site can stand up to a DDOS attack, but we'd hardly categorize it as unsecure because of it.

blergh

#75852 08/13/2001 8:49 AM
Joined: Feb 2000
Posts: 4,625
Member
There's always gonna be some kind of security flaw... I mean, I'd like floodcheck on logging in too, but..

#75853 08/13/2001 9:00 AM
Ell
Joined: Jul 2000
Posts: 1,349
Member
quote:
Perhaps it should be, but you're being picky about what's secure and what's not. No site can stand up to a DDOS attack, but we'd hardly categorize it as unsecure because of it.

What's so difficult about it? Obviously it would have to be an 'optional feature' (doesn't everything?), but if there are more than 20 or so failed login attempts to a username, the UBB could then refuse to accept login attempts from that IP / to that Username more than once every 30/60 secs. That way, any brute-forcer that's running will be slowed down to a crawl... 1 attempt every 60 seconds? Expect the password to be cracked in a few YEARS...

Either that, or we're going to have to start distributing those cute little RSA modulo keychains to all users.
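
The flood check Borg sketches in his two posts above, written out as an added example (Python written for this thread, not part of UBB or of the Powertools hack): after FAIL_THRESHOLD failed attempts against a username, or from one address, only one attempt per THROTTLE_SECS is accepted for that key. The 20-attempt and 60-second figures are the ones from the post; the class and function names and the simulated address are constructed for the example.

```python
import time
from collections import defaultdict

FAIL_THRESHOLD = 20   # failed attempts before throttling starts (the figure from the post)
THROTTLE_SECS = 60    # once throttled, accept one attempt per this many seconds


class LoginThrottle:
    """Throttle failed logins per username and per client IP.

    Both keys are tracked: guessing one account from many addresses is
    slowed by the username counter, guessing many accounts from one
    address by the IP counter. The clock is injectable so the behaviour
    can be tested without waiting.
    """

    def __init__(self, threshold=FAIL_THRESHOLD, delay=THROTTLE_SECS, clock=time.monotonic):
        self.threshold = threshold
        self.delay = delay
        self.clock = clock
        self.failures = defaultdict(int)   # key -> consecutive failed attempts
        self.last_attempt = {}             # key -> time of last accepted attempt while throttled

    @staticmethod
    def _keys(username, ip):
        return (("user", username.lower()), ("ip", ip))

    def allowed(self, username, ip):
        """Call before checking the password. Returns (ok, seconds_to_wait)."""
        now = self.clock()
        wait = 0.0
        for key in self._keys(username, ip):
            if self.failures[key] >= self.threshold:
                last = self.last_attempt.get(key)
                if last is not None and now - last < self.delay:
                    wait = max(wait, self.delay - (now - last))
        return wait == 0.0, wait

    def record(self, username, ip, success):
        """Call after an accepted attempt with the outcome of the password check."""
        now = self.clock()
        for key in self._keys(username, ip):
            if success:
                # A real login clears the counters for that member and address.
                self.failures.pop(key, None)
                self.last_attempt.pop(key, None)
            else:
                self.failures[key] += 1
                if self.failures[key] >= self.threshold:
                    self.last_attempt[key] = now


def simulate_guessing(attempts, seconds_between=1.0):
    """Drive the throttle with a fake clock and count how many guesses get through.

    Constructed scenario: one address makes `attempts` wrong guesses at
    the 'admin' account, one every `seconds_between` seconds.
    """
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    accepted = 0
    for _ in range(attempts):
        ok, _wait = throttle.allowed("admin", "198.51.100.7")
        if ok:
            throttle.record("admin", "198.51.100.7", success=False)
            accepted += 1
        now[0] += seconds_between
    return accepted


if __name__ == "__main__":
    # 600 guesses one second apart: the first 20 get through, then one per minute.
    print(simulate_guessing(600))   # 29
```

The throttle is keyed on both username and IP so that a guess campaign against one account from many addresses and one against many accounts from one address are both slowed. The IP key also slows everyone behind a shared address (a NAT or proxy), so in practice it gets a higher threshold or the counter decays with time; and a CGI that starts fresh on every request has to keep these counters in a file or database rather than in memory.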

#75854 08/13/2001 10:45 AM
Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
quote:
Originally posted by Borg:
What's so difficult about it? Obviously it would have to be an 'optional feature' (doesn't everything?), but if there are more than 20 or so failed login attempts to a username, the UBB could then refuse to accept login attempts from that IP / to that Username more than once every 30/60 secs. That way, any brute-forcer that's running will be slowed down to a crawl... 1 attempt every 60 seconds? Expect the password to be cracked in a few YEARS...

That actually sounds pretty cool... would be neat if we could have a "tighter security" modification we could distribute several of these in... as an idea comes up and it's tested, it could be added to it.


#75855 08/13/2001 11:34 AM
Ell
Joined: Jul 2000
Posts: 1,349
Member
waah! I'll add it to the already-large UBB Powertools list...

- Alter member NAME + other profile properties
- Alter member NUMBER
- Register new member from control panel
- Allow staff to search/search all forums
- Prevent double posting
- Mark unread from date
- Vink-version updates
- UBB Code adder
- Ban list thing
- Memberlist backup
- CP meta refresh time
- Forgotten password reminder / question
- Notes on users
- Destroy inactive users
- Logging options for staff
- Login bruteforcer protection
- 'Member passwords not viewable'

[ August 13, 2001: Message edited by: Borg ]

#75856 08/13/2001 11:43 AM
Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
"Powertools" - yep, thas the one...

Sounds cool, ell.


#75857 08/13/2001 11:48 AM
Ell
Joined: Jul 2000
Posts: 1,349
Member
Thanks. At least the bottom item's done... but I shudder at how many 1-line changes this uber-hack is gonna run into. o_O

#75858 08/14/2001 3:24 AM
Joined: May 2001
Posts: 6,708
Member
I have no idea what he uses. I think he uses some hack tools to do it, because this person I know is one good hacker, and he seems to hack forums with ease. I have no idea how he does it; I can con him into telling me...

#75859 08/14/2001 6:08 PM
Joined: Jul 2001
Posts: 1,111
Member
qasic, if you could make such a hack I'd really be grateful. He is now giving people back posting rights that were taken; we're having a war on spam or something, and I can't ban spammers -_- I couldn't get him banned from the server, but thanks to all that have replied, my server is gonna work on something tonight.

#75860 08/14/2001 6:29 PM
Joined: Jan 2001
Posts: 1,940
Developer
Anime-loo,

Do you have access to server logs and such?

Furthermore, have you upgraded to 6.1? 6.1 now includes such tools as admin logging - this should help greatly as to how your hacker hacked in (if the person did it via control panel).

I know it's a pain not to have hacks and such but security should always be your top concern. My advice would be this.

1) Upgrade to 6.1 and install NO HACKS.

2) Kill all admins except yourself. And I mean ALL admins.

3) Make sure your FTP password is secure. Change it. Make sure no one else has access to your FTP.

4) Protect cp.cgi with a .htaccess and .htpasswd. Make sure the l/p for these files is at least > 10 characters long.

5) Check access to cp.cgi in your logs.

This should be sufficient to thwart most common hackers. If this doesn't seem to help, please e-mail me and I'll see if I can stop this loser

qasic

[ August 14, 2001: Message edited by: qasic ]
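
For step 5 of qasic's list, checking who reached cp.cgi in the logs, an added example (Python written for this thread, not a UBB or UBB.Dev tool): it parses Apache combined-format lines, groups every cp.cgi request by client address, records the authenticated remote user that the .htaccess protection from step 4 puts in the log, counts 401 responses from failed .htpasswd logins, and lists addresses that are not on the admins' known list or that kept failing. The log lines, the addresses and the remote user name "admin" are constructed for the example; the get_profile_for_admin URL form is the one shown earlier in the thread.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A request path whose last component is cp.cgi, with or without a query string.
CP_PATH = re.compile(r'^/(?:[^?]*/)?cp\.cgi(?:\?|$)')
# The ubb= parameter names the control-panel action being requested.
ACTION = re.compile(r'[?&]ubb=([^&]+)')

# Constructed sample lines: the addresses are documentation ranges and the
# remote user "admin" stands for whatever name the .htpasswd file uses.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Aug/2001:18:02:11 -0500] "GET /cgi-bin/ubb/cp.cgi?ubb=login HTTP/1.0" 401 401 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Aug/2001:18:02:13 -0500] "GET /cgi-bin/ubb/cp.cgi?ubb=login HTTP/1.0" 401 401 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Aug/2001:18:02:15 -0500] "GET /cgi-bin/ubb/cp.cgi?ubb=login HTTP/1.0" 401 401 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Aug/2001:18:02:17 -0500] "GET /cgi-bin/ubb/cp.cgi?ubb=login HTTP/1.0" 401 401 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Aug/2001:18:02:19 -0500] "GET /cgi-bin/ubb/cp.cgi?ubb=login HTTP/1.0" 401 401 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Aug/2001:18:02:21 -0500] "GET /cgi-bin/ubb/cp.cgi?ubb=login HTTP/1.0" 401 401 "-" "Mozilla/4.0"
203.0.113.5 - admin [14/Aug/2001:18:10:40 -0500] "GET /cgi-bin/ubb/cp.cgi?ubb=get_profile_for_admin&u=00006479 HTTP/1.0" 200 5120 "http://www.myubb.com/cp.cgi" "Mozilla/4.0"
192.0.2.44 - - [14/Aug/2001:18:15:02 -0500] "GET /cgi-bin/ubb/ultimatebb.cgi?ubb=forum&f=1 HTTP/1.0" 200 8820 "-" "Mozilla/4.0"
192.0.2.44 - - [14/Aug/2001:18:16:30 -0500] "POST /cgi-bin/ubb/cp.cgi HTTP/1.0" 200 1200 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cp_access_report(lines, known_admin_ips):
    """Summarise every request for cp.cgi by client address.

    For each IP: number of hits, remote users seen (set by .htaccess auth),
    number of 401 responses (failed .htpasswd logins), the ubb= actions
    requested, and whether the address is one the admins normally use.
    """
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not CP_PATH.match(rec["path"]):
            continue
        entry = report.setdefault(rec["ip"], {
            "hits": 0, "users": set(), "unauthorized": 0,
            "actions": Counter(), "known": rec["ip"] in known_admin_ips,
        })
        entry["hits"] += 1
        if rec["user"] != "-":
            entry["users"].add(rec["user"])
        if rec["status"] == "401":
            entry["unauthorized"] += 1
        m = ACTION.search(rec["path"])
        entry["actions"][m.group(1) if m else "(none)"] += 1
    return report


def suspicious(report, max_401=5):
    """Addresses that reached cp.cgi from outside the known list, or kept failing auth."""
    return sorted(ip for ip, e in report.items()
                  if not e["known"] or e["unauthorized"] >= max_401)


if __name__ == "__main__":
    report = cp_access_report(SAMPLE_LOG.splitlines(), known_admin_ips={"203.0.113.5"})
    for ip in suspicious(report):
        e = report[ip]
        print(f"{ip}: {e['hits']} hits, {e['unauthorized']} x 401, actions={dict(e['actions'])}")
```

A run over the sample prints the two addresses worth a closer look: the one hammering the .htpasswd prompt and the one that reached cp.cgi from outside the known list. On a real server, feed it the access_log (or the rotated copies) and fill known_admin_ips with the addresses the one remaining admin actually uses.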

#75861 08/14/2001 10:21 PM
Joined: Jul 2001
Posts: 1,111
Member
OK, I still wanna stay with 6.05. I'm gonna have him banned from the server; I'll go to 6.1 soon though.

[ August 14, 2001: Message edited by: Anime-loo ]

#75862 08/15/2001 2:59 AM
Joined: May 2001
Posts: 6,708
Member
Yeah, but can he just change his IP and get back in AL?

#75863 08/16/2001 2:26 AM
Joined: Jul 2001
Posts: 6
Junior Member
post edited by admin

The chit chat forum is not an area for security discussions or malicious advice. Thank you.

[ August 16, 2001: Message edited by: cal ]

#75864 08/16/2001 1:17 PM
Joined: Jan 2001
Posts: 1,940
Developer
quote:
Yeah, but can he just change his IP and get back in AL?

.htaccess my friend

qasic

#75865 08/17/2001 3:17 AM
Joined: May 2001
Posts: 6,708
Member
quote:
Originally posted by qasic:
.htaccess my friend

#75866 08/18/2001 4:01 AM
Joined: Jul 2001
Posts: 6
Junior Member
quote:
Originally posted by Askushi:
post edited by admin

The chit chat forum is not an area for security discussions or malicious advice. Thank you.

#75867 08/20/2001 2:59 AM
cal
Joined: Feb 1999
Posts: 1,379
Programmer
These problems no longer exist in ubb 6.x

The information you posted is only of use for breaking into early series 5 boards.

If you have any further queries, contact me directly. Thread closed.


The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services

 