Has it been all disabled or just in sigs?
**tests**
If it's all, I guess it's since that redirect thingy...
Okay, so we have some locked threads and scarce information about someone using the img tags to grab cookies. There doesn't seem to be any discussion about it or updates and since this place is inhabited by UBB owners I think that's pretty bad.
I think that we deserve more than a couple words and locked threads. If there is a threat then let us know. If there is an interim fix then give it to us. If you have nothing then let us know that.
Stay tuned. A fix is being worked on right now and an official announcement is forthcoming.
In the meantime you may disable the IMG code on your sites if you are concerned.
Forgot to mention... if your password here was the same as your FTP, Admin, or User accounts on your own web sites, shame on you. Go change them as well, and use a unique password for each!
The IMG tag was disabled to be 110% sure that the compromise could not be reproduced while I was developing a filter. Now that the filter has been developed, the IMG tag will be re-enabled, though not in signatures.
6.2.1.1 will be released shortly with the additional filtering.
Can we have the info on exactly what is different so that we can implement without disturbing the hacked boards?
The fix is a little too complicated to post here, unfortunately. However, the changes should not interfere with many existing hacks. The changes are limited to:
- lib_posting's signature appending area
- lib's check_html
- lib's imageize and related routines
You do NOT need to disable the IMG tag on your board unless you are concerned that someone might try this. I highly doubt that he'll try it anywhere else.
Not until I am 200% sure that the filters work.
Oh, I thought they're gone forever!
quote:
Originally posted by Charles Capps:
Not until I am 200% sure that the filters work.
That'll be forever then -- it's impossible to be 200% sure.
Does this bug affect UBB 5?
Just wondering...
Mmmm... a variant of it, sure. This EXACT issue is specific only to post 6.1.0 UBBs. UBB5 has not been updated in over one year. In that year+, dozens of security issues have been uncovered. Those using UBB5 need to be very cautious.
quote:
Powered by Infopop Corporation
Ultimate Bulletin Board™ 6.2.2 Development Beta 15.1
I wonder what the .1 added?
who exactly caused this trouble?
I obviously take a different view to this sort of behavior? If it happened on my board I know a lot of people would be seriously p*****, it's obviously very different over here in the UK, sense of humour and tolerance!
note to remember.
that was self-censored btw, before someone has a go at me, jeesh
quote:
Originally posted by Wando™:
who exactly caused this trouble?
It makes no difference, and it doesn't concern you, so stop asking. Your other thread was already closed for asking once, so you'd think that you'd learn after one time...
I think it does concern me, as I'm a license owner and someone is hacking UBB's
They'll be releasing new versions for 6.2x tonight I believe... grab a copy of the latest now and tonight again when they release - then file compare the changes in.
Wando -
A fix is being worked on and should be done soon if not already as I type this. Relax. No more information is usually provided...
thanks Greg and Allen. Matt don't overreact
(looks like tomorrow night I've got no choice but to beyond compare to the latest version (why do people get their kicks mucking around with others' good work???))
well I've locked down my board for the night, I've too much to lose there I'm afraid.
6.2.1.1 is now available in the Member's Area.
Yeah I was wondering what the hell happened, all my questions have been answered. The fix is in 6.2.1.1 right?
The new version was made for the fix.
quote:
Originally posted by dende:
The new version was made for the fix.
I thought so.
Better upgrade.
I deserve a rolleyes.
crazy guy.
Exactly.
Just wondering, what files have changed from 6.2.1 to 6.2.1.1?
And you didn't just download the Upgrade Only zip because...? Sheesh.
quote:
Originally posted by Sub Zero:
Lord Dexter: check here
Thanks Sub Zero.
CC, what about those of us on 6.1.0.4? Can you release a patch for us?
Unfortunately the changes rely on routines only present in the 6.2 series...
Sigh, will have to talk to someone about looking at this then for me. Even if it is 1 person who found it there might be more down the road unfortunately. Especially on the type of board I run tends to attract stuff like this at times.