
Known security issue?


Forte:
Today, my forum had an issue involving someone who claimed to be a hacker, who seems to have just signed up into the admin position. Is there any security issue in 1.1.16 that allows something like this, or is there something I need to do to make sure my database is secure?

live627:
No known security issues in 1.1.16.

Did he have db access before? When did you upgrade? Can you give us a list of installed mods?

Forte:
This guy was a completely random person, so no, he didn't have database access, and my host doesn't provide access logs. I updated my forum to 1.1.16 shortly after the update went live, and my currently installed mods are as follows:

1. Locked Topic Color (1.0)
2. Age and Gender Board Filter (1.2.1)
3. Additional Membergroups on Profile (1.1.2)
4. Profile_Visitors (3.0)
5. SMF 1.0.17 / 1.1.9 / 2.0 RC1 Update (1.0)
6. Enhanced Profile (1.1.5)
7. Custom Profile Field Mod (3.19)
8. Simple Award System (2.0.0b)
9. SMF 1.0.13 / 1.1.5 / 2.0 b3.1 Update (1.0)
10. Dynamic_Memberlist (1.1.1)
11. SMF 1.0.18 / 1.1.10 / 2.0 RC1-2 Update (1.0)
12. Admin Ban Button in Post (1.0)
13. AjaxInlineMessagePreview (2.0)
14. Global Headers Footers (1.4)
15. No More Ugly Avatar Scrollbars (1.0)
16. Avatar on Member List (1.0)
17. Colorized Membergroups (1.0)
18. SMF 1.0.15 / 1.1.7 Update (1.0)
19. Banlist (1.0)
20. Avatar Online Offline (1.0)
21. Ultimate Profile (0.9.1)
22. SMFShop (3.1.1)
23. Allow TAB in Postbox (1.1)
24. Additional Polls (1.2.2)
25. SMF 1.0.21 / 1.1.13 Update (1.0)
26. Add Stars To Profile (1.0.1)
27. Bot Buster (1.1)
28. Profile User Action (1.1)
29. Default Avatar (1.3)
30. SMFChess (1.0)
31. Add IP2Location to Track IP (1.3)
32. nneonneo's AJAX ShoutBox (1.22)
33. Avatars at Index Mod (1.5)
34. Spam Me Not Mod (1.02)
35. SMF 1.0.17 / 1.1.9 / 2.0 RC1 Update (1.0)
36. Anti Bot: Unrecognizable Form (1.1)
37. Admin Ban Button in Post (2.0)
38. Profile Music (1.0)
39. Crowns (1.1)
40. SMF 1.0.14 / 1.1.6 Update (1.0)
41. ColorizePost (2.0)
42. SMF 1.0.20 / 1.1.12 Update (1.0)
43. Default Avatar (1.4)
44. SMF 1.1.14 Update (1.0)
45. SMF 1.0.22 / 1.1.16 Update (1.0)
46. Manage Members Membergroups (1.0.0)
47. Password Protect Boards (0.2)
48. SMF 1.1.15 Update (1.0)
49. SMF 1.0.16 / 1.1.8 Update (1.0)
50. Inline Hover Spoiler (1.5)
51. SMF 1.1.15 Update (1.0)
52. [HTML] Permission Mod (1.01)
53. SMF 1.0.19 / 1.1.11 Update (1.0)

MrPhil:
Is there any evidence that they actually did get in as admin, or could they just be bluffing, to extort something from you? If they did get in, do you run any other applications on your site? They could have security holes (make sure you're at their latest levels). Perhaps your host has a server security hole (if you rule out everything else, be sure to let your host know). A hacker could be getting in by stealing passwords so they can get on to your forum or your site. Run a virus and spyware scan on all PCs you use to administer your site, and then change all passwords (site access, FTP, forum account, other applications, database) and make sure your PC firewall is enabled. Find and disable the admin access of this user, and look for backdoors and other hacks they may have installed.
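A defender-side check in the spirit of MrPhil's advice, added here as an example and not code from the thread or from SMF itself: it audits a member export for accounts sitting in the Administrator membergroup that the owner does not expect there, and for expected admins that have been demoted. The column names (smf_members.ID_MEMBER, memberName, ID_GROUP, dateRegistered) and Administrator being ID_GROUP 1 are assumptions about the SMF 1.1 schema; adjust them to your own database.

```python
# Added example (not SMF code): audit the Administrator membergroup against the
# list of admins the forum owner expects. Schema names are assumptions about
# SMF 1.1; verify them against your own smf_members table before relying on this.
ADMIN_GROUP_ID = 1  # assumption: SMF's default Administrator group id

# Constructed sample rows, as if taken from:
#   SELECT ID_MEMBER, memberName, ID_GROUP, dateRegistered FROM smf_members;
# dateRegistered is a Unix timestamp. Member 900 is a recent signup that has
# landed in the admin group; member 1 (the owner) has been moved out of it.
SAMPLE_MEMBERS = [
    {"ID_MEMBER": 1,   "memberName": "forte",     "ID_GROUP": 0, "dateRegistered": 1200000000},
    {"ID_MEMBER": 2,   "memberName": "modjane",   "ID_GROUP": 2, "dateRegistered": 1250000000},
    {"ID_MEMBER": 900, "memberName": "newsignup", "ID_GROUP": 1, "dateRegistered": 1334000000},
]


def audit_admin_group(rows, expected_admins, now, recent_days=7, admin_group=ADMIN_GROUP_ID):
    """Compare the Administrator membergroup with the owner's expected admin list.

    `now` is a Unix timestamp. Returns a dict of sorted memberName lists:
      unexpected_admins - in the admin group but not on the expected list
      demoted_admins    - on the expected list but no longer in the admin group
      recent_signups    - unexpected admins registered within `recent_days`
    Names are compared case-insensitively, as SMF logins are.
    """
    cutoff = now - recent_days * 86400
    expected = {name.lower() for name in expected_admins}
    current = {r["memberName"].lower(): r for r in rows if r["ID_GROUP"] == admin_group}
    unexpected = sorted(n for n in current if n not in expected)
    demoted = sorted(n for n in expected if n not in current)
    recent = [n for n in unexpected if current[n]["dateRegistered"] >= cutoff]
    return {
        "unexpected_admins": unexpected,
        "demoted_admins": demoted,
        "recent_signups": recent,
    }


if __name__ == "__main__":
    # Constructed "now": 1334500000 is mid-April 2012, a few days after member 900 signed up.
    report = audit_admin_group(SAMPLE_MEMBERS, ["forte"], now=1334500000)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Any name in unexpected_admins is an account to disable and investigate; a name in demoted_admins that you did not demote yourself is the same kind of signal.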

Forte:
Since I had been removed from my admin position, and the new user's usergroup was my admin group, I would consider that evidence, although the only thing the "hacker" did was lock some topics and demote me alone. It was easily fixed from the database itself, but none of my moderators or assistant admins were touched in the slightest. I checked on the other users on my forum who have the power to adjust usergroups, and none of them appear to have been online in the past few weeks, so it doesn't seem to be a prank.

I have heard of there being problems with security when you allow forms to be posted that can parse HTML, so I've decided that there is the potential that the mod that allows users to use HTML tags on a by-permission basis may have been the lapse in security that allowed that to happen. If there's a precedent for this from someone using that mod or a similar mod, I would be interested in hearing about it.
