Analysing SMF 2 RC2 Security

Started by Bass Junkie, June 16, 2010, 08:44:13 PM


Bass Junkie

Hi Guys,

We are currently running SMF 2.0 RC2, and have had a breach of security in an ex-admin being able to view topics that they do not have the permissions to view. We have run through the groups and forum permission settings and could not find any obvious back-doors; FTP/MySQL and CPanel passwords have been changed. Does anyone have any ideas or other things we could check for potential back-doors that were placed by the previous admin, or any other things we can do to ensure the security of sensitive data?

Thanks

Mick.

Make sure the board "he" read is not available to "regular" members. In admin--->forums---->boards.

It's likely that board is viewable by non-admins.

Bass Junkie

Yeah, regular users definitely cannot view this board.

Mick.

Quote from: Bass Junkie on June 16, 2010, 08:51:18 PM
Yeah, regular users definitely cannot view this board.

Do you have a "regular" account for testing purposes? See if you can gain access to such board as a regular.

Bass Junkie

Yeah, definitely secure for regular members, we have over 1000 members and only about 12 are authorised to view this area, which is why we're assuming the ex-admin is responsible for the leak. I'm concerned that he's left a file somewhere that was doing SQL injections somewhere, not sure if there are any particular tables that I should be looking for for consistency.

Antechinus

Ok this might seem like a dumb question but why are you on RC2? RC3 plugged quite a few security holes, many of which involved use of admin accounts.

Personally I'd start with an upgrade. If he has left a file somewhere this should sort it, if you do the upgrade by deleting the current files and loading clean ones. I often do them this way as it ensures a clean setup for test sites.

The only files and folders you need to keep are Settings.php and Settings_bak.php (of course) plus your Attachments folder. All the rest can be replaced by the upgrade files and folders, or after the upgrade in the case of mods and smileys. If you have a lot of custom smileys and don't want to reinstall those you can keep that folder as well and just check it for anything that isn't a smiley.

This will sort all SMF files so there will be no question about them. Other files on your site would still have to be checked somehow.

Bass Junkie

Main reason we haven't done that yet is we have an extension that was custom built for RC2 (uses the eRepublik API system). Definitely sounds like it's the way to go, upgrading to RC3 - I'll deliver an ultimatum to the owners of the site - they paid a fair bit of money for the extension but at this stage might be best to simply scrap it.

Antechinus

Ok well the other option, if it won't totally bollix things, is to temporarily do the same trick but with RC2 files.

vbgamer45

Or you can probably just get the extension updated; there were not too many changes mod wise from RC2 to RC3.

Bass Junkie

Yeah, I'll probably be able to update the mod myself; I'll just have to pull time from my paid job :P

Thanks for the help guys, given me a few ideas to go forward with.

YogiBear

You say he's an ex-admin so presumably now a regular member. Check the Additional Membergroup settings in his account and you may find the administrator field is ticked. An effective back door method of disguising an admin as a regular member.


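The Additional Membergroup check suggested above can be run over every account at once instead of one profile at a time. This is an added example, not part of the original thread and not SMF's own code; it assumes rows exported from the SMF 2.0 `members` table (columns `id_member`, `member_name`, `id_group`, `id_post_group`, `additional_groups`), a board's `member_groups` list, and group 1 as Administrator, and the sample rows are constructed.

```python
"""Audit SMF member rows for hidden admin rights and access to a restricted board."""

ADMIN_GROUP = 1  # assumed id of SMF's built-in Administrator group


def parse_groups(csv_field):
    """Turn a comma-separated group list such as '2,9' into a set of ints."""
    return {int(g) for g in (csv_field or "").split(",") if g.strip().isdigit()}


def effective_groups(member):
    """All groups a member belongs to: primary, post-count and additional."""
    groups = parse_groups(member.get("additional_groups"))
    groups.update({int(member["id_group"]), int(member["id_post_group"])})
    return groups


def audit(members, board_member_groups, expected_viewers):
    """Return (hidden_admins, unexpected_viewers) as sorted lists of member names."""
    allowed = parse_groups(board_member_groups)
    hidden_admins, unexpected = [], []
    for m in members:
        groups = effective_groups(m)
        # Admin rights held only through additional_groups: the primary group looks normal.
        if ADMIN_GROUP in groups and int(m["id_group"]) != ADMIN_GROUP:
            hidden_admins.append(m["member_name"])
        # Administrators see every board; everyone else needs a group listed on the board.
        can_view = ADMIN_GROUP in groups or bool(groups & allowed)
        if can_view and m["member_name"] not in expected_viewers:
            unexpected.append(m["member_name"])
    return sorted(hidden_admins), sorted(unexpected)


# Constructed sample rows, not data from the forum discussed in this thread.
SAMPLE_MEMBERS = [
    {"member_name": "owner", "id_group": 1, "id_post_group": 4, "additional_groups": ""},
    {"member_name": "staff_a", "id_group": 9, "id_post_group": 5, "additional_groups": ""},
    {"member_name": "ex_admin", "id_group": 0, "id_post_group": 6, "additional_groups": "1"},
    {"member_name": "helper_b", "id_group": 0, "id_post_group": 4, "additional_groups": "2,9"},
    {"member_name": "regular_c", "id_group": 0, "id_post_group": 4, "additional_groups": ""},
]
SAMPLE_BOARD_GROUPS = "9"            # restricted board visible to custom group 9 only
SAMPLE_EXPECTED = {"owner", "staff_a"}  # the people who are supposed to have access

if __name__ == "__main__":
    hidden, extra = audit(SAMPLE_MEMBERS, SAMPLE_BOARD_GROUPS, SAMPLE_EXPECTED)
    print("admin via additional groups:", hidden)
    print("can view board but not on the authorised list:", extra)
```

Any name in the second list that is not one of the authorised viewers is an account to review before looking for planted files.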

Bass Junkie

Nah he's IP banned, but we know he uses Tor and creates new accounts now and then. Upgraded to RC3, so now we just wait and see if the problem resurfaces :P

Thanks for your help guys.
