SQL Injection

Started by forsakenlad, June 13, 2005, 08:25:18 AM


forsakenlad

Hey guys, recently I have come across some ruined SMF forums. They had some common problems: it looked like some of their tables were emptied, like the members and the messages tables. Is there any chance they can be doing this using SQL injection through the login page? Because when I checked the logs just before the forum crash there was some weird login activity. I don't think this is a coincidence because I have seen a lot of incidents like these, one of which is one of my sites. Thanks for any help in return ;)
Eren "forsakenlad" Yaşarkurt
SMF Friend & Former Team Member

Ben_S

Could you email the access logs to [email protected]
Liverpool FC Forum with 14 million+ posts.

forsakenlad

On one of the hosts I don't have the access logs but I have the smf_sessions table saved; if you want I can send it. For the other hosts I will try to get the access logs ;)
Eren "forsakenlad" Yaşarkurt
SMF Friend & Former Team Member

Grudge

forsakenlad,

Please send whatever you have (error logs, moderation logs, log_online etc) from around that time to the above address. I can't really see how they'd do an SQL injection but better to be safe. Also - it's remarkable that hosts don't have access logs on!
I'm only a half geek really...

Mr. Knightmare

I had a similar, not so similar problem with SMF 1.0.4. The problem that I had is that suddenly I saw a visitor that was not registered who started moving posts to the administration subforum, and that wasn't supposed to have access. I'm really annoyed about what could have happened, but I can send you the logs if you want; they aren't so much, and one log says that it couldn't send an e-mail to x people. How could he have attempted to send an email to somebody from the forum?? Is it because of the e-mail notification when somebody moves a post?

Well, hope somebody can help me.

hxxp:www.infohackargentina.com.ar/ [nonactive]

Grudge

Evil Devil,

Did he actually *move* the posts to another forum - or try to? Don't forget that people can look like they're trying to do things but not succeed. Also - check that you have your guest permissions set up correctly. Log out of your forum and check you can't do anything you don't want guests doing.
I'm only a half geek really...

Mr. Knightmare

Well, actually, I wasn't there at the moment but other admins said that. But the visitor was registered; I put it wrong in my last post. And yes, he moved the posts, and then the admins realized that and banned him.

The privileges for users and visitors are set OK, and everything's going well now. But I have the mail of the one who is supposed to have moved the posts, but I didn't have the chance to talk with him, but the other admins say that he said he would only bother that day, and never again. So I am waiting to talk to him so that I can know what really happened. Because all I have now and am telling you is based on what other admins have said about it.

It's really confusing, and I cannot express myself very well in English so I can't tell you everything very well, sorry.

But I hope to talk to him soon and give you more details.

Thanks in advance.

hxxp:www.infohackargentina.com.ar/ [nonactive]

forsakenlad

The mail with corrupted database is sent, I will try to get any access logs I can find from other webmasters. The reason for the late reply is, umm "You know it Grudge :)"
Eren "forsakenlad" Yaşarkurt
SMF Friend & Former Team Member

[Unknown]

As I said via email, the evidence you sent does not lead me to believe any SQL injection occurred, but I can't know until I get more information - as I requested.

-[Unknown]

forsakenlad

All right, as stated in the mail I will try to get more information, thanks for your caring :)
Eren "forsakenlad" Yaşarkurt
SMF Friend & Former Team Member

forsakenlad

The information I had given to [Unknown] had led him to believe that ftp/cpanel access was gained somehow and it appears to be true; it was probably guessed. For the other incidents, I have gone through a lot of investigation and have found out that the others were indeed SQL injection attacks, but in both cases the security holes of the Portal/CMS systems which were installed together with SMF had caused the damage... So I apologise to all of you for posting a false security bug... And I will never forgive myself for thinking that SMF might have had a big security hole :)
Eren "forsakenlad" Yaşarkurt
SMF Friend & Former Team Member

dtm.exe

Quote from: forsakenlad on June 19, 2005, 09:45:29 PM
And I will never forgive myself for thinking that SMF might have had a big security hole :)

Meh, not your fault...forgiven (by me at least) ;).

-Dan The Man

Grudge

We'd much rather you report a bug which didn't end up being one than let one go by undetected. It's good that in this case it was not SMF - but it's always nice to be sure.
I'm only a half geek really...

NOS ChromeNut

And some of us are watching this intently. I just updated to 1.0.4 and have given out my forums link to several shady "acquaintances" to try and hack into it. I'm also trying to hack my own forums just to see if I can. If I do uncover any openings in that tight SMF wall, I'll be glad to post them here. I'm already disturbed that I was able to hack into my company's forums, which I run on xmb...

I'm only doing this because I've had so many forums/boards on so many different software packages lately that I've become concerned about the security of them across the board (pun intended). I do have all my forums registered with the major search engines and with DMOZ/The Open Directory Project, so I get a lot of trawling and bots/spider hits, but I noticed a significant decrease in 'guest' visitors on my SMF board, which replaced a phpBB board on the same URL, and my feel for that is that phpBB is possibly less restrictive, therefore more open to invasion???

Maybe this isn't the proper forum to discuss this, and I don't want to publicly bash another company's board software, but my initial response to SMF (only have had it running for three months now) is that SMF has a tighter structure and at least that gives me the perception that it's more secure than some others.

Comments???

Grudge

NOS ChromeNut,

If you do *ever* find any possible flaws in SMF, never, I mean never, post them here! We have a security email address at [email protected] for the posting of any suspected problems. The worst thing anyone can do if they find a possible exploit is to make it public as that puts everyone at risk.

Grudge
I'm only a half geek really...

forsakenlad

Lol sorry then, I am glad that I have not given the details for using the SQL injection on several different CMS'... ;)
Eren "forsakenlad" Yaşarkurt
SMF Friend & Former Team Member

trparky

I am not trying to bash PHPbb, but it seriously has security issues.

If you had access to some of the Help Desk Tickets that we have had over the last four months at Rochen, you would notice that 95% of the "Help! My site has been hacked!" tickets were because they had...you guessed it! PHPbb.

One good thing I have to say is that we have had absolutely no issues with a bug in Simple Machines being a doorway for a hack.

That doesn't mean that you should let your guard down; constant code reviews are a must.
Tom
Darkscribes [nofollow], Home of Anime Fanfiction and Original Works of Fiction

NOS ChromeNut

Quote from: Grudge on June 21, 2005, 04:40:18 AM
NOS ChromeNut,

If you do *ever* find any possible flaws in SMF, never, I mean never, post them here! We have a security email address at [email protected] for the posting of any suspected problems. The worst thing anyone can do if they find a possible exploit is to make it public as that puts everyone at risk.

Grudge

Ah, very good, yes I will take that advice and if I do find anything, which by the way the only thing discovered was something I did in error, but we will let you know via the appropriate method and not here on the web. Thanks again, and great work guys!!!
