(UPDATED the post and locked the thread, pending analysis of the data)
As you may have heard, several days ago, Avast, a company known for its popular antivirus and related security software, had its forum site hacked. Avast was using SMF as their forum software as they have done for several years now. When we heard, we immediately attempted to contact the Avast staff so that we could provide assistance and, more importantly, analyze the vector of the attack.
Unfortunately, they have not been particularly forthcoming in working with us (to this point), and have indeed accused Simple Machines of a number of things. While we understand that Avast is looking to preserve its standing in the web world and looking to lay the blame at anyone else's doorstep, aside from their own, we are concerned and upset over the unfounded accusations they have leveled. We take the security of our software very seriously at SMF. (Indeed, we have one of the best records of all open source forum software for security and for quick and effective patching of reported security issues.)
Without getting into any retaliatory accusations or attacks, let me address the issues as presented:
1- Avast claims to have been running SMF v2.0.6. We know of NO vulnerabilities in v2.0.6, and none have been reported to us.
1a- The site image taken by Google shortly before the hack indicates a copyright of 2012 on their SMF installation. This suggests to us that they are not being fully honest with their statement, since the last version of SMF to use a 2012 copyright date was 2.0.3.
(correction added: 2.0.3 used (c)2011. 2.0.4 used (c)2013 - since Avast clearly shows (c)2012, we can confidently state that they were not applying the full SMF approved patches from version to version and that whatever they were doing to patch their system was done by them, possibly manually)
1b- We know that the Avast installation was not a default installation and that some personal modifications had been made to their installation.
2- Avast claims that they have received notification from a blackhat site that there is a security vulnerability allowing RCE (Remote Code Execution) in 2.0.6. They have, so far, been unwilling to share the actual vector or logs for us to confirm.
They just shared the site/link which they claim shows the vulnerability. Unfortunately, despite their claims, the "vulnerability" listed on that site is nothing of the sort. It CLAIMS to allow the arbitrary execution of any PHP code, but it is incorrect (and can be quickly proven to be so). Although it might LOOK dangerous to anyone who is not familiar with code, it is not possible to use that code in the way the "blackhat" author suggests. Given the fact that we expect the Avast team to be familiar with coding, at this time, we have to assume that this is yet another attempt to pass the blame with no actual evidence or support.
3- (We find this particularly troubling) Avast claims that Simple Machines released an undocumented and silent security patch in 2.0.7 which addressed the 2.0.6 issue that they note. We vehemently deny this accusation. 2.0.7 was released with a few minor bug fixes and the main update that was intended to address the preg_replace /e modifier, which was deprecated in PHP 5.5. We have stated, over and over, that there was no security update in 2.0.7 and have even gone so far as to tell people that, if they are not using PHP 5.5, there is no need to upgrade to 2.0.7. We recently criticized a certain other software for releasing a silent security update without informing their users that the upgrade was required to be safe. We would not do that. We did not do that. We invite ANYONE to do a differential compare of the 2.0.6 code against the 2.0.7 code and point out where this supposed silent and undocumented security patch was done.
4- Avast claimed that they are working with us. As I stated above, we approached them, eager to help and work with them to discover the vector of the attack. They not only refused to give us any information but immediately started accusing us of being the vector. --- Shortly before the release of this statement, we received the first real communication from them. At this time, Avast is now communicating with us, somewhat, after we approached them again, but so far, we have not received any usable information so that we may analyze what exactly occurred. We will update this should the situation change.
5- Unfortunately, as happens, some news agencies have picked up on the rumor, innuendo and accusations thrown about by the Avast team and the members of that community, and have concluded (and reported), without any real evidence, as if those statements were the truth.
We assure our community and anyone using our forum software that we have been unable to find any true vulnerabilities in SMF v2.0.6 or v2.0.7.
There are many things to speculate on and I can suggest several possibilities of ways that the hacker could have gotten access to the Avast system without any vulnerability in SMF's code. I will, however, refrain from throwing out counter accusations or wild speculation until more information is available.
Despite the above, we invite the Avast webmasters to contact us further (either Kindred, who is the Project Manager of the Simple Machines Forum project, or CoreISP, who is the President of the Simple Machines corporation and the head of our server group). We are still willing to work with them to find the actual vector and will work quickly to release a patch (and our apologies) if we find that the SMF code was, in any way, the vector of the attack. However, at this time, we have seen no evidence to support or even suggest that there are any vulnerabilities in SMF versions 2.0.6 or 2.0.7. Additionally, if ANYONE has ANY information on a potential security issue in the Simple Machines Forum software, you can report it to firstname.lastname@example.org. ALL reports made to that address are reviewed and considered by the Developers, the Project Manager, the Server Team and members from the rest of the teams. As I stated above, we take our security record seriously.
Most of all, we wish that the Avast team and community refrain from throwing further accusations and attempting to damage the reputation of Simple Machines Forum without clear evidence and proof that they are willing to submit for review.
Avast has declared their intention to move to a different software for their forum, and that is their right. While we hate to see them leave our community of users, I do challenge them to actually find any open source forum software with a better security record or a more responsive team.
Project Manager, Simple Machines Forum
Director, Simple Machines
Avast is now working WITH us to analyze the server logs and the code from the server to determine the vector and the payload of the attack.
Once we are out of the realm of supposition and guessing, and have some evidence, we will put together a clear statement on our findings.