Simple Machines Community Forum

SMF Support => SMF 1.1.x Support => Topic started by: rthrash on May 11, 2009, 11:07:12 AM

Title: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: rthrash on May 11, 2009, 11:07:12 AM
And yes, it's from the infamous krisbarteo

For troubleshooting it's accomplished, here's the initial error log from our site, cleaned up:


Error messages from IP (range) 94.142.129.147 for user krisbarteo

8: Use of undefined constant port - assumed 'port'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant host - assumed 'host'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant host - assumed 'host'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant query - assumed 'query'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant query - assumed 'query'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant query - assumed 'query'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Undefined index: port
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant port - assumed 'port'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant port - assumed 'port'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant php - assumed 'php'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM


For reference, we've disabled attachments and uploads for the time being which would have prevented this exploit. The end result was the c99cmdshell being uploaded and running amok for a few hours.

Are the vectors the script kiddies are exploiting patched in the 2.0 rc?
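Added example, not part of the thread and not SMF code: a triage script for the two checks this post implies. It flags PHP errors whose "File:" is an uploaded image (as in the log above, evidence that PHP executed the upload) and sweeps files that are already stored. The function names, the `/attachments/` directory name and all sample data are assumptions constructed for illustration.

```python
import os
import re
from pathlib import PurePosixPath

# Constructed sample in the layout of the error log quoted in the post above.
# The third entry (an ordinary .php source file) is invented for contrast.
SAMPLE_LOG = """\
8: Use of undefined constant port - assumed 'port'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Undefined index: port
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Undefined variable: example
File: /smf/forums/Sources/Example.php
Line: 120
?action=profile Yesterday at 09:10 AM
"""

ENTRY = re.compile(
    r"^(?P<level>\d+): (?P<msg>.+)\n"
    r"File: (?P<file>.+)\n"
    r"Line: (?P<line>\d+)\n"
    r"(?P<request>\?\S*)",
    re.MULTILINE,
)
IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
UPLOAD_DIR = "/attachments/"  # assumption: name of the upload directory

# Leading bytes expected for each image extension.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def executed_uploads(log_text):
    """Map each uploaded file named in a PHP error to its hit count, the member
    ids in the request (u=...) and the request strings. A PHP notice raised
    from inside an image means the interpreter was running that file."""
    hits = {}
    for m in ENTRY.finditer(log_text):
        path = m["file"].strip()
        suffix = PurePosixPath(path).suffix.lower()
        if not (suffix in IMAGE_EXT or UPLOAD_DIR in path):
            continue  # error came from ordinary application code
        entry = hits.setdefault(
            path, {"count": 0, "member_ids": set(), "requests": set()}
        )
        entry["count"] += 1
        entry["requests"].add(m["request"])
        entry["member_ids"].update(
            re.findall(r"(?:^|[;?&])u=(\d+)", m["request"])
        )
    return hits


def inspect_upload(name, data):
    """Return findings for one stored file. The header check alone is not
    enough: a file can start with valid image bytes and still carry a PHP
    open tag later, so both checks are reported separately."""
    findings = []
    signatures = MAGIC.get(PurePosixPath(name).suffix.lower())
    if signatures and not data.startswith(signatures):
        findings.append("magic-mismatch")
    if PHP_TAG.search(data):
        findings.append("php-open-tag")
    return findings


def sweep_directory(root):
    """Inspect every file already under root; disabling new uploads does not
    remove anything that was stored earlier."""
    flagged = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            with open(full, "rb") as fh:
                findings = inspect_upload(name, fh.read())
            if findings:
                flagged[full] = findings
    return flagged


# Constructed inert samples: a minimal GIF header, and the same header
# followed by a PHP open tag that contains only a comment.
CLEAN_GIF = b"GIF89a" + bytes([1, 0, 1, 0, 0x80, 0, 0]) + b"\x00" * 6 + b";"
TAGGED_GIF = CLEAN_GIF + b"<?php /* constructed inert marker */ ?>"

if __name__ == "__main__":
    for path, info in executed_uploads(SAMPLE_LOG).items():
        print(path, info["count"], sorted(info["member_ids"]))
    print(inspect_upload("avatar_1.gif", CLEAN_GIF))
    print(inspect_upload("avatar_2.gif", TAGGED_GIF))
```

A hit from `executed_uploads` is evidence that execution happened; a hit from `sweep_directory` is only a lead to review, since the byte patterns can occur by chance in binary data.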
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Aleksi "Lex" Kilpinen on May 12, 2009, 03:43:49 AM
Quote from: rthrash on May 11, 2009, 11:07:12 AM
For reference, we've disabled attachments and uploads for the time being which would have prevented this exploit. The end result was the c99cmdshell being uploaded and running amok for a few hours.
You seem to have things under control, do you still require some assistance related to this - or can this be marked as solved from the support point of view?
If you wish to discuss this issue further - it might be better out of the support boards.
Perhaps this should be moved to SMF Feedback and Discussion (http://www.simplemachines.org/community/index.php?board=2.0) ?
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: rthrash on May 12, 2009, 07:33:48 AM
The fact that the avatar upload issue was supposed to be resolved with 1.1.8 definitely leads me to conclude the issue is not resolved. I would appreciate a moderator moving it to the proper locations for ongoing discussion.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Kermit on May 12, 2009, 07:44:19 AM
Quote from: StarWars Fan on May 12, 2009, 07:41:09 AM


Telling people to disable avatar attachment uploads is ridiculous.

Is it ?

It's a temporary solution, until the patch is released; if you have any other suggestion, just tell it!
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Kermit on May 12, 2009, 08:02:35 AM
Quote from: StarWars Fan on May 12, 2009, 07:58:36 AM
Look, I'm a long time user of SMF and quite frankly shocked that this kind of "trick upload" of a php file disguised as an avatar could actually occur with SMF.

We've constantly been told that "encrypted" uploads will protect you. And "SMF is a big boy and doesn't need its hand held". What happened?

I believe (I could be wrong) it's been over a week and it appears that the support staff already knew about Krisbertwhatever even earlier.

What's the delay in getting a "make sure the avatar is really an image" patch out?

It's unfortunately not so easy to release a security patch as you thought, the DEVs are working hard on this issue and don't forget we're all volunteers here, also you should just have patience and follow the temporary suggestions.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Aleksi "Lex" Kilpinen on May 12, 2009, 08:06:08 AM
Would you agree Duncan?

Quote from: LexArma on May 12, 2009, 03:43:49 AM
Perhaps this should be moved to SMF Feedback and Discussion (http://www.simplemachines.org/community/index.php?board=2.0) ?
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: rthrash on May 12, 2009, 08:15:34 AM
SMF should probably officially acknowledge this compromise vector, and officially recommend the temporary measure of locking down uploads until a patch is available. This is a bad, bad, bad thing going on here guys 'n gals, and it's going to affect more and more sites. (This is how we handle any security issues that arise at our CMS project which is running SMF with tens of thousands of users and hundreds of thousands of downloads.)

I'd also submit that the default configuration that ships with SMF be better-tweaked for security out of the box. No new avatars or forum attachments for us for now sadly.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: rthrash on May 12, 2009, 08:46:56 AM
Quote from: StarWars Fan on May 12, 2009, 08:25:21 AM
Also, the hacker DID visit my forum and did not succeed. Why? Not sure, but, here's my setup:

Avatar Attachment uploads disabled for new users only.

That's the compromise vector that's currently known so there's the answer. :) Not allowing new users below a certain threshold of posts to upload avatars is only a false security blanket because once the post count is reached the hole remains. Still, better than nothing, but it's why we turned it off completely.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: djkimmel on May 12, 2009, 01:04:27 PM
Is there a way for the SMF team to use the admin area of our forums about upgrades to also announce when there is a known vulnerability that is being actively exploited and pointing out a thread for temporary advice to deal with the issue? That might have helped some of us who aren't checking here all the time looking through threads randomly for trouble to have easily avoided this attack before it created 6 or 8 hours of work? Especially those of us who are not PHP or security whizzes.

I understand these $#%@# hackers will constantly try, but if I had received a message in admin saying temporarily disable avatars and watch for a 'krisbarteo' my life would have been so much simpler. Maybe many others since this looks like it was going on a while before I was hacked. I'd had so many people trying to get on from European IPs one wasn't any more 'trouble' to me than the next.

Is there a way to use that same mechanism about upgrades for other notices? Is it feasible? Or too much to ask? I understand how much work all this is.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: N3RVE on May 12, 2009, 01:28:59 PM
Hi all, Thanks for contacting us regarding the exploit. We are aware of it and our developers are looking into the issue as a priority. As a precaution, I would suggest that you disable 'attachments and uploads' for the time being which will prevent this exploit; the option to do this can be found at the Attachments and Avatars (http://docs.simplemachines.org/index.php?board=50.0;sort=subject) section of your administration control panel.

As a temporary measure, you could rename your attachments directory to something else (preferably random alpha characters) and also ensure that the admin CP has the correct directory name in 'Attachments and Avatars'.

We hope to have this issue resolved shortly, and would again like to thank you for taking the time to warn us of this exploit.

Kind Regards,
-[n3rve]
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: N3RVE on May 12, 2009, 01:30:42 PM
Quote from: djkimmel on May 12, 2009, 01:04:27 PM
Is there a way for the SMF team to use the admin area of our forums about upgrades to also announce when there is a known vulnerability that is being actively exploited and pointing out a thread for temporary advice to deal with the issue? That might have helped some of us who aren't checking here all the time looking through threads randomly for trouble to have easily avoided this attack before it created 6 or 8 hours of work? Especially those of us who are not PHP or security whizzes.

I understand these $#%@# hackers will constantly try, but if I had received a message in admin saying temporarily disable avatars and watch for a 'krisbarteo' my life would have been so much simpler. Maybe many others since this looks like it was going on a while before I was hacked. I'd had so many people trying to get on from European IPs one wasn't any more 'trouble' to me than the next.

Is there a way to use that same mechanism about upgrades for other notices? Is it feasible? Or too much to ask? I understand how much work all this is.

Thanks for posting suggestions, please air all concerns at the SMF Feedback and Discussion (http://www.simplemachines.org/community/index.php?board=2.0) board.

-[n3rve]
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Leemy on May 12, 2009, 04:01:02 PM
1. Do you have to disable all new attachments or can you just turn on the "check extension" option?

2. I have disabled all but server-stored avatars.  Good?
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: rthrash on May 12, 2009, 04:35:20 PM
Quote from: Saleem on May 12, 2009, 04:01:02 PM
1. Do you have to disable all new attachments or can you just turn on the "check extension" option?

2. I have disabled all but server-stored avatars.  Good?
No to #1; no uploads for avatars, period.

If #2 means the default ones that SMF ships with then you are probably OK.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Leemy on May 12, 2009, 04:39:27 PM
Quote from: rthrash on May 12, 2009, 04:35:20 PM
Quote from: Saleem on May 12, 2009, 04:01:02 PM
1. Do you have to disable all new attachments or can you just turn on the "check extension" option?
No to #1; no uploads for avatars, period.
Sorry to beat a dead horse, but "Can I disable avatars but leave Attachments-uploading enabled?"
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: rthrash on May 12, 2009, 04:48:21 PM
I wouldn't but I don't think that's the vector that's been exploited to date.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: uncajesse on May 12, 2009, 05:12:56 PM
The method is...

Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 12, 2009, 05:28:49 PM
IMHO, allowing uploadable avatars/attachments for brand spankin new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

So, with that said, just disable avatars/attachments or at the least, limit them to users who have posted more than 5-10 posts and patiently await the security patch.

Or see my post that I made here: http://www.simplemachines.org/community/index.php?topic=309717.0
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: rthrash on May 12, 2009, 05:39:41 PM
Quote from: JBlaze™ on May 12, 2009, 05:28:49 PM
IMHO, allowing uploadable avatars/attachments for brand spankin new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

When the SMF project itself posts a point release to prevent that exact type of exploit (with 1.1.8 IIRC), I can see how someone would think it's OK to enable some basic forum bling for new users. That said, hindsight is 20/20. While you're limiting new users, you might as well restrict their PM ability too to prevent PM spam.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Agafonov on May 12, 2009, 06:05:01 PM
Some findings of how avatars got executed: http://www.simplemachines.org/community/index.php?topic=307717.msg2056804#msg2056804
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: wtmpp on May 17, 2009, 06:17:05 PM
Quote from: JBlaze™ on May 12, 2009, 05:28:49 PM
IMHO, allowing uploadable avatars/attachments for brand spankin new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

So, with that said, just disable avatars/attachments or at the least, limit them to users who have posted more than 5-10 posts and patiently await the security patch.

Or see my post that I made here: http://www.simplemachines.org/community/index.php?topic=309717.0
With all due respect, that statement is patently stupid. Why would anyone NOT use a legal feature of software they trust?
What about posting? Should that be denied also?

How about reading? Maybe we should limit that as well?

Having the user avatars be uploaded and hosted locally IS a better security practice because all someone needs to really screw with your forum is post images or avatars on a server they control and they can track all your member IPs (including your admins) and they can make your performance go to hell (by linking to large images that everyone's browser chokes on trying to download or are really PHP programs with a Sleep() command :(.

I am really disappointed with the SMF behavior of dealing with this.

Without going into details, an announcement of a possible vulnerability and a work-around on the front page or stickied somewhere is, I feel, the appropriate way of dealing with this

I feel strongly (perhaps wrongly), but I feel SMF is more concerned about its perceived security reputation than the safety of its members

:(  :( :( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(

This vulnerability is too important to be buried on a back page somewhere. This is the problem with open source that is not "open" and honest.
:( regards
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 17, 2009, 06:27:15 PM
wtmpp, I see you misinterpreted my post. It said, first line, IMHO, which means "In My Honest Opinion". In other words, that is not a statement.

Getting back on topic, the SMF Development Team has made this security patch a priority, even above getting RC2 public. So please, simply follow the simple guidelines provided until the patch is released.

Regards,
JBlaze
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: busterone on May 17, 2009, 07:06:27 PM
Quote from: wtmpp on May 17, 2009, 06:17:05 PM
Quote from: JBlaze™ on May 12, 2009, 05:28:49 PM
IMHO, allowing uploadable avatars/attachments for brand spankin new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

So, with that said, just disable avatars/attachments or at the least, limit them to users who have posted more than 5-10 posts and patiently await the security patch.

Or see my post that I made here: http://www.simplemachines.org/community/index.php?topic=309717.0
With all due respect, that statement is patently stupid. Why would anyone NOT use a legal feature of software they trust?
What about posting? Should that be denied also?

How about reading? Maybe we should limit that as well?

Having the user avatars be uploaded and hosted locally IS a better security practice because all someone needs to really screw with your forum is post images or avatars on a server they control and they can track all your member IPs (including your admins) and they can make your performance go to hell (by linking to large images that everyone's browser chokes on trying to download or are really PHP programs with a Sleep() command :(.

I am really disappointed with the SMF behavior of dealing with this.

Without going into details, an announcement of a possible vulnerability and a work-around on the front page or stickied somewhere is, I feel, the appropriate way of dealing with this

I feel strongly (perhaps wrongly), but I feel SMF is more concerned about its perceived security reputation than the safety of its members

:(  :( :( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(

This vulnerability is too important to be buried on a back page somewhere. This is the problem with open source that is not "open" and honest.
:( regards
Sorry, but I do not see your logic or flame of SMF as being valid.
As JBlaze said, I agree wholeheartedly and have always done long before this hack was discovered. I do not allow user avatar uploads to my server period anymore, but at one time, never before 50 posts.  I do not allow any uploads of avs or attachments for anyone other than admins on my staff. I also believe that by avatars being hosted on an outside image host, it saves me much bandwidth usage and trouble.
I have never heard of any way that my forum can be compromised by images being hosted elsewhere, nor having my users' IPs harvested. If such exists, I need proof.
The team is working on repairing this security breach. Do not forget that all of SMF's team are purely volunteers, and they do this often for very little thanks and for no pay.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: wtmpp on May 17, 2009, 07:39:14 PM
"I have never heard of any way that my forum can be compromised by images being hosted elsewhere, nor having my users' IPs harvested. If such exists, I need proof."

You know, I was halfway into typing up source code and stuff, but that would be going offtopic and frankly, I don't even care if you believe me or not, since I'm not Santa Claus and don't need your cookies and milk on the mantel. Suffice it to say, it's all possible, ask one of the SMF devs to explain it to you.


It's not a "flame of SMF" to say that a serious security vulnerability that allows someone to take TOTAL CONTROL OF YOUR FORUM should be handled in a more serious and professional manner!
No software is perfect, and mistakes happen always, but this is not an errant mistake, it's a conscious act to hide this on the back page :( and I don't think it's right.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: mashby on May 17, 2009, 07:43:55 PM
Quote
it's a conscious act to hide this on the back page :( and I don't think it's right.

Last I checked, there's a stickied topic under SMF 1.x Support. Yeah, it's not a good thing to have a serious flaw in software, but there are some things you can do to keep your site safe in the meantime.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: wtmpp on May 17, 2009, 09:52:30 PM
Quote from: mashby on May 17, 2009, 07:43:55 PM
Quote
it's a conscious act to hide this on the back page :( and I don't think it's right.

Last I checked, there's a stickied topic under SMF 1.x Support. Yeah, it's not a good thing to have a serious flaw in software, but there are some things you can do to keep your site safe in the meantime.
Do you really think a "stickied post" buried somewhere is enough?
Look on the news on the front page.. no mention of this.

We are also told to not use version 2 yet, not in production anyway.

and I did go look at that post.. Does a good job of whispering the seriousness of the situation....
arghh... no harm done, not to me anyway...

Yes, I know, I guess I'm really pissed 'cause I spent the better part of the weekend tracking down all me mates I've recommended this software to.

This is also an ooooooooooooold bug. There is no excuse for something like this to still be happening :(
oh well....

For the first time, I actually started looking at phpBB3 and PunBB... just for kicks... I definitely won't switch my little Trekkie Forum, but maybe for another project that needs a little forum, I'll try one of those maybe... who knows?
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: LiroyvH on May 17, 2009, 10:58:12 PM
Stickied posts are not buried, they pop up on top of the page, no matter if you are on page 1 or 500.
That's not exactly burying it, is it...?

Which software you use for your site is totally up to you. If you don't wish to disable your avatars for new users while the SMF developers are working very hard on a solution, that is totally up to you and it will be your own problem and risk :)
Even *IF* SMF was trying to bury the fact that there is a little flaw, you are warned now, aren't you? ;)
No further point in arguing or pointing fingers at people in my opinion. Let's keep it nice.

I guess it is a matter of choice...
And yes I do understand you may feel a bit angry because you feel vulnerable now due to this little flaw, but the coders are doing their best to fix this issue. Give them a little bit of time, and in the meanwhile: do what you have to do to secure your forum, temporary solutions have been presented to you here :) ;)


Sincerely,
- Liroy
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Uhura! on May 17, 2009, 11:23:16 PM
Quote from: StarWars Fan on May 12, 2009, 07:41:09 AM
You're right - it's not resolved and won't be until the overdue patch for this problem is released.

Telling people to disable avatar attachment uploads is ridiculous.

Yes...I had members complain about it...

My band aid was to only allow members with one or more posts to upload attachments.

Please.fix.this.soon.

:)
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Uhura! on May 17, 2009, 11:36:18 PM
Quote
IMHO, allowing uploadable avatars/attachments for brand spankin new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

So, with that said, just disable avatars/attachments or at the least, limit them to users who have posted more than 5-10 posts and patiently await the security patch.

I agree with this philosophy and I was using it, but after reading a bit further - I'm going to go Brooklyn and disable it all.

Even after the patch, I will allow no uploads for members with no posts...
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Antechinus on May 17, 2009, 11:59:08 PM
It's a good plan. Personally I only allow avs and attachment uploads for staff and a trusted membergroup. This is just my standard policy, even before this exploit was known.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: wtmpp on May 18, 2009, 12:05:33 AM
" [NOTICE] How to secure your site against recent attacks"
"SMF 1.1.7: Session verification failed when installing mods or SMF 1.1.8 update"
"Upgrade script timing out?  New  « 1 2  All "
"READ FIRST: How to help us help you "

CoreISP/Liroy, here are the 1st  4 stickied posts. Does any of them have any specific "Call To Action?"

Let's get personal, you run a hosting company, correct?
http://order.dedicatedbox.net/cart.php?a=confproduct&i=0 Here is a link to the details page of one of your hosting offerings, and I see you use Plesk.

Now let's say that you have a Linux administrator who regularly sends you an email about the security update news he comes across.
There is a major security hole in Plesk9 that allows an attacker to take COMPLETE CONTROL OF THE SERVER. Your Linux admin sends you a notice (one of MANY) that says
"How to secure and harden Plesk against attack" ...
do you think an issue as serious and with as severe implications as this would deserve a more *assertive* warning?

It may be bad to shout "fire" in a crowded theater, but is it better to whisper? What if there really IS a fire? Should we all burn?

Ask yourself this: If you had an employee whose job it was to monitor security news and bring matters to your attention and THAT was the casual way he did it... wouldn't you *fire his ass??*

When you log in via your SMF 1.18 admin panel - is there urgent news on the news feed?
Technically, SMF could turn this off themselves since the news feed is actually Javascript, so technically they could send javascript that turns off the attachment feature.

Quote
And yes I do understand you may feel a bit angry because you feel vulnerable now due to this little flaw,

No, I already said why I was upset :)
Quote
Yes, I know, I guess I'm really pissed 'cause I spent the better part of the weekend tracking down all me mates I've recommended this software to.

And btw, it's not a LITTLE flaw. Any flaw that allows an attacker to execute arbitrary code is a MAJOR, MAJOR flaw, sigh.
I would recommend that people disable ALL attachments and avatars (maybe by renaming or hiding the avatar/uploads folder for a day) till they have time to check. Blocking new uploads won't help if crap has already been uploaded :(

@Antechinus, that's good too 'cause sometimes you have the issue of offensive images in Avatars/sigs, so it makes sense that that privilege should be earned, not just given away
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Leemy on May 18, 2009, 12:39:06 AM
I'm not sure what debate/fighting is raging here, but I do think the notice of this flaw (and the upcoming patch) should be more prominent.  Some suggestions

- Latest news which would show up on simplemachines.org front page
- MUCH more visibly, show it in the News section in the Administration Panel. This is seen by SMF forum admins much more often than simplemachines.org's Support for SMF 1.x board.  Why not publicize it to SMF admins? They are not the general public, nor do they have an interest in harming their own forum.  Certainly when a patch is released, there will be some notification?

I appreciate the developers' work on a solution and hope it comes very soon. In the meantime, it should be broadcast publicly to SMF forum admins on how to avoid this; the regular users of simplemachines.org's support forum are a small, small subset of all SMF admins.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Antechinus on May 18, 2009, 12:41:21 AM
One thing to bear in mind: anyone who does want to hack SMF sites will have their own test installation. You will be notifying them too. :P
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: metallica48423 on May 18, 2009, 12:44:29 AM
I'd like to present a few points, in brief:

1.) The reason that we do not "announce" security breaches until we have a patch available is because the moment we release information on the exploit, the exploit will quickly fall into the hands of people that will use it for much more destructive use than what this bunch of hackers has used.  Understand that these people could just as easily have deleted all files and databases from your account with this exploit.  We do not want a larger selection of SMF users being harmed by this than already have.  Acknowledging the security breach beforehand will guarantee this.  I have already personally verified at least two hacker "groups" that often target bulletin board software that have used information posted by us to hack others in prior exploits.

2.) I do agree that in large scale situations, such as these, we could communicate better with admins, perhaps through the adminCP or similar.  We'll be discussing this at the team level.  However, we have, rather than staying mum on the subject, been directly assisting people with these issues until the patch is ready.  Remember that this exploit, while it is certainly a huge deal, is still limited to a very limited subset of individuals doing the hacking.

3.) This is *not* the same exploit that was fixed between 1.1.7 and 1.1.8, though it is a spin off of that idealism.  I do not know where this assumption came from, but this is indeed a different exploit.

4.) The patch we are working on is not just a small "plug" for this hole.  It's not a patch and hope it holds job.  The patch we are working on is intended to entirely beef up attachment and avatar security as a whole -- for all three branches of SMF.  This is not a small undertaking.  It's not something as simple as verifying a bit of input data.  It goes beyond that.  That is why it has taken longer than normal. 

Before tonight, if we had released the patch "just to get it out there", nobody's avatar or attachment systems would work beyond a minimal level (in fact, for a short while, using the patch would have rendered the post display template in error.) 

Fortunately, the patch was released to Beta Testers this evening for final bug testing.  Once the few final remaining glitches are ironed out, it will be released. 

One thing of note, this is quite possibly the biggest patch we've done.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 18, 2009, 12:47:55 AM
Very nicely put metallica48423 :)

Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Leemy on May 18, 2009, 12:52:21 AM
Thank you metallica48423 :) This is quite a large scope update, I see, and I appreciate the team's work.

I understand your reasons for not advertising the issue and I respect that as you obviously have more experience administering this software than I ;)

Quote from: metallica48423 on May 18, 2009, 12:44:29 AM
Fortunately, the patch was released to Beta Testers this evening for final bug testing.  Once the few final remaining glitches are ironed out, it will be released. 

One thing of note, this is quite possibly the biggest patch we've done.


"Managing expectations" is key in Project Management and I appreciate your update on scope and status of the patch.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: metallica48423 on May 18, 2009, 01:04:08 AM
You are very welcome :)

Guys, all I'm trying to say here is: we're on your side.  Our forums are just as in danger as everyone else's here!

We've had 4 people exclusively working on this patch since we first found out about the problems.  So we're certainly *not* ignoring the situation.  We decided to take the path of (hopefully) eliminating the core of the problem that has allowed the last few exploits to even happen, rather than fix only the symptoms of the problem.  Unfortunately, a certain browser makes this more difficult as well *cough*IE6*cough*.  Ugh... man, my allergies are killing me.

We also hope to resume regular email notifications of releases once again with this release, now that we have a better infrastructure in place to handle the 170,000+ emails that must be sent.  Unfortunately they've been spotty and sporadic due to server problems.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 18, 2009, 01:07:26 AM
Quote from: metallica48423 on May 18, 2009, 01:04:08 AM
Unfortunately, a certain browser makes this more difficult as well *cough*IE6*cough*.  Ugh... man, my allergies are killing me.

IE6 allergies? Reminds me of the H1N1 flu :P

code names... hmmm...
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: dreamers4317 on May 18, 2009, 06:42:10 AM
Hi All, sorry if this is a very stupid question, but have been reading this topic as our site has got problems with this issue, we have disabled the upload of attachments & avatars & have banned the member Krisbarteo, but will the patch that is due fix our forum? Or is there anything else we will have to do? Once again sorry if it's a stupid question, but we are complete novices, so any help would be appreciated.  p.s. we are still getting error log messages all the time.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Aleksi "Lex" Kilpinen on May 18, 2009, 06:44:31 AM
I would say the best way to go about this, would be to revert to a clean backup from the time before the hack. But you could also just clean out the files and database manually, and while that would require a bit of work, it would also save your new posts from the time after this hack occurred.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: dreamers4317 on May 18, 2009, 07:09:28 AM
Hi Lexa, thanks for the reply & much as it's appreciated I would not have a clue how to do that & as our site owner is just a bit elusive & it would be him that normally does that sort of thing, so we are a bit stuck. So we just hope that the patch will fix things for us.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 18, 2009, 07:17:45 AM
Quote from: dreamers4317 on May 18, 2009, 07:09:28 AM
Hi Lexa, thanks for the reply & much as it's appreciated I would not have a clue how to do that & as our site owner is just a bit elusive & it would be him that normally does that sort of thing, so we are a bit stuck. So we just hope that the patch will fix things for us.

The patch is intended to close off the exploit as well as do much more. It will not, however, clean your forum if it has been hacked. This patch covers all three branches of SMF. (1.0.x - 1.1.x - 2.0)
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: dreamers4317 on May 18, 2009, 07:49:42 AM
Oh bugger!
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 18, 2009, 07:51:50 AM
Quote from: dreamers4317 on May 18, 2009, 07:49:42 AM
Oh bugger!

If you have been hacked, feel free to start a topic and members here will be glad to assist you.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: dreamers4317 on May 18, 2009, 07:54:42 AM
Quote
But you could also just clean out the files and database manually, and while that would require a bit of work, it would also save your new posts from the time after this hack occurred.
Can any one give us a simple blow by blow way of doing this please?
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Sverre on May 18, 2009, 09:26:13 AM
We don't use the attachments or locally stored avatars features on our SMF forum, so these last exploits haven't really been an issue for us, but I have to agree with wtmpp, that the way this has been handled by SMF doesn't exactly aspire confidence...

I visit this community on a daily basis, but since I'm not looking for support at the moment, I rarely, if ever, open the SMF 1.x Support board. I actually only became aware of this situation by chance while reading the Bug Tracker. I understand the desire not to broadcast the vulnerability to the world, but if information about it can be posted publicly in this board, I don't see why it couldn't have been posted in the News and Updates board, where it would be much more prominent to visitors of the community, instead. By trying to keep such a tight lid on these situations, I feel SMF does its members/users a huge disservice.

I'm just glad that the restrictive permission scheme we're running already keeps us safe from many of these attacks, especially considering the fact that MagicOPromotion paid us a visit a couple of weeks ago.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: DavidCT on May 18, 2009, 03:17:28 PM
I don't suppose disabling PHP execution itself in the folder would fix this right?  If it did you could do this...

.htaccess (in avatars and attachments folders)

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI


Trying to execute php scripts would give a 403 error.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: LiroyvH on May 18, 2009, 03:34:35 PM
Quote
CoreISP/Liroy, here are the 1st  4 stickied posts. Does any of them have any specific "Call To Action?"

By the looks of it, yes it does tell you what you can do to temporarily secure your forum.

Quote
Lets get personal, you run hosting company, correct?
http://order.dedicatedbox.net/cart.php?a=confproduct&i=0 Here is a link to the details page of one of your hosting offerings, and I see you use Plesk.

I don't use Plesk myself, I use cPanel, but yes, I do offer it.

Quote
Now lets say that you have a Linux administrator who regularly sends you an email about the security update news he comes across.
There is a major security hole in Plesk9 that allows an attacker to take COMPLETE CONTROL OF THE SERVER. Your linux admin sends you a notice (one of MANY) that says
'How to secure and harden Plesk against attack" ...
do you think an issue as serious and with as severe implications as this would deserve a more *assertive* warning?

I have no doubt that Plesk 9 has security holes, lol. (just kidding)
Anyway, assuming that such a big security hole would be in place:
No, because I would know they are working on a solution. (Plesk is paid by the way, SMF is free)
If they are working on a solution, and they warn me that it is best to disable 2 features on the system while they are working very hard on a patch, then I will most certainly disable those 2 features.
It's not an "assertive" warning, it is simply a big warning telling you that there is a major issue and that you should take steps immediately while the problem is being attended to by their programmers.
Leaving those 2 functions enabled when it is not patched is simply dumb and being lazy.

Quote
It may be bad to shout "fire" in a crowded theater, but is it better to whisper? What if there really IS a fire? Should we all burn?

There are tons of topics on this issue, and if a patch is released, people will know.
Pointless to light the same fire if there is no point.

Quote
Ask yourself this: If you had an employee who's job it was to monitor security news and bring matters to your attention and THAT was the casual way he did it... wouldnt you *fire his ass??*

... Why? If he is doing his job and there is nothing he can do, except for providing temp. steps to secure the system, while the coders are working on it, why should I fire him? For bringing news that isn't exactly what I want to hear because I don't like security issues? Nice boss that would fire you :-X

Anyway, I think you are overreacting. There is a problem, it is being attended to and in the meanwhile a temp. solution has been given multiple times all over the forum. If you don't follow that advice then it is your own fault if you run into issues. Nothing more that I can say about it.

/exit topic.


Sincerely,
- Liroy
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 18, 2009, 03:45:22 PM
Thanks Liroy. Perfectly put.

To add on, there are members who have dedicated a lot of their time to helping members who have been attacked. I, myself, have dedicated countless hours to helping others resolve this issue and also help secure their site temporarily until this patch is released.

There are other ways to prevent this attack from happening as well. SMF could say "Screw it, just take your forum offline. Problem solved." But no, they didn't. Instead, they choose to take the time and get the patch done right. How the SMF Team has handled this situation as far as making it public, that is totally up to them, and I agree with the way they are doing it, but it remains personal preference I guess.

Just think, there are a lot of changes happening at this time. The SMF Team has its hands full with 2.0 RC2, Curve, and this attack just as a sample. Just keep in mind that the steps provided in these many topics are intended to temporarily prevent the attacks from happening until the patch is out. Sometimes, you gotta sacrifice functionality for security.

Best regards,
JBlaze
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: kat on May 18, 2009, 03:55:01 PM
Of course, there's the other way of looking at it...

If this vulnerability was broadcast in big letters all over the net, other script-kiddies would know about it and try to exploit it.

We all have our own opinions and slamming people about it will hardly help matters.

Just my tuppence worth...
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: babjusi on May 18, 2009, 03:56:55 PM
I agree. Smf team is very busy with the smf 2 and all and knowing the smf staff that it takes the security very seriously, I am sure that they are working hard at releasing a patch that would fix the issue. However these things must be thoroughly tested before being released and this could take some time. So the best way is to hang on for a bit more and give the team the time needed to take care of it.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: busterone on May 18, 2009, 07:26:06 PM
I have been watching this since it first became known that there was an issue. I have especially noticed how efficient and helpful JBlaze has been in this situation. Although I was not hacked myself, I believe thanks and kudos to you JBlaze for your efforts here are in order. I also want to commend all of the staff for the handling of this problem. I agree with the way it has been handled. Every other script kiddie in the world does not visit this site, but you can bet that if a widespread announcement was made, hundreds more would jump on the bandwagon and try their hand at hacking a few sites. I believe more damage would have occurred if that were so.  That said, I should also say no more on this subject myself either, other than thanks to all the hard working volunteers that do this on their own time.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Faded Glory on May 18, 2009, 07:46:06 PM
I too, have no dog in this fight. As soon as I saw the first topic on here about this exploit and the hacker I went and made sure to secure my forum.

I am not a coder nor do I have the ability to do the intricate work that goes into adding or removing script.

I can use common sense and make sure my door is locked to try and keep a thief out.

JBlaze has gone up and beyond the call of duty on this. I have read nearly everything he has put up about this. Every time I get on here, he is here. So kudos to him and the team for all the long hours of FREE work you all have put on here fighting this fire!

Cheers mates
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: wtmpp on May 18, 2009, 08:04:11 PM
@ David CT. Your htaccess snippet is good to use as a general practice, but would not be applicable to this particular exploit I think, because the exif data is being parsed by SMF and is executed within the context of an area that HAS to be able to run php AND IS ALREADY RUNNING PHP when it is executing the code hiding in the jpeg.

@Those who see themselves in the following
Quote
look, SMF is a big ecosystem, like the Rainforest, there's room for everyone I think and we all play our part, from the casual users who just want to have a forum (any forum) to base their community, to those who seek to profit from and sell to the huge SMF community, those who lack a sense of personal identity and find here a "place where they can BE SOMEBODY IMPORTANT AND A REAL MAN" - (like World Of Warcraft w/o the spells and subscription fees : ), and the obsequious fan boys, to whom SMF can do no wrong and who sit poised like crows on a telephone pole to vociferously denounce as "flames" and "trolling" common sense arguments demanding an equitable and sensible approach to dealing with security issues.

Yeah, there's room for all in this big tent or jungle

Quote
There are other ways to prevent this attack from happening as well. SMF could say "Screw it, just take your forum offline. Problem solved." But no, they didn't. Instead, they choose to take the time and get the patch done right.
Why on earth would SMF or ANY company say something as ridiculous as "take your forum offline?"
For MOST communities with a forum, the forum IS the community! I guess it makes sense to proffer an even more bizarre position to offset an indefensible one?

Here is the approach that SMF should do /should have done.

1. Update the News feed that is pulled when you log in to your Admin panel warning of the issue. (1hr or less)

2. immediately on becoming aware of the problem, issue an alert (news on the front page) and release a version agnostic php file that would do the settings patch (via the mySQL database) to disable avatars and attachments.
(15 minutes)

3. Update the SMF download so that the downloaded version DISABLES THE AT RISK FUNCTIONALITY BY DEFAULT (1 hr)
Admins would see the security update in progress message when they log in.

3. THEN continue working on a more appropriate patch, that can secure the functionality AND allow it to be used.

I know you feel proud of yourself and your "countless hours spent" but really, it can't have been more than 4 or 5, and if this information was properly disseminated, it would have been ZERO.

I know full well that it's a league of volunteers, but there is no excuse for sloppy, unprofessional attitudes backed up by a cheerleading team.

On some SMF forums I have seen, there is a message that pops up when you browse as guest
Quote
I see you are browsing as a guest! please login or register to see what we have to offer!

we could have..
Quote
NOTICE! - AN URGENT MESSAGE IS WAITING FOR SMF SITE ADMINISTRATORS- Please log in to SMF here, or to the admin panel of your forum!


@Kat - script kiddies have been running wild with this for months, and anyway, announcing that there is a vulnerability and a way to patch it (without getting into explicit details how to reproduce it or even exactly how the vector works,) is the appropriate thing to do, not bury heads in the sand, and hope "script kiddies don't pass by and see us with our butt in the air :("

@babjus
I couldn't agree with you more, of course they will work hard on the patch!

you know, SMF could do something like IE and have a range of SQL files that set the SMF security context to Low, Medium, High, Lockdown?
Basically a sliding scale for functionality/vs paranoia/ vs security?
You can trade off simply what you want or are prepared to do without?
Experts of course, will use the fine-tuned controls in the admin panel
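
Added example (not part of the original thread and not SMF's own code): a read-only scan an admin could run as a first pass of the manual file clean-up suggested earlier, flagging uploads that carry PHP markers such as the "code hiding in the jpeg" described above. The function names, the finding labels and the sample files are assumptions constructed for this demo.

```python
"""Read-only scan of an upload folder for image files that carry PHP markers."""
import os
import re
import shutil
import tempfile

# Leading bytes of the image formats a forum normally accepts for avatars.
IMAGE_MAGIC = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
EXT_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

# Unambiguous PHP markers. XMP metadata in genuine photos contains "<?xpacket",
# so a bare "<?" is deliberately not treated as a strong signal.
PHP_TAG = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*.?php", re.I)
# Short open tag: valid PHP when short_open_tag is enabled, but it can also
# occur by chance in compressed image data, so it is reported for review only.
SHORT_TAG = re.compile(rb"<\?\s")


def image_kind(data):
    """Return 'jpeg', 'png', 'gif' or None, judged by magic bytes only."""
    for kind, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_bytes(name, data):
    """Return a list of (finding, detail) tuples for one file's content."""
    findings = []
    kind = image_kind(data)
    if kind is None:
        findings.append(("not-an-image", "no JPEG/PNG/GIF signature"))
    else:
        expected = EXT_KIND.get(os.path.splitext(name)[1].lower())
        if expected and expected != kind:
            findings.append(("extension-mismatch",
                             f"named {expected}, content is {kind}"))
    strong = PHP_TAG.search(data)
    if strong:
        findings.append(("php-open-tag", f"offset {strong.start()}"))
    else:
        weak = SHORT_TAG.search(data)
        if weak:
            findings.append(("short-open-tag", f"offset {weak.start()}"))
    return findings


def scan_uploads(root, ignore_names=()):
    """Walk root without modifying it; return {relative_path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            # ignore_names: files the admin already knows are legitimate.
            if fname in ignore_names or os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                findings = inspect_bytes(fname, fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_demo_dir():
    """Write constructed sample files to a temp folder and return its path."""
    root = tempfile.mkdtemp(prefix="attachments_demo_")
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # 11-byte JPEG/JFIF start
    samples = {
        "avatar_101.jpg": jpeg_head + b"\x00" * 64 + b"\xff\xd9",       # clean
        "avatar_102.jpg": jpeg_head + b"<?xpacket begin='' ?>\xff\xd9",  # XMP
        "avatar_103.jpg": jpeg_head + b"<?php echo 'marker'; ?>\xff\xd9",
        "avatar_104.jpg": b"GIF89a" + b"\x00" * 16,   # GIF content, .jpg name
        "avatar_105.png": b"<? echo 1; ?>",           # not an image at all
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    try:
        for rel, found in sorted(scan_uploads(demo).items()):
            print(rel, found)
    finally:
        shutil.rmtree(demo)
```

Run it against a copy of the attachments and avatars folders; a hit marks a file for manual review or removal, and a clean result does not show that the database or other files are untouched.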
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: LiroyvH on May 18, 2009, 08:09:17 PM
Quote
Why on earth would SMF or ANY company say something as ridiculous as "take your forum offline?"

The point of the story was that that is exactly what they did !!NOT!! do.

Did you keep in mind that making a global announcement will let all script kidz0rs out th3r3 know about this issue? That would make it even a bigger issue.

Quote
I see you are browsing as a guest! please login or register to see what we have to offer!

We could have...

NOTICE! - AN URGENT MESSAGE IS WAITING FOR SMF SITE ADMINISTRATORS- Please log in to SMF here, or to the admin panel of your forum!

It is not SMF that maintains the messages that popup... It is user defined.


Anyway, no point in arguing with you. You are, according to yourself, right and everybody else that doesn't have the same opinion isn't right and is unprofessional... Hehe.

Good luck to you and your forum :)
I do hope you did disable those functions in the meanwhile though.


Sincerely,
- Liroy
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Ben_S on May 18, 2009, 08:13:30 PM
Quote from: wtmpp on May 18, 2009, 08:04:11 PM
we could have..

NOTICE! - AN URGENT MESSAGE IS WAITING FOR SMF SITE ADMINISTRATORS- Please log in to SMF here, or to the admin panel of your forum!

And draw widespread attention to a not very widely known security hole?
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 18, 2009, 08:14:30 PM
Quote from: busterone on May 18, 2009, 07:26:06 PM
I have been watching this since it first became known that there was an issue. I have especially noticed how efficient and helpful JBlaze has been in this situation. Although I was not hacked myself, I believe thanks and kudos to you JBlaze for your efforts here are in order. I also want to commend all of the staff for the handling of this problem. I agree with the way it has been handled. Every other script kiddie in the world does not visit this site, but you can bet that if a widespread announcement was made, hundreds more would jump on the bandwagon and try their hand at hacking a few sites. I believe more damage would have occurred if that were so.  That said, I should also say no more on this subject myself either, other than thanks to all the hard working volunteers that do this on their own time.
Quote from: Faded Glory on May 18, 2009, 07:46:06 PM
I too, have no dog in this fight. As soon as I saw the first topic on here about this exploit and the hacker I went and made sure to secure my forum.

I am not a coder nor do I have the ability to do the intricate work that goes into adding or removing script.

I can use common sense and make sure my door is locked to try and keep a thief out.

JBlaze has gone up and beyond the call of duty on this. I have read nearly everything he has put up about this. Every time I get on here, he is here. So kudos to him and the team for all the long hours of FREE work you all have put on here fighting this fire!

Cheers mates

Thanks, it's all in a day's work and countless sleepless nights :)



@wtmpp: While you are allowed to have your opinion on this matter, it is obvious that you do not realize the full picture. I have been working with members as well as SMF Team Members on this issue. I have seen pretty much everything this attack can throw at me. So please, take things as they are and try not to start a huge debate/fight on a topic as serious as this.

Do not take this the wrong way, I am not flaming you. You are, as I said, entitled to your opinion. But in this case, your opinion is faulted. There are reasons why the SMF Team has done what they have done.

Now, allow me to go back to work.

Regards,
JBlaze
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Antechinus on May 18, 2009, 08:27:31 PM
Quote from: wtmpp on May 18, 2009, 08:04:11 PM
3. Update the SMF download so that the downloaded version DISABLES THE AT RISK FUNCTIONALITY BY DEFAULT (1 hr)

I can see the arguments in favour of not publicising the exploit more than necessary but I think this particular suggestion is worth considering.


Quote
@Kat - script kiddies have been running wild with this for months, and anyway, announcing that there is a vulnerability and a way to patch it (without getting into explicit details how to reproduce it or even exactly how the vector works,) is the appropriate thing to do, not bury heads in the sand, and hope "script kiddies don't pass by and see us with our butt in the air :("

No, they haven't. This is a new exploit. It may be loosely related to earlier ones but script kiddies are not running wild with this one. It's being deployed by one specific group.


Quote
you know, SMF could do something like IE and have a range of SQL files that set the SMF security context to Low, Medium, High, Lockdown?
Basically a sliding scale for functionality/vs paranoia/ vs security?
You can trade off simply what you want or are prepared to do without?
Experts of course, will use the fine-tuned controls in the admin panel

I think this is another suggestion that is worth considering. Of course what will happen in practice is that many inexperienced admins will want all the frills and have no understanding of risks (we see this all the time) and will use the lowest security settings anyway, but at least it would give anyone who does want security and lacks skills a good warning and some easy options.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Crasy on May 18, 2009, 10:29:33 PM
I must add....

Why didn't we get told to disable attachments and avatars through our admin panels? I know it would have made an unknown problem known...

But...well...even now when the problem IS widely known...why aren't we being told?
I'm sure every script kiddie knows about the exploit by now. It's time to tell the forum administrators.

However, however,
I must commend the efforts shown by staff, regulars and even random members around here. Seriously, you guys are doing a great job figuring this out. And while I cannot tell how much effort the devs are putting into a patch, I have to thank them in advance.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Broken Arrow on May 19, 2009, 12:15:08 AM
I have to add my 2cents here. I have had other forum software in the past and none of them offered anywhere near the support that SMF has offered. Anytime I need help, I come here and someone helps me within minutes it seems.
Once I knew images (avatars) were missing I came here and saw what was happening. I followed the directions on  what to do to stop it and then went about cleaning up the mess. JBlaze especially has gone out of his way to help me and many others.

This is the first time my forum has had any incident with some outsider causing any kind of trouble. And these fine folks here at SMF have done more to help those of us who aren't sure of what we are doing, than any other software support team ever has

I applaud every member of this support team.  You deserve high praise for your work!

and if someone else out there has an idea on how the support could be better, then I suggest signing up and becoming a member of the support team.

Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: legoracer on May 19, 2009, 12:25:04 AM
Quote from: Broken Arrow on May 19, 2009, 12:15:08 AM
I have to add my 2cents here. I have had other forum software in the past and none of them offered anywhere near the support that SMF has offered. Anytime I need help, I come here and someone helps me within minutes it seems.
Once I knew images (avatars) were missing I came here and saw what was happening. I followed the directions on  what to do to stop it and then went about cleaning up the mess. JBlaze especially has gone out of his way to help me and many others.

This is the first time my forum has had any incident with some outsider causing any kind of trouble. And these fine folks here at SMF have done more to help those of us who aren't sure of what we are doing, than any other software support team ever has

I applaud every member of this support team.  You deserve high praise for your work!

and if someone else out there has an idea on how the support could be better, then I suggest signing up and becoming a member of the support team.

X2

The SMF guys/gals just ROCK!! PHPbb wouldn't help like this...vbullcrap wouldn't help... SMF sure does!! Keep up the great work!! It is nice to have a FREE forum that has this much support!!  Where do i donate?
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: metallica48423 on May 19, 2009, 12:42:15 AM
Quote
I'm sure every script kiddie knows about the exploit by now. It's time to tell the forum administrators.

Not quite.  Every instance of this so far (that I am personally aware of) has been traced back to one individual.  It's by no means not a big deal, but by announcing it immediately to everyone without an immediate patch, we are ensuring that every script kiddie out there WILL know about it, and WILL use it.  We want to patch it before it gets that far. 

Once we have a patch available to install that will FIX the problem instead of averting it, it will be announced via the normal methods.  Averting it would mean simply that later someone can come back with another derivative security issue based on this one, much like this is similar to the last one.

This is not out on security trackers yet, but we will have a patch for it *very* soon.  This patch is quite possibly the biggest security patch we've ever done.  Significant work has been done for all 3 branches to improve attachment and avatar security.  But with that comes bugs.  The patch is with our beta testers who are testing the functionality to ensure that it works properly and without causing further problems.

I hate telling people who could be affected by this to wait, but remember that our forums are vulnerable too.  Hang in there, we will get everyone taken care of, just as we already have.  We just need a bit to sort it all properly.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Crasy on May 19, 2009, 12:49:49 AM
Quote from: metallica48423 on May 19, 2009, 12:42:15 AM
Quote
I'm sure every script kiddie knows about the exploit by now. It's time to tell the forum administrators.

Not quite.  Every instance of this so far (that I am personally aware of) has been traced back to one individual.  It's by no means not a big deal, but by announcing it immediately to everyone without an immediate patch, we are ensuring that every script kiddie out there WILL know about it, and WILL use it.  We want to patch it before it gets that far. 

Once we have a patch available to install that will FIX the problem instead of averting it, it will be announced via the normal methods.  Averting it would mean simply that later someone can come back with another derivative security issue based on this one, much like this is similar to the last one.

This is not out on security trackers yet, but we will have a patch for it *very* soon.  This patch is quite possibly the biggest security patch we've ever done.  Significant work has been done for all 3 branches to improve attachment and avatar security.  But with that comes bugs.  The patch is with our beta testers who are testing the functionality to ensure that it works properly and without causing further problems.

I hate telling people who could be affected by this to wait, but remember that our forums are vulnerable too.  Hang in there, we will get everyone taken care of, just as we already have.  We just need a bit to sort it all properly.

Thank you metallica48423, I appreciate the update.
I kinda understand what you are doing. You're stuck in a tight situation where you're pretty frustrated that you can't give a shout out to forum administrators anyways.

Anyways, tell the devs and testers that there is NO SLEEPING TONIGHT UNTIL THIS IS DONE.
On second thought please don't. Make sure they know how much I appreciate that my lazy ass doesn't have to do anything but APPLY their hardwork
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: wtmpp on May 19, 2009, 03:35:39 PM
Thanks for your reply Core, I think we have a fundamental disagreement on the way a professional company should operate when there is a defect in one of their products.

The arguments that you are regurgitating w/o understanding (as you are not a developer or Software Risk Management executive) are without merit.

"1. Disclosure that there is a problem-  even that there is a security problem will leave us open to attacks by script kiddies"

First: a "script kiddie" is someone who lacks the skill to implement and craft an exploit on their own, but is technically competent enough to download and follow a few step by step instructions and maybe make tiny code edits.

Saying nothing more explicit than: "We have important security news for all: Disable uploads/avatars temporarily while we work on a patch that does not limit functionality"
will not jeopardize security and allow members to secure their sites accordingly.
This information should be widely broadcast.


Quote from: metallica48423 on May 18, 2009, 01:04:08 AM
We've had 4 people exclusively working on this patch since we first found out about the problems.  So we're certainly *not* ignoring the situation.  We decided to take the path of (hopefully) eliminating the core of the problem that has allowed the last few exploits to even happen, rather than fix only the symptoms of the problem.  Unfortunately, a certain browser makes this more difficult as well *cough*IE6*cough*.
At Metallica: First, this issue is not related to browsers at all. I know we all love to bash IE but c'mon now! lol
Nobody has ever said you guy's were ignoring the situation.... that would mean knowing something is wrong but doing nothing. I believe you ARE doing something, but something inappropriate, something that serves to salve your reputations at  the expense of forum owners.

You say you dont want to announce the problem without having a 'perfect patch' ready?
Why not have an 'almost perfect patch' ready in an hour (disabling avatar uploads,theme switching, etc) ANNOUNCE THAT then continue to work on the "mother of all patches?"

This behavior of you guys is really poor in this regard. It's like you dont care about those people who got their forum hacked -and would NOT  have, if only they knew in advance and could have done something. Dont take this as an indictment of YOU personally, but as on the system as a whole. Beside's, why is there this constant crowing, mutual back slapping about providing "support" for something that shouldnt happen in the first place?

That's like a babysitter boasting of her CPR skills in (not) saving the toddlers from drowning while she was sleeping :(
http://www.foxnews.com/story/0,2933,276733,00.html

And look, I get it, you guys are all volunteers, work for free, just like Jesus etc. That's no reason to not be held to (or act according to) the highest professional standard and duty of care towards the public?


Looking back through the forums there are tons of IDENTICAL scenarios just like this one.
Major security breach that enables complete take over of a forum.
SMF obfuscation and stonewalling,
Patch released with little fanfare.

Since adoption of end users of a patch or upgrade takes a long time and then, is never 100%, then announcing there is a problem when you have a patch - is just as bad as announcing it when you don't! - since the "ever lurking script kiddies" will seize on that information and wreak havoc!

Actually, their havoc is easily implemented now, since now they have a before and after file to DIFF on and know exactly what to do :(

C'mon guys, we can do better - especially when it's a flaw that allows somebody to take control of a server or hosted account.
Announce (w/o going into details), let people know ASAP, and we can take informed actions to protect our forums and sites.


*I know the fanboys are all set to jump on me now, so I am out of this thread. There is no new information to be gained or given, and I've had my say.

So long and thanks for all the fish!
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: rthrash on May 19, 2009, 04:18:24 PM
I have to agree and reiterate that I'm still amazed there's no warning to disable avatars and attachments inside the Admin panel. I'd venture to say that the gross majority of forum owners do not visit the project forums that frequently. People are getting hacked daily, and I'm certain some could have been prevented had this simple step been taken.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 19, 2009, 04:31:14 PM
IMHO, being a forum owner/admin, it is your responsibility to keep up to date with all things going on with your software. If that means signing up on the project forums and checking it once a week, so be it. I have owned a forum for 2 years now, and have been through much worse software and support communities. SMF really has it right. If you are going to bash the SMF Team for not doing what you think they should do, then you should take that up with them directly instead of publicly bashing them.

So, with that said, SMF should not have to hold your hand and guide you through this. The biggest part of being an owner/admin is being able to take care of problems yourself. It is your responsibility.

I am leaving it at that.
[/discussion]

Regards,
JBlaze
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: metallica48423 on May 19, 2009, 04:54:40 PM
I'll just note two things here:

1.) My comments on IE6, while not related to the core of this exploit as far as SMF is concerned, aren't entirely irrelevant.  IE6 is vulnerable to a similar type of attack due to how it parses the header information in images.  That means we must also tend to these script injection problems (after all, no software developer wants their software being a vehicle for computer hijacking either).  So no, I'm not picking on IE because it's the popular thing to do, but because, yes, infected images are now (more so than ever) an enemy to IE6.

2.) We will note your concerns.  Please do not think that because I am rebutting them (with my own opinion and what we've currently established as policy, mind you) that I am simply ignoring them.  I am not, and neither are the rest of us.  In fact, I agree with you, but not, perhaps, on the level you feel I should. 

Truth is, this is still a relatively small scale attack by only one confirmed individual (again, that doesn't mean that the threat is not there or is unimportant).  If that weren't the case, and this were an epidemic level attack, or if we couldn't get the patch out before it came so -- that'd change things a lot, actually.  I could then see getting a notification out ASAP.  And we have actually done notifications in the past (though not through the admin CP), though it has been a while since we've had a situation arise where an exploit was either of huge scale, or where we couldn't get it patched in a decent timeframe.
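
An added example, not part of the thread and not SMF's own code: a check a forum administrator could run over stored avatar files to find ones that carry PHP or HTML/script content, which is the pattern behind the `avatar_20623.jpg` errors in the first post and the image script-injection problem described above. The `avatar_*` file pattern is taken from that log; the 256-byte window and the marker list are assumptions, and the sample bytes are constructed.

```python
import re
from pathlib import Path

SNIFF_WINDOW = 256  # assumed size of the leading window a sniffing browser reads

MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}

# Markers that have no place in an avatar. Bare "<?" short tags are left
# out because they occur by chance in compressed image data.
MARKERS = re.compile(rb"<\?php|<script|<html|<body|<iframe", re.IGNORECASE)


def image_type(data):
    """Return the image type named by the magic bytes, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def scan_bytes(data):
    """Return findings for one file: wrong magic bytes and embedded markers."""
    findings = [] if image_type(data) else ["not-an-image"]
    for match in MARKERS.finditer(data):
        marker = match.group().lower().decode("ascii")
        where = "header" if match.start() < SNIFF_WINDOW else "body"
        findings.append(f"{marker}@{where}")
    return findings


def scan_directory(root, pattern="avatar_*"):
    """Map each flagged file directly under root to its findings."""
    report = {}
    for path in sorted(Path(root).glob(pattern)):
        if path.is_file():
            findings = scan_bytes(path.read_bytes())
            if findings:
                report[path.name] = findings
    return report


# Constructed samples (not taken from any real upload).
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 32
PHP_GIF = b"GIF89a" + b"\x00" * 300 + b"<?php /* constructed */ ?>"
SNIFFED_JPEG = b"\xff\xd8\xff\xfe\x00\x20<ScRiPt>/* constructed */</script>"

if __name__ == "__main__":
    for blob in (CLEAN_GIF, PHP_GIF, SNIFFED_JPEG):
        print(scan_bytes(blob))
```

A file with valid magic bytes can still be flagged, as the second and third samples show, so the magic-byte check alone is not enough to call an avatar clean.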

Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: babjusi on May 19, 2009, 04:57:56 PM
Justin is right. If the issue were to be known to everyone, then the damage would have been much worse. I think that the SMF team has handled this as best as they could under the circumstances. And don't forget that it couldn't come at a much worse time when they are very busy working on SMF 2.0. So please, a little bit of patience and understanding.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Sverre on May 19, 2009, 04:58:59 PM
As I said in my previous post in this topic, the forum I manage has been safe from this exploit all along, so I can afford to wait for the patch. Others are not so fortunate though, and in the future, I could very well find myself in their position. That's why I hate the fact that the information which could potentially "save" my forum, or save me the hassle of restoring it to be more precise, is kept "hidden" in a board which isn't natural for me to visit unless I actually need support. A warning in the Administration Center would probably be my preferred solution in a situation like this, but simply relocating the information to the News and Updates board, where it has a much better chance of being noticed by administrators who need it to protect their forum, would go a long way in boosting my confidence in the project.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Crasy on May 19, 2009, 05:01:12 PM
I believe that wtmpp is onto something. He's saying it in a kinda...funky way...that leaves far too much blame on staff around here. I don't like that since I do appreciate a lot of the work that goes into this.

But.
Heh.

My SMF forum is only a small, small forum for a group of friends. I spend maybe 5-10 minutes a day on the forum. Probably far less. JBlaze, are you telling me I should be checking these forums so often for my simple, small hobby forum?
I would be pretty fried if I got hacked, since I don't have time to fix the hack. I would probably just do a clean install and worry about fixing up mods I had later. I just disabled attachments and avatars.

Or should I be seeking a different software, one that is much smaller and less likely to be targeted by hackers? Kinda like picking a Mac because it has fewer viruses "out there".

I want to be corrected here. I'm mostly asking and saying these statements for clarification, not the purpose of pointing fingers.
I am only slightly reassured by Justin's statement that he is taking note of our concerns.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: JBlaze on May 19, 2009, 05:07:48 PM
Believe me, the 2.0 Project has been pretty much put to a stop until this patch is out. It doesn't matter what software you use, as any site has the same chance of being targeted by hackers or spammers. The internet is a crazy place.

Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: busterone on May 19, 2009, 07:27:55 PM
I previously said that I had said all I could on this subject, but sorry, I have one more thing. JBlaze hit on a very strong point. -
The majority of all of us here are forum admins. It is OUR responsibility as an admin/site owner to keep up to date on all issues that can and will cause our sites trouble. We all get busy with our own sites, I know that I do. I still come here at least once a day and scan through the unread posts since last visit for anything that looks like it could be a problem. I know that sometimes, a topic title can be misleading or simply non-descriptive, such as HEEEELP!  8)  but anytime anything even smells of security or hack, I check it out. Most of the time, it doesn't concern me and I then move on, but often it does.

We do have to be vigilant in staying as informed as possible.  It is indeed a crazy web out there.  :)
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: DavidCT on May 20, 2009, 03:06:19 PM
I really didn't want to jump into this debate, but I do have one small thing to say...

Saying we should read these forums (daily, basically due to the volume of traffic and the possible dangers of new exploits) to find out if there is a security threat out there is dumb.  If people spent their time reading forums for every piece of software they used just in case there is an exploit out there they wouldn't have any time to do anything else.  The only responsibility an admin has is to apply patches, of which there currently are none.  And placing a notice in the admin panel - not good either as who logs into that panel daily?  An email would be nice, after all it is a real threat.  Maybe that is too costly?  I don't know.  Maybe placing a notice in the download area would be great if nothing else.  At least if an admin checked that daily for patches they'd see it.  Maybe even an RSS alert?

I realize this software is free, programmed by volunteers, but if I was involved with it I'd want to make sure I did everything to keep people from having their forum usage experience from being a sour one.  If one person's forum got trashed because they didn't know how to prevent it, that wouldn't make me feel too great as a programmer of software which I take pride in coding.

I appreciate free software, and nothing is perfect.  Just my 2 cents.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: Crasy on May 20, 2009, 03:20:04 PM
Looking in hindsight now.

I believe it was a smart decision not to make this exploit heavily publicised.
As it appears the issue isn't very widespread.
And is isolated to a single spammer.
And has the potential to be devastating if the issue is made more public.

But has remained isolated, thanks to the smart decision by staff around here.
I disagreed earlier, but in hindsight I think I was wrong.
Title: Re: Hacked: 1.1.8 attachments / avatars still has a vulnerability
Post by: karlbenson on May 21, 2009, 10:29:42 AM
For anyone who hasn't done so yet, 1.1.9 was released (http://www.simplemachines.org/community/index.php?topic=311899.0) tonight, patching this.   Please be sure to update your forums ASAP.

Thanks!