I have a user on my forum who keeps managing to escalate themselves from normal user to global moderator.
I have banned the account but wanted to know if there is any knowledge of such a hack or any ways to mitigate it entirely?
SMF 2.1.3, Blue Evolution theme.
Thanks.
Quote from: chaos40 on December 01, 2024, 09:45:00 AM
I have banned the account but wanted to know if there is any knowledge of such a hack or any ways to mitigate it entirely?
Can you please elaborate a little further on this?
Quote from: Doug Heffernan on December 01, 2024, 10:28:31 AM
Quote from: chaos40 on December 01, 2024, 09:45:00 AM
I have banned the account but wanted to know if there is any knowledge of such a hack or any ways to mitigate it entirely?
Can you please elaborate a little further on this?
We had a normal user who was able to add themselves to the global moderators group. No log file was generated, and this change was not done by an administrator.
The first action I took was to place the user in a very confined user group with very limited posting and account change ability. Subsequently, a few weeks later, they were able to elevate their privileges back to that of global moderator. No logs. No traces.
Quote from: chaos40 on December 01, 2024, 10:34:34 AM
We had a normal user who was able to add themselves to the global moderators group. No log file was generated, and this change was not done by an administrator.
The first action I took was to place the user in a very confined user group with very limited posting and account change ability. Subsequently, a few weeks later, they were able to elevate their privileges back to that of global moderator. No logs. No traces.
Thank you for the clarification. Now I see what you mean. In order to be able to change their groups like that, they must have access to your database somehow imo. Can you ask your host to check their logs and see if there was any access to your database for around the time that the change of group was made?
When you say no logs, no trace, what logs did you mean?
Quote from: Doug Heffernan on December 01, 2024, 11:03:50 AM
Quote from: chaos40 on December 01, 2024, 10:34:34 AM
We had a normal user who was able to add themselves to the global moderators group. No log file was generated, and this change was not done by an administrator.
The first action I took was to place the user in a very confined user group with very limited posting and account change ability. Subsequently, a few weeks later, they were able to elevate their privileges back to that of global moderator. No logs. No traces.
Thank you for the clarification. Now I see what you mean. In order to be able to change their groups like that, they must have access to your database somehow imo. Can you ask your host to check their logs and see if there was any access to your database for around the time that the change of group was made?
When you say no logs, no trace, what logs did you mean?
There were no logs in the SMF forum software indicating this user transitioned from one group to another.
I have access to the underlying server via SSH so I can check the logs. Any log in particular you would recommend?
Also, I did notice that the database was incorrectly listening on 3306 on the publicly routable IP address. I changed that to 127.0.0.1.
I know of one but it doesn't escalate to global moderator, it escalates to admin.
I've never seen one that escalates specifically to global moderator (and it would be weird if it did, to be honest), especially since it's somehow circumventing the ban system.
Is the profile edits log turned on?
Quote from: chaos40 on December 01, 2024, 11:07:33 AM
Also, I did notice that the database was incorrectly listening on 3306 on the publicly routable IP address.
This is only an issue if the database is publicly accessible which is something you should be checking at this point. Though frankly if they have the ability to escalate their permissions, *why stop at global moderator*?
Do you have any other global moderators?
Quote from: Arantor on December 01, 2024, 11:17:44 AM
I know of one but it doesn't escalate to global moderator, it escalates to admin.
I've never seen one that escalates specifically to global moderator (and it would be weird if it did, to be honest), especially since it's somehow circumventing the ban system.
Is the profile edits log turned on?
Quote from: chaos40 on December 01, 2024, 11:07:33 AM
Also, I did notice that the database was incorrectly listening on 3306 on the publicly routable IP address.
This is only an issue if the database is publicly accessible which is something you should be checking at this point. Though frankly if they have the ability to escalate their permissions, *why stop at global moderator*?
Do you have any other global moderators?
The question of why stop at global moderator was perplexing to me as well. Same person did it twice.
I did change the database to listen on 127.0.0.1 via the my.cnf file.
The hack you are referring to, is there any way to mitigate it?
It's not so much a hack as much as it is a design fault and a misconfiguration. Basically, don't screw up the post count groups, so there's always a post count starting at 0 posts. If you have a situation where a user posts and there's no valid post group for them to go into, they end up going into admin.
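The design fault described above (a user with no matching post-count group) and the thread's "no logs, no traces" problem are both things an admin can check for outside the forum UI. The following script is an added example written for this thread, not SMF code; it assumes SMF's default group ids (1 = Administrator, 2 = Global Moderator, 0 = regular member) and the `smf_membergroups` / `smf_members` column names with the default `smf_` table prefix, and the member rows below are constructed for illustration rather than taken from any real forum.

```python
"""Audit SMF post-count groups and privileged group membership.

Added example for this thread (not SMF's own code). Assumes the default
group ids (1 = Administrator, 2 = Global Moderator, 0 = regular member)
and the default smf_ table prefix. In practice the rows would come from:

  SELECT id_group, group_name, min_posts FROM smf_membergroups;
  SELECT id_member, member_name, id_group, id_post_group, posts,
         additional_groups FROM smf_members;
"""
from dataclasses import dataclass

ADMIN_GROUP = 1
GLOBAL_MOD_GROUP = 2
PRIVILEGED = (ADMIN_GROUP, GLOBAL_MOD_GROUP)


@dataclass
class Membergroup:
    id_group: int
    group_name: str
    min_posts: int  # -1 = regular group, >= 0 = post-count group threshold


@dataclass
class Member:
    id_member: int
    member_name: str
    id_group: int           # primary group (0 = regular member)
    id_post_group: int      # post-count group SMF placed the member in
    posts: int
    additional_groups: str  # comma-separated extra group ids, as SMF stores them


def post_count_groups(groups):
    """Post-count groups only, lowest threshold first."""
    return sorted((g for g in groups if g.min_posts >= 0), key=lambda g: g.min_posts)


def has_zero_post_group(groups):
    """The misconfiguration Arantor describes: no post-count group starting at 0 posts."""
    return any(g.min_posts == 0 for g in groups)


def expected_post_group(groups, posts):
    """Highest post-count group whose threshold the member has reached, or None if no group fits."""
    match = None
    for g in post_count_groups(groups):
        if posts >= g.min_posts:
            match = g
    return match.id_group if match else None


def member_groups(m):
    """Every group a member is effectively in: primary plus additional_groups."""
    ids = {m.id_group}
    ids.update(int(x) for x in m.additional_groups.split(",") if x.strip())
    return ids


def privileged_members(members):
    """Names of members in any privileged group, via either column."""
    return sorted(m.member_name for m in members if member_groups(m) & set(PRIVILEGED))


def audit(groups, members, allowlist):
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    if not has_zero_post_group(groups):
        findings.append("no post-count group with min_posts = 0")
    for m in members:
        exp = expected_post_group(groups, m.posts)
        if exp != m.id_post_group:
            findings.append(f"{m.member_name}: id_post_group {m.id_post_group}, expected {exp}")
    for name in privileged_members(members):
        if name not in allowlist:
            findings.append(f"{name}: in a privileged group but not on the allowlist")
    return findings


# Constructed sample data (not from any real forum).
SAMPLE_GROUPS = [
    Membergroup(1, "Administrator", -1),
    Membergroup(2, "Global Moderator", -1),
    Membergroup(4, "Newbie", 0),
]
SAMPLE_MEMBERS = [
    Member(1, "alice", 1, 4, 120, ""),    # known admin
    Member(2, "bob", 0, 4, 7, "2"),       # regular member, but global mod via additional_groups
    Member(3, "carol", 0, 4, 0, ""),
]
KNOWN_PRIVILEGED = {"alice"}

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS, SAMPLE_MEMBERS, KNOWN_PRIVILEGED):
        print(f)
```

Running it from cron and diffing the output against the previous run gives the change record the forum's own logs did not provide: a member who appears in the privileged list, or whose `id_post_group` no longer matches their post count, shows up on the next run regardless of how the change was made. Checking `additional_groups` as well as `id_group` matters because a member can hold global moderator rights through either column.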
Quote from: Arantor on December 01, 2024, 11:58:20 AM
It's not so much a hack as much as it is a design fault and a misconfiguration. Basically, don't screw up the post count groups, so there's always a post count starting at 0 posts. If you have a situation where a user posts and there's no valid post group for them to go into, they end up going into admin.
This is all I have in terms of post count groups. We don't use post count groups, basically. We assign them to a group at registration and they pretty much stay there until there is a private board they are invited to.
Newbie (icon *, 625 members, 0 required posts)
So you have a post count group that starts at 0 posts meaning there's always a valid group for people to be in. No exploit there.
What mods and themes do you have installed?