Check out the SMF Function DB!
Started by [Unknown], November 20, 2003, 03:41:19 AM
Quote from: [Unknown] on November 20, 2003, 03:41:19 AMAny other questions? (so far I made all these up, sorry if they aren't realistic .) Feel free to ask and I'll answer away. I challenge you to prove me wrong.... show me that somehow 777 is all that bad.
Quote from: penmin on August 20, 2005, 04:17:15 PM PS. Unknown, my host could talk and talk for hours about this and argue with you, but we all know he is right. Fix your stuff.
Quote from: keepr on August 20, 2005, 02:51:13 PMFirst off SMF is not bug free and neither is any popular forum software, by setting the whole directory to 777 you are opening up every possible avenue for a software exploitation.
QuoteIf you cannot make your mods / application work with proper security restrictions then you need to take another look at your code. This post is reckless and potentially damaging to people who do not understand what it means to have their website exploited.
Quote from: penmin on August 20, 2005, 04:17:15 PMI think my host just told you that its not possible w/o a major security risk. So I wont be using TP until someone can fix this.And btw, it kinda makes me feel abit unsecure that the SMF lead devl. is telling everyone to go unsecure all their ****** (no offense Bloc, Im sure your reading this and TP is quite lovely) but I have to agree (finally) that my host is right, and w/o a secure way to do this, its just something that makes you sit in the waiting room to get hacked.
Quote from: kegobeer on August 20, 2005, 05:17:28 PMIf I set my directory to 777, and you navigate to my site, exactly what could you do to gain access to my files? To my understanding, a file has to be uploaded to the site and then be executed to take advantage of 777. If a user can't upload any sort of attachments, what damage can be done?
QuoteMaybe if you got off your high horse and stopped acting like a 20 year old that knows everything, and instead, work on your bull****** to make it work proper
Quote from: keepr on August 20, 2005, 09:43:46 PMYou are asking people to bypass linux's built in security and trust that all your code is perfect and no exploits will ever be found in it (this is scarey considering that SMF is YABB with a new name) and since your telling my customers to find new hosting I will point out examples of why people should use every piece of security possible with SMF specifically. I really wish you had not made this personal but here we go.
QuoteSmf Size Tag Script Injection Vulnerability
QuoteSimple Machine Forum SQL Injection (modify)
QuoteYabbse 1.5.4 Sql Injection Poc ExploitYaBB/YaBBse Cross Site Scripting VulnerabilityYabbSE Multiple Vulnerabilities March 2004
QuoteYabase v1.5.0 remote exploit to spawn bash shell with Apache uid
Quote from: penmin on August 20, 2005, 09:46:08 PMFirst off, I do apologize for being rude, but I am more than abit frustrated, I have tried numerous times to get any type of help with this ONE problem for over a month now. Maybe if you got off your high horse and stopped acting like a 20 year old that knows everything, and instead, work on your bull****** to make it work proper. I wouldnt get all pissy with you. I have tried to contact 4 differant peope (outside of threads) to gain help, and what was I told............ Contact an admin.......so I tried that, and everyone suggested 777 everything during the install (but change back the settings file), then after install, change everything back to normal and continue on your merry way. Then I am told I need to change and 777 everything, but then you dont state anything else. You just go 'challenge me', so I did. And you still have yet to prove how this will work w/o the actual person being taken advantage of and getting all their mysql jacked.
QuoteHe did read the entire thread, and I will not be changing my host company. He puts more effort into his work than any of you do with your bs blah blah blah about why this is something so easy to fix. It makes me go and delete my damn smf. It's not worth the space on my server. Cheers folks!
QuoteMaybe if you got off your high horse and stopped acting like a 20 year old that knows everything, and instead, work on your bull****** to make it work proper. I wouldnt get all pissy with you.
Quote from: Valodim on August 20, 2005, 11:40:22 PMthere is one easy reason for why not all files should be chmodded 777:a hacker is not always only destructive.for example, if he once gets access, he can just modify an existing php file, so he can send system() or eval() or mysql_query() calls, or only become secret administrator on the forum by adding || $ID_MEMBER == 1234 for the is_admin in the load.php. once the security hole he got in through is fixed (chances are, it will get fixed sooner or later), he keeps his access to all private sections of your forum, or files, or whatever you might have on your server.
QuoteAnd it's not just files, either. A hacker could plant a privileged user on the forum who could, a month later, become a huge problem.
Quote from: Valodim on August 20, 2005, 11:57:05 PMa temporary files folder can just not have any executable file types allowed in it, that's it. It is indeed possible to not have any writable executable files on the server, which are a major security risk for long-term hacks. plus there's no reason to have everything 777-chmod'd
Quotebah, it's easy to find a privileged user in the database (check membergroups, check members, check per-member-permissions if available, done), but there are tons of possibilities to hide a privilege escalation code in a php file...
Quote from: keepr on August 20, 2005, 11:58:53 PMBasic Linux best practices dictate that public files on your web server should not be rwx because almost any exploit becomes much much worse in this situation, Furthermore I don't understand why the specific files that need to be tagged 777 cannot be disclosed rather than taking a sloppy approach and applying rwx access to an entire forum installation.
QuoteAnother good reason to make all your files are secured is that anyone who gets into the account be it via injection, exploit or whatever would be able to add arbitrary code to your installation like a call to a virus stored offsite.
QuoteThe server penmin was having trouble on is a Standards compliant Cpanel server, the exact same setup as 10's of thousands of other hosting providers.
QuoteBasically someone compromised the server and wrote 1 line of code to all the php / html files in the users directories (the ones chmoded 777 anyway) that when executed pulled a virus to the end users computer from a 3rd party website. Anyone visiting a webpage on an infected server was subjected to arbitrary virii code. This did not happen on sites that maintained a strict file security policy.
Quote from: Amacythe on August 21, 2005, 12:38:07 AMI'm still trying not to take sides here, but your comment:QuoteBasically someone compromised the server and wrote 1 line of code to all the php / html files in the users directories (the ones chmoded 777 anyway) that when executed pulled a virus to the end users computer from a 3rd party website. Anyone visiting a webpage on an infected server was subjected to arbitrary virii code. This did not happen on sites that maintained a strict file security policy.makes me wonder if this whole thing is merely a matter of a server owner not wanting the responsibility of security that should be his by default.