Hacked: 1.1.8 attachments / avatars still has a vulnerability

Started by rthrash, May 11, 2009, 11:07:12 AM


metallica48423

Quote: I'm sure every script kiddie knows about the exploit by now. It's time to tell the forum administrators.

Not quite.  Every instance of this so far (that I am personally aware of) has been traced back to one individual.  It's by no means not a big deal, but by announcing it immediately to everyone without an immediate patch, we are ensuring that every script kiddie out there WILL know about it, and WILL use it.  We want to patch it before it gets that far. 

Once we have a patch available to install that will FIX the problem instead of averting it, it will be announced via the normal methods.  Averting it would mean simply that later someone can come back with another derivative security issue based on this one, much like this is similar to the last one.

This is not out on security trackers yet, but we will have a patch for it *very* soon.  This patch is quite possibly the biggest security patch we've ever done.  Significant work has been done for all 3 branches to improve attachment and avatar security.  But with that comes bugs.  The patch is with our beta testers who are testing the functionality to ensure that it works properly and without causing further problems.

I hate telling people who could be affected by this to wait, but remember that our forums are vulnerable too.  Hang in there, we will get everyone taken care of, just as we already have.  We just need a bit to sort it all properly.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote: Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool

Crasy

Quote from: metallica48423 on May 19, 2009, 12:42:15 AM
Quote: I'm sure every script kiddie knows about the exploit by now. It's time to tell the forum administrators.

Not quite.  Every instance of this so far (that I am personally aware of) has been traced back to one individual.  It's by no means not a big deal, but by announcing it immediately to everyone without an immediate patch, we are ensuring that every script kiddie out there WILL know about it, and WILL use it.  We want to patch it before it gets that far. 

Once we have a patch available to install that will FIX the problem instead of averting it, it will be announced via the normal methods.  Averting it would mean simply that later someone can come back with another derivative security issue based on this one, much like this is similar to the last one.

This is not out on security trackers yet, but we will have a patch for it *very* soon.  This patch is quite possibly the biggest security patch we've ever done.  Significant work has been done for all 3 branches to improve attachment and avatar security.  But with that comes bugs.  The patch is with our beta testers who are testing the functionality to ensure that it works properly and without causing further problems.

I hate telling people who could be affected by this to wait, but remember that our forums are vulnerable too.  Hang in there, we will get everyone taken care of, just as we already have.  We just need a bit to sort it all properly.

Thank you metallica48423, I appreciate the update.
I kinda understand what you are doing. You're stuck in a tight situation where you're pretty frustrated that you can't give a shout out to forum administrators anyways.

Anyways, tell the devs and testers that there is NO SLEEPING TONIGHT UNTIL THIS IS DONE.
On second thought please don't. Make sure they know how much I appreciate that my lazy ass doesn't have to do anything but APPLY their hardwork

wtmpp

Thanks for your reply Core, I think we have a fundamental disagreement on the way a professional company should operate when there is a defect in one of their products.

The arguments that you are regurgitating w/o understanding (as you are not a developer or software risk-management executive) are without merit.

"1. Disclosure that there is a problem-  even that there is a security problem will leave us open to attacks by script kiddies"

First: a "script kiddie" is someone who lacks the skill to implement and craft an exploit on their own, but is technically competent enough to download and follow a few step by step instructions and maybe make tiny code edits.

Saying nothing more explicit than: "We have important security news for all: Disable uploads/avatars temporarily while we work on a patch that does not limit functionality"
will not jeopardize security and allow members to secure their sites accordingly.
This information should be widely broadcast.


Quote from: metallica48423 on May 18, 2009, 01:04:08 AM
We've had 4 people exclusively working on this patch since we first found out about the problems.  So we're certainly *not* ignoring the situation.  We decided to take the path of (hopefully) eliminating the core of the problem that has allowed the last few exploits to even happen, rather than fix only the symptoms of the problem.  Unfortunately, a certain browser makes this more difficult as well *cough*IE6*cough*.
At Metallica: First, this issue is not related to browsers at all. I know we all love to bash IE but c'mon now! lol
Nobody has ever said you guys were ignoring the situation.... that would mean knowing something is wrong but doing nothing. I believe you ARE doing something, but something inappropriate, something that serves to salve your reputations at the expense of forum owners.

You say you don't want to announce the problem without having a 'perfect patch' ready?
Why not have an 'almost perfect patch' ready in an hour (disabling avatar uploads, theme switching, etc.), ANNOUNCE THAT, then continue to work on the "mother of all patches"?

This behavior of you guys is really poor in this regard. It's like you don't care about those people who got their forum hacked and would NOT have, if only they knew in advance and could have done something. Don't take this as an indictment of YOU personally, but of the system as a whole. Besides, why is there this constant crowing, mutual back slapping about providing "support" for something that shouldn't happen in the first place?

That's like a babysitter boasting of her CPR skills in (not) saving the toddlers from drowning while she was sleeping :(
http://www.foxnews.com/story/0,2933,276733,00.html

And look, I get it, you guys are all volunteers, work for free, just like Jesus etc. That's no reason not to be held to (or act according to) the highest professional standard and duty of care towards the public?


Looking back through the forums there are tons of IDENTICAL scenarios just like this one.
Major security breach that enables complete take over of a forum.
SMF obfuscation and stonewalling,
Patch released with little fanfare.

Since adoption of a patch or upgrade by end users takes a long time and then is never 100%, announcing there is a problem when you have a patch is just as bad as announcing it when you don't! The "ever lurking script kiddies" will seize on that information and wreak havoc!

Actually, their havoc is easily implemented now, since now they have a before and after file to DIFF on and know exactly what to do :(

C'mon guys, we can do better, especially when it's a flaw that allows somebody to take control of a server or hosted account.
Announce (w/o going into details), let people know ASAP, and we can take informed actions to protect our forums and sites.


*I know the fanboys are all set to jump on me now, so I am out of this thread. There is no new information to be gained or given, and I've had my say.

So long and thanks for all the fish!

rthrash

I have to agree and reiterate that I'm still amazed there's no warning to disable avatars and attachments inside the Admin panel. I'd venture to say that the gross majority of forum owners do not visit the project forums that frequently. People are getting hacked daily, and I'm certain some could have been prevented had this simple step been taken.

JBlaze

IMHO, being a forum owner/admin, it is your responsibility to keep up to date with all things going on with your software. If that means signing up on the project forums and checking it once a week, so be it. I have owned a forum for 2 years now, and have been through much worse software and support communities. SMF really has it right. If you are going to bash the SMF Team for not doing what you think they should do, then you should take that up with them directly instead of publicly bashing them.

So, with that said, SMF should not have to hold your hand and guide you through this. The biggest part of being an owner/admin is being able to take care of problems yourself. It is your responsibility.

I am leaving it at that.
[/discussion]

Regards,
JBlaze
Jason Clemons
Former Team Member 2009 - 2012

metallica48423

I'll just note two things here:

1.) My comments on IE6, while not related to the core of this exploit as far as SMF is concerned, aren't entirely irrelevant.  IE6 is vulnerable to a similar type of attack due to how it parses the header information in images.  That means we must also tend to these script injection problems (after all, no software developer wants their software being a vehicle for computer hijacking either).  So no, I'm not picking on IE because it's the popular thing to do, but because, yes, infected images are now (more so than ever) an enemy to IE6.

2.) We will note your concerns.  Please do not think that because I am rebutting them (with my own opinion and what we've currently established as policy, mind you) that I am simply ignoring them.  I am not, and neither are the rest of us.  In fact, I agree with you, but not, perhaps, on the level you feel I should. 

Truth is, this is still a relatively small scale attack by only one confirmed individual (again, that doesn't mean that the threat is not there or is unimportant).  If that weren't the case, and this were an epidemic level attack, or if we couldn't get the patch out before it came to that, that'd change things a lot, actually.  I could then see getting a notification out ASAP.  And we have actually done notifications in the past (though not through the admin CP), though it has been a while since we've had a situation arise where an exploit was either of huge scale, or where we couldn't get it patched in a decent timeframe.

Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

babjusi

Justin is right. If the issue were known to everyone, then the damage would have been much worse. I think that the SMF team has handled this as best as they could under the circumstances. And don't forget that it couldn't come at a much worse time, when they are very busy working on SMF 2.0. So please, a little bit of patience and understanding.

Sverre

As I said in my previous post in this topic, the forum I manage has been safe from this exploit all along, so I can afford to wait for the patch. Others are not so fortunate though, and in the future, I could very well find myself in their position. That's why I hate the fact that the information which could potentially "save" my forum, or save me the hassle of restoring it to be more precise, is kept "hidden" in a board which isn't natural for me to visit unless I actually need support. A warning in the Administration Center would probably be my preferred solution in a situation like this, but simply relocating the information to the News and Updates board, where it has a much better chance of being noticed by administrators who need it to protect their forum, would go a long way in boosting my confidence in the project.

Crasy

I believe that wtmpp is onto something. He's saying it in a kinda...funky way...that leaves far too much blame on staff around here. I don't like that since I do appreciate a lot of the work that goes into this.

But.
Heh.

My SMF forum is only a small, small forum for a group of friends. I spend maybe 5-10 minutes a day on the forum. Probably far less. JBlaze, are you telling me I should be checking these forums so often for my simple, small hobby forum?
I would be pretty fried if I got hacked, since I don't have time to fix the hack. I would probably just do a clean install and worry about fixing up mods I had later. I just disabled attachments and avatars.

Or should I be seeking a different software, one that is much smaller and less likely to be targeted by hackers? Kinda like picking a Mac because it has fewer viruses "out there".

I want to be corrected here. I'm mostly asking and saying these statements for clarification, not the purpose of pointing fingers.
I am only slightly reassured by Justin's statement that he is taking note of our concerns.

JBlaze

Believe me, the 2.0 Project has been pretty much put to a stop until this patch is out. It doesn't matter what software you use, as any site has the same chance of being targeted by hackers or spammers. The internet is a crazy place.

Jason Clemons
Former Team Member 2009 - 2012

busterone

I previously said that I had said all I could on this subject, but sorry, I have one more thing. JBlaze hit on a very strong point. -
The majority of all of us here are forum admins. It is OUR responsibility as an admin/site owner to keep up to date on all issues that can and will cause our sites trouble. We all get busy with our own sites, I know that I do. I still come here at least once a day and scan through the unread posts since last visit for anything that looks like it could be a problem. I know that sometimes a topic title can be misleading or simply non-descriptive, such as HEEEELP!  8)  but anytime anything even smells of security or hack, I check it out. Most of the time, it doesn't concern me and I then move on, but often it does.

We do have to be vigilant in staying as informed as possible.  It is indeed a crazy web out there.  :)

DavidCT

I really didn't want to jump into this debate, but I do have one small thing to say...

Saying we should read these forums (daily, basically, due to the volume of traffic and the possible dangers of new exploits) to find out if there is a security threat out there is dumb.  If people spent their time reading forums for every piece of software they used just in case there is an exploit out there, they wouldn't have any time to do anything else.  The only responsibility an admin has is to apply patches, of which there currently are none.  And placing a notice in the admin panel is not good either, as who logs into that panel daily?  An email would be nice, after all it is a real threat.  Maybe that is too costly?  I don't know.  Maybe placing a notice in the download area would be great if nothing else.  At least if an admin checked that daily for patches they'd see it.  Maybe even an RSS alert?

I realize this software is free, programmed by volunteers, but if I was involved with it I'd want to make sure I did everything to keep people from having their forum usage experience from being a sour one.  If one person's forum got trashed because they didn't know how to prevent it, that wouldn't make me feel too great as a programmer of software which I take pride in coding.

I appreciate free software, and nothing is perfect.  Just my 2 cents.

Crasy

Looking in hindsight now.

I believe it was a smart decision not to make this exploit heavily publicised.
As it appears the issue isn't very widespread.
And is isolated to a single spammer.
And has the potential to be devastating if the issue is made more public.

But has remained isolated, thanks to the smart decision by staff around here.
I disagreed earlier, but in hindsight I think I was wrong.

karlbenson

For anyone who hasn't done so yet, 1.1.9 was released tonight, patching this.   Please be sure to update your forums ASAP.

Thanks!