Hacked: 1.1.8 attachments / avatars still has a vulnerability

Started by rthrash, May 11, 2009, 11:07:12 AM


JBlaze

wtmpp, I see you misinterpreted my post. It said, first line, IMHO, which means "In My Honest Opinion". In other words, that is not a statement.

Getting back on topic, the SMF Development Team has made this security patch a priority, even above getting RC2 public. So please, simply follow the simple guidelines provided until the patch is released.

Regards,
JBlaze
Jason Clemons
Former Team Member 2009 - 2012

busterone

Quote from: wtmpp on May 17, 2009, 06:17:05 PM
Quote from: JBlaze™ on May 12, 2009, 05:28:49 PM
IMHO, allowing uploadable avatars/attachments for brand spankin new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

So, with that said, just disable avatars/attachments or at the least, limit them to users who have posted more than 5-10 posts and patiently await the security patch.

Or see my post that I made here: http://www.simplemachines.org/community/index.php?topic=309717.0
With all due respect, that statement is patently stupid. Why would anyone NOT use a legal feature of software they trust?
What about posting? Should that be denied also?

How about reading? maybe we should limit that as well?

Having the user avatars be uploaded and hosted locally IS a better security practice, because all someone needs to really screw with your forum is to post images or avatars on a server they control: they can track all your members' IPs (including your admins'), and they can make your performance go to hell (by linking to large images that everyone's browser chokes on trying to download, or that are really PHP programs with a Sleep() command :(.

I am really disappointed with the SMF behavior of dealing with this.

Without going into details, an announcement of a possible vulnerability and a work-around on the front page or stickied somewhere is, I feel, the appropriate way of dealing with this.

I feel strongly (perhaps wrongly), but I feel SMF is more concerned about its perceived security reputation than the safety of its members


This vulnerability is too important to be buried on a back page somewhere. This is the problem with open source that is not "open" and honest.
:( regards
Sorry, but I do not see your logic or flame of SMF as being valid.
As JBlaze said, I agree wholeheartedly and have always done so, long before this hack was discovered. I do not allow user avatar uploads to my server period anymore, but at one time, never before 50 posts. I do not allow any uploads of avs or attachments for anyone other than admins on my staff. I also believe that by avatars being hosted on an outside image host, it saves me much bandwidth usage and trouble.
I have never heard of any way that my forum can be compromised by images being hosted elsewhere, nor having my user's IPs harvested. If such exists, I need proof.
The team is working on repairing this security breach. Do not forget that all of SMF's team are purely volunteers, and they do this often for very little thanks and for no pay.

wtmpp

"I have never heard of any way that my forum can be compromised by images being hosted elsewhere, nor having my user's IPs harvested. If such exists, I need proof."

You know, I was halfway into typing up source code and stuff, but that would be going off-topic and frankly, I don't even care if you believe me or not, since I'm not Santa Claus and don't need your cookies and milk on the mantel. Suffice it to say, it's all possible; ask one of the SMF devs to explain it to you.


It's not a "flame of SMF" to say that a serious security vulnerability that allows someone to take TOTAL CONTROL OF YOUR FORUM should be handled in a more serious and professional manner!
No software is perfect, and mistakes always happen, but this is not an errant mistake, it's a conscious act to hide this on the back page :( and I don't think it's right.

mashby

Quote: it's a conscious act to hide this on the back page :( and I don't think it's right.

Last I checked, there's a stickied topic under SMF 1.x Support. Yeah, it's not a good thing to have a serious flaw in software, but there are some things you can do to keep your site safe in the meantime.
Always be a little kinder than necessary.
- James M. Barrie

wtmpp

Quote from: mashby on May 17, 2009, 07:43:55 PM
Quote: it's a conscious act to hide this on the back page :( and I don't think it's right.

Last I checked, there's a stickied topic under SMF 1.x Support. Yeah, it's not a good thing to have a serious flaw in software, but there are some things you can do to keep your site safe in the meantime.
Do you really think a "stickied post" buried somewhere is enough?
Look on the news on the front page.. no mention of this.

We are also told to not use version 2 yet, not in production anyway.

and I did go look at that post.. Does a good job of whispering the seriousness of the situation....
arghh... no harm done, not to me anyway...

Yes, I know, I guess I'm really pissed 'cause I spent the better part of the weekend tracking down all me mates I've recommended this software to.

This is also an ooooooooooooold bug. there is no excuse for something like this to still be happening :(
oh well....

For the first time, I actually started looking at phpBB3 and PunBB... just for kicks... I definitely won't switch my little Trekkie Forum, but maybe for another project that needs a little forum, I'll try one of those maybe... who knows?

LiroyvH

Stickied posts are not buried, they pop up on top of the page, no matter if you are on page 1 or 500.
That's not exactly burying it, is it...?

Which software you use for your site is totally up to you. If you don't wish to disable your avatars for new users while the SMF developers are working very hard on a solution, that is totally up to you and it will be your own problem and risk :)
Even *IF* SMF was trying to bury the fact that there is a little flaw, you are warned now, aren't you? ;)
No further point in arguing or pointing fingers at people in my opinion. Let's keep it nice.

I guess it is a matter of choice...
And yes, I do understand you may feel a bit angry because you feel vulnerable now due to this little flaw, but the coders are doing their best to fix this issue. Give them a little bit of time, and in the meanwhile, do what you have to do to secure your forum; temporary solutions have been presented to you here :) ;)


Sincerely,
- Liroy
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Uhura!

Quote from: StarWars Fan on May 12, 2009, 07:41:09 AM
You're right - it's not resolved and won't be until the overdue patch for this problem is released.

Telling people to disable avatar attachment uploads is ridiculous.

Yes...I had members complain about it...

My band aid was to only allow members with one or more posts to upload attachments.

Please.fix.this.soon.

:)
:) Our Parenting Spot is an online parenting community for fathers, mothers, grandparents, teachers, and family service professionals. 8) We also provide low cost advertising options for authors, family service providers, and businesses with family friendly products and services. ;D Visit us @ www.OurParentingSpot.net!

Uhura!

Quote: IMHO, allowing uploadable avatars/attachments for brand spankin' new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

So, with that said, just disable avatars/attachments or at the least, limit them to users who have posted more than 5-10 posts and patiently await the security patch.

I agree with this philosophy and I was using it, but after reading a bit further - I'm going to go Brooklyn and disable it all.

Even after the patch, I will allow no uploads for members with no posts...

Antechinus

It's a good plan. Personally I only allow avs and attachment uploads for staff and a trusted membergroup. This is just my standard policy, even before this exploit was known.

wtmpp

" [NOTICE] How to secure your site against recent attacks"
"SMF 1.1.7: Session verification failed when installing mods or SMF 1.1.8 update"
"Upgrade script timing out?"
"READ FIRST: How to help us help you "

CoreISP/Liroy, here are the 1st  4 stickied posts. Does any of them have any specific "Call To Action?"

Let's get personal: you run a hosting company, correct?
http://order.dedicatedbox.net/cart.php?a=confproduct&i=0 Here is a link to the details page of one of your hosting offerings, and I see you use Plesk.

Now lets say that you have a Linux administrator who regularly sends you an email about the security update news he comes across.
There is a major security hole in Plesk 9 that allows an attacker to take COMPLETE CONTROL OF THE SERVER. Your Linux admin sends you a notice (one of MANY) that says
"How to secure and harden Plesk against attack"...
do you think an issue as serious and with as severe implications as this would deserve a more *assertive* warning?

It may be bad to shout "fire" in a crowded theater, but is it better to whisper? What if there really IS a fire? Should we all burn?

Ask yourself this: if you had an employee whose job it was to monitor security news and bring matters to your attention and THAT was the casual way he did it... wouldn't you *fire his ass??*

When you log in via your SMF 1.18 admin panel - is there urgent news on the news feed?
Technically, SMF could turn this off themselves since the news feed is actually Javascript, so technically they could send javascript that turns off the attachment feature.

Quote: And yes I do understand you may feel a bit angry because you feel vulnerable now due to this little flaw,

No, I already said why I was upset :)
Quote: Yes, I know, I guess I'm really pissed 'cause I spent the better part of the weekend tracking down all me mates I've recommended this software to.

And btw, it's not a LITTLE flaw. Any flaw that allows an attacker to execute arbitrary code is a MAJOR, MAJOR flaw, sigh.
I would recommend that people disable ALL attachments and avatars (maybe by renaming or hiding the avatar/uploads folder for a day) till they have time to check. Blocking new uploads won't help if crap has already been uploaded :(

@Antechinus, that's good too, 'cause sometimes you have the issue of offensive images in avatars/sigs, so it makes sense that that privilege should be earned, not just given away.

Leemy

I'm not sure what debate/fighting is raging here, but I do think the notice of this flaw (and the upcoming patch) should be more prominent. Some suggestions:

- Latest news which would show up on simplemachines.org front page
- MUCH more visibly, show it in the News section in the Administration Panel. This is seen by SMF forum admins much more often than simplemachines.org's Support for SMF 1.x board.  Why not publicize it to SMF admins? They are not the general public, nor do they have an interest in harming their own forum.  Certainly when a patch is released, there will be some notification?

I appreciate the developers' work on a solution and hope it comes very soon. In the meantime, it should be broadcast publicly to SMF forum admins on how to avoid this; the regular users of simplemachines.org's support forum are a small, small subset of all SMF admins.

Antechinus

One thing to bear in mind: anyone who does want to hack SMF sites will have their own test installation. You will be notifying them too. :P

metallica48423

I'd like to present a few points, in brief:

1.) The reason that we do not "announce" security breaches until we have a patch available is because the moment we release information on the exploit, the exploit will quickly fall into the hands of people that will use it for much more destructive use than what this bunch of hackers has used. Understand that these people could just as easily have deleted all files and databases from your account with this exploit. We do not want a larger selection of SMF users being harmed by this than already have been. Acknowledging the security breach beforehand will guarantee this. I have already personally verified at least two hacker "groups" that often target bulletin board software and that have used information posted by us to hack others in prior exploits.

2.) I do agree that in large scale situations, such as these, we could communicate better with admins, perhaps through the adminCP or similar.  We'll be discussing this at the team level.  However, we have, rather than staying mum on the subject, been directly assisting people with these issues until the patch is ready.  Remember that this exploit, while it is certainly a huge deal, is still limited to a very limited subset of individuals doing the hacking.

3.) This is *not* the same exploit that was fixed between 1.1.7 and 1.1.8, though it is a spin off of that idealism.  I do not know where this assumption came from, but this is indeed a different exploit.

4.) The patch we are working on is not just a small "plug" for this hole. It's not a patch-and-hope-it-holds job. The patch we are working on is intended to entirely beef up attachment and avatar security as a whole -- for all three branches of SMF. This is not a small undertaking. It's not something as simple as verifying a bit of input data. It goes beyond that. That is why it has taken longer than normal.

Before tonight, if we had released the patch "just to get it out there", nobody's avatar or attachment systems would work beyond a minimal level (in fact, for a short while, using the patch would have rendered the post display template in error.) 

Fortunately, the patch was released to Beta Testers this evening for final bug testing.  Once the few final remaining glitches are ironed out, it will be released. 

One thing of note, this is quite possibly the biggest patch we've done.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

QuoteMicrosoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool


Leemy

Thank you metallica48423 :) This is quite a large scope update, I see, and I appreciate the team's work.

I understand your reasons for not advertising the issue and I respect that, as you obviously have more experience administering this software than I ;)

Quote from: metallica48423 on May 18, 2009, 12:44:29 AM
Fortunately, the patch was released to Beta Testers this evening for final bug testing.  Once the few final remaining glitches are ironed out, it will be released. 

One thing of note, this is quite possibly the biggest patch we've done.


"Managing expectations" is key in Project Management and I appreciate your update on scope and status of the patch.

metallica48423

You are very welcome :)

Guys, all I'm trying to say here is: we're on your side. Our forums are just as in danger as everyone else's here!

We've had 4 people exclusively working on this patch since we first found out about the problems.  So we're certainly *not* ignoring the situation.  We decided to take the path of (hopefully) eliminating the core of the problem that has allowed the last few exploits to even happen, rather than fix only the symptoms of the problem.  Unfortunately, a certain browser makes this more difficult as well *cough*IE6*cough*.  Ugh... man, my allergies are killing me.

We also hope to resume regular email notifications of releases once again with this release, now that we have a better infrastructure in place to handle the 170,000+ emails that must be sent.  Unfortunately they've been spotty and sporadic due to server problems.

JBlaze

Quote from: metallica48423 on May 18, 2009, 01:04:08 AM
Unfortunately, a certain browser makes this more difficult as well *cough*IE6*cough*.  Ugh... man, my allergies are killing me.

IE6 allergies? Reminds me of the H1N1 flu :P

code names... hmmm...

dreamers4317

Hi All, sorry if this is a very stupid question, but I have been reading this topic as our site has got problems with this issue. We have disabled the upload of attachments & avatars & have banned the member Krisbarteo, but will the patch that is due fix our forum, or is there anything else we will have to do? Once again, sorry if it's a stupid question, but we are complete novices, so any help would be appreciated. P.S. We are still getting error log messages all the time.

Aleksi "Lex" Kilpinen

I would say the best way to go about this, would be to revert to a clean backup from the time before the hack. But you could also just clean out the files and database manually, and while that would require a bit of work, it would also save your new posts from the time after this hack occurred.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

dreamers4317

Hi Lexa, thanks for the reply &, much as it's appreciated, I would not have a clue how to do that, & as our site owner is just a bit elusive & it would be him that normally does that sort of thing, we are a bit stuck. So we just hope that the patch will fix things for us.
