
Avast Forum Hack - Results of Analysis

Started by Kindred, June 05, 2014, 07:43:06 PM


Omega X

I'm glad that this was handled swiftly and professionally.

Hopefully their anti-virus team isn't as nonchalant as the web team.

Itchigotim

What I took away from this (aside from it being handled expertly) is:

Nothing is totally secure: if someone wants in, there is probably a way, even if it's unknown at the time, no matter what the software.

Protect your passwords and don't reuse them.

If you understand these 2 things, 99.5% of the time you'll be ok. :)

I didn't know anything about any forum software before I settled on SMF. I chose it because of what I read about it. I read nothing but good things and I didn't see that kind of sentiment across the board on any other software.
Roguepinball: ¡¡ɟooɹ ǝɥʇ uo ǝʇıs ןןɐquıd ʇsǝq ǝɥʇ


Ninja ZX-10RR

Quote from: Itchigotim on June 18, 2014, 09:58:55 PM
I read nothing but good things
Actually, if you search well you can find bad feedback, but this is not the place to talk about this ;)
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

ranseyer

Maybe it would be a good idea to sign the "packages" (= SMF patches) like Debian does, with a PGP key, so the Package Manager can only install (by default) packages which are built by the SMF Team.

Yes, it's work, but I could help.

Kindred

No, it would not. The package manager is used to install MODS as well, which allows you to customize your SMF installation.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Deaks

Not sure why anyone would want to restrict the customization ability of SMF, considering the issue that caused the hack was done not only on this site as well as Avast but also on other sites that don't run SMF.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Ninja ZX-10RR

Quote from: ranseyer on June 19, 2014, 10:44:36 AM
Maybe it would be a good idea to sign the "packages" (= SMF patches) like Debian does, with a PGP key, so the Package Manager can only install (by default) packages which are built by the SMF Team.

Yes, it's work, but I could help.
Also, it would restrict any unofficial mod, and it's not a good idea. How could modders try their mods if they aren't authorized? Lol

Antes

Quote from: Flavio93Zena on June 19, 2014, 11:16:50 AM
Quote from: ranseyer on June 19, 2014, 10:44:36 AM
Maybe it would be a good idea to sign the "packages" (= SMF patches) like Debian does, with a PGP key, so the Package Manager can only install (by default) packages which are built by the SMF Team.

Yes, it's work, but I could help.
Also, it would restrict any unofficial mod, and it's not a good idea. How could modders try their mods if they aren't authorized? Lol

A generic key, like MS does for KMS installs: you can't activate (pre-activate) KMS on systems, so MS gives generic keys for installs. We do the same for mods: give a generic key (ID) to mod authors to enter (to test), or we can even put in a setting to allow unauthorized mods to install (Android does that).
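The install policy being debated in this post and the two before it (packages signed under a pinned release-team key, plus an operator setting that lets unsigned, unofficial packages through, the toggle Antes compares to Android's setting for unknown sources) can be written down as a small gate that runs before anything is unpacked. The Go program below is an added example written for this page; it is not code from SMF's package manager, and the Package, Policy and CheckPackage names, the Ed25519 team key and the archive bytes are all assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a hypothetical archive as the package manager would see it:
// the raw archive bytes plus a detached signature (empty when unsigned).
type Package struct {
	Name      string
	Archive   []byte
	Signature []byte
}

// Policy is the hypothetical install policy: the pinned public key of the
// release team and the operator's opt-in for unsigned (third-party) packages.
type Policy struct {
	TeamKey       ed25519.PublicKey
	AllowUnsigned bool
}

// Verdict tells the caller why an install was permitted or refused.
type Verdict int

const (
	VerdictRejected        Verdict = iota // policy refused the package
	VerdictTeamSigned                     // signature verified under the pinned team key
	VerdictUnsignedAllowed                // no signature, but the operator opted in
)

var (
	ErrUnsigned     = errors.New("package carries no signature and unsigned installs are disabled")
	ErrBadSignature = errors.New("package signature does not verify under the pinned team key")
)

// digest binds the signature to the exact archive bytes.
func digest(archive []byte) []byte {
	sum := sha256.Sum256(archive)
	return sum[:]
}

// SignPackage is what the release team would run at build time (assumed flow).
func SignPackage(teamPriv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(teamPriv, digest(archive))
}

// CheckPackage is the gate the package manager would run before unpacking.
// A missing signature is tolerated only when the operator enabled it; a
// present-but-wrong signature is never tolerated, even with AllowUnsigned set,
// because a signed package that fails verification is a tampered package,
// not an unofficial one.
func CheckPackage(pol Policy, pkg Package) (Verdict, error) {
	if len(pkg.Signature) == 0 {
		if pol.AllowUnsigned {
			return VerdictUnsignedAllowed, nil
		}
		return VerdictRejected, ErrUnsigned
	}
	// ed25519.Verify panics on a malformed key, so check the pin first.
	if len(pol.TeamKey) != ed25519.PublicKeySize {
		return VerdictRejected, errors.New("policy has no valid team key pinned")
	}
	if !ed25519.Verify(pol.TeamKey, digest(pkg.Archive), pkg.Signature) {
		return VerdictRejected, ErrBadSignature
	}
	return VerdictTeamSigned, nil
}

func main() {
	// Constructed sample: a throwaway team key pair and toy archive bytes.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	archive := []byte("smf-patch.tar.gz (constructed placeholder bytes)")
	official := Package{Name: "smf_patch", Archive: archive, Signature: SignPackage(priv, archive)}
	tampered := official
	tampered.Archive = bytes.Replace(archive, []byte("patch"), []byte("backdoor"), 1)
	unsigned := Package{Name: "my_mod", Archive: []byte("third-party mod (constructed)")}

	strict := Policy{TeamKey: pub}
	lenient := Policy{TeamKey: pub, AllowUnsigned: true}

	for _, c := range []struct {
		label string
		pol   Policy
		pkg   Package
	}{
		{"official/strict", strict, official},
		{"tampered/strict", strict, tampered},
		{"tampered/lenient", lenient, tampered},
		{"unsigned/strict", strict, unsigned},
		{"unsigned/lenient", lenient, unsigned},
	} {
		v, err := CheckPackage(c.pol, c.pkg)
		fmt.Printf("%-17s verdict=%d err=%v\n", c.label, v, err)
	}
}
```

The toggle is what lets a mod author test an unofficial package without anyone issuing keys; the pinned key is what keeps a package that merely claims to be official from installing when its bytes were altered after signing.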

Kindred

Useless.

We're open source.

That means we would need to issue a key to anyone who makes a mod...   and then the hacker can get the key as easily as a real modder...

Deaks

To add to Kindred: the idea is to encourage more creations; adding a key would restrict the contributions, etc.

SaltedWeb

Quote from: ‽ on June 14, 2014, 12:49:21 PM
Quote: I have a dozen SMF forums, and one XenForo; the XenForo gets more spam and security issues.

Spam is not a security issue, nor has XenForo ever had any known security issues.

* ‽ is a licence holder btw

Quote: Most paid versions never come close.

On the contrary, I consider XenForo a superior platform in a number of respects, even as much as I like SMF.

I beg to differ; XF has security issues, in particular the last was a Tapatalk issue.
Now, true, it's a plugin, but it manipulated XF security limits; this was not an issue with SMF.
A person could access admin areas pretty easily.
Also, XF may be superior in some ways, but in others it falls short of SMF. They have a very small staff
and are very slow to address security issues, and support is dismal. You can do your own research and google and see
that working with the forums and staff are all but pleasant experiences. Of course that is your opinion and this was mine.
We are all just having a friendly discussion is my intent. Not trying to challenge your good name here, but I do stand by my own experiences.

Point was not to bash XF; it was to show that even paid software can have issues, and there have been several since XF started very
recently in the forum game. So not sure why you would say there are not when even XF recognizes past issues.
And I have not had these issues at any time over the years with SMF.

SMF is far superior to most forums out there; it's not about fluff and add-ons like XF has, it's about reliability and stability.
If one leaves SMF alone and does not mod the heck out of it, it's about as stable as it gets. SMF has a decade of proven ground.
XF is the new kid on the block and has hardly proven itself. Comparing the two is like apples and oranges.




Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

Arantor

Quote: I beg to differ; XF has security issues, in particular the last was a Tapatalk issue.
Now, true, it's a plugin, but it manipulated XF security limits; this was not an issue with SMF.
A person could access admin areas pretty easily.

Tapatalk breaking any security protocol is a Tapatalk problem. At one time the Tapatalk plugin could break into the admin area in SMF too.

Quote: They have a very small staff
and are very slow to address security issues, and support is dismal. You can do your own research and google and see

Two full time developers built XF in a year from scratch. A horde of part time people has yet to even push out a partial update to 2.0 in the form of 2.1 in 3 years.

Given that I have actually reviewed XF's code, and all the updates... the only concern I have ever encountered was with swfupload, which wasn't actually XenForo's own component, and a large number of other systems had trouble with it too (and I never enabled it anyway).

I have done my own research and lurked around XF's forums for some time. The support response seems more efficient than it does here, even from people who are volunteers themselves.

Quote: SMF is far superior to most forums out there; it's not about fluff and add-ons like XF has, it's about reliability and stability.

That's why 2.0 shipped with hundreds of known defects, a small number of which were fixed in 2.0.7 alongside the PHP 5.5 compatibility stuff, and a large number of which are still present in 2.1. I've even seen the dev team adding code recently without even testing it. Most of the interesting/complex code in SMF was written years ago by people who don't even remember it, nor remember why it was added, and I can be fairly sure in asserting that I could point things out in the source that people would not understand why it was done.

As a trivial example I give you https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/index.php#L39 - doing the same unset operation twice in a row. I know exactly why that's like that, I also know it can now be changed to be sane again but I doubt the bulk of the dev team would understand it without an unnecessarily long explanation of why.

That's why a bug that allowed users to "fake" usernames was left unpatched for over 2 years (I know, I'm the one who fixed it in 2.0.6).

And honestly, if you dig deeper there are security issues at play. What happened with Avast could not physically have happened if they were using XenForo, IPB or other systems. Physically impossible - bear in mind I've seen the code itself; I know *precisely* what was done once admin access was obtained. It only worked because the theme editor allows anyone with admin access to directly edit PHP files, and the package manager allows raw PHP to be uploaded and executed from the ACP. All the big systems have long since moved to a template engine that utterly negates the theme editor, and almost all of them require FTP/SFTP uploads to be done manually, specifically so that a miscreant who breaks into an admin account can't make things worse. But none of this will change because 'it's so flexible and convenient' to have this. I've known about the fragility of this stuff for years and been campaigning for years to get it changed, but it's always been discouraged.

It would be possible for someone with more limited permissions to escalate their permissions upwards. It's possible for a non-admin under limited circumstances to steal an admin's account (they only need manage-boards or manage-permissions). And it's been a vulnerability for years, every time a new release comes out, it never gets fixed because "it would break backwards compatibility". And this has been *known* for years. I've known about it for 4 years for example. A similar vulnerability existed in censored words but that was 'fixed' by making it an admin only area back in 2010.

SMF has more than a decade, yes. XenForo has 4 years, and that's before you factor in the years of experience its developers had being the main developers of vBulletin before that. (Kier Darby was the former lead developer of vBulletin in 3.x days.)


EDIT: I just found another vulnerability. It's not the easiest to exploit in the world but it's entirely possible by way of social engineering.

samborabora

Quote from: ‽ on June 19, 2014, 12:20:45 PM
As a trivial example I give you https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/index.php#L39 - doing the same unset operation twice in a row. I know exactly why that's like that, I also know it can now be changed to be sane again but I doubt the bulk of the dev team would understand it without an unnecessarily long explanation of why.

I'm intrigued, why IS it unset twice in a row?

Arantor

Because it's a vulnerability in PHP itself that was fixed in PHP 5.1.4.

Quick bit of theory: in PHP there are really two kinds of arrays, numeric and hashmap. The latter is where it doesn't use the actual 'key' you give it but instead creates a hash out of it and uses that. Under some circumstances prior to 5.1.4, unsetting a key in an array would clean out one key but a second variation of the key would produce the same hash. It's known as the Zend_Hash_Del_Key_Or_Index vulnerability inside the Zend engine that powers PHP itself.

Unsetting it twice in a row is required to neuter the vulnerability. SMF 2.0 still supports below PHP 5.1.4, so it had to be patched like that. 2.1 until very recently supported 5.1.0 as a minimum target version, which still required said patch, but is now 5.3.8+ and so it can be changed. But it's the kind of fringe detail that only miserable old farts like me would know about.

nadialeigh

I hope they will fix it soon. Is there any problem if I use Avast antivirus? It could be possible that if hackers are handling the forum, then they can do anything with the entire platform.

Kindred


samborabora

Quote from: ‽ on August 04, 2014, 02:47:59 PM
Because it's a vulnerability in PHP itself that was fixed in PHP 5.1.4.

Quick bit of theory: in PHP there are really two kinds of arrays, numeric and hashmap. The latter is where it doesn't use the actual 'key' you give it but instead creates a hash out of it and uses that. Under some circumstances prior to 5.1.4, unsetting a key in an array would clean out one key but a second variation of the key would produce the same hash. It's known as the Zend_Hash_Del_Key_Or_Index vulnerability inside the Zend engine that powers PHP itself.

Unsetting it twice in a row is required to neuter the vulnerability. SMF 2.0 still supports below PHP 5.1.4, so it had to be patched like that. 2.1 until very recently supported 5.1.0 as a minimum target version, which still required said patch, but is now 5.3.8+ and so it can be changed. But it's the kind of fringe detail that only miserable old farts like me would know about.
So it was still a requirement for supporting earlier versions? Thanks for the info, I didn't know there were certain hacks in there to overcome certain issues with php itself.

I wonder why Avast blamed a third-party forum software, seems kinda unprofessional.

Arantor

Yes, it's still a requirement in the 2.0 branch of the code to support pre-5.1.4 versions but it can safely be removed from 2.1 since the minimum target version is 5.3.8 now.

And yes, there are quite a few comments like that in the source where SMF is patching around issues in old versions of PHP.

Avast blaming third-party software is understandable; a security firm admitting to poor security practices of its own would not be a wise marketing move. Easier to blame a third party, especially when it's 'written by amateurs' and whatever other nonsense normally gets spouted.

Ninja ZX-10RR

Now they claim that they are using their own SSL encryption for passwords... I am not entirely sure about what that means. Do they claim that the data was spoofed or something? O.o

About them being professional, check my (angry) comment here: http://www.simplemachines.org/community/index.php?topic=523494.msg3704958#msg3704958. Do they look professional to you for that?

SaltedWeb

Quote from: ‽ on August 10, 2014, 09:24:11 AM
Easier to blame a third party, especially when it's 'written by amateurs' and whatever other nonsense normally gets spouted.

Well, maybe these so-called amateurs should work at Avast, and then things would work better, as the monkeys over at Avast are too busy cleaning ticks off each other.

We all see the government workers holding job security, digging a 6x6x6 ditch that takes two days with 5 people and a backhoe.
Then you see a non-profit organization clean an entire highway with 5 people and trash bags.
Avast is marketing job security and wouldn't know hard work to get it done if it fell in their lap.
This latest outburst this year by them, and the (my opinion) disrespectful way it was done: I won't be a buyer,
free or not, from them.

SMF is the best free software on the planet and runs circles around many paid forums, both in security and options.
The work here is a work of passion, not a "let's all get rich quick" like you see so much.
SMF may not be perfect, but how can you compare the hard work done here by people that actually give a shoot to people who want a paycheck for the next ten years and will stop at nothing to secure retirement?

Just how I feel; there is right and wrong in this world, and it seems too many are forgetting we are supposed to act like we are civilized.


