UNACCEPTABLE BEHAVIOUR!
prostyxos13
post 14 Mar 2006, 02:24 PM
Post #1


Regular Member

THIS IS THE ORIGINAL POST AS I MADE IT IN MY FORUM:


TODAY WE WERE INFORMED BY hlia_gr that the shoutbox has a serious security hole.

I considered it my duty to inform eftaxias, who uses the same shout as we do.
I registered as www.lexrites.com
He was not online, so I made the following post:

In certain matters there is no room for rivalries, "spite" and so on.
In the spirit of the "fellowship" that MUST exist between GREEK forums,
we inform you that the shoutbox has a serious security hole, which anyone (who knows five things more than the average user) can easily exploit and literally screw up your site. Someone can load SQL through the shout and gain admin access... they can delete your members, your posts, your tables... in short, eftaxias can cease to exist.


Of course, there is also a solution to the problem.

Open shoutbox.php

Find where it says: render_saved_shouts

And add exactly above it:

function blah()
{
    // cast the "load" request parameter to an integer so nothing but a number reaches the query
    $this->ipsclass->input['load'] = intval($this->ipsclass->input['load']);
}

Take the shoutbox offline for a few minutes, then restore it.

Everything is OK now. www.yourforum.gr got hacked (by the well-known ones)
and the solution was given almost immediately.


the reply was the following ... :



TRANSLATION TO ENGLISH :


TODAY WE WERE INFORMED BY hlias_gr that shoutbox D21 has a serious void of safety (leak). I considered it my obligation to inform eftaxias (owner of eftaxias.gr/board), who uses the same shout as us. I made a new registration as www.lexrites.com. He was not online, therefore I made the following post:

In certain subjects there must be no adversities, "malices" etc. In the frames of "fellowship", that SHOULD exist between the GREEK forums, we inform you that the shoutbox has a serious void of safety. That can comfortably each one (who knows a little more in hacking) exploit, and he is capable to literally f*** your site completely. Load sql via the shout and he acquires admin access... he extinguishes/deletes the members, the posts, the tables... commonly, if he wants, there is going to be no eftaxias after that...



Of course there exists a solution to the problem:

Open shoutbox.php. Find where it says: render_saved_shouts

Add exactly above that:

function blah()
{
    // cast the "load" request parameter to an integer so nothing but a number reaches the query
    $this->ipsclass->input['load'] = intval($this->ipsclass->input['load']);
}

Remove the shoutbox for a few minutes, then restore it. Everything now is OK. They hacked www.yourforum.gr (from the known ones) and a solution was given almost immediately. The answer was the following... :


[image: screenshot of the reply]


Yep, he banned me for the tip!!! Because we had an argument 2 months ago (he also banned me then for another reason... because I dared to open my own forum!!!), but that's another story.

www.eftaxias.gr/board this man's forum.... what can I say ?

Shame on him!!!


--------------------
Visit my websites:

My Homepage ** My Jokes Page ** Lexrites Forum
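Added illustration of the hole and the fix described in the post above (example code written for this page, not the shoutbox mod's own source): a "load" request parameter concatenated into SQL versus the same parameter cast with intval() first. It assumes "load" is a row count for the shouts query, which the post does not say; the class and function names are invented stand-ins.

```php
<?php
// Added illustration, not the shoutbox mod's own code. It assumes the "load"
// request parameter is a row count for the shouts query; the page does not
// say what the parameter does, only that it must be cast with intval().

// Stand-in for IPB's $this->ipsclass->input request-variable array.
class FakeIpsClass {
    public $input = array();
}

class ShoutboxExample {
    public $ipsclass;

    public function __construct(array $request) {
        $this->ipsclass = new FakeIpsClass();
        $this->ipsclass->input = $request;
    }

    // Weak pattern: the raw request string is concatenated into the SQL,
    // so whatever the client sends becomes part of the statement.
    public function buildQueryUnsafe() {
        $load = $this->ipsclass->input['load'];
        return "SELECT * FROM shouts ORDER BY id DESC LIMIT " . $load;
    }

    // Hardened pattern: the cast recommended in the thread, applied where the
    // value is read. intval() keeps only the leading integer of a string and
    // returns 0 for anything that does not start with one.
    public function buildQuerySafe() {
        $this->ipsclass->input['load'] = intval($this->ipsclass->input['load']);
        $load = $this->ipsclass->input['load'];
        return "SELECT * FROM shouts ORDER BY id DESC LIMIT " . $load;
    }
}

// Constructed request values: a normal count and a non-numeric string.
$normal  = new ShoutboxExample(array('load' => '20'));
$tainted = new ShoutboxExample(array('load' => '20 TRAILING-NON-NUMERIC-TEXT'));

echo $normal->buildQueryUnsafe(), "\n";
echo $tainted->buildQueryUnsafe(), "\n"; // the trailing text sits inside the statement
echo $tainted->buildQuerySafe(), "\n";   // only the leading integer survives the cast

// intval('-5') is -5 and intval('abc') is 0, so a production fix would also
// clamp the value to a sane range, e.g. max(1, min($load, 100)).
```

The same cast belongs at every place the parameter is read, not in a helper that nothing calls; a string with no leading digits becomes 0, so the query still needs a range check on top of the cast.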
prostyxos13
post 14 Mar 2006, 05:21 PM
Post #2


Regular Member

I forgot to mention that after my ban they started... making fun of me in their shoutbox (I saw it via another account), claiming that I was... advertising myself and that I was writing crap!!!


hlias_gr
post 14 Mar 2006, 05:24 PM
Post #3


ex - Member Staff

Well I say! Flame the site!


--------------------


You are working for a living,
not living for working !
www.yourforum.gr
post 14 Mar 2006, 08:53 PM
Post #4


No comments

My personal opinion:

NEVER shout about security issues on a shoutbox (I know you did not, I am just mentioning it).

NEVER register an account named as your DNS name (your site), because this is spam by default (I have registered to more than 200 forums but almost NEVER used the account name www.yourforum.gr).

NEVER register another account when they kill your first one (it is like giving them more value in response to them dumping you for some reason).

I have no personal problem with the eftaxias board, although if you remember (and my posts are still there to prove it) I made some suggestions for improvement THE MOMENT I set foot on that site. I was partially ignored and ironically responded to that this is their admin's job and he knows well what to do...

So, farewell to them.


www.yourforum.gr
post 14 Mar 2006, 08:55 PM
Post #5


No comments

For your attention though: should I ever see any Greek admin (who had been warned of security holes as serious as the shoutbox exploit) not doing anything to secure his board... he asks for it!


NickTheGreek
post 7 Jul 2006, 06:43 AM
Post #6


Administrator

And according to personal experience and some surveys I see, most Greek forums are not even patched for the most common security exploits, so why should the admins care to patch their boards for MODs?

Just a disaster waiting to happen.


--------------------

c:\ When the going gets tough, the tough get going ...