UNACCEPTABLE BEHAVIOUR !
Post #1, 14 Mar 2006, 02:24 PM
Regular Member, Group: Members, Posts: 99, Joined: 11-September 05, Member No.: 309
THIS IS THE ORIGINAL POST AS I MADE IT IN MY FORUM:

TODAY WE WERE INFORMED BY hlia_gr that the shoutbox has a serious security hole. I considered it my duty to inform eftaxias, who uses the same shout as us. I registered as www.lexrites.com. He was not online, so I made the following post:

On some matters there is no room for rivalries, "spite" etc. In the spirit of the "fellow solidarity" that MUST exist between GREEK forums, we inform you that the shoutbox has a serious security hole. One that anyone (who knows a few things more) can easily exploit to literally f*** your site. Someone can load SQL through the shout and gain admin access... he can delete your members, the posts, the tables... in short, eftaxias ceases to exist. Of course there is also a solution to the problem. Open shoutbox.php, find where it says render_saved_shouts and add exactly above it:

    function blah()
    {
        // cast the shoutbox "load" request parameter to an integer before it reaches the SQL query
        $this->ipsclass->input['load'] = intval($this->ipsclass->input['load']);
    }

Take the shoutbox offline for a few minutes, then bring it back. Everything is now OK. They hacked www.yourforum.gr (one of the well-known ones) and the solution was given almost immediately.

The reply was the following ... :

TRANSLATION TO ENGLISH:

TODAY WE WERE INFORMED FROM hlias_gr that shoutbox D21 has a serious void of safety (leak). I considered my obligation to inform eftaxias (owner of eftaxias.gr/board) who uses same shout with us. I made a new registration as www.lexrites.com. He was not online, therefore I made the following post:

In certain subjects there must be no adversities, "malices" etc. In the frames of "fellowship", that SHOULD exist between the GREEK forums, we inform you that shoutbox has a serious void of safety. That can comfortably each one (who knows a little more in hacking) exploit and is capable to literally f*** your site completely. y sql Via shout and it acquires admin access... he extinguishes/deletes the members, posts, the tables... commonly if he wants there is going to be no eftaxias after that... Of course there exists a solution in the problem: open shoutbox.php, find where it says render_saved_shouts and add exactly above that:

    function blah()
    {
        // cast the shoutbox "load" request parameter to an integer before it reaches the SQL query
        $this->ipsclass->input['load'] = intval($this->ipsclass->input['load']);
    }

Remove shoutbox for a few minutes, then restore it. Everything now is OK. They hacked www.yourforum.gr (from known) and a solution was given almost immediately. The answer was the following... :

yeap, he banned me for the tip !!! Because we had an argument 2 months ago (he also banned me then for another reason... because I dared to open my own forum !!!) but that's another story. www.eftaxias.gr/board is this man's forum.... what can I say ? Shame on him!!!

--------------------
Visit my websites: My Homepage * My Jokes Page * Lexrites Forum
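An added example, not the shoutbox mod's own code nor the poster's, of the defence the post describes: the shoutbox's "load" request parameter is cast with intval() before it reaches the SQL, and here the integer is additionally bound through a prepared statement. The table name, its columns and the loadShouts() function are assumptions constructed for the demo.

```php
<?php
// Added example (not the shoutbox mod's code): models the fix quoted in the post.
// The shoutbox takes a "load" request parameter (the last shout id the client has)
// and uses it in SQL. The posted fix casts it with intval() so only an integer can
// ever reach the query. This demo applies that cast inside the loading routine and,
// as the stronger layer, binds the value through a prepared statement.
// Table name, columns and loadShouts() are assumptions constructed for the demo.

function loadShouts(PDO $db, array $input): array
{
    // Same cast as the posted fix: $this->ipsclass->input['load'] = intval(...)
    // intval() keeps only a leading integer; any trailing text (SQL or not) is
    // dropped, and a value with no leading digits becomes 0.
    $load = intval($input['load'] ?? 0);
    if ($load < 0) {
        $load = 0; // a negative "last id" makes no sense; clamp rather than trust it
    }

    // Parameterised query: the integer is bound, never interpolated into the SQL text.
    $stmt = $db->prepare('SELECT id, member, text FROM shouts WHERE id > :load ORDER BY id');
    $stmt->bindValue(':load', $load, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function check(bool $ok, string $what): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ": $what\n";
}

// Constructed in-memory table standing in for the forum's shout table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shouts (id INTEGER PRIMARY KEY, member TEXT, text TEXT)');
$db->exec("INSERT INTO shouts (id, member, text) VALUES (1, 'alice', 'hello'), (2, 'bob', 'hi'), (3, 'carol', 'yo')");

// Normal request: shouts newer than id 1.
check(count(loadShouts($db, ['load' => '1'])) === 2, 'numeric load returns newer shouts');
// Tampered request: the trailing text never reaches the query; the cast leaves 1.
check(count(loadShouts($db, ['load' => '1 abc'])) === 2, 'trailing junk is discarded');
// Non-numeric request: cast yields 0, so every row is returned and nothing else runs.
check(count(loadShouts($db, ['load' => 'abc'])) === 3, 'non-numeric load becomes 0');
// The table is still intact after the tampered requests.
check((int) $db->query('SELECT COUNT(*) FROM shouts')->fetchColumn() === 3, 'table untouched');
```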
Post #2, 14 Mar 2006, 05:21 PM
Regular Member, Group: Members, Posts: 99, Joined: 11-September 05, Member No.: 309
I forgot to mention that after my ban they started ... making fun of me in their shoutbox (I saw it via another account), claiming that I was ... advertising myself and that I was writing crap !!!
Post #3, 14 Mar 2006, 05:24 PM
ex - Member Staff, Group: Platinum Members, Posts: 8117, Joined: 3-June 05, From: Athens, Greece, Member No.: 5
Well I say! Flame the site!
Post #4, 14 Mar 2006, 08:53 PM
No comments, Group: Admin, Posts: 31641, Joined: 8-July 05, Member No.: 121
my personal opinion :

NEVER shout about security issues on a shoutbox ( i know you did not, i am just mentioning )
NEVER register an account named as your DNS name ( your site ) because this is spam by default ( i have registered to more than 200 forums but almost NEVER used the account name www.yourforum.gr )
NEVER register another account when they kill your first one ( it is like giving them more value in response to them dumping you for some reason )

i have no personal problem with eftaxias board, although if you remember ( and my posts are still there to prove it ) i made some suggestions for improvement THE MOMENT i set foot on that site. I was partially ignored and ironically responded that this is their admin job and he knows well what to do... So, farewell to them
Post #5, 14 Mar 2006, 08:55 PM
No comments, Group: Admin, Posts: 31641, Joined: 8-July 05, Member No.: 121
for your attention though, should i ever see any greek admin (that had been warned of security holes as serious as the shoutbox exploit) not doing anything to secure his board... he asks for it !
Post #6, 7 Jul 2006, 06:43 AM
Administrator, Group: Admin, Posts: 111571, Joined: 3-June 05, From: Athens, Greece, Member No.: 1
and according to personal experience and some surveys i see, most greek forums are not even patched for the most common security exploits, why should the admins care to patch their boards for MODs ?
just a disaster waiting to happen