YaBB SE Community

YaBB SE Info => News From the YaBB SE Team => Topic started by: Jeff Lewis on January 24, 2003, 07:37:18 AM

Title: SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on January 24, 2003, 07:37:18 AM
For those of you using these version, please change the following in the Packages.php file.

Change:

Code: [Select]

include_once("$sourcedir/Packer.php");
// verify the user is an administrator
is_admin();


to

Code: [Select]

// verify the user is an administrator
is_admin();
include_once("$sourcedir/Packer.php");


Make sure the include comes after the is_admin() call.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: bart on January 24, 2003, 08:03:57 AM
Maby it is a little bit unnessesary but my english is not that great...

You mean al versions before the RC36??
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Peter Duggan on January 24, 2003, 08:13:00 AM
My understanding is that that is correct.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: David on January 24, 2003, 10:23:52 AM

Maby it is a little bit unnessesary but my english is not that great...

You mean al versions before the RC36??

Yes, any version of YaBBSE prior to build 36 of RC1.  This includes 1.4.x and 1.3.x.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: bart on January 24, 2003, 10:38:06 AM
Then we are on the same line.. thank you!
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: cornnuts on January 24, 2003, 02:54:49 PM
Thanks 8)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: derekmoore on January 27, 2003, 01:31:08 PM
Cannot stress the importance of this - all our servers running 1.4.x have just been hacked because of this very major hole

You MUST implement the fix now!!!

Derek
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Mike Healan on January 27, 2003, 04:15:29 PM
They got me too. Thankfully, this guy was after white supremacists and neo-nazis and not me. All he did was email my sql password to me and "suggest" I fix it before some 1337 Brazilian h4x3r 0wned me (and yes that's how he spelled it).
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Taras on January 30, 2003, 12:35:02 AM
thanks for the heads up on that... done the update :)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: sensovision on February 02, 2003, 08:53:07 AM
I was shoked when I've got message from some mail-robot with my login and pass... yesterday... so I implement all changes and start to search for forums which not yet install patch... I've saw few memberboards already hacked:( I've mail to more than 50 admins of boards affected by this... but I don't have time anymore time to do this... maybe you can send some e-mail e.g. for registered memebers or something to ask people use this security update as soon as possible? ???
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: PostDeals on February 02, 2003, 10:14:01 AM
Just updated it, t hanks, I can't believe it i didn't see this earlier.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 02, 2003, 11:31:39 AM
We sent out an announcement and posted it elsewhere as well...there is only so much we can do...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Anton on February 02, 2003, 11:44:30 AM
I fix it before some 1337 Brazilian h4x3r 0wned me (and yes that's how he spelled it).


That was probably the same group that got me, did they have anything to do with ION?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: akpcep on February 02, 2003, 11:50:12 AM
Many thanks for the heads-up. I just administered the fix.

Strangely, someone in my referrers navigated to my site by searching allinurl:yabbse in google. Scary stuff.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: tamalyn on February 02, 2003, 11:58:02 AM
hi


i am new to this, i have taken the first line out, and moved it to the line below like this

verify the user is an administrator
is_admin(); include_once("$sourcedir/Packer.php");

is that right? or do i need the black blocks in between somewhere??

sorry i am a bit of a bimbo!
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: 7summits on February 02, 2003, 11:59:25 AM
Thanks Jeff,

I just received the extra email (twice), but for all us PHP dummies out here:
What exectly happens /can happen if you don't do it?

One board I immediately changed; the other (test, on other server) I did not, but calling Packages.php or Packer.php does not do much interesting?!?

How does one get to my password if I do not fix this?

Thanks,
Harry
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: PioneeR on February 02, 2003, 12:07:44 PM
Thanks for the announcement.. i must have missed it the first time round!

I had a packer.php error in my http logs a few days ago.. (with a 404).

Anyway.. applied the fix now .. thanks
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: JRCarr on February 02, 2003, 12:07:45 PM
Quote
How does one get to my password if I do not fix this?

If you think about this, would you really want someone to tell everyone how to get into yours and everybody's board that didn't make the fix? I don't think so! :)

Jack
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: plowking on February 02, 2003, 12:10:24 PM
I can't find my packages.php or packer.php file.

I have a folder named pacakges, but no php file for it.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 02, 2003, 12:10:43 PM
No, not really. But for 7summits, I will just say a little bit (nothing specific). Packages.php contains functions for adding functionality into YaBBSE. (Big suprise). Not all functionality is good functionality. That's why you want to make sure the person is an administrator before you let anything exciting happen, and I'm going to leave it at that.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 02, 2003, 12:11:08 PM

I can't find my packages.php or packer.php file.

I have a folder named pacakges, but no php file for it.

It is in the directory "Sources", and the file is Packages.php
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: kev on February 02, 2003, 12:11:50 PM
Packages.php is under the Sources directory.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: sensovision on February 02, 2003, 12:12:54 PM
hi probably it was someone of us... me and my friend  yesterday search for YaBB which didn't apply patch yet and send mails to admins, sorry if we scare you but better to be scared but informed before hackers do this for you... :(

also some posted about ION I saw few boards with huge letters of saing that site was hacked :-\ Seems that hackers was faster in this case... sorry about this :(

Many thanks for the heads-up. I just administered the fix.

Strangely, someone in my referrers navigated to my site by searching allinurl:yabbse in google. Scary stuff.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: akpcep on February 02, 2003, 12:15:34 PM
I hope it was you!

Thanks for your vigilance.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: darqueaynjil on February 02, 2003, 12:31:53 PM
the first time I tried to come to the page, it said that there was a forum error or something.  Today I got 3 more e-mails about it so I came on......good thing I did it appears.

changed the code-  hopefully I won't have any problems.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: NV on February 02, 2003, 12:35:57 PM
I recently also was confronted with some hacks of my board. I guessed the problem was the fact that my folders had to wide restrictions (777).

After I chmod them to 755 the problems were gone (and Yabbse still worked  ;)). A hacker managed to place a new Administrator.php resulting in strange behaviour of the board.

Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: kkozma on February 02, 2003, 01:00:18 PM
Yep, I got that email yesterday..  I searched fpr the update and found that security mod but half of it didn't work, so I just applied this mod.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: TurboXS on February 02, 2003, 01:12:21 PM
Hi,

I changed that stuff in my board, too.
Thanks for the warnings.

But, honestly, do you think that more than 9 e-mails are necessary? I stopped counting after the 9th one :-\

Regards
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 02, 2003, 01:20:38 PM
^ more than 9   ???


ONE IS ENOUGH!!!

Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Daniel D. on February 02, 2003, 01:27:28 PM

^ more than 9   ???


ONE IS ENOUGH!!!



Not for some people here...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: maobe on February 02, 2003, 01:30:30 PM
FIXED! thnx for the info!  :D
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 02, 2003, 01:30:48 PM
(like i said on one of the other threads that got deleted)

one is enough.. if u notice a board hasn't updated it means the admin is out doing something. not everyone lives on the internet...

i came home earlier to 5 emails and i'd only been gone 3 hours... i fixed my board right away... only to get 4 more emails
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: PioneeR on February 02, 2003, 01:39:40 PM
I thought I had got popular at first!

I am glad of the first email.. if it takes 10+ to get everyone safe.. i can live with that too  ;D
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 02, 2003, 01:42:07 PM
Thats BS.. one is enuf.. anymore is just spam.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jan Houtsma on February 02, 2003, 01:45:06 PM
wtf with all these messages.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: -Napalm- on February 02, 2003, 01:46:56 PM
I noticed that in the extra emails the thread ID kept increasing with each email... so possibly a bug with the notification code here on YaBB SE?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Ben_S on February 02, 2003, 01:52:59 PM
Gotta love it the way people are quick to call anything spam these days.

Ok so 10 is a bit excessive, but it wasnt intentional so stop moaning, if you dont like getting 10, then opt out  ::)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: BrudaSwen on February 02, 2003, 01:53:21 PM
THX!
I just came home and saw 5-Mails on that old E-Mail address!
So I thought, that it is very important and I fixed it!
THX!
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: edlomon on February 02, 2003, 01:58:44 PM
i got 7 about this error and i quickly fixed it b4 nething serious happened to my site/or the server its on. luckly i got it fixed.b4 any harm happened.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: baldrick on February 02, 2003, 01:58:59 PM
Thanks for the heads up!
Fix in place.
And I agree, 9 e-mails is a small price to pay  :-*
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 02, 2003, 02:02:53 PM

Gotta love it the way people are quick to call anything spam these days.

Ok so 10 is a bit excessive, but it wasnt intentional so stop moaning, if you dont like getting 10, then opt out  ::)


not at the risk of missing another of these announcements.

unfortunately.. this now many cause people to do so and therefore miss future announcements of this type.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Mr Slabi on February 02, 2003, 02:04:27 PM
    10 Emails here and it doesn't bother me at all...It lets those lazy people that never fix their boards know just how important this fix is.
   Thanx for the heads up...I am useless at php and would have never known untill it was too late. Repairs made.

Slabi
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Killer Possum on February 02, 2003, 02:13:05 PM
WOW all these people got around 10 e-mails and I got only 2, feeling a bit unloved here :P
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Ben_S on February 02, 2003, 02:14:42 PM
I've seen it all.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Aquilo on February 02, 2003, 02:15:41 PM
Honestly don't care but I was wondering way I got 9 emails!?

I keep outlook express open all the time and kept getting the chime for new email every 20 minutes, I had fixed it yesterday when I installed YaPP for the first time and went to there boards to post my own problem.

But I think everyone should have there board fixed except for the noone@nowhere.daa emails you should be getting allot of bounced emails :-\
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: David on February 02, 2003, 02:25:43 PM
I got nine of them and do not care.  As you can see, THIS IS IMPORTANT!!!!  Apply the fix, if you need help applying it contact me and I will try to help.

Attached is a fixed Packages file for 1.4.1.  Rename it to Packages.php and upload it.  I did this for those who do not wish to modify their sources by hand.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: drinkitbitch on February 02, 2003, 02:35:53 PM

Thats BS.. one is enuf.. anymore is just spam.


I disagree.

Like you said yourself, not everyone lives on the internet. Just because you happened to fix the error after only 4 emails, doesnt mean everyone else did as well.

Maybe 9 was a bit excessive, but had they only sent one, I more than likely would have ignored it. I often ignore announcements, but the fact that there were nine made me very curious.

They seem to think this is a major issue that everyone needs to fix and just one email wont get everyone's attention, but 9 definitely or hopefully will.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 02, 2003, 02:39:22 PM
naww sending the same thing multiple time is just ignorant IMO.

one is enough... and my previous comment was meant to highlight that it may not be ignored because of '1' email but because people might not read their email for a day.

now... whats even more dumb now is that when u read one of these these other emails the actual post has been deleted... so u end up with a "topic does not exist error" ... ummm duh!!!

Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: David on February 02, 2003, 02:40:54 PM

naww sending the same thing multiple time is just ignorant IMO.

one is enough... and my previous comment was meant to highlight that it may not be ignored because of '1' email but because people might not read their email for a day.

now... whats even more dumb now is that when u read one of these these other emails the actual post has been deleted... so u end up with a "topic does not exist error" ... ummm duh!!!

I think you have expressed your dislike of recieving 9 e-mails enough in this thread.  Let those that may need help with this fix speak without the constant flaming.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 02, 2003, 02:41:23 PM
actually.. i just realised deleting those topics has done more harm because someone reading their email would most likely read the newestt one and see topic doesnt exist.. would they be patient enough to check all nine  - or whatever figure we end up at?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 02, 2003, 02:42:52 PM


naww sending the same thing multiple time is just ignorant IMO.

one is enough... and my previous comment was meant to highlight that it may not be ignored because of '1' email but because people might not read their email for a day.

now... whats even more dumb now is that when u read one of these these other emails the actual post has been deleted... so u end up with a "topic does not exist error" ... ummm duh!!!

I think you have expressed your dislike of recieving 9 e-mails enough in this thread.  Let those that may need help with this fix speak without the constant flaming.


only answering replies to my earlier questions  ::)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Compuart on February 02, 2003, 02:48:29 PM
Yes, something went wrong with the announcement script here. I've applied some fixes, and the mail sending seems to have stopped.

We sincerely apoligise for the inconvenience this has caused.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 02, 2003, 02:52:54 PM
ok thats cool.

Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Mike Healan on February 02, 2003, 03:04:53 PM
Jeez... Get a grip. With as many registered users as there are, do you really think they intended to send 10 of the same email to everyone? It's obviously a bug or a glitch. Report it and be done with it.
Considering how serious this is, I wouldn't care if the server burped and I got 100 of them. Some damned hacker emailed my password to me. If he had decided he didn't like me, all the warning I would've gotten would have been an emptied sql database.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: UNICRON on February 02, 2003, 03:22:41 PM

Jeez... Get a grip. With as many registered users as there are, do you really think they intended to send 10 of the same email to everyone? It's obviously a bug or a glitch. Report it and be done with it.
Considering how serious this is, I wouldn't care if the server burped and I got 100 of them. Some damned hacker emailed my password to me. If he had decided he didn't like me, all the warning I would've gotten would have been an emptied sql database.


agreed
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: yensid4him on February 02, 2003, 03:44:09 PM
Hey I appreciate the 9 emails I got... I'm one of the ones that might have ignored just one announcement email, but having 9 made me decide it was pretty important.  I did get the "topic doesn't exist" message but navigated my way over here to this one just fine...

Also wanted to say thanks to whoever included the packages.txt file with the fix for download... I'm a good coder, but I also like to save time whenever possible!

One suggestion for those setting up new boards... my board didn't get hit by a hacker, nor did I get an email with my password in it, perhaps due to the fact that when I installed my board I changed the directory name from "yabbse" to "msgboard" ... hackers wouldn't be able to search the web and come across my board as easily based on the url alone.

- holly
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 02, 2003, 03:48:09 PM
I apologize for the multiple emails but really is it worth bitching over? We sent out an announcement for this before and apparently not everyone thought it was important enough to apply the fix.

If the little problem with the extra emails saves at least one persons forum I'm fine with that.

I sent the announcement and left to visit my parents, my apologies to those that were so angered by a few extra emails in the inbox and my thanks to those that were understanding.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Snoopy_5 on February 02, 2003, 04:04:22 PM
Jeff I just wanted to say thanks for sending out the word about this fix a second time.  Without this notice I would still be exposed.

I am one of the ones who didnt bother to change or fix my site after the first message, mainly because I didnt get the first message.  I did get the multiple messages this morning though,which didnt bother me except to press the urgency of the matter.

Keep up the good work
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 02, 2003, 04:16:04 PM
Thanks Snoopy. Not sure why Overseer is so mad...his messages table got seriously corrupted this week and he should ask Corey who was helping fix it...so a few extra emails by accident shouldn't be too hard to swallow :)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: TurboXS on February 02, 2003, 04:36:19 PM
:-\

I feel terribly sorry for mentioning the multiple message stuff.

Keep up the great work with this board software.

Regards
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 02, 2003, 04:38:08 PM
Don't feel terrible, it was an accident on our part and our fault. It can be annoying but some people are acting like their life is going to end because they received an email about a security fix 7-10 times...

Just make sure you patch your install ;)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Sergio on February 02, 2003, 04:38:35 PM
Thanks for the advise, I have fixed it.

I'm glad that there were 9 or 10 emails, because I use some strong email filters, and the filter program has considered them as spam, as (I think) "sent to nobody".

But with nine equal subjects in the report I have noticed them.

Uuuhhh, pherhaps I'm not so clear  ;), however...

THANKS !  :D
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 02, 2003, 04:52:07 PM

Thanks Snoopy. Not sure why Overseer is so mad...his messages table got seriously corrupted this week and he should ask Corey who was helping fix it...so a few extra emails by accident shouldn't be too hard to swallow :)


umm unrelated but.. i'm very grateful to him and I will continue to bring him customers (4 to my knowledge so far).

lol jeff i'm not mad. i was just saying that (before it was pointed out it was a bug) it was weird to have those mails and  if it were on purpose that I thought it was out of order.  am just shocked that some people think thats a legit way to highlight the issue to people and that they'd leap to defend such an action.

now for some irony ;)

just an idea. but it might be a good idea to do one more which explains about the email problem and the security fix because of those 'bad mails' which lead to a now deleted post.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: sensovision on February 02, 2003, 05:05:58 PM
It's nice to see that many people to pay attention to fix now, so I believe that this bug in this case were good as it's force people to pay attention for security measures... I carefully read all anouncements but I didn't get this announcement... maybe it was becasue it's sended less or more in the time when problem have major slowdown across the web due to worm attack, so anyway I'm sure that I didn't get first announcement and second was from some person who I never heard about...
so I believe 10 or more mails is good price to pay for saving you and your members from hackers attacks.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 02, 2003, 05:07:30 PM
Yes, I've heard from at least 12 people already that ignored the first announcement on this...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: acf [delete me]! on February 02, 2003, 05:29:41 PM
I've pluged the hole :D

thanx yabb team  8)

And stop spamming in this tread about the many mails you get. Beter to have a lot of mails then to have board that is cracked.

peace  ;)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: UKA_Bart on February 02, 2003, 07:42:18 PM

If the little problem with the extra emails saves at least one persons forum I'm fine with that.

I agree. Send me as many warningmails as you (or your script :-)  likes. I don't mind. As long as I'm warned about something that potentially makes me lose my forum all together.

Thanks!  ;)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: phark on February 02, 2003, 08:05:50 PM

Thats BS.. one is enuf.. anymore is just spam.


On something this important, I don't mind getting 10 emails.  Stop your crying.   :P
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 02, 2003, 08:30:34 PM
Just out of curiosity Jeff, was this a bug in NotifyUsersNewAnnouncement() that we all need to patch our installations for, or was this some outside script you coded to do announcements for YSE? (i.e. do I need to worry about infinite looping on my board, or is this a script not a part of YSE?)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 02, 2003, 08:35:07 PM
I'm still trying to see if anyone messed with the announcement script. It was fine during our last announcement but we knew it needed work so someone may have screwed with it...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: eknee on February 02, 2003, 09:32:59 PM
I've been hacked by this.  I've made the update to Packages.php, but is there anyway to recover the database?

Where other user names and passwords in the MySQL database exposed?

Thanks,
Eric
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Alex Rolko on February 02, 2003, 09:35:27 PM
passwords are encrypted, so all passwords were safe.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: eknee on February 02, 2003, 09:43:31 PM
Ok.  Thank you.

In case you're collecting this type of info, here's an entry from my log file...

200.181.183.199 - - [02/Feb/2003:15:26:16 -0800] "GET /modules/forum/index.php H
TTP/1.1" 200 5984 "http://www.google.com.br/search?q=Powered+by+YaBB+SE+site:.or
g&hl=pt&lr=&ie=UTF-8&start=180&sa=N" "Mozilla/4.0 (compatible; MSIE 5.0; Windows
98; DigExt)"
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 02, 2003, 09:46:00 PM
The same idiots going around and abusing this exploit...this is why we posted an announcement about it when it first came out...sadly not everyone has patched up.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Ichiban on February 02, 2003, 10:20:59 PM
Thanks for the update guys. Didn't mind the extra emails at all. Extremely small price to pay IMHO.

I kind of doubt my little personal board was exploited, but is there anything in particular that might indicate it was owned? Something in the access log perhaps or a likely modification that might be made via this vulnerability?

Just want to make sure everything is OK now that it's been patched. I think I understand what the hole was about, but I don't have a feel for the limits of the damage that might have been done.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Ratman on February 02, 2003, 10:26:18 PM
Hey, I just fixed my 1.4.1 board and now I'm getting an error within the Admin Center, right on top of the Forum Preferences and Settings section I get a message: "Failed to make backup of Settings.php" which wasn't there before -- e.g. about 30 seconds before uploading the patched file. Has anyone got such an error or is it just me? ??? Maybe I should upgrade to 1.5, but anyway...
Well, and I got 9 mails too, I think it's better safe than sorry! :D
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Alex Rolko on February 02, 2003, 10:33:46 PM
just chmod your directory and files again.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: eknee on February 02, 2003, 10:35:48 PM
I've just looked at my database and it seems fine.  What did this hacker do?  

And more importantly, what can I do to fix it?

Best,
Eric
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Peter Crouch on February 02, 2003, 11:00:22 PM
Well considering I usually ignore most announcements the 9 emails pricked my interest enough to actually check it out, and heaven forbid, POST!!  :o
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 02, 2003, 11:15:22 PM
Hehe welcome back for if even for a few moments ;)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 02, 2003, 11:17:51 PM
For any of you that HAVE been hit by this, if you have access to your logs and can send me a block of them where the person did something stupid, please do send them my way...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Patty on February 03, 2003, 12:57:33 AM
Actually, I'm wondering the same as eknee ... I saw the "google" search and that IP in my logs on Friday, but nothing screwy happened to the board. I applied the patch, but what, if anything, did the hacker do beforehand?

Oh, and I've no problems with the multiple emails -- except that the link displays a blank page when I click it. Regardless, the multiple emails just drove the "UPGRADE NOW OR ELSE" point home. Thanks for letting everyone know about this.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: rickc on February 03, 2003, 04:02:22 AM
what can they do to your board with this "leak"??
???
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: [Unknown] on February 03, 2003, 04:08:40 AM

what can they do to your board with this "leak"??
???


Anything and everything they want.

-[Unknown]
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Alan Roy on February 03, 2003, 05:47:55 AM
What exactly did this fix fix?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: sensovision on February 03, 2003, 05:54:14 AM
people if you get click from Google with keywords "Powered by YaBB SE" and nothing happen don't worry it was me(if you got member phoenix it's also me) or Mike, we just searching for forums check them for error and send alert e-mail to admin if forum was in danger we don't use info for anything more I give you my word. just ask your members if possible to change passwords as security measure it's good idea to change passwords from time to time anyway. and sorry once again if we scare anyone.
Actually, I'm wondering the same as eknee ... I saw the "google" search and that IP in my logs on Friday, but nothing screwy happened to the board. I applied the patch, but what, if anything, did the hacker do beforehand?

Oh, and I've no problems with the multiple emails -- except that the link displays a blank page when I click it. Regardless, the multiple emails just drove the "UPGRADE NOW OR ELSE" point home. Thanks for letting everyone know about this.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: tricky on February 03, 2003, 06:55:19 AM
Hi jeff, its tricky from mp3dreaming, i'm afraid we were too late and like countless others we were hacked yesterday! the good news is that our host is also one of our admins and has the server logs! they deleted everything! luckily we have restored a server backup which took only a few minutes! i think this was passed around as the hackers that did us were hollandfxp, the real good news is we have all the details of the hacker from the server log, he was a member of our board and didn't even connect through a proxy? i was wondering what everyone else that got hacked is planning to do about it?

tricky
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 03, 2003, 06:58:14 AM
Sorry to hear that...and from a member? Ugh, that bothers me so much...care to send a log block to me to look over?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: tricky on February 03, 2003, 06:58:53 AM
hi jeff, its tricky from mp3dreaming,
we were not so lucky and got hacked yesterday! we have all the hackers details from the server logs, our host is also an admin on the board! the hackers were posting rammell about hollandfxp but is probably just a rouse? what are the rest of the ppl who got hacked doing about it?

is there someone collating ip info etc... the guy that hacked us was also a member of the board so we have a little history?

tricky

Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 09:54:33 AM
There are still some people who have not yet applied the patch :(...

Jeff, perhaps you should add something into the .xml file that displays when you go to the admin center? Not all users of YSE are members of this board, but most will see the news in the .xml file displayed in the admin center...

edited for clairty
Title: Re:The Boys from Brazil
Post by: Reverend Spalding on February 03, 2003, 10:21:38 AM
Looking around at the Nuke community and they too have been hacked by a group of hackers in brazil. Looking for NeoNazis? I thought all of the NeoNazis migrated to Brazil? There's a good discussion on http://www.computercops.biz/ and one guy just decided to update his .htaccess file to deny all of Brazil. I like that idea, because it appears from the thread that the offenders have the cooperation of their hosting IP.
Title: Re:The Boys from Brazil
Post by: Overseer on February 03, 2003, 10:39:11 AM
Looking around at the Nuke community and they too have been hacked by a group of hackers in brazil. Looking for NeoNazis? I thought all of the NeoNazis migrated to Brazil? There's a good discussion on http://www.computercops.biz/ and one guy just decided to update his .htaccess file to deny all of Brazil. I like that idea, because it appears from the thread that the offenders have the cooperation of their hosting IP.

damn.. i never knew that was possible. anyone have a reference they can point me to on this? i have an ex-member i'd like to stop browsing the board full-stop.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: kkozma on February 03, 2003, 10:47:23 AM
Just thought I'd chime in once more to tell people how serious this is.  I have two SE installations and they both got hit.  Some joker uploaded a friggin porno gallery inside both yabbse directories using the exploit.  Not cool, especially since both sites deal with volkswagens.  

What made it exceeding difficult is for what ever mind numbingly STUPID reason, my ISP has chown disabled, so I couldn't even take ownership of the files to delete them... >:(
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Omar Bazavilvazo on February 03, 2003, 11:17:36 AM
Let's hope ppl now applies the patch, and not like the last announcement...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Omar Bazavilvazo on February 03, 2003, 11:18:00 AM
Let's hope ppl now applies the patch...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Taras on February 03, 2003, 01:13:09 PM
Jeff as  Agelmar, said can all future security alerts show up on the admin centre :)

Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Omar Bazavilvazo on February 03, 2003, 01:20:59 PM
Jeff as  Agelmar, said can all future security alerts show up on the admin centre :)



that would be cool to do, also
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 03, 2003, 04:07:18 PM
I'm working on a way to notify people yes, a neat little feature if you will :)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 06:02:46 PM
That's all well and nice, but perhaps until that is complete you could add it to the .xml file? :-)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 06:06:11 PM
Hmm, that's really odd. While posting the previous message, I got the following.

Unknown column 'memberName' in 'where clause'

Is someone working on either the db or sourcecode live, or do you have a more serious problem going on?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 06:07:34 PM
Same thing again - it posts the message, but somewhere in action=post2 it's crapping out, saying "Unknown column 'memberName' in 'where clause'". It posts it, but this is most disconcerting.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Killer Possum on February 03, 2003, 06:09:32 PM
I'm not having any problems on my side 8)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Killer Possum on February 03, 2003, 06:11:18 PM
Nevermind  :-\ just got it:

Unknown column 'memberName' in 'where clause'

hmmm....
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 03, 2003, 06:31:14 PM
I'll try to hunt it down guy, I looked earlier but had no luck.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Doomfalcon on February 03, 2003, 06:46:43 PM
I normally don't pay attention to announcements, but this 9-in-a-row thingy really got my attention - thanks for the info guys.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Doomfalcon on February 03, 2003, 06:48:02 PM
And I'm having the same problem with posts - The message posts, but I have the same error message.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 07:15:42 PM
It seems to be working for me now. I just posted a test message (and subsequently delted) in the German help forum, no problem.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 07:16:29 PM
OK, I did not have a problem making a new thread in the German forum, but I just got the same error when replying to this thread. I am going to make a new thread on this board to test, will report back.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 07:17:37 PM
Got the error on last post. BTW, crap, I just realized I can't post on this board... I am going to do some testing over in german board, will report back. (If you make me mod or something I will do a test on this board. I have a feeling it is specific to this board, but I cannot confirm that...)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 07:22:56 PM
Most odd, but I only seem to get that error when replying to this thread. I made a new thred in the german forums, no problem, replied to that, no problem, then I replied to some random threads on this board, no problem, but when replying to *this* thread I get the error.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 07:24:27 PM
Perhaps of note so you can figure out where the problem is: On the error screen, I get:

Unknown column 'memberName' in 'where clause'

I then click "Home", and it shows the News from Team board as having a new message (light blue icon). Click on the board, and it does *not* show this thread as being new. So somewhere inbetween the actual insertion of the post into the MySQL db and the updating of which threads/boards are read for the user, there is something wierd going on.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Killer Possum on February 03, 2003, 10:03:20 PM
I'm having the same issues, it only happens on this thread... all the other ones work fine but thisone... not keep getting the error. I'm no expert but I would say it has something to do with the fact that this is an announcment board and us "regular users" cannot start topics. But again I'm no expert :-/
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 10:06:36 PM
That it is an announcement board may or may not have something to do with it. I can reply fine to other threads on this board. It is most curious, but also rather hard to troubleshoot. What I find interesting is that moderators / admins do not seem to be experiencing the trouble in this thread. Might be interesting to see if a regular user who has trouble doesn't have trouble after becoming a moderator, but then again, it might not ^-^.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Killer Possum on February 03, 2003, 10:09:51 PM
I would glady become a moderator to test it out for you guys ;D
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Michele on February 03, 2003, 10:11:38 PM
Just wondering if we'll all see that error.

TEST

UPDATE: NO ERROR FOR ME
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: [Unknown] on February 03, 2003, 10:19:36 PM
Yeah... ermm.. guess I should have said something.

I fixed it ;).

-[Unknown]
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Killer Possum on February 03, 2003, 10:21:52 PM
If I don't edit this messege then yes you have ;D
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Killer Possum on February 03, 2003, 10:23:08 PM
Out of curiosity, what was wrong?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: [Unknown] on February 03, 2003, 10:47:04 PM
A few minor changes needed to be amde to the ignore topics mod...

-[Unknown]
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Agelmar on February 03, 2003, 10:59:35 PM
It would certainly be nice to know the fix so we can fix it on our boards (if necessary)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Gobalopper on February 04, 2003, 12:08:49 AM
Ignore topics isn't installed by default, its a mod by Joseph I think.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Omar Bazavilvazo on February 04, 2003, 01:09:50 AM
Ignore topics isn't installed by default, its a mod by Joseph I think.

/me nods

no1 has it by default

ja ne!
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Joseph Fung on February 04, 2003, 02:31:31 AM
Ignore topics isn't installed by default, its a mod by Joseph I think.
That would be correct :)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Swatdog on February 05, 2003, 01:38:09 AM
Well, i guess i was one of the lucky ones. I didnt get hacked!

 Thank god i was reading this topic. And thank god we found this out. :P

-Swatdog
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: junomat on February 05, 2003, 02:34:36 PM
some of my users are complaining of this error.

has anyone else had this problem and/or know of a solution?

thanks,
mat

(http://207.230.156.93/omerror.jpg)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Daniel D. on February 05, 2003, 02:41:34 PM
Yes, quite often here on yabbse.org.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: junomat on February 05, 2003, 02:50:09 PM
is there a solution?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: David on February 05, 2003, 02:54:02 PM
is there a solution?
It has nothing to do with this security fix.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: junomat on February 05, 2003, 03:15:18 PM
is there a solution?
It has nothing to do with this security fix.

it started happening after i upgraded to this fix.

Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Gobalopper on February 05, 2003, 03:21:00 PM
Well your sessions will eventually timeout. You could try extending the length of sessions in php.ini.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: rickc on February 05, 2003, 07:27:04 PM
This brings up another question....

What version is this board here??

I run 1.41 with the   Expand Collapse
mod that yipsir (I thinks thats his name)
wrote. How long should I wait b4 upgrading??


Thanks in advance RickC
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 05, 2003, 08:14:55 PM
This forum is running 1.5.1 with the latest RC.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: ax2graphics on February 10, 2003, 11:38:27 AM
Hey guys.. my site was hacked over the weekend.. I just NOW found this thread... (figures).

Anyhow, I went to apply the fix, and see that the file to be updated doesn't exist in my SOURCES folder...

Ideas?

Thanks!

- A
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Daniel D. on February 10, 2003, 11:41:19 AM
There are 3 more folder...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 10, 2003, 11:43:53 AM
Check in the root folde of your install for that file. Also, you'd be best off upgrading to the newest version.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 10, 2003, 11:56:36 AM
It's amazing how rude people can be...I went to a site that was hacked suggested to upgrade to fix it and got this reply:

"Your logic = screwed the f up"

Yes, lovely :)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Omar Bazavilvazo on February 10, 2003, 12:05:18 PM
It's amazing how rude people can be...I went to a site that was hacked suggested to upgrade to fix it and got this reply:

"Your logic = screwed the f up"

Yes, lovely :)

Remember is OUR fault, they didn't came here after receiving 10 emails, and never applied the fix....

/me is being sarcastic...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: ax2graphics on February 10, 2003, 12:54:24 PM
I blame no one but myself....!

Just to make sure THIS was the problem.. is it possible that through this hole, the hacker could replace my index page? Now, keep in mind, none of my MySQL passwords OR usernames are duplicated throughout my site configuration.

Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 10, 2003, 01:12:39 PM
Yes they could and that's how they replaced our index page here before we fixed it here  :-X
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Alex Rolko on February 10, 2003, 01:28:28 PM
Were really annoyed with these people who are hacking these forums.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Spaceman-Spiff on February 10, 2003, 03:31:31 PM
I run 1.41 with the   Expand Collapse
mod that yipsir (I thinks thats his name)
wrote. How long should I wait b4 upgrading??

wait no more: http://www.yabbse.org/community/index.php?board=158;action=display;threadid=12045
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: luisr on February 11, 2003, 07:27:45 PM
Hi there!  I just got this e-mail from my web host:


Quote
Hello,

Recently we have become aware of a security risk to your hosting account and web site.  Your site is using a bulletin board system called YaBB SE.
This software causes your web site to become vulnerable to outside attack and would allow a malicious user access to the server to modify or even erase all content on your site, including email and log files.  Some of our customers have already been attacked.
We are aware that the publisher has recently released an updated script for this program, however we are not sure that this new release has resolved the security issue.  Therefore, we strongly recommend that you take down your bulletin board system until this security issue has been resolved.

For more information regarding this issue, please visit:
http://online.securityfocus.com/bid/6663/info/

To go to the publisher's site, visit:
http://www.yabbse.org/

Please let us know if you have any further questions or problems.


Sincerely,

Justin
TierraNet Support
support@tierranet.com
---------------------

They say that they are not sure that this vulnerability has been fixed by the patch.  And they are suggesting me to take down my board.  I replied telling that I can not take it down just like that but I removed the Packages.php script as a temporary solution.

I have never dealt with this packages thing and the board seems to run normally without this script.  Is this temporary solution good enough?  I am waiting for the official 1.5.1 release before I update.  My board currently runs 1.3.1.

By the way, the suggestion way many message ago about using the XML file for this kind of announcement in the admin area won't necessarily work for everyone.  I don't visit my admin area often.  The e-mails did the job quite well.

Finally, I will suggest something that may offer some degree of protection, at least from hackers using search engines from finding your board.  There is a way to tell search engine spiders and robots what places in your site are off-limits and should not be indexed.  This is done by putting a file called "robots.txt" in your root web directory.  This file contains a series of instructions that tell spiders and robots not to look at specified directories within your web site.  It looks like this:

User-agent: *
Disallow: /cgi-bin/

The first line means that this robots.txt file is means for all user agents (hence the *).  The second line means not to look into the contents of directory cgi-bin.  You add one of those for every single directory you wish to prevent from being indexed by spiders and robots.  My sites have these disallowing folder containing information that can be harvested by spammers such as e-mail addresses from guestbooks and discussion boards.

Just put your YaBB SE directory into one of those and this will at least make it harder for hackers to find your board by just using a search engine.

Of course, this has a cost.  If you DO REALLY WANT that your board appear in search engines, then this is not a solution.  In my case, having the root site URL appear in most search engines is enough for me.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: firewired on February 11, 2003, 08:07:43 PM
Yup, I'm expecting a similar message from my host soon regarding YaBB SE. PinoyDVD.com was hacked yesterday and it felt like we were playing ping-pong with the "invaders" before we learned about and were able to upload the patched file. The front page was changing every 5 minutes! Everytime we'd correct it, they'd immediately hack it.

My host ended up having to reboot the server to keep them out. They were as worried as we were, probably more so because they weren't familiar with YaBB SE.
Title: Mass deface
Post by: mikkom on February 12, 2003, 02:30:15 AM
I have been studying my logs and it seems obvoius that these crackers are using a mass deface program that automatically searches for yabb boards and defaces them.

Visit http://www.vulnerabilidades.hpg.ig.com.br/index.html
I haven't unpacked those packages but you can propably find the code that attackers used there.

Also, a php terminal and another backdoor was installed to my computer after an attack,  for more information visit http://www.madmonkey.net/page.cgi/index?areaID=100&newsID=439

the attacks came from dialup of brazilian web operator, I sent them notification about attack but no replies..
 >:(
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Michele on February 12, 2003, 11:54:58 AM
At this point, I'm backing up my site everyday, including the database. My logs show someone's been trying to get in for the last 4 days, but so far, so good... don't think it's' the Brazilians though. ;)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: PioneeR on February 12, 2003, 01:57:12 PM
I have had a few weird errors in my logs also... someone seems to be trying to get access to the admin account. I just ban the IP just in case.

Have applied the fix last week.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 12, 2003, 02:06:34 PM
People really should be repairing their installs or there is a very strong possibility of being hacked, this is why we announced this several times aready.

I guess we have to thank Matt Siegman for this hole ;)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: gingerfire on February 12, 2003, 05:26:01 PM
I'm a registered user of YaBB SE, but I never received an email about the security fix.  Fortunately, I was still trying to get the board up and running, so there was no link to it from my website and I was checking the forum often (1st board).  

But please be aware that not all registered users received an email for whatever reason.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: oldford on February 19, 2003, 12:34:18 AM
Should this fix maybe be implemented in all the files in the download section? I just upgraded to 1.4 and still had to make this fix by hand. Wasn't a big deal and only took a second, but I almost didn't check because I assumed that it would have been fixed.

Just a thought.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Spaceman-Spiff on February 19, 2003, 12:41:54 AM
a better way is to upgrade to 1.5.1RC1
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Dude on February 19, 2003, 03:47:51 AM
a better way is to upgrade to 1.5.1RC1

uh huh cept on the the download page it says:

We are currently in an open beta test of version 1.5.1RC1. The download location and current build can be acquired here. Please note that version 1.5 is now termed "experimental". If you are installing a fresh copy of YaBB SE, please install version 1.4.1 or 1.5.1RC1.

so since folks are being encouraged to download 1.4.1 I agree with oldford. It shouldn't be that hard to apply the fix and repackage the download.

and btw, I think you may need a little sun......... ;D
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Peter Duggan on February 19, 2003, 04:00:12 PM
Should this fix maybe be implemented in all the files in the download section?

While I can see where you're coming from here, surely changing previous versions retrospectively stops them being what they purport to be?

so since folks are being encouraged to download 1.4.1 I agree with oldford.

But this also makes sense, so perhaps the download version of 1.4.1 should be 'rebadged' somehow? :)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Spaceman-Spiff on February 19, 2003, 04:22:07 PM
if u're using 1.4.1, u can apply this mod: http://www.yabbse.org/community/index.php?board=158;action=display;threadid=12512
and "everything" will be fixed
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jaxom on February 19, 2003, 08:04:09 PM
Unfortunately, I've been added to the list of people that got nailed by this, got hit yesterday. For some reason  (no doubt my end, probably my spam filter!) I never got notified of any security holes - and I don't check this board that often, don't need to. D'oh!

From the access logs, I have a webserver in brazil which was was used to nail me. They altered the front page, and deleted one of my yabbse folders. I've taken the site down while I do repairs, alter passwords et al.

If anyone wants my access logs, or info from the board itself in order to build evidence or somesuch (they appear to have left the sql database intact) they're more than welcome, and my email address does appear to be working now :)

As for being hacked... well, such is life, I don't see anything more the yabb team could have done to let me know, I haven't even needed to login to the board admin for a while so even an xml update proably wouldn't have got to me.

 :-\
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: luisr on February 21, 2003, 03:47:20 PM
What about these two vulnerabilities?  I found these by searching Google with " YaBB SE vulnerability":

This one is for a vulnerability with News.php
http://www3.ca.com/virusinfo/Threat.asp?ID=14136

And this one for news_template.php
http://www.securiteam.com/unixfocus/5BP051F8VE.html
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: [Unknown] on February 21, 2003, 07:17:40 PM
Both have been fixed in 1.5.1.

-[Unknown]
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: iamdamnsam on February 24, 2003, 05:26:47 PM
Both have been fixed in 1.5.1.

-[Unknown]

Well....how do you fix them in 1.3 and 1.4?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Gobalopper on February 24, 2003, 05:33:00 PM
Check Compuart's posts in the bug boards, I'm pretty sure it has fixes for the 1.4.1 version.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: iamdamnsam on February 24, 2003, 05:49:14 PM
what about 1.3?  It doesn't list it as vulnerable on those sites.  I have tried it on my own site, and I don't see how they can get hijacked, it is only showing your own cookie.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 24, 2003, 06:08:15 PM
Using 1.3, if you're not using it, I'd delete Packages.php
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: iamdamnsam on February 24, 2003, 07:49:04 PM
Using 1.3, if you're not using it, I'd delete Packages.php

done already, but what about the other security issues?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: [Unknown] on February 24, 2003, 07:53:32 PM
Using 1.3, if you're not using it, I'd delete Packages.php

done already, but what about the other security issues?

I very much recommend going to 1.5.1 if you want full security.

-[Unknown]
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: luisr on February 25, 2003, 09:32:20 AM
I am in a similar situation, using 1.3.1 at present and waiting for 1.5.1 to be released in its final form before I upgrade.  Don't want to deal with release candidates.   Already deleted the Packages.php file.  I don't use the news feature.  Can I safely delete the other files?

By the way, I tried the one that allegedly allows stealing of cookies but as iamdamnsam said, I just see my own cookie.  But it shows a vulnerability anyway because it should not allow running scripts that way.
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: [Unknown] on February 25, 2003, 05:58:39 PM
The problem is, if you can see your cookie.... then the java script can see it.

If the javascript can see your cookie, it can send that cookie to someone else.

If someone else has your cookie, they can login to your forum - as you.

If that happens you are dead.

-[Unknown]
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: luisr on February 26, 2003, 10:17:07 AM
But that involves inserting the malicious code somehow in a message or somewhere that other users can see as well, not just me.  May be I cannot think of a way of doing it because I am not a hacker.
Title: Re:The Boys from Brazil
Post by: lilb on February 26, 2003, 01:36:25 PM
Looking around at the Nuke community and they too have been hacked by a group of hackers in brazil. Looking for NeoNazis? I thought all of the NeoNazis migrated to Brazil? There's a good discussion on http://www.computercops.biz/ and one guy just decided to update his .htaccess file to deny all of Brazil. I like that idea, because it appears from the thread that the offenders have the cooperation of their hosting IP.

damn.. i never knew that was possible. anyone have a reference they can point me to on this? i have an ex-member i'd like to stop browsing the board full-stop.
Overseer, I thought ya might find the following information useful...always glad to help out when I can.   ;)

Wanna stop file grabbing and email sucking bots?  add this to your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*NameOfBotProgramHere.*$ [OR]
RewriteRule /*$ http://botssuck!/index.html [L,R]


to deny by country:
ErrorDocument 403 http://whereveryousendyour403's/index.htm
<Limit GET>
order allow,deny
allow from all
deny from .countrycode
deny from .countrycode
deny from .countrycode
deny from .countrycode
</Limit>
ErrorDocument 404 http://whereveryousendyour404's/index.html


As for banning by IP, you can do it the same way as with the countrycodes, but I do believe you'll find that in your admin console.  (But, careful when ya do that...we accidentally banned an entire C class of IP's...oops, hehe!)  Also keep in mind that large .htaccess files put a heavy strain on the server's cpu...

Hope this helps!   8)

Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Overseer on February 26, 2003, 01:50:34 PM
wow  :)

/me rubs hands with glee.

.. damn where the devil smiley at? ;)
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: lilb on February 27, 2003, 01:34:22 AM
ya mean something like this one?  (http://138.121.52.29/contrib/ruinkai/flame.gif)  LOL!
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Chris Cromer on February 27, 2003, 01:42:53 AM
There is a hidden smilie built into SE. Type in certain characters and it appears:

 >:D
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: lilb on February 27, 2003, 02:00:11 AM
ahhh, and my curiosity is now piqued...
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: Jeff Lewis on February 27, 2003, 07:00:53 PM
Yep again, a way to stop that spider searching for the Packages.php file:

.htaccess file
AllowOverride None
order allow,deny
deny from all

<Files .htaccess>
order allow,deny
deny from all
</Files>

<Files Packages.php>
order allow,deny
deny from all
</Files>

The first one is more than efficient BUT I was able to still get to the script the second set wont allow a hacker to read the .htaccess file

The third blocks access to the script itself and this fourth one If people have accesss to there raw Apache logs they
can run this

By the way these are crackers in this list.

order allow,deny
deny from 66.147.154.3
deny from 200.221.142.107
deny from 200.180.112.60
deny from 200.228.23.130
deny from 212.159.68.103
deny from 64.140.49.66
deny from 213.241.68.46
deny from 200.149.32.101
deny from 66.109.34.67
deny from 68.36.170.254
allow from all
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: iamdamnsam on February 28, 2003, 04:36:33 PM
I very much recommend going to 1.5.1 if you want full security.

-[Unknown]

That is not an option till a very stable release that is worth the effort for me to hack is out.  My board is exrememely modded, and not with basic mods, almost all mods are custom. I have many features related to my site that run off of YaBB's template system and member base.

So every version before 1.51 is open to hackers?
Title: Re:SECURITY FIX! Users using any version prior to 1.5.1
Post by: [Unknown] on February 28, 2003, 05:11:12 PM
I very much recommend going to 1.5.1 if you want full security.

-[Unknown]

That is not an option till a very stable release that is worth the effort for me to hack is out.  My board is exrememely modded, and not with basic mods, almost all mods are custom. I have many features related to my site that run off of YaBB's template system and member base.

So every version before 1.51 is open to hackers?

Yes.  Please apply as many of the fixes as you can manage.

-[Unknown]
Title: Re:Security Fix! Users using any version prior to 1.5.1
Post by: Tilton53 on May 06, 2003, 12:36:23 AM
How the hell did the fact that the isadmin came after include let hacker into the website.
Title: Re:Security Fix! Users using any version prior to 1.5.1
Post by: [Unknown] on May 06, 2003, 03:24:14 AM
How the hell did the fact that the isadmin came after include let hacker into the website.

Sorry, can't say.  And I'll delete anyone's post who tries.

-[Unknown]
Title: Re:Security Fix! Users using any version prior to 1.5.1
Post by: Tilton53 on May 06, 2003, 01:27:35 PM
Somebody pls pm me then  why it was so important I am a php newbie and this might help me later!
Title: Re:Security Fix! Users using any version prior to 1.5.1
Post by: Omar Bazavilvazo on May 06, 2003, 02:12:47 PM
just apply the fix, then upgrade to 1.5.2, and all will be working perfect.
Title: Re:Security Fix! Users using any version prior to 1.5.1
Post by: David on May 24, 2003, 12:29:22 AM
Everyone should be upgrading to 1.5.3.