SECURITY FIX! Users using any version prior to 1.5.1

[Dude]

a better way is to upgrade to 1.5.1RC1

uh huh cept on the the download page it says:

We are currently in an open beta test of version 1.5.1RC1. The download location and current build can be acquired here. Please note that version 1.5 is now termed "experimental". If you are installing a fresh copy of YaBB SE, please install version 1.4.1 or 1.5.1RC1.

so since folks are being encouraged to download 1.4.1 I agree with oldford. It shouldn't be that hard to apply the fix and repackage the download.

and btw, I think you may need a little sun.........

[Peter Duggan]

Should this fix maybe be implemented in all the files in the download section?

While I can see where you're coming from here, surely changing previous versions retrospectively stops them being what they purport to be?

so since folks are being encouraged to download 1.4.1 I agree with oldford.

But this also makes sense, so perhaps the download version of 1.4.1 should be 'rebadged' somehow?

[Spaceman-Spiff]

if u're using 1.4.1, u can apply this mod: http://www.yabbse.org/community/index.php?board=158;action=display;threadid=12512
and "everything" will be fixed

[Jaxom]

Unfortunately, I've been added to the list of people that got nailed by this, got hit yesterday. For some reason  (no doubt my end, probably my spam filter!) I never got notified of any security holes - and I don't check this board that often, don't need to. D'oh!

From the access logs, I have a webserver in brazil which was was used to nail me. They altered the front page, and deleted one of my yabbse folders. I've taken the site down while I do repairs, alter passwords et al.

If anyone wants my access logs, or info from the board itself in order to build evidence or somesuch (they appear to have left the sql database intact) they're more than welcome, and my email address does appear to be working now

As for being hacked... well, such is life, I don't see anything more the yabb team could have done to let me know, I haven't even needed to login to the board admin for a while so even an xml update proably wouldn't have got to me.

[luisr]

What about these two vulnerabilities?  I found these by searching Google with " YaBB SE vulnerability":

This one is for a vulnerability with News.php
http://www3.ca.com/virusinfo/Threat.asp?ID=14136

And this one for news_template.php
http://www.securiteam.com/unixfocus/5BP051F8VE.html

[[Unknown]]

Both have been fixed in 1.5.1.

-[Unknown]

[iamdamnsam]

Both have been fixed in 1.5.1.

-[Unknown]

Well....how do you fix them in 1.3 and 1.4?

[Gobalopper]

Check Compuart's posts in the bug boards, I'm pretty sure it has fixes for the 1.4.1 version.

[iamdamnsam]

what about 1.3?  It doesn't list it as vulnerable on those sites.  I have tried it on my own site, and I don't see how they can get hijacked, it is only showing your own cookie.

[Jeff Lewis]

Using 1.3, if you're not using it, I'd delete Packages.php

[iamdamnsam]

Using 1.3, if you're not using it, I'd delete Packages.php

done already, but what about the other security issues?

[[Unknown]]

Using 1.3, if you're not using it, I'd delete Packages.php

done already, but what about the other security issues?

I very much recommend going to 1.5.1 if you want full security.

-[Unknown]

[luisr]

I am in a similar situation, using 1.3.1 at present and waiting for 1.5.1 to be released in its final form before I upgrade.  Don't want to deal with release candidates.   Already deleted the Packages.php file.  I don't use the news feature.  Can I safely delete the other files?

By the way, I tried the one that allegedly allows stealing of cookies but as iamdamnsam said, I just see my own cookie.  But it shows a vulnerability anyway because it should not allow running scripts that way.

[[Unknown]]

The problem is, if you can see your cookie.... then the java script can see it.

If the javascript can see your cookie, it can send that cookie to someone else.

If someone else has your cookie, they can login to your forum - as you.

If that happens you are dead.

-[Unknown]

[luisr]

But that involves inserting the malicious code somehow in a message or somewhere that other users can see as well, not just me.  May be I cannot think of a way of doing it because I am not a hacker.