Author Topic: SECURITY FIX! Users using any version prior to 1.5.1  (Read 76968 times)
Dude (Guest)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #150 on: February 19, 2003, 03:47:51 AM »

a better way is to upgrade to 1.5.1RC1

uh huh cept on the download page it says:

We are currently in an open beta test of version 1.5.1RC1. The download location and current build can be acquired here. Please note that version 1.5 is now termed "experimental". If you are installing a fresh copy of YaBB SE, please install version 1.4.1 or 1.5.1RC1.

so since folks are being encouraged to download 1.4.1 I agree with oldford. It shouldn't be that hard to apply the fix and repackage the download.

and btw, I think you may need a little sun......... ;D
Peter Duggan (Global Moderator, YaBB God, Posts: 1793)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #151 on: February 19, 2003, 04:00:12 PM »


Should this fix maybe be implemented in all the files in the download section?

While I can see where you're coming from here, surely changing previous versions retrospectively stops them being what they purport to be?

so since folks are being encouraged to download 1.4.1 I agree with oldford.

But this also makes sense, so perhaps the download version of 1.4.1 should be 'rebadged' somehow? :)
« Last Edit: February 19, 2003, 04:04:03 PM by Peter Duggan »

Spaceman-Spiff (Mod Team, YaBB God, Posts: 3689)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #152 on: February 19, 2003, 04:22:07 PM »

if u're using 1.4.1, u can apply this mod: http://www.yabbse.org/community/index.php?board=158;action=display;threadid=12512
and "everything" will be fixed
Jaxom (Noobie, Posts: 34)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #153 on: February 19, 2003, 08:04:09 PM »

Unfortunately, I've been added to the list of people that got nailed by this, got hit yesterday. For some reason (no doubt my end, probably my spam filter!) I never got notified of any security holes - and I don't check this board that often, don't need to. D'oh!

From the access logs, I have a webserver in brazil which was used to nail me. They altered the front page, and deleted one of my yabbse folders. I've taken the site down while I do repairs, alter passwords et al.

If anyone wants my access logs, or info from the board itself in order to build evidence or somesuch (they appear to have left the sql database intact) they're more than welcome, and my email address does appear to be working now :)

As for being hacked... well, such is life, I don't see anything more the yabb team could have done to let me know, I haven't even needed to login to the board admin for a while so even an xml update probably wouldn't have got to me.

 :-\
luisr (Full Member, Posts: 120)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #154 on: February 21, 2003, 03:47:20 PM »

What about these two vulnerabilities?  I found these by searching Google with " YaBB SE vulnerability":

This one is for a vulnerability with News.php
http://www3.ca.com/virusinfo/Threat.asp?ID=14136

And this one for news_template.php
http://www.securiteam.com/unixfocus/5BP051F8VE.html
[Unknown] (Global Moderator, YaBB God, Posts: 7830)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #155 on: February 21, 2003, 07:17:40 PM »

Both have been fixed in 1.5.1.

-[Unknown]
iamdamnsam (Full Member, Posts: 225)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #156 on: February 24, 2003, 05:26:47 PM »

Both have been fixed in 1.5.1.

-[Unknown]

Well....how do you fix them in 1.3 and 1.4?
Gobalopper (Mod Team, YaBB God, Posts: 993)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #157 on: February 24, 2003, 05:33:00 PM »

Check Compuart's posts in the bug boards, I'm pretty sure it has fixes for the 1.4.1 version.
iamdamnsam (Full Member, Posts: 225)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #158 on: February 24, 2003, 05:49:14 PM »

what about 1.3?  It doesn't list it as vulnerable on those sites.  I have tried it on my own site, and I don't see how they can get hijacked, it is only showing your own cookie.
Jeff Lewis (Global Moderator, YaBB God, Posts: 10149)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #159 on: February 24, 2003, 06:08:15 PM »

Using 1.3, if you're not using it, I'd delete Packages.php
iamdamnsam (Full Member, Posts: 225)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #160 on: February 24, 2003, 07:49:04 PM »

Using 1.3, if you're not using it, I'd delete Packages.php

done already, but what about the other security issues?
[Unknown] (Global Moderator, YaBB God, Posts: 7830)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #161 on: February 24, 2003, 07:53:32 PM »

Using 1.3, if you're not using it, I'd delete Packages.php

done already, but what about the other security issues?

I very much recommend going to 1.5.1 if you want full security.

-[Unknown]
luisr (Full Member, Posts: 120)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #162 on: February 25, 2003, 09:32:20 AM »

I am in a similar situation, using 1.3.1 at present and waiting for 1.5.1 to be released in its final form before I upgrade.  Don't want to deal with release candidates.   Already deleted the Packages.php file.  I don't use the news feature.  Can I safely delete the other files?

By the way, I tried the one that allegedly allows stealing of cookies but as iamdamnsam said, I just see my own cookie.  But it shows a vulnerability anyway because it should not allow running scripts that way.
[Unknown] (Global Moderator, YaBB God, Posts: 7830)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #163 on: February 25, 2003, 05:58:39 PM »

The problem is, if you can see your cookie.... then the JavaScript can see it.

If the JavaScript can see your cookie, it can send that cookie to someone else.

If someone else has your cookie, they can login to your forum - as you.

If that happens you are dead.

-[Unknown]
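As an added illustration of the point [Unknown] makes above (example code written for this page, not YaBB SE's own News.php or news_template.php), here is a news item rendered unescaped versus escaped in PHP, plus a session cookie that page script cannot read even if an escaping bug slips through. Function names are hypothetical and the cookie settings are a deployment assumption; requires PHP 7.3 or later.

```php
<?php
// Added example, not YaBB SE code: a news item rendered without escaping
// versus with escaping, plus a session cookie that page script cannot read.
// Function names are hypothetical; requires PHP 7.3+ (array form of setcookie).

// Vulnerable pattern: the stored news text is dropped straight into the HTML,
// so any <script> inside it runs in every reader's browser.
function renderNewsUnsafe(string $item): string
{
    return '<div class="news">' . $item . '</div>';
}

// Hardened pattern: <, >, &, " and ' become entities, so the browser shows
// the text as text and nothing in it executes.
function renderNewsSafe(string $item): string
{
    $escaped = htmlspecialchars($item, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="news">' . $escaped . '</div>';
}

// Crude check used only to show the difference between the two renderers.
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Defence in depth: HttpOnly hides the cookie from document.cookie, so even a
// missed escaping bug cannot hand the session to someone else; Secure and
// SameSite narrow it further. Deployment assumption, not a YaBB SE default.
function sendSessionCookie(string $name, string $value): bool
{
    if (headers_sent()) {
        return false; // output already started, nothing can be sent
    }
    return setcookie($name, $value, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed sample: the kind of probe luisr describes, which only shows the
// reader their own cookie but proves markup from the news text is executed.
$sample = 'Board upgraded <script>alert(document.cookie)</script>';
echo "unsafe contains live script: ", var_export(containsLiveScriptTag(renderNewsUnsafe($sample)), true), PHP_EOL;
echo "safe contains live script:   ", var_export(containsLiveScriptTag(renderNewsSafe($sample)), true), PHP_EOL;
echo renderNewsSafe($sample), PHP_EOL;
```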
luisr (Full Member, Posts: 120)
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #164 on: February 26, 2003, 10:17:07 AM »

But that involves inserting the malicious code somehow in a message or somewhere that other users can see as well, not just me.  Maybe I cannot think of a way of doing it because I am not a hacker.