Aaron

  • Posts: 356
"The entire British Empire was built on cups of tea … and if you think I'm going to war without one, mate, you're mistaken."

xrunner

  • Posts: 192
Re: SM.org compromised
« Reply #1, on July 23rd, 2013, 08:29 PM »
I found out because I got a notice that a new topic was posted about it on this board here. I never got an email from them. I did go there and change my password.

What the Hell is going on out there? Last week I got a notice that the NASDAQ site was hacked. Then a few days ago I got an email from the Ubuntu forum that they were hacked. Now the SM forum is hacked. I'm starting to get worried about security like never before.

Dragooon

  • I can code! Really!
  • polygon.com has to be one of the best sites I've seen recently.
  • Posts: 1,841
Re: SM.org compromised
« Reply #2, on July 23rd, 2013, 08:42 PM »
Yay for PMs being hacked, I have a lot of stuff in there. Although most of the stuff is kinda useless...so okay.
The way it's meant to be

Kindred

  • Posts: 166
Re: SM.org compromised
« Reply #3, on July 23rd, 2013, 08:48 PM »
Hackers should be locked up in general population....

agent47

  • Now I see the changes you're talking about.
  • Posts: 115
Re: SM.org compromised
« Reply #4, on July 23rd, 2013, 08:50 PM »
Just when things couldn't get any worse for SM.org....

TE

  • Posts: 286
Thorsten "TE" Eurich - Former SMF Developer & Converters Guru

Nao

  • Dadman with a boy
  • Posts: 16,080
Re: SM.org compromised
« Reply #6, on July 23rd, 2013, 11:38 PM »
They should have used Wedge... It doesn't have the admin feature to download a DB backup... :niark:

live627

  • Should five per cent appear too small / Be thankful I don't take it all / 'Cause I'm the taxman, yeah I'm the taxman
  • Posts: 1,670
Re: SM.org compromised
« Reply #7, on July 24th, 2013, 12:29 AM »
This is why Wedge doesn't allow file edits.
A confident man keeps quiet, whereas a frightened man keeps talking, hiding his fear.

emanuele

  • Posts: 125
Re: SM.org compromised
« Reply #8, on July 24th, 2013, 12:33 AM »
Ehm... does it allow uploading a plugin with PHP code? ;)

live627

  • Should five per cent appear too small / Be thankful I don't take it all / 'Cause I'm the taxman, yeah I'm the taxman
  • Posts: 1,670
Re: SM.org compromised
« Reply #9, on July 24th, 2013, 05:34 AM »
Yes. However, it connects through FTP. Nothing is ever uploaded directly with PHP.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #10, on July 24th, 2013, 06:39 AM »
Just to elaborate, the entire plugin architecture in Wedge is different to SMF, there is no code remaining from the old packman. Live is right about the plugin upload aspect - but I'll elaborate as to what we do and why.

When you upload a plugin to the admin panel as a zip file, some basic stuff is done to validate the package (looks for plugin-info.xml, quickly validates it) and if successful, it is moved out of the temporary folder into one of the Wedge folders where it can be dealt with.

What then happens is the admin is prompted for FTP details and then Wedge performs the upload of the package itself. More accurately, it opens the connection, creates all the folders via FTP then proceeds to upload the files via FTP too. The very important detail here is that at no point does the www-data/nobody/apache user ever actually own the files, because they are uploaded with the user's FTP details so all the files are then also owned by that FTP user, making all those files write-protected against other users even on shared systems. This is the really neat part about this: since plugins never have to edit files (not that, generally, they could anyway), permissions never need to be escalated.

I should add, I actually tested this on a real shared server and was able to upload plugins without ever having to escalate permissions in any way whatsoever.

Yes, it would be possible to add a plugin which allowed downloads of the DB but it would have to be done by the admin with actual FTP credentials.

Just one last thing: this was not, at least not directly, a vulnerability of SMF. Information has been provided to me about a method by which the password forcing could have been expedited, a method which I was already aware of and has even been discussed on this forum, but it is not a vulnerability in the software as such (though it probably should be modified to mitigate this sort of circumstance). All in all this was a user account being forced, and as ever the users are the weakest part of the security chain.
Posted: July 24th, 2013, 06:37 AM

Also, as much as I didn't want to, I logged into sm.org to reset my password.
Re: SM.org compromised
« Reply #11, on July 24th, 2013, 07:03 AM »
Also, we really need to add a method by which user passwords can be force-reset by the admin on a bulk level like this.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial
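
The ownership property described in Reply #10, as an added example that is not part of the original posts and is not Wedge's code: a Python audit that lists every path in a plugin tree the web server account could modify. The directory layout, the file name hooks.php and the uid values are constructed assumptions; only POSIX mode bits are checked, not ACLs.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """True if the mode bits in st grant write access to a process with uid/gids."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_plugin_tree(root, web_uid, web_gids=()):
    """Return sorted paths (relative to root) the web server account could modify."""
    gids, findings = set(web_gids), []
    for dirpath, _dirs, filenames in os.walk(root):
        # Check the directory itself too: a writable directory lets files be replaced.
        for name in [os.curdir] + filenames:
            path = os.path.normpath(os.path.join(dirpath, name))
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode bits say nothing about its target
            if writable_by(st, web_uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: one protected file and one world-writable file."""
    root = tempfile.mkdtemp(prefix="plugins-")
    plugin = os.path.join(root, "example-plugin")
    os.mkdir(plugin)
    os.chmod(root, 0o755)
    os.chmod(plugin, 0o755)
    for name, mode in (("plugin-info.xml", 0o644), ("hooks.php", 0o666)):
        path = os.path.join(plugin, name)
        with open(path, "w") as fh:
            fh.write("<!-- constructed sample -->\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    # Assumption: the web server runs as a different uid than the uploading account.
    for finding in audit_plugin_tree(sample, web_uid=os.getuid() + 1):
        print("writable by web server account:", finding)
```

An empty result for the web server's uid is the state the post describes; any path listed is one that code running as that account could rewrite.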

Pandos

  • Living on the edge of Wedge
  • Posts: 635
# dpkg-reconfigure brain
error: brain is not installed or configured

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #13, on July 24th, 2013, 08:58 AM »
-sigh- You do realise that all you do is simply slow down an attacker rather than actually preventing anything? And the slowdown is trivial to beat, not lengthy...

The PMs must be in a form that can be decrypted by each user. Unless you create one duplicate for every recipient (as opposed to the current situation of one copy per PM and one entry for each recipient) which is separately encrypted which opens a massive glut of issues in terms of storage (it would render the announcements system basically useless), you have to keep them decryptable without complex systems. Which means it's basically a waste of effort because it can always be decrypted by anyone who gets the database.

:edit: Did you actually read the thread you linked? It would explain pretty much every reason why this is a bad idea.

Pandos

  • Living on the edge of Wedge
  • Posts: 635
Re: SM.org compromised
« Reply #14, on July 24th, 2013, 09:13 AM »

Ouch ...
Hackers are one thing, but there is more:
Here in Germany a lot has changed in the way privacy is handled.
An administrator I know was sued because he read users' PMs. It did not really turn out well for him ...
So it would be a cool feature to deal with legal issues.


But I can understand your concerns about it. Technically impossible to implement ..