Aaron

  • Posts: 356
"The entire British Empire was built on cups of tea … and if you think I'm going to war without one, mate, you're mistaken."

xrunner

  • Posts: 192
Re: SM.org compromised
« Reply #1, on July 23rd, 2013, 08:29 PM »
I found out because I got a notice that a new topic was posted about it on this board here. I never got an email from them. I did go there and change my password.

What the Hell is going on out there? Last week I got a notice that the NASDAQ site was hacked. Then a few days ago I got an email from the Ubuntu forum that they were hacked. Now the SM forum is hacked. I'm starting to get worried about security like never before.

Dragooon

  • I can code! Really!
  • polygon.com has to be one of the best sites I've seen recently.
  • Posts: 1,841
Re: SM.org compromised
« Reply #2, on July 23rd, 2013, 08:42 PM »
Yay for PMs being hacked, I have a lot of stuff in there. Although most of the stuff is kinda useless...so okay.
The way it's meant to be

Kindred

  • Posts: 166
Re: SM.org compromised
« Reply #3, on July 23rd, 2013, 08:48 PM »
Hackers should be locked up in general population....

agent47

  • Now I see the changes you're talking about.
  • Posts: 115
Re: SM.org compromised
« Reply #4, on July 23rd, 2013, 08:50 PM »
Just when things couldn't get any worse for SM.org....

TE

  • Posts: 286
Thorsten "TE" Eurich - Former SMF Developer & Converters Guru

Nao

  • Dadman with a boy
  • Posts: 16,063
Re: SM.org compromised
« Reply #6, on July 23rd, 2013, 11:38 PM »
They should have used Wedge... It doesn't have the admin feature to download a DB backup... :niark:

live627

  • Should five per cent appear too small / Be thankful I don't take it all / 'Cause I'm the taxman, yeah I'm the taxman
  • Posts: 1,667
Re: SM.org compromised
« Reply #7, on July 24th, 2013, 12:29 AM »
This is why Wedge doesn't allow file edits.
A confident man keeps quiet.whereas a frightened man keeps talking, hiding his fear.

emanuele

  • Posts: 125
Re: SM.org compromised
« Reply #8, on July 24th, 2013, 12:33 AM »
ehm...does it allow to upload a plugin with php code? ;)

live627

  • Should five per cent appear too small / Be thankful I don't take it all / 'Cause I'm the taxman, yeah I'm the taxman
  • Posts: 1,667
Re: SM.org compromised
« Reply #9, on July 24th, 2013, 05:34 AM »
Yes. However, it connects through FTP. Nothing is ever uploaded directly with PHP.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #10, on July 24th, 2013, 06:39 AM »
Just to elaborate, the entire plugin architecture in Wedge is different to SMF, there is no code remaining from the old packman. Live is right about the plugin upload aspect - but I'll elaborate as to what we do and why.

When you upload a plugin to the admin panel as a zip file, some basic stuff is done to validate the package (looks for plugin-info.xml, quickly validates it) and if successful, it is moved out of the temporary folder into one of the Wedge folders where it can be dealt with.

What then happens is the admin is prompted for FTP details and then Wedge performs the upload of the package itself. More accurately, it opens the connection, creates all the folders via FTP then proceeds to upload the files via FTP too. The very important detail here is that at no point does the www-data/nobody/apache user ever actually own the files, because they are uploaded with the user's FTP details so all the files are then also owned by that FTP user, making all those files write-protected against by other users even on shared systems. This is the really neat part about this: since plugins never have to edit files (not that, generally, they could anyway), permissions never need to be escalated.

I should add, I actually tested this on a real shared server and was able to upload plugins without ever having to escalate permissions in any way whatsoever.

Yes, it would be possible to add a plugin which allowed downloads of the DB but it would have to be done by the admin with actual FTP credentials.

Just one last thing: this was not, at least not directly, a vulnerability of SMF. Information has been provided to me about a method by which the password forcing could have been expedited, a method which I was already aware of and has even been discussed on this forum, but it is not a vulnerability in the software as such (though it probably should be modified to mitigate this sort of circumstance). All in all this was a user account being forced, and as ever the users are the weakest part of the security chain.
Posted: July 24th, 2013, 06:37 AM

Also, as much as I didn't want to, I logged into sm.org to reset my password.
Re: SM.org compromised
« Reply #11, on July 24th, 2013, 07:03 AM »
Also, we really need to add a method by which user passwords can be force-reset by the admin on a bulk level like this.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

Pandos

  • Living on the edge of Wedge
  • Posts: 635
# dpkg-reconfigure brain
error: brain is not installed or configured

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #13, on July 24th, 2013, 08:58 AM »
-sigh- You do realise that all you do is simply slow down an attacker rather than actually preventing anything? And the slowdown is trivial to beat, not lengthy...

The PMs must be in a form that can be decrypted by each user. Unless you create one duplicate for every recipient (as opposed to the current situation of one copy per PM and one entry for each recipient) which is separately encrypted which opens a massive glut of issues in terms of storage (it would render the announcements system basically useless), you have to keep them decryptable without complex systems. Which means it's basically a waste of effort because it can always be decrypted by anyone who gets the database.

:edit: Did you actually read the thread you linked? It would explain pretty much every reason why this is a bad idea.

Pandos

  • Living on the edge of Wedge
  • Posts: 635
Re: SM.org compromised
« Reply #14, on July 24th, 2013, 09:13 AM »

Ouch ...
Hackers are one thing, but there is more:
Here in Germany a lot change the way privacy is handled.
An Administator I know was sued because he has read the PM's of users. Not really turned out well for him ...
So it would be a cool feature to deal with legal issues.


But I can understand your concerns about it. Technically impossible to implement ..