Wedge

I honestly don't care about who the admin is. I haven't revealed the exact thing that was used inside the admin panel though it is fairly obvious.

One question I will put though: the area in question does allow for arbitrary PHP code. However, the vulnerability is only present if files are writable by PHP. I would *love* to hear a credible argument for leaving the files writable by PHP.

Well I can't say I'm surprised by this as security vulnerabilities have been reported by many over the years. Years ago there seemed to be a taboo placed on anyone who reported these breaches which is why I have not logged in there for over a year.

I'm sorry, which part of 'this was not a security vulnerability' were you having trouble understanding?

It has actually been mentioned how this was exploited on sm.org: someone uploaded a theme with extra files in it, one of which had nasty code in it. There are other routes to doing something similar - namely the theme editing functionality - but the point stands: this was a compromised account by way of an admin being on another site with the same password and the password compromised there.

The real question I would level at the SM people at this point is why basic security practices were not carried out with respect to files not being made read-only after modifications were carried out. But that's still not a security issue in the software, that's a fault of the underlying operating system configuration and a lack of knowledge and understanding from the people who organise such things. I understand there is some confusion as to what must remain writable for standard functionality.

There are, to the best of my knowledge, no vulnerabilities that have been reported and not been investigated. That is not to say that all reports were valid, or that all reports had an exploit that actually needed immediately patching; the most recent vulnerability, for example, actively requires an admin account to actually exploit it. If you already have an admin account, the potential for mischief - as seen - is already demonstrable and thus while there is a bug to fix, it is not really a legitimate vulnerability if it already requires all the keys to the kingdom to be able to exploit it in the first place.

If you can provide a report that you believe has not been taken seriously, please do contact me and I will investigate and take whatever action needs to be taken (including providing patches to SMF if necessary, it's not like we've never discussed vulnerabilities with them before now). I am well aware such claims have been made - but like every time this has been raised, we always ask for reports or indeed anything to back up this bluster and nothing is ever forthcoming. Provide me with something to work on and I'll look at it. Provide me with bluster and the only thing I can conclude is that you're just trolling and shit-stirring.

In any case, haven't you since been banned from sm.org?

I call BS.

Firstly, he was adamant that they were not fixed in those patches when they arrived.

Secondly, and this is the real BS kicker, either you're lying now about speaking to your father or you've been lying in the past on the various occasions you said your father had passed away, most recently in http://www.simplemachines.org/community/index.php?topic=508045.msg3579546#msg3579546 but in various threads and comments, including here, prior to that. Which is it?

More than one person has suggested to me that you're a troll and specifically that you're using that as an excuse to cover up some deeper issue. If your father has passed away, I'm sorry for your loss but you can't use him as a strawman to cover up for your own issues.

If you want to keep railing about how bad SMF is, please go somewhere else. I would rather you do so willingly rather than making you go, but I have no problem with making you go away if you can't comply reasonably. I doubt there is anything meaningful you could add at this point because you've given me fairly good proof that you're just talking BS now.

So you are the new Doctor Who and posting from the future! :eheh:(Sorry, Pete, I couldn't resist!)

rotflmfao...


OOPS.... caught out.

1- http://www.simplemachines.org/community/index.php?action=profile;u=204928
Last Active:    July 20, 2013, 01:30:42 PM
(also, the IPs used to access this account have not varied)

2- yup... as Arantor says, you've been consistently telling us how terrible the team is because we wouldn't believe that your dad was dead.

3- Nope... 2.0.4 did not patch anything that "your father" reported... Do you know why? Because he complained and moaned, but never ONCE gave anyone on the SMF team and actual security report with any evidence of a vulnerability except for his continual claim that "it is there, I just can;t tell you where"

4- Interesting that, if your account was compromised, all of the posts continued to use the exact same posting style and complaints that both you and "your father" use...

5- ...  well, I'll just call BS at this point.\







Arantor,  to get back to the actual point.  Yeah, we all agree that there was a slip up there as well.  Sleepy has actually just rejoined the site team with some ideas about doing something about that and some ideas on adding a double layer security protocol for the admin, if not for anything else.

While this was not a vulnerability in SMF itself, we all admit that we have some egg on our faces...   our only consolation is that we're not the only ones in this boat.

Nice summary, Kindred, covers everything that's been going on ;)

Yeah, the whole writable-files thing is an issue and it's been an issue since forever. Part of the reason I guess I'm more hardline about it is because I deliberately spent time making that a non-issue in Wedge; every step in Wedge's plugin chain is about not having files be modified, specifically to ensure permissions never get elevated. But the price, of course, is flexibility, and I've not exactly lost sleep over that decision.

I'm interesting in the concept of a double layer security protocol, essentially forcing admin access to be either IP bound (or at least white listed) and/or two-factor authentication. Unfortunately it's not something we can easily adopt as standard beyond IP whitelisting for the obvious reason that both SMF and Wedge typically get deployed on shared hosts and shared hosts typically are the lowest hanging fruit.

im quite interested in the double layer system as well should be an interesting system, from my own aspect I am quite impressed in the speed that we managed to get everything out from first being made aware to site being sorted was 30 - 45 mins.  Took longer to get the message out as we wanted all the information we could, and there is alot of log files to go through as you can imagine.  Liroy did amazing to get every thing sorted,  specially considering I woke him up from a good sleep.  And he spent countless hours with little sleep going through the logs.

Dont get me wrong was massive embarrassment, such a noob mistake for any admin or site, but we have learnt lesson, have taken steps to prevent it and as you read quite large ones, admins have came to an agreement in changing passwords on regular basis, and I believe a policy will be getting put forward by the BoD, what that covers we shall see :)