Kindred

  • Posts: 166
Re: SM.org compromised
« Reply #30, on August 2nd, 2013, 02:59 AM »
well, there isn't much that we haven't already discussed openly.

With the exception of the name of the vector/admin - I don't think there is anything really surprising about how the hacker did what he did (once he got into the admin account)

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #31, on August 2nd, 2013, 03:39 AM »
I honestly don't care about who the admin is. I haven't revealed the exact thing that was used inside the admin panel though it is fairly obvious.

One question I will put though: the area in question does allow for arbitrary PHP code. However, the vulnerability is only present if files are writable by PHP. I would *love* to hear a credible argument for leaving the files writable by PHP.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

Road Rash Jr.

  • Posts: 76
Re: SM.org compromised
« Reply #32, on August 4th, 2013, 04:25 AM »
Well I can't say I'm surprised by this as security vulnerabilities have been reported by many over the years. Years ago there seemed to be a taboo placed on anyone who reported these breaches which is why I have not logged in there for over a year.
Stick a FORK in it, it's done.
(Error 69) No Seniors Porn Found Here

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #33, on August 4th, 2013, 04:41 AM »
I'm sorry, which part of 'this was not a security vulnerability' were you having trouble understanding?

It has actually been mentioned how this was exploited on sm.org: someone uploaded a theme with extra files in it, one of which had nasty code in it. There are other routes to doing something similar - namely the theme editing functionality - but the point stands: this was a compromised account by way of an admin being on another site with the same password and the password compromised there.

The real question I would level at the SM people at this point is why basic security practices were not carried out with respect to files not being made read-only after modifications were carried out. But that's still not a security issue in the software, that's a fault of the underlying operating system configuration and a lack of knowledge and understanding from the people who organise such things. I understand there is some confusion as to what must remain writable for standard functionality.

There are, to the best of my knowledge, no vulnerabilities that have been reported and not been investigated. That is not to say that all reports were valid, or that all reports had an exploit that actually needed immediately patching; the most recent vulnerability, for example, actively requires an admin account to actually exploit it. If you already have an admin account, the potential for mischief - as seen - is already demonstrable and thus while there is a bug to fix, it is not really a legitimate vulnerability if it already requires all the keys to the kingdom to be able to exploit it in the first place.

If you can provide a report that you believe has not been taken seriously, please do contact me and I will investigate and take whatever action needs to be taken (including providing patches to SMF if necessary, it's not like we've never discussed vulnerabilities with them before now). I am well aware such claims have been made - but like every time this has been raised, we always ask for reports or indeed anything to back up this bluster and nothing is ever forthcoming. Provide me with something to work on and I'll look at it. Provide me with bluster and the only thing I can conclude is that you're just trolling and shit-stirring.

In any case, haven't you since been banned from sm.org?
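The check Arantor asks for in #31 and #33, "are any code files writable by PHP?", as an added example that is not part of this thread and not SMF or Wedge code. It walks a forum root and reports which files the PHP process itself can write, which is the precondition for the admin-panel route described above turning into a persistent foothold. It assumes a Unix host and PHP 7; the web user name and the allowed paths on the command line are placeholders for whatever your own install genuinely needs writable.

```php
<?php
// Added example (not SMF or Wedge code): report which code files the PHP
// process itself can write under a forum root. This is the precondition
// Arantor names: arbitrary PHP from the admin panel only becomes a
// persistent foothold if PHP can write to files that are later executed.
declare(strict_types=1);

/**
 * Walk $root and return the files that PHP's own uid/gid may write, split
 * into those under $allow (paths relative to $root that your install
 * legitimately needs writable; which ones those are is install-specific
 * and an assumption here) and everything else.
 */
function auditWritable(string $root, array $allow = [], array $exts = ['php', 'inc', 'htaccess']): array
{
    $real = realpath($root);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException("not a directory: $root");
    }
    $real   = rtrim($real, '/');
    $report = ['unexpected' => [], 'allowed' => []];
    $allow  = array_map(function (string $p): string {
        return trim($p, '/') . '/';
    }, $allow);

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {                    // $file is an SplFileInfo
        if (!$file->isFile()) {
            continue;
        }
        if (!in_array(strtolower($file->getExtension()), $exts, true)) {
            continue;
        }
        // isWritable() answers for the running process, i.e. the web user
        // when invoked through the web server or as that user from the CLI.
        // That is the question that matters, not what "ls -l" shows for
        // whoever owns the shell you happen to be typing in.
        if (!$file->isWritable()) {
            continue;
        }
        $rel    = substr($file->getPathname(), strlen($real) + 1);
        $bucket = 'unexpected';
        foreach ($allow as $prefix) {
            if (strncmp($rel, $prefix, strlen($prefix)) === 0) {
                $bucket = 'allowed';
                break;
            }
        }
        $report[$bucket][] = $rel;
    }
    sort($report['unexpected']);
    sort($report['allowed']);
    return $report;
}

// CLI usage (user name and paths are assumptions about your host):
//   sudo -u www-data php audit_writable.php /var/www/forum attachments cache
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $r = auditWritable($argv[1], array_slice($argv, 2));
    printf("%d writable code file(s) outside allowed paths:\n", count($r['unexpected']));
    foreach ($r['unexpected'] as $f) {
        echo "  $f\n";
    }
    printf("%d writable code file(s) inside allowed paths\n", count($r['allowed']));
}
```

Run it as the account PHP actually runs under, otherwise the answer describes the wrong user. One caveat that follows from Arantor's point about making files read-only after modifications: if the web user owns the files, a chmod to 0444 is only a speed bump, because code running as that user (including anything an attacker managed to drop) can chmod them back. The durable configuration is files owned by a different account than the one the web server runs as, with the web user holding read access only, and the handful of directories the forum genuinely writes to carved out explicitly.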

Road Rash Jr.

  • Posts: 76
Re: SM.org compromised
« Reply #34, on August 4th, 2013, 05:12 AM »
Quote
In any case, haven't you since been banned from sm.org?
I wouldn't know, I haven't logged on there in over a year.

As for security breaches reported by my dad they appear to have been addressed in these releases
Quote
SMF 2.0.4 and 1.1.18 security patches have been released. on February 01, 2013, 05:27:00 PM
Critical security patches have been released, addressing a few vulnerabilities in SMF 2.0.x and SMF 1.1.x. We urge all administrators to upgrade as soon as possible. Just visit the package manager to install the patch.

SMF 2.0.3, 1.1.17 and 1.0.23 security patches have been released. on December 16, 2012, 11:41:05 PM
Security patches have been released, addressing a vulnerability in SMF 2.0.x, SMF 1.1.x and SMF 1.0.x. We urge all administrators to upgrade as soon as possible. Just visit the package manager to install the patch.
Re: SM.org compromised
« Reply #35, on August 4th, 2013, 05:52 AM »
I just talked with Dad and he confirms his access is being blocked with this error message
Quote
Simple Machines Community Forum

An Error Has Occurred!

Sorry Guest, you are banned from using this forum!
Account suspended by user request
This ban is not set to expire.
Curious since he hasn't been on there in years either let alone make any requests.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #36, on August 4th, 2013, 07:38 AM »
I call BS.

Firstly, he was adamant that they were not fixed in those patches when they arrived.

Secondly, and this is the real BS kicker, either you're lying now about speaking to your father or you've been lying in the past on the various occasions you said your father had passed away, most recently in http://www.simplemachines.org/community/index.php?topic=508045.msg3579546#msg3579546 but in various threads and comments, including here, prior to that. Which is it?

More than one person has suggested to me that you're a troll and specifically that you're using that as an excuse to cover up some deeper issue. If your father has passed away, I'm sorry for your loss but you can't use him as a strawman to cover up for your own issues.

If you want to keep railing about how bad SMF is, please go somewhere else. I would rather you do so willingly rather than making you go, but I have no problem with making you go away if you can't comply reasonably. I doubt there is anything meaningful you could add at this point because you've given me fairly good proof that you're just talking BS now.
Quote
Through dangers untold and hardships unnumbered, I have fought my way here to the castle beyond the Goblin City to take back the child that you have stolen, for my will is as strong as yours, and my kingdom as great — You have no power over me.

Road Rash Jr.

  • Posts: 76
Re: SM.org compromised
« Reply #37, on August 4th, 2013, 02:45 PM »
Arantor I have no wish to carry on this discussion with you here because it is obvious to me someone has been feeding you a line of BS and it isn't me.
Dad is alive and well, thank you, and I have never posted anywhere, here or on SMF, that he was dead. Heaven forbid, that is just morbid. I've never posted here either that he was dead, so again you have me mistaken for someone else.
I have not logged into the SMF forum nor have I posted anything there. Neither has Dad. So I have no idea what you are talking about and have no way to validate your link or what it says.
But the facts and truth is, we have not logged into or posted anything on the SMF forum in over a year.
I've just checked my past posts on here and can find nothing of what you speak of, so I'm at a loss as to what you are referring to.
This is my last post here over a year ago http://wedge.org/pub/smf/7996/my-review-of-customer-service-on-smf/msg288899/#msg288899 and my next post was this one http://wedge.org/pub/smf/8221/sm-org-compromised/msg290840/#msg290840

Arantor I have no animosity towards you or this project and have never spoken unkindly about either.
Neither do I have any animosity towards the SMF project.
Re: SM.org compromised
« Reply #38, on August 4th, 2013, 03:26 PM »
As an added thought, if you prefer to discuss me or my Dad further, it should probably be done by email. So if you want, send me an email and we'll try to clarify any misunderstanding that way rather than detract from the original topic.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #39, on August 4th, 2013, 06:55 PM »
That's funny, the post I linked was from YOUR ACCOUNT. The closing line of the post I linked to:
Quote
That is pretty insensitive of you. Dad past away over a year ago.
And
Quote
But the facts and truth is, we have not logged into or posted anything on the SMF forum in over a year.
That's funny, because I see posts from your account last month on sm.org.
Quote
This is my last post here over a year ago
Yes, because May 12, 2013 is more than one year ago.
Quote
As an added thought, if you prefer to discuss me or my Dad further, it should probably be done by email. So if you want, send me an email and we'll try to clarify any misunderstanding that way rather than detract from the original topic.
The only misunderstanding is how stupid you think the rest of us are. Are you seriously going to claim that your account was hijacked and someone's been using it to spread nonsense? That would be funny since the writing style hasn't changed in the entire time I've seen your posts.
Re: SM.org compromised
« Reply #40, on August 4th, 2013, 07:01 PM »
OK, so here's the point I don't get. If the account was 'compromised' and someone else took it over, changing the password should have fixed that entirely. It seems funny that that never happened.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: SM.org compromised
« Reply #41, on August 4th, 2013, 07:06 PM »
Quote from Arantor on August 4th, 2013, 06:55 PM
Quote
This is my last post here over a year ago
Yes, because May 12, 2013 is more than one year ago.
So you are the new Doctor Who and posting from the future! :eheh:(Sorry, Pete, I couldn't resist!)


Kindred

  • Posts: 166
Re: SM.org compromised
« Reply #42, on August 4th, 2013, 09:53 PM » Last edited on August 4th, 2013, 10:01 PM
rotflmfao...


OOPS.... caught out.

1- http://www.simplemachines.org/community/index.php?action=profile;u=204928
Last Active:    July 20, 2013, 01:30:42 PM
(also, the IPs used to access this account have not varied)

2- yup... as Arantor says, you've been consistently telling us how terrible the team is because we wouldn't believe that your dad was dead.

3- Nope... 2.0.4 did not patch anything that "your father" reported... Do you know why? Because he complained and moaned, but never ONCE gave anyone on the SMF team an actual security report with any evidence of a vulnerability, except for his continual claim that "it is there, I just can't tell you where".

4- Interesting that, if your account was compromised, all of the posts continued to use the exact same posting style and complaints that both you and "your father" use...

5- ... well, I'll just call BS at this point.

Arantor,  to get back to the actual point.  Yeah, we all agree that there was a slip up there as well.  Sleepy has actually just rejoined the site team with some ideas about doing something about that and some ideas on adding a double layer security protocol for the admin, if not for anything else.

While this was not a vulnerability in SMF itself, we all admit that we have some egg on our faces...   our only consolation is that we're not the only ones in this boat.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #43, on August 4th, 2013, 09:59 PM »
Nice summary, Kindred, covers everything that's been going on ;)

Yeah, the whole writable-files thing is an issue and it's been an issue since forever. Part of the reason I guess I'm more hardline about it is because I deliberately spent time making that a non-issue in Wedge; every step in Wedge's plugin chain is about not having files be modified, specifically to ensure permissions never get elevated. But the price, of course, is flexibility, and I've not exactly lost sleep over that decision.

I'm interested in the concept of a double layer security protocol, essentially forcing admin access to be either IP bound (or at least whitelisted) and/or two-factor authentication. Unfortunately it's not something we can easily adopt as standard beyond IP whitelisting, for the obvious reason that both SMF and Wedge typically get deployed on shared hosts and shared hosts typically are the lowest hanging fruit.
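The two extra layers Arantor describes, admin access bound to whitelisted source addresses plus a second factor, as an added example that is not part of this thread and not SMF or Wedge code. It is a gate to be required at the top of an admin entry point; the network list, the way the per-admin TOTP secret reaches the script, and the session flag are all assumptions, and it assumes 64-bit PHP 7 on a host where REMOTE_ADDR really is the TCP peer.

```php
<?php
// Added example (not SMF or Wedge code): two extra admin layers as a gate
// placed before any admin action. Layer 1 is a source-address whitelist;
// layer 2 is a TOTP second factor (RFC 6238, HMAC-SHA1). The address list,
// secret handling and session handling are assumptions about a deployment.
declare(strict_types=1);

/** True when IPv4 $ip lies inside $cidr ("203.0.113.0/24" or a bare address). */
function ipv4InCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipL  = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false || !ctype_digit($bits)) {
        return false;
    }
    $bits = (int) $bits;
    if ($bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);   // 64-bit PHP assumed
    return ($ipL & $mask) === ($netL & $mask);
}

/**
 * Layer 1: decide from a copy of $_SERVER whether the peer may reach admin.
 * Only REMOTE_ADDR is consulted: the web server fills it from the TCP peer,
 * whereas X-Forwarded-For is a request header any client can set at will.
 */
function peerAllowed(array $server, array $whitelist): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;   // IPv6 peers would need their own matcher; fail closed
    }
    foreach ($whitelist as $cidr) {
        if (ipv4InCidr($peer, $cidr)) {
            return true;
        }
    }
    return false;
}

/** Layer 2: RFC 6238 TOTP for the given Unix time. */
function totp(string $secret, int $time, int $digits = 6, int $step = 30): string
{
    $counter = pack('J', intdiv($time, $step));            // 8-byte big-endian
    $hmac    = hash_hmac('sha1', $counter, $secret, true);
    $offset  = ord($hmac[19]) & 0x0F;                       // dynamic truncation
    $code    = ((ord($hmac[$offset]) & 0x7F) << 24)
             | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8)
             |  ord($hmac[$offset + 3]);
    // RFC 6238 Appendix B vector: totp('12345678901234567890', 59, 8) === '94287082'
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** Accept the current step or the previous one to absorb small clock skew. */
function totpValid(string $secret, string $submitted, int $now): bool
{
    foreach ([0, -30] as $skew) {
        if (hash_equals(totp($secret, $now + $skew), $submitted)) {   // constant-time compare
            return true;
        }
    }
    return false;
}

// The gate. Everything below is an assumption about your deployment: the
// networks, that login code has already placed the admin's TOTP secret in
// the session from their record, and that the OTP arrives as POST field otp.
$ADMIN_NETS = ['203.0.113.0/24', '198.51.100.7'];
if (PHP_SAPI !== 'cli') {
    if (!peerAllowed($_SERVER, $ADMIN_NETS)) {
        http_response_code(403);
        exit('Admin area is not reachable from this address.');
    }
    session_start();
    if (empty($_SESSION['admin_2fa_ok'])) {
        $secret = $_SESSION['admin_totp_secret'] ?? '';
        if ($secret === '' || !totpValid($secret, (string) ($_POST['otp'] ?? ''), time())) {
            http_response_code(403);
            exit('Second factor required.');
        }
        $_SESSION['admin_2fa_ok'] = true;
    }
}
```

The whitelist layer is only as good as REMOTE_ADDR. On a shared host that fronts sites with a proxy or load balancer, REMOTE_ADDR is the proxy's address, the whitelist then matches everyone or no one, and fixing that means configuring a trusted-proxy header at the web server level, which a shared-hosting customer usually cannot do. That is the practical reason Arantor gives for not shipping IP binding as a default. The TOTP layer has no such dependency, but it does need the secret stored server-side where a compromised admin password alone does not expose it, and the same consideration applies to the session flag: it should be cleared on logout and on password change.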

runic

  • To be or not to be that is the question ....
  • Posts: 54
Re: SM.org compromised
« Reply #44, on August 5th, 2013, 06:25 AM »
I'm quite interested in the double layer system as well; it should be an interesting system. From my own aspect I am quite impressed with the speed that we managed to get everything out: from first being made aware to the site being sorted was 30 - 45 mins. It took longer to get the message out as we wanted all the information we could, and there are a lot of log files to go through as you can imagine. Liroy did amazingly to get everything sorted, especially considering I woke him up from a good sleep. And he spent countless hours with little sleep going through the logs.

Don't get me wrong, it was a massive embarrassment, such a noob mistake for any admin or site, but we have learnt our lesson and have taken steps to prevent it, and as you read, quite large ones: admins have come to an agreement on changing passwords on a regular basis, and I believe a policy will be getting put forward by the BoD; what that covers we shall see :)