Webmastersite.net

Security breach in 6+ month old versions

eharris
Member

Usergroup: Customer
Joined: Dec 15, 2005

Total Topics: 8
Total Comments: 21
Posted Aug 30, 2006 - 9:31 AM:

I have already sent some emails to Paul yesterday, 8/29, but have not yet received a reply so I thought I should share this. In a former post made by Paul he states that there was a security issue in version 3.3.2 and earlier versions that had been addressed, so the issue MAY be fixed. The problem is that I don't know whether this is the same security issue as the one fixed, or a new one that may exist in the latest version as well. I have currently upgraded to the latest version, 3.4.2, but for all I know the bug could still exist and I am possibly foolish to be using it until I hear from Paul. Basically, through a security hole in WSN Links, a hacker was able to log onto the server of my web hosting provider and damage every account on their server. That's why I say this is serious. I am pasting below a copy of an email I received from my web hosting company that contains some details:


ATTACHED IS A COPY OF THE DETAILS. FOR SOME REASON IT WOULD NOT GO INTO THE POST.


Again, perhaps this is the security issue that was already repaired. The problem is it may not be and I have not yet heard from Paul. The problem is now that they have targeted WSN Links you can be sure that if the issue is not resolved they will not only do it again, but will probably find this forum and learn where other copies of WSN Links are to attack. Could be a big problem. Apparently, this is an organization of hackers that have weekly competitions to see who can hack the most sites. Really sucks. But they share what they have learned. I am told they are based at a web site that is: http://www.zone-h.org.


And check out this: http://www.zone-h.org/component/option,com_topatt... These guys are hacking hundreds of sites and even have a top list. Hope this post is not a waste of everyone's time. Best, Ed

eeyipes
Member

Usergroup: Customer
Joined: Nov 12, 2004

Total Topics: 9
Total Comments: 20
Posted Aug 30, 2006 - 10:01 AM:

I've also been hacked by that organization, just this week in fact. I'm also running an older version. Fortunately they only aimed at defacing my main page for the prestige of it and I caught it right away and had things fixed up in about an hour.

I would also be interested if the security updates address these issues. Updating my WSN Links is on the top of my list of things to do this weekend.

Often if you're hacked it's your own fault for not keeping updated on your software. I really only have myself to blame.

The day after the hack I had Acunetix run one of their free vulnerability scans. While the free report does not give you the complete details (you need to purchase the software for that) it was interesting - it found numerous SQL injection and some cross site scripting vulnerabilities. It should be noted that I'm also integrated with PHPBB, so whether those are related to WSN Links or the forum side I'm still not certain of. My PHPBB is up to date.

Are you also integrated with outside forum software?
scriptwiki
Member

Usergroup: Customer
Joined: Aug 04, 2005

Total Topics: 11
Total Comments: 47
Posted Aug 30, 2006 - 11:26 AM:

I have been hacked, too. The reason it happened to me was because I had my directories chmod to 777. You need to make them 755 if you want to avoid being hacked again. For some reason Paul says in the manual to have them at 777, that is a huge risk.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Posted Aug 30, 2006 - 1:02 PM:

eharris wrote:
I have already sent some emails to Paul yesterday, 8/29, but have not yet received a reply


I certainly did reply to your email, at 8:05 AM on the 29th, so you must be filtering me. Check your email filters.

If you refuse to update to 19 new maintenance releases over the course of a year, even 6 months after I sent an email to all customers stating that using old versions is painting a giant target on yourself, you're begging to be hacked. The only reason people manage to last so many months with old versions is the relative difficulty of identifying unbranded WSN-powered sites, but obscurity is not security.

Most hackers are lazy: they find security holes by reading the security updates I put out. They read that I say a certain version had a problem, they run a quick diff to see what changed since that version, and simply read the exploit from that and put it into action. Any 8 year old can do it. If you don't care enough about your site to keep up with security updates as well as the hackers do then your site is basically auto-gifted to the new owner who wants it more, that's just how the internet works.

Although 3.3.8 fixed the main issue through which many sites are known to have been hacked (95% of them being hacked after the fix was released), which was the admindir url override you can see in the attachment, note that http://www.wsnlinks.com mentions a security update in 3.3.21 as well (though I've yet to see a version later than 3.3.7 that has been hacked).

scriptwiki wrote:
The reason it happened to me was because I had my directories chmod to 777. You need to make them 755 if you want to avoid being hacked again. For some reason Paul says in the manual to have them at 777, that is a huge risk.


No, everyone should please ignore this advice. 777 does allow easier and more vigorous exploiting once you've already been hacked but is not a risk if you stay up to date, and using 755 will prevent attachments etc from working properly (on most servers).

If 755 is your security model, you may still be getting hacked, but in less obvious ways that you don't notice (for example, a template could be modified), and have given yourself a false sense of security so that you're not doing the thing (staying up to date) which would keep you safe.


Anyhow, as more and more people get stuck further in the past I've been thinking about this lately. What could I do that would encourage people to stay up to date? I'd consider an autoupdate, but since CPanel's autoupdate keeps killing my server I gather those aren't so great.
scriptwiki
Member

Usergroup: Customer
Joined: Aug 04, 2005

Total Topics: 11
Total Comments: 47
Posted Sep 01, 2006 - 10:39 AM:

Paul wrote:
No, everyone should please ignore this advice. 777 does allow easier and more vigorous exploiting once you've already been hacked but is not a risk if you stay up to date, and using 755 will prevent attachments etc from working properly (on most servers).


I was running 3.3.22 or 3.3.21 at the time on Tidget.com. It happened a few weeks ago. I found the hacker in my referral log. www.zone-h.org/component/op...,43/filter_ip,72.29.76.231

They got into the admin directory and made an index.htm, that's about it. How do you suppose they got in then? If they had figured out my password, they would have done a whole lot more than that. I talked with my host and they said having a directory 777 is asking for trouble. Can’t you use a phpshell to upload into an open directory like one set to 777?
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Posted Sep 02, 2006 - 12:34 PM:

You're sure about that, and you're not confusing your sites? http://scriptwiki.org/?checkversion=docheck shows you're still using a known to be flawed version on scriptwiki, and scriptwiki is the site which shows up on the hacked list at the link you have there.

If it's a shared host which isn't in safe mode they could've gotten in by hacking someone else on the same server -- but it's not a good idea to use hosts that aren't smart enough to use safe mode for what it's intended for.

scriptwiki wrote:
Can’t you use a phpshell to upload into an open directory like one set to 777?

Yes, exactly -- and to have a phpshell, you have to have already hacked the server. Only by injecting arbitrary code into a file somehow (such as the method in the opening post of this thread) can you get a phpshell -- and once you do have one, if you can't upload files you can still read any file you want (such as your config.php, to get your database info) and write to any 666 files (such as, presumably, all your templates and language). Frankly it's almost better to let them upload something, because then at least there's something obvious to notice to be able to tell that you've been hacked.

scriptwiki wrote:
I talked with my host and they said having a directory 777 is asking for trouble.

Perhaps the host finds it easier to tell you that you shouldn't do anything with your site, rather than securing their server. Many people do need to use attachments and the like.
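The two things argued over in the posts above (whether 777 directories and 666 templates are a risk, and how a dropped admin/index.htm or a silently edited template gets noticed at all) can both be checked mechanically. The script below is an added example, not code from this thread or from WSN Links; it assumes POSIX sh with find, sort, cmp, diff and GNU sha256sum, and that the baseline file is kept outside the web root.

```shell
#!/bin/sh
# Added example (not from the thread or from WSN Links): audit a web root for
# world-writable paths (777 directories, 666 files such as templates) and for
# files that were added, removed or modified since a known-good baseline.
# Assumes POSIX sh plus find, sort, cmp, diff and GNU sha256sum.

# List every directory or regular file under $1 whose "other write" bit is set
# (mode -002, i.e. 777 directories and 666 files), one path per line, sorted.
find_world_writable() {
    find "$1" -perm -002 \( -type d -o -type f \) 2>/dev/null | LC_ALL=C sort
}

# Emit "sha256  path" for every regular file under $1, sorted by path so two
# runs over an unchanged tree produce byte-identical output.
hash_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# Save the current hashes of web root $1 to baseline file $2. Keep $2 outside
# the web root: anyone who can write files there could rewrite the baseline too.
make_baseline() {
    hash_tree "$1" > "$2"
}

# Compare web root $1 against baseline $2. Prints one line per added, removed
# or modified file. Returns 0 when nothing differs, 1 when something does.
check_baseline() {
    tmp=$(mktemp) || return 2
    hash_tree "$1" > "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    # diff lines starting with "<" exist only in the baseline (removed file or
    # old hash); lines starting with ">" only in the current tree (added file
    # or new hash). A modified file therefore shows up as one of each.
    diff "$2" "$tmp" | grep '^[<>]' \
        | sed 's/^< /baseline only: /; s/^> /current only:  /'
    rm -f "$tmp"
    return 1
}

# Usage when run directly:  sh audit.sh /path/to/webroot /path/outside/baseline
# The first run writes the baseline; later runs report drift and list
# world-writable paths so you can decide which ones really need to be open.
if [ "$#" -eq 2 ]; then
    echo "== world-writable paths under $1 =="
    find_world_writable "$1"
    if [ -f "$2" ]; then
        echo "== changes since baseline $2 =="
        check_baseline "$1" "$2"
    else
        make_baseline "$1" "$2" && echo "baseline written to $2"
    fi
fi
```

Run it from cron after each legitimate upgrade has been re-baselined; an unexpected "current only:" line under admin/ or templates/ is exactly the quiet modification Paul describes.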
peumus
Forum Regular

Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile

Total Topics: 172
Total Comments: 462
Posted Sep 02, 2006 - 2:36 PM:

Paul,
Would it be worth having, in readme.html, a recommendation to move the configuration file to a non-publicly-accessible directory and to modify the reference to it in the corresponding file...
Also, wouldn't it be worth including index.html files inside all subdirectories?
zippo
Forum Regular

Usergroup: Customer
Joined: Jan 11, 2006

Total Topics: 48
Total Comments: 166
Posted Sep 02, 2006 - 6:11 PM:

Paul wrote:
Anyhow, as more and more people get stuck further in the past I've been thinking about this lately. What could I do that would encourage people to stay up to date?
While I can see the concern, it's a waste of energy in my opinion. Beyond providing the information it's really up to me/anyone else what to do with it.
Paul wrote:
Perhaps the admin panel could phone home, and refuse to let the administrator continue using a known-to-be-compromised version until they update?
That's the kind of 'phone home' that gives a bad name to the practice.
Paul wrote:
The problem there is that people don't like scripts phoning home or locking them out, but I suppose it's better to get a bad reputation for that than to get it for security.
I couldn't care less if the 'phone home' was to simply tell me of a new version and maybe a little blurb about it, just as long as it doesn't somehow freeze or otherwise cause trouble if your server can't be reached.

If a bad rep for having vulnerabilities is what you're trying to avoid that's admirable and expected. However not much can be done about it with the thousands of unique configurations, human error, etc -- If your script gets targeted, or a machine with your script on it, you can receive some criticism since it (machine or script) can and will be hacked. Period.

Kind of like the saying with spam (If you don't want it, stay off the internet).. Plugging the holes as they are found is fair practice and people are generally aware that is common practice and we don't live in a utopia.

I run links 3.3.14 on two sites, no issues so far I am aware of. I've been busy with other things and face it, upgrading can be very time consuming with even moderate customizations. I know that I'd be really upset if I found my site was 'locked' since whenever because I am apparently running a vulnerable version. Do what you wish but I will cease to run the script(s) if you gain the ability to shut down my site as you've described.

Anyhow, enough rant on that. So when will the 'fix' propagate into WSN Forum? Nothing new with it since 5/3/2006 so presumably it's adopted whatever plagues Links?

Frankly it'd be nice if that product got some attention one day. I realize it's not the flagship product but I like it and feel there is still much potential with it.

My one forum is gaining momentum slowly and it's more of a website make or break situation than my links repository. If something were to cause the loss of all forum content, which users often pour much effort into, users may simply migrate elsewhere.
scriptwiki
Member

Usergroup: Customer
Joined: Aug 04, 2005

Total Topics: 11
Total Comments: 47
Posted Sep 03, 2006 - 6:29 PM:

Paul wrote:
You're sure about that, and you're not confusing your sites? http://scriptwiki.org/?checkversion=docheck shows you're still using a known to be flawed version on scriptwiki, and scriptwiki is the site which shows up on the hacked list at the link you have there.

I haven't updated SW in a while, I didn't care if that got messed up. It was Tidget.com I was worried about, and that always has the latest version.

Paul wrote:
Perhaps the host finds it easier to tell you that you shouldn't do anything with your site, rather than securing their server. Many people do need to use attachments and the like.

I don't doubt what you're saying, cheaper hosts do tend to have more problems. I'll ask them about it again and see what they say. But all the attacker did was upload a file to my /admin directory. If they did have access to all my files using a PHP shell, how come they didn't mess up more since you say they could have gotten the config file information?
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Posted Sep 04, 2006 - 10:59 PM:

zippo wrote:
face it, upgrading can be very time consuming with even moderate customizations.


That's the sort of thing I want to change. What is it that makes upgrades (within a series, where there are no significant non-admin template changes) time consuming?

zippo wrote:
So when will the 'fix' propagate into WSN Forum? Nothing new with it since 5/3/2006 so presumably it's adopted whatever plagues Links?

WSN Forum Pro is already fixed. WSN Forum free has the 3.3.8 fix but not the 3.3.21 fix... if you have the free version, delete setup.php and you'll be safe. I'll fix it in a minute.

zippo wrote:
Frankly it'd be nice if that product got some attention one day. I realize it's not the flagship product but I like it and feel there is still much potential with it.

Since it's bringing me an average of $40/month revenue and vBulletin, invision and phpBB are rather hard to draw anyone away from, I'd expect updates to WSN Forum to fall into two categories: (1) Ports of WSN Links code (2) Things I want for my own forums.

peumus wrote:
Paul, Would it be worth having, in readme.html, a recommendation to move the configuration file to a non-publicly-accessible directory and to modify the reference to it in the corresponding file...


In 3.x it doesn't really make much difference that I can see (it could be more worthwhile in 4.x since FTP connection info will be stored in config.php). MySQL servers typically only allow connections from localhost anyhow, so having your MySQL info stolen allows hacking only by people who've already hacked into your filesystem, I believe -- and if they're in the filesystem they can always write a quick file that uses WSN Links itself to alter the database without direct access to config.php.

peumus wrote:
Also wouldn't it be worth to include index.html files inside all subdirectories ?

What would the point of that be? The one in attachments has nothing to do with security, it's to enforce usergroup permissions on attachment downloads.

scriptwiki wrote:
how come they didn't mess up more since you say they could have gotten the config file information?


Hackers don't generally go for maximum damage to a site, they just want to deface as many sites as possible. Finding and using all your info would've taken time they didn't care to spend.

If there was no defacement -- as was the case when I was hacked at the beginning of the year (leading to the original bug fix) -- then they're probably just keeping access in case they want to host illegal materials on your space in the future.

Also, there's a simple pre-made hacking script for uploading the php shell. Some attackers may simply not know or care to learn how to do more, or may plan to come back for that later.

scriptwiki wrote:
It was Tidget.com I was worried about, and that always has the latest version.


Then I need information on the vector of attack. I don't see how the admindir method would work in 3.3.21+. Did you or your host determine what URL they used for the attack?
zippo
Forum Regular

Usergroup: Customer
Joined: Jan 11, 2006

Total Topics: 48
Total Comments: 166
Posted Sep 06, 2006 - 11:29 PM:

zippo wrote:
face it, upgrading can be very time consuming with even moderate customizations.
Paul wrote:
That's the sort of thing I want to change. What is it that makes upgrades (within a series, where there are no significant non-admin template changes) time consuming?
I'll detail my next upgrade and see if I can shed some light on the spots that I always have to comb through and modify after an upgrade. I have a list that grows some every now and then. I think somewhere from one version to another I had to expand the list of things to modify post-upgrade.
zippo wrote:
So when will the 'fix' propagate into WSN Forum? Nothing new with it since 5/3/2006 so presumably it's adopted whatever plagues Links?
paul wrote:
WSN Forum Pro is already fixed. WSN Forum free has the 3.3.8 fix but not the 3.3.21 fix... if you have the free version, delete setup.php and you'll be safe. I'll fix it in a minute.
I have the Pro but also a free version I think in some obscure directory that I test on from time to time.
zippo wrote:
Frankly it'd be nice if that product got some attention one day. I realize it's not the flagship product but I like it and feel there is still much potential with it.
paul wrote:
Since it's bringing me an average of $40/month revenue and vBulletin, invision and phpBB are rather hard to draw anyone away from, I'd expect updates to WSN Forum to fall into two categories: (1) Ports of WSN Links code (2) Things I want for my own forums.
Understood. It wasn't exactly my understanding that WSNF was a hot product but nor did I suspect it was lagging. I can understand the attention commiserating with the sales but at the same time SMF hasn't gotten where it's at by being stagnant and unresponsive to their audience -- it's not so popular only because it's free.

There are probably many people who don't know they would love WSNF given a chance. It's nice looking, works pretty well, is fast and has a lot of functionality all without requiring top tier hosting or bloat to operate.

Like your WSNF motivation, cash in can make a difference. Something like shareasale with a minimal % or couple dollar commission could get people to put buttons/banners for WSNF around with the possibility of making an easy buck or two.

I'd love to promote it and help sales but I am not a very savvy admin for my dedicated server and the obscurity the pro licenses allowed was meaningful to me, thus promoting it via itself isn't happening on my site. Frankly there would be an ever-so-slight chance any of my target audiences would want to host a website, let alone monkey around with their own forum.
peumus
Forum Regular

Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile

Total Topics: 172
Total Comments: 462
Posted Sep 07, 2006 - 5:22 AM:

zippo wrote:
There are probably many people who don't know they would love WSNF given a chance. It's nice looking, works pretty well, is fast and has a lot of functionality all without requiring top tier hosting or bloat to operate.

Paul, Just to comment that I believe you should not emphasize the "Reasons not to use WSN Forum" as you have on the features list. I would just not mention it.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Posted Sep 08, 2006 - 2:48 AM:

zippo wrote:
SMF hasn't gotten where it's at by being stagnent and unresponsive to their audience -- it's not so popular only because it's free.


I really like SMF, it's my favorite forum to use as a poster (it's not as new as it may seem though, I believe it split from YaBB). Fact is, I can't take a year off from everything else to try to beat SMF and vBulletin at everything they're best at on the off chance that it'll pay off. I believe WSN Forum does have a niche, it offers some superior customization options, but most people are probably better off using SMF or vB -- not least because they're prettier.

The WSN Links 4 features should improve Forum a bit too.

zippo wrote:
Like your WSNF motivation, cash in can make a difference. Something like shareasale with a minimal % or couple dollar commission could get people to put buttons/banners for WSNF around with the possibility of making an easy buck or two.

The WSN Links affiliate program didn't go well, so a WSN Forum one is sure to go far worse. I will make another marketing push for Forum at some point (including a site redesign like the WSN Links one) -- but for now it's on the back burner.

peumus wrote:
Paul, Just to comment that I believe you should not emphasize on the "Reasons not to use WSN Forum" as you have on the features list.


Perhaps, but there's no sense in wasting time on support issues and refunds for people who misunderstand it.
mrowton
Forum Regular

Usergroup: Customer
Joined: Feb 19, 2004
Location: Michigan

Total Topics: 57
Total Comments: 185
Posted Sep 08, 2006 - 4:33 AM:

"Paul, Just to comment that I believe you should not emphasize on the "Reasons not to use WSN Forum" as you have on the features list."

I loved it. Everything has Pros and Cons, seems refreshing that the author would admit this and help you make an educated decision.
peumus
Forum Regular

Usergroup: Customer
Joined: Aug 09, 2004
Location: Chile

Total Topics: 172
Total Comments: 462
Posted Sep 09, 2006 - 5:46 AM:

"Paul, Just to comment that I believe you should not emphasize on the "Reasons not to use WSN Forum" as you have on the features list."

I loved it. Everything has Pros and Cons, seems refreshing that the author would admit this and help you make an educated decision.

Hello mrowton,

I also like the idea of presenting: 'Reasons not to use',
But I also believe it would be better not to run any risk of people misinterpreting these reasons and getting afraid of purchasing the script due to them.

If possible, let me be more detailed in my comment:

Reasons not to use WSN Forum

# You require telephone or IM-based support. These are not available here. -> I would add: Support is served via email and community forum and is highly responsive. Also a detailed manual is frequently updated. You can suggest new features to be added if considered to be useful for all users.

# You require customizations be done by the script author. While you are free to hire freelancers to do WSN Forum customizations for you, the script's author rarely takes on such projects due to time limitations. -> I understand the author is available for customizations for a fee. Am I wrong?

# You want the fastest possible forum. Due to the features and the extensibility-oriented design, WSN Forum is not the fastest around. It is, however, very scalable -- as the database size increases the load times stay fairly stable. -> Speed can be improved in the near future as part of the normal process of development; maybe the use of a cache (as vBulletin uses) can improve this. Also zippo has commented that he finds the forum fast, so I believe it's not necessary to remark on the negative side of this. Also I believe it's not necessary to make a comparison. I would delete this point as this can be improved in the future as a normal process of upgrade and implementation of users' suggestions/optimizations for this.

# You're looking for a GPL or BSD-style license to redistribute altered versions of the forum. While you're welcome to make a proposal for developing your own altered script based on WSN Forum Pro source code and selling it in exchange for a split of the revenue, WSN Forum is not open source so you must work out a deal with the author. -> I would maintain this.