Acmlm's Board - I2 Archive - Acmlmboard support? - members become admins | | | |
mikeo (Tektite) Level: 12 Posts: 47/56 EXP: 6795 For next: 1126 Since: 02-12-05 Since last post: 210 days Last activity: 117 days

On my board, members are suddenly becoming admins. How do they do that? I want to stop them doing it, but I first need to know how they do it.

Cellar Dweller (Flurry !!!) Level: 27 Posts: 207/269 EXP: 107817 For next: 8342 Since: 03-15-04 From: Arkansas Since last post: 16 days Last activity: 34 min.

They are using SQL injection. It is possible for users to send pieces of SQL queries when AcmlmBoard is expecting numeric data. If the incoming data is not validated, the user can change the SQL queries that use the data. I suggest using is_numeric().

mikeo (Tektite) Level: 12 Posts: 48/56 EXP: 6795 For next: 1126 Since: 02-12-05 Since last post: 210 days Last activity: 117 days

So people have a file which makes them admin???

dan (Snap Dragon) Level: 43 Posts: 433/782 EXP: 534516 For next: 30530 Since: 03-15-04 Since last post: 20 hours Last activity: 14 hours

No, they know how to use exploits in the board software to become an admin. You'll need to find and patch those exploits.

windwaker (Ball and Chain Trooper) WHY ALL THE MAYONNAISE HATE Level: 61 Posts: 1175/1797 EXP: 1860597 For next: 15999 Since: 03-15-04 Since last post: 4 days Last activity: 6 days

Also, it might not be best to discuss the exact way one can fix/exploit a board in public.

dan (Snap Dragon) Level: 43 Posts: 434/782 EXP: 534516 For next: 30530 Since: 03-15-04 Since last post: 20 hours Last activity: 14 hours

Why wouldn't it be a good thing to discuss in public? Sure, you'll get people using exploits on unprotected boards, but doesn't that happen already? If people discussed the exploits in public and provided fixes to the exploits, people who know squat about security in PHP (i.e. the vast majority of people running Acmlm Boards) could fix the vulnerabilities, and there would be less of this shit happening.

Dekker Avesque (Goomba) Level: 10 Posts: 14/32 EXP: 3754 For next: 660 Since: 08-29-04 Since last post: 190 days Last activity: 13 days

Ok... Because this seems to be a problem on multiple acmlm boards and I've seen no publicly released patch... I have made one.

```php
// Dekk's SQL Injection Patch (editprofile.php)
// Reject the request outright if $sex is not numeric, before it reaches any query.
if (!is_numeric($sex)) {
    print "$header $tblstart$tccell1>Invalid profile data. "
        . redirect("editprofile.php", 'go back to edit profile', 0) . $tblend;
    exit;
}
```

```php
// Dekk's SQL Injection Patch (function.php)
// Only run the login lookup when $loguserid is numeric; otherwise clear it so
// no user is treated as logged in.
if (is_numeric($loguserid)) {
    $logusers = mysql_query("SELECT * FROM users WHERE id=$loguserid AND password='$logpwenc'");
} else {
    $loguserid = NULL;
}
```

For editprofile.php and function.php. It works on 1.92 as well as Erk+1.9. If you want copies of the actual updated files rather than source to insert, then e-mail, IM, or PM me.

mikeo (Tektite) Level: 12 Posts: 50/56 EXP: 6795 For next: 1126 Since: 02-12-05 Since last post: 210 days Last activity: 117 days

Thanks dude

Apophis (Red Super Koopa) Level: 45 Posts: 359/882 EXP: 640255 For next: 19909 Since: 03-15-04 Since last post: 15 hours Last activity: 15 hours

Originally posted by dan

Because now people know exactly how it's being fixed and can figure out ways around it.

dan (Snap Dragon) Level: 43 Posts: 452/782 EXP: 534516 For next: 30530 Since: 03-15-04 Since last post: 20 hours Last activity: 14 hours

Yes, well it's hardly ideal, but it's better than the present situation, where someone sets up a board, everyone knows how to exploit holes, but the person running it has no idea how to fix it. It's hardly doing Acmlmboard's reputation any good if it has many vulnerabilities that virtually everyone knows how to exploit. Security through obscurity is no security at all.

DarkSlaya (POOOOOOOOOOOORN!) Level: 88 Posts: 3462/4249 EXP: 6409254 For next: 241410 Since: 05-16-04 From: Montreal, Quebec, Canada Since last post: 8 hours Last activity: 5 hours

Why would it be bad to say what is wrong? Heck, even PHP.net says it (under SQL injection).

Edit: Also, what Dekk posted doesn't fix it all. You can pretty much do it with everything that expects numbers...

(edited by DarkSlaya on 02-23-05 04:11 PM)

Gavin (Fuzzy) Rhinoceruses don't play games. They fucking charge your ass. Level: 43 Posts: 507/799 EXP: 551711 For next: 13335 Since: 03-15-04 From: IL, USA Since last post: 13 hours Last activity: 13 hours

Originally posted by dan

A good summarization; let me select a paragraph to quote: Wikipedia

Dekker Avesque (Goomba) Level: 10 Posts: 15/32 EXP: 3754 For next: 660 Since: 08-29-04 Since last post: 190 days Last activity: 13 days

Originally posted by DarkSlaya

This is true... But that code can be applied to pretty much everything that expects numbers. Just use the first block (below) and change the variable.

```php
// Dekk's SQL Injection Patch
// Same check as the editprofile.php block: replace $variable with whichever
// input the page expects to be numeric.
if (!is_numeric($variable)) {
    print "$header $tblstart$tccell1>Invalid profile data. "
        . redirect("editprofile.php", 'go back to edit profile', 0) . $tblend;
    exit;
}
```

Narf (Hi Tuvai! (reregistering while banned)) Level: 16 Posts: 55/100 EXP: 17634 For next: 2622 Since: 12-26-04 Since last post: 22 hours Last activity: 14 hours

As a programmer, when working with scripts that feed themselves on user input, you should make sure all kinds of bad user input is filtered or prevented, and that's what AcmlmBoards majorly lack. Yeah, making sure $id will be NULL when it's not numerical does help, but just for $id. There's a shitload of variables to secure. Not to forget, I sense a major lack of superglobals in the AcmlmBoard source. Bad. Very bad.
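The thread's three threads of advice, Dekker's per-variable is_numeric() check, DarkSlaya's point that every input expected to be numeric needs the same treatment, and Narf's point about reading input through superglobals, fit together in one pattern. The following is an added example written for this archive page; it is not AcmlmBoard code and not Dekker's patch. It assumes PHP 7.1+ with the pdo_sqlite driver so it runs offline; the users table, its two rows and the request array are constructed here, and the column names are assumed, not taken from the board.

```php
<?php
// Added example (not AcmlmBoard code). Contrasts the interpolated-numeric-id
// query pattern the thread describes with a hardened form that validates every
// integer parameter in one place and binds values with prepared statements.

// Constructed stand-in for the board's users table (column names assumed).
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, powerlevel INTEGER)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-pw', 3)");
    $db->exec("INSERT INTO users VALUES (2, 'mikeo', 'hash-of-mikeo-pw', 0)");
    return $db;
}

// Vulnerable shape (the pattern the thread is about): request values are
// interpolated straight into the statement text, so whatever the client sent
// becomes part of the SQL. Shown for contrast only; not called below.
function lookup_unsafe(PDO $db, string $loguserid, string $logpwenc): ?array {
    $row = $db->query("SELECT * FROM users WHERE id=$loguserid AND password='$logpwenc'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form, part 1: a single validator for every parameter that must be a
// non-negative integer, instead of one copy of the is_numeric() block per
// variable. It is stricter than is_numeric(), which also accepts forms such as
// "1e3", " 7" and "+7" that are not plain integers.
function require_int(array $source, string $key): ?int {
    if (!isset($source[$key])) {
        return null;
    }
    $v = (string)$source[$key];
    return preg_match('/^(0|[1-9][0-9]{0,9})$/', $v) ? (int)$v : null;
}

// Validate the whole list of expected-integer inputs up front, so a bad value
// in any of them stops the request before any SQL is built.
function require_ints(array $source, array $keys): array {
    $out = [];
    foreach ($keys as $k) {
        $v = require_int($source, $k);
        if ($v === null) {
            throw new InvalidArgumentException("Invalid profile data: $k must be an integer");
        }
        $out[$k] = $v;
    }
    return $out;
}

// Hardened form, part 2: values are bound, never concatenated, so the database
// receives the statement shape and the data separately. The integer type hint
// means a non-integer id cannot even reach this function.
function lookup_safe(PDO $db, int $loguserid, string $logpwenc): ?array {
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id AND password = :pw');
    $stmt->execute([':id' => $loguserid, ':pw' => $logpwenc]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = make_db();

// Constructed request, standing in for $_GET / $_POST / $_COOKIE read through
// superglobals. The last value is the kind of "piece of a query" the thread
// refers to and must be rejected.
$badRequest = ['id' => '2', 'sex' => '1', 'powerlevel' => '2 OR 1=1'];
try {
    require_ints($badRequest, ['id', 'sex', 'powerlevel']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // Invalid profile data: powerlevel must be an integer
}

// A well-formed request passes validation and the bound query behaves normally.
$ints = require_ints(['id' => '2', 'sex' => '1'], ['id', 'sex']);
$user = lookup_safe($db, $ints['id'], 'hash-of-mikeo-pw');
echo $user['name'], "\n";                                          // mikeo
var_dump(lookup_safe($db, $ints['id'], 'not-the-password'));        // NULL
```

The design point is that the validation list, not the query code, becomes the place to audit: every numeric input the board reads gets named once in the `require_ints()` call for that page, which is the generalisation DarkSlaya asked for, and the prepared statement removes the concatenation that made the numeric check load-bearing in the first place.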