Register | Login
Views: 19364387
 Main | Memberlist | Active users | ACS | Commons | Calendar | Online users
Ranks | FAQ | Color Chart | Photo album | IRC Chat 		11-02-05 12:59 PM
0 user currently in Acmlmboard support?.
Acmlm's Board - I2 Archive - Acmlmboard support? - members become admins | |
Add to favorites | "RSS" Feed | Next newer thread | Next older thread
User Post
mikeo

Tektite
Level: 12

Posts: 47/56
EXP: 6795
For next: 1126

Since: 02-12-05

Since last post: 210 days
Last activity: 117 days
Posted on 02-18-05 12:18 PM Link | Quote
On my board, members suddenly are admins.. How do they do that?

I want to stop them doing it but i first need to know how they do it.
Cellar Dweller

Flurry
!!!
Level: 27

Posts: 207/269
EXP: 107817
For next: 8342

Since: 03-15-04
From: Arkansas

Since last post: 16 days
Last activity: 34 min.
Posted on 02-18-05 01:06 PM Link | Quote
They are using SQL injection.

It is possible for users to send pieces of SQL queries when AcmlmBoard is expecting numeric data. If the incoming data is not validated, the user can change the SQL query(s) that use the data.

I suggest using is_numeric();
mikeo

Tektite
Level: 12

Posts: 48/56
EXP: 6795
For next: 1126

Since: 02-12-05

Since last post: 210 days
Last activity: 117 days
Posted on 02-18-05 07:19 PM Link | Quote
So ppl have a file witch makes them admin???
dan

Snap Dragon
Level: 43

Posts: 433/782
EXP: 534516
For next: 30530

Since: 03-15-04

Since last post: 20 hours
Last activity: 14 hours
Posted on 02-18-05 08:46 PM Link | Quote
No, they know how to use exploits in the board software to become an admin. You'll need to find and patch those exploits.
windwaker

Ball and Chain Trooper
WHY ALL THE MAYONNAISE HATE
Level: 61

Posts: 1175/1797
EXP: 1860597
For next: 15999

Since: 03-15-04

Since last post: 4 days
Last activity: 6 days
Posted on 02-19-05 08:24 AM Link | Quote
Also; might not best to discuss hte exact way one can fix/exploit a board in public.
dan

Snap Dragon
Level: 43

Posts: 434/782
EXP: 534516
For next: 30530

Since: 03-15-04

Since last post: 20 hours
Last activity: 14 hours
Posted on 02-20-05 12:54 AM Link | Quote
Why wouldn't it be a good thing to discuss in public? Sure, you'll get people using exploits on unprotected boards, but doesn't that happen already? If people discussed the exploits in public, and provided fixes to the exploits, people who know squat about security in PHP (i.e. the vast majority of people running Acmlm Boards ), could fix the vulnerabilities, and there would be less of this shit happening.
Dekker Avesque

Goomba
Level: 10

Posts: 14/32
EXP: 3754
For next: 660

Since: 08-29-04

Since last post: 190 days
Last activity: 13 days
Posted on 02-23-05 09:39 AM Link | Quote
Ok... Because this seems to be a problem on multiple acmlm boards and I've seen no publicly released patch... I have made one.

// Dekk's SQL Injection Patch
if (is_numeric($sex));
else {
print "$header
$tblstart$tccell1>Invalid profile data.
".redirect("editprofile.php",'go back to edit profile',0).$tblend;
exit;
}


// Dekk's SQL Injection Patch
if (is_numeric($loguserid)) $logusers=mysql_query("SELECT * FROM users WHERE id=$loguserid AND password='$logpwenc'");
else $loguserid=NULL;

For editprofile.php and function.php. It works on 1.92 as well as Erk+1.9.

If you want copies of the actual updated files rather than source to insert, than e-mail, IM, or PM me.
mikeo

Tektite
Level: 12

Posts: 50/56
EXP: 6795
For next: 1126

Since: 02-12-05

Since last post: 210 days
Last activity: 117 days
Posted on 02-23-05 09:32 PM Link | Quote
Thnx dude
Apophis

Red Super Koopa
Level: 45

Posts: 359/882
EXP: 640255
For next: 19909

Since: 03-15-04

Since last post: 15 hours
Last activity: 15 hours
Posted on 02-23-05 09:43 PM Link | Quote
Originally posted by dan
Why wouldn't it be a good thing to discuss in public? Sure, you'll get people using exploits on unprotected boards, but doesn't that happen already? If people discussed the exploits in public, and provided fixes to the exploits, people who know squat about security in PHP (i.e. the vast majority of people running Acmlm Boards ), could fix the vulnerabilities, and there would be less of this shit happening.


Because now people know exactly how its being fixed and can figure out ways around it.
dan

Snap Dragon
Level: 43

Posts: 452/782
EXP: 534516
For next: 30530

Since: 03-15-04

Since last post: 20 hours
Last activity: 14 hours
Posted on 02-23-05 10:43 PM Link | Quote
Yes, well it's hardly ideal, but it's better than the present situation, where someone sets up a board, everyone knows how to exploit holes, but the person running it has no idea how to fix it. It's hardly doing Acmlmboard's reputation any good, if it has many vulnerabilities that virtually everyone knows how to exploit.

Security through obscurity is no security at all.
DarkSlaya
POOOOOOOOOOOORN!
Level: 88

Posts: 3462/4249
EXP: 6409254
For next: 241410

Since: 05-16-04
From: Montreal, Quebec, Canada

Since last post: 8 hours
Last activity: 5 hours
Posted on 02-24-05 01:09 AM Link | Quote
Why would it be bad to say what is wrong? Heck, even PHP.net says it (under SQL injection).

Edit: Also, what Dekk posted doesn't fix it all. You can pretty much do it with everything that expects numbers...

(edited by DarkSlaya on 02-23-05 04:11 PM)
Gavin

Fuzzy
Rhinoceruses don't play games. They fucking charge your ass.
Level: 43

Posts: 507/799
EXP: 551711
For next: 13335

Since: 03-15-04
From: IL, USA

Since last post: 13 hours
Last activity: 13 hours
Posted on 02-24-05 06:07 AM Link | Quote
Originally posted by dan
Security through obscurity is no security at all.


a good summarization, let me select a paragraph to quote:

Wikipedia
Often, such designers or vendors, or executives thereat, actually believe they have ensured security by keeping the design of the system secret. It appears to be difficult for those who approach security in this way to have enough perspective to realise they are inviting trouble, sometimes very big trouble. Self delusion or ignorance are very difficult problems generally and have many, almost universally unfortunate, consequences.
Dekker Avesque

Goomba
Level: 10

Posts: 15/32
EXP: 3754
For next: 660

Since: 08-29-04

Since last post: 190 days
Last activity: 13 days
Posted on 02-24-05 09:28 AM Link | Quote
Originally posted by DarkSlaya
Why would it be bad to say what is wrong? Heck, even PHP.net says it (under SQL injection).

Edit: Also, what Dekk posted doesn't fix it all. You can pretty much do it with everything that expects numbers...


This is true... But that code can be applied to pretty much everything that expects numbers. Just use the first block (below) and change the variable.

// Dekk's SQL Injection Patch
if (is_numeric($variable));
else {
print "$header
$tblstart$tccell1>Invalid profile data.
".redirect("editprofile.php",'go back to edit profile',0).$tblend;
exit;
}
Narf
Hi Tuvai!
(reregistering while banned)
Level: 16

Posts: 55/100
EXP: 17634
For next: 2622

Since: 12-26-04

Since last post: 22 hours
Last activity: 14 hours
Posted on 02-24-05 05:23 PM Link | Quote
As a programmer, when working with scripts that feed themselves on user input, you should make sure all kinds of bad user input is filtered or prevented, and that's what AcmlmBoards majorly lack.

Yeah, making sure $id will be NULL when it's not numerical does help, but just for $id. There's a shitload of variables to secure. Not to forget, I sense a major lack of superglobals in the AcmlmBoard source. Bad. Very bad.
Add to favorites | "RSS" Feed | Next newer thread | Next older thread
Acmlm's Board - I2 Archive - Acmlmboard support? - members become admins | |


ABII


AcmlmBoard vl.ol (11-01-05)
© 2000-2005 Acmlm, Emuz, et al



Page rendered in 0.009 seconds.