Acmlm's Board - I2 Archive - Acmlmboard support? - Let's talk about exploits. OR "Please Jesper, can you fix my exploits?" | |
Jesper
Busy, busy, busy.
Posted on 03-05-05 10:17 PM
The last few months exploits have been (re-)discovered and used on this board and, primarily, on other, old or relatively new, AcmlmBoards. During this period, ||bass and I have been basically buried under "oh my fucking god, someone has admin and I didn't give him admin, plz help" requests.

The good news is that exploits have been fixed in this board version, and that we're planning to put out a new dist before March ends. The good news ends here.

To put it simply, AcmlmBoard was *not* designed to be safe from exploits. Not in the slightest. It has basic protection in some cases, but for the most part it's an open wound. By far, SQL injections are the most common tricks, so I'll be detailing here how to fix those.

Imagine a typical SQL query. SELECT * FROM table1 WHERE id=$id. Pretty basic. What if $id is "0; UPDATE table2 SET admin=1 WHERE id=insertmyidhere"? Not good. So what can one do to prevent this? Here's what you can do:

$id = intval($id); This uses the intval PHP function, which basically says "here's this variable, take whatever integer value - number without decimals - you can find, if any, return that value, and shove the rest of it". This protects you against these kinds of attacks.

Why aren't queries like the following affected? SELECT * FROM table1 WHERE name="$name". Because you have already run - or won't need to run, depending on server configuration - addslashes, another PHP function, on $name. What that does is escape every occurrence of " and \ so that content in $name can't 'break out' of the SQL query by containing something like "; UPDATE table2 SET admin=1 WHERE id=insertmyidhere; SELECT * FROM table1 WHERE " (the quotes are INCLUDED in the variable value). The quotes would be escaped to \", and conversely you couldn't even break the query by just entering \, which would be converted to \\.

If you have no idea what I just said through any of this - learn PHP, or get someone who knows to either help you or teach you enough PHP so you'll be able to fix things like this. If you're running or caring for an AcmlmBoard without knowing how to fix it, it's like flying a plane knowing how to steer but not much else. When that gas runs out (those exploits hit you) you're going to wish you knew a little more about flying a plane (use PHP).

I'll end on this note: I told you that a new distributable version of AcmlmBoard will be out before the end of March. However, listen closely. There are basically very few copies of AcmlmBoard in circulation that are untouched - that haven't been 'hacked' in one way or another, and I'll wager that that number is zero for those of us who read this forum.

You will need to leave your old AcmlmBoard setup, however magnificent, hacks and all, if you want the security that this new version will offer. Either that, or you'll need to close these exploits by yourself.

The fact is that I would have preferred a set of patches for closing the most common exploits. But things have moved around a lot in the latest versions and so we'd basically need different patches for different versions of AcmlmBoard, which are at least 1.65, 1.8, 1.9 beta and 1.92, and let's not even get into Acmlm+Erk. (We don't support any of the versions beyond doing it as a courtesy, but Acmlm+Erk is a dist built upon a lot of hacks, which makes it all the more painful to upgrade from or to and which we conversely support even less, if you can believe that.)

For those of you that remember which places you changed and what changes you did, I encourage you to make new threads in here with instructions on how to patch what on which version. Oh, and if you're going to patch it on your own? Trust me, you'll want to do this in *every file*, near *every SQL query*, with *everything featured in every SQL query*. Do it, or sit back, moan, and be hit by the exploits. It's not easy.

And I'd like it if you ran *here* instead of to me and ||bass regarding fixing exploits on your boards. I'll be spending most of my time regarding these things on working on the development board, and occasionally go in here and set things straight if need be - but I'll still accept reports of existing exploits via PM. ||bass won't be spending any time on this, because he's no longer on the development team.


(edited by Jesper on 03-05-05 01:24 PM)
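The two fixes the post describes, side by side with the vulnerable pattern, as an added example. This is not code from the post or from AcmlmBoard itself: it needs PHP 7 or later, touches no database (each build_* function returns the SQL text the board would have handed to mysql_query()), and the table names come from the post while the id 42 and the attacker inputs are constructed for the demonstration. The statement_count() helper is also added here, to make visible what each fix does to the query.

```php
<?php
// Added example, not code from the post or from AcmlmBoard. It shows the
// injection Jesper describes and the two fixes, without a database: each
// build_* function returns the SQL text the board would have passed to
// mysql_query(). Needs PHP 7 or later. table1/table2 are the post's names;
// the id 42 and the attacker inputs below are constructed for the demo.

// Vulnerable: the request value goes straight into the query.
function build_by_id_unsafe(string $id): string
{
    return "SELECT * FROM table1 WHERE id=$id";
}

// Fixed: intval() keeps the leading integer (0 for "0; UPDATE ..." and for
// junk like "abc") and throws the rest away.
function build_by_id_safe(string $id): string
{
    $id = intval($id);
    return "SELECT * FROM table1 WHERE id=$id";
}

// Vulnerable string parameter.
function build_by_name_unsafe(string $name): string
{
    return "SELECT * FROM table1 WHERE name=\"$name\"";
}

// Fixed: addslashes() backslash-escapes ' " \ and NUL, so the value cannot
// close the quoted literal it was placed in.
function build_by_name_safe(string $name): string
{
    $name = addslashes($name);
    return "SELECT * FROM table1 WHERE name=\"$name\"";
}

// Counts statements the way a MySQL-style parser would: a ';' inside a
// quoted literal (backslash escapes honoured) does not end a statement.
// It exists only to make the effect of each fix visible below.
function statement_count(string $sql): int
{
    $count = 1;
    $quote = null;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($quote !== null) {
            if ($c === '\\') {
                $i++;                     // skip the escaped character
            } elseif ($c === $quote) {
                $quote = null;
            }
        } elseif ($c === '"' || $c === "'") {
            $quote = $c;
        } elseif ($c === ';' && trim(substr($sql, $i + 1)) !== '') {
            $count++;
        }
    }
    return $count;
}

// Constructed attacker inputs: the two payloads from the post, plus a
// tautology that needs no second statement at all.
$stacked_id = '0; UPDATE table2 SET admin=1 WHERE id=42';
$taut_id    = '0 OR 1=1';
$evil_name  = '"; UPDATE table2 SET admin=1 WHERE id=42; SELECT * FROM table1 WHERE "';

foreach ([
    'id, unsafe'     => build_by_id_unsafe($stacked_id),
    'id, intval'     => build_by_id_safe($stacked_id),
    'id, unsafe'     => build_by_id_unsafe($taut_id),
    'id, intval'     => build_by_id_safe($taut_id),
    'name, unsafe'   => build_by_name_unsafe($evil_name),
    'name, slashes'  => build_by_name_safe($evil_name),
] as $label => $sql) {
    printf("%-15s %d statement(s): %s\n", $label, statement_count($sql), $sql);
}
```

Running it with `php` prints each query with the number of statements a quote-aware parser sees in it: the unsafe id query carries two statements and the unsafe name query three, while both fixed versions come out as a single statement with the payload either discarded (intval) or trapped inside the string literal (addslashes). Two caveats worth knowing when applying this to a board: PHP's old mysql_query() only ever executes one statement per call, so the stacked "0; UPDATE ..." payload from the post illustrates the principle, while the "0 OR 1=1" input above (and UNION-style payloads) work against a single statement and are stopped by the same intval() call; and addslashes() is not character-set aware, so the durable fix for string parameters is mysql_real_escape_string() with the connection's charset or, in current PHP, prepared statements via PDO or mysqli, which the example does not use because the post is about the board's existing code.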
MathOnNapkins
Math n' Hacks
Posted on 03-06-05 01:52 AM
just a suggestion, wouldn't it be good to sticky this?
Jesper
Busy, busy, busy.
Posted on 03-06-05 02:07 AM
People don't read stickies.
DarkSlaya
POOOOOOOOOOOORN!
Posted on 03-06-05 02:09 AM
Then again, people don't need these kinds of thread when they need them.

For the record, I don't really ask for fixes for a few exploits. I ask about which exploits there are, and try to fix them myself.

And often steal the idea from someone else, on nearly anything.
Xeolord
- B l u e s -
Power Metal > All
Posted on 03-06-05 03:26 AM
I thank you, Jesper, for posting this, and passing up some folks' ignorance.

I do have a question though, originally in a PM (or maybe when I talked with you over AIM) you told me to even put Useranks through intval.

Well that just turned out to mess things up. Whenever users would edit their profile, ranks would be set to 'off' for that user.

But ... keep in mind I use Acmlm+Erk ...

Originally posted by Jesper
(We don't support any of the versions beyond doing it as a courtesy, but Acmlm+Erk is a dist built upon a lot of hacks, which makes it all the more painful to upgrade from or to and which we conversely support even less, if you can believe that.)

I won't even get started ...

Honestly, this is why I wanted to use Acmlm+Erk in the first place. Not because it has a few "hacks" that have been released in the past "included" in the package, but because at the time it was released (several months before 1.92) it was much better and safer to have than the 1.8a version, so I just simply wanted to go with the better deal.

Now it seems I should have been patient, but hopefully in time I can fix things up, and clean up some of Erk's random / unfinished work in nearly every file ...

Most of these fixes, that have recently been discussed and talked about in this thread, applied to my board just fine. But honestly, for my own personal use ... Acmlm+Erk is not pretty ...
Jesper
Busy, busy, busy.
Posted on 03-06-05 04:23 AM
Originally posted by Xeogred
I thank you, Jesper, for posting this, and passing up some folks' ignorance.

I do have a question though, originally in a PM (or maybe when I talked with you over AIM) you told me to even put Useranks through intval.

Well that just turned out to mess things up. Whenever users would edit their profile, ranks would be set to 'off' for that user.

But ... keep in mind I use Acmlm+Erk ...
It seems you just used the intval function before the variable was correctly set in the first place, so it'd be empty, which would translate into 0 which might very well be Rank set. Solution: move the intval-line to after the line where it's being set for real. (If you're uncertain, always "intval" as soon as possible!)

This is something right out of the proverbial manual, by the way. You should be able to debug and deduce these kinds of things, or you should strongly consider getting another board. AcmlmBoard is very easily hackable, but the downside is that you *should* be able to go into every nook and cranny when things go wrong and fix them! Thankfully we have a helpful few in here that *do* have this sort of knowledge and are willing to share. This is worth very much.

To reiterate my point, if it hasn't been driven home already, I'll always enjoy doing code work on AcmlmBoard to develop it. That's the fun part. Fixing bugs is still productive if it's done at the core and these fixes will benefit other people... but fixing bugs or exploits for others where the code might even vary (and thus be based on code that I or Acmlm didn't even write and that I am thusly not familiar with) is - relatively speaking - a chore. I try to help out where I can, but between other personal projects and jobs where actual money is offered, I can't help everyone, and I can't even guarantee that I won't be tired as hell and just want to rest.

I don't want to come off as greedy, but I make my money by working, and I can't do good work eight hours per day, go home and work on the development version of the board and then spend even another hour or so helping others fix bugs. It's just not tenable. In a large percentage of the cases, you can get competent help here too. So I ask of you, at least during this period, to please consider posting about your worries here instead of bugging me first thing you do.
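The ordering bug Jesper diagnoses in his reply, as an added example rather than code from the thread or from AcmlmBoard/Acmlm+Erk. It models the profile-edit handler in two versions: one where the intval() line sits above the line that actually assigns the variable, so intval() sees an unset value and leaves 0 behind, and one with the order Jesper recommends. The form is a plain array standing in for $_POST, the field name 'useranks' and the user id are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example, not code from the thread or from AcmlmBoard/Acmlm+Erk. It
// models the bug Jesper diagnoses above: intval() placed above the line that
// actually assigns the variable sanitises an unset value, and intval(null)
// is 0, which the rest of the handler then stores as "ranks off". A plain
// array stands in for $_POST; the field name 'useranks' and the user id are
// assumptions. Needs PHP 7 or later.

// Wrong order: the sanitising line runs before the variable is set for real,
// and the handler collects the resulting 0 for its UPDATE. The assignment at
// the bottom is the line the intval() call should have been moved below.
function profile_update_wrong(array $post): array
{
    $useranks = intval($useranks ?? null);      // nothing to sanitise yet: 0
    $fields = ['useranks' => $useranks];        // collected for the UPDATE
    $useranks = $post['useranks'] ?? 0;         // set "for real", but too late
    return $fields;
}

// Right order: assign first, intval() immediately after, then use it.
function profile_update_right(array $post): array
{
    $useranks = $post['useranks'] ?? 0;
    $useranks = intval($useranks);
    return ['useranks' => $useranks];
}

// Constructed submissions: a normal user turning ranks on, and an attacker
// trying to smuggle SQL through the same field.
foreach (['1', '1; UPDATE users SET admin=1 WHERE id=42'] as $value) {
    $post = ['useranks' => $value];
    printf("submitted %-45s wrong=%d right=%d\n",
        var_export($value, true),
        profile_update_wrong($post)['useranks'],
        profile_update_right($post)['useranks']);
}
```

For both submissions the wrong ordering stores 0 (ranks off for that user, the symptom Xeogred saw), while the right ordering stores 1 and drops the injected SQL, which is why the advice is to intval() a value immediately after the line that gives it its value, not somewhere above it.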
Gywall
Silver axe
Posted on 03-06-05 12:34 PM
I could take time out and fix any known 1.8a bugs to make a bug fix version. I fixed some of them, but not all yet. I plan on making a logout lock, which should stop logout images totally.
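One way to build the "logout lock" Gywall mentions, as an added example; the thread does not show his code, so this is not it. A "logout image" is an image tag in a post whose source points at the board's logout URL: every reader's browser fetches it and logs them out. The lock below gives each session a secret token, puts it in the real logout link, and has the logout handler refuse any request without the matching token, which an image tag placed by another user cannot know. The session is an array and the request a plain array so it runs from the command line; the names logout.php, t and logout_token are assumptions. Needs PHP 7 or later for random_bytes().

```php
<?php
// Added example of a "logout lock" against logout images; not Gywall's code,
// which the thread does not show. The session is modelled as an array and
// the GET parameters as a plain array so this runs without a web server.
// logout.php, the t parameter and the logout_token key are assumptions.

// Issue (once per session) the secret that the real logout link will carry.
function logout_token_for(array &$session): string
{
    if (!isset($session['logout_token'])) {
        $session['logout_token'] = bin2hex(random_bytes(16));
    }
    return $session['logout_token'];
}

// The link the board renders in its menu for this reader.
function logout_link(array &$session): string
{
    return 'logout.php?t=' . urlencode(logout_token_for($session));
}

// What logout.php does: end the session only if the token matches.
// Returns true if the reader was logged out, false if the request was refused.
function handle_logout(array &$session, array $get): bool
{
    $expected = $session['logout_token'] ?? '';
    $given = $get['t'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;                  // no or wrong token: refuse
    }
    $session = [];                     // stands in for session_destroy()
    return true;
}

// Constructed scenario: a logged-in reader views a page.
$session = ['user_id' => 7];
$link = logout_link($session);
printf("menu link        : %s\n", $link);

// An <img src="logout.php"> in someone's post fetches the URL with no token.
printf("image tag request: %s\n", handle_logout($session, []) ? 'logged out' : 'refused');
printf("still logged in  : %s\n", isset($session['user_id']) ? 'yes' : 'no');

// The reader clicks the real link, which carries the token.
parse_str(parse_url($link, PHP_URL_QUERY), $query);
printf("real link click  : %s\n", handle_logout($session, $query) ? 'logged out' : 'refused');
printf("still logged in  : %s\n", isset($session['user_id']) ? 'yes' : 'no');
```

The tokenless request is refused and the session survives; the click on the genuine link logs the reader out. Attackers can put the image tag in a post, but they cannot read the token out of another reader's page, so the image request never carries it. Making logout a POST form with the same token would close the same hole for links as well as images.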
SyntaxLegend
Double metal axe
Posted on 03-06-05 12:56 PM
Originally posted by Gywall
I could take time out and fix any known 1.8a bugs to make a bug fix version. I fixed some of them, but not all yet. I plan on making a logout lock, which should stop logout images totally.
Why would you want to fix 1.8a bugs?

Edit by Jesper: Style removed until you learn how to limit it to your own posts. (Hint, put a div around your whole post with a special class name (say "gywall"), then prefix all your CSS rules with ".gywall")


(edited by Jesper on 03-06-05 06:26 AM)
AcmlmBoard vl.ol (11-01-05)
© 2000-2005 Acmlm, Emuz, et al