Acmlm's Board - I2 Archive - Acmlmboard support? - An exploit that I have no idea how it works...

FreeDOS:
...and therefore how to fix. I'm using AcmlmBoard 1.8a. This one user seemed to find an exploit that allows him to log in as any user without knowing the password... I have added these lines in function.php:

    if(strstr($PHP_SELF,"function.php")) exit("You're not supposed to be here. ;D");
    if(!is_numeric($id)) $id=0;

Anyone know the problem?

Sokarhacd:
Never heard of that exploit before. (edited by Chaosflare on 03-14-04 11:38 PM)

Elric:
Hmm... when I read this, I was gonna add it to my board, since I'm also running v1.8a, but when I opened up function.php, I found it was already there. Odd, that. I'm guessing that I got the issue resolved waaaay back when (when? I dunno...)

Cellar Dweller:
The only way I know of to exploit a properly patched AcmlmBoard is to use JavaScript to steal cookies from other users. If your host provides log access you may be able to find out what steps the attacker takes in the process of performing the attack. The attacker could be exploiting any process on the server, so don't limit your search to AcmlmBoard.

Tuvai:
A few exploits I remember from when I had an Acmlm Board:

Put

    if(!is_numeric($id)){$id=0;}

in the top of function.php, otherwise the possibility of screwing around with the $id register global is there, which allows users to see random posts (including the ones in admin/mod forums).

Put

    if(stristr($PHP_SELF,'config.php') or stristr($PHP_SELF,'function.php')){die('Nope, go away.');}

in the top of function.php also. This prevents people from looking at config.php and function.php. Leaving this open allows people to 'overload' by using a constantly refreshing script. Basically being able to make a lot of connections at a time and cause the MySQL database to go haywire. (edited by Tuvai on 03-15-04 01:40 AM)

VGFreak877:
* goes to put those two lines of code into function.php * I've done that just to be on the safe side -- just makes me feel better, that's all. (edited by VGFreak877 on 03-15-04 01:49 AM)

FreeDOS:
Thanks, Tuvai. I'll try that when I get home.

Xeolord:
Originally posted by Tuvai:
A few exploits I remember from when I had an Acmlm Board: Put if(!is_numeric($id)){$id=0;} in the top of function.php, otherwise the possibility of screwing around with the $id register global is there, which allows users to see random posts (including the ones in admin/mod forums). Put if(stristr($PHP_SELF,'config.php') or stristr($PHP_SELF,'function.php')){die('Nope, go away.');} in the top of function.php also. This prevents people from looking at config.php and function.php. Leaving this open allows people to 'overload' by using a constantly refreshing script. Basically being able to make a lot of connections at a time and cause the MySQL database to go haywire.

Man, I have got to thank you much. It's been pissing me off at my board quite often; I get a lot of people using search to get through restricted forums. *Puts this in*

FreeDOS:
Apparently, this didn't stop him. Any other suggestions?

Tuvai:
Well, about someone being able to log in as everyone: then it's obviously a glitch in the login script itself. Haven't dived into Acmlm Board's code for months now, so I can't guarantee I'll be too helpful on this. Anyway, I take it you're using AcmlmBoard 1.8a, so I just took a look at 1.8a's login.php. And there is one thing I'm really worried about:

- part from login.php:

    $userid=checkuser($username,$password);
    if($userid!=-1){
        setcookie("loguserid",$userid,ctime()+900000000,$folder,$domain);
        setcookie("logpassword",$password,ctime()+900000000,$folder,$domain);
        $msg="You are now logged as $username.";
    }

- checkuser() function in function.php:

    function checkuser($name,$pass){
        $users=mysql_query("SELECT id FROM users WHERE name='".addslashes($name)."' AND password='".md5($pass)."'");
        $user=@mysql_fetch_array($users);
        $u=$user[id];
        if($u<1) $u=-1;
        return $u;
    }

First off, replace the checkuser() function in function.php with this:

    function checkuser($name,$pass){
        // exactly one row may match the name and password hash; anything else is a failed login
        $res=mysql_query("SELECT id FROM users WHERE name='".mysql_real_escape_string($name)."' AND password='".md5($pass)."'");
        if(mysql_num_rows($res)!=1) return -1;
        return (int)mysql_result($res,0,0);
    }

Then, replace the part from login.php I showed above with the following:

    // read the form fields explicitly instead of relying on register_globals
    $username=$_POST['username'];
    $password=$_POST['password'];
    $userid=checkuser($username,$password);
    if($userid!=-1){
        setcookie("loguserid",$userid,ctime()+900000000,$folder,$domain);
        setcookie("logpassword",$password,ctime()+900000000,$folder,$domain);
        $msg="You are now logged as $username.";
    }

Try that and let me know if it worked or not. Like I said above, it's most likely a problem with the login script, but there's no guarantee. Furthermore, if the above doesn't work, try to find out how and where the person does this; monitor him/her.
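As an added example (not code from this thread, from AcmlmBoard, or from any poster here), the same login path rebuilt the way a practitioner would harden it today: parameterised SQL instead of escaping, a salted hash instead of bare md5(), and a random session token in the cookie instead of the password, which is the weakness Tuvai's login.php excerpt and Cellar Dweller's later stolen-cookie point both turn on. It assumes PHP with PDO's SQLite driver, and the table and column names (users, sessions, pwhash) are constructed for the example.

```php
<?php
// Added example, not AcmlmBoard code: the thread's login path rebuilt without
// string-built SQL, without the plaintext password cookie, and without a raw $id
// global. Runs on an in-memory SQLite database; table and column names are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pwhash TEXT)");
$db->exec("CREATE TABLE sessions (token TEXT PRIMARY KEY, userid INTEGER, expires INTEGER)");
// Constructed sample account; password_hash() salts each hash, unlike bare md5().
$db->prepare("INSERT INTO users (name, pwhash) VALUES (?, ?)")
   ->execute(['FreeDOS', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Replacement for checkuser(): the name is bound as a parameter, so quotes in it cannot
// alter the query, and the password is verified in PHP. Returns the id, or -1 on failure.
function checkuser(PDO $db, string $name, string $pass): int {
    $q = $db->prepare("SELECT id, pwhash FROM users WHERE name = ?");
    $q->execute([$name]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pwhash'])) {
        return -1;
    }
    return (int)$row['id'];
}

// Replacement for the login.php block: the cookie carries a random session token, never
// the password, so a stolen cookie reveals nothing and is revoked by deleting the session row.
function login(PDO $db, string $name, string $pass): ?string {
    $userid = checkuser($db, $name, $pass);
    if ($userid === -1) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $db->prepare("INSERT INTO sessions VALUES (?, ?, ?)")
       ->execute([$token, $userid, time() + 86400]);
    // In login.php: setcookie("session", $token, time() + 86400, $folder, $domain, false, true);
    // The final true sets HttpOnly, so script embedded in a post cannot read the cookie.
    return $token;
}

// Replacement for trusting a global $id: the user id comes from the session row,
// and any id read from the request is cast to int before it reaches a query.
function current_user(PDO $db, string $token): int {
    $q = $db->prepare("SELECT userid FROM sessions WHERE token = ? AND expires > ?");
    $q->execute([$token, time()]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row === false ? -1 : (int)$row['userid'];
}
var_dump(checkuser($db, "D'Angelo", 'anything'));   // unknown name; the quote is plain data
$token = login($db, 'FreeDOS', 'correct horse');
var_dump(current_user($db, $token), current_user($db, 'bogus-token'));
```

The reply form never needs to echo a password back because the server only ever holds the hash, which also removes the plaintext-recovery path Cellar Dweller describes.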

Xeolord:
Mike, could this possibly be going on at a school? I've heard from a few people over at my board that a LAN setup is really glitchy for Acmlm boards. People will appear to be logged in as someone else, and when they refresh they might be in another name yet again. (edited by Xeogred on 03-16-04 11:15 AM)

Tuvai:
It's not really something to do with LANs, but with cookies. If you're on a computer more people will use, and you're using a default profile to log on to that computer, cookies that are stored when you log in at a website are stored under the profile's cookie folder. So, if someone else uses the same computer and same profile after you, and you didn't delete your cookies, then that person can have access to your accounts. However, I don't think that's the problem Mike's having, considering his problem is apparently someone being able to log in as anyone.

FreeDOS:
Tuvai, my problem isn't with cookies... I can tell this person has logged in as other people when the IP addresses recorded for them match this one person's... and it seems that he bypasses IP bans with a proxy. The password doesn't matter. I've scrambled the passwords into random keyboard punches. It doesn't stop him.

Tuvai:
Originally posted by Mike:
Tuvai, my problem isn't with cookies...

Did I say it was, then? I don't think so. And again, it's most probably a glitch in the login script; you just confirmed that by saying whatever password you use doesn't matter.

Zemus:
Hey Mike... your board says Baord stats instead of Board stats ;-) Just thought I'd point that out.... and I've never seen an acmlm board that gives out addresses for porn and warez before :-P Odd. Anyway, check for a Bouche script, i.e. a password stealing script. It was pretty clever, just a little javascript in a post (possibly through an iframe) which records the cookie data and sends it to his database for him to browse at a later time... that's the most likely culprit for your problem, but I thought it was fixed with the no javascript and no iframe rule being implemented into Acmlm Board, and you're using the latest public release.... *shrug* Also an odd feature is requiring a person to be logged in to view threads... what's the purpose of that? If no one can read threads, why should they be enticed to join? (edited by K-Pel on 03-16-04 03:47 PM)

Luigi:
First of all, stop blaming Bouche for that script. Second of all, don't name it after him. Someone hacked Bouche and edited the javascript he used in his post layout. The changes were steal passwords and rate Skydude a 0.

Tuvai:
Originally posted by K-Pel:
Anyway, check for a Bouche script - ie password stealing script. It was pretty clever, just a little javascript in a post (possibly through an iframe) which records the cookie data and sends it to his database for him to browse at a later time... that's the most likely culprit for your problem, but I thought it was fixed with the no javascript and no iframe rule being implemented into Acmlm Board, and you're using the latest public release.... *shrug*

Don't refer to that as Bouche's script. Also, a cookie stealing script would do shit on AcmlmBoard 1.8 and higher, because passwords are encrypted and AcmlmBoard doesn't use them in sessions like Vbulletin does. DOH.

Cellar Dweller:
I have a copy of AcmlmBoard 1.8a, and I can certify that it does not encrypt passwords in cookies. Encrypting the cookies will not prevent them from being used, if they are stolen, because an attacker can put them in the local cookie jar. Not only can an attacker impersonate a user after doing that, (s)he can recover the plaintext password from some forms, such as the new reply form.

Tuvai:
Originally posted by Cellar Dweller:
I have a copy of AcmlmBoard 1.8a, and I can certify that it does not encrypt password in cookies.

Not by default, but in this case they are:

Originally posted by Tuvai:
- checkuser() function in function.php:

    function checkuser($name,$pass){
        $users=mysql_query("SELECT id FROM users WHERE name='".addslashes($name)."' AND password='".md5($pass)."'");
        $user=@mysql_fetch_array($users);
        $u=$user[id];
        if($u<1) $u=-1;
        return $u;
    }

It seems <

EDIT: I see now, I was looking at the files of MY old AcmlmBoard, which had MD5() encryption. (edited by Tuvai on 03-17-04 05:04 AM)