Welcome, Guest. Please Login or Register.
November 23, 2024, 08:53:58 AM
Home Help Search Log in Register
News: If you are still using YaBB SE, please consider upgrading to SMF as soon as possible.

YaBB SE Community  |  YaBB SE Info  |  News From the YaBB SE Team  |  SECURITY FIX! Users using any version prior to 1.5.1 « previous next »
Pages: 1 ... 9 10 [11] 12 Reply Ignore Print
Author Topic: SECURITY FIX! Users using any version prior to 1.5.1  (Read 99655 times)
Dude
Guest
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #150 on: February 19, 2003, 08:47:51 AM »
Reply with quote

Quote from: Spaceman-Spiff on February 19, 2003, 05:41:54 AM
a better way is to upgrade to 1.5.1RC1

uh huh cept on the the download page it says:

We are currently in an open beta test of version 1.5.1RC1. The download location and current build can be acquired here. Please note that version 1.5 is now termed "experimental". If you are installing a fresh copy of YaBB SE, please install version 1.4.1 or 1.5.1RC1.

so since folks are being encouraged to download 1.4.1 I agree with oldford. It shouldn't be that hard to apply the fix and repackage the download.

and btw, I think you may need a little sun......... ;D
Logged
Peter Duggan
Llama Chameleon
Global Moderator
YaBB God
*****
Posts: 1793


You come and go...

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #151 on: February 19, 2003, 09:00:12 PM »
Reply with quote

Quote from: oldford on February 19, 2003, 05:34:18 AM
Should this fix maybe be implemented in all the files in the download section?

While I can see where you're coming from here, surely changing previous versions retrospectively stops them being what they purport to be?

Quote from: old dan on February 19, 2003, 08:47:51 AM
so since folks are being encouraged to download 1.4.1 I agree with oldford.

But this also makes sense, so perhaps the download version of 1.4.1 should be 'rebadged' somehow? :)
« Last Edit: February 19, 2003, 09:04:03 PM by Peter Duggan » Logged

Spaceman-Spiff
Mod Team
YaBB God
*****
Posts: 3689


My $txt[228]

Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #152 on: February 19, 2003, 09:22:07 PM »
Reply with quote

if u're using 1.4.1, u can apply this mod: http://www.yabbse.org/community/index.php?board=158;action=display;threadid=12512
and "everything" will be fixed
Logged

   My mods, ysePak, codes, tutorials
    Support question IMs = bad.
Jaxom
Noobie
*
Posts: 34


Damn llama ate my karma...

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #153 on: February 20, 2003, 01:04:09 AM »
Reply with quote

Unfortunately, I've been added to the list of people that got nailed by this, got hit yesterday. For some reason  (no doubt my end, probably my spam filter!) I never got notified of any security holes - and I don't check this board that often, don't need to. D'oh!

From the access logs, I have a webserver in brazil which was was used to nail me. They altered the front page, and deleted one of my yabbse folders. I've taken the site down while I do repairs, alter passwords et al.

If anyone wants my access logs, or info from the board itself in order to build evidence or somesuch (they appear to have left the sql database intact) they're more than welcome, and my email address does appear to be working now :)

As for being hacked... well, such is life, I don't see anything more the yabb team could have done to let me know, I haven't even needed to login to the board admin for a while so even an xml update proably wouldn't have got to me.

:-\
Logged

Linux is like wigwam - no windows, no gates, apache inside.

My wigwam - The Guildhouse
luisr
Full Member
***
Posts: 120


Left blank to save space.

Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #154 on: February 21, 2003, 08:47:20 PM »
Reply with quote

What about these two vulnerabilities?  I found these by searching Google with " YaBB SE vulnerability":

This one is for a vulnerability with News.php
http://www3.ca.com/virusinfo/Threat.asp?ID=14136

And this one for news_template.php
http://www.securiteam.com/unixfocus/5BP051F8VE.html
Logged
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


ICQ - 179721867unknownbrackets@hotmail.com WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #155 on: February 22, 2003, 12:17:40 AM »
Reply with quote

Both have been fixed in 1.5.1.

-[Unknown]
Logged
iamdamnsam
Full Member
***
Posts: 225


RamchargerCentral.Com

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #156 on: February 24, 2003, 10:26:47 PM »
Reply with quote

Quote from: [Unknown] on February 22, 2003, 12:17:40 AM
Both have been fixed in 1.5.1.

-[Unknown]

Well....how do you fix them in 1.3 and 1.4?
Logged

Gobalopper
Mod Team
YaBB God
*****
Posts: 993


Cookie Monster

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #157 on: February 24, 2003, 10:33:00 PM »
Reply with quote

Check Compuart's posts in the bug boards, I'm pretty sure it has fixes for the 1.4.1 version.
Logged
iamdamnsam
Full Member
***
Posts: 225


RamchargerCentral.Com

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #158 on: February 24, 2003, 10:49:14 PM »
Reply with quote

what about 1.3?  It doesn't list it as vulnerable on those sites.  I have tried it on my own site, and I don't see how they can get hijacked, it is only showing your own cookie.
Logged

Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #159 on: February 24, 2003, 11:08:15 PM »
Reply with quote

Using 1.3, if you're not using it, I'd delete Packages.php
Logged

iamdamnsam
Full Member
***
Posts: 225


RamchargerCentral.Com

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #160 on: February 25, 2003, 12:49:04 AM »
Reply with quote

Quote from: Jeff Lewis on February 24, 2003, 11:08:15 PM
Using 1.3, if you're not using it, I'd delete Packages.php

done already, but what about the other security issues?
Logged

[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


ICQ - 179721867unknownbrackets@hotmail.com WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #161 on: February 25, 2003, 12:53:32 AM »
Reply with quote

Quote from: iamdamnsam on February 25, 2003, 12:49:04 AM
Quote from: Jeff Lewis on February 24, 2003, 11:08:15 PM
Using 1.3, if you're not using it, I'd delete Packages.php

done already, but what about the other security issues?

I very much recommend going to 1.5.1 if you want full security.

-[Unknown]
Logged
luisr
Full Member
***
Posts: 120


Left blank to save space.

Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #162 on: February 25, 2003, 02:32:20 PM »
Reply with quote

I am in a similar situation, using 1.3.1 at present and waiting for 1.5.1 to be released in its final form before I upgrade.  Don't want to deal with release candidates.   Already deleted the Packages.php file.  I don't use the news feature.  Can I safely delete the other files?

By the way, I tried the one that allegedly allows stealing of cookies but as iamdamnsam said, I just see my own cookie.  But it shows a vulnerability anyway because it should not allow running scripts that way.
Logged
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


ICQ - 179721867unknownbrackets@hotmail.com WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #163 on: February 25, 2003, 10:58:39 PM »
Reply with quote

The problem is, if you can see your cookie.... then the java script can see it.

If the javascript can see your cookie, it can send that cookie to someone else.

If someone else has your cookie, they can login to your forum - as you.

If that happens you are dead.

-[Unknown]
Logged
luisr
Full Member
***
Posts: 120


Left blank to save space.

Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #164 on: February 26, 2003, 03:17:07 PM »
Reply with quote

But that involves inserting the malicious code somehow in a message or somewhere that other users can see as well, not just me.  May be I cannot think of a way of doing it because I am not a hacker.
Logged
Pages: 1 ... 9 10 [11] 12 Reply Ignore Print 
YaBB SE Community  |  YaBB SE Info  |  News From the YaBB SE Team  |  SECURITY FIX! Users using any version prior to 1.5.1 « previous - next »
 


Powered by MySQL Powered by PHP YaBB SE Community | Powered by YaBB SE
© 2001-2003, YaBB SE Dev Team. All Rights Reserved.
SMF 2.1.4 © 2023, Simple Machines
Valid XHTML 1.0! Valid CSS

Page created in 0.148 seconds with 20 queries.