Would it be possible to Add the avatar if i provide the link to the photo for inspection? I couldn't hack a paper bag let alone a website lol
I doubt Theymos will make an exception for you. Many have asked before.
Topic: About the recent attack (Read 13991 times)
global moderator
Activity: 3794
Merit: 2606
Join the world-leading crypto sportsbook NOW!
I doubt Theymos will make an exception for you. Many have asked before.
So, if there are so many problems with SMF, why does thermos still use it? There must be some open-source forum software that could be used. At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use. Right?
Someone must have a good answer.
i think guys be secure
i recomend make strong pasw
and i hope admin fix this bug and we be secure place peace
i recomend make strong pasw
and i hope admin fix this bug and we be secure place peace
So, if there are so many problems with SMF, why does thermos still use it? There must be some open-source forum software that could be used. At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use. Right?
Someone must have a good answer.
Is there anyone else that feels that it's a hell of a coincidence that this happened at almost the exact same time that Silk Road was taken down?
My initial guess was that it was someone with a fairly sizeable amount of cash, who wanted to buy Bitcoins cheap. Just my opinion anyway, is that it was someone who sold their BTC high right after the SR news, saw the price go down by $40 per coin, and stood to make thousands if not more by panicking people further and dropping the BTC price more before buying in.
That or just because they felt like it.
Is there anyone else that feels that it's a hell of a coincidence that this happened at almost the exact same time that Silk Road was taken down?
thanks for your hard work
Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??
An administrator can by definition do anything. It is sometimes useful if you want to do something on a user's behalf or for testing whether permissions are respected correctly.
By default the administrator has the power to do that. If not the admin can go to phpadmin and change the hash with other known hash and login using the new password and change the hash again after the login.
Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??
An administrator can by definition do anything. It is sometimes useful if you want to do something on a user's behalf or for testing whether permissions are respected correctly.
I wonder if the fact that this site was brought down at the same time as silk road was anymore of a coincidence.
Glad BTCT is up and running again 
You may want to take another look at that.
it was such an awesome site. I hate it.
Heh.. well I use it without any plugins or addons and whatnot. Access to the forum is all I need
Glad BTCT is up and running again
You may want to take another look at that.
Glad BTCT is up and running again
Lock all staff/admin accounts to 1 IP. Thats one way to prevent exploits if someone was to get the password for a admin account.
Admins would be forced to use the same IP via VPN or proxy service
Lock all staff/admin accounts to 1 IP. Thats one way to prevent exploits if someone was to get the password for a admin account.
Admins would be forced to use the same IP via VPN or proxy service
So, if there are so many problems with SMF, why does thermos still use it? There must be some open-source forum software that could be used. At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use. Right?
Someone must have a good answer. 
Thanks Theymos and others who help maintained this forum.
Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.
It seems like you are referring to the same vulnerabilities referenced in this thread:http://www.simplemachines.org/community/index.php?topic=482530.0
The SMF Project Manager had this to say about it:
Quote
this is, essentially, BS...
not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section... and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.
not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section... and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.
Not that I really care if we update or not, because I can understand the advantages and disadvantages of both actions. But I would like to see something happen to make this forum a bit more secure.
This reads to me like they don't understand the dangers of XSS. Which is kinda worrying if that is an official response.
The advisory describes a persistent XSS flaw in the Admin section. The comment about admins already having access is completely off the mark. XSS attacks are always executed in the context of the privileged user. The validation flaw could be behind bloody Fort Knox -- it doesn' t matter in the slightest; the attack is still exactly the same as if it were in the front-end.
That forum thread is a face-palm.
If you need a reason to move away from SMF, there it is.
Glad it's back up I lost all information on bitcoin because this is where I get most of it
Great job recovering from the hack!
I know how hard it is to keep an SMF forum secure. I ran a much smaller forum on SMF, and it was a constant battle (both SMF 1 and 2). Eventually, I switched to something else that was easier (for me) to keep secure.
(I'm not suggesting changing to another forum package is the right thing to do here as it sounds like you have a really good understanding of SMF security vulnerabilities and how to mitigate attacks now, and that's really the most important thing).
I know how hard it is to keep an SMF forum secure. I ran a much smaller forum on SMF, and it was a constant battle (both SMF 1 and 2). Eventually, I switched to something else that was easier (for me) to keep secure.
(I'm not suggesting changing to another forum package is the right thing to do here as it sounds like you have a really good understanding of SMF security vulnerabilities and how to mitigate attacks now, and that's really the most important thing).
very happy the forum is back up keep up the good work
keep up the good work Jump to: