Topic: About the recent attack (Read 14041 times)

global moderator
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
February 12, 2014, 08:58:04 AM
Would it be possible to add the avatar if I provide the link to the photo for inspection? I couldn't hack a paper bag, let alone a website lol

I doubt Theymos will make an exception for you. Many have asked before.
hero member
Activity: 658
Merit: 502
Doesn't use these forums that often.
October 23, 2013, 10:08:50 AM
So, if there are so many problems with SMF, why does thermos still use it?  There must be some open-source forum software that could be used.   At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use.  Right? 
Someone must have a good answer.
Surprised no one in this thread has a comment on open-source forum software and potential alternatives to SMF. 
Maybe we should use Discourse.
newbie
Activity: 42
Merit: 0
October 18, 2013, 12:11:39 PM
I think guys be secure
I recommend make strong passwords

and I hope the admin fixes this bug and we will be a secure place. Peace  Roll Eyes
legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
October 12, 2013, 10:58:25 PM
So, if there are so many problems with SMF, why does thermos still use it?  There must be some open-source forum software that could be used.   At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use.  Right? 
Someone must have a good answer.
Surprised no one in this thread has a comment on open-source forum software and potential alternatives to SMF. 
legendary
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
October 12, 2013, 01:20:40 AM
Is there anyone else that feels that it's a hell of a coincidence that this happened at almost the exact same time that Silk Road was taken down?

My initial guess was that it was someone with a fairly sizeable amount of cash, who wanted to buy Bitcoins cheap. Just my opinion anyway, is that it was someone who sold their BTC high right after the SR news, saw the price go down by $40 per coin, and stood to make thousands if not more by panicking people further and dropping the BTC price more before buying in.

That or just because they felt like it.
hero member
Activity: 490
Merit: 500
October 12, 2013, 12:29:56 AM
Is there anyone else that feels that it's a hell of a coincidence that this happened at almost the exact same time that Silk Road was taken down?
legendary
Activity: 1316
Merit: 1000
Varanida : Fair & Transparent Digital Ecosystem
October 11, 2013, 01:20:06 AM
thanks for your hard work
sr. member
Activity: 374
Merit: 250
October 10, 2013, 08:37:59 AM
Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??

An administrator can by definition do anything.  It is sometimes useful if you want to do something on a user's behalf or for testing whether permissions are respected correctly.

By default the administrator has the power to do that. If not, the admin can go to phpadmin and replace the hash with another known hash, log in using the new password, and change the hash back after the login.
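The exchange above turns on whether a stored password hash can itself act as a login credential. The following is an added illustration, not code from the thread or from SMF: a correct verifier re-derives the hash from the presented password, so the stored value is useless on its own, while the flawed variant treats the stored hash as the secret, so anyone who can read the members table (an admin, or whoever holds a database dump) is authenticated without ever knowing the password. The salt size, PBKDF2 parameters and sample password are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this illustration (not SMF's actual scheme).
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Build a stored credential: random per-user salt plus PBKDF2-HMAC-SHA256 output."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_with_password(record: Dict[str, bytes], password: str) -> bool:
    """Correct check: the caller must present the password; the server re-derives
    the hash and compares it in constant time. The stored hash never leaves the DB."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def verify_with_hash_only(record: Dict[str, bytes], presented_hash: bytes) -> bool:
    """Flawed check discussed in the thread: the stored hash itself is accepted as
    the credential, so read access to the members table equals login access."""
    return hmac.compare_digest(presented_hash, record["hash"])


def demo() -> Dict[str, bool]:
    """Constructed scenario: a user record, and a copy of its hash column as
    someone with database read access would see it."""
    record = make_record("correct horse battery staple")  # constructed sample password
    leaked_hash = record["hash"]  # what a DB read (admin, dump) yields: no password
    return {
        "password_login_ok": verify_with_password(record, "correct horse battery staple"),
        "wrong_password_rejected": not verify_with_password(record, "wrong password"),
        # Feeding the leaked hash (hex) as if it were the password does not work.
        "hash_alone_rejected_by_correct_check": not verify_with_password(record, leaked_hash.hex()),
        # The flawed check lets the leaked hash through with no password at all.
        "hash_alone_accepted_by_flawed_check": verify_with_hash_only(record, leaked_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two verifiers differ by one line, which is the whole point: with the correct check an administrator who wants to act as a user still has to reset the hash (a visible, logged change), whereas with the flawed check read access is silently equivalent to every user's password.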
sdp
sr. member
Activity: 469
Merit: 281
October 10, 2013, 06:21:15 AM
#99
Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??

An administrator can by definition do anything.  It is sometimes useful if you want to do something on a user's behalf or for testing whether permissions are respected correctly.

sdp
sr. member
Activity: 469
Merit: 281
October 10, 2013, 12:23:45 AM
#98
I wonder if the fact that this site was brought down at the same time as Silk Road was any more of a coincidence.
sr. member
Activity: 252
Merit: 250
October 09, 2013, 12:40:24 PM
#97
Glad BTCT is up and running again Smiley

You may want to take another look at that.

Sad it was such an awesome site. I hate it.
full member
Activity: 152
Merit: 100
October 09, 2013, 11:17:27 AM
#96
Heh.. well I use it without any plugins or addons and whatnot. Access to the forum is all I need Smiley
hero member
Activity: 952
Merit: 1009
October 09, 2013, 11:09:23 AM
#95
Glad BTCT is up and running again Smiley

You may want to take another look at that.
full member
Activity: 152
Merit: 100
October 09, 2013, 10:58:06 AM
#94
Glad BTCT is up and running again Smiley

Lock all staff/admin accounts to 1 IP. That's one way to prevent exploits if someone were to get the password for an admin account.
Admins would be forced to use the same IP via a VPN or proxy service.
legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
October 09, 2013, 09:52:24 AM
#93
So, if there are so many problems with SMF, why does thermos still use it?  There must be some open-source forum software that could be used.   At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use.  Right? 
Someone must have a good answer.
sr. member
Activity: 266
Merit: 250
October 09, 2013, 07:11:10 AM
#92
Thanks to Theymos and the others who help maintain this forum.
full member
Activity: 238
Merit: 100
RMBTB.com: The secure BTC:CNY exchange. 0% fee!
October 08, 2013, 08:12:19 PM
#91
Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.
It seems like you are referring to the same vulnerabilities referenced in this thread:

http://www.simplemachines.org/community/index.php?topic=482530.0

The SMF Project Manager had this to say about it:
Quote
this is, essentially, BS...

not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section...  and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.

Not that I really care if we update or not, because I can understand the advantages and disadvantages of both actions. But I would like to see something happen to make this forum a bit more secure.

This reads to me like they don't understand the dangers of XSS. Which is kinda worrying if that is an official response.

The advisory describes a persistent XSS flaw in the Admin section. The comment about admins already having access is completely off the mark. XSS attacks are always executed in the context of the privileged user. The validation flaw could be behind bloody Fort Knox -- it doesn't matter in the slightest; the attack is still exactly the same as if it were in the front-end.

That forum thread is a face-palm.

If you need a reason to move away from SMF, there it is.
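The post above argues that a stored XSS flaw on an admin-only page is no less serious than one on the front-end, because the injected markup runs in whichever browser renders the page, and on an admin page that browser belongs to the administrator. The following added example (not code from the thread, from SMF, or from the advisory) makes that concrete: one constructed member record with a harmless marker tag in a user-editable field is rendered into an "admin member list" and a "public profile" page, first by string concatenation and then with HTML escaping at the point of output. The page layouts, field names and the marker tag are assumptions for this illustration.

```python
import html
from typing import Callable, Dict

# Constructed member record. The signature field is user-controlled and holds a
# placeholder tag (stolen() is not a real function) so escaping is observable.
STORED_MEMBER: Dict[str, str] = {
    "name": "mallory",
    "signature": '<img src="x" onerror="stolen()">',
}

Renderer = Callable[[str], str]


def render_unsafe(field: str) -> str:
    """The pattern behind a persistent XSS: stored text is concatenated into HTML
    unchanged, so any markup the user saved becomes part of the page."""
    return f"<td>{field}</td>"


def render_safe(field: str) -> str:
    """Hardened output: escape every stored value where it is emitted into HTML.
    The data in the database is untouched; only its rendering changes."""
    return f"<td>{html.escape(field, quote=True)}</td>"


def admin_member_list(member: Dict[str, str], render: Renderer) -> str:
    """Admin-only page. It renders in the administrator's browser session."""
    return "<table>" + render(member["name"]) + render(member["signature"]) + "</table>"


def public_profile(member: Dict[str, str], render: Renderer) -> str:
    """Front-end page. It renders in any visitor's browser session."""
    return "<div class='profile'>" + render(member["signature"]) + "</div>"


def markup_survives(rendered_html: str) -> bool:
    """True if the stored tag reached the output as live markup (a raw <img ...>
    with its event handler) rather than as escaped text."""
    return "<img" in rendered_html and "onerror=" in rendered_html


def compare_contexts(member: Dict[str, str]) -> Dict[str, bool]:
    """Render the same stored field on both pages with both renderers and report
    whether the injected markup is live in each case."""
    return {
        "admin_unsafe": markup_survives(admin_member_list(member, render_unsafe)),
        "public_unsafe": markup_survives(public_profile(member, render_unsafe)),
        "admin_safe": markup_survives(admin_member_list(member, render_safe)),
        "public_safe": markup_survives(public_profile(member, render_safe)),
    }


if __name__ == "__main__":
    for context, live in compare_contexts(STORED_MEMBER).items():
        print(f"{context}: markup live = {live}")
```

The result is identical for the admin page and the public page under each renderer, which is the post's point: where the page sits behind the login wall does not change what the browser executes; only output encoding does. The fix is also independent of who stored the value, so it covers the case the advisory describes (data written by a low-privilege account and viewed by an admin) without trusting any field.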
hero member
Activity: 532
Merit: 500
Currently held as collateral by monbux
October 08, 2013, 05:16:29 PM
#90
Glad it's back up. I lost all information on bitcoin because this is where I get most of it.
newbie
Activity: 40
Merit: 0
October 08, 2013, 02:03:50 PM
#89
Great job recovering from the hack!

I know how hard it is to keep an SMF forum secure. I ran a much smaller forum on SMF, and it was a constant battle (both SMF 1 and 2). Eventually, I switched to something else that was easier (for me) to keep secure.

(I'm not suggesting changing to another forum package is the right thing to do here as it sounds like you have a really good understanding of SMF security vulnerabilities and how to mitigate attacks now, and that's really the most important thing).
sr. member
Activity: 308
Merit: 250
October 08, 2013, 01:07:41 PM
#88
very happy the forum is back up Smiley keep up the good work