Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
alexwise
Regular
Regular


Joined: Oct 15, 2005
Posts: 80

PostPosted: Mon Mar 06, 2006 12:08 pm Reply with quote

A month back our site got hacked, so I scrapped it and now use Raven distro, wich works like a dream and hacking has stopped ..... but.

In my profile I noticed that in my sig were I have 2 pictures inseted of just
[img] Only registered users can see links on this board! Get registered or login! [/img]

I have ..

[img:3517d7e297]http://www.outsite/sig.jpg[/img:3517d7e297]

Which looks like part of a md5 pass or somthing in base64 code.

Ive changed my pass, and mine looks nothing like that in md5 hash so I don't think it's that unless it's part of my old pass from the old site.
We moved acrros the old site's forum along with the theme template but the rest of the site is new.

The only prob with this, is that I can't change it.
If I try to just edit it back to the [img] it changes back to the [img:3517d7e297]

So ........ what is this?
Is this somthing left behind from the hacker, is it somthing to do with the new site, info from the old, or a still active xxs?

Thanks.
 
View user's profile Send private message
jaded
Theme Guru


Joined: Nov 01, 2003
Posts: 1006

PostPosted: Mon Mar 06, 2006 12:36 pm Reply with quote

that is a needed component of seeing the image in your bb. it is bbcode. it must be there for every signiuter so taht it shows. that number is unique to each user. do not remove it or your sig will not show.

_________________
Themes BB Skins Only registered users can see links on this board! Get registered or login!
Graphic Tees Only registered users can see links on this board! Get registered or login!
Paranormal Tees Only registered users can see links on this board! Get registered or login!
Ghost Stories & More Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
alexwise
PostPosted: Mon Mar 06, 2006 12:46 pm Reply with quote

Odd, why is it showing in the profile? I'm sure it never used to show up.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Mon Mar 06, 2006 6:51 pm Reply with quote

Is it still showing through the Forums profile? It should be recognizing it as proper bbcode

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
alexwise
PostPosted: Wed Mar 08, 2006 2:01 pm Reply with quote

No it's not showing there just in My account.
I must be loosing my marbels, I'm sure it didn't show before.
 
evaders99
PostPosted: Wed Mar 08, 2006 3:00 pm Reply with quote

Your_Account does not use BBCode, that's why it is showing.
You are better off using HTML
 
Rumbaar
Regular
Regular


Joined: Apr 16, 2004
Posts: 78
Location: Melbourne, Australia

PostPosted: Thu Mar 09, 2006 5:56 pm Reply with quote

I'm not code writer but couldn't a 'simple' check be performed in the Your_Account module that if the [img] tags are found in a persons signature a substitution to the <img src=> tags takes place and it would display correctly in that profile display.

_________________
Victim's aren't we all! 
View user's profile Send private message Visit poster's website
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Thu Mar 09, 2006 7:42 pm Reply with quote

Rumbaar - Yes that might be possible. However, that wouldnt work if html was turned off in the forum and may cause complications with possible vulnerabilities in which a harmful file can be disguised as an image file.
 
View user's profile Send private message Send e-mail
Rumbaar
PostPosted: Thu Mar 09, 2006 9:28 pm Reply with quote

OK but my understanding is that the Your_Account module is separate to the forum in it's display so it wouldn't have to rely on any forum settings. Also it would only really be an issue if the BBCodes have been disabled as what I imagine is that the new code would do exactly the same checking and function as the forum BBCode would already do.

Also it would effectively perform the same function as the BBCode does to convert [img] to <img src=> so I can't see any securty issues that aren't already present in phpBB.

But it's just a thought.
 
Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

PostPosted: Sat Apr 01, 2006 8:44 am Reply with quote

He's got a good point. It's nothing serious - just a little messy. Why should it be fine in the forum, yet not in the your account. Seems easy enough to fix?
 
View user's profile Send private message
Guardian2003
PostPosted: Sat Apr 01, 2006 9:43 am Reply with quote

Blind-Summit wrote:
He's got a good point. It's nothing serious - just a little messy. Why should it be fine in the forum, yet not in the your account. Seems easy enough to fix?

Are you volunteering?
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 9:48 am Reply with quote

Well if I have this correct. The [img:3249823] tags work for the forum OK and display exactly as that in the your_account. So if we search for [img: then copy the text after the following ] and up to the next instance of [/ into the img src html - would that be ok? Or is that the part about security? If this is then insecure - why would it be OK in the forums where the html is generated from BBcode?

If that's all OK - then yeah - I may just add that fix.

I also have a fix in your account where it's listed about 3 times "you are / are not a subscribed"

Is it just me that sees all these tiny simple aesthetic changes?
 
Guardian2003
PostPosted: Sat Apr 01, 2006 10:41 am Reply with quote

Actually, that reminds me thank you.
The reason for the multiple echo to the page for the You are subscribed/not subscribed only occurs when you have an admin (God) and user accounts with different usernames.
Not actually bug but it should be cleaned up a little to differnetiate between the 2 accounts.

The forums were ported to work with nuke and as far as I know, carries out its own security checks (hence the reason why so many forums got hacked). Yes, at some point it would be nice to have them share the same security checking functions but I think this might require extensive re-writing of the code - hence the reason why no one has done it to date. Most excercises of this nature just used a redirect from the forum profile to the Your Account module - but of course that doesnt help you with your forum sig problem.
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 10:45 am Reply with quote

mine are the same though! I'm just hacking this nuke_marketing code so that I can have a userlist instead of letting people enter the refering user's name - so many just put things like "Alex refered me" or stuff like that - so it screws up the lists.

I have a combo box made from an SQL do while loop and i added a null value at the top, but for some reason it defaults to the second item in the list - ie the first user.

Here's the link on my new user page

and my code:

Code:


      $combobox = "<select name=\"user_referral\">";
      $combobox .= "<option value=\"\" selected>--NOT REFERED--</option>";
      
      $sql = "SELECT username FROM ".$prefix."_users";
if( !($result = $db->sql_query($sql)) )
{
        message_die(GENERAL_ERROR, 'Could not get userlist', '', __LINE__, __FILE__, $sql);
}

if ( $row = $db->sql_fetchrow($result) )
{

        do
        {
         $userrefer = $row['username'];
         $combobox .= "<option value=\"$userrefer\">" . $userrefer . "</option>";
        }
        while ( $row = $db->sql_fetchrow($result) );
}

      $combobox .= "</select>";
      
      echo $combobox;
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 11:05 am Reply with quote

No matter - I fixed it. For some reason - mozilla just likes to select the second item - so I added an <option value=\"\"></option> tag and that's fixed it

drop me a line if anyone wants to use my code for that. Just stops people from entering invalid usernames for the rerering username
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©