
Secure your vBulletin board


TECK
02-23-2002, 04:48 AM
ok, today i helped ptbyjason to take control again over his hacked board.
https://vborg.vbsupport.ru/showthread.php?s=&threadid=35339

while playing, i discovered a way to add myself as admin to any VB board, if i'm able to call the path from the server. FireFly, i want to email you the php file i made. email me so i can send you the file and you can look at it.

the solution is to change the permissions for the admin folder in a way that, if any file is called from outside of the server, it displays a show_nopermission error message.

UPDATE:
in /admin/config.php add this code, at the top:

if(!strstr("$_SERVER[PATH_TRANSLATED]", "$_SERVER[DOCUMENT_ROOT]")) {
die();
}

that should prevent a script from being run from outside your server. thanks PPN. ;)

TECK
02-23-2002, 08:55 AM
try this:

make an info.php file with the code listed below and place it in your root:

<?php

phpinfo();

?>

i wonder if it is extremely easy to find out what someone's path is and manipulate his (her) board. what i can do is make a directory for dynamic content (let's call it "dynamic"), and put in an .htaccess file that has the line:

ForceType application/x-httpd-php

in it. this will force all accesses from that directory to be processed as a PHP script. then I can just write a PHP script called, say, script (note, not script.php, just script), so if i call the path:

http://domain.com/dynamic/script/this/is/all/fake/path/

after i call that path, i can check the variable $REQUEST_URI in PHP and strip off everything after /dynamic/script/, and that is the information i want...

you know what? all this info i found it on google.com.

Scott MacVicar
02-23-2002, 09:33 AM
nakkid, email it to me and I'll look at it straight away. I don't think you can do this without FTP access though, and if mysql is setup correctly you shouldn't be able to access it via another server.

Lesane
02-23-2002, 09:34 AM
I also think that this is not possible without uploading a file into that ftp account.....

TECK
02-23-2002, 09:40 AM
hmm how do you explain the problem ptbyjason had? the hacker didn't have access as admin to his board.. he did it from another server!! we need to change the permissions.. it's a fact. read the post where i helped jason...

TECK
02-23-2002, 09:51 AM
ok, i emailed you the script PPN... do you know a way to not let any file be called from outside of the /admin dir? let me know. i'm not good with permissions.

Scott MacVicar
02-23-2002, 09:55 AM
If he had access on the server, if it was a shared server? Then yes, this happens. There is nothing that can be done about this: if the permissions are not set correctly by the host, then other users can read other users' files.

TECK
02-23-2002, 09:58 AM
i know i read somewhere about this type of permission, not to let a script be called from outside the domain. that's what i need to focus on.. this is where the problem resides..

Scott MacVicar
02-23-2002, 10:00 AM
Simplest way to do something like this is to use

if(!strstr("$_SERVER[PATH_TRANSLATED]", "$_SERVER[DOCUMENT_ROOT]")) {
die();
}

If the document root path is not found in the script filename path then exit the script. This means the script would have to have been executed above the user's document root, so if you have /home/username/public_html then the script would have had to be executed in any of these folders. You can add this to the top of config.php but I don't see a point personally.

TECK
02-23-2002, 10:07 AM
ok. can you make a quick hack? so we all can add it to the /admin folder? thanks.

Scott MacVicar
02-23-2002, 10:09 AM
Just add that piece of code to the top of config.php in the admin folder; if anyone tries to access the config.php file and it wasn't called within the user's document root, the script simply exits.

TECK
02-23-2002, 10:11 AM
at PPN's advice, i decided to keep the adduser.php file private. only admins will be able to have a copy.

TECK
02-23-2002, 10:12 AM
why you don't see the point? can you explain more please?

Scott MacVicar
02-23-2002, 10:14 AM
I need to go play in the snow now :D

The code i posted above works on my test board.

Scott MacVicar
02-23-2002, 10:16 AM
If the user has access on the shared server, then they probably have shell access, so they can just navigate into your folders, open config.php using pico or vi and read the values right off it, and then simply access it via phpmyadmin in their own folder.

TECK
02-23-2002, 10:16 AM
lol.. ok.. here few snow balls thrown at you..
@ @ @ @ @... ;)

TECK
02-23-2002, 10:21 AM
Originally posted by PPN
If the user has access on the shared server, then they probably have shell access so they can just navigate into your folders open config.php using pico or vi and read the values right off it and then simply access it via phpmyadmin in their own folder.

so in other words, there is no way to call a path from outside the server and do a mysql_connect?

Scott MacVicar
02-23-2002, 11:34 AM
The hacker would have to be on the same server.

JamesUS
02-24-2002, 09:54 AM
Would you send me the file please so we can investigate the problem.

james.ussher-smith@vbulletin.com

Thanks.

TECK
02-24-2002, 09:59 AM
i did send it to firefly ;) this is the first thing i did.

JamesUS
02-24-2002, 10:29 AM
Don't worry - Chen has showed me and there is nothing to worry about. Your boards are secure :)

TECK
02-24-2002, 10:37 AM
thanks james. i came to the same conclusion. after discussing with ptbyjason for over 5hrs (reinstated him as admin, upgraded to 222, secured the admin folder) we tried to track down every event the hacker did. the only flaw we saw was this:
a hacker admin can delete the logs and change his identity in admin panel. is there a way that VB could save all this info to a log file that cannot be 'cleaned'? in this way in the event a board is hacked, the info can be retrieved, IP, etc. let me know please.

Admin
02-24-2002, 10:43 AM
You can protect the admin log and only allow certain admins, or none at all, to prune it. This is done from config.php.

TECK
02-24-2002, 10:45 AM
i understand firefly. i was referring to the event a hacker could somehow gain access to your root.

TECK
02-24-2002, 10:50 AM
for some reason, i still believe this was done from outside, not on the root. ptbyjason told me that all the hacker did was to show his hidden forums and delete the admin accounts and reinstate himself as admin. apparently, ptbyjason's site is very successful; his competition called his provider and requested to have his site taken down. his site is:
http://www.anabolicreview.com

if the hacker had access to the root, he would delete the whole site; it's simpler and more efficient. what do you think?

JamesUS
02-24-2002, 11:16 AM
It's quite unlikely it was done from the outside, unless an older version of vBulletin was being used. The hacker may have had a reason to only do certain things rather than trash the whole forum...but we certainly don't know of any security risks with the latest vBulletin.

One way to find out would be to look at the apache server logs to see if any vb scripts were exploited to gain access...it's not a sure-fire way of telling but if it was done from the outside it was likely to be through that.

Also make sure that only scripts running on the local server can access MySQL...that's a huge security risk if that isn't the case. Check that out with the host to make sure that couldn't have been what happened.
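Following JamesUS's suggestion to look at the Apache logs, here is an added example (not vBulletin's code and not from the thread) of a small PHP command-line script that reads a combined-format access log, counts requests into the admin directory per client address, and flags two things worth a closer look: a direct request for admin/config.php, which normal use never produces because the file is only ever included by other scripts, and admin requests from an address the board owner does not recognise. The sample log lines, the /forum/admin/ prefix, the 203.0.113.7 "known admin" address and the file name scan_admin_log.php are constructed assumptions.

```php
<?php
// Added example, not vBulletin's own code: scan an Apache "combined" access
// log for requests into the forum's admin directory, so a break-in leaves a
// trail outside the board's own (prunable) admin log.
// Run as:  php scan_admin_log.php /path/to/access_log   (file name is hypothetical)

// Constructed sample lines, used when no log file is given on the command line.
$sample_log = <<<LOG
203.0.113.7 - - [24/Feb/2002:03:12:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Feb/2002:03:12:09 +0000] "GET /forum/admin/index.php HTTP/1.1" 200 2100 "-" "Mozilla/4.0"
198.51.100.23 - - [24/Feb/2002:03:14:44 +0000] "GET /forum/admin/config.php HTTP/1.1" 200 0 "-" "curl/7.9"
198.51.100.23 - - [24/Feb/2002:03:14:50 +0000] "POST /forum/admin/user.php HTTP/1.1" 200 1800 "-" "curl/7.9"
192.0.2.1 - - [24/Feb/2002:03:20:00 +0000] "GET /forum/showthread.php?threadid=35339 HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
LOG;

// Admin directory and the addresses the owner normally administers from
// (hypothetical values; adjust to your install).
$admin_prefix   = '/forum/admin/';
$known_admin_ips = array('203.0.113.7');

// Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
$pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

$lines = ($argc > 1) ? file($argv[1]) : explode("\n", $sample_log);

$hits_by_ip = array();
$alerts     = array();
foreach ($lines as $line) {
    if (!preg_match($pattern, trim($line), $m)) {
        continue; // not a combined-format line
    }
    list(, $ip, $when, $method, $path, $status, $agent) = $m;
    if (strpos($path, $admin_prefix) !== 0) {
        continue; // only requests into the admin directory matter here
    }
    if (!isset($hits_by_ip[$ip])) {
        $hits_by_ip[$ip] = 0;
    }
    $hits_by_ip[$ip]++;

    // config.php is meant to be included, never requested directly.
    if (strpos($path, $admin_prefix . 'config.php') === 0) {
        $alerts[] = "$when $ip requested config.php directly (status $status, agent \"$agent\")";
    }
    // Admin activity from an address the owner does not recognise.
    if (!in_array($ip, $known_admin_ips)) {
        $alerts[] = "$when $ip $method $path from unknown address (status $status)";
    }
}

foreach ($hits_by_ip as $ip => $n) {
    echo "$ip: $n admin request(s)\n";
}
foreach ($alerts as $a) {
    echo "ALERT: $a\n";
}
?>
```

On the constructed sample the script reports one admin request from 203.0.113.7 and two from 198.51.100.23, and raises three alerts for the latter address (the direct config.php request plus two requests from an unknown address). Web server logs are written by the server, not by the board, so an admin-level intruder who prunes the vBulletin admin log cannot clean them from the control panel.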

TECK
02-24-2002, 11:32 AM
ptbyjason had 2.03 installed. i got him upgraded to 222. he downloaded the latest version himself from the vb.com members area.
do you know if he opened a support ticket for this matter?

Wolf42
02-24-2002, 01:03 PM
Originally posted by PPN
Simpliest way to do something like this is use

if(!strstr("$_SERVER[PATH_TRANSLATED]", "$_SERVER[DOCUMENT_ROOT]")) {
die();
}


Hhmmm....
If I add this on top of my config.php the only thing that happens is that it is shown in the header. :(

And this error will be shown:
if(!strstr("$_SERVER[PATH_TRANSLATED]", "$_SERVER[DOCUMENT_ROOT]")) { die(); }
Warning: Cannot add header information - headers already sent by (output started at /home/www/*****/forum/admin/config.php:5) in /home/www/*****/forum/admin/functions.php on line 1603

Sorry for editing the real Server-Path ;)

Scott MacVicar
02-24-2002, 01:11 PM
this presumes you're running php 4.1.0 or greater

you'll need to use $HTTP_SERVER_VARS instead of $_SERVER

Scott MacVicar
02-24-2002, 01:11 PM
em, one question: you're adding this below the <? tags, right?

Wolf42
02-24-2002, 01:32 PM
No, on the top of the file.

If adding after "<?php", same error.

Wolf42
02-24-2002, 01:40 PM
Just checked, PHP 4.0.6 is running.

Scott MacVicar
02-24-2002, 03:36 PM
ok the top of config.php should look like

<?php

if(!strstr("$HTTP_SERVER_VARS[PATH_TRANSLATED]", "$HTTP_SERVER_VARS[DOCUMENT_ROOT]")) {
die();
}
/////////////////////////////////////////////////////////////
// Please note that if you get any errors when connecting, //
// that you will need to email your host as we cannot tell //
// you what your specific values are supposed to be //
/////////////////////////////////////////////////////////////
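A fuller version of PPN's guard, as an added example that is neither vBulletin's own code nor code from the thread. It keeps the same document-root test but works on PHP 4.0.x (where only $HTTP_SERVER_VARS exists, the problem Wolf42 hit) as well as 4.1 and later, falls back to SCRIPT_FILENAME where PATH_TRANSLATED is not populated, fails closed when either value is missing, and adds a second layer based on a constant (VB_ADMIN_INCLUDE is a hypothetical name) that every admin script which includes config.php would have to define first, otherwise the control panel stops working. Everything sits inside the <?php tag, which is what the "headers already sent" warning earlier in the thread was about. As PPN and JamesUS note, none of this helps against someone who can simply read the file on the same shared server.

```php
<?php
// Added example, not vBulletin's or the thread's own code: a direct-access
// guard for admin/config.php. It must be the first thing *inside* the
// <?php tag; anything placed before the tag is sent to the browser as
// literal text, which is what triggers "headers already sent".

// $_SERVER exists from PHP 4.1.0; PHP 4.0.x only has $HTTP_SERVER_VARS.
if (isset($_SERVER) && is_array($_SERVER)) {
    $vb_server = $_SERVER;
} else {
    $vb_server = $HTTP_SERVER_VARS;
}

// PATH_TRANSLATED is not populated by every server/SAPI combination;
// SCRIPT_FILENAME is the more reliable filesystem path of the running script.
$vb_script_path = '';
if (!empty($vb_server['PATH_TRANSLATED'])) {
    $vb_script_path = $vb_server['PATH_TRANSLATED'];
} elseif (!empty($vb_server['SCRIPT_FILENAME'])) {
    $vb_script_path = $vb_server['SCRIPT_FILENAME'];
}
$vb_doc_root = isset($vb_server['DOCUMENT_ROOT']) ? $vb_server['DOCUMENT_ROOT'] : '';

// Same test as the thread's snippet, but as a prefix match and failing
// closed: if either value is missing we refuse rather than let it through.
if ($vb_doc_root == '' || $vb_script_path == ''
    || strpos($vb_script_path, $vb_doc_root) !== 0) {
    die();
}

// Second layer, independent of server variables: config.php may only be
// *included* by a script that declared this constant beforehand.
// VB_ADMIN_INCLUDE is a hypothetical name; each admin script that pulls in
// config.php would need  define('VB_ADMIN_INCLUDE', 1);  before the include.
if (!defined('VB_ADMIN_INCLUDE')) {
    die();
}

// ... the normal vBulletin configuration values follow here ...
?>
```

The prefix match (strpos(...) === 0) is slightly stricter than the original strstr, which would also accept a document-root string appearing somewhere in the middle of the path. Whichever variant is used, a request for config.php from a browser produces an empty page, while a script that reads the file as plain text on the same host is unaffected.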

ptbyjason
02-25-2002, 01:53 AM
Reading over this, I appreciate the thought that went into it.

I now know who and why they did this to our vbulletin. nakkid knows the details of it and I am sure the proper people will know. It could have been a database hack or a hack into vbulletin since it was 2.03. I don't know. I still want to believe it was a database hack, but the time frame between this guy getting mad and the time that he hacked the website was very short. Whatever it was, he did it fast, got in, and then got out. We will be checking the logs tomorrow and hopefully will have more detail on what happened. I will inform nakkid and if James, PPN, or Firefly want to know you can get in touch with me or get in touch with Nakkid. Either way, I just don't want this to happen to anyone again. I will be in touch about it as soon as I find out how he got in.

eva2000
02-25-2002, 03:13 AM
also update your IE browsers for the latest security bug fixes; some are pretty nasty and could expose your entire hard drive to crackers...

i.e.

Another IE security/critical update patch here http://www.microsoft.com/windows/ie/downloads/critical/q318089/default.asp


Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files

Technical description:


Frames are used in Internet Explorer to provide for a fuller browsing experience. By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame.

A malicious user could exploit this vulnerability by using scripting to extract the contents of frames in other domains, then sending that content back to their web site. This would enable the attacker to view files on the user's local machine or capture the contents of third-party web sites the user visited after leaving the attacker's site. The latter scenario could, in the worst case, enable the attacker to learn personal information like user names, passwords, or credit card information.

In both cases, the user would either have to go to a site under the attacker's control or view an HTML email sent by the attacker. In addition, the attacker would have to know the exact name and location of any files on the user's system. Further, the attacker could only gain access to files that can be displayed in a browser window, such as text files, HTML files, or image files.


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-009.asp


Tools -> Windows Update -> Product Updates -> Check Critical Updates -> Download

which will download and install the latest bug fixes for IE browsers ;)

Wolf42
02-25-2002, 06:59 AM
Thanks! Now it's working. :D

ptbyjason
02-25-2002, 11:27 AM
If anyone is from Sweden or can speak Swedish, we could use your help if you would like to help us find this guy. We just need a little bit of help. We have a lot of the info on him already, but we don't speak the language.

Thanks,
Jason

Scott MacVicar
02-26-2002, 03:10 PM
I got those patches last week eva, there seems to be a new one from Micro$soft every couple of months, I'm glad that Bill decided to focus on security :D

TECK
02-26-2002, 11:00 PM
thanks alot for the info.

Watched
08-20-2006, 02:07 AM
i hate to drudge up an old topic.. but i've recently had the same problem with a member of mine hacking the crap outta my forum.. so i was wondering.. what are the minimum chmod values i should have set per file to keep .. users.. out.. and.. if i were to go into cpanel and simply pass protect the entire admincp directory.. would that do the same as listed above since it requires me to login now not only to the acp but also to the pass protected directory before i can ever see the acp?

Shazz
08-20-2006, 03:03 AM
This doesn't even have an effect anymore on what we use now..