Bugs, malware, and viruses, oh my!

[DragonBlade]

All righty, I must be missing something here. I keep on reading a bunch of threads here at vB.org about people having their forum site "infected" with something or another, and I'm wondering just how it's possible. I mean, let's subtract the Windows servers from the equation, because they don't count. Let's focus on people running a LAMP stack, here.

How does a WEBSITE get "infected?" I mean, there aren't any Linux viruses out there in the wild that I've ever come across. I've been running Linux on my home computer for many years now, and the only stupid things that happen to it are the stupid things I do to it. XP

Could someone explain to me in simple terms how a virus can get embedded into a website? I just don't get it.

[jchamber2010]

I'd actually like to hear how this is possible as well, I always thought that files on a website were read-only by clients, and not writeable unless you have access to either FTP, or the server itself... This could be a major security risk for some popular websites if this ever did happen.

[Dismounted]

Most of the time, malicious code (JavaScript) in injected inside a page, this is called XSS (Cross Site Scripting).

The code can get there through the display of user submitted content. If the input is cleaned of bad HTML before being displayed, the output is generally safe, but if not, that content could be interpreted by the browser as HTML. Thankfully, vBulletin has plenty of documentation on input cleaning, and most modification authors adhere to using these APIs.

There are other methods of injecting malicious code, but that gets a little more complex.

[DragonBlade]

XSS usually consists of injecting JavaScript and HTML into an application, though, right? If we clean our content properly, I just don't really see much of a threat from it. The way I learned scripting, anytime anywhere that you allow a user to input content, you make sure that the content can't harm your application. And with vBulletin datamanagers, pretty much everything is cleaned unless you specify it NOT to be, right? Not to mention you can choose the type of verification needed, or even make your own verification functions for the datamanagers.

[Dismounted]

Quote:

Originally Posted by DragonBlade

XSS usually consists of injecting JavaScript and HTML into an application, though, right?

Pretty much. The problem arises when modifications do not properly clean input and thus, allow malicious code to the run. SQL injection is also another problem, allowing hackers to inject malicious code into templates. However, there are more problems to worry about than just your templates if an injection vulnerability is present.