Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
  #1  
Old 06-29-2009, 10:54 AM
DragonBlade's Avatar
DragonBlade DragonBlade is offline
 
Join Date: May 2006
Posts: 189
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Bugs, malware, and viruses, oh my!

All righty, I must be missing something here. I keep on reading a bunch of threads here at vB.org about people having their forum site "infected" with something or another, and I'm wondering just how it's possible. I mean, let's subtract the Windows servers from the equation, because they don't count. Let's focus on people running a LAMP stack, here.

How does a WEBSITE get "infected?" I mean, there aren't any Linux viruses out there in the wild that I've ever come across. I've been running Linux on my home computer for many years now, and the only stupid things that happen to it are the stupid things I do to it. XP

Could someone explain to me in simple terms how a virus can get embedded into a website? I just don't get it.
Reply With Quote
  #2  
Old 06-30-2009, 02:11 AM
jchamber2010 jchamber2010 is offline
 
Join Date: Mar 2009
Posts: 50
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I'd actually like to hear how this is possible as well, I always thought that files on a website were read-only by clients, and not writeable unless you have access to either FTP, or the server itself... This could be a major security risk for some popular websites if this ever did happen.
Reply With Quote
  #3  
Old 06-30-2009, 04:39 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Most of the time, malicious code (JavaScript) in injected inside a page, this is called XSS (Cross Site Scripting).

The code can get there through the display of user submitted content. If the input is cleaned of bad HTML before being displayed, the output is generally safe, but if not, that content could be interpreted by the browser as HTML. Thankfully, vBulletin has plenty of documentation on input cleaning, and most modification authors adhere to using these APIs.

There are other methods of injecting malicious code, but that gets a little more complex.
Reply With Quote
  #4  
Old 06-30-2009, 02:12 PM
DragonBlade's Avatar
DragonBlade DragonBlade is offline
 
Join Date: May 2006
Posts: 189
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

XSS usually consists of injecting JavaScript and HTML into an application, though, right? If we clean our content properly, I just don't really see much of a threat from it. The way I learned scripting, anytime anywhere that you allow a user to input content, you make sure that the content can't harm your application. And with vBulletin datamanagers, pretty much everything is cleaned unless you specify it NOT to be, right? Not to mention you can choose the type of verification needed, or even make your own verification functions for the datamanagers.
Reply With Quote
  #5  
Old 07-01-2009, 05:02 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by DragonBlade View Post
XSS usually consists of injecting JavaScript and HTML into an application, though, right?
Pretty much. The problem arises when modifications do not properly clean input and thus, allow malicious code to the run. SQL injection is also another problem, allowing hackers to inject malicious code into templates. However, there are more problems to worry about than just your templates if an injection vulnerability is present.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:12 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06372 seconds
  • Memory Usage 2,188KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (5)post_thanks_box
  • (5)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (5)post_thanks_postbit_info
  • (5)postbit
  • (5)postbit_onlinestatus
  • (5)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete