#1
09-05-2006, 07:12 PM
TeaTree
Join Date: May 2005
Location: England
Posts: 100
The top x stats fix hasn't worked

Even though the top x stats was updated yesterday with the apparent fix, users are still managing to re-direct via them.

Why please?

Thanks,

Sam
#2
09-05-2006, 07:52 PM
The Finman
Join Date: Jun 2006
Posts: 78

It looks like they have been modifying their scripts.

We had one script kiddie try 3 variations of the meta refresh script. I assume the variations are designed to get by patches for the original.

I added my own fix in addition to cyb-advanced stats (basically the same as TopX Stats).

I simply went to vBulletin Options --> Censorship Options --> Censored Words and add these to your list of censored words.

Code:
content=0 content="0 LANGUAGE= JavaScript {meta} >> >>> >>>> >>>>> >>>>>> {http-equiv} "Refresh" """"

Even though they varied their scripts in order to get by the cyb-advanced stats and TopXStats patches the above fix still stripped out their variables and they have all left in a great big script kiddie huff. :laugh:

You know?...actually calling these lamers "script kiddies" is overrating their pathetic abilities.

Anyone using FlashChat needs to upgrade to version 4.6.2 and delete everything in your cmses (chat/inc/cmses/) directory EXCEPT the version of vBulletin you are using (if you are using 3.6 then you want to LEAVE vbulletin36CMS.php, etc.). Especially delete anything that says aedating in its title as it has a serious security flaw in that file.

Also, if you are running Apache then you can use an .htaccess file and add it to the cmses directory.

The .htaccess file should contain the following inside of it

Code:
Order Deny,Allow
Deny from all

Read more about using .htaccess here: http://httpd.apache.org/docs/1.3/mod/mod_access.html

Also, something to think about is that a lot of people have "test" forums on their servers to try out new hacks and upgrades before installing them on their "live" board. Please remember that if you installed Cyb-Advanced Stats, TopXStats or FlashChat on your test board and they are still on there or unpatched then you are still at risk, especially with FlashChat as they are gaining directory access through holes before 4.6.2.

So to recap...if you have Cyb - Advanced Forumhome Statistics 3.6.0 or 3.5.4 please update your version.

If you have Top "X" Stats 3.5.4 or 3.0.0 please update your version

If you have FlashChat please update it to 4.6.2

I also recommend adding this quick but highly effective fix.

Quote:
Go to vBulletin Options --> Censorship Options --> Censored Words and add these to your list of censored words.

Code:
content=0 content="0 LANGUAGE= JavaScript {meta} >> >>> >>>> >>>>> >>>>>> {http-equiv} "Refresh" """"

There are other "fixes" available such as vB 3.6.0 Disallow HTML code in Thread Titles, but the above doesn't require any template edits, and like I said has stopped all variations cold.

If you have been hit with these exploits (and you are able to log into your AdminCP)...go to vBulletin Options ---> Plugin/Hook System--->Enable Plugin/Hook System=NO and use the guides I have listed above.

Hope this helps.
#3
09-05-2006, 08:15 PM
TeaTree
Join Date: May 2005
Location: England
Posts: 100

Thanks,

It has helped a lot

#4
09-05-2006, 08:32 PM
optrex
Join Date: Sep 2005
Posts: 344

It does seem a bit of a weak fix just relying on censored words. Easy to get round, if they happen to read the vb.org forum !!!

....might be kiddies this time, what happens if you get someone that knows what they are doing next time?
#5
09-05-2006, 08:57 PM
The Finman
Join Date: Jun 2006
Posts: 78

Quote:
Originally Posted by optrex
It does seem a bit of a weak fix just relying on censored words. Easy to get round, if they happen to read the vb.org forum !!!

....might be kiddies this time, what happens if you get someone that knows what they are doing next time?

All variations of that script require one or more of the words and/or characters I have listed. Those listed should not have any reasonable place on a discussion board unless it is a computer related site that deals with code. I didn't say it was a perfect fix, I said it was an effective fix. If you know of a variation of the meta refresh script that can get past it I would be more than happy to know about it.
#6
09-05-2006, 09:34 PM
optrex
Join Date: Sep 2005
Posts: 344

Not taking anything away from your fix for that particular script or variant, or indeed your own skills.

But my point is the loophole is still open for others to exploit.
Reply With Quote
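The two positions in the exchange above are filtering known tokens versus closing the hole itself; for HTML that reaches the page through a thread title, the content-independent control is encoding on output. The PHP below is an added example, not code from this thread, from vBulletin or from the stats add-ons; the function names, the simplified censor filter and the sample titles are assumptions constructed for illustration.

```php
<?php
// Added example: compares a word-list filter with output encoding for a
// thread title shown in a forum-home stats block. All names are hypothetical.

// Tokens taken from the censored-words list posted above (subset, braces dropped).
$censored = ['content=0', 'content="0', 'LANGUAGE=', 'JavaScript',
             'meta', 'http-equiv', '"Refresh"', '>>'];

// Simplified stand-in for a censor filter (assumption: each listed token is
// replaced, case-insensitively, by asterisks of the same length).
function censor_title(string $title, array $words): string
{
    foreach ($words as $w) {
        $title = str_ireplace($w, str_repeat('*', strlen($w)), $title);
    }
    return $title;
}

// Output encoding: the title is emitted as text and never parsed as markup.
function encode_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// True if the string contains something a browser could parse as a tag
// (deliberately conservative check).
function has_live_tag(string $html): bool
{
    return preg_match('/<\s*\/?[a-z!]/i', $html) === 1;
}

// Constructed sample titles: one legitimate, one carrying a refresh tag.
$titles = [
    'Patch notes >> read before upgrading',
    '<meta http-equiv="Refresh" content="0; url=http://example.invalid/">',
];

foreach ($titles as $t) {
    printf("raw      live=%d  %s\n", has_live_tag($t), $t);
    $c = censor_title($t, $censored);
    printf("censored live=%d  %s\n", has_live_tag($c), $c);
    $e = encode_title($t);
    printf("encoded  live=%d  %s\n\n", has_live_tag($e), $e);
}
```

Both approaches leave the constructed refresh tag inert, but the filter also rewrites the legitimate title, while the encoded result does not depend on which words are on the list.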
#7
09-05-2006, 10:07 PM
Paul M
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748

Also, if you can, set "register_globals = Off" in your server's php.ini file - that will stop the Flashchat exploit dead in its tracks (and close an often used/abused security issue in php).
Reply With Quote
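The host-side steps from this thread (remove unused FlashChat adapter files, deny web access to the cmses directory, turn register_globals off) can be checked with a short script. The PHP below is an added example, not code from this thread or from FlashChat; the function names and the fixture file otherCMS.php are assumptions, and the temporary fixture directory stands in for a real chat/inc/cmses/ directory.

```php
<?php
// Added example: audits the hardening steps discussed in this thread.
// Function names and the fixture below are hypothetical.

function audit_register_globals(): string
{
    // The directive was removed in PHP 5.4; ini_get() then returns false.
    $v = ini_get('register_globals');
    if ($v === false) {
        return 'OK: register_globals is not supported by this PHP build';
    }
    $on = in_array(strtolower((string) $v), ['1', 'on', 'yes', 'true'], true);
    return $on ? 'FAIL: register_globals is On' : 'OK: register_globals is Off';
}

function audit_cmses(string $dir, array $keep): array
{
    $out = [];
    foreach (scandir($dir) as $f) {
        if ($f === '.' || $f === '..' || $f === '.htaccess') {
            continue;
        }
        if (!in_array($f, $keep, true)) {
            $out[] = "FAIL: unexpected adapter file $f";
        }
    }
    // Accept the rule from the post, or its Apache 2.4 form "Require all denied".
    $ht = @file_get_contents("$dir/.htaccess");
    $deny = $ht !== false
        && preg_match('/^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$/mi', $ht);
    $out[] = $deny ? 'OK: .htaccess denies all requests'
                   : 'FAIL: no deny-all rule in .htaccess';
    return $out;
}

// Constructed fixture so the script runs offline (not a real installation).
$dir = sys_get_temp_dir() . '/cmses_demo_' . getmypid();
mkdir($dir);
touch("$dir/vbulletin36CMS.php");   // adapter named in the post for vB 3.6
touch("$dir/otherCMS.php");         // constructed name for a leftover adapter
file_put_contents("$dir/.htaccess", "Order Deny,Allow\nDeny from all\n");

echo audit_register_globals(), "\n";
echo implode("\n", audit_cmses($dir, ['vbulletin36CMS.php'])), "\n";

// Remove the fixture again.
foreach (['vbulletin36CMS.php', 'otherCMS.php', '.htaccess'] as $f) {
    unlink("$dir/$f");
}
rmdir($dir);
```

The .htaccess check only confirms the rule is present in the file; whether Apache honours it depends on the AllowOverride setting for that directory.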
#8
09-05-2006, 10:10 PM
The Finman
Join Date: Jun 2006
Posts: 78

Quote:
Originally Posted by Paul M
Also, if you can, set "register_globals = Off" in your server's php.ini file - that will stop the Flashchat exploit dead in its tracks (and close an often used/abused security issue in php).

True dat!

Thanks Paul!