V6 Threads Development >> Modifications
Astaran
Addict
****

Reged: 12/21/00
Posts: 1552
Loc: Germany
Finished-[6.3-6.4-6.5] Input validation mod (Security fix) 1.1.1
      #127242 - 04/20/05 12:33 PM Attachment (147 downloads)

Mod Name / Version: Input validation mod (Security fix) 1.1.1

Description: You all probably noticed that several vulnerabilities have been found in ubb.threads over the last months/weeks. Some of them have been fixed by Infopop, but that's only the tip of the iceberg.

There's no proper input validation in ubb.threads, which leaves the door wide open for SQL injections. Additionally, the output of ubb.threads isn't escaped properly either. This can be used by "hackers" to launch XSS (cross site scripting) attacks.

Both types of attacks can be used to compromise your boards, either to damage them or to gain unauthorized access.

During a security audit of ubb.threads, I found more than 10 vulnerabilities.

Infopop is aware of this problem and will "take care" of it in the next release. As this will take at least "some weeks", I created a modification that will prevent most of these attacks.

Note that all current installations of ubb.threads are vulnerable at the moment and that some exploits have already been published to security mailing lists (last one yesterday).

If the modification detects a possible attack an error message is displayed and the attack is logged to a logfile.

Working Under: UBB.Threads 6.3-6.4-6.5

Mod Status: Finished

Any pre-requisites:

Author(s): Astaran

Date: 04/20/05

Credits:

Files Altered: ubbt.inc.php

New Files: Validate.php

Database Altered: no

Info/Instructions: Note that there are three versions of this modification (depending on the ubb.threads version you're using).

Just follow the instructions in instructions.txt.

More experienced users can enhance this class to also validate variables that are used in installed hacks/modifications. See the readme.txt for details.

Disclaimer: Please backup every file that you intend to modify.

If the modification modifies the database, it's a good idea to backup your database before doing so.


Note: If you modify your UBB.Threads code, you may be giving up your right to "official" support from Infopop. If you need official support, you'll need to restore unmodified files.


Edited by Astaran (05/11/05 05:17 PM)


scroungr
Old Hand
****

Reged: 10/17/03
Posts: 2429
Loc: Richmond, VA
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Astaran]
      #127243 - 04/20/05 12:35 PM

Thanx Astaran!

--------------------
Couchtomatoe - www.couch-tomatoe.cc

My abilities are for hire for installs, upgrades, custom themes and custom modifications.



Medar
Code Monkey
****

Reged: 07/13/00
Posts: 609
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: scroungr]
      #127245 - 04/20/05 01:22 PM

Thanks Astaran! Glad to know this is being taken seriously over here.

--------------------
Medar

Bladekeep ForumsBicenet Design


AllenAyres
Wizard
****

Reged: 10/12/01
Posts: 5562
Loc: Texas
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Medar]
      #127253 - 04/20/05 11:00 PM



--------------------
- Allen

- Join Team ThreadsDev

- It's not about you.


DalantechAdministrator
Old Hand
*****

Reged: 06/24/02
Posts: 2410
Loc: Naples, Italy
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Astaran]
      #127259 - 04/21/05 12:57 AM

Excellent!

--------------------
Da LAN Tech

Network News and Reviews


AllenAyres
Wizard
****

Reged: 10/12/01
Posts: 5562
Loc: Texas
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Astaran]
      #127369 - 04/26/05 05:15 PM

Any word on an 'official' fix (6.5.2) from IP yet?

--------------------
- Allen

- Join Team ThreadsDev

- It's not about you.


ksanuk
Member


Reged: 02/06/02
Posts: 290
Loc: Bangkok, Thailand
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: AllenAyres]
      #127449 - 04/29/05 08:46 PM

Hi,

I'm running 6.4b1, so which of these 2 do I implement (attachment only has instructions for 6.3.x and 6.5.x)?

Sanuk!


Calpy
User
*****

Reged: 12/17/02
Posts: 40
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Astaran]
      #127450 - 04/29/05 08:51 PM

Thanks for the mod! I installed it, and when I peek at the logfile it looks like it's validating everything just fine, but should I clean out the logfile occasionally or something? It looks like it's gonna get pretty big as the days go by.

DLWebmaestro
Addict
***

Reged: 01/16/03
Posts: 1696
Loc: North Carolina
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: AllenAyres]
      #127451 - 04/30/05 12:56 AM

Quote:

AllenAyres said:
Any word on an 'official' fix (6.5.2) from IP yet?

Beta testers are currently testing 6.5.2b1, which addresses many security issues.

--------------------
ThreadsDev 2003 Member Spotlight Winner

JoshPet was here.

Miserable Failure


Astaran
Addict
****

Reged: 12/21/00
Posts: 1552
Loc: Germany
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: ksanuk]
      #127490 - 05/02/05 05:46 AM

Quote:

ksanuk said:
Hi,

I'm running 6.4b1, so which of these 2 do I implement (attachment only has instructions for 6.3.x and 6.5.x)?

Sanuk!

If you're able to modify the hack a bit you can take the version for 6.5.x. Use the Validate.php from version 6.5, but the installation instructions from 6.3.x.
Install it, but run it with
define('ABORT_ON_ERROR',false);
for some days. Browse the logfiles and look for unknown parameters. You can manually add them into the validation script. See the readme.txt for further details.

If you're not able to modify it yourself, send over the logfile and I'll have a look at it.

--------------------
Running a community? -> Keep informed and take it to the next level


Astaran
Addict
****

Reged: 12/21/00
Posts: 1552
Loc: Germany
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Calpy]
      #127491 - 05/02/05 05:47 AM

Quote:

Calpy said:
Thanks for the mod! I installed it, and when I peek at the logfile it looks like it's validating everything just fine, but should I clean out the logfile occasionally or something? It looks like it's gonna get pretty big as the days go by.

Yes, delete it from time to time. Currently, there's no mechanism to do this automatically.

--------------------
Running a community? -> Keep informed and take it to the next level


caymuc
Enthusiast
*****

Reged: 01/17/01
Posts: 449
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Astaran]
      #127499 - 05/02/05 03:25 PM

Hi,
Great script. I tried it with 6.5.1 and got an alert from the Google-Bot:

Quote:

ERROR: SECURITY ALERT: POSSIBLE XSS ATTACK DETECTED!
ERROR: Script "/Cat/0/Number/23157/page/vc/1" has been called with an invalid parameter.
ERROR: parameter named "page" with a value of "vc" contained invalid characters. Valid type is: num.
ERROR: Script has been called from: 66.249.65.206
ERROR: User agent was: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
ERROR: Referer was: 
ERROR: Full URI was: /FORUM/php/forum/showthreaded.php/Cat/0/Number/23157/page/vc/1
ERROR: END OF SECURITY ALERT.
DEBUG: Data "forumbugs" contains alphanumeric characters only. Validation was successful.

Is there anything I can do to accept this request?

My second question is:
How can you limit the logfile so that it only shows errors and not everything?
The log is increasing 10KB per minute right now!
I'd better switch logging off for a while.
Greetings
carl

--------------------
Carl

Colour-Ize-Forums (test entry: user: 'test' pw: 'test2')


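A small model of the whitelist-and-log approach described in Astaran's original post and in the ABORT_ON_ERROR log-only workflow above, run against the Googlebot request caymuc quoted. This is added example code in Python, not the mod's own Validate.php; the whitelist entries, the "alnum" type name, and the alert line format are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed whitelist in the spirit of the mod: each expected request
# parameter maps to a type name. "num" is the type visible in the thread's
# log excerpt; the other entries here are assumed for illustration.
PARAM_TYPES: Dict[str, str] = {
    "Cat": "num",
    "Number": "num",
    "page": "num",
    "Board": "alnum",
}

# Type name -> pattern the whole value must match (anchored via fullmatch).
TYPE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "num": re.compile(r"[0-9]+"),
    "alnum": re.compile(r"[A-Za-z0-9_]+"),
}


class ValidationError(Exception):
    """Raised in abort mode (the mod's ABORT_ON_ERROR = true) on a bad value."""


def validate_request(params: Dict[str, str], script: str, remote_ip: str,
                     abort_on_error: bool = True) -> Tuple[List[str], List[str]]:
    """Check every request parameter against PARAM_TYPES.

    Returns (alerts, unknown): alert log lines for values that fail their
    declared type, and the names of parameters missing from the whitelist.
    With abort_on_error=True the first bad value raises ValidationError,
    i.e. the request is refused instead of merely logged.
    """
    alerts: List[str] = []
    unknown: List[str] = []
    for name, value in params.items():
        expected = PARAM_TYPES.get(name)
        if expected is None:
            # Unknown names are recorded, never rejected: a log-only run
            # surfaces them so the admin can add them to the whitelist.
            unknown.append(name)
            continue
        if TYPE_PATTERNS[expected].fullmatch(value) is None:
            line = (f'SECURITY ALERT: script "{script}" called from {remote_ip} '
                    f'with parameter "{name}" = "{value}"; valid type is: {expected}.')
            if abort_on_error:
                raise ValidationError(line)
            alerts.append(line)
    return alerts, unknown


# Constructed request mirroring the Googlebot hit quoted in the thread.
GOOGLEBOT_PARAMS = {"Cat": "0", "Number": "23157", "page": "vc"}
```

Successful validations produce no output at all, which is the behaviour caymuc asked for and the later 1.1.0 release describes as its default.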
AllenAyres
Wizard
****

Reged: 10/12/01
Posts: 5562
Loc: Texas
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: DLWebmaestro]
      #127505 - 05/02/05 08:03 PM

Quote:

DLWebmaestro said:
Quote:

AllenAyres said:
Any word on an 'official' fix (6.5.2) from IP yet?

Beta testers are currently testing 6.5.2b1, which addresses many security issues.

Oh really? Odd how the .threads beta testers know nothing of that.

--------------------
- Allen

- Join Team ThreadsDev

- It's not about you.


DLWebmaestro
Addict
***

Reged: 01/16/03
Posts: 1696
Loc: North Carolina
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: AllenAyres]
      #127506 - 05/02/05 08:31 PM

Yes, really.

I was not aware Infopop still had a separate beta group for .threads. And if they don't know about it, then I agree, that is odd.

--------------------
ThreadsDev 2003 Member Spotlight Winner

JoshPet was here.

Miserable Failure


ksanuk
Member


Reged: 02/06/02
Posts: 290
Loc: Bangkok, Thailand
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Astaran]
      #127511 - 05/02/05 09:07 PM

Hi,

"If you're not able to modify it yourself, send over the logfile and I'll have a look at it. "

Thanks, but seeing that I am leaving on a vacation in about 16 hrs I think this will have to wait until after I get back.

Sanuk!


Astaran
Addict
****

Reged: 12/21/00
Posts: 1552
Loc: Germany
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: caymuc]
      #127522 - 05/03/05 11:13 AM

Quote:

caymuc said:
Hi,
Great script. I tried it with 6.5.1 and got an alert from the Google-Bot:
...

Is there anything I can do to accept this request?

My second question is:
How can you limit the logfile so that it only shows errors and not everything?
The log is increasing 10KB per minute right now!
I'd better switch logging off for a while.
Greetings
carl

I'll release a new version on Thursday that will address both of them.
It isn't possible in the current version.
The new version will also include a version for ubb.threads 6.4.2.

--------------------
Running a community? -> Keep informed and take it to the next level


Astaran
Addict
****

Reged: 12/21/00
Posts: 1552
Loc: Germany
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Astaran]
      #127586 - 05/05/05 05:13 PM

I updated the mod with a new version.

Changes in version 1.1.0:

- added a version for ubb.threads 6.4.x
- fixed several small bugs in the validation routines and added some new parameters
- changed the logging so that only errors and unknown variables are logged by default
- added an option to notify you by mail of possible attacks or unknown vars (disabled by default, see the instructions.txt for details on how to enable it)
- the error message is a lot nicer now and includes some extra information
- explained the configuration options in instructions.txt

--------------------
Running a community? -> Keep informed and take it to the next level


Astaran
Addict
****

Reged: 12/21/00
Posts: 1552
Loc: Germany
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Astaran]
      #127594 - 05/06/05 05:57 AM

Upgrade instructions if you already have version 1.0 running:

1. Extract the zip file and open the Validate.php that fits your ubb.threads version.

2. Adjust the path to the logfile like you did during the initial installation.

3. Optionally change the settings (see instructions.txt for a list of configuration options).

4. Upload the new Validate.php to your server.

You don't need to alter ubbt.inc.php during the upgrade.
It's a good idea to delete the logfile to start fresh before doing the upgrade.

--------------------
Running a community? -> Keep informed and take it to the next level


SchoolScandals
Journeyman


Reged: 07/27/02
Posts: 130
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: Astaran]
      #127603 - 05/06/05 05:55 PM

Hmm. Any idea why everything on my page is now coming up blank? http://www.schoolscandals.com

SchoolScandals
Journeyman


Reged: 07/27/02
Posts: 130
Re: Finished-[6.3-6.5] Input validation mod (Security fix) [Re: SchoolScandals]
      #127605 - 05/06/05 06:54 PM

Fixed it, I think.

I had 7 occurrences of "return $thisvar;"
so I just left out the last one.

edit: how can I test the log? I want to make sure I got everything right.

Edited by SchoolScandals (05/06/05 06:55 PM)


Content ©2003-2006 ThreadsDev.NET
Powered By UBB.threads™ 6.5.5