MyBB Community Forums

Full Version: Discuss: MyBB RC4 Security Update [16/08/05]
Sorry mate, doesn't work at all. That was patched in the previous security update.
Ok. The developers have had a report from your post n00b2kill. Yes, that may be how it happened. But one of the two security patches released lately fixes that. MyBB 1.0 should also fix most, if not all, holes where hackers could get in via SQL attacks.
Anyone had this guy attack them yet?
I just applied the patches because of that. No data lost, better late than never I guess *blush*
I was attacked too with the trick of the slash and asterisk. I seriously guess this f****ing lamer hides in this forum. >:|
Hi, it's me again.
Well, each time I post in this forum I have a very bad feeling...
The myBB forum database on my page has been TRUNCATED...

I have asked you in my previous posts if it were possible to disable SQL injections at all? Now I can give you an answer: YES, damn it! There are a lot of ways, the simplest one is to pass SQL query args through mysql_real_escape_string() (RTFM at php.net). A good practice is to have a database layer object which generates and executes queries instead of using mysql_query() from everywhere around your program.

You have already experienced security problems with SQL injections, and you are still closing those holes all around your software and waiting for new ones. Can't you do something to avoid that?

The forum on my page is about 4 years old, 3 of them were spent under phpBB. Then it was hacked. SQL injection hole in phpBB. I have spent about 20 hours writing a migration script that imported all threads and posts from phpBB into myBB with a good hope that myBB would be more secure. After that my "poor" forum has been hacked/defaced 3 TIMES WITHIN A YEAR! Is myBB really more secure than phpBB?

Since the last security problems (for about a year) the phpBB team has rewritten its database security concept in order to avoid SQL injections.

I don't see any reason to keep using myBB at the moment. It's nice, friendly, powerful, really a great job, but it is still insecure.

Thank you for the software I've used, you have done great work writing it! Pay more attention to security aspects and you will have the best open source forum in the world!

Kind regards.

P.S. There is a more correct name for the people doing those bad and stupid things: script kiddies. One as##ole with PHP programming experience finds security holes in software and posts an exploit at the script kiddie forums (they loudly call themselves "underground" or even "hackers"). Thousands of such "underground hackers" download the script and attack all sites they can find. The only thing they mostly have to do is to change the target URL and press the ENTER key. Their knowledge ends at that point.

And about "hackers". I can't say that better than Linus Torvalds:
Quote: "...but the original hackers were researchers, students, engineers, and other computer professionals who formed informal circles in which to exchange ideas, promote knowledge, solve problems, and advance the science and the art of programming".
Quote: I have asked you in my previous posts if it were possible to disable SQL injections at all? Now I can give you an answer: YES, damn it! There are a lot of ways, the simplest one is to pass SQL query args through mysql_real_escape_string() (RTFM at php.net). A good practice is to have a database layer object which generates and executes queries instead of using mysql_query() from everywhere around your program.
Yes, it's possible to close them all, however there is still the slight chance you may miss a variable or two when escaping them. I don't mean to be harsh but I'd give you a "Captain Obvious" award about the string escaping: yes, it's known and yes, we do it.

Quote: You have already experienced security problems with SQL injections, and you are still closing those holes all around your software and waiting for new ones. Can't you do something to avoid that?
It's called MyBB 1.0 PR2 and it's been released for a while now. We're not to be held responsible if you don't check back on these forums for updates.

Quote: The forum on my page is about 4 years old, 3 of them were spent under phpBB. Then it was hacked. SQL injection hole in phpBB. I have spent about 20 hours writing a migration script that imported all threads and posts from phpBB into myBB with a good hope that myBB would be more secure. After that my "poor" forum has been hacked/defaced 3 TIMES WITHIN A YEAR! Is myBB really more secure than phpBB?
The thing is, you seem to be missing the idea of "Release Candidate" software. There are bugs; when we find out about them we patch them, and that is usually before the bugs are publicly released. It's once again your job to check back here for updates.
Have you missed my sentence about the database layer? I'll try to expand on it.
There must be an object that opens the database connection, prepares queries and executes them. All other classes derive from that object.

What can such an object look like?
There must be three methods:
1. Open database connection
2. Prepare SQL query
3. Execute SQL query
Method 2 can be something like the following:
PHP Code:
<?php
class Db {
  /*
   * This method passes variables to a pre-defined query template and
   * returns a safe query.
   * @param int   $query_nr  Number of pre-defined query template
   * @param mixed ...        All variables to pass to the template
   * @return string Safe query
   */
  function prepareQuery($query_nr){
    // Read query template
    switch($query_nr){
      case 1: $query="SELECT * FROM user WHERE id = \\arg1\\";
      break;
      case 2: $query="SELECT se.* FROM session se LEFT JOIN user us ON us.id = se.user_id WHERE us.login = '\\arg1\\' AND us.password=MD5('\\arg2\\')";
      break;
    }
    // Pass arguments to the query; $argv[0] is $query_nr, so start at 1
    $argv=func_get_args();
    $argc=func_num_args();
    for($i=1;$i<$argc;$i++){
      $arg=mysql_real_escape_string($argv[$i]);
      $query=str_replace("\\arg$i\\",$arg,$query);
    }
    return $query;
  }
}

A call to such a method will look like:
PHP Code:
$query=$db->prepareQuery(1, 124);
// Will return: SELECT * FROM user WHERE id = 124

$query=$db->prepareQuery(2, "foo", "bar");
// Will return: SELECT se.* FROM session se LEFT JOIN user us ON us.id = se.user_id WHERE us.login = 'foo' AND us.password=MD5('bar')

If you use ONLY that method to generate queries, then you get 100% insurance against SQL injections.
Don't forget: you don't need magic_quotes_gpc anymore. Check if the server has it "On": if yes, unescape all GPC vars recursively.

I have implemented that concept in my new development version; here was only the simplified example. If you are good with OOP in PHP then you can use the full power of it (like, for example, passing the database connection as a reference to all child methods). Also, you can create some "basic query" classes like getList($table_name, $where, $limit, $order) or loadObject($table_name, $id) and so on...

Greets.
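The query-template layer described in this post, as an added example that is not the poster's code and not part of MyBB: Python with sqlite3, where the driver's parameter binding replaces the escape-and-str_replace step. The QueryLayer class, the sample tables and rows are constructed here, and template 2 compares a stored hash instead of calling MD5(), which SQLite lacks.

```python
import sqlite3

# Constructed sample schema and rows for this example (not from the post);
# 'hashed-bar' stands in for whatever password hash the real layer stores.
SAMPLE_SQL = """
CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
CREATE TABLE session (id INTEGER PRIMARY KEY, user_id INTEGER, token TEXT);
INSERT INTO user VALUES (124, 'foo', 'hashed-bar');
INSERT INTO user VALUES (125, 'O''Brien', 'hashed-x');
INSERT INTO session VALUES (1, 124, 'tok-foo');
INSERT INTO session VALUES (2, 125, 'tok-obrien');
"""

# Numbered templates as in the post, but with driver placeholders ('?')
# instead of \argN\ tokens that get text-substituted into the SQL string.
TEMPLATES = {
    1: ("SELECT * FROM user WHERE id = ?", 1),
    2: ("SELECT se.* FROM session se LEFT JOIN user us ON us.id = se.user_id "
        "WHERE us.login = ? AND us.password = ?", 2),
}


class QueryLayer:
    """The one object through which every query is prepared and executed."""
    def __init__(self, conn):
        self.conn = conn

    def run(self, query_nr, *args):
        sql, nparams = TEMPLATES[query_nr]
        if len(args) != nparams:
            raise ValueError(f"template {query_nr} takes {nparams} args, got {len(args)}")
        # Values travel separately from the SQL text, so a quote or keyword
        # inside them cannot change the statement. This also covers the
        # unquoted numeric slot in template 1, which escaping alone does not.
        return self.conn.execute(sql, args).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    db = QueryLayer(conn)
    by_id = db.run(1, 124)
    # A login containing a quote is plain data; no escaping step is needed.
    obrien = db.run(2, "O'Brien", "hashed-x")
    try:  # one argument short: refuse rather than run a half-filled template
        db.run(2, "foo")
        arity_checked = False
    except ValueError:
        arity_checked = True
    return by_id, obrien, arity_checked
```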
Quote: Have you missed my sentence about the database layer? I'll try to expand on it.
There must be an object that opens the database connection, prepares queries and executes them. All other classes derive from that object.
You mean what's in db_mysql.php at the moment? Right now it doesn't do full abstraction and such, but we're moving towards it (as you can see by the update_query and insert_query functions inside the class which build updates and inserts).

The same goes for slashing, at the moment we're only using addslashes() however in 1.1 we'll be moving to an abstracted version of mysql_real_escape_string for when querying.

We're moving toward full abstraction, further use of OOP in some circumstances, and hopefully toward a board which can use the features introduced in PHP5 for data handling, as well as supporting PHP4 in a compatibility mode.

By the way, sorry if I seemed harsh with my earlier reply.
Nothing is 100% secure, though... it's when you start thinking that it is that quality control and security performance are harshly penalised.