Payload.sh
#10
(2021-08-04, 08:55 PM)Omar G. Wrote: Which Newpoints plugins do you use? Could you share all your Page Manager pages?

I fixed the following in my OUGC Awards plugin (should be fixed in 1.8.22):
https://github.com/Sama34/OUGC-Awards/co...26b92c3432

But this would only be a threat if you don't trust your moderators, as they are the only ones that can assign a custom "reason" for awards.
I only use the standard currency for Newpoints. It doesn't have any other plugins in use on the Newpoints Plugins page.

(2021-08-04, 08:58 PM)Omar G. Wrote:
(2021-08-04, 08:34 PM)Moonface Wrote: Prior to the updates, Thread Description, Upcoming Events, and OUGC Awards were all outdated. I'm wondering if OUGC was the entry point, since it was the 1.8.3 version and the affected moderator account handed out a large number of awards to a singular user during the attack. Either that or the script wanted to be generous to a random user.

Could you share the DB rows for awards granted to that user? It might be possible this plugin is what caused the "backdoor".

But please note, for the moderator to exploit this, the moderator account should have been compromised first or the moderator should have been untrustworthy from the beginning; no bug found in the plugin up to today would grant access to accounts in any way.

Well, my moderator is my wife so I can definitely attest she is trustworthy, plus she was not online when her account was compromised. Where can I find the DB rows exactly (I'm still not very tech savvy with looking inside databases), and would the ones they had prior to the attack suffice? I removed all the extra awards they were granted during the attack.

If it's of any help, this was the website linked back to during the attack: https://payload.sh/
Universal Gaming | Let's Explore Video Games, Together


Messages In This Thread
Payload.sh - by Moonface - 2021-08-04, 12:29 PM
RE: Payload.sh - by Matt - 2021-08-04, 12:46 PM
RE: Payload.sh - by Moonface - 2021-08-04, 12:47 PM
RE: Payload.sh - by Matt - 2021-08-04, 12:49 PM
RE: Payload.sh - by Moonface - 2021-08-04, 01:08 PM
RE: Payload.sh - by Omar G. - 2021-08-04, 08:22 PM
RE: Payload.sh - by Moonface - 2021-08-04, 08:34 PM
RE: Payload.sh - by Omar G. - 2021-08-04, 08:55 PM
RE: Payload.sh - by Omar G. - 2021-08-04, 08:58 PM
RE: Payload.sh - by Moonface - 2021-08-04, 09:47 PM
RE: Payload.sh - by Omar G. - 2021-08-04, 11:18 PM
RE: Payload.sh - by Moonface - 2021-08-04, 11:40 PM
RE: Payload.sh - by Omar G. - 2021-08-05, 02:43 AM
RE: Payload.sh - by Moonface - 2021-08-05, 02:54 AM
RE: Payload.sh - by Dev0908 - 2021-08-05, 02:59 AM
RE: Payload.sh - by Lewis L - 2021-08-18, 08:22 PM
