I just received this message from BizWiz about how he has been hacked. He believes something he posted here might have damaged this forum. As requested, I have contacted Boonex support, but if anyone has them on an IM please also contact them so they know right away.
--------------------
My site was hacked. The exploit is documented here.
http://milw0rm.com/exploits/7931
I tried to search for it, but there was no mention on Dolphin forums.
I attempted to put the code problem in the Dolphin Forum at Boonex, and apparently caused a problem.
Please contact the engineering people at boonex and have them delete my last entry in the dolphin forums.
The content that caused the problem is an exploit. I have added the hyphens in the critical script line below.
First you must login then write new topic write in the topic -"->-<-s-c-r-i-p-t->-a-l-e-r-t-(-d-o-c-u-m-e-n-t-.-c-o-o-k-i-e-)-<-/-s-c-r-i-p-t>-
demo:
http://www.demozzz.com/orca/demo/?action=goto&topic_id=test--2009-01-30#topic/-script-alert-document-cookie-script-.htm
|
Update - Arthur says all they have to do to fix this is delete the corrupted post. |
Hahahaha, I'm laughing for two reasons:
1. All that code does is pop up a box that shows the user their cookie, no one else can see it but them so it doesn't hurt anything.
BUT
2. If it worked and the box popped up when you looked at his post that means boonex.com is vulnerable to XSS (cross site scripting) and it COULD be used for something that is dangerous.
All those updates to Dolphin to fix the security problems and their own forum still had a hole. I mean IF the box actually popped up, I didn't see his post.
|
When I clicked his post, the only thing that happened was that the body of the forum went down under the menu. Kids first |
The post that I put up, has caused a corruption of the entire thread. Until Boonex remove that entry, it will remain corrupt.
Don't take my word for it. Search google for the key word and you can read the hack.
It is not a trivial hack. Running any kind of script through a form is a serious hole.
Thank you all.
Arthur
|
killerhaai, buckmcgoo, and others. You will find the exploit detailed here.
http://milw0rm.com/exploits/7931
The mistake I made was to copy the content of that exploit into the dolphin forum tinymce text area. This caused the entire 6.1 and other forums to disappear completely.
So...be careful
Arthur
|
Boonex apparently knew of this problem. Here is code from an unaltered file in Dolphin inc/classes/BxDolGroups.php
// Ma-an it is crazy. I don't know what they'll enter in search form =)
// Our testers entered <script>alert(1)</script> it has broken everything
function unbreak_js( $sText ) {
    return str_replace( '</script>', "</scr'+'ipt>", $sText );
}
Once they remove my post with the <script>alert code, the forum will be fine, BUT they need to fix this quickly.
Arthur |
If the box didn't pop up and show you the contents of your boonex cookie then the exploit won't work here... they just have their xss "cleaner" set up wrong so that the page is broken if you try and insert a script. If you put that code somewhere and the box actually pops up then that site is running any code that is inserted into an input, which is a BAD thing. |
Can someone please tell us, where in the dolphin form posts code, preferably universally, we can add a filter that will prevent adding a -<-s-c-r-i-p-t>- of any type?
Arthur
|
To get rid of this problem replace the following code in the inc/util.inc.php file:

function prepare_to_db(&$s, $iAllowHTML = 1) {
    if ($iAllowHTML)
        cleanPost($s);
}

to this:

function prepare_to_db(&$s, $iAllowHTML = 1) {
    if ($iAllowHTML)
        cleanPost($s);
    else
        $s = strip_tags($s);
}
|
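The following is an added example, not Dolphin's code and not part of any post in this thread. It runs the payload quoted from the milw0rm post through a copy of the unbreak_js() workaround from BxDolGroups.php and through the strip_tags() branch of the prepare_to_db() change above, and sets both beside output encoding at render time. The names prepare_to_db_fixed(), render_post_text() and contains_script_tag() are chosen here for illustration; Dolphin's cleanPost() is not reproduced.

```php
<?php
// Added example, not Dolphin's code: the thread's payload run through a copy of the
// unbreak_js() workaround and the strip_tags() branch of the prepare_to_db() fix,
// next to output encoding at render time. prepare_to_db_fixed(), render_post_text()
// and contains_script_tag() are names chosen here; Dolphin's cleanPost() is omitted.

// The milw0rm payload with the hyphens removed.
$payload = '"><script>alert(document.cookie)</script>';

// Copy of the workaround from inc/classes/BxDolGroups.php: only the closing tag is
// altered, so the opening <script> tag still reaches the page. str_replace() is
// case-sensitive as well, so an upper-case </SCRIPT> passes through untouched.
function unbreak_js($sText) {
    return str_replace('</script>', "</scr'+'ipt>", $sText);
}

// The suggested fix: when HTML is not allowed, drop the tags before storing.
// (The $iAllowHTML branch would call Dolphin's cleanPost(), which is omitted here.)
function prepare_to_db_fixed(&$s, $iAllowHTML = 1) {
    if (!$iAllowHTML) {
        $s = strip_tags($s);
    }
}

// Output encoding: whatever is stored, encode it at the point it is written into HTML.
function render_post_text($sText) {
    return htmlspecialchars($sText, ENT_QUOTES, 'UTF-8');
}

// Crude check used only to compare the results below: does a raw <script start survive?
function contains_script_tag($sHtml) {
    return stripos($sHtml, '<script') !== false;
}

$stripped = $payload;
prepare_to_db_fixed($stripped, 0);

$cases = [
    'unbreak_js only'      => unbreak_js($payload),
    'strip_tags (no HTML)' => $stripped,
    'htmlspecialchars'     => render_post_text($payload),
];
foreach ($cases as $label => $result) {
    printf("%-22s %-5s %s\n", $label, contains_script_tag($result) ? 'XSS' : 'safe', $result);
}
```

Run with the PHP CLI. unbreak_js() alone leaves `"><script>alert(document.cookie)</scr'+'ipt>`, which still opens a script tag. strip_tags() leaves `">alert(document.cookie)`: the markup is gone, but the leading quote and `>` are not encoded, so text stored this way can still close an attribute if it is later placed inside one. htmlspecialchars() with ENT_QUOTES turns every `<`, `>`, `"` and `'` into an entity, which is why encoding at output is the defence to rely on whatever the stored text contains.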
Thank you SO much AlexT and Sammie for the solution code to prevent this exploit.
I apologize to all of you for cutting and pasting the malicious code into the forum. I just didn't think that it would have the effect it did. I was just trying to make the problem known, and see if someone had a way to block the hole.
Thanks to all of you for your help.
One other useful piece of information. My first line of defense was to delete the malicious user, thinking that the forum that the user was attached to would also be deleted. It was not. This is a flaw I think.
Here is what needs to be done in mysql to get rid of the actual code with a script in it:

SELECT post_id, post_text FROM pre_forum_post WHERE post_text LIKE '%<script%' AND user='THE USER NICKNAME';

Once you have identified the unique entries in mysql, DELETE that entry in order to fix the forum.
Arthur
|
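The following is an added example, not code from Dolphin or from any post in this thread. It rehearses the cleanup described above against a throwaway in-memory SQLite database so the find-then-delete sequence can be tried without touching a live site. The table and column names follow the query posted in the thread (pre_forum_post with post_id, user and post_text); the rows are constructed sample data, and find_script_posts() and delete_posts() are names chosen here.

```php
<?php
// Added example, not Dolphin code: the thread's cleanup query rehearsed against an
// in-memory SQLite database. Table and column names follow the posted query
// (pre_forum_post: post_id, user, post_text); the rows are constructed sample data.
// For MySQL, swap the DSN for 'mysql:host=...;dbname=...' and keep the statements.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE pre_forum_post (post_id INTEGER PRIMARY KEY, user TEXT, post_text TEXT)');
$insert = $db->prepare('INSERT INTO pre_forum_post (user, post_text) VALUES (?, ?)');
foreach ([
    ['alice',   'Has anyone tried the new profile module?'],
    ['mallory', '"><script>alert(document.cookie)</script>'],
    ['mallory', '"><SCRIPT>alert(1)</SCRIPT>'],   // upper case: a case-sensitive match would miss it
    ['bob',     'Thanks, that fixed it for me.'],
] as [$user, $text]) {
    $insert->execute([$user, $text]);
}

// Step 1: look before deleting. LOWER() makes the match independent of the column
// collation, and the nickname is bound as a parameter rather than pasted into the SQL.
function find_script_posts(PDO $db, $user) {
    $stmt = $db->prepare(
        "SELECT post_id, post_text FROM pre_forum_post
          WHERE LOWER(post_text) LIKE '%<script%' AND user = ?"
    );
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Step 2: delete exactly the rows reviewed in step 1, by primary key, in one transaction.
function delete_posts(PDO $db, array $postIds) {
    if (!$postIds) {
        return 0;
    }
    $db->beginTransaction();
    $stmt = $db->prepare('DELETE FROM pre_forum_post WHERE post_id = ?');
    $deleted = 0;
    foreach ($postIds as $id) {
        $stmt->execute([$id]);
        $deleted += $stmt->rowCount();
    }
    $db->commit();
    return $deleted;
}

$found = find_script_posts($db, 'mallory');
foreach ($found as $row) {
    printf("post_id %d: %s\n", $row['post_id'], $row['post_text']);
}
printf("deleted %d post(s)\n", delete_posts($db, array_column($found, 'post_id')));
printf("%d post(s) remain\n", $db->query('SELECT COUNT(*) FROM pre_forum_post')->fetchColumn());
```

Run with the PHP CLI (pdo_sqlite is bundled with most builds). On the sample rows it lists post_id 2 and 3, deletes both and leaves the two clean posts. Deleting by post_id after reviewing the SELECT output avoids removing a legitimate post that merely mentions the word script, and the LOWER() call is there because, on MySQL, whether LIKE is case-sensitive depends on the column collation.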
Is anyone at Boonex going to fix the database for this Forum. I am unable to review My Topics for any of the Forums.
Here is what needs to be done in mysql to get rid of the actual code with a script in it:

SELECT post_id, post_text FROM pre_forum_post WHERE post_text LIKE '%<script%' AND user='THE USER NICKNAME';

Once you have identified the unique entries in mysql, DELETE that entry in order to fix the forum.
Arthur
|
praveenkv1988 advises that this is an XSS attack.
I just read this.... http://ha.ckers.org/xss.html Suggest my dolphin friends do the same.
http://shiflett.org/blog/2005/dec/google-xss-example
http://www.securecomputing.com/SWAT/SWAT_web2.0ex.html
MySpace XSS Worm
A worm written to exploit an XSS vulnerability in MySpace brought the service down for nearly two days. The exploit injected JavaScript into users’ pages and when the Web page was visited the JavaScript was executed in the visitors’ browsers.

Yahoo XSS
XSS vulnerability in Yahoo tricked users to click on a booby-trapped link. After each user clicked on the link, the hacker gained access to the users’ Yahoo account including email, address book and calendar entries.

It should also be noted that a security researcher recently uncovered 40 flaws in Google’s YouTube Web site. The vast majority of these flaws were XSS issues that put users at risk of having their profiles infected with a fast-spreading worm that could potentially steal users’ credentials.
Arthur
|