Ythan
ᕕ( ᐛ )ᕗ
Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Security Notification * 10
#22076587 - 08/11/15 02:06 PM (8 years, 5 months ago)

So, I wanted to let everybody know that we've discovered (and fixed) a couple vulnerabilities with the message board. They may have exposed posts which you intended to be private. Basically, by combining two different and unrelated bugs, it was possible to retrieve posts from forums which normally have restricted access. If you posted in a forum which you believed to be exclusive (eg. the Supporters Forum, Gathering and Travel, etc.) it's possible your post could have been seen by someone it was not intended for if they were intentionally abusing these bugs. The problem has existed for a little under a year.

To the best of our knowledge only the staff and the Moderator forum have been targeted, but technically any forum could have fallen victim to this exploit. We are notifying our members in the interest of full disclosure, but you don't have to do anything right now. The bugs have been fixed and the fallout is mostly affecting our staff. We sincerely apologize for this lapse in security and I'll be glad to answer any questions you guys may have.


PLURAL
PLUR
Registered: 01/16/14
Posts: 31,320
Loc: PLUR
Re: Security Notification [Re: Ythan] * 5
#22076672 - 08/11/15 02:24 PM (8 years, 5 months ago)

Thank you for keeping the site secure.

We appreciate it.


--------------------
PLUR


Soulidarity
With Your Halo Slippin . . .
Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Re: Security Notification [Re: PLURAL] * 4
#22076697 - 08/11/15 02:30 PM (8 years, 5 months ago)

This is fully like CIA level deepness

What makes a talk real? It is this kind of stuff that makes a talk real


--------------------

R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.


emf
#14
Registered: 11/06/10
Posts: 14,756
Re: Security Notification [Re: PLURAL] * 10
#22076731 - 08/11/15 02:39 PM (8 years, 5 months ago)

Quote:

Treant said:
Thank you for keeping the site secure.

We appreciate it.




You will never be a Shroomery moderator.


larry.fisherman
shoulda died already
I'm a teapot
Registered: 11/03/12
Posts: 36,294
Re: Security Notification [Re: emf] * 1
#22076748 - 08/11/15 02:45 PM (8 years, 5 months ago)

emf's right guys

ythan, thanks for being on the ball


SOLID BASTARD
Hella Vampires
Registered: 08/04/08
Posts: 5,087
Loc: 127.0.0.1
Re: Security Notification [Re: Ythan] * 1
#22076958 - 08/11/15 03:29 PM (8 years, 5 months ago)

I'm going to guess enhanced mouseover preview was exploited, it's happened in a few different ways at this point.  Just curious, obviously security through obscurity is the policy, but if you can speak to what was exploited I am curious.  Thanks Ythan, transparency regarding security issues is rarely a priority on the web because of the appearance of vulnerability most tech admins imagine would be created by admitting a vuln was found (which is sometimes true, depending on the userbase), but the honesty is always appreciated. :hatsoff:


cronicr
Registered: 08/07/11
Posts: 61,436
Loc: Van Isle
Re: Security Notification [Re: SOLID BASTARD]
#22079571 - 08/12/15 12:47 AM (8 years, 5 months ago)

:cheers:


--------------------

It doesn't matter what i think of you...all that matters is clean spawn

I'm tired do me a favor


PanzerCubed
Registered: 11/22/12
Posts: 2,285
Loc: Nauru
Re: Security Notification [Re: cronicr]
#22079950 - 08/12/15 05:20 AM (8 years, 5 months ago)

:fedora:


--------------------
Trade List - updated 16/10/15/


Ythan
ᕕ( ᐛ )ᕗ
Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Re: Security Notification [Re: SOLID BASTARD] * 3
#22088356 - 08/13/15 05:43 PM (8 years, 5 months ago)

Quote:

SOLID BASTARD said:
I'm going to guess enhanced mouseover preview was exploited, it's happened in a few different ways at this point.  Just curious, obviously security through obscurity is the policy, but if you can speak to what was exploited I am curious.  Thanks Ythan, transparency regarding security issues is rarely a priority on the web because of the appearance of vulnerability most tech admins imagine would be created by admitting a vuln was found (which is sometimes true, depending on the userbase), but the honesty is always appreciated. :hatsoff:




Any "security through obscurity" is just because our BB started as a commercial product which we don't have permission to redistribute. Our CMS is available though! :smile:

The exploit actually consisted of two separate bugs, and had existed since we added the user-created forums.

The first bug allowed a user to view search results for any forum, even ones they don't have access to, by manually changing the forum parameter in a search URL. For example, you could have used this URL to list all the posts referencing "solid bastard" in the mod forum: http://www.shroomery.org/forums/dosearch.php?words=solid+bastard&forum=f17. It displayed the results just as a mod or admin sees them. This wouldn't have been a huge problem, because the mouseover post preview won't show a post you don't have permission to view. It exposes the thread titles, but nothing else, except...

The second bug allowed a user to view any post by specifying its number. The affected script was "quote.php", which returns the text to quote when a user clicks the "quote" link on a post. This script should check that the user had permission to view the post they're quoting. However, this part of the code was broken. By using a link like this, you could view the text for any post: http://www.shroomery.org/forums/quote.php?id=22076958.

Both of these bugs were due to broken code. :tongue: There were appropriate checks in place, but during development they had been rendered ineffective. Everything is fixed now! :cheers:


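A small model of the two missing checks Ythan describes above, added here as an example (it is not the board's code; every name, forum id and post is constructed): a search handler that trusts the forum parameter from the URL, and a quote handler that returns a post by number without a permission check, each beside a version that routes through one forum-permission function.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    id: int
    forum: str
    title: str
    body: str


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


class Forbidden(Exception):
    """Raised when the caller may not read the requested forum or post."""


# Constructed sample data (not real board data): which groups may read each
# forum, plus two posts, one of them in a restricted mod-only forum "f17".
FORUM_READ_GROUPS = {"f1": {"member", "mod"}, "f17": {"mod"}}
POSTS = {
    1001: Post(1001, "f1", "Welcome thread", "hello everyone"),
    22076958: Post(22076958, "f17", "Mod-only thread", "staff only text"),
}


def can_read_forum(user: User, forum_id: str) -> bool:
    """The single authorization check both endpoints must go through."""
    allowed = FORUM_READ_GROUPS.get(forum_id)
    return allowed is not None and bool(user.groups & allowed)


def search_vulnerable(user: User, words: str, forum_id: str) -> list:
    # Bug 1 as described: the forum id from the URL is used as-is, so thread
    # titles from a forum the caller cannot read come back in the results.
    return [p.title for p in POSTS.values()
            if p.forum == forum_id and words in p.body]


def search_fixed(user: User, words: str, forum_id: str) -> list:
    if not can_read_forum(user, forum_id):
        raise Forbidden("forum not readable by this user")
    return search_vulnerable(user, words, forum_id)  # scoping is now safe


def quote_vulnerable(user: User, post_id: int) -> str:
    # Bug 2 as described: the post is fetched by id and its text returned
    # with no check that the caller may read the forum it lives in.
    return POSTS[post_id].body


def quote_fixed(user: User, post_id: int) -> str:
    post = POSTS.get(post_id)
    # Unknown and forbidden ids get the same error, so the endpoint does not
    # confirm which post numbers exist inside restricted forums.
    if post is None or not can_read_forum(user, post.forum):
        raise Forbidden("post not readable by this user")
    return post.body
```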
Soulidarity
With Your Halo Slippin . . .
Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Re: Security Notification [Re: Ythan] * 1
#22088429 - 08/13/15 06:03 PM (8 years, 5 months ago)

Pretty interesting stuff. I like hearing stories of stuff like this.


--------------------

R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.


Ythan
ᕕ( ᐛ )ᕗ
Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Re: Security Notification [Re: Soulidarity] * 6
#22088481 - 08/13/15 06:16 PM (8 years, 5 months ago)

I like how you and Treant are all up in this thread with your little comments as if you have no idea what I'm talking about. Are you trying to be cute? Because THIS is how to be cute. :nono:


Soulidarity
With Your Halo Slippin . . .
Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Re: Security Notification [Re: Ythan] * 2
#22088515 - 08/13/15 06:27 PM (8 years, 5 months ago)

I love you Ythan and I apologise for any hassles that have been created by this. I'm being honest when I say I had nothing to do with these bugs. I'm too stupid and ignorant for all this code play stuff.


--------------------

R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.


Soulidarity
With Your Halo Slippin . . .
Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Re: Security Notification [Re: Soulidarity] * 3
#22088522 - 08/13/15 06:28 PM (8 years, 5 months ago)

Let me buy you some ranch sauce to make up for it :laugh:

:thousandisland:
<3


--------------------

R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.


PLURAL
PLUR
Registered: 01/16/14
Posts: 31,320
Loc: PLUR
Re: Security Notification [Re: Ythan]
#22088530 - 08/13/15 06:30 PM (8 years, 5 months ago)

I wasn't acting like I had no idea what you were talking about.

I was being genuine.

I didn't ask to see what I saw and I couldn't betray my friend's trust and let you know, for that I am sorry, I just couldn't do it.

FYI, soulidarity genuinely had no idea what was happening, I had to explain it to him in private.


--------------------
PLUR


Amanita86
OTD Keymaster
Registered: 09/26/12
Posts: 89,464
Loc: hades
Re: Security Notification [Re: Ythan]
#22088533 - 08/13/15 06:30 PM (8 years, 5 months ago)

So let me ask you this.. if a couple of fucking nerds like "treant and soul" can come up with an exploit like this.. where does that leave my resting easy at when I start to consider someone who's actually proficient in acquiring what it is they desire?


--------------------
:mushroom2:Orange clock, pencil:bouncysmoke:
"They threw me off the hay truck about noon...":fishing:
:mushroom2:*Mark 15:34:levitate::mushroom2::blueninja:
Gam zeh ya’avor...:sunny:


Ythan
ᕕ( ᐛ )ᕗ
Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Re: Security Notification [Re: Amanita86] * 3
#22088571 - 08/13/15 06:43 PM (8 years, 5 months ago)

Several members were aware that private posts were being leaked, but to the best of my knowledge this exploit was only discovered and utilized by a single individual. However, I really can't say for sure. As I mentioned, this problem existed for over a year and we only retain a week of log files for privacy purposes.

Where does that leave you resting easy? It's not supposed to. I'm just being honest about what happened, not trying to sell you a bunch of feel-good BS. Any time you browse the web, you are entrusting your privacy and security to a third-party which is outside your control. You should remain conscious of this fact and plan accordingly. We do our best but we dropped the ball this time. It could happen anywhere. Fortunately, it doesn't appear that this particular incident targeted anyone besides the staff.


Soulidarity
With Your Halo Slippin . . .
Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Re: Security Notification [Re: Ythan] * 2
#22088594 - 08/13/15 06:53 PM (8 years, 5 months ago)

Ythan thank you for your dedication to the community and all the work you do to prevent and reduce any harm that would come to them. You're good peoples.

:murray:


--------------------

R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.


Amanita86
OTD Keymaster
Registered: 09/26/12
Posts: 89,464
Loc: hades
Re: Security Notification [Re: Ythan]
#22088632 - 08/13/15 07:03 PM (8 years, 5 months ago)

Fair enough.. I can respect that answer more than some smoke blowing 'everything's ok' answer.. just what I was looking for.

And as an administrator of this site, I will place the responsibility on my shoulders personally to bitch smack treant and soul into accordance with the predetermined rules of participation.. because that's what I do.


--------------------
:mushroom2:Orange clock, pencil:bouncysmoke:
"They threw me off the hay truck about noon...":fishing:
:mushroom2:*Mark 15:34:levitate::mushroom2::blueninja:
Gam zeh ya’avor...:sunny:


SOLID BASTARD
Hella Vampires
Registered: 08/04/08
Posts: 5,087
Loc: 127.0.0.1
Re: Security Notification [Re: Ythan]
#22089335 - 08/13/15 09:51 PM (8 years, 5 months ago)

Quote:

Ythan said:
Quote:

SOLID BASTARD said:
I'm going to guess enhanced mouseover preview was exploited, it's happened in a few different ways at this point.  Just curious, obviously security through obscurity is the policy, but if you can speak to what was exploited I am curious.  Thanks Ythan, transparency regarding security issues is rarely a priority on the web because of the appearance of vulnerability most tech admins imagine would be created by admitting a vuln was found (which is sometimes true, depending on the userbase), but the honesty is always appreciated. :hatsoff:




Any "security through obscurity" is just because our BB started as a commercial product which we don't have permission to redistribute. Our CMS is available though! :smile:

The exploit actually consisted of two separate bugs, and had existed since we added the user-created forums.

The first bug allowed a user to view search results for any forum, even ones they don't have access to, by manually changing the forum parameter in a search URL. For example, you could have used this URL to list all the posts referencing "solid bastard" in the mod forum: http://www.shroomery.org/forums/dosearch.php?words=solid+bastard&forum=f17. It displayed the results just as a mod or admin sees them. This wouldn't have been a huge problem, because the mouseover post preview won't show a post you don't have permission to view. It exposes the thread titles, but nothing else, except...

The second bug allowed a user to view any post by specifying its number. The affected script was "quote.php", which returns the text to quote when a user clicks the "quote" link on a post. This script should check that the user had permission to view the post they're quoting. However, this part of the code was broken. By using a link like this, you could view the text for any post: http://www.shroomery.org/forums/quote.php?id=22076958.

Both of these bugs were due to broken code. :tongue: There were appropriate checks in place, but during development they had been rendered ineffective. Everything is fixed now! :cheers:



That reminds me, I found another bug, I'm going to :pm: you about it now.


karode13
Tāne Mahuta
Registered: 05/19/05
Posts: 15,290
Loc: LV-426
Re: Security Notification [Re: PLURAL] * 1
#22089685 - 08/14/15 12:08 AM (8 years, 5 months ago)

Quote:

Soulidarity said:
I love you Ythan and I apologise for any hassles that have been created by this. I'm being honest when I say I had nothing to do with these bugs. I'm too stupid and ignorant for all this code play stuff.






Quote:

Treant said:
I wasn't acting like I had no idea what you were talking about.

I was being genuine.

I didn't ask to see what I saw and I couldn't betray my friend's trust and let you know, for that I am sorry, I just couldn't do it.

FYI, soulidarity genuinely had no Idea what was happening, I had to explain it to him in private.






:facepalm:



It's disgusting you even showed your faces in here and made replies like this.


Copyright 1997-2024 Mind Media. Some rights reserved.