Ythan
ᕕ( ᐛ )ᕗ


Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Last seen: 21 minutes, 9 seconds
Security Notification 10
#22076587 - 08/11/15 02:06 PM (8 years, 5 months ago)
So, I wanted to let everybody know that we've discovered (and fixed) a couple of vulnerabilities with the message board. They may have exposed posts which you intended to be private. Basically, by combining two different and unrelated bugs, it was possible to retrieve posts from forums which normally have restricted access. If you posted in a forum which you believed to be exclusive (e.g. the Supporters Forum, Gathering and Travel, etc.) it's possible your post could have been seen by someone it was not intended for if they were intentionally abusing these bugs. The problem has existed for a little under a year.
To the best of our knowledge only the staff and the Moderator forum have been targeted, but technically any forum could have fallen victim to this exploit. We are notifying our members in the interest of full disclosure, but you don't have to do anything right now. The bugs have been fixed and the fallout is mostly affecting our staff. We sincerely apologize for this lapse in security and I'll be glad to answer any questions you guys may have.
PLURAL
PLUR


Registered: 01/16/14
Posts: 31,320
Loc: PLUR
Last seen: 2 months, 28 days
Re: Security Notification [Re: Ythan] 5
#22076672 - 08/11/15 02:24 PM (8 years, 5 months ago)
Thank you for keeping the site secure.
We appreciate it.
-------------------- PLUR
Soulidarity
With Your Halo Slippin . . .



Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Last seen: 8 years, 1 month
Re: Security Notification [Re: PLURAL] 4
#22076697 - 08/11/15 02:30 PM (8 years, 5 months ago)
This is fully like CIA level deepness
What makes a talk real? It is this kind of stuff that makes a talk real
--------------------
  R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.
emf
#14


Registered: 11/06/10
Posts: 14,756
Re: Security Notification [Re: PLURAL] 10
#22076731 - 08/11/15 02:39 PM (8 years, 5 months ago)
Quote:
Treant said: Thank you for keeping the site secure.
We appreciate it.
You will never be a Shroomery moderator.
larry.fisherman
shoulda died already



Registered: 11/03/12
Posts: 36,294
Re: Security Notification [Re: emf] 1
#22076748 - 08/11/15 02:45 PM (8 years, 5 months ago)
emf's right guys
ythan, thanks for being on the ball
SOLID BASTARD
Hella Vampires

Registered: 08/04/08
Posts: 5,087
Loc: 127.0.0.1
Re: Security Notification [Re: Ythan] 1
#22076958 - 08/11/15 03:29 PM (8 years, 5 months ago)
I'm going to guess enhanced mouseover preview was exploited, it's happened in a few different ways at this point. Just curious, obviously security through obscurity is the policy, but if you can speak to what was exploited I am curious. Thanks Ythan, transparency regarding security issues is rarely a priority on the web because of the appearance of vulnerability most tech admins imagine would be created by admitting a vuln was found (which is sometimes true, depending on the userbase), but the honesty is always appreciated.
cronicr



Registered: 08/07/11
Posts: 61,436
Loc: Van Isle
Last seen: 2 years, 8 days
--------------------
  It doesn't matter what i think of you...all that matters is clean spawn I'm tired do me a favor
PanzerCubed



Registered: 11/22/12
Posts: 2,285
Loc: Nauru
Re: Security Notification [Re: cronicr]
#22079950 - 08/12/15 05:20 AM (8 years, 5 months ago)
Ythan
ᕕ( ᐛ )ᕗ


Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Last seen: 21 minutes, 9 seconds
Quote:
SOLID BASTARD said: I'm going to guess enhanced mouseover preview was exploited, it's happened in a few different ways at this point. Just curious, obviously security through obscurity is the policy, but if you can speak to what was exploited I am curious. Thanks Ythan, transparency regarding security issues is rarely a priority on the web because of the appearance of vulnerability most tech admins imagine would be created by admitting a vuln was found (which is sometimes true, depending on the userbase), but the honesty is always appreciated. 
Any "security through obscurity" is just because our BB started as a commercial product which we don't have permission to redistribute. Our CMS is available though! 
The exploit actually consisted of two separate bugs, and had existed since we added the user-created forums.
The first bug allowed a user to view search results for any forum, even ones they don't have access to, by manually changing the forum parameter in a search URL. For example, you could have used this URL to list all the posts referencing "solid bastard" in the mod forum: http://www.shroomery.org/forums/dosearch.php?words=solid+bastard&forum=f17. It displayed the results just as a mod or admin sees them. This wouldn't have been a huge problem, because the mouseover post preview won't show a post you don't have permission to view. It exposes the thread titles, but nothing else, except...
The second bug allowed a user to view any post by specifying its number. The affected script was "quote.php", which returns the text to quote when a user clicks the "quote" link on a post. This script should check that the user had permission to view the post they're quoting. However, this part of the code was broken. By using a link like this, you could view the text for any post: http://www.shroomery.org/forums/quote.php?id=22076958.
Both of these bugs were due to broken code. There were appropriate checks in place, but during development they had been rendered ineffective. Everything is fixed now!
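The two failures Ythan describes are both broken object-level authorization: a check that exists in the code but no longer governs the data that is returned. The following Python model is an added example, not the Shroomery's PHP, and the forum ids, the ACL, the sample posts and the exact way each check was disabled are constructed assumptions. It places each bug beside a corrected handler in which authorization is decided on the forum named in the request, or on the post the supplied id resolves to, before any content is returned.

```python
"""Toy model (added example, not the Shroomery code) of two broken
authorization checks and their corrected forms. Names, data and the
shape of each defect are assumptions for illustration only."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Post:
    id: int
    forum: str
    title: str
    body: str


@dataclass(frozen=True)
class User:
    name: str
    forums: frozenset  # forum ids this user may read (hypothetical ACL)


class Forbidden(Exception):
    """Raised when a user asks for something outside their ACL."""


# Constructed sample data: one public forum (f1) and one restricted forum (f17).
POSTS = {
    101: Post(101, "f1", "Public thread", "hello from the public forum"),
    202: Post(202, "f17", "Staff thread", "moderators discussing a report"),
}
MEMBER = User("member", frozenset({"f1"}))
MOD = User("mod", frozenset({"f1", "f17"}))


def can_read(user: User, forum: str) -> bool:
    return forum in user.forums


# --- bug 1: search trusts the forum parameter --------------------------------
def search_vulnerable(user: User, words: str, forum: str) -> List[str]:
    # The check runs, but (assumed here) against the forum the user browsed
    # from rather than the `forum` value taken from the query string.
    if not can_read(user, "f1"):
        raise Forbidden(user.name)
    return [p.title for p in POSTS.values() if p.forum == forum and words in p.body]


def search_fixed(user: User, words: str, forum: str) -> List[str]:
    # Authorize the forum named in the request before touching any data.
    if not can_read(user, forum):
        raise Forbidden(f"{user.name} may not search {forum}")
    return [p.title for p in POSTS.values() if p.forum == forum and words in p.body]


# --- bug 2: quote returns any post by id --------------------------------------
def quote_vulnerable(user: User, post_id: int) -> Optional[str]:
    post = POSTS.get(post_id)
    if post is None:
        return None
    can_read(user, post.forum)  # result computed but never acted on: dead check
    return post.body


def quote_fixed(user: User, post_id: int) -> Optional[str]:
    post = POSTS.get(post_id)
    if post is None:
        return None
    # Decide authorization on the object the id resolves to, and fail closed.
    if not can_read(user, post.forum):
        raise Forbidden(f"{user.name} may not read post {post_id}")
    return post.body


def demo() -> dict:
    """Exercise each variant as a plain member aiming at the restricted forum."""
    out = {}
    out["search_vuln"] = search_vulnerable(MEMBER, "report", "f17")
    out["quote_vuln"] = quote_vulnerable(MEMBER, 202)
    for name, fn, args in [("search_fixed", search_fixed, ("report", "f17")),
                           ("quote_fixed", quote_fixed, (202,))]:
        try:
            fn(MEMBER, *args)
            out[name] = "allowed"
        except Forbidden:
            out[name] = "forbidden"
    out["mod_quote"] = quote_fixed(MOD, 202)  # the legitimate path still works
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `demo` function doubles as the regression check a practitioner would keep for every endpoint that takes an id: a low-privilege user against a restricted object must fail closed, and a privileged user must still succeed. A disabled check of this kind looks exactly like a working one in normal use, because everyone who reaches the page through the normal links already has permission; only the negative test exposes it.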
Soulidarity
With Your Halo Slippin . . .



Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Last seen: 8 years, 1 month
Re: Security Notification [Re: Ythan] 1
#22088429 - 08/13/15 06:03 PM (8 years, 5 months ago)
Pretty interesting stuff. I like hearing stories of stuff like this.
--------------------
  R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.
Ythan
ᕕ( ᐛ )ᕗ


Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Last seen: 21 minutes, 9 seconds
I like how you and Treant are all up in this thread with your little comments as if you have no idea what I'm talking about. Are you trying to be cute? Because THIS is how to be cute.
Soulidarity
With Your Halo Slippin . . .



Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Last seen: 8 years, 1 month
Re: Security Notification [Re: Ythan] 2
#22088515 - 08/13/15 06:27 PM (8 years, 5 months ago)
I love you Ythan and I apologise for any hassles that have been created by this. I'm being honest when I say I had nothing to do with these bugs. I'm too stupid and ignorant for all this code play stuff.
--------------------
  R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.
Soulidarity
With Your Halo Slippin . . .



Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Last seen: 8 years, 1 month
Let me buy you some ranch sauce to make up for it 
 <3
--------------------
  R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.
PLURAL
PLUR


Registered: 01/16/14
Posts: 31,320
Loc: PLUR
Last seen: 2 months, 28 days
Re: Security Notification [Re: Ythan]
#22088530 - 08/13/15 06:30 PM (8 years, 5 months ago)
I wasn't acting like I had no idea what you were talking about.
I was being genuine.
I didn't ask to see what I saw and I couldn't betray my friend's trust and let you know, for that I am sorry, I just couldn't do it.
FYI, soulidarity genuinely had no idea what was happening, I had to explain it to him in private.
-------------------- PLUR
Amanita86
OTD Keymaster


Registered: 09/26/12
Posts: 89,464
Loc: hades
Re: Security Notification [Re: Ythan]
#22088533 - 08/13/15 06:30 PM (8 years, 5 months ago)
So let me ask you this.. if a couple of fucking nerds like "treant and soul" can come up with an exploit like this.. where does that leave my resting easy at when I start to consider someone who's actually proficient in acquiring what it is they desire?
--------------------
Orange clock, pencil "They threw me off the hay truck about noon..."
*Mark 15:34  Gam zeh ya’avor...
Ythan
ᕕ( ᐛ )ᕗ


Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Last seen: 21 minutes, 9 seconds
Re: Security Notification [Re: Amanita86] 3
#22088571 - 08/13/15 06:43 PM (8 years, 5 months ago)
Several members were aware that private posts were being leaked, but to the best of my knowledge this exploit was only discovered and utilized by a single individual. However, I really can't say for sure. As I mentioned, this problem existed for over a year and we only retain a week of log files for privacy purposes.
Where does that leave you resting easy? It's not supposed to. I'm just being honest about what happened, not trying to sell you a bunch of feel-good BS. Any time you browse the web, you are entrusting your privacy and security to a third-party which is outside your control. You should remain conscious of this fact and plan accordingly. We do our best but we dropped the ball this time. It could happen anywhere. Fortunately, it doesn't appear that this particular incident targeted anyone besides the staff.
Soulidarity
With Your Halo Slippin . . .



Registered: 07/15/12
Posts: 17,617
Loc: Atlantis
Last seen: 8 years, 1 month
Re: Security Notification [Re: Ythan] 2
#22088594 - 08/13/15 06:53 PM (8 years, 5 months ago)
Ythan thank you for your dedication to the community and all the work you do to prevent and reduce any harm that would come to them. You're good peoples.
--------------------
  R.I.P. WoodRuss67, Todcasil, TheMerryIguana, The Rompus, Lord Senate.
Amanita86
OTD Keymaster


Registered: 09/26/12
Posts: 89,464
Loc: hades
Re: Security Notification [Re: Ythan]
#22088632 - 08/13/15 07:03 PM (8 years, 5 months ago)
Fair enough.. I can respect that answer more than some smoke blowing 'everything's ok' answer.. just what I was looking for.
And as an administrator of this site, I will place the responsibility on my shoulders personally to bitch smack treant and soul into accordance with the predetermined rules of participation.. because that's what I do.
--------------------
Orange clock, pencil "They threw me off the hay truck about noon..."
*Mark 15:34  Gam zeh ya’avor...
SOLID BASTARD
Hella Vampires

Registered: 08/04/08
Posts: 5,087
Loc: 127.0.0.1
Re: Security Notification [Re: Ythan]
#22089335 - 08/13/15 09:51 PM (8 years, 5 months ago)
Quote:
Ythan said:
Quote:
SOLID BASTARD said: I'm going to guess enhanced mouseover preview was exploited, it's happened in a few different ways at this point. Just curious, obviously security through obscurity is the policy, but if you can speak to what was exploited I am curious. Thanks Ythan, transparency regarding security issues is rarely a priority on the web because of the appearance of vulnerability most tech admins imagine would be created by admitting a vuln was found (which is sometimes true, depending on the userbase), but the honesty is always appreciated. 
Any "security through obscurity" is just because our BB started as a commercial product which we don't have permission to redistribute. Our CMS is available though! 
The exploit actually consisted of two separate bugs, and had existed since we added the user-created forums.
The first bug allowed a user to view search results for any forum, even ones they don't have access to, by manually changing the forum parameter in a search URL. For example, you could have used this URL to list all the posts referencing "solid bastard" in the mod forum: http://www.shroomery.org/forums/dosearch.php?words=solid+bastard&forum=f17. It displayed the results just as a mod or admin sees them. This wouldn't have been a huge problem, because the mouseover post preview won't show a post you don't have permission to view. It exposes the thread titles, but nothing else, except...
The second bug allowed a user to view any post by specifying its number. The affected script was "quote.php", which returns the text to quote when a user clicks the "quote" link on a post. This script should check that the user had permission to view the post they're quoting. However, this part of the code was broken. By using a link like this, you could view the text for any post: http://www.shroomery.org/forums/quote.php?id=22076958.
Both of these bugs were due to broken code. There were appropriate checks in place, but during development they had been rendered ineffective. Everything is fixed now! 
That reminds me, I found another bug, I'm going to you about it now.
karode13
Tāne Mahuta




Registered: 05/19/05
Posts: 15,290
Loc: LV-426
Re: Security Notification [Re: PLURAL] 1
#22089685 - 08/14/15 12:08 AM (8 years, 5 months ago)
Quote:
Soulidarity said: I love you Ythan and I apologise for any hassles that have been created by this. I'm being honest when I say I had nothing to do with these bugs. I'm too stupid and ignorant for all this code play stuff.
Quote:
Treant said: I wasn't acting like I had no idea what you were talking about.
I was being genuine.
I didn't ask to see what I saw and I couldn't betray my friend's trust and let you know, for that I am sorry, I just couldn't do it.
FYI, soulidarity genuinely had no idea what was happening, I had to explain it to him in private.

It's disgusting you even showed your faces in here and made replies like this.