#82321
03/13/2002 2:03 PM
|
Joined: Dec 2001
Posts: 699
Member
Has it been all disabled or just in sigs? **tests** If it's all, I guess it's since that redirect thingy...
|
|
|
#82322
03/13/2002 2:31 PM
|
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Okay, so we have some locked threads and scarce information about someone using the img tags to grab cookies. There doesn't seem to be any discussion about it or updates and since this place is inhabited by UBB owners I think that's pretty bad.
I think that we deserve more than a couple words and locked threads. If there is a threat then let us know. If there is an interim fix then give it to us. If you have nothing then let us know that.
|
|
|
#82323
03/13/2002 2:43 PM
|
Joined: Feb 2001
Posts: 817
Moderator / Kingpin
Stay tuned. A fix is being worked on right now and an official announcement is forthcoming.
In the meantime you may disable the IMG code on your sites if you are concerned.
Forgot to mention... if your password here was the same as your FTP, Admin, or User accounts on your own web sites, shame on you. Go change them as well, and use a unique password for each!
|
|
|
#82324
03/13/2002 2:50 PM
|
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
The IMG tag was disabled to be 110% sure that the compromise could not be reproduced while I was developing a filter. Now that the filter has been developed, the IMG tag will be re-enabled, though not in signatures.
6.2.1.1 will be released shortly with the additional filtering.
UBB.classic: Love it or hate it, it was mine.
|
|
|
#82325
03/13/2002 2:58 PM
|
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Can we have the info on exactly what is different so that we can implement without disturbing the hacked boards?
|
|
|
#82326
03/13/2002 3:00 PM
|
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
The fix is a little too complicated to post here, unfortunately. However, the changes should not interfere with many existing hacks. The changes are limited to:
- lib_posting's signature appending area
- lib's check_html
- lib's imageize and related routines
You do NOT need to disable the IMG tag on your board unless you are concerned that someone might try this. I highly doubt that he'll try it anywhere else.
UBB.classic: Love it or hate it, it was mine.
|
|
|
#82327
03/13/2002 3:19 PM
|
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
|
|
|
#82328
03/13/2002 3:50 PM
|
Joined: Mar 2001
Posts: 7,394
Admin / Code Breaker
|
|
|
#82329
03/13/2002 4:00 PM
|
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Not until I am 200% sure that the filters work.
UBB.classic: Love it or hate it, it was mine.
|
|
|
#82330
03/13/2002 4:01 PM
|
Joined: Mar 2001
Posts: 7,394
Admin / Code Breaker
Oh, I thought they're gone forever!
|
|
|
#82331
03/13/2002 4:04 PM
|
Joined: Dec 2001
Posts: 699
Member
quote: Originally posted by Charles Capps: Not until I am 200% sure that the filters work.
That'll be forever then -- it's impossible to be 200% sure.
|
|
|
#82332
03/13/2002 4:20 PM
|
Joined: Dec 2001
Posts: 699
Member
Does this bug affect UBB 5? Just wondering...
|
|
|
#82333
03/13/2002 5:34 PM
|
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Mmmm... a variant of it, sure. This EXACT issue is specific only to post 6.1.0 UBBs. UBB5 has not been updated in over one year. In that year+, dozens of security issues have been uncovered. Those using UBB5 need to be very cautious.
UBB.classic: Love it or hate it, it was mine.
|
|
|
#82334
03/13/2002 5:47 PM
|
Joined: Dec 2001
Posts: 699
Member
quote: Powered by Infopop Corporation Ultimate Bulletin Board™ 6.2.2 Development Beta 15.1
I wonder what the .1 added?
|
|
|
#82335
03/13/2002 6:04 PM
|
Joined: Jun 2001
Posts: 442
Member
Who exactly caused this trouble? I obviously take a different view to this sort of behavior? If it happened on my board I know a lot of people would be seriously p*****; it's obviously very different over here in the UK, sense of humour and tolerance! Note to remember.
Audi-Sport.net the only forum guaranteed to kill any server!
|
|
|
#82336
03/13/2002 6:05 PM
|
Joined: Jun 2001
Posts: 442
Member
That was self-censored btw, before someone has a go at me, jeesh.
Audi-Sport.net the only forum guaranteed to kill any server!
|
|
|
#82337
03/13/2002 6:16 PM
|
Joined: Sep 2000
Posts: 4,211
Master Hacker
quote: Originally posted by Wando™: who exactly caused this trouble?
It makes no difference, and it doesn't concern you, so stop asking. Your other thread was already closed for asking once, so you'd think that you'd learn after one time...
|
|
|
#82338
03/13/2002 6:22 PM
|
Joined: Jun 2001
Posts: 442
Member
I think it does concern me, as I'm a license owner and someone is hacking UBBs.
Audi-Sport.net the only forum guaranteed to kill any server!
|
|
|
#82339
03/13/2002 7:00 PM
|
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
They'll be releasing new versions for 6.2x tonight I believe... grab a copy of the latest now and tonight again when they release - then file compare the changes in.
|
|
|
#82340
03/13/2002 7:11 PM
|
Joined: Feb 2000
Posts: 4,625
Member
Wando - A fix is being worked on and should be done soon if not already as I type this. Relax. No more information is usually provided...
|
|
|
#82341
03/13/2002 8:12 PM
|
Joined: Jun 2001
Posts: 442
Member
Thanks Greg and Allen. Matt, don't overreact (looks like tomorrow night I've got no choice but to Beyond Compare to the latest version (why do people get their kicks mucking around with others' good work???))
Audi-Sport.net the only forum guaranteed to kill any server!
|
|
|
#82342
03/13/2002 8:31 PM
|
Joined: Jun 2001
Posts: 442
Member
Well, I've locked down my board for the night; I've too much to lose there I'm afraid.
Audi-Sport.net the only forum guaranteed to kill any server!
|
|
|
#82343
03/14/2002 12:29 AM
|
Joined: Feb 2001
Posts: 817
Moderator / Kingpin
6.2.1.1 is now available in the Member's Area.
|
|
|
#82344
03/14/2002 3:15 AM
|
Joined: May 2001
Posts: 6,708
Member
Yeah I was wondering what the hell happened, all my questions have been answered. The fix is in 6.2.1.1 right?
|
|
|
#82345
03/14/2002 9:11 AM
|
Joined: Feb 2001
Posts: 817
Moderator / Kingpin
|
|
|
#82346
03/14/2002 1:01 PM
|
Joined: Apr 2001
Posts: 711
Spotlight Winner
The new version was made for the fix.
|
|
|
#82347
03/15/2002 1:01 AM
|
Joined: May 2001
Posts: 6,708
Member
quote: Originally posted by dende: The new version was made for the fix.
I thought so. Better upgrade. I deserve a rolleyes.
|
|
|
#82348
03/15/2002 1:29 AM
|
Joined: Apr 2001
Posts: 711
Spotlight Winner
crazy guy.
|
|
|
#82349
03/15/2002 4:10 AM
|
Joined: May 2001
Posts: 6,708
Member
Exactly. Just wondering, what files have changed from 6.2.1 to 6.2.1.1?
|
|
|
#82350
03/15/2002 9:35 AM
|
Joined: Nov 2001
Posts: 745
Admin Emeritus
|
|
|
#82351
03/15/2002 6:28 PM
|
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
And you didn't just download the Upgrade Only zip because...? Sheesh.
UBB.classic: Love it or hate it, it was mine.
|
|
|
#82352
03/16/2002 4:30 AM
|
Joined: May 2001
Posts: 6,708
Member
quote: Originally posted by Sub Zero: Lord Dexter: check here
Thanks Sub Zero.
|
|
|
#82353
03/16/2002 11:35 AM
|
Joined: Jun 2001
Posts: 729
Coder
CC, what about those of us on 6.1.0.4? Can you release a patch for us?
|
|
|
#82354
03/16/2002 12:30 PM
|
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Unfortunately the changes rely on routines only present in the 6.2 series...
UBB.classic: Love it or hate it, it was mine.
|
|
|
#82355
03/16/2002 1:48 PM
|
Joined: Jun 2001
Posts: 729
Coder
Sigh, will have to talk to someone about looking at this then for me. Even if it is 1 person who found it there might be more down the road unfortunately. Especially since the type of board I run tends to attract stuff like this at times.
|
|
|