
About the hack...

mlw4428 (Junior Member, thread starter) asked:
While it was no one's fault (except for the douche who did the hacking), shouldn't all PHP-Fusion support sites run an up-to-date version of Fusion? Also, are the passwords encrypted in the database? If so, what cipher(s)? If not... then could we get that (or at least get an infusion that does that)?


Thanks!
Bad Boy (BadBoy aka GoogleDude, http://www.googlecityforums.com; Member) answered:
Yes, the passwords are encrypted in the database. The technique the hacker used did not require the password to be decrypted. All he had to do was copy and paste the encrypted password into a cookie and he was able to gain access. He used the encrypted password of a member of his own site. He took it and put it in a cookie for the BETA site. That member of his site is an Admin on BETA. He had the same password for nearly all the Fusion sites he was registered on. Therefore, since the password was the same at the hacker's site as it is on Open BETA, he automatically had admin access. Code was used in the Custom Pages admin to gain the encrypted passwords of members, and those who had Admin status at support sites were used.

This is why it is extremely important to use different passwords on different sites. That's the only reason the hacker got as far as he did.

This site and the themes site are running on 6.01.4. The BETA and MODS sites are just recently getting back up. I believe one or the other needs to be updated from 6.01.3 to 6.01.4, which should be happening soon.
Edited by Bad Boy on 30-08-2006 17:42
Homdax (Fusioneer) answered:
Adding to what Bad Boy wrote, the patch for 6.01.1 to 6.01.3 does not include messages.php. This file was renewed earlier and is included in the files for 6.01.4.
Hence, if someone skipped the manual messages.php upgrade and runs 6.01.3, that site will be vulnerable.
Falk (Super Admin, Project Manager) answered:
The new messages.php was added in v6.01.1. It was released as a patch for v6.00.xxx.
kejonn (Member) answered:
As an infusion writer (well, at least in the past; on hiatus), I know that I could easily slip some code into my infusions that would allow me to obtain hashed passwords if you installed my infusions. I could do the same to get your DB name, prefix and password. So please always be sure you don't install infusions from just anywhere, and only from trusted sources. Also, it would be wise to do a search through the code for user variables, etc., to be sure they are not doing just that.

If it's as simple as copying and pasting a hashed password into a cookie to get in, this needs to be changed. Much too easy to exploit, IMO.
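Bad Boy's account above (the login cookie carried the stored password hash, so a copied hash was enough to be accepted as that user) and kejonn's point that such a scheme is too easy to exploit both come down to one design decision: whether the cookie proves possession of the password hash, or possession of a random secret issued at login. The sketch below is an added example written for this thread in Python (so it runs stand-alone); it is not PHP-Fusion code and not from any poster. It contrasts a cookie check that compares the cookie value directly with the stored hash against a check that uses a random, server-side, expiring session token. The user record, the md5 password hash and the `user_id.value` cookie layout are constructed assumptions; the thread does not say which hash or cookie format PHP-Fusion 6 used.

```python
"""Two ways a forum could validate a login cookie.

VULNERABLE (the design described in the thread): the cookie carries the
stored password hash and the server compares it with the database value.
Anyone who can read the users table (a super admin, or an add-on that
does so quietly) can produce a valid cookie without knowing the password.

HARDENED: the cookie carries a random token issued at login, stored
server-side (hashed), bound to one user, and expiring. Knowing the
password hash alone yields nothing the check will accept.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample user table (assumption: md5 password hashes, as a stand-in).
USERS = {
    "7": {"name": "alice", "pw_hash": hashlib.md5(b"correct horse").hexdigest()},
}


# ---------------- vulnerable design ----------------

def check_cookie_vulnerable(cookie):
    """Return the user_id if the cookie's hash equals the stored hash, else None."""
    try:
        user_id, presented_hash = cookie.split(".", 1)
    except ValueError:
        return None
    user = USERS.get(user_id)
    if user and hmac.compare_digest(presented_hash, user["pw_hash"]):
        return user_id          # a copied DB hash is accepted: no password needed
    return None


# ---------------- hardened design ----------------

SESSION_TTL = 3600              # seconds a login cookie stays valid
SESSIONS = {}                   # sha256(token) -> {"user_id": ..., "expires": ...}


def login_hardened(user_id, password, now=None):
    """Verify the password, then issue a fresh random session token as the cookie."""
    now = time.time() if now is None else now
    user = USERS.get(user_id)
    presented = hashlib.md5(password.encode()).hexdigest()
    if not user or not hmac.compare_digest(presented, user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)                      # 256 bits of randomness
    key = hashlib.sha256(token.encode()).hexdigest()       # store only a hash of it
    SESSIONS[key] = {"user_id": user_id, "expires": now + SESSION_TTL}
    return f"{user_id}.{token}"


def check_cookie_hardened(cookie, now=None):
    """Return the user_id only for a live session token bound to that user."""
    now = time.time() if now is None else now
    try:
        user_id, token = cookie.split(".", 1)
    except ValueError:
        return None
    rec = SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["user_id"] != user_id or rec["expires"] <= now:
        return None
    return user_id


def hash_only_cookie_outcome():
    """Show what a cookie built from nothing but the stored hash achieves in each design."""
    cookie_from_hash = f"7.{USERS['7']['pw_hash']}"
    return {
        "vulnerable_accepts": check_cookie_vulnerable(cookie_from_hash) == "7",
        "hardened_accepts": check_cookie_hardened(cookie_from_hash) == "7",
    }


if __name__ == "__main__":
    print(hash_only_cookie_outcome())   # {'vulnerable_accepts': True, 'hardened_accepts': False}
```

The hardened check also fails closed when the token is presented with a different user_id or after the TTL, which a password-hash cookie never does: a leaked hash stays valid until the user changes the password. The choice of password hash (md5 here, only to keep the two designs comparable) is a separate question from the cookie design; a slow, salted password hash would be the next fix, but it would not on its own stop a copied hash from being replayed in the vulnerable design.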
Bad Boy (Member) answered:
Super admins have access to everyone's hashed password. That is the case in almost all CMSs, I do believe.

What it comes down to is signing up to a site where the super admin has bad intentions. If this is the case or if you are not sure, simply choosing a password that you do not use for a site where YOU have admin powers should suffice.
— 30 days later —
docmike (Member) answered:
Check out this very nice documentation of how the PHP-Fusion hack was carried out:

http://www.youtube.com/watch?v=gChouWPyjOs&mode=related&search=
Falk (Super Admin, Project Manager) answered:
Old. Yawn.
Category: General Discussion