Holy mother of pearls! an up and coming CMS has serious hole

matt1019
Forum Contributor
Posts: 172
Joined: Thu Jul 06, 2006 6:41 pm

Post by matt1019 »

Hi Guys,

Early mornin' to all!

I cannot believe this... an up-and-coming CMS, PHP-Fusion: sites such as its beta site ( http://www.beta.phpfusion-mods.com/ ), another mod site ( http://www.ausimods.com ), and other "popular" sites running PHP-Fusion got hacked.

Recently, the author released a "patch" for his quite popular CMS for protection against XSS type attacks.

I am no genius per se, but his CMS looks a LOT buggy!!!! (This is the 2nd attack/security hole that I know of.)

Don't the hackers/crackers/script kiddies (or whatever the hell you wanna call them) have better things to do???

it's people like these that should be behind bars!

-Matt
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Malicious hackers are being clamped down on hard now... it's being seen as a serious offence.

This kid (only 16 yo) lost his job at a company, so decided to bomb the company by sending billions of emails to users there in a DoS attack. The emails included text informing employees that they were going to die soon and wot-not. The kid is now in jail. That's the first case of its kind to actually result in imprisonment, but I believe we'll start to see a lot more of this... hopefully. That's off-topic though.

I'm not aware of this CMS, but given that it's still only in beta, isn't that why they make beta versions.... I'd be concerned if this was considered a stable release.

EDIT | OK, I recalled that news story wrong. He's not in jail, but he was sentenced. He has been electronically tagged and put under a curfew.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Beta software means do not rely on it for complete functionality or security. At least in my opinion. Not that anyone deserves that type of attention, but beta is beta.
matt1019
Forum Contributor
Posts: 172
Joined: Thu Jul 06, 2006 6:41 pm

Post by matt1019 »

no, no, no... sorry probably my mistake:
PHP-Fusion is considered a stable release (v6.014 right now). The beta site is for people who make "mods" for this CMS... they submit and other users try it out etc etc etc.

But no, PHP-Fusion is not in a beta version. It is available as a stable version.


Good to know that people such as these are getting punished! Otherwise, if no punishment is given, then such people would think that they will never get caught and start doing it more often... and this is where it would get ugly.

-Matt
matt1019
Forum Contributor
Posts: 172
Joined: Thu Jul 06, 2006 6:41 pm

Post by matt1019 »

As many of you are aware, a number of PHP-Fusion Support Sites have been hacked in the last 12 hours. This incident occurred because one admin on Open Beta had his password leaked. The hacker used this password to log in and steal all registered users' passwords, including members of many support sites. The hacker has used this information to cause wide-spread damage to PHP-Fusion Support Sites, generally by destroying the user database tables. I am extremely angered by this attack, and I can only apologise for this incident.

My advice to everyone is to change your password, and never use the same password for more than one site. As far as I know there is no security hole involved in this attack so try not to panic. Thanks.
Huh, I guess this is the part where the Author/Admin says... "BUT THE GOOD NEWS IS:" bleh.

just makes me sick!!! wanna punch (and keep punching) that mofo like a punching bag----> talking about the hacker

-Matt
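The quoted statement above describes the damage chain: one leaked admin password, then every registered user's password lifted from the users table, then that list reused against other support sites. The storage-side control that limits this is to keep only per-user salted, slow hashes in the table, so a stolen table hands out no reusable plaintext and two users with the same password do not even look alike. The block below is an added example written for this thread; it is not PHP-Fusion code, and the iteration count and the sample user list are constructed assumptions.

```python
"""
Added example (not from the thread or from PHP-Fusion): per-user salted
password hashing with PBKDF2, contrasted with the unsalted digest style
that makes a stolen users table directly useful to an attacker.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption for this example; tune
# upward for production hardware.
ITERATIONS = 200_000

# Constructed sample users for the demo; alice and bob reuse a password.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "s3cret!",
}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt is drawn per call, so hashing the same
    password twice yields two different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def legacy_unsalted_md5(password: str) -> str:
    """The weak style this example contrasts against: no salt, fast hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_demo_table(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, str]:
    """Simulate the users table as it should be stored: salted records only."""
    return {user: hash_password(pw) for user, pw in users.items()}


def shared_passwords_visible(table: Dict[str, str]) -> bool:
    """True if two rows in the table expose that their owners share a password.

    For the salted table this is False: the digests differ even for
    alice and bob. For a legacy unsalted table it would be True.
    """
    digests = [rec.split("$")[-1] for rec in table.values()]
    return len(digests) != len(set(digests))


def legacy_table(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, str]:
    """The same users stored the weak way, for comparison."""
    return {user: legacy_unsalted_md5(pw) for user, pw in users.items()}


if __name__ == "__main__":
    table = build_demo_table()
    for user, pw in SAMPLE_USERS.items():
        assert verify_password(pw, table[user])
    print("salted table reveals shared passwords:", shared_passwords_visible(table))
    print("legacy table reveals shared passwords:",
          len(set(legacy_table().values())) != len(SAMPLE_USERS))
```

Verification recomputes the digest from the salt stored beside it, so the site never needs the plaintext after registration; if the table leaks, an attacker still has to guess each user's password separately at the full iteration cost, which is what makes the "change your password" advice in the quoted post a containment step rather than a race.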
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Technically this is not a hack as this person was given full access by an admin. That was a simple 'malicious intent carried out' type of thing. But still, that guy should pay for what he did. And that admin should be demoted, in my opinion.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

WRT malicious hackers. They'll always track them. It might take a long time if they cover their tracks well but no matter what level of disguise you make, TCP packets always carry information about the origin of the request (even with IP spoofing). TCP relies upon such information to even function.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

I think it's fine most of the time.

Security holes need to be identified and patched.

Yin and Yang.. lol