Holy mother of pearls! an up and coming CMS has serious hole

Posted: Sat Aug 26, 2006 1:51 am
by matt1019
Hi Guys,

Early mornin' to all!

I cannot believe this... an up-and-coming CMS, php-fusion: users' sites such as its beta site ( http://www.beta.phpfusion-mods.com/ ), another mod site ( http://www.ausimods.com ), and other "popular" sites running php fusion got hacked.

Recently, the author released a "patch" for his quite popular CMS for protection against XSS type attacks.

I am no genius per se, but his CMS looks a LOT buggy!!!! (This is the 2nd attack/security-hole that I know of)

Don't the hackers/crackers/script kiddies (or whatever the hell you wanna call them) have better things to do???

it's people like these that should be behind bars!

-Matt

Posted: Sat Aug 26, 2006 7:08 am
by Chris Corbyn
Malicious hackers are being clamped down on hard now... it's being seen as a serious offence.

This kid (only 16 yo) lost his job to a company, so decided to bomb send billions of emails to users at the company in a DoS attack. The emails included text informing employees that they were going to die soon and wot-not. The kid is now in jail. That's the first case of its kind to actually result in imprisonment but I believe we'll start to see a lot more of this... hopefully. That's off-topic though.

I'm not aware of this CMS but given that it's still only in beta, isn't that why they make beta versions.... I'd be concerned if this was considered a stable release.

EDIT | OK, I recalled that news story wrong. He's not in jail but he was sentenced. He has been electronically tagged and put under a curfew.

Posted: Sat Aug 26, 2006 11:14 am
by RobertGonzalez
Beta software means do not rely on it for complete functionality or security. At least in my opinion. Not that anyone deserves that type of attention, but beta is beta.

Posted: Sat Aug 26, 2006 11:16 am
by matt1019
no, no, no... sorry probably my mistake:
Php fusion is considered a stable release (v6.014 right now). The beta site is for people who make "mods" for this cms... they submit and other users try it out etc etc etc.

but no, phpfusion is not in beta version. it is available as stable version.

Good to know that people such as these are getting punished! Otherwise, if no punishment is given, then such people would think that they will never get caught and start doing it more often... and this is where it would get ugly.

-Matt

Posted: Sat Aug 26, 2006 11:25 am
by matt1019
As many of you are aware a number of PHP-Fusion Support Sites have been hacked in the last 12 hours. This incident occurred because one admin on Open Beta had his password leaked. The hacker used this password to login and steal all registered users' passwords including members of many support sites. The hacker has used this information to cause wide-spread damage to PHP-Fusion Support Sites generally by destroying the user database tables. I am extremely angered by this attack, and I can only apologise for this incident.

My advice to everyone is to change your password, and never use the same password for more than one site. As far as I know there is no security hole involved in this attack so try not to panic. Thanks.
Huh, I guess this is the part where the Author/Admin says... "BUT THE GOOD NEWS IS:" bleh.

just makes me sick!!! wanna punch (and keep punching) that mofo like a punching bag----> talking about the hacker

-Matt

Posted: Sat Aug 26, 2006 1:23 pm
by RobertGonzalez
Technically this is not a hack as this person was given full access by an admin. That was a simple 'malicious intent carried out' type of thing. But still, that guy should pay for what he did. And that admin should be demoted, in my opinion.

Posted: Sat Aug 26, 2006 2:21 pm
by Chris Corbyn
WRT malicious hackers. They'll always track them. It might take a long time if they cover their tracks well but no matter what level of disguise you make, TCP packets always carry information about the origin of the request (even with IP spoofing). TCP relies upon such information to even function.

Posted: Sat Aug 26, 2006 4:54 pm
by daedalus__
I think it's fine most of the time.

Security holes need to be identified and patched.

Yin and Yang.. lol