Look like somebody hacked gov forum
http://www.darebin-libraries.vic.gov.au/forum/
http://www.devon.gov.uk/discussion/index.php
But the admin dunno about this hacking...you can see it left corner on the top one
doesn't surprise me... both sites are running phpBB 2.0.10 and there have been some "critical" updates and releases up to 2.0.13.
If you want to be secure, you've gotta keep current.
or use software that doesn't suck
That has got to be the shortest post I have seen you make Catch, :D
Quote:
or use software that doesn't suck
So what would you recommend and why?
Powered by phpBB 2.0.11 © 2001, 2002 phpBB Group
He ain't elite, anyone could have hacked that server ... ****'in jesus, the source is public, doesn't make you elite, not completely destroying the site won't make you a skiddie either
Heh, yeah usually a little more long winded.
Just sick of software that requires the user to remain on the bleeding edge, else suffer through serious, well-published exploits.
In the past when I used a web based message board system I added my own security additions using an external flatfile with hashes to ensure that users cannot change account accesses within a session. This was joined with a trusted operating system to ensure that the web server or the system itself couldn't be leveraged to alter the BBS. However, all of that isn't needed.
Other techniques would be to limit access to files and functions by IP address and to directly create several DB accounts with different powers (least privilege) and assign each script to the appropriate DB connection. This dramatically reduces the risk of SQL injection attacks.
These techniques are not foolproof, but they greatly add to the overall security and can easily be added to the application even by a crappy programmer like myself. ;)
cheers,
catch
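The per-script DB account idea from catch's post above, worked through as an added example (not code from the thread, and not phpBB's code). It assumes a two-table BBS schema and three hypothetical MySQL accounts, shown as GRANTs in the docstring; because sqlite3 has no user accounts, the grants are emulated with the connection's authorizer hook, which SQLite consults for every table and column a statement touches. The same two injections are then run once with a single shared account (what phpBB does) and once with per-script accounts, and only the blast radius differs:

```python
"""Least-privilege DB connections per script (added example, constructed data).

Assumed MySQL accounts the two scripts would use (not from the thread):

    CREATE USER 'bbs_view'@'localhost' IDENTIFIED BY '...';
    GRANT SELECT ON bbs.posts TO 'bbs_view'@'localhost';
    CREATE USER 'bbs_profile'@'localhost' IDENTIFIED BY '...';
    GRANT SELECT (id, name, signature), UPDATE (signature)
        ON bbs.users TO 'bbs_profile'@'localhost';

sqlite3 stands in for MySQL here, so the grants are enforced by an authorizer.
"""
import os
import sqlite3
import tempfile

DB_PATH = os.path.join(tempfile.mkdtemp(), "bbs.sqlite")

# Constructed sample data, not from the thread.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT,
                    level INTEGER, signature TEXT);
CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
INSERT INTO users VALUES (1, 'admin', 'h4sh-admin', 9, 'I run this place');
INSERT INTO users VALUES (2, 'bob',   'h4sh-bob',   1, 'just a user');
INSERT INTO posts VALUES (1, 2, 'hello world');
INSERT INTO posts VALUES (2, 1, 'welcome');
"""

# Hypothetical per-account grants: table -> {"read"/"update": columns or "*"}.
GRANTS = {
    "bbs_view":    {"posts": {"read": "*"}},
    "bbs_profile": {"users": {"read": {"id", "name", "signature"},
                              "update": {"signature"}}},
    "bbs_admin":   {"users": {"read": "*", "update": "*"},
                    "posts": {"read": "*", "update": "*"}},
}

def make_authorizer(grants):
    """Build a sqlite3 authorizer that allows only the granted reads/updates."""
    def authorize(action, table, column, dbname, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION,
                      sqlite3.SQLITE_TRANSACTION):
            return sqlite3.SQLITE_OK
        if action in (sqlite3.SQLITE_READ, sqlite3.SQLITE_UPDATE):
            kind = "read" if action == sqlite3.SQLITE_READ else "update"
            allowed = grants.get(table, {}).get(kind, set())
            if allowed == "*" or column in allowed or (column == "" and allowed):
                return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # INSERT, DELETE, DDL, PRAGMA: all denied
    return authorize

def setup_db():
    conn = sqlite3.connect(DB_PATH)
    conn.executescript("DROP TABLE IF EXISTS users; DROP TABLE IF EXISTS posts;"
                       + SCHEMA)
    conn.close()

def connect_as(account):
    """Open a connection 'as' one of the hypothetical DB accounts."""
    conn = sqlite3.connect(DB_PATH)
    conn.set_authorizer(make_authorizer(GRANTS[account]))
    return conn

def viewtopic(conn, topic_id):
    # Deliberately injectable, in the style of old string-built PHP queries.
    cur = conn.execute("SELECT body FROM posts WHERE id = %s" % topic_id)
    return [row[0] for row in cur.fetchall()]

def set_signature(conn, user_id, signature):
    # Deliberately injectable as well.
    conn.execute("UPDATE users SET signature = '%s' WHERE id = %d"
                 % (signature, user_id))
    conn.commit()

def user_row(user_id):
    conn = sqlite3.connect(DB_PATH)  # unrestricted, only to inspect results
    row = conn.execute("SELECT level, signature FROM users WHERE id = ?",
                       (user_id,)).fetchone()
    conn.close()
    return {"level": row[0], "signature": row[1]}

def demo(shared_account):
    """Run both injections with one shared account or per-script accounts."""
    setup_db()
    view = connect_as("bbs_admin" if shared_account else "bbs_view")
    profile = connect_as("bbs_admin" if shared_account else "bbs_profile")
    out = {"legit_post": viewtopic(view, 1)}
    set_signature(profile, 2, "new sig")          # the legitimate path works
    out["legit_sig"] = user_row(2)["signature"]
    try:                                          # UNION into the users table
        out["dump"] = sorted(viewtopic(view, "1 UNION SELECT pw_hash FROM users"))
    except sqlite3.DatabaseError as exc:
        out["dump"] = "denied (%s)" % exc
    try:                                          # smuggle a second SET clause
        set_signature(profile, 2, "x', level = 9 WHERE id = 2 --")
    except sqlite3.DatabaseError:
        profile.rollback()
    out["bob_level"] = user_row(2)["level"]
    view.close()
    profile.close()
    return out

if __name__ == "__main__":
    print("shared account:    ", demo(shared_account=True))
    print("per-script accounts", demo(shared_account=False))
```

With the shared account the first injection dumps every password hash and the second promotes bob to level 9; with per-script accounts both statements are refused at prepare time ("not authorized") while the normal page views and signature edits still succeed. The injection bugs are untouched, which is the point: least privilege on the DB side caps what a bug in any one script can reach, it does not fix the bug.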
If you don't trust your software you can try a web application firewall, given you don't have time to hack your app's source.
http://www.modsecurity.org/
Well I just fired off an email to the Devon County peeps, asking what they thought of this thread and pointing them to the Elite Hackors, Hacked page.
Hopefully they will see your post, Catch.
An application firewall only prevents an application from over-extending itself, for example forking a shell (or really anything involving writing to parts of the memory that it shouldn't). An application firewall will not help issues like SQL injection or hacks that otherwise do not violate the application's rights. For example, a normal BBS user using BBS admin rights is not doing anything beyond the scope of the application, just a user that shouldn't be doing it.
cheers,
catch
edited to add:
Perhaps I should add a paypal donate button. ;)
Quote:
Hopefully they will see your post, Catch
I'll take 15% commission, thank you very much. Lmao
Quote:
Perhaps I should add a paypal donate button.
Hi catch-
It's a web application firewall and it can prevent SQL and XSS. mod_security handles requests with filters by signature before they're handled by apache. Edit made on the other post.
Nonetheless, it still can't prevent the application from doing things it is legitimately allowed to do, and since the web application firewall doesn't know how to tell different types of message board users apart, it cannot stop attacks which remain within the application itself.
That said, it may use various filters and such to limit these types of attacks, and although that is better than nothing, for the multi-user web application (where users are contained within the app itself) I would not trust this type of solution.
cheers,
catch
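The distinction catch draws above (a signature filter in front of the board versus the board's own knowledge of who is who), together with the external hash file he described in his earlier post, as an added example that is not from the thread and does not use mod_security itself. It assumes a handful of mod_security-style regex rules, a two-page BBS with one admin page, and constructed sessions and requests; the HMAC of (session, user, level) written at login stands in for the external flat file of hashes, and its key is a placeholder:

```python
"""Signature filter vs. in-app authorization (added example, constructed data)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, unquote, urlsplit

# --- stage 1: a mod_security-style signature stage (assumed, simplified rules) ---
SIGNATURES = [
    ("sqli", re.compile(r"(?i)union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s")),
    ("xss", re.compile(r"(?i)<\s*script|javascript:|on(error|load)\s*=")),
]

def waf_filter(request):
    """Return the name of the first matching rule, or None if the request passes."""
    text = unquote(request["url"]) + "\n" + unquote(request.get("body", ""))
    for name, pattern in SIGNATURES:
        if pattern.search(text):
            return name
    return None

# --- stage 2: what only the application knows ---
DB_USERS = {"bob": {"level": 1}, "alice": {"level": 1}, "admin": {"level": 9}}
ADMIN_PAGES = {"/admin.php"}
ADMIN_LEVEL = 9

# The external record: HMAC(sid | user | level) written at login and kept
# outside the BBS database, so a write to the users table cannot change it.
RECORD_KEY = b"placeholder-key-for-this-example"
SESSIONS = {}        # sid -> user  (the BBS session table)
ACCESS_RECORDS = {}  # sid -> hex HMAC (the external flat file)

def access_record(sid, user, level):
    msg = ("%s|%s|%d" % (sid, user, level)).encode()
    return hmac.new(RECORD_KEY, msg, hashlib.sha256).hexdigest()

def login(sid, user):
    SESSIONS[sid] = user
    ACCESS_RECORDS[sid] = access_record(sid, user, DB_USERS[user]["level"])

def app_authorize(request):
    """The board's own check: session -> user -> level, cross-checked with the record."""
    path = urlsplit(request["url"]).path
    sid = parse_qs(request.get("cookie", "")).get("sid", [None])[0]
    user = SESSIONS.get(sid)
    if user is None:
        return "denied: no session"
    level = DB_USERS[user]["level"]
    expected = ACCESS_RECORDS.get(sid, "")
    if not hmac.compare_digest(expected, access_record(sid, user, level)):
        return "denied: access level changed mid-session"
    if path in ADMIN_PAGES and level < ADMIN_LEVEL:
        return "denied: not an admin"
    return "ok"

def handle(request):
    rule = waf_filter(request)
    if rule:
        return "waf blocked (%s)" % rule
    return "app " + app_authorize(request)

def scenarios():
    """Four constructed requests; returns which stage decided each and how."""
    SESSIONS.clear()
    ACCESS_RECORDS.clear()
    DB_USERS["bob"]["level"] = 1
    login("s-bob", "bob")
    login("s-admin", "admin")
    admin_req = {"url": "/admin.php?action=delete_user&u=alice", "cookie": "sid=s-bob"}
    results = {
        "sqli": handle({"url": "/viewtopic.php?t=1%20UNION%20SELECT%20pw_hash%20FROM%20users",
                        "cookie": "sid=s-bob"}),
        "bob_on_admin_page": handle(admin_req),
    }
    # bob has flipped his own level in the users table mid-session somehow;
    # the request that follows looks identical to the previous one on the wire.
    DB_USERS["bob"]["level"] = 9
    results["bob_escalated"] = handle(admin_req)
    results["real_admin"] = handle(dict(admin_req, cookie="sid=s-admin"))
    return results

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print("%-18s %s" % (name, verdict))
```

The UNION request is the only one the signature stage can act on. The other three are byte-for-byte the same admin request with different cookies; the filter passes all of them, and only the application's own check separates the real admin from a plain user, and from a plain user whose database row was changed after login.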
Quick question, directed at anyone who can answer it.
The only free open source CMS/BBS whatever you want to call it I've ever seen that allows you to use multiple db accounts is the one I've been working on for a few months now. I'd be interested in a CMS that does this that is established already, if anyone happens to know of one I'd like to see it. I don't think any of the ones on opensourcecms.com have this capability. (They all seem pretty crappy :/)
Quote:
Other techniques would be to limit access to files and functions by IP address and to directly create several DB accounts with different powers (least privilege) and assign each script to the appropriate DB connection. This dramatically reduces the risk of SQL injection attacks.
Hi catch
Even a "root" account with a separate database user on a multi-user web application can be XSS'ed and be forced to do malicious things, in that case mod_security would be pretty valuable. Personally I would go for that extra layer if mod_security itself doesn't add too much. :D
Quote:
That said, it may use various filters and such to limit these types of attacks, and although that is better than nothing, for the multi-user web application (where users are contained within the app itself) I would not trust this type of solution.