Safe forums?

Discuss the many weaknesses of browser security and ways to mitigate the threat

Post by reason3 on Tue Feb 09, 2010 9:36 am

Hello guys, I've been registered on this site for quite a while now, but I was focusing on doing the challenges and learning rather than taking part in your forum conversation. That's until now.

I was thinking of creating a site on a free forum hosting server, probably because I don't have the knowledge required to make my own. Can you probably help by listing the best, fastest and safest?

About 3-4 months ago I made a forum rather quickly on Forumotion, and it was hacked by a "guest" who defaced my site, and as soon as I joined I was redirected to a page which rick-rolled me.

Can you inform me about the methods he used to do this? I don't think it was SQL, as I checked it by myself. Maybe CSS?
A few sites concerning how forums work and the ways the so-called "hackers" use to acquire access would help me learn and choose the right one.

Thanks...


Re: Safe forums?

Post by Goatboy on Tue Feb 09, 2010 9:41 am

I don't know of too many forum-hosting servers, but if you are looking for a good forum suite, phpBB (PHP Bulletin Board) is great. That's what we use here on HTS, albeit somewhat modified. I'd suggest taking a look.

As far as how he got in, it very well could have been SQL injection. There's a chance you missed something. XSS (I read CSS as Cascading Style Sheets) is also a possibility, as is CSRF, or pretty much any other attack. Without knowing how your site is laid out and how it's built, it's hard to tell. And no, that was not a hint that I want to look at it. I'm tired and have classes to keep me busy. Someone else might, though.
Mundus Vult Decipi


Re: Safe forums?

Post by reason3 on Tue Feb 09, 2010 9:56 am

I will try to provide you with more info then...

Like all forums, I had 3 groups of users. 1 was the guests; they weren't allowed to post topics nor to perform any other actions than just search (that might have been my forum's downfall) and read the topics. 2 was the registered users, who were allowed to post and edit more info about their profile. The 3rd group was the moderators; they had full access and could change the forum as they wished.

I was the only moderator, and I had about 20-30 registered users. I can't tell for sure whether the one who "hacked" my site was a registered member or a guest, but the next time I joined my forum I saw weird things.

First of all, he had made 1 post in all of my sections, which were just empty (I couldn't see anything), and the name of the poster was simply Guest.
Then after a few seconds, I was redirected to a page which rick-rolled me (I think you know what this is).
In order to stop the rick-roll I had to close my browser (Mozilla).
Summarizing, by making these strange posts he was able to stop me and all of the other members from posting, because we were getting rick-rolled.

If someone has any prior experience with a similar problem, I wish to know how he did this in order to protect myself from it.


EDIT: After reading about it, I have come to believe that he may have used CSS, as I read articles that said he could simply redirect me to another page through his post using <script> .... </script> tags.

I know how CSS works and that you can easily craft "magic" sentences to check if a site is vulnerable. What I don't get is how they use it to manipulate my site.


Re: Safe forums?

Post by Goatboy on Tue Feb 09, 2010 11:33 am

Here's something to help demonstrate XSS:

In your address bar, clear out all the text and replace it with this:

Code:
javascript: alert("h4x0r3d!1");

Now hit enter. See what happens? If you did it right, a popup should show. In the same sense, if he were to write

Code:
<script type="text/javascript">alert("h4x0r3d!1");</script>

it would do the same thing on your page. Now imagine what else he could do. Redirect, perhaps?

Now as for how he managed to post as a guest, I don't know for sure. He may have found a flaw in the code that allowed him to do so, or he may have registered a name of Guest.
Mundus Vult Decipi


Re: Safe forums?

Post by cilpolir on Tue Feb 09, 2010 1:00 pm

You could easily check if it's a <script> </script> thing by just disabling JavaScript in your browser and checking the source code of the post. On the guest thing I could only agree with Goatboy; if you could post the source code we can be of more assistance.


Re: Safe forums?

Post by insomaniacal on Tue Feb 09, 2010 3:49 pm

There might have been a vulnerability in that version of the forum you were using, which he could have exploited in order to put some code into your page.

If he made a bunch of threads, and you got rick-rolled by visiting them, then it's probably some form of CSRF.
It's not who votes that counts, it's who counts the votes
insomaniacal.blog.com


Re: Safe forums?

Post by reason3 on Tue Feb 09, 2010 4:13 pm

C'mon guys, don't take me that lightly. I said that I'm not that good with the codes, but not that I am completely unaware about programming. I have completed all of the JavaScript missions...

I have also said that I had come to this conclusion, too, that he used CSS or CSRF. The problem is that I want to know how he managed to do this, and if it is possible for it to be done again in my new forum.
If someone is willing to help me understand this, I would be grateful. Let's say I find a forum site. I try all possible combinations of CSS (at least those that I know) and I find that it is vulnerable to 3 of them. How can I benefit from this? Running an alert script would only be displayed in my browser, so I cannot affect others. I've read articles saying I can make a redirect to my server and prepare a cookie-stealer for them to steal their PHP SESSID. That's now what I want to know: is there a possibility for him to change my code? If so, how?

Is there a way to get logged in to a forum without registering? The old "or 1=1" trick (nor variations of this) doesn't work, and he also wasn't able to run SQL commands.

Well, after he gained access and could post, it's probably the host's fault that the inputs were not sanitized, so he was able to execute those nasty script commands that allowed him to redirect and rick-roll me.

*The forum was deleted, so I cannot copy and paste the source code here. I can help you by letting you know that my host was Forumotion and the forum was created about 5-6 months ago.


Re: Safe forums?

Post by Goatboy on Tue Feb 09, 2010 4:24 pm

<sarcasm>
Well hell, you completed all the javascript missions. You should be able to figure this out.
</sarcasm>

Look, the simple truth is we cannot really help you much if we can't see code. The best we can do is give a fairly broad estimate of what could have happened. We cannot say "Based on the rickroll, we can tell he was using the rrpwn exploit." It just doesn't work like that. We affirmed your suspicion about XSS. We don't know how he did it, but we've already given you some good guesses. What more do you want?

Now as far as how you could benefit, the JavaScript does not just run on your browser. If the attacker places this JavaScript on the page, it runs for anyone viewing that page. That's most likely how he was redirecting you. The cookie stealer is fairly simple. The attacker redirects the victim to a page s/he controls, passing the valid cookies/information as arguments. The page s/he controls then logs this info and redirects back to the forum. This all happens so fast that you don't notice it.
Mundus Vult Decipi


Re: Safe forums?

Post by reason3 on Tue Feb 09, 2010 4:31 pm

I wasn't bragging about completing all the javascript missions, they were fairly easy, and sorry if it looked that way...

So..you mean that if i use something like this.. " ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> "

to check for CSS vulnerabilities and I get 3 alerts, other people viewing the same page will get the alert messages too?
Wow, I didn't know this; this could be used in many ways 8-)

I'm saying that he might have used it to change my code, and alter the login function to let him log in without any username or password. What else besides alert can you use?


Re: Safe forums?

Post by Goatboy on Tue Feb 09, 2010 4:50 pm

Well, you'd have to actually put the code on the page. Like right now, I'm typing words that will go on this page. If this site were vulnerable to XSS (which would be quite embarrassing) I could put malicious code within script tags and they would execute.

You should be able to enter any valid javascript functions. After all, alert() is just a function, so others should be the same. I don't think (someone correct me if I am wrong) you can actually change the page's code with javascript. He could, however, bypass simple authentication, as you suggested.
Mundus Vult Decipi
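
Added example, not part of the original thread and not phpBB or Forumotion code: the thread's point that script placed in a post runs for everyone viewing it, seen from the forum's side, where encoding post text on output makes the quoted snippet display as plain text. The names escapeHtml, renderPost and flagSuspiciousPosts and the sample posts are constructed for illustration.

```javascript
// Added example: hypothetical helpers, not code from any real forum package.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five HTML-significant characters so a post body is shown as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical template helper: every user-controlled field is encoded on output.
function renderPost(post) {
  return '<div class="post"><span class="author">' + escapeHtml(post.author) +
    '</span><div class="body">' + escapeHtml(post.body) + "</div></div>";
}

// Triage patterns for stored posts: markup that would run or load content
// if the forum printed the body without encoding.
const ACTIVE_MARKUP = [
  /<\s*script\b/i,
  /<\s*(iframe|object|embed|meta)\b/i,
  /<[^>]*\son[a-z]+\s*=/i,                  // inline event handler inside a tag
  /(href|src)\s*=\s*["']?\s*javascript:/i,  // javascript: URL in a link or source
];

// Return the ids of posts worth reading in raw form, e.g. by viewing the page
// source with JavaScript disabled as suggested earlier in the thread.
function flagSuspiciousPosts(posts) {
  return posts
    .filter((p) => ACTIVE_MARKUP.some((re) => re.test(p.body)))
    .map((p) => p.id);
}

// Constructed sample data; post 1 reuses the snippet quoted in the thread.
const samplePosts = [
  { id: 1, author: "Guest", body: '<script type="text/javascript">alert("h4x0r3d!1");</script>' },
  { id: 2, author: "alice", body: "phpBB looks fine to me. Is 3 < 5 & 5 > 3?" },
  { id: 3, author: "bob", body: 'Click <a href="javascript:void(0)">here</a>' },
];

console.log(flagSuspiciousPosts(samplePosts));
console.log(renderPost(samplePosts[0]));
```

The pattern list is only for finding which stored posts to inspect after an incident; the protection is the output encoding, which also leaves harmless text such as "3 < 5" readable.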