Email list susceptible to hackers easily

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Email list susceptible to hackers easily

    A user just went through our board with a simple script which does nothing more than submits to member.php each user id 1 through whatever number you stop the loop at (maximum number of members) and submits the form along with the message of their choice.

    I disabled the member list options as at first I thought he did it manually, but after looking closely at the logs I see it was done this way, which by the way is very simple. How can I stop this or shut this down, or do I need to set every user's option to not allow email?

    Seems like an extreme way to fix it. Any ideas for a solution or could the programmers here put a fix on what I believe is a large hole in the application now?

    Any registered member could write this short script and run through the list and get emails out to any that have allowed it in their profile.

    A floodcheck might be one solution. If there are ideas for other ways to close this hole I might try to hack a fix myself.

    Thanks.
    Marc
    -------
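The post above says the scripted run was only recognised "after looking closely at the logs". The following is an added example (not code from the thread or from vBulletin) of what that look can be turned into: a small checker that reads Apache-style access-log lines and flags any client that POSTs to member.php more than a threshold number of times within a short window. The log lines, IP addresses, timestamps and the path /forum/member.php are constructed for the example. The per-request user id travels in the POST body, which an access log does not record, so the only signal available here is the request rate per client; that is exactly why a looped script stands out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format. Nothing here is
# taken from the thread's real logs. Client 203.0.113.7 models the scripted
# run the post describes (one POST to member.php after another); client
# 198.51.100.4 is an ordinary member who viewed a page and sent one e-mail.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2002:10:15:01 +0000] "POST /forum/member.php HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2002:10:15:02 +0000] "POST /forum/member.php HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2002:10:15:03 +0000] "POST /forum/member.php HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2002:10:15:04 +0000] "POST /forum/member.php HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2002:10:15:05 +0000] "POST /forum/member.php HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2002:10:15:06 +0000] "POST /forum/member.php HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
198.51.100.4 - - [12/Mar/2002:10:15:03 +0000] "GET /forum/index.php HTTP/1.0" 200 9421 "-" "Mozilla/4.0"
198.51.100.4 - - [12/Mar/2002:10:15:40 +0000] "POST /forum/member.php HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_mail_bursts(lines, script_name="member.php", threshold=5, window_seconds=60):
    """Return {ip: peak_count} for clients whose POSTs to `script_name`
    reach `threshold` or more inside any `window_seconds`-long window.

    Only POSTs count: the e-mail form is submitted with POST, while a GET
    to the same script is just someone viewing a profile or the form."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.endswith(script_name):
            posts[ip].append(ts)

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window: for each request, count how many earlier ones
        # fall within the window ending at it.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_mail_bursts(SAMPLE_LOG.splitlines()).items():
        print("%s: %d POSTs to member.php within 60s" % (ip, count))
```

Run against a real log the threshold and window want tuning to the board's normal traffic; on the constructed sample the scripted client is reported and the member who sent a single e-mail is not.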

  • #2
    Re: Email list susceptible to hackers easily

    Originally posted by mvigod
    A user just went through our board with a simple script which does nothing more than submits to member.php each user id 1 through whatever number you stop the loop at (maximum number of members) and submits the form along with the message of their choice.
    That sucks! Abusers are lamers! They ARE causing damage, and if your board is a commercial one, I see no reason why not to charge this user for the damage done. The damage that is done is that users trust your policy and still get spam mails and other unwanted stuff, costing you possible registrations and, even worse, clients.

    I disabled the member list options as at first I thought he did it manually, but after looking closely at the logs I see it was done this way, which by the way is very simple. How can I stop this or shut this down, or do I need to set every user's option to not allow email?
    Nah, a choice made by a member 'should' be respected. And yes, I think members see the need for this option, but I think you can fix this other than by restricting your members. See it the other way around: restrict the abuser. If he was a registered member, ban him through the Moderators Control Panel 'forum/mod' and ban his E-mail and host address (ip) through the Admin Control Panel 'forum/admin'.

    A nice 'extra' step you can take against this abuser is to report his behaviour 'with the date/time/logs' to his ISP and request direct action and a reply to what their 'official statement' of this kind of abuse is.

    Seems like an extreme way to fix it. Any ideas for a solution or could the programmers here put a fix on what I believe is a large hole in the application now?
    This is not a hole in the application .. nor a bug in the forum software.

    These are just abusers finding every possible way to be abusive.
    And to continue my advice as I see it, if the user isn't a registered member, alter the permissions of your guest (unregistered) users through the Admin Control Panel 'forum/admin' to not allow guests to view the memberlist and/or to E-mail in any way. (That way he has to register, and that way you get MORE info about this user. Another nice touch: enable the E-mail check system, so on registration a user has to activate the account, so fake addresses are filtered.)

    Any registered member could write this short script and run through the list and get emails out to any that have allowed it in their profile.
    Does this count too, if you have the option for E-mail set like; publicly display E-mail address?

    A floodcheck might be one solution. If there are ideas for other ways to close this hole I might try to hack a fix myself.
    Floodchecking restricts your registered users too, who aren't abusive.

    Thanks.
    No problem.


    Keep in mind that I am new to the forum too, and that I just post what I know. Hope a more official member can either add to my suggestions or correct or adjust my advice.

    Every little bit helps, right!



    • #3
      Thanks for the reply...

      Registered users were the only ones allowed to use this feature. It was a registered user and his ip and email are all banned of course. But..if he or another wanted to exploit this hole then it could be easily done. It's not a secure situation and there really must be a security check to guard against this. It's not enough to hope that all registered members will not abuse the system, unfortunately.

      Here is why it's too easy. The forum system works by id numbers. The email form in vbulletin makes a simple post to member.php. Write a script with a loop from 1 to whatever and post to the script with the other needed parameters and just like that every user who has his option set to receive email will and it's through your smtp server!

      There are other "holes" like this which need floodchecks too which could really create havoc by abusers. I won't list more than I have here for fear of giving any ideas but the developers can contact me back channel to discuss them if they like.

      These features are great when they are used as intended. When they are not it can be a disaster. Fortunately for me in this case the email that was sent by this guy was to promote his site and he had his url and toll free number in it. So all the headers had my site's name in it along with the links/messages generated by vbulletin and then below his spam. This backfired terribly on the guy and there were a lot of people very angry with him.

      If it happens over and over they will get angry at me for not patching the hole. I can disable all the board emails but that strips that feature away from users. Each vbulletin is susceptible to this. Even this board!

      I'll work on some fixes but am open to ideas on how to implement besides floodchecks if you have any.
      Marc
      -------



      • #4
        Good suggestion, but this again, falls on Moderation.

        How is this any different than the many email bots that run rampant on the net siphoning email addresses from websites and webpages?

        If your user's email is open to all (even if they are not registered) and is posted anywhere in any thread on your forum, it will be picked up by the many bots that are already out there.

        All one has to do is search on their email address through google and they will see where they've used it; on which forums they've used it on, and if it's been posted anywhere on the net.
        There are only 10 types of people in the world: Those who understand binary, and those who don't



        • #5
          I do agree with you on those points WizyWyg but what is different here is that they are using YOUR server to send those emails. Your SMTP server will be spamming every single member on your list at full speed through your own server and it's resources! It's different if somebody mines your pages and sends the spam out themselves on their own servers. This is coming from your own though. This should at least be prevented.

          The other stuff you're right, you just can't stop it completely, but you don't want your own server taken over to do the dirty work using your bandwidth, resources, smtp, and mail relay! What if they send out spam to 10,000 members and 50 messages to each one...next thing you know you're on the MAPS blackhole list. This is a matter of securing your own server to guard against this. I think this is a serious oversight that should be addressed. The post and pm features are floodchecked...same thing here, and this exploit would cause potentially more damage than those.

          Working on a fix now...hopefully I can make it work.
          Marc
          -------



          • #6
            Ok...have most of it done...

            Need some help here...how does "$pmfloodtime" get its value from inside private.php? I don't see it defined in private.php or globals.php. I see it in the database but don't see how it's getting its value into the private.php page. Also, this is usually set to 60, but in the private.php routine it appears that the "long" date format is used, so is $pmfloodtime converted to the long format somewhere? Can't figure out where it's actually getting the value into the variable.

            Any ideas?

            Thanks.
            Marc
            -------



            • #7
              Assuming you want your users to continue using this function, a floodcheck is the only solution.

              I don't agree that it is a hole. It works exactly as it is supposed to and does not allow unauthorized users to use it. Unfortunately one of your authorized users abused it but that can happen with almost anything.



              • #8
                Thanks tubes...I guess it is a hole if a registered user abuses it since there is a pm floodcheck and a post floodcheck. Anyway...I'm almost done with the patch/hack.

                Seems like that would be the only solution.
                Marc
                -------



                • #9
                  Originally posted by mvigod
                  Thanks tubes...I guess it is a hole if a registered user abuses it since there is a pm floodcheck and a post floodcheck. Anyway...I'm almost done with the patch/hack.

                  Seems like that would be the only solution.

                  It is no hole, but if you want to believe so, sure it is. Also; if I register on your forum and put in ": website: http://www.CLICKHEREANDEARN500EURO.com/ " that is abuse too, that's a hole too then? . .. instead of the email, they can get the www address and put [email protected] in front of it, and do it there too.. I can think up a zillion more options that use the uid, but that doesn't make it a hole. And I doubt you find any system which doesn't have this feature, that can't be abused.


                  Anyway, you are altering code? You have to be on www.vbulletin.org for code hacking support.



                  • #10
                    I guess calling it a hole is a matter of semantics. I think the pm or post floodcheck is in place to stop flooding so all I am saying is there should be a floodcheck for emails. This is much worse of a situation than your example of a user putting something like a web address in and sending to @whatever.com. So if I don't call it a hole I will call it a potential area for large and damaging abuse by a user so willing to cause it.

                    This is somebody hijacking your server, turning it into a spam mail relay, running down your entire id list and sending each one as many mails as they want using your own server. Try 2000 emails in an hour or less.

                    I don't think it is vbulletin's developers fault as often we rely on these systems being used for their intended purposes as opposed to the fool that came on my boards. I myself studied some of the code and systems and completely missed this potential area of abuse.

                    Yes there are many other options that could be abused to varying degrees as you say and you're right that doesn't necessarily make them a hole. I just felt that, for example, on a site like vbulletin.com any member can write a 20 line perl script and email EVERY member via vbulletin's own mail server. They can send 1 message or 100 to EACH user using only vbulletin's server, smtp server, relays, etc. Call it whatever makes you comfortable and makes sense for you. I had it happen to me so to guard against it there must be code in place because the magnitude of damage by this is much more than the examples you describe. What if a guy sends out to the tens of thousands of people here on vbulletin and it's spam. Now they get blocked by MAPS blackhole and no more email services?

                    Again, this isn't culling an email list off of some site and then mailing it yourself. Your server is the mailer doing all the dirty work.

                    I wrote the patch for a floodcheck and it is complete. I know it is supposed to go to vbulletin.org and I will post it over there in awhile.
                    Marc
                    -------
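The thread's conclusion (posts #5, #8 and #10) is that the "e-mail a member" form needs the same kind of floodcheck the post and PM features already have. The code below is an added example of that control, not mvigod's patch and not vBulletin code; the class name, the two limits (a minimum gap between sends modelled on the 60-second floodtime mentioned in post #6, plus a cap per rolling hour) and the simulated user id are assumptions. The point is that the check is keyed on the sender, so one registered member looping over every user id gets through only as often as the limits allow, however many ids the loop covers. The question in post #6 about where $pmfloodtime is loaded is not answered here.

```python
from collections import deque


class MailFloodCheck:
    """Per-sender rate limit for a 'send e-mail to member' form.

    Two independent limits are checked before any message is handed to the
    mail server: a minimum number of seconds between two accepted sends
    (the vBulletin-style 'floodtime') and a cap on accepted sends per
    rolling hour. Both are keyed on the sender, because in the thread the
    abuser was one registered sender and the recipient ids were the thing
    being looped over.
    """

    def __init__(self, floodtime=60, hourly_cap=20):
        self.floodtime = floodtime
        self.hourly_cap = hourly_cap
        self._last_send = {}   # sender id -> timestamp of last accepted send
        self._recent = {}      # sender id -> deque of accepted send timestamps

    def check(self, sender_id, now):
        """Return (allowed, reason). A send is recorded only when allowed."""
        last = self._last_send.get(sender_id)
        if last is not None and now - last < self.floodtime:
            wait = self.floodtime - (now - last)
            return False, "flood: wait %d more seconds" % wait

        window = self._recent.setdefault(sender_id, deque())
        # Drop accepted sends older than one hour, then apply the cap.
        while window and now - window[0] >= 3600:
            window.popleft()
        if len(window) >= self.hourly_cap:
            return False, "hourly cap of %d reached" % self.hourly_cap

        self._last_send[sender_id] = now
        window.append(now)
        return True, "ok"


def simulate_scripted_run(attempts=2000, interval=1, **limits):
    """Replay the scenario from the thread: one sender (a constructed id)
    submitting the form once per recipient id, `interval` seconds apart,
    `attempts` times. Returns how many submissions the check let through."""
    fc = MailFloodCheck(**limits)
    accepted = 0
    for i in range(attempts):
        allowed, _reason = fc.check("member-42", i * interval)
        accepted += allowed
    return accepted


if __name__ == "__main__":
    # 2000 form submissions one second apart, which the thread gives as the
    # scale of the original run, against the default limits.
    print("accepted: %d of 2000" % simulate_scripted_run())
```

The check has to run inside the script that actually sends the mail (the form's POST handler), not in the page that renders the form; a script that posts directly never loads the form, which is why disabling the member list alone did not stop the run described in the first post.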



                    • #11
                      Originally posted by mvigod
                      I guess calling it a hole is a matter of semantics. I think the pm or post floodcheck is in place to stop flooding so all I am saying is there should be a floodcheck for emails. This is much worse of a situation than your example of a user putting something like a web address in and sending to @whatever.com. So if I don't call it a hole I will call it a potential area for large and damaging abuse by a user so willing to cause it.

                      VIA vbulletin, it's impossible to flood with emails. Since either you have to do it through a form (if the administrator set it up that way) or you physically click on the person's name and get the email address.

                      It's not a "hole". I suggest looking into how your smtp is set up as that would control all outgoing mail. It could be a combination of both. Your SMTP could be set up to allow "mass emailing".


                      This is somebody hijacking your server, turning it into a spam mail relay, running down your entire id list and sending each one as many mails as they want using your own server. Try 2000 emails in an hour or less.
                      Then it's your smtp server that's set up wrong. NOT vbulletin.

                      I don't think it is vbulletin's developers fault as often we rely on these systems being used for their intended purposes as opposed to the fool that came on my boards. I myself studied some of the code and systems and completely missed this potential area of abuse.
                      Look into your smtp server and see what its settings are.
                      There are only 10 types of people in the world: Those who understand binary, and those who don't



                      • #12
                        Hmmm....I see you're not understanding this and that is why you have said what you said above.

                        VIA vbulletin, it's impossible to flood with emails. Since either you have to do it through a form (if the administrator set it up that way) or you physically click on the person's name and get the email address.


                        Not impossible...if you want me to prove it to you let me know what your board url is and I'll shoot an email off to every single user you have USING THE FORM. I don't know if you are a programmer but to use the form by posting with the proper variables is what I'm talking about. Using the form is what was happening and has nothing to do with SMTP on my server. All mail relay to outside hosts/users is closed off but not to vbulletin since it's on our server.

                        Don't believe me, then tell me how many "test" emails you want me to fire off on your server and I'll show you just so you can understand what I'm trying to explain here. If you want I can fire off 20 or 30 just to show you. You can check your mail logs and see how I can use your server to do the dirty work as well.

                        The form method does not make it secure at all. All your script does is put in the userid of each member (1 through whatever number) and post the message via the form using the script and each member will get the email. I hope this finally explains what I'm talking about to you and as I said if not give me the board url and how many "test" spam mails you want fired off just so I can show you it can be done. For the test you tell me how many members you want me to send to or all and how many you want each one to get (1, 5, 100, more) and then I'll prove to you this exploit.

                        BTW, I don't condone this in any way and think it stinks that people have abused this feature but on the other side that's why a checking routine needs to be in place which I now have. I don't know if anybody ever had this happen to them but I'm just making them all aware it is possible so they can protect themselves.
                        Marc
                        -------



                        • #13
                          Originally posted by WizyWyg
                          VIA vbulletin, it's impossible to flood with emails
                          That is not correct.
                          His SMTP server has nothing to do with it.



                          • #14
                            Re: Re: Email list susceptible to hackers easily

                            Originally posted by xiphoid
                            These are just abusers finding every possible way to be abusive.
                            And to continue my advice as I see it, if the user isn't a registered member, alter the permissions of your guest (unregistered) users through the Admin Control Panel 'forum/admin' to not allow guests to view the memberlist and/or to E-mail in any way. (That way he has to register, and that way you get MORE info about this user. Another nice touch: enable the E-mail check system, so on registration a user has to activate the account, so fake addresses are filtered.)
                            Pardon my ignorance, but where exactly can I ban a guest NOT to see the memberlist? I see permissions only on a forum basis and the ability to use the memberlist, but no permissions for it.
                            Thanks



                            • #15
                              Originally posted by gospina
                              Pardon my ignorance, but where exactly can I ban a guest NOT to see the memberlist? I see permissions only on a forum basis and the ability to use the memberlist, but no permissions for it.
                              Thanks
                              I'm also searching for this ability. I want to keep visitors from seeing the member list and information.

