I was just hacked by user, very easily.

  • I was just hacked by user, very easily.

    I went to my board vbskins.com and noticed there was someone logged in as an admin, but his profile said "Junior Member", so I PMed him and got this response:

    quote:
    --------------------------------------------------------------------------------

    Alex wrote on Today 06:11 PM:
    Excuse me are you trying to hack my board??

    I will remove you if you attempt it again.

    --------------------------------------------------------------------------------

    I don't try to hack

    I'm testing security
    please put htaccess on it it's too easy to enter admin control
    and please delete getadmin.php

    with that your board is too easy to enter
    I deleted nothing
    it's just for seeing
    not for doing like asshole hacker

    sorry for my bad English I'm French

    I'm leaving now

    but please protect it better

  • #2
    Yep, you should not leave getadmin.php in place.

    It's designed for people who have lost admin power so they can regain it and then delete the file.

    You don't need to .htaccess the admin directory, but if you can, it can be a good precaution.
    Scott MacVicar

    My Blog | Twitter


  • #3
    Thanks, I removed it now. Can anyone hack it now?


  • #4
    Nope.

    The reason that you shouldn't leave getadmin.php is that anyone can just register and use getadmin.php to make themselves an admin, and they then have access.
    Scott MacVicar

    My Blog | Twitter


  • #5
    The "extras" in the distribution really need moving outside of the core folder. During an upgrade a long while back I was in a massive hurry and worked directly on the new files (rather than a copy, as I normally do), then uploaded the whole structure... a good month later I suddenly realised that forums/extras/getadmin.php was on my system!!!

    Needless to say I immediately nuked the extras folder and, each time I download an updated VB, I nuke the extras folder from the decompressed files immediately.

    Given the dangerous nature of that file, shouldn't extras at least be located within the admin folder of the structure, if not outside of the structure altogether? 99% of the time those files should never get onto a live system, but given where they are it's all too easy (as with my experience above) for it to eventually turn into an accident that could be disastrous...

    Cheers


  • #6
    The getadmin file needs to connect to the database, and you can't place it in the admin folder, as you would need to be an admin to access the file (it relies on global.php), and the whole reason you are using it is that you've lost admin access.
    Scott MacVicar

    My Blog | Twitter


  • #7
    I beg your pardon? Unless vBulletin has suddenly integrated itself into Apache, then one does NOT need to log into vBulletin in order to access the admin folder. Folder security is managed by the web server, not a PHP script!


  • #8
    What I said was that if you placed it in the admin folder and the getadmin.php script includes global.php, then you would need to log in using your vBulletin username and password. Is that more clear?

    And you would be unable to do this, as that's the whole point of using the script: you had lost the admin username or password.
    Scott MacVicar

    My Blog | Twitter


  • #9
    quote:
    The "extras" in the distribution really need moving outside of the core folder
    It is, isn't it? The upload folder contains all the files to be uploaded, and the extras folder contains... well, extras!
    John Percival

    Artificial intelligence usually beats real stupidity ;)


  • #10
    Originally posted by PPN
    what i said was that if you placed it in the admin folder and the getadmin.php script includes global.php then you would need to login using your vBulletin username and password, is that more clear?
    So will printing the script and leaving it in the bathroom cause toilet flushes to need a vBulletin login as well? The worst a file relocation can do is break any hardcoded paths, nothing more.

    Originally posted by PPN
    And you would be unable to do this as thats the whole point of using the script because you had lost the admin username or password.
    One would think you'd use vBulletin's built-in password request option to have a new password issued, rather than create a new account and assign it admin rights...

    Originally posted by John
    It is, isn't it? The upload folder contains all the files to be uploaded, and the extras folder contains...well, extras!
    Hmmmm, just checked the latest zip and you're right... was it perhaps moved a while back? I definitely ended up with the whole extras folder on my system once... but alas, it definitely wouldn't be a problem now in any case.


  • #11
    You need to create a new account first.

    I'll try and explain this clearly again.

    The global.php in the admin folder checks your login. This involves making sure that you have permission to access the control panel by checking cancontrolpanel in the usergroup table for the user's usergroup. If they don't, then they are prompted with the login; else the script is allowed to execute.

    The only case in which you will be using getadmin.php is to restore admin rights, so placing this in the admin directory will prevent it from working, as you won't have a user login with admin permissions. This means that it would have to be placed in the root vBulletin folder, as there are no checks there to make sure that you are an admin.

    The extras folder has never been inside the upload folder.
    Scott MacVicar

    My Blog | Twitter


  • #12
    So you're saying getadmin.php references "global.php" (i.e. the current folder) instead of "forumhome/global.php", and rather than fix that problem you just declare it must be run from forumhome?

    I find that rather weird... why not fix the problem rather than publish a procedure that places the security of a world-accessible server at risk (even if for only minutes)?


  • #13
    Even if you did make it "./../global.php" and placed it in the admin folder, anyone would still be able to access it.

    It's the global.php in the admin folder that does the check for username and password.
    Scott MacVicar

    My Blog | Twitter


  • #14
    Originally posted by PPN
    even if you did make it "./../global.php" and placed it in the admin folder anyone would still be able to access it.
    Exactly HOW can "anyone" access it? The SERVER is protecting that folder. You can place whatever script you like in there and nobody will have access to it, because your SERVER will deny access. It has nothing to do with vBulletin.


  • #15
    This may be your case, but for the majority of users the server does not protect the admin folder.
    Scott MacVicar

    My Blog | Twitter

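As an added example (not vBulletin's own code and not from anyone in this thread), the POSIX shell script below audits a web root for the two problems discussed here: a leftover getadmin.php or extras/ folder (post #2 and #5), and an admin/ directory with no server-level access control (posts #14 and #15). It then applies the fixes suggested in #2: delete the recovery script and put a .htaccess on the admin directory. The sample web root it builds under mktemp, the file layout and the AuthUserFile path are constructed assumptions for the demo, not anything taken from a real install.

```shell
#!/bin/sh
# Added example, not vBulletin code: audit a web root for a leftover
# getadmin.php / extras folder and for admin/ directories that have no
# .htaccess, then remediate. The sample tree is constructed for the demo.
set -eu

# Number of getadmin.php copies under a directory (should be 0 on a live site).
count_getadmin() {
    find "$1" -type f -name 'getadmin.php' | wc -l | tr -d ' '
}

# Number of extras/ directories under a directory (should be 0 on a live site).
count_extras_dirs() {
    find "$1" -type d -name 'extras' | wc -l | tr -d ' '
}

# Number of admin/ directories that lack a .htaccess file.
count_unprotected_admin_dirs() {
    n=0
    for d in $(find "$1" -type d -name 'admin'); do
        if [ ! -f "$d/.htaccess" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# audit_webroot DIR: print one line per finding; succeed only when clean.
audit_webroot() {
    root=$1
    g=$(count_getadmin "$root")
    e=$(count_extras_dirs "$root")
    a=$(count_unprotected_admin_dirs "$root")
    [ "$g" -eq 0 ] || echo "FOUND: $g leftover getadmin.php file(s) under $root"
    [ "$e" -eq 0 ] || echo "FOUND: $e extras/ directory(ies) uploaded under $root"
    [ "$a" -eq 0 ] || echo "WARN: $a admin/ directory(ies) without .htaccess under $root"
    [ $((g + e + a)) -eq 0 ]
}

# remediate_webroot DIR: remove the recovery script and extras folder, and put
# HTTP Basic auth on every unprotected admin/ directory. The AuthUserFile path
# is a placeholder: point it at a real htpasswd file outside the web root.
remediate_webroot() {
    root=$1
    find "$root" -type f -name 'getadmin.php' -exec rm -f {} +
    find "$root" -type d -name 'extras' -prune -exec rm -rf {} +
    for d in $(find "$root" -type d -name 'admin'); do
        if [ -f "$d/.htaccess" ]; then continue; fi
        cat > "$d/.htaccess" <<'EOF'
AuthType Basic
AuthName "Forum admin area"
AuthUserFile /PLACEHOLDER/path/outside/webroot/.htpasswd
Require valid-user
EOF
    done
}

# make_sample_webroot: constructed tree that reproduces the situation in the
# thread (forums/extras/getadmin.php uploaded, forums/admin unprotected).
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/forums/admin" "$root/forums/extras"
    : > "$root/forums/global.php"            # empty stand-ins for the demo
    : > "$root/forums/admin/global.php"
    : > "$root/forums/extras/getadmin.php"   # the leftover file from the thread
    printf '%s\n' "$root"
}

# Demo run: audit, fix, audit again, then clean up the temporary tree.
demo_root=$(make_sample_webroot)
audit_webroot "$demo_root" || true
remediate_webroot "$demo_root"
audit_webroot "$demo_root" && echo "clean: $demo_root"
rm -rf "$demo_root"
```

Run it against a real document root by calling audit_webroot with the path; read the findings before letting remediate_webroot delete anything, and replace the placeholder AuthUserFile with an htpasswd file stored outside the web root, otherwise the .htaccess simply locks everyone out.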