UseBB Community

The official board for UseBB help and discussion

UseBB Community » Help & Support » Security problems

Security problems

Moderators: Gaia.

Page: 1

Member
Registered: Apr 2007
Posts: 10
Hi,

First of all, I have to congratulate Dietrich, UseBB is a great forum system. I have created some forums with this tool and I'm very happy with the results :)

I have a problem with one of them. I'm using the 1.0.6 version and someone has posted without permission. I have the write post function enabled only for members, but someone has posted without a member account. I think it could be a security problem, but I'm not sure, because I think the SQL injection problem was solved in previous versions of UseBB.

I have noticed 2 "hacking actions", 2 posts created without a user....

I was testing some security features on the server, for example this PHP snippet:


<?php
// Probe for magic_quotes_gpc: redirect once with a lone single quote in the
// query string, then check whether it comes back as ' (off) or \' (on).
if (!isset($_GET["injection"])) {
    header("Location: ?injection='");
    exit;
} else {
    echo 'Your server ';
    if ($_GET["injection"] != "'") echo 'no ';
    echo 'have injection problems';
}
?>


And it says "Your server no have injection problems", so I suppose magic quotes are enabled... (I'm testing it now)

Can anyone help me?

Thanks in advance,

Marcos
Developer
Registered: Apr 2004
Posts: 2224
Location: Belgium
What are the forum's permissions set like? Do you have a link to the forum?
_______________
--Dietrich (developer)
UseBB roadmap, dev mailing list & weblog
Member
Registered: Apr 2007
Posts: 10
Hi Dietrich,

thanks a lot for your quick response.

You can access the forum here: http://www.diariosol.es/foro/

We have removed the posts created by the hacker because our client was not very happy with them :) The hacker attacked the ESTEPONA > Politica forum, and its permissions are:

View Forum - Visitors
Read Topics - Visitors
Write new posts - Members
Answer posts - Members
Edit posts - Moderators
Move posts - Moderators
Delete topics and posts - Moderators
Blocking topics - Moderators
Paste topics - Moderators
HTML Messages - Administrators

We found a post in a topic created by a guest (that's not possible in this forum) and a topic in this forum created by another person but signed as a registered user (someone posted with the name of another registered user).

I was trying to simulate the attack, but I can't: my server always adds slashes to GET and POST data, so I can't inject SQL statements in the search form.

The general minimum access levels for the forum are:

Active topics - Visitors
See the admin contact link - Visitors
See online users - Members
See statistics - Members
See members - Members
Search engine access - Visitors
See forum staff - Visitors

If you need more information to find an answer about this, just ask for it!

Thanks in advance,

Marcos
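The post above relies on the server adding slashes to request data to rule out SQL injection in the search form. The following is an added example (my code, not UseBB's and not a finding about the forum at issue) showing, against a constructed in-memory table, why quote escaping of the magic_quotes_gpc kind only protects values that land inside a quoted string literal: an unquoted numeric context gets no protection at all, while a bound parameter protects both. The table, rows and column names are invented for the demonstration; SQLite doubles quotes where MySQL's addslashes() would use a backslash, but the property under test is the same.

```python
import sqlite3

# Constructed sample data, not rows from the forum at issue.
SAMPLE_MEMBERS = [
    (1, "admin", 3),
    (2, "marcos", 1),
    (3, "bob", 1),
]


def escape_quotes(value: str) -> str:
    """Quote escaping in the spirit of PHP's magic_quotes_gpc / addslashes().

    SQLite escapes a single quote by doubling it; MySQL also accepts the
    backslash form that addslashes() produces. Either way, only the quote
    characters are neutralised and nothing else in the value is touched.
    """
    return value.replace("'", "''")


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, level INTEGER)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def search_by_name_escaped(conn: sqlite3.Connection, needle: str) -> list:
    """Quoted string context: escaping keeps the payload inside the literal."""
    sql = "SELECT id, name FROM members WHERE name = '%s'" % escape_quotes(needle)
    return conn.execute(sql).fetchall()


def lookup_by_id_escaped(conn: sqlite3.Connection, raw_id: str) -> list:
    """Unquoted numeric context: there is no quote for the escaping to act on,
    so whatever the client sent is spliced into the statement as SQL."""
    sql = "SELECT id, name FROM members WHERE id = %s" % escape_quotes(raw_id)
    return conn.execute(sql).fetchall()


def lookup_by_id_param(conn: sqlite3.Connection, raw_id: str) -> list:
    """Bound parameter: the value is always data, whatever it contains."""
    return conn.execute("SELECT id, name FROM members WHERE id = ?", (raw_id,)).fetchall()


def demo() -> dict:
    """Run the three queries against injection payloads and count rows returned."""
    conn = open_db()
    try:
        return {
            # Escaping works here: the quote in the payload is neutralised.
            "quoted_context_rows": len(search_by_name_escaped(conn, "x' OR '1'='1")),
            # No quotes in the payload, so escaping changes nothing: every row comes back.
            "numeric_context_rows": len(lookup_by_id_escaped(conn, "0 OR 1=1")),
            # Same payload, bound as a parameter: compared as a value, matches nothing.
            "parameterised_rows": len(lookup_by_id_param(conn, "0 OR 1=1")),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for check, rows in demo().items():
        print("%-22s %d row(s)" % (check, rows))
```

The takeaway for a forum administrator is that "my server adds slashes" answers only one of the two questions; whether every integer parameter (user id, forum id, topic id) is cast or bound before it reaches the query is the other, and that has to be checked in the application code, not in php.ini.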
Member
Registered: Apr 2007
Posts: 10
A little more information.

Searching in the member list, I have found an invalid user in the database, with values that are not possible, like 0 for the level field in the members table. The user has no data in the database, no register date...

I suppose this user is not created via register form.... :(

I don't know if this info could help you.

Thanks a lot,
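The two posts above describe exactly the kind of inconsistencies a database audit after an incident should look for: a members row with an impossible level and no registration date, a guest post in a members-only forum, and a post signed with a registered user's name by someone else. Below is an added example (my code, not part of UseBB and not a query against the forum at issue) that runs those checks over constructed sample rows in SQLite. The column names (members.level, members.regdate, members.passwd, posts.poster_id, posts.poster_name), the level numbering and the members-only forum id are all assumptions and would have to be mapped onto the real UseBB schema before running this against a dump.

```python
import sqlite3

# Constructed sample data, not rows from any real forum. Column names are
# assumptions; adapt the CREATE TABLE / SELECT statements to the real schema.
SAMPLE_MEMBERS = [
    # id, name,   level, regdate,    passwd
    (1, "admin",  3,     1175000000, "$hash$admin"),
    (2, "marcos", 1,     1176000000, "$hash$marcos"),
    (3, "",       0,     0,          ""),   # never passed through the register form
    (4, "bob",    1,     1176500000, "$hash$bob"),
]
SAMPLE_POSTS = [
    # id, forum_id, poster_id, poster_name
    (10, 5, 2,  "marcos"),
    (11, 5, 0,  ""),        # guest post in a members-only forum
    (12, 5, 4,  "marcos"),  # signed with another member's name
    (13, 5, 99, "ghost"),   # poster_id that matches no member
]
MEMBERS_ONLY_FORUMS = {5}  # assumption: forum 5 allows posting by members only
VALID_LEVELS = {1, 2, 3}   # assumption: 1 = member, 2 = moderator, 3 = administrator


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, "
                 "level INTEGER, regdate INTEGER, passwd TEXT)")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, forum_id INTEGER, "
                 "poster_id INTEGER, poster_name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?, ?)", SAMPLE_MEMBERS)
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def audit_members(conn: sqlite3.Connection) -> list:
    """Return [(id, name, [reasons])] for rows the register form could not have produced."""
    findings = []
    rows = conn.execute("SELECT id, name, level, regdate, passwd FROM members ORDER BY id")
    for member_id, name, level, regdate, passwd in rows:
        reasons = []
        if level not in VALID_LEVELS:
            reasons.append("level %r outside the expected range" % (level,))
        if not regdate:
            reasons.append("no registration date")
        if not passwd:
            reasons.append("empty password hash")
        if not name or not name.strip():
            reasons.append("empty username")
        if reasons:
            findings.append((member_id, name, reasons))
    return findings


def audit_posts(conn: sqlite3.Connection) -> list:
    """Return [(post_id, [reasons])] for posts the forum permissions should not have allowed."""
    findings = []
    rows = conn.execute(
        "SELECT p.id, p.forum_id, p.poster_id, p.poster_name, m.name "
        "FROM posts p LEFT JOIN members m ON m.id = p.poster_id ORDER BY p.id")
    for post_id, forum_id, poster_id, poster_name, member_name in rows:
        reasons = []
        if poster_id == 0 and forum_id in MEMBERS_ONLY_FORUMS:
            reasons.append("guest post in a members-only forum")
        elif poster_id != 0 and member_name is None:
            reasons.append("poster_id %d matches no member" % poster_id)
        elif member_name is not None and poster_name != member_name:
            reasons.append("signed %r but poster_id belongs to %r" % (poster_name, member_name))
        if reasons:
            findings.append((post_id, reasons))
    return findings


if __name__ == "__main__":
    db = open_db()
    for member_id, name, reasons in audit_members(db):
        print("member %d (%r): %s" % (member_id, name, "; ".join(reasons)))
    for post_id, reasons in audit_posts(db):
        print("post %d: %s" % (post_id, "; ".join(reasons)))
    db.close()
```

Run against a copy of the dump rather than the live database, and keep the flagged rows (with their timestamps) before deleting anything: once the posts are removed, as happened here, the row that points at how the attacker got in is gone with them.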
Developer
Registered: Apr 2004
Posts: 2224
Location: Belgium
Even though I can never exclude a security problem in UseBB, I don't think the user was created through an SQL injection in UseBB itself. The code has basically been the same for a few years now and was audited by several people.

It could very well be possible that the row in the members table was created through a hole in another script on the server, or perhaps manually by another user on the server who discovered how to access and manipulate other people's databases.
_______________
--Dietrich (developer)
UseBB roadmap, dev mailing list & weblog
Member
Registered: Apr 2007
Posts: 10
Hi Dietrich,

Thank you very much for this information and your opinion. I'm going to talk to the client to explain the situation. I was trying to inject SQL and I wasn't able to do it. I also think that the problem is not in the UseBB software.

Regards,



UseBB Community is powered by UseBB 1 Forum Software