
Why is the ACP So insecure if you have my password?


OctoDev

On IPB3, you were able to literally add straight PHP code to the templates, which allows people to 'shell' your forum. Same thing on IPB4, it's not secure.

You can also dump the entire database using ACP?

 

Let's take XenForo as an example;
- You hack the ACP user, what do you do? You can't shell the site.. You can't dump the database.. All/Most actions can be reverted.

Or IPS 3-4:
- You hack the ACP user, what do you do? shell the site using the template editor??

Why this?

When you make someone admin, or give them access to edit your templates. You expect it's safe right? But they have full server access by doing so.. It's ridiculous, why not learn from XenForo ^_^ 


Because IPS gives you the ability to give certain users restricted acp permissions. I actually enjoy the built in features IPS has.

Also in case of hacking or social engineering.... Backups are your friend. I can't stress that enough. 

As for xenforo, I've looked at their suite as others have suggested me to switch as my license was going to expire the beginning of March. I did look. I was offended on the lack of features and care they provide. Both are paid. I would rather pay IPS. So I do. I don't plan on switching ever.

But security is always both parties. You and IPS. IPS will always fill in security holes and fix bugs as long as we keep paying them :D . but you have to also secure your site and accounts.

Also with the SQL sandbox in the acp there's only so much you could do in it anyway. There are restricted commands built in iirc.


39 minutes ago, MADMAN32395 said:

Also with the SQL sandbox in the acp there's only so much you could do in it anyway. There are restricted commands built in iirc.

The only restrictions are that you can't modify the ACP login logs or ACP permissions, and you can't DROP or FLUSH anything, but aside from that, you are free to DELETE * FROM `core_members` or to add yourself to a super administrator group.
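Added example (not part of the original post, and not IPS code): a simplified model of the restrictions described above next to a read-only allowlist, to show what a keyword/table denylist still lets through. The protected table names, the `_placeholder` column names and the sample statements are constructed for illustration.

```python
import re

# Placeholder names: the thread does not name the ACP login-log or permission tables.
PROTECTED_TABLES = {"acp_login_log_placeholder", "acp_permissions_placeholder"}
DENIED_KEYWORDS = {"DROP", "FLUSH"}
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "REPLACE", "ALTER", "TRUNCATE"}
READ_ONLY_VERBS = {"SELECT", "SHOW", "EXPLAIN", "DESCRIBE"}
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'")


def _tokens(sql):
    """Upper-cased keywords/identifiers, ignoring backticks and string literals."""
    cleaned = STRING_LITERAL.sub("''", sql).replace("`", " ")
    return [t.upper() for t in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", cleaned)]


def denylist_allows(sql):
    """Model of the restrictions in the post: no DROP/FLUSH, no writes to the
    protected tables, everything else passes."""
    toks = _tokens(sql)
    if not toks or DENIED_KEYWORDS & set(toks):
        return False
    protected = {t.upper() for t in PROTECTED_TABLES} & set(toks)
    return not (protected and toks[0] in WRITE_VERBS)


def allowlist_allows(sql):
    """Stricter alternative: exactly one read-only statement, no SELECT ... INTO."""
    body = sql.strip().rstrip(";")
    if ";" in STRING_LITERAL.sub("''", body):
        return False  # stacked statements
    toks = _tokens(body)
    return bool(toks) and toks[0] in READ_ONLY_VERBS and "INTO" not in toks


# Constructed sample statements; names ending in _placeholder are made up.
SAMPLES = [
    "DROP TABLE core_members",
    "DELETE FROM `core_members`",
    "UPDATE core_members SET group_placeholder = 1 WHERE id_placeholder = 42",
    "UPDATE acp_login_log_placeholder SET ip_placeholder = ''",
    "SELECT COUNT(*) FROM core_members",
    "SELECT 1; DELETE FROM core_members",
]


def compare(samples=SAMPLES):
    """Return (statement, denylist verdict, allowlist verdict) for each sample."""
    return [(s, denylist_allows(s), allowlist_allows(s)) for s in samples]


if __name__ == "__main__":
    for sql, deny_ok, allow_ok in compare():
        print(f"denylist={deny_ok!s:5} allowlist={allow_ok!s:5} {sql}")
```

The allowlist only protects integrity: a read-only query against the member table still exposes its contents, so access to the tool itself has to stay restricted.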


4 minutes ago, Colonel_mortis said:

The only restrictions are that you can't modify the ACP login logs or ACP permissions, and you can't DROP or FLUSH anything, but aside from that, you are free to DELETE * FROM `core_members` or to add yourself to a super administrator group.

True, I couldn't remember the exact restrictions. But as for the Sadmin group, I don't see giving SQL access to anyone who isn't in that group anyway lol


2 hours ago, MADMAN32395 said:

Because IPS gives you the ability to give certain users restricted acp permissions. I actually enjoy the built in features IPS has.

Kidding right? When someone gets your password for your root account, in some scenario. How will setting certain ACP Permission work out? ^_^

We're not talking about features that IPS/Xen has, we're talking about security. XenForo has much better security system to prevent shelling of your server, shelling could end up in your server getting rooted.

I am friends with two other site owners, they both were hacked. One of their servers was also rooted, same way. The hacker cracked his password, went into his admin account and uploaded a shell via the template editor. That shell allowed file uploads, which he then uploaded a file with.. and so on.

Now, what could he do on XenForo.. If he had an admin account, other than deleting posts and members that can be restored rather easily? He can't dump anything? He can't shell anything? ^_^ 

 


Just now, Jimmy Gavekort said:

Kidding right? When someone gets your password for your root account, in some scenario. How will setting certain ACP Permission work out? ^_^

We're not talking about features that IPS/Xen has, we're talking about security. XenForo has much better security system to prevent shelling of your server, shelling could end up in your server getting rooted.

 

gets it how? Social Engi? You giving it to them? I have been running IPS sites for over 6 years, have yet to have any issues that you seem to be going on about. Most issues I have seen and helped fix for other clients are from installing backdoored apps/plugins. (or giving PWs out.)


Just now, MADMAN32395 said:

gets it how? Social Engi? You giving it to them? I have been running IPS sites for over 6 years, have yet to have any issues that you seem to be going on about. Most issues I have seen and helped fix for other clients are from installing backdoored apps/plugins. (or giving PWs out.)

Cracking. There are multiple websites out here that allow you to search up on email, or even username/name, that will give you all your victim's hashes, that you can so crack. Please don't be too naive and think the only way for them getting it is you giving them it.

I've been hacked myself this way, luckily not rooted but the hacker uploaded shells which ended up in him dumping my database. How? He shelled the site via ACP Template Editor; once you do that, you can view all files (config, upload more files to dump your site).

Not talking about one-time-situation, this happens on a regular basis with IPS site. 


2 minutes ago, Jimmy Gavekort said:

Kidding right? When someone gets your password for your root account, in some scenario. How will setting certain ACP Permission work out? ^_^

You should really think about how you keep your passwords secure and how good they are - using something like Jimmy just won't last long :innocent


1 minute ago, Cloud 9 said:

You should really think about how you keep your passwords secure and how good they are - using something like Jimmy just won't last long :innocent

That's not the solution - OR - issue.

The issue here is that with admin access that has TEMPLATE ACCESS, you can dump the database and run malicious code.


1 minute ago, Jimmy Gavekort said:

Cracking. There are multiple websites out here that allow you to search up on email, or even username/name, that will give you all your victim's hashes, that you can so crack. Please don't be too naive and think the only way for them getting it is you giving them it.

I've been hacked myself this way, luckily not rooted but the hacker uploaded shells which ended up in him dumping my database. How? He shelled the site via ACP Template Editor; once you do that, you can view all files (config, upload more files to dump your site).

Not talking about one-time-situation, this happens on a regular basis with IPS site. 

If they want in they will get in... but it's your job to secure your own server. That includes limiting what even IPS software can do. You can stop the software from dishing it out.


5 minutes ago, Jimmy Gavekort said:

Cracking. There are multiple websites out here that allow you to search up on email, or even username/name, that will give you all your victim's hashes, that you can so crack. Please don't be too naive and think the only way for them getting it is you giving them it.

I've been hacked myself this way, luckily not rooted but the hacker uploaded shells which ended up in him dumping my database. How? He shelled the site via ACP Template Editor; once you do that, you can view all files (config, upload more files to dump your site).

Not talking about one-time-situation, this happens on a regular basis with IPS site. 

That would mean the person reused the password they used on other sites, a crazy crazy stupid thing to do. I don't know why more don't use LastPass etc to ensure each site's password is unique, removing that simple vector.

Although I would like to see email verification for new IPs accessing the admin system. That or 2 factor would be a sensible upgrade which would mitigate a lot of these issues.


6 minutes ago, Jimmy Gavekort said:

Yes.. The best solution is to use random passwords everywhere, but we both know that will never happen. IPS has a large customer base, I see people disagreeing with this - that I can gain full access to their site in matter of seconds.

People who don't understand the stupidity of using the same password to access their site's admin as on other unsecured sites really shouldn't run sites.

You do realise Xenforo recently had a spate of sites getting hacked with template edits that sent the login passwords for all the users to a 3rd party site? It was left in place on one site for ages undiscovered and was a much more valuable hack than a db hack as they got passwords in clear text and as it was a website for site admins to talk any admins who used the same password there as their own site would have been easy pickings. Maybe a warning to say "Don't be stupid enough to use this account's password ANYWHERE else" as a message when admins change/set their password but password reuse is crazy stupid and like I say people who do it shouldn't run websites.

2 factor and email verification for new IPs would mitigate that though. We even secure the admin area with a separate password not linked to the account to further prevent this.


3 minutes ago, ZeroHour said:

People who don't understand the stupidity of using the same password to access their site's admin as on other unsecured sites really shouldn't run sites.

You do realise Xenforo recently had a spate of sites getting hacked with template edits that sent the login passwords for all the users to a 3rd party site? It was left in place on one site for ages undiscovered and was a much more valuable hack than a db hack as they got passwords in clear text and as it was a website for site admins to talk any admins who used the same password there as their own site would have been easy pickings. Maybe a warning to say "Don't be stupid enough to use this account's password ANYWHERE else" as a message when admins change/set their password but password reuse is crazy stupid and like I say people who do it shouldn't run websites.

Possible. But it's a lot harder to do it on there, it requires private methods.

Same with other forum softwares, where is the challenge in IPS? There is nothing done to prevent it. 

Yes, 2fa or mail verification would make it secure.. But the vuln is still here, we can do malicious code in template editor ^_^ 

IPS Team, are great developers. I can't imagine this would take them too long to add? Maybe even a option that could be hardcoded into the config, or constants to enable security on template editor.


2 minutes ago, Jimmy Gavekort said:

Possible. But it's a lot harder to do it on there, it requires private methods.

Same with other forum softwares, where is the challenge in IPS? There is nothing done to prevent it. 

Yes, 2fa or mail verification would make it secure.. But the vuln is still here, we can do malicious code in template editor ^_^ 

You can do it in vBulletin pretty easily (vb3-4 anyway, never touched the crap that is vb5)

I have a license for Xenforo but I have not played around with it for a while but I do think I could probably find a way to do what I needed to do.

I do see what you are trying to say but my point is more once they are in using an admin to mitigate how far they get is the wrong approach, better security for accessing the admin is a far better time sink even if you htaccess password protect your admin area with an additional password.


Just now, ZeroHour said:

You can do it in vBulletin pretty easily (vb3-4 anyway, never touched the crap that is vb5)

I have a license for Xenforo but I have not played around with it for a while but I do think I could probably find a way to do what I needed to do.

Maybe, but it's harder. It's about challenging the hackers. 

Who would thank no to extra security? This is one of the main reasons most IPS sites are hacked, and I know a few site owners that have been hacked. Their database was dumped.. How? ^_^

Uploading shell via template editor.


3 minutes ago, Jimmy Gavekort said:

You would need to know how to make a plugin that will bypass their security to prevent malicious code.

They have security to stop malicious code in the addon upload?? I have a strong feeling they don't, you can write some complex stuff in addons so I am not sure if it would be able to block a simple shell wrapped in a plugin.

Never played with MyBB but tbh any software which allows you to install addons via the admin system would have the possibility.

That's why I think notifying via email "X Addon was installed" "this new ip wants access to the admin please confirm by clicking the link" would be far better and would prevent the issue and you get the added benefit of notifying the admin that their account has been breached straight away rather than being unaware while the hacker tries to find a way around the admin system security.


1 minute ago, ZeroHour said:

They have security to stop malicious code in the addon upload?? I have a strong feeling they don't, you can write some complex stuff in addons so I am not sure if it would be able to block a simple shell wrapped in a plugin.

Never played with MyBB but tbh any software which allows you to install addons via the admin system would have the possibility.

Complex, of course. There will always be a way to do anything, but 99% of the hackers won't be able to do that. Same with XenForo, and once it happens and they figured out - they can patch the addon rather easily with an update.. What do you do next? Try again, but it'll be harder each time. 

Not too sure what you are trying to state, that there is no need to even attempt adding more security? ^_^ 


4 minutes ago, Jimmy Gavekort said:

Not too sure what you are trying to state, that there is no need to even attempt adding more security? ^_^ 

My point is more if they have your password and you are unaware that's more dangerous than anything else.


2 minutes ago, ZeroHour said:

My point is more if they have your password and you are unaware that's more dangerous than anything else.

Obviously, but there are security measures that your software can also take. Currently? None. It's wide open.


5 minutes ago, Jimmy Gavekort said:

Obviously, but there are security measures that your software can also take. Currently? None. It's wide open.

I think in addition to my suggestions above possibly adding a hardened config variable which would disable any uploads/db dump related functions when accessing the admin system. That way you disable hardened in the config file when you want to do anything involving uploads etc and turn it back on after and the admin area is then purely for setting manipulation rather than anything too serious. That allows flexibility for admins without breaking things too much.


Just now, ZeroHour said:

I think in addition to my suggestions above possibly adding a hardened config variable which would disable any uploads/db dump related functions when accessing the admin system. That way you disable hardened in the config file when you want to do anything involving uploads etc and turn it back on after. That allows flexibility for admins without breaking things too much.

Honestly, I'd appreciate anything.. At the moment, it has nothing.


We are talking about finding the acp password... 

What about if they find the server root password? Will we tell centos/ubuntu etc etc that the OS is flawed because if someone finds the root password, they can do everything in the server?

Btw, IPS4 tells users to change the acp path and to protect it with another password. It would be something like "wow" for someone to find the new path and both passwords. 


4 minutes ago, RevengeFNF said:

We are talking about finding the acp password... 

What about if they find the server root password? Will we tell centos/ubuntu etc etc that the OS is flawed because if someone finds the root password, they can do everything in the server? 

Most of the IPS users run on shared web hosting servers, but if you are unlucky and use the same password you use everywhere as root then yes you are ed. But in my scenario that's not an option.

You use shared web hosting, or a random generated password for your server ^_^ Stop twisting it so god damn much. "What if, what if".

4 minutes ago, RevengeFNF said:

Btw, IPS4 tells users to change the acp path and to protect it with another password. It would be something like "wow" for someone to find the new path and both passwords. 

And you are telling me that will fix the issue where you can upload malicious code to template editor? come on man! The vulnerability is still here. No matter if they don't have your password or they do!!

Even it's in admin panel, it's considered as a vulnerability when I can do anything with it.

When you give a theme developer like Ehren for example template access. Only that, you don't expect him to also have full control of your *entire* website database? ^_^ Well he does technically, since he can shell your server.


5 minutes ago, RevengeFNF said:

We are talking about finding the acp password... 

What about if they find the server root password? Will we tell centos/ubuntu etc etc that the OS is flawed because if someone finds the root password, they can do everything in the server? 

Yeah a password for admin level login should be locked down but it does happen, I have seen a few other forums have their data wiped but the crucial thing was they didn't get a db dump or direct file upload access which prevented *some* of the issues as they couldn't get the salted passwords etc, although blowfish is pretty hard to brute force right now, in future who knows.

A few tweaks like email notifications/2 factor and a hardened mode would help mitigate end user stupidity and also who knows if there turned out to be a security hole somewhere.


Archived

This topic is now archived and is closed to further replies.
