Re:Forum Test

Posted: Sun Aug 06, 2006 2:37 am
by AGI1122
It's still got some issues that need fixing, look through the results of http://www.google.com/search?safe=off&q ... n+Ford+smf
That can actually happen to any forum software, even the home made ones. Heck I could do it to yours if I wanted to right now. The problem of verifying if the person is real or a bot is extremely hard to fix, plus any person who has the script real or not can spam boards with one click. Not only that, but once you do fix it they rewrite the way the bot works to work around the new measures. As examples, one fix used to be to put an image with letters on the registration page since a bot couldn't read it. Now these programmers make smarter bots capable of reading those images. Even further another way of preventing it used to be to require a valid email address to register and login and post. That stopped them for a while, but now the bots are actually able to enter an email address, receive the activation email, then use the code in that email to login to spam the board. No matter what measures you use eventually someone will get around it. Then you fix it, then they find a way around your fix. It's a never ending loop. Unfortunately the only true fix to this problem would be to stop posting altogether... but that defeats the purpose of having forums.

Now you don't have to take my word for it, but you will see it happen eventually.

But I have developed forum software for years and know what I am talking about. I have been part of a lot of forum projects, both major, home made, and helping fix bugs for other projects. As example I had a major part in the forum software that runs this board here, YaBBSE. I made 2 homemade forum softwares, 1 of which I still use for my website. I have had ties to other forum software like mercuryboard, azbb, yabb, and smf for coding, theming, bug fixing, and support as well. Plus I have tried tons of other software and wrote converters for them to move them to my home made ones.

But anyway, this same thing could happen to yours, and it can happen regardless of whether the source is available or not. Heck it's even happened to my homebrewed software even when the source wasn't available. Yes I fixed it... but they worked around it and I wrote another fix, basically an endless cycle. All it takes to do so is examine your output to the browser and submit post and get data to your board.

Oh and you might want to get in contact with me in private via instant messaging to talk about some vulnerabilities I have found with your software. I am able to hijack accounts, learn users' passwords, and cause the software to automatically log you out of the forums, and I could also spam your board just like what you saw happen with the smf forums. Lucky for you I am not a malicious person or a spammer.

Please remember, obscurity does not always make you safe. Just because your software is homebrewed doesn't make it more secure than others. I have no access to your source code at all, and was able to find these types of vulnerabilities.

Re:Forum Test

Posted: Sun Aug 06, 2006 10:18 am
by chasetec
Reply Part 1 (message too long)

While I made the comment you responded to I think you got me mixed up with someone else; I run http://www.osdev.org that is currently running phpBB, osm and mr. xsism run http://www.osdever.net. While I talk with the bonafide guys from time to time and I've been trying to give feedback on the custom forum thing the two sites aren't related.
Chris Cromer wrote:
It's still got some issues that need fixing, look through the results of http://www.google.com/search?safe=off&q ... n+Ford+smf
That can actually happen to any forum software, even the home made ones.
The problem with the Harrison Ford thing would happen on any setup that allowed email based PMs without any rate control. This is why I disabled email PMs on my forums. If this did happen I could delete most of the PMs before users logged in to see the offending message.

Chris Cromer wrote: Heck I could do it to yours if I wanted to right now.
If you know of any issues with my forum software I would love to hear them.
Chris Cromer wrote: The problem of verifying if the person is real or a bot is extremely hard to fix, plus any person who has the script real or not can spam boards with one click. Not only that, but once you do fix it they rewrite the way the bot works to work around the new measures. As examples, one fix used to be to put an image with letters on the registration page since a bot couldn't read it. Now these programmers make smarter bots capable of reading those images. Even further another way of preventing it used to be to require a valid email address to register and login and post. That stopped them for a while, but now the bots are actually able to enter an email address, receive the activation email, then use the code in that email to login to spam the board. No matter what measures you use eventually someone will get around it. Then you fix it, then they find a way around your fix. It's a never ending loop. Unfortunately the only true fix to this problem would be to stop posting altogether... but that defeats the purpose of having forums.
Agreed, but turning off anonymous posting, turning on captchas and email verification does stop a lot of the scripts still. Before turning on these features I was getting a large amount of accounts that were created by scripts just to create a profile with a url so the link would appear on the memberlist page and increase their page rank. I know some people suggest removing the memberlist page but I actually don't mind helping with the page rank for osdev type people so I want to leave it, what I did was modify the member list page to only show activated users. I also blocked most of the really bad spam related email domains like *@mail.ru. But I still see spam accounts and posts every once in a while from real people as near as I can tell. This is why I like phpBB better than my last software, decent admin features. Plus I've started appointing moderators for the first time ever in the 6 year history of osdev.org.

Re:Forum Test

Posted: Sun Aug 06, 2006 10:23 am
by chasetec
Post Part 2 (message too long)
Chris Cromer wrote: Now you don't have to take my word for it, but you will see it happen eventually.
I believe you, there is no question about that. I've even tried to learn things from what I've seen go on here at MT. My osdev wiki for instance doesn't allow anonymous posting. I've integrated mediawiki with my phpbb user accounts and only phpbb accounts that belong to wiki group can edit the wiki. I seeded my wiki group by adding all posters with more than a certain number of non-spam posts to the wiki group and I add anyone that wants editor rights as long as they seem to have some clue about osdev. Most people would rather submit changes than request editor rights it seems so I even have a forum for wiki change requests. I've had zero spam related posts to the wiki to clean up.
Chris Cromer wrote: But I have developed forum software for years and know what I am talking about. I have been part of a lot of forum projects, both major, home made, and helping fix bugs for other projects. As example I had a major part in the forum software that runs this board here, YaBBSE. I made 2 homemade forum softwares, 1 of which I still use for my website. I have had ties to other forum software like mercuryboard, azbb, yabb, and smf for coding, theming, bug fixing, and support as well. Plus I have tried tons of other software and wrote converters for them to move them to my home made ones.
I've written perl-based newsgroup->web forum software, I've written my own Java forum software, and I've been an official cvs-committer on the JBoss portal server that included forum software. I wrote converters from my last two forums to phpbb and I've already started a little phpbb mod development with customization of the smartfeed rss generator that I use to turn a forum into an OSDev News rss feed. I like to think I have some clue too :)
Chris Cromer wrote: But anyway, this same thing could happen to yours, and it can happen regardless of whether the source is available or not. Heck it's even happened to my homebrewed software even when the source wasn't available. Yes I fixed it... but they worked around it and I wrote another fix, basically an endless cycle. All it takes to do so is examine your output to the browser and submit post and get data to your board.
Which is why I personally recommend using a community support forum package. Yes with phpbb there are more people trying to find the bugs for bad reasons but there are also more people trying to fix them. I just have to take the time to make sure I stay up to date on exploits and versions which is much easier than fixing my own. If the osdever guys started a community just about their forum software and it got popular that'd probably remove my objections to it being homegrown but I'm not sure what their plans are.
Chris Cromer wrote: Oh and you might want to get in contact with me in private via instant messaging to talk about some vulnerabilities I have found with your software. I am able to hijack accounts, learn users' passwords, and cause the software to automatically log you out of the forums, and I could also spam your board just like what you saw happen with the smf forums. Lucky for you I am not a malicious person or a spammer.
If you're talking about my forums please email me but I think you're talking about the osdever forums. If you're talking about the javascript embedding, I found that one too. I pointed it out with a little window.onload function that displayed an alert about my site being cool :) If you find any more please point them out to the osdever guys. It doesn't look like any new accounts were created to use the javascript exploit and I doubt any of the MT users that have been posting there would have implemented it but if the passwords on the osdever forums are compromised then every account on MT is also compromised since the account information is still in sync for most users.

Re:Forum Test

Posted: Sun Aug 06, 2006 5:22 pm
by Eero Ränik
Aren't most of the bugs Chris mentioned caused by malicious database queries that one could insert? From my experience, those are the hardest to notice without having any prior experience with such security holes.

Re:Forum Test

Posted: Sun Aug 06, 2006 6:20 pm
by AGI1122
Chase@OSDev: Sorry, I thought the new forum system being developed was yours. I am not talking about your phpbb board. osm and mr. xsism need to get in touch with me in private because those vulnerabilities are pretty serious.
Aren't most of the bugs Chris mentioned caused by malicious database queries that one could insert? From my experience, those are the hardest to notice without having any prior experience with such security holes.
Actually the vulnerabilities I found are totally unrelated to the database and database queries. I only did a 10 minute check on the forum to see what I could find... I am sure with more time than that I could find more security problems than what I listed though.

Re:Forum Test

Posted: Mon Aug 07, 2006 2:54 pm
by osm
Sent you a PM, Chris.

Re:Forum Test

Posted: Wed Aug 09, 2006 3:37 am
by osm
In tightening up security, I believe I found the problem that kept logging some of you out every few page views.

So... security is much tighter, and those who were incorrectly getting logged out every page views should no longer have the problem.

Also... if you view the site right now, any password stored in a cookie will be deleted before the page loads; no worries needed about someone using rogue javascript and stealing your password. (This also means that permanent login is disabled right now; though a fix for that is on the way.)

Re:Forum Test

Posted: Wed Aug 09, 2006 3:59 pm
by AGI1122
osm wrote: In tightening up security, I believe I found the problem that kept logging some of you out every few page views.

So... security is much tighter, and those who were incorrectly getting logged out every page views should no longer have the problem.

Also... if you view the site right now, any password stored in a cookie will be deleted before the page loads; no worries needed about someone using rogue Java Script and stealing your password. (This also means that permanent login is disabled right now; though a fix for that is on the way.)
As far as the permanent login password thing. Just encrypt the password once in the cookie using sha1();, then encrypt it a second time in the database with sha1(sha1());

This way the password is not viewable in the cookie. And if they somehow get the password from the database by hacking into the database, then they won't be able to use that either. So essentially doubling your security from both the user side and server side.

I will talk to you about the other vulnerabilities later on. Got work to attend to, so cya.
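
The double-hash arrangement suggested in the post above, written out as an added example (it is not code from the thread or from the forum software under test). It shows that the database value cannot be presented as a cookie, and that the cookie value stays the same until the password changes; the `TokenStore` variant is an assumption of this example, included for comparison because its cookie value is unrelated to the password and can be revoked.

```python
import hashlib
import hmac
import secrets


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# --- Scheme as described in the post ---
def cookie_value(password):
    """What the browser stores: sha1(password)."""
    return sha1_hex(password)


def db_value(password):
    """What the database stores: sha1(sha1(password))."""
    return sha1_hex(sha1_hex(password))


def check_cookie(cookie, stored):
    """Server side: hash the cookie once more and compare with the stored value."""
    return hmac.compare_digest(sha1_hex(cookie).encode(), stored.encode())


# --- Variant for comparison (assumption, not from the thread) ---
class TokenStore:
    """Persistent login with a random token; only sha256(token) is kept."""

    def __init__(self):
        self._digests = {}  # user -> set of token digests

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # cookie value, unrelated to password
        self._digests.setdefault(user, set()).add(self._digest(token))
        return token

    def check(self, user, token):
        return self._digest(token) in self._digests.get(user, set())

    def revoke_all(self, user):
        self._digests.pop(user, None)


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample value
    print(check_cookie(cookie_value(pw), db_value(pw)))  # cookie accepted
    print(check_cookie(db_value(pw), db_value(pw)))      # DB value is not a cookie
```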

Re:Forum Test

Posted: Fri Aug 11, 2006 4:35 am
by Solar
Another issue... spam.

Right now I'm deleting 1-2 spamthreads / day from the "General Programming" forum, all of which have been posted by a freshly-registered user.

Being able to delete a whole thread, or a selection of postings, with just 2-3 clicks is a great help to the mods.

It should also be optionally possible to delete the author's account together with the thread / post, to weed out the one-shot spamguests.

Re:Forum Test

Posted: Fri Aug 11, 2006 10:19 am
by Kemp
In reference to keeping guest posting available here... Screw that, just looked at the OS board and it's a mess. I vote for disabling guest posting personally, it only takes a second for someone to sign up, and those that don't sign up have a tendency to not be around long anyway. 24 simultaneous spam posts.

Re:Forum Test

Posted: Sat Aug 12, 2006 2:44 am
by Candy
Solar wrote: Another issue... spam.

Right now I'm deleting 1-2 spamthreads / day from the "General Programming" forum, all of which have been posted by a freshly-registered user.

Being able to delete a whole thread, or a selection of postings, with just 2-3 clicks is a great help to the mods.
Confirmation that you're not the only one doing that.
It should also be optionally possible to delete the author's account together with the thread / post, to weed out the one-shot spamguests.
It might be an idea to disable registered-user-first-post / guest post direct posting so that the first post or guest post, if containing more than 2/3 links, can be checked by somebody. It's a symptom patch and annoying for new users, but it would at least be a beginning.

Re:Forum Test

Posted: Sat Aug 12, 2006 2:45 am
by Candy
Kemp wrote: In reference to keeping guest posting available here... Screw that, just looked at the OS board and it's a mess. I vote for disabling guest posting personally, it only takes a second for someone to sign up, and those that don't sign up have a tendency to not be around long anyway. 24 simultaneous spam posts.
It's pointless.
Spammers sign up and then post a single message, because most other forums on this software have it disabled. You'd have to somehow add a thing to the forum that the rest doesn't have that allows you to distinguish spam from the rest, in such a way that each forum uses a different way or so that it's not worth it to modify the bot to spam your website properly. See my previous reply.

Re:Forum Test

Posted: Sat Aug 12, 2006 6:34 am
by Kemp
I did consider that but I noticed that virtually all the spam is still guest posts. My assumption was that someone's still using a dumb bot, but I guess it could be trying that method before registering.

Re:Forum Test

Posted: Sun Aug 13, 2006 6:11 am
by ed_tait
The os Board has been spammed into next month. That free ringtone rubbish. Along with some typical drug stuff. This is getting ridiculous; I count 21 spam posts, all from guests. I second the motion to block guest posting.

Or at least is there some way to screen posts for words associated with spam like casino, viagra, cheap and ringtone?

Thank you.

Ed Tait
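
A sketch of the two screening ideas raised in this thread, Candy's hold on link-heavy first or guest posts and the word screen asked about in the post above, combined into one check. This is an added example, not code from any forum package discussed here; the `Post` fields, the reading of "more than 2/3 links" as "more than 2", and the choice to let established members bypass the screen are assumptions.

```python
import re
from dataclasses import dataclass

LINK_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
# Words taken from the post above; a live list would be maintained by the mods.
SPAM_WORDS = ("casino", "viagra", "cheap", "ringtone")
MAX_LINKS = 2  # assumption: "more than 2/3 links" read as "more than 2"


@dataclass
class Post:
    author: str       # empty string for a guest
    prior_posts: int  # posts this author already has on the board
    body: str


def count_links(body):
    """Count URLs, including ones wrapped in BBCode [url] tags."""
    return len(LINK_RE.findall(body))


def spam_words_in(body):
    """Return the listed words found in the body (simple plural included)."""
    words = set(re.findall(r"[a-z]+", body.lower()))
    return sorted(w for w in SPAM_WORDS if w in words or w + "s" in words)


def review_reasons(post):
    """Reasons to hold the post for a moderator; empty list means publish."""
    first_or_guest = post.author == "" or post.prior_posts == 0
    if not first_or_guest:
        return []  # established members are not screened (assumption)
    reasons = []
    links = count_links(post.body)
    if links > MAX_LINKS:
        reasons.append(f"{links} links in first/guest post")
    hits = spam_words_in(post.body)
    if hits:
        reasons.append("spam words: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed sample posts.
    samples = [
        Post("", 0, "Free ringtones http://a.example http://b.example www.c.example"),
        Post("newbie", 0, "My bootloader triple faults: http://paste.example/1"),
        Post("solar", 120, "Cheap boards: http://a.example http://b.example http://c.example"),
    ]
    for p in samples:
        print(p.author or "(guest)", review_reasons(p))
```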

Re:Forum Test

Posted: Sun Aug 13, 2006 10:31 am
by chasetec
As Candy said disabling guest posts probably won't fix anything. The bots just register accounts to make the post. To actually stop most of the bots for now you can either make a registration form that is dynamic by changing out the form input names (humans won't notice) or you can send out new account activation emails. Very few bots will either have email accounts or are programmed to use them, it's not that it's hard but there are so many other sites like this one that are still open that it's faster just to skip the more secure ones. On my forums I see about 1 spam post or account per week and I'm probably a bigger target than MT simply because I run more popular forum software. Most of the spam that still makes it through appears to be from humans which you'll never be able to stop if you want a public forum. As for automatically screening content I guess you could code something up that would integrate forums with SpamAssassin but it'd take time and more server resources.

EDIT: I don't think a lot of people realize how bad the spam is here simply because the mods are so active and spend so much time cleaning things up. I know on more than one occasion I've refreshed my browser and seen spam here and by the time I tried to view the thread it was already deleted. I wish I could turn my email accounts into a forum that the MT mods were in charge of ;)
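
One way to build the "dynamic registration form" mentioned in the post above, as an added example (not phpBB code and not from the thread). Input names are derived per rendered form with an HMAC, so a script that posts fixed field names is rejected; the secret, the field list, the hidden field names and the one-hour validity window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption)
LOGICAL_FIELDS = ("username", "email", "password")
MAX_FORM_AGE = 3600  # seconds a rendered form stays valid (assumption)


def _mac(message):
    return hmac.new(SERVER_KEY, message.encode("utf-8"), hashlib.sha256).hexdigest()


def _field_name(logical, nonce):
    """Name used in the HTML for one logical field of one rendered form."""
    return "f_" + _mac(f"name:{nonce}:{logical}")[:16]


def render_form(now=None):
    """Return (hidden inputs, logical name -> HTML input name) for a new form."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    hidden = {"form_id": nonce, "form_ts": str(issued),
              "form_sig": _mac(f"sig:{nonce}:{issued}")}
    names = {lf: _field_name(lf, nonce) for lf in LOGICAL_FIELDS}
    return hidden, names


def parse_submission(posted, now=None):
    """Map a POST dict back to logical fields; None means reject."""
    now = int(time.time() if now is None else now)
    try:
        nonce = str(posted["form_id"])
        issued = int(posted["form_ts"])
        sig = str(posted["form_sig"])
    except (KeyError, ValueError):
        return None  # fixed-name submissions carry none of these
    expected = _mac(f"sig:{nonce}:{issued}")
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return None  # id or timestamp was not issued by this server
    if not 0 <= now - issued <= MAX_FORM_AGE:
        return None  # stale form
    fields = {}
    for lf in LOGICAL_FIELDS:
        name = _field_name(lf, nonce)
        if name not in posted:
            return None
        fields[lf] = posted[name]
    return fields
```

Within the validity window a rendered form can still be submitted more than once; making `form_id` single-use needs a server-side record of ids already seen.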