Possible Simple Forums Security Issues?!


2:07 pm 7 Feb 2008 | symbian60.mobi (Guest) | #1

At the very moment I'm having some problems with pages and articles disappearing. This sounds like it's related to the latest WP security issues - but it can't be! Why not? Because I already updated my blog before I had those problems.

There are at least two plugins I could figure out that are still producing the problem:

1.) As sorry as I can be: Simple Forum

2.) Wordspew Shoutbox Plugin

Don't get me wrong at all - I'm not saying that Simple Forum IS causing those problems, I just wanted to maybe re-check the code again and maybe submit a possible fix as soon as possible, Andy! Or at least holla an "all clear" signal ;)

Thanks in advance! And no matter IF SF is causing the problem: Great software, keep up the good work!

2:08 pm 7 Feb 2008 | symbian60.mobi (Guest) | #2

.. relating to SF 2.1, btw!

2:58 pm 7 Feb 2008 | Mr Papa (Moderator, Arizona, USA, 1167 posts) | #3

If you read the release a bit closer, it's not related to this WP plugin but instead was related to this other app


http://simpleforum.net


re:  (http://weblogtoolscollection.com/archives/2008/01/21/wp-forum-plugin-security-bulletin/)


Unless you are aware of a new advisory that we have not yet seen…


And yes, Wordspew has 2 advisories out on it now… one is


http://weblogtoolscollection.com/archives/2008/02/07/2-plugin-security-bulletins/

8:06 pm 7 Feb 2008 | Yellow Swordfish (Admin, Peterborough, England, 4481 posts) | #4

And I have not heard of anything removing pages or articles apart from the guy who seemed to delete half his database.

12:31 am 8 Feb 2008 | symbian60.mobi (Guest) | #5

Still having issues. Thanks for the info though, Mr Papa! Wordspew was one of the plugs installed and may have caused one or the other of the problems. It's deleted now for the time being.

I originally just mentioned it because quite a few forums seem affected right now, like phpBB, wp-forums amongst others. The interesting thing is that things are still not really all in order. Re-activating the forum - where the original PAGE was just deleted, but forums still intact - now has a group ID 1 called "Hacked by TheWayEnd from 1923Turk". Question is: how did he achieve this?

Besides, someone seems to have exploited another function, using a /?go=tramadol-online.htm function. No clue what's causing that yet but I'll stay on it.

Damage done so far (with latest WP version and most likely all updated plugins):

1.) One article rewritten to relay to some hacker's site (see above)

2.) One deleted page (sf-forum page)

3.) Rewritten group name

4.) Some included ad-thing as mentioned above

OK, I guess that's still acceptable.

11:27 pm 19 Feb 2008 | phanthomas (Member, 12 posts) | #6

http://www.milw0rm.com/exploits/5126


FINAL PROOF from the logfiles, one thing led to another: for anyone who said that the forum is NOT exploitable - they came through the Wordspew plugin first and then continued through Simple Forum.. and yes, the above posts are from me. Any chance to fix that asap? Wouldn't like to resign from the forums.

11:39 pm 19 Feb 2008 | Yellow Swordfish (Admin, Peterborough, England, 4481 posts) | #7

1:47 am 20 Feb 2008 | Mr Papa (Moderator, Arizona, USA, 1167 posts) | #8

Phantomas, your site is in maintenance mode, so I can't see, but which build of Simple Forum were you running? If it was 237, please advise and let us take a look…

11:45 am 22 Feb 2008 | phanthomas (Member, 12 posts) | #9

@Yellow Swordfish - hm, a bit late in my case.. Sorry - you may have published that info somewhere, but excuse me and other users for not reading every plugin's site daily. Kind of hard to follow when you run several dozen blogs for yourself and your customers.

Well, "Your own fault, when you can't follow the updates", you may say. "No!" - would be my reply. I have a blog just for one purpose - it has ALL plugins I use anywhere (uninstalled, but that doesn't matter in this case). I visit it daily and check for ALL WordPress AND plugin updates (through the "Plugins" page). Believe me - I take that job very seriously, security is my prime focus. If there's any update I immediately run an update against all the blogs..

Bad thing is: I've never seen any update to my version there. And yes, to answer your question, Mr Papa: I was running a pre-237 build as it seems..

So, I have two suggestions:
* Get rid of any kind of footer/build/version info that's visible to the user. Even if it's invisible to them - get rid of any signature that could be harvested in search engines. Why? Because that was how they found dozens of sites and could play their little game..
* Get rid of "builds" anyway. Release a new subversion if there's a bugfix. There's no reason not to release a "2.1.1" which would be correctly announced through WordPress' plugin check instead of "builds" that apparently didn't seem to show up there. Or for whatever reason it didn't show, please find a solution, because it's really a security issue that could be avoided somehow..

After all the "ranting" (not without a reason, I hope you acknowledge..) finally a "thumbs up" - great software and most of all great support!

.. btw: you may recall me.. I was the guy who was desperately asking for some features at an early stage of sf-forums, like the RSS feature for example, which is by now one of the most-used features on my site :)
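
The first suggestion in the post above is something a site owner can check for themselves: does the rendered HTML of the site carry a harvestable version or build banner? The Python script below is an added example, not code from this forum or from the Simple Forum plugin. The page it scans is constructed for the example; its footer line is modelled on the version strip this forum itself prints ("Version 3.1.3 (Build 356)"), and the generator meta tag and HTML comment are assumed leak locations, chosen because crawlers index all three places.

```python
"""Audit a page's HTML for version/build banners that search engines could index.

Added example with a constructed sample page; not code from the plugin or the forum.
"""
import re
from html.parser import HTMLParser

# Matches banners such as "Version 3.1.3 (Build 356)" or "v2.1 build 230".
BANNER_RE = re.compile(
    r"(?:\bVersion\b|\bv)\s*(\d+(?:\.\d+)+)"  # group 1: dotted version number
    r"(?:\s*\(?Build\s*(\d+)\)?)?",           # group 2: optional build number
    re.IGNORECASE,
)


class _Collector(HTMLParser):
    """Gather the three places a crawler reads: generator meta, visible text, comments."""

    def __init__(self):
        super().__init__()
        self.generators = []  # content of <meta name="generator" ...>
        self.texts = []       # visible text nodes
        self.comments = []    # <!-- ... --> bodies (not rendered, but still indexed)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])

    def handle_data(self, data):
        if data.strip():
            self.texts.append(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_version_leaks(html):
    """Return a list of (where, text, version, build) for each exposed banner."""
    c = _Collector()
    c.feed(html)
    leaks = []
    # A generator tag is a leak as soon as it carries any version number at all.
    for content in c.generators:
        m = re.search(r"\d+(?:\.\d+)*", content)
        leaks.append(("meta generator", content, m.group(0) if m else None, None))
    for where, chunks in (("html comment", c.comments), ("visible text", c.texts)):
        for chunk in chunks:
            for m in BANNER_RE.finditer(chunk):
                leaks.append((where, chunk, m.group(1), m.group(2)))
    return leaks


# Constructed sample page for the example (not a real site).
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="WordPress 2.3.3">
<!-- Simple Forum v2.1 build 230 -->
</head><body>
<p>Welcome to the forum.</p>
<div id="sf-footer">&copy; Simple:Press Forum - Version 3.1.3 (Build 356)</div>
</body></html>"""

if __name__ == "__main__":
    for where, text, version, build in find_version_leaks(SAMPLE_PAGE):
        print(f"{where:14} version={version} build={build}  <- {text}")
```

Run it against the saved HTML of your own front page and forum page; every line it prints is a string a search query could have used to find the site, and the generator tag in particular is removed in WordPress with a one-line `remove_action('wp_head', 'wp_generator')` in the theme or a small plugin.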

12:14 pm 22 Feb 2008 | Yellow Swordfish (Admin, Peterborough, England, 4481 posts) | #10

Whilst I thoroughly sympathise and take on board some of your comments, the responsibility is still yours. You downloaded and installed what was very clearly marked at the time as 'beta' software along with the risks that implies. When 2.1 came out of beta I did everything I could do to inform, make it public and to publicise the security threat. I note you did not sign up for an email notification of updates and have to assume you did not check back on the site here to monitor it coming out of beta.


I am not sure what else I could have done. Certainly when I run beta software as I do from time to time, I consider it my own responsibility to watch for progress. People who take beta software also have a role to play in doing so. The only reason for offering betas is to get feedback to iron out bugs and problems. That is a part of the role the user accepts when they use such versions.


If your method of checking plugin versions 'daily' is simply to look at the plugin page for a notice then be warned that when this notice was introduced it was only available to plugins hosted at WordPress.org. For the large community of plugin authors who choose not to host their work there, you will not see a notice of updates. That includes plugins that I write. As it happens, that API has now been opened up and I can make use of it and do so in Version 3. But it was not possible for 2.1. I would suggest if you really want to check daily then yes - you are going to have to visit some sites.


I am extremely sorry to hear that you have had problems with attack from the version of this plugin you had installed.

12:26 pm 22 Feb 2008 | -Radio- (Moderator, Florida - USA, 475 posts) | #11

First - Welcome back. We encourage communication in the forums.


Second - do you use 'One Click - Automatic Plugin Updater' as one of your plugins on the main site? If you do, then you should know that there are a great many plugins that do not use the SVN and/or are not recognized by the various repositories.


If you do use the 'Automatic Plugin Updater' plugin, then you would be aware of the repository indicator light, and be able to visually identify the plugins that are not stored in the repositories and be able to check each of those manually when checking for updates.


Andy does not use the SVN for his plugins, and although I do not agree with him on this issue, I understand and respect his decision to remain independent.


As a web service provider and webmaster myself, security must be a priority when dealing with customer accounts, so I fully understand your position on this issue as well. I would recommend the plugin for your main blog, simply to keep up to date, as well as the use of its abilities on your clients' accounts.


11:42 am 28 Feb 2008 | phanthomas (Member, 12 posts) | #12

I totally agree with y'all. It's been my own "fault". In one way or another… And thanks for all your input and suggestions. Most of which I already follow. Simple Forum must have slipped through though.

Andy - don't get me wrong please! I wasn't trying to put the blame/responsibility on you at all.

Maybe I was still a bit hackled up when posting the above one. But still - I just feared I was not alone in my situation and tried to make some suggestions on how to maybe improve the whole thing and to keep up to date at least a bit easier..

As with the RSS feature wish already posted above - I'm sure you'll come up with a good solution to all this ;)

11:57 am 28 Feb 2008 | Yellow Swordfish (Admin, Peterborough, England, 4481 posts) | #13

We are debating whether to take the build number off the version strip. One reason it's good to be there is it can make it easier to work with when I visit other people's sites to try some troubleshooting.

V3 will report in the plugins page when an update is available but because the plugin is not hosted at WordPress itself there will be no attempt at auto-install.

© Simple:Press Forum - Version 3.1.3 (Build 356)