Forum hack- what happened?

& Crivens & SirDice.

Meanwhile, where is the Foundation? Hey, did something happen?
We are here to collect money :). We are on the high level.
Not this basic stuff which keeps things going.
Let's make a marketing plan, we need a vision, a mission, a strategy.
 
Did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
I took a screenshot with my cell phone.
These idiots don't even know what responsiveness is.
 
I wonder if the XSS hack was combined with other methods to do more damage.
Not that I could find in our situation. I took apart their injected javascript. It didn't do much besides redirecting to a github repo that hosted the "defacement" page. That defacement page also contained some javascript, but that was nothing more than a basic http/tcp/udp connection flooder. Nothing fancy and most of it didn't even work properly.
 
No. We were in constant contact with various folks from core, foundation and clusteradmin. So, none of this nonsense please.
There was a Foundation post on Facebook, showing they knew nothing. Excuse me if I sometimes over-exaggerate. I only tell my feelings, and really have no idea of the good/bad they do. So for me it is something "black".
- Do we really need KDE?
- Wifi drivers for exotic hardware?
Are priorities right?
---> Me, I think more about Netapp & Juniper.
 
They were never able to access the kernel repo or package repo, or gain root access. Probably only the XenForo administrator session/cookie/password, and insert their own "front-page".
 
I took a screenshot with my cell phone.
These idiots don't even know what responsiveness is.
I guess that my proxy blocked the bg image. I simply saw a black bg.

A simple cascading stylesheet would solve a lot of responsive problems:
Code:
@media (max-width: 300px) { 
  .haha { display: block;  } 
}

And image sets work wonders these days:
 
This is about the corresponding hack on linux.org from this thread.

"Edit2: more info: https://github.com/methosiea/xenforo-2-xss
So, the attack chain is basically:

  1. Attacker registers an account
  2. New post w/ the xss payload - it goes to the queue
  3. An admin views it, it fires off the xss payload stealing his session
  4. Attacker creates the malicious widget"
I wonder if the XSS hack was combined with other methods to do more damage.

I also wonder why someone would hack a public forum.

/grandpa
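The chain quoted above works because the admin's browser executes whatever HTML the queued post carries (step 3). As an added illustration, not code from the thread or from XenForo, here is a minimal Python rendering of the defect next to its fix, a queue-side check that flags output still carrying active content, and the cookie attributes that limit what a stolen session can leak. The post body, the `post` wrapper markup and the `xf_session` cookie name are constructed placeholders.

```python
import html
import re

# Constructed sample only: a post body of the kind the attack chain above describes
# (active content hidden in a post waiting in the moderation queue). The placeholder
# script is inert and is not the payload that was used against the forum.
SAMPLE_POST = 'Hello <b>mods</b>, please approve. <script>alert("xss")</script>'

# Markup that would execute when the moderator's browser renders the post:
# script tags, javascript: URLs, inline event handlers such as onload=.
ACTIVE_CONTENT = re.compile(r'<\s*script|javascript\s*:|\son\w+\s*=', re.IGNORECASE)


def render_post_unsafe(body: str) -> str:
    """The defect: user-supplied HTML is interpolated verbatim into the moderation page."""
    return f'<div class="post">{body}</div>'


def render_post_safe(body: str) -> str:
    """The fix: contextual output encoding. Every '<', '>', '&' and quote in user
    content becomes an entity, so the browser displays the text instead of running it."""
    return f'<div class="post">{html.escape(body, quote=True)}</div>'


def contains_active_content(rendered_html: str) -> bool:
    """Detection helper for the review queue: True when the rendered output still
    carries script tags, javascript: URLs or inline event handlers."""
    return ACTIVE_CONTENT.search(rendered_html) is not None


def session_cookie_header(name: str, value: str) -> str:
    """Defence in depth for step 3: a session cookie that page script cannot read.
    HttpOnly keeps it out of document.cookie, Secure keeps it off plaintext HTTP,
    SameSite=Lax blocks most cross-site sends. This limits cookie theft only; it
    does not stop injected script from acting inside the admin's own browser session,
    so output encoding remains the actual fix."""
    return f'Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax'


if __name__ == '__main__':
    print(render_post_unsafe(SAMPLE_POST))
    print(render_post_safe(SAMPLE_POST))
    print('unsafe rendering flagged:', contains_active_content(render_post_unsafe(SAMPLE_POST)))
    print('safe rendering flagged:  ', contains_active_content(render_post_safe(SAMPLE_POST)))
    print(session_cookie_header('xf_session', 'EXAMPLE-SESSION-ID'))
```

Run as-is to see the escaped form of the sample post; only the unsafe rendering is flagged. The regex detector is a backstop for auditing what a template actually emitted, not a substitute for encoding every user-controlled value at output time.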
This is literally what happened.
SirDice and myself both caught the defacement live (and in some way, caused it by being online -- see point 3 in quote).
SirDice analyzed the code (which was put in a simple post), nuked the user and their post, found in the admin log what was changed (by "us"), reverted everything.
I was on the server itself, checking possible intrusions in file systems, databases, checking known good file hashes.
Meanwhile, I nudged DanGer to expedite the XF update.
All of this was basically done in under 30 minutes, but the FreeBSD Org wanted a little more detail and reassurance.
And that was it.
 
This was quickly solved. When recently someone updated the package database with a bad package, inserting some bad SQL into the db, I think it took at least 18 hours before a fix. Nobody could download any package, not on quarterly, not on "current".
For other architectures it took 3 days.
Here it is much about nothing.

& About this bad package SQL. Not one word from the Foundation. Not one.
 
how both linux and freebsd are super secure
The security of the OS isn't going to stop a parsing bug in a web application. That's how most, if not all, hacks happen nowadays. It very rarely happens because of a bug in the OS itself.
 
Exactly. Us open source heads always brag about how both linux and freebsd are super secure, and then we have our forums pwnd like this. It's pretty embarrassing.
XenForo is not open source. also, XenForo is not Linux or FreeBSD, it's a piece of third-party software.

and anyone claiming that any OS is "super secure" is... possibly misunderstanding how security works. perhaps you could say FreeBSD is "more secure" than, say, AIX, in the sense that it has fewer security advisories (i don't know of any statistics about this off hand, so let's just stipulate that it's true), but that doesn't mean FreeBSD "is super secure". if you don't apply security updates, it's not secure. if you run EOL releases, it's not secure. if you don't attend to physical security, it's not secure. if you run an Internet-accessible sshd with weak passwords, it's not secure.

security is far more about process than it is about choice of software.
 
This was quickly solved. When recently someone updated the package database with a bad package, inserting some bad SQL into the db, I think it took at least 18 hours before a fix. Nobody could download any package, not on quarterly, not on "current".
For other architectures it took 3 days.
Here it is much about nothing.

& About this bad package SQL. Not one word from the Foundation. Not one.
Yeah, having a good, workable plan on how to get back up and running reasonably quickly after an incident IS one important aspect of administering a public service. Another important aspect is being able to communicate solid info about the status of said service. But sometimes, it's faster to fix the situation than to fully analyze what happened and write an announcement. Besides, when a situation is solved, analysis stops being that incredibly urgent. Basically, it takes some level-headed thinking to realize that the priority should be on technically rectifying the problematic situation, rather than analysis and announcements. Especially given the fact that the Forums are basically a communication platform with no real alternative method of reaching the users. Kind of like having roads washed out by a flash flood - nothing happens until the road is fixed, and fast, and full analysis of the economic and social impact of that flood can wait.
 
This was quickly solved. When recently someone updated the package database with a bad package, inserting some bad SQL into the db, I think it took at least 18 hours before a fix. Nobody could download any package, not on quarterly, not on "current".
For other architectures it took 3 days.
Here it is much about nothing.
If you're referring to this (the recurrence), then you're wrong.
Edit: https://github.com/freebsd/pkg/issues/2575#issuecomment-3665495683
Code:
That's strange because the cad/cura-engine port has last been updated on
2025-11-05 so if its only a change to that port the logic bomb should've blown up
in all our faces weeks ago.
 
XenForo is not open source. also, XenForo is not Linux or FreeBSD, it's a piece of third-party software.

and anyone claiming that any OS is "super secure" is... possibly misunderstanding how security works. perhaps you could say FreeBSD is "more secure" than, say, AIX, in the sense that it has fewer security advisories (i don't know of any statistics about this off hand, so let's just stipulate that it's true), but that doesn't mean FreeBSD "is super secure". if you don't apply security updates, it's not secure. if you run EOL releases, it's not secure. if you don't attend to physical security, it's not secure. if you run an Internet-accessible sshd with weak passwords, it's not secure.

security is far more about process than it is about choice of software.
No need to lecture me about that. You are completely missing the point. The fact that it happened is what makes us all look bad. I mentioned both linux and freebsd in my posts, but I'm fully aware that it has nothing to do with either. It's a human factor as stated below.
We had a failure in keeping up with XF and that will not happen again.
It would be perfectly understandable if this was an agricultural or cooking forum that was run by a bunch of incompetent Kares. But it's not. It happens, and I understand. But you can't deny the fact that it looks bad.
 
I am confused as to how the Linux Operating System, the FreeBSD Foundation and the FreeBSD Operating system are being accused of being insecure because of a vulnerability in forum software (id est, php files residing on a web server). I'd like to remind folks that JavaScript is a client-side technology, so the vulnerability is not so severe in the first place (php files and the forum's database, which are server side, were not compromised). I remember reading an article about online security when I was studying web site security. The article mentioned CNN being a victim of hacking via a comment system. The exploit allowed cookies to be hijacked. CNN isn't exactly a small fish in the pond either.

The violators are script-kiddies exploiting a known vulnerability in Xenforo. A lot of script-kiddies research vulnerabilities constantly. I have a friend that runs an on-line forum for Nature and he is always a victim of spam and hacking; and he uses commercial, not open source, forum software as well. PHP is always under attack. PDO was implemented to mitigate SQL injections which wreaked havoc in many forum software packages. Xenforo devs get paid to fix these problems. The decision to use commercial forum software allows The Foundation to pay devs to make the Operating System better and more secure. At any time, The Foundation could pull the plug on this forum, so I would rather not blame anyone for the vulnerability other than the developers of Xenforo. But no one is perfect. The problem has been resolved and we can leave it in the rear-view mirror.

Exploiting a small vulnerability to run a JavaScript overlay declaring victory is quite unimpressive. I once guessed a press/media password at an NCAA football website so that I could download copies of high-res college football logos. Cue rolling eyes. Also unimpressive.
 
Yeah, having a good, workable plan on how to get back up and running reasonably quickly after an incident IS one important aspect of administering a public service. Another important aspect is being able to communicate solid info about the status of said service. But sometimes, it's faster to fix the situation than to fully analyze what happened and write an announcement. Besides, when a situation is solved, analysis stops being that incredibly urgent. Basically, it takes some level-headed thinking to realize that the priority should be on technically rectifying the problematic situation, rather than analysis and announcements. Especially given the fact that the Forums are basically a communication platform with no real alternative method of reaching the users. Kind of like having roads washed out by a flash flood - nothing happens until the road is fixed, and fast, and full analysis of the economic and social impact of that flood can wait.
Note I entered a bug report after 90 minutes of outage; the problem was fixed only one hour later, OK, it needed some reminder. That was very quick.
In this case the fix needed to be pushed over DNS mirrors. And that took time, which I reasonably understand.
 
Setting DNS to localhost (127.0.0.1 or ::1) was a stroke of genius! People running a webserver on the same machine would get 404 Page not Found or similar server errors. The rest of us got Connection Refused errors. It had me puzzled for a while until I ran dig on my desktop and host on my server and realised which address was returned.

As for all the Linux/BSD nonsense, I think most of us know it's just that. The real thing is having diligent admins who spotted this and dealt with it fast.
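The symptom described above (a connection refused on most machines, a 404 from your own web server on the rest) is what a mirror name resolving to loopback looks like from the client side. As an added example, not code from this thread or from pkg, the following Python check does what the poster did by hand with dig and host: resolve the mirror name and say outright whether any answer points back at the querying machine. The hostname passed on the command line is an assumption; the resolver is injectable so the classification can be exercised offline with constructed answers.

```python
import ipaddress
import socket
import sys


def resolve(hostname: str) -> list[str]:
    """Ask the system resolver (what 'host' and 'dig' consult by default) for every
    address of hostname. Returns an empty list when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def loopback_addresses(addresses: list[str]) -> list[str]:
    """Pick out answers in 127.0.0.0/8 or ::1. A zone suffix such as '%em0' on a
    link-local IPv6 answer is stripped before parsing."""
    return [a for a in addresses if ipaddress.ip_address(a.split('%')[0]).is_loopback]


def check_mirror(hostname: str, resolver=resolve) -> tuple[str, list[str]]:
    """Classify a mirror hostname as 'unresolved', 'loopback' (at least one answer is
    the querying machine itself, so 'connection refused' or a local web server's 404
    is the expected symptom) or 'ok'. Returns the verdict and the relevant addresses."""
    addrs = resolver(hostname)
    if not addrs:
        return ('unresolved', [])
    bad = loopback_addresses(addrs)
    if bad:
        return ('loopback', bad)
    return ('ok', addrs)


if __name__ == '__main__':
    # Hostname is an assumption: substitute the mirror your pkg configuration points at.
    name = sys.argv[1] if len(sys.argv) > 1 else 'pkg.example.invalid'
    verdict, addresses = check_mirror(name)
    print(f'{name}: {verdict} {addresses}')
```

A 'loopback' verdict tells you the name, not your network or the remote host, is the problem, which is the distinction that cost the poster some puzzling.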
 
The solvers for the "package SQL stuff" here were not the admins (doing a great job on the forum, by the way); they were simple mortal users like me noticing it, and the real workhorses fixing it were behind it in the mailing lists. Kudos to them, doing it for free, not wanting to be bothered by random noise. One hour to fix is extremely fast.
I have been in contact with Microsoft Headquarters and a fix would be available in the next Microsoft release, that was 9 months later.
 
I was using the term "admins" to refer to everyone involved in running the FreeBSD operation - from the foundation to the developers and contributors and ... and...

We all have a rôle, however small, in one way or another.