A user connected to our SMF site and posted a message in our TP shoutbox that shut down our whole site and posted nothing more than a redirect for users trying to access the site. The link was as follows:
Username: Ziygo:
IP: 174.101.172.42
Mail: ziygo@mail.com
Shout Message:
</div> and enter your ZIP code for free access!</div> </div><b style="position:absolute; top:0; left:0; width:100%; height:900%; background-color: red; font-size: 50px; color: #333333; z-index:999999;">Visit http://free100.tk and enter your ZIP code for free access!</div>
Once I deleted this shout, the site came back online.
Hope this help some people.
Mike Vail
I have the same problem - the Forum cannot be accessed anymore, and all I get is "Visit http://free100.tk and enter your ZIP code in order to continue."
Can you be more specific where to find the shout to eliminate it, scso1502?
Click the TinyPortal Admin link in your menu. Scroll down to "TPShout" and you should see all of the shouts. If not select "Shoutbox" instead of "Settings" on that same page.
Thanks, Skhilled - though I managed to eliminate the problem myself by deleting it directly from the database via MySQL. Problem is that when this happens you cannot access the Forum anymore (so no TinyPortal Admin link in your menu...), so there seems to be no other way than to do it directly in the database.
But eliminating the malicious code can only be a temporary measure - a single shoutbox post can still cause havoc if it is reposted. Can this be addressed somehow in a fix?
Try this, it will let you in the admin so you can edit the shoutbox or anything else you need to do in the SMF admin:
www.yoursite.com/index.php?action=admin;noblocks
For those who do not know how to edit the database. ;)
I'm sure Bloc will make this a priority since it is a security issue. :)
Cool - that's really helpful in cases like this! Many thanks, Skhilled! :up:
You're welcome. :)
Let us know what IP address they used etc... give us as much info as you can, so that we can ban that IP address and other details.
Uhmmm... Unfortunately I've just eliminated the shout in order to be able to access the Forum, so with that the details are gone. But if he shows up again, I'll post what I can find.
The user must have the IP address visible in his/her profile, so if you remember the username of the posted shout, all you need to do is to look at their profile before you ban them.
I am the said hacker, I will continue to exploit all sites that use that shoutbox until bloc releases a fix for it. The shoutbox is WAY too exploitable, if I was mean I could have used many other tinyportal exploits, but those are coming, prepare yourself :)
So, this was a css hack, what else do you have then? ..Or was that it?
There are many SQL injections brought in mainly due to your scripts, many available purely because of tinyportal and its lack of security. Email me if you'd like my findings bloc.
Well, I deleted the shout from the database, so I actually never saw the shout on site and the username is represented only via an ID etc. But I looked if I found Ziygo in the database, and there he is, registration yesterday, IP and e-mail are identical as they can be found in scso1502's post.
But anyway, seems friend Ziygo graces us with his presence... So in case you can provide even more details to identify you, Ziygo, that would be a great help ;)
Quote from: Ziygo on April 05, 2010, 10:58:19 AM
There are many SQL injections brought in mainly due to your scripts, many available purely because of tinyportal and its lack of security. Email me if you'd like my findings bloc.
Ok, mail sent.
Fixed the CSS hack for TP v1.0 beta 5-1.
Is a fix going to be issued for the non-Beta TP users? 0.98 specifically?
Yes, I am afraid it will also work on older Shoutbox versions: as it's primarily a display "trick" it will not harm the database, but it will be very annoying for users.
This is what's needed for 0.9.8 users:
- Open up TPmodules.php in the Sources folder and find:
$shout=strip_tags(substr($_POST['tp-shout'],0,300),'<b><u><i>');
Change it to:
$shout=strip_tags(substr($_POST['tp-shout'],0,300));
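The reason that one-line change matters is that PHP's strip_tags() never touches the attributes of a tag it is told to keep, so allowing <b><u><i> also lets a style attribute through, which is exactly what the shout above relied on. The following is an added example written for this thread, not TinyPortal's own code: it puts the pre-fix filter and the fixed filter side by side on a constructed shout modelled on the quoted one, and adds a hypothetical stricter variant (my suggestion, not Bloc's fix) that keeps bare <b>, <u>, <i> for formatting but drops every attribute and HTML-encodes the rest. The function names and the sample text are my own.

```php
<?php
// Added example, not TinyPortal's own code. Demonstrates why the 0.9.8
// shoutbox fix removes the allowed-tag list from strip_tags().

// Constructed sample shout, modelled on the one quoted in the thread
// (the URL is a placeholder, not the real one).
$sample = '</div><b style="position:absolute; top:0; left:0; width:100%; '
        . 'height:900%; background-color:red; z-index:999999;">'
        . 'Visit http://example.invalid and enter your ZIP code!</b>';

// Filter as it was in TP 0.9.8 before the fix: <b>, <u>, <i> are kept, and
// because strip_tags() does not remove attributes, the style attribute
// survives and can cover the whole page.
function shout_filter_before(string $raw): string
{
    return strip_tags(substr($raw, 0, 300), '<b><u><i>');
}

// Filter as posted in the thread: no tags are kept, so no attribute can
// survive either. Formatting in shouts is lost, but the display trick is gone.
function shout_filter_after(string $raw): string
{
    return strip_tags(substr($raw, 0, 300));
}

// Hypothetical stricter variant (my suggestion, not the project's fix):
// keep bare <b>, <u>, <i>, rewrite them without attributes, and encode
// everything else so stray '<' or quotes render as literal text.
function shout_filter_strict(string $raw): string
{
    $kept = strip_tags(substr($raw, 0, 300), '<b><u><i>');

    // After strip_tags() only b/u/i tags remain (in any letter case).
    // Replace each with a lower-case tag containing nothing but its name,
    // so no attribute of any kind is left.
    $bare = preg_replace_callback(
        '#<(/?)([bui])\b[^>]*>#i',
        fn(array $m): string => '<' . $m[1] . strtolower($m[2]) . '>',
        $kept
    );

    // Encode the whole string, then restore only the six bare tags allowed.
    $encoded = htmlspecialchars($bare, ENT_QUOTES, 'UTF-8');
    return str_replace(
        ['&lt;b&gt;', '&lt;/b&gt;', '&lt;u&gt;', '&lt;/u&gt;', '&lt;i&gt;', '&lt;/i&gt;'],
        ['<b>', '</b>', '<u>', '</u>', '<i>', '</i>'],
        $encoded
    );
}

echo "before : ", shout_filter_before($sample), PHP_EOL;
echo "after  : ", shout_filter_after($sample), PHP_EOL;
echo "strict : ", shout_filter_strict($sample), PHP_EOL;
```

Run it with `php shout_filter.php`. The "before" line still contains the `<b style="position:absolute; ...">` opening tag, which is what a browser would render on top of the page; the "after" line is plain text with every tag removed; the "strict" line keeps a plain `<b>...</b>` around the text with the style attribute gone. The stricter variant needs PHP 7.4 or later for the arrow function.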
Thank you very much!
Thanks for the quick response! Great work! :up:
Yep that is the one I reported earlier.
Definitely a shout box fix needed to stop that sort of thing.
His info while visiting my site was:
ConnorB
174.101.172.42
Email: ziygoc@gmail.com