Security breach?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Ms Givings
Registered User
Posts: 17
Joined: Tue Feb 22, 2005 10:44 pm

Security breach?

Post by Ms Givings »

Today we noticed that our ACP was showing a 'guest' browsing a hidden forum on our board. This forum is both hidden and restricted to moderators only. AFAIK this is (theoretically) impossible with phpBB. The IP in question was: 24.235.141.218. d235-141-218.home1.cgocable.net. Location: Burlington (43.350N, 79.783W). CGOCABLE.NET.

This particular forum contains private information which we do not want guests to read.
FYI our board is updated to the latest version (2.0.14)
Has anyone else experienced this and should we be worried?
Miranda
a fool and his honey are soon parted

SoBeNet
Registered User
Posts: 15
Joined: Mon Apr 18, 2005 3:19 pm

Post by SoBeNet »

Well, I had the same kind of thing, but my site was overrun... accounts taken, the kid made himself admin and deleted all my threads... I now have no forum since I can't find my backup.

starfoxtj
Registered User
Posts: 3714
Joined: Tue Jul 29, 2003 2:01 am

Post by starfoxtj »

If it is hidden, he is most likely seeing a login screen (and it might even be a bot).

You COULD try scanning the account with my toolkit to see if any extra admin accounts exist, but I doubt it is a hack or anything.
Admin ToolKit v2.1a - An Admin's most helpful tool for user management. Now Supports Mass User Deletion!
Change User's: names, passwords, emails, active status and avatar/pm permissions.
Ban/Unban Users, change Post and Resync Counts, and promote/demote users to admin.
Completely independent from your phpbb user account settings. No installation required, just upload one file.
User Upload ToolKit Beta - A quick and easy, 30 second-install, attachment mod. Now Supports Dynamic Thumbnails!

Ms Givings
Registered User
Posts: 17
Joined: Tue Feb 22, 2005 10:44 pm

Post by Ms Givings »

SoBeNet wrote: Well, I had the same kind of thing, but my site was overrun... accounts taken, the kid made himself admin

I am sorry to hear that. I take it your board was not updated to the latest version? It's absolutely critical that phpBB admins keep their boards bang up to date. The phpBB developers do their bit by releasing new versions as soon as a vulnerability is reported and support us well beyond the call of duty. I feel that the least we can do is to keep our boards bang up to date at all times. I hope you get it back.

starfoxtj wrote: If it is hidden, he is most likely seeing a login screen (and it might even be a bot).

I assure you it is hidden. It did occur to me that it might have been a bot as Google were madly crawling the board all day yesterday. But the IP is not one that I know Google or any other SE to use. That's what worried me.

Are you saying that the ACP will show a guest browsing a hidden forum even though all they are seeing is a login screen? The ACP showed that IP browsing that hidden forum for fifteen minutes. Isn't that rather a long time to be viewing a login screen? ;-)
You COULD try scanning the account with my toolkit to see if any extra admin accounts exist.

Thank you, but firing up phpMyAdmin was the first thing I did. There are no extra admin accounts. Also the board is at version 2.0.14 and I'm not using AWStats, so in theory there shouldn't be any way to hack into it, should there?
;-)

So, to repeat my questions: what AM I seeing, and should I be worried that a guest is able to access a private, hidden forum, access to which is restricted to mods and admins only?

flogger12
Registered User
Posts: 14936
Joined: Tue Nov 25, 2003 2:13 am

Post by flogger12 »

Your question was answered: he is viewing the login screen. He may have left the computer, it may not update but every 15 minutes, or whatever, but I have never heard of anyone that was not an admin being able to see hidden forums etc. Log out and try it yourself.

robert

Ms Givings
Registered User
Posts: 17
Joined: Tue Feb 22, 2005 10:44 pm

Post by Ms Givings »

Thanks Robert, I did and do get that. I'm sorry if I'm being irritatingly pedantic, but I still don't understand why the ACP is telling me that a guest is viewing a specific, named, hidden forum. Where is it getting that information from? Surely, if the guest is merely seeing the login screen, the ACP would report 'Forum Index'?

The fact that I can't view this forum as a guest does not particularly reassure me. I'm only a dim-witted woman. What concerns me is that someone considerably brighter than me can, and nothing anyone has told me so far has reassured me that that's not possible. Meanwhile I am naturally worried that someone may be reading my members' private information. Can someone please give me a definitive answer?

flogger12
Registered User
Posts: 14936
Joined: Tue Nov 25, 2003 2:13 am

Post by flogger12 »

Ms Givings wrote: Thanks Robert, I did and do get that. I'm sorry if I'm being irritatingly pedantic, but I still don't understand why the ACP is telling me that a guest is viewing a specific, named, hidden forum. Where is it getting that information from? Surely, if the guest is merely seeing the login screen, the ACP would report 'Forum Index'?

The fact that I can't view this forum as a guest does not particularly reassure me. I'm only a dim-witted woman. What concerns me is that someone considerably brighter than me can, and nothing anyone has told me so far has reassured me that that's not possible. Meanwhile I am naturally worried that someone may be reading my members' private information. Can someone please give me a definitive answer?

How definitive do you want? I and others have told you that it is very, very unlikely, if not impossible, for someone to be viewing that page. We have also told you that when the bots (like Googlebot) are viewing your site, they show up like this. That is the answer: whoever it is, is not viewing the page, but the login screen or the error screen. That is the way phpBB works; that is what it will show you. Let's test it out.

Give me a link to your board and tell me what hidden place to try to access, and then you go look in the admin panel for me and I will tell you what I am seeing.

robert

Ms Givings
Registered User
Posts: 17
Joined: Tue Feb 22, 2005 10:44 pm

Post by Ms Givings »

OK. Thanks for that. I believe you. It's obviously no good me giving you a link to the board because the forum in question is not visible to guests or to registered users. It just puzzles me why bots can (apparently) 'see' a forum that neither guests nor registered users can. But let's drop it, as it's clearly not a security issue from what you say and I don't want to waste your time.
Last edited by Ms Givings on Tue Apr 19, 2005 1:06 am, edited 1 time in total.

thecharmed01
Former Team Member
Posts: 2637
Joined: Sun May 16, 2004 10:07 am
Location: Wellington, NZ

Post by thecharmed01 »

I know what you mean, I have had the same problems.

It seems weird that they appear to be reading forums they shouldn't be able to see, but from what I understand, it's just the way PHP works and they really CAN'T read the forums.

Someone told me once that PHP cannot name the error page or the 5 or so pages that are loaded between page loads that we don't see, so it often uses page names it knows... although they aren't what the person is seeing.
If that makes sense?

I often see guests and bots browsing my moderator forum, or other hidden forums, but if I log out, there is no way I can see them... so don't panic, I think it's just something you learn to not worry about with phpBB.
If you're up to date, and onto it about checking the DB every now and again for rogue admin accounts, don't stress.
:D
Please refrain from PM'ing me for support unless I specifically ask you to.......

Helpful Pages: ~ [Styles FAQ] ~ [Styles User Guide] ~ [Styles Submission Policy]
My Site: [C1 Web Design]
| Mummy | Web Designer | Slave | Digi-Scrap Addict | Vampire |

Ms Givings
Registered User
Posts: 17
Joined: Tue Feb 22, 2005 10:44 pm

Post by Ms Givings »

thecharmed01 wrote: Someone told me once that PHP cannot name the error page or the 5 or so pages that are loaded between page loads that we don't see, so it often uses page names it knows... although they aren't what the person is seeing.
If that makes sense?

Yes it does. Perfect sense. I am very grateful for the reply; thank you for taking the time to post such a full answer.
don't stress.

I won't now. I'll cut back to just the fifty fags a day and the one bottle of Bacardi... ;-)

thecharmed01
Former Team Member
Posts: 2637
Joined: Sun May 16, 2004 10:07 am
Location: Wellington, NZ

Post by thecharmed01 »

damn!!! you will die of cancer or something with fun hobbies like that :P

On second thoughts, stress about the PHP; I'm sure it's less hazardous to your health LOL
:P
