free source for bbs

[Jay Tilton]

: I've actually fixed the security glitches now

Bullshit. Security is designed into a product. Your design is inherently
insecure. This is not something you can fix by pecking in a few more lines
of code.

: ....it's really shitty to get
: hacked, but it won't happen again.

You have no idea what you're doing, do you?

 

[Kirk Strauser]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I well bet $$$ that if your site ever gets any amount of traffic, then
your message board *will* be compromised again.

That didn't take as long as I thought. As of 2004-04-02 at 10:09PM CST, all
categories were deleted except for one named "Idiot" with a topic of
"pwn3d!!!1".

For the record, I had nothing to do with that, and I do not in any way
condone the defacing of another's website. That's just plain wrong. Still,
I lack the words to express how completely not surprised I am.

Robin, pull your board offline. You need much more experience before
writing a system to let random people write data to your hard drive. Count
yourself lucky that you haven't opened a portal to the rest of your website.
- --
Kirk Strauser
The Strauser Group
Open. Solutions. Simple.
http://www.strausergroup.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAbjns5sRg+Y0CpvERAqdQAJ41P/xHjBJqe5MeMH0r29HUzMZ8jgCdGwca
TTtVDz33qfEoeMrYAyF5ugc=
=adt8
-----END PGP SIGNATURE-----

 

[Tassilo v. Parseval]

Also sprach Robin:

I've actually fixed the security glitches now....it's really shitty to get
hacked, but it won't happen again.

Hmmh, have you really? Appears as though someone is flooding your board
with an automated script or something. I guess he's having fun...

Tassilo

 

[Keith Keller]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmmh, have you really? Appears as though someone is flooding your board
with an automated script or something. I guess he's having fun...

I wonder if Robin is a honeypot? Not just in the sense of
attracting crackers to her site, but in attracting onlookers
in clpmisc....

- --keith

- --
(e-mail address removed)-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQFAburJhVcNCxZ5ID8RAqx0AKCEanwEDwMWDP4AJ9dHbIGfla4MzQCfTh6A
8+dd3Ba1b6NkutBzE1gO0Ag=
=Zfxg
-----END PGP SIGNATURE-----

 

[Uri Guttman]

KK> I wonder if Robin is a honeypot? Not just in the sense of
KK> attracting crackers to her site, but in attracting onlookers
KK> in clpmisc....

s/honey/crack/ ;

uri

 

[Uri Guttman]

KK> I wonder if Robin is a honeypot? Not just in the sense of
KK> attracting crackers to her site, but in attracting onlookers
KK> in clpmisc....

s/honey/crack/ ;

uri

 

[Jay Tilton]

: The problem with these types of people (not understanding) is they don't
: realise the rest of the problems they bring to other users on the 'net.
: Whether that BBS could be exploited like formmail I don't know..

Formmail is a regular Fort Knox of security compared to Robin's opus.
Dig this tidbit from admin.pl :

sub checkuser
{
if ($FORM{'showuser'})
{
@userns = &getusersfromfiles;

if ($FORM{'users'})
{
@usrsplit = split (/\./, $FORM{'users'});
foreach $usern (@userns)
{
open (USR, "$FORM{'users'}") or die $!;
...

So there's a two-argument form of open() using completely unlaundered
user-supplied data for the filename. Why not just set the computer on fire
now and avoid the rush?

Seriously, Robin. Your program is a ticking time bomb. Leaving it up and
running is lunacy.

 

[Robin]

7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



You took down the script?

it's back and the password file is not world readable...

 

[Robin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I wonder if Robin is a honeypot? Not just in the sense of
attracting crackers to her site, but in attracting onlookers
in clpmisc....

I must be doing both.... it's not a girl. Later,
-Robin

 

[Robin]

Well, it hasn't been hacked again in about half a day, I know how they did
it the first time, fixed that, and I know how they did it the second time
because my password for the admin script was something easily guessable, but
the last time must have been done with some sort of exploiter script that
submitted a lot of stuff through my forms through http. Can someone tell me
a few lines of code I could use in the script - www.infusedlight.net/bbs/
(download here) that would prevent it from being insecure, I know this is
asking a lot, but I'd like to be able to be running a good, safe, secure
message board system. In any event, I have a feeling that it might be really
exploited soon now that I have a feature to mail posts to you, hopefully
that doesn't happen. I also have a feeling that to get a secure script
written I'll have to start over from scratch.

Password files are no longer world readable.

BTW, I'm a he-novice not a she- if you'd like to see some of the stuff I do
as my main field of practice, writing, go to
http://www.infusedlight.net/robin/stories.shtml - I know you're gonna say I
should abandon programming, but why? There's no good reason for abandoning
something once you've started and already have a backbone of knowledge for
it.

Regards,
-Robin

 

[Robin]

Ok, I'll take ya'll's advice, I took down the whole bbs, it got hacked too
much. Later,
-Robin

 

[Jim Cochrane]

Well, it hasn't been hacked again in about half a day, I know how they did
it the first time, fixed that, and I know how they did it the second time
because my password for the admin script was something easily guessable, but
the last time must have been done with some sort of exploiter script that
submitted a lot of stuff through my forms through http. Can someone tell me
a few lines of code I could use in the script - www.infusedlight.net/bbs/
(download here) that would prevent it from being insecure, I know this is
asking a lot, but I'd like to be able to be running a good, safe, secure
message board system. In any event, I have a feeling that it might be really
exploited soon now that I have a feature to mail posts to you, hopefully
that doesn't happen. I also have a feeling that to get a secure script
written I'll have to start over from scratch.

Password files are no longer world readable.

BTW, I'm a he-novice not a she- if you'd like to see some of the stuff I do
as my main field of practice, writing, go to
http://www.infusedlight.net/robin/stories.shtml - I know you're gonna say I
should abandon programming, but why? There's no good reason for abandoning
something once you've started and already have a backbone of knowledge for
it.

If you enjoy it, then by all means, keep doing it, and keep learning how to
do it better.

 

[Uri Guttman]

R> should abandon programming, but why? There's no good reason for
R> abandoning something once you've started and already have a
R> backbone of knowledge for it.

you should abandon it because you have no skills and have show a
proclivity for not listen to those who have them. that does not portend
to your developing to be a good coder. you have no sense of what is
right or wrong about code. you have no sense about why your code is
broken in many ways. no one in their right mind will want your code. it
makes much of the kiddie scriptware out their look good.

now i feel like i want to dabble in brain surgery. i will watch a bunch
of movies and some discovery channel programs. that should be enough to
get started. do you want to me my first victim^Wpatient?

that is how we look at your work. it is amateurish to an extreme. get it
already. you will never be a good coder as you just don't get what it is
about.

uri

 

[Robin]

I think you're on some sort of vendetta against me...please don't become a
brain surgeon...hehe...
-Robin

 

[Uri Guttman]

R> I think you're on some sort of vendetta against me...please don't become a
R> brain surgeon...hehe...

i won't if you won't try to be a programmer. there are already too many
coders in the field who don't know anything. you are just another
statistic. you will be so much smarter if you realize how little about
coding you know. besides all the security problems and lack of cgi
understanding, you lack the basics of simple coding like scoping, api
design and more. but you insist on claiming you know stuff when you
don't. only unelected presidents can make such false claims and get away
with it.

uri

 

[Tassilo v. Parseval]

Also sprach Robin:

Well, it hasn't been hacked again in about half a day, I know how they did
it the first time, fixed that, and I know how they did it the second time
because my password for the admin script was something easily guessable, but
the last time must have been done with some sort of exploiter script that
submitted a lot of stuff through my forms through http. Can someone tell me
a few lines of code I could use in the script - www.infusedlight.net/bbs/
(download here) that would prevent it from being insecure, I know this is
asking a lot, but I'd like to be able to be running a good, safe, secure
message board system. In any event, I have a feeling that it might be really
exploited soon now that I have a feature to mail posts to you, hopefully
that doesn't happen. I also have a feeling that to get a secure script
written I'll have to start over from scratch.

You have to take a few step backwards. At this point it is not so much
about Perl itself. Your first step must be getting familiar with all the
pitfalls in the field of web-programming and CGI. Start at

<http://www.perl.org/CGI_MetaFAQ.html>

There are several topics. The first two (FAQs and Security) are
indispensable. Read a few (or even all of them) from top to bottom.

After that, read the documents relating to CGI and Perl in particular.
Sooner or later (but probably rather soon) they will mention CGI.pm
which is the module you should be using. Using that alone will eliminate
quite a few security holes.

Password files are no longer world readable.

Well, that's already a start, isn't it?

BTW, I'm a he-novice not a she- if you'd like to see some of the stuff I do
as my main field of practice, writing, go to
http://www.infusedlight.net/robin/stories.shtml - I know you're gonna say I
should abandon programming, but why? There's no good reason for abandoning
something once you've started and already have a backbone of knowledge for
it.

There is no need to abandon it. But in order to prove Uri wrong (he
who says you shouldn't be programming at all), go back to some of the
elementary things first. Closing these gaps will help you on the long
run.

Tassilo

 

[Joe Smith]

Can someone tell me
a few lines of code I could use in the script - www.infusedlight.net/bbs/
(download here) that would prevent it from being insecure.

A few lines won't do it. To be secure requires an entire rewrite.

I know this is
asking a lot, but I'd like to be able to be running a good, safe, secure
message board system.

That's a good goal, but you'll need to learn about how to avoid tainted data.
Have you been using Perl's taint-checking mode?

#!/usr/bin/perl -T

-Joe

 

[Tad McClellan]

Well, it hasn't been hacked again in about half a day, I know how they did
it the first time, fixed that, and I know how they did it the second time
because my password for the admin script was something easily guessable, but
the last time must have been done with some sort of exploiter script that
submitted a lot of stuff through my forms through http.

There are exploits numbers 1, 2 and 3.

Only about a dozen more to go, hang in there until you are shown all
of them!

(or if you can't wait months or years, install an existing message
board that already knows the potential exploits.
)

Can someone tell me
a few lines of code I could use in the script - www.infusedlight.net/bbs/
(download here) that would prevent it from being insecure,

Just in case it is not perfectly clear yet:

That is impossible.

Give up on that idea. Switch to some other idea.

"a few lines of code" and "prevent it from being insecure" should
not appear in the same sentence.

I know this is
asking a lot, but I'd like to be able to be running a good, safe, secure
message board system.

The easy way to do that would be to find an existing message board
that is good, safe and secure.

The very hard way is to write one yourself (and if you do, you will
surely miss some or all of the "target" features listed).

In any event, I have a feeling that it might be really
exploited soon now that I have a feature to mail posts to you, hopefully
that doesn't happen.

<metaphor type="ridiculous extreme">
I have a feeling that my car might be stolen now that I leave it
unlocked with the keys in it.

Hopefully that doesn't happen.
</metaphor>


"Hoping" that a possible exploit is not exploited demonstrates that
you do not yet have the mindset appropriate for considering security.

Arranging things so that the possible exploit is no longer possible
is how you should be thinking.

You need (perhaps a lot) more background before you will be able to do it.



There are lots of rather obvious places to look for more background:

Have you read Perl's standard doc with the title "Perl security"?

perldoc perlsec

Have you seen the Questions that are Asked Frequently regarding
the application area that you are working in?

perldoc -q CGI
Where can I learn about CGI or Web programming in Perl?

What is the correct form of response from a CGI script?

My CGI script runs from the command line but not the browser. (500
Server Error)

How can I get better error messages from a CGI program?

How do I make sure users can't enter values into a form that cause my
CGI script to do bad things?

How do I decode a CGI form?


Besides "Perl security" you will also need to know about "OS security",
"web server security" and "CGI security", so you will need to find
non-Perl security info too.

I also have a feeling that to get a secure script
written I'll have to start over from scratch.

Now you're talking!

I know you're gonna say I
should abandon programming, but why?

There is no need to abandon programming.

There is a need to abandon offering code to The World that
can damage anyone foolish enough to trust it.

If you insist on putting it where the public can find it, you
are remiss if you don't plaster it with prominent warnings
and caveats.

What you are doing can hurt people. Figure out how to do what
you want without hurting people.

(or at least warning them that they could be hurt.)




_You_ can be exploited as many times as you like. That's up to you.

Spreading your pain to unsuspecting people is what is disreputable.

 

[Michele Dondi]

i won't if you won't try to be a programmer. there are already too many ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
coders in the field who don't know anything. you are just another
statistic. you will be so much smarter if you realize how little about
coding you know. besides all the security problems and lack of cgi
understanding, you lack the basics of simple coding like scoping, api
design and more. but you insist on claiming you know stuff when you
don't. only unelected presidents can make such false claims and get away
with it.

I would tend to disagree, for one! Granted, your observations are
fundamentally correct, but who are you to tell him not to be a
programmer?!? In fact it's true that in the beginning he seemed to be
refusing to understand the good pieces of advice he was being given,
especially the ones about "take this thing off!", but eventually IMHO
he has shown to be much more reasonable and not to be the kind of
arrogant crackpot he looked like at first!

Now, at this point one may start an in-depth discussion more of a
philological nature about what is to be understood for "programmer",
e.g.: "professional programmer"? "Hobbyist programmer"? Ad libitum...
but *in any case* if he turns out to be willing to improve his
programming/perl skills, then why should he be advised to avoid doing
so a priori?!?


Michele

 

[A. Sinan Unur]

Well, it hasn't been hacked again in about half a day, I know how they
did it the first time, fixed that, and I know how they did it the
second time because my password for the admin script was something
easily guessable, but the last time must have been done with some sort
of exploiter script that submitted a lot of stuff through my forms
through http.

Get real. No one needs anything remotely that involved when they can just
go to:

http://www.infusedlight.net/design/bbs/admin.pl

which gives them the user names and passwords. Since admin.pl is not
protected, no one needs to guess anything. (At least, this was the state of
affairs when I last checked.)

No one hacked/cracked your site. It was wide open. People here have
patiently tried to tell you to learn something ... anything before you make
such stuff available to the rest of the world.

And, if someone had used the 'feature' of emailing posts to arbitrary email
addresses to launch an attack or just send random spam, you would have been
in a world of trouble.

Can someone tell me a few lines of code I could use in
the script - www.infusedlight.net/bbs/ (download here) that would
prevent it from being insecure,

Learn how to program first. For example:

use strict;
use warnings;

# From lib.pl (see http://www.infusedlight.net/bbs/)
sub out_println {
no strict;
my (@content) = @_;
foreach $content (@content) {
print ($content);
}
print ("\n");
}

sub out_println_2 {
print for (@_);
print "\n";
}

my @lines = qw(one two three four five six seven eight);

print "Robin's version: \n";
out_println(@lines);

print "Modified version: \n";
out_println_2(@lines);

print "The Perl way:\n";
print @lines, "\n";
__END__

C:\Home\asu1> t.pl
Robin's version:
onetwothreefourfivesixseveneight
Modified version:
onetwothreefourfivesixseveneight
The Perl way:
onetwothreefourfivesixseveneight

The moral of the story: There is absolutely no sense in writing stuff like
that. You need to learn the basics.

I know this is asking a lot, but I'd
like to be able to be running a good, safe, secure message board
system.

Buy Programming Perl (http://www.oreilly.com/catalog/pperl3/). Start with
the cover page and read every single letter. Work all the examples.

In any event, I have a feeling that it might be really
exploited soon now that I have a feature to mail posts to you,
hopefully that doesn't happen. I also have a feeling that to get a
secure script written I'll have to start over from scratch.

In a few years maybe.

Password files are no longer world readable.

What does it matter that the file itself is not readable. The admin.pl
script makes the contents visible to anyone who cares to enter the URL.

I know you're gonna say I should abandon programming, but why? There's
no good reason for abandoning something once you've started and already
have a backbone of knowledge for it.

Have you ever heard of the phrase "cutting your losses"?

You have zero knowledge of anything at this stage. Yes, you have wasted
some time (yours and ours) in the process of learning absolutely nothing
but that is no justification for continuing to waste everyone's time.

You have been given advice. You chose not to take it.

It is hard to ignore you because you provide much laughter at precisely the
right moment. I don't remember laughing this much in the last couple of
months.

But we are not laughing with you. We are laughing at you.

The only way you will get any respect and advice is by showing an inkling
of a glimmer of an attempt to learn. That is not too hard to do. The choice
is yours.

Sinan.