help glitch or hacker
RedWulf
Help! I was on my website when the page suddenly started saying "lol rekt". My website is sbforums.esy.es. Actually I can get into it by mobile but not on computer. Please help as fast as possible.
Seems to have something to do with the tagging plugin. Try to disable it.
I took another look at your files for your forum and fixed it again. The default theme had something wrong with it. It looks like the only themes that work are the ones I made... very odd.
There might have been something hacked, because that popup was not normal and it came from the default theme. Not sure what you did.
It works again. Please enable plugins one by one and test each one to see if any of them were the cause of your problems.
Something is not allowing themes that use default.master.tpl to work... Only themes that use a default.master.php work on your forum. I do not know what could be causing this.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Upon some research I have found this
http://stackoverflow.com/questions/1932556/smarty-outputs-blank-page
http://www.smarty.net/forums/viewtopic.php?p=83590
I replaced all your files for the forum. I have no more time to check things but I hope later to be able to test more.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
@RedWulf
You should also know that your user name is not working because you are using characters like /// and \\ in your name, and they are not proper HTML, so it's not being recognized and makes the link to your profile throw a 404 Not Found. This name does not work: //RedWulf\ //:OWNER:\ You need to just use RedWulfOWNER without the slashes...
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Ok, thank you once again vr. I'm gonna look at that stack and remember those.
I enabled plugins and the lol rekt started again, please help.
Disable all plugins.
Enable one at a time to find the problem one.
When you know which one it is, it would be worth posting a question in the relevant plugin page, in case it has a security vulnerability.
@RedWulf
Please make me an admin account at your forum and send me the login instructions via private message.
I fixed it again, but from FTP I can't see what is input in the fields. Don't turn any more plugins on until I see what is entered that is causing this issue.
I think someone entered some code into a tag or something else, maliciously. This user, according to R_J, needs to be banned and his content deleted.
And you should ban that user: http://sbforums.esy.es/forum/profile/16/JamesDoh7
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Ok, I fixed your forum again and got rid of the bad tags that had a script... hmm, very bad that people would exploit your forum. Don't trust people... no one other than yourself or people like us that have ethics. In other words, will do no harm.
I think my theme and the banner image I made for you work well for now since you are building your community... keep it that way until you learn how to fix problems you encounter with other themes or plugins.
I'll help you if you help me, ok?
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Just as important (besides sorting out the issue):
How did they enter a script into the tag??? What was the vulnerability? Did you burn the evidence?
Tagging plugin??? Or some other plugin.
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
There was a vulnerability where the text entered into the tag was not being stripped of non-HTML characters...
R_J gave me the code to patch the vulnerability for them. And said he reported it.
There were 3 tags with <script> in them. I deleted them and deleted the one who posted them and any content they had. The tags can be seen in the dashboard. I would avoid using the tagging plugin until it is fixed.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
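The failure described above is unescaped tag text reaching the browser as markup. The PHP below is an added example written for this thread; it is not Vanilla's code and not the patch R_J supplied, and the `$tags` rows, the function names and the tag-name rule are constructed for illustration. It shows the vulnerable rendering beside an escaped one, and an audit routine of the kind an admin could run over stored tag rows to find entries that need deleting.

```php
<?php
// Added example (not Vanilla's code, not the patch R_J supplied): how a stored
// script in a tag name reaches the browser when output is not escaped, the
// hardened rendering, and an audit routine over tag rows.
// The $tags array below is constructed sample data, not rows from any real forum.

$tags = [
    ['TagID' => 1, 'Name' => 'php'],
    ['TagID' => 2, 'Name' => 'smarty'],
    ['TagID' => 3, 'Name' => 'lol <script>alert("rekt")</script>'],
];

// Vulnerable pattern: tag text is concatenated straight into the HTML.
// Whatever the user typed, including markup, becomes part of the page.
function renderTagsUnsafe(array $tags): string
{
    $html = '';
    foreach ($tags as $tag) {
        $html .= '<span class="Tag">' . $tag['Name'] . '</span>';
    }
    return $html;
}

// Hardened pattern: every user-controlled value is escaped for the HTML text
// context before output, so '<' and '"' can no longer open a tag or attribute.
function renderTagsSafe(array $tags): string
{
    $html = '';
    foreach ($tags as $tag) {
        $name = htmlspecialchars($tag['Name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<span class="Tag">' . $name . '</span>';
    }
    return $html;
}

// Defensive input rule (assumed policy): tag names only need letters, digits,
// spaces and a few separators. Rejecting anything else at save time is a second
// layer; the output escaping above is what actually prevents script execution.
function isValidTagName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _\-]{1,50}$/u', $name);
}

// Audit helper for the clean-up described in the thread: list stored tags whose
// names contain markup so an admin can remove them from the dashboard.
function findSuspiciousTags(array $tags): array
{
    $hits = [];
    foreach ($tags as $tag) {
        if (!isValidTagName($tag['Name'])) {
            $hits[] = $tag['TagID'];
        }
    }
    return $hits;
}

echo "Unsafe output:\n" . renderTagsUnsafe($tags) . "\n\n";
echo "Escaped output:\n" . renderTagsSafe($tags) . "\n\n";
echo "Tag IDs needing review: " . implode(', ', findSuspiciousTags($tags)) . "\n";
```

Run it with `php example.php`: the unsafe output contains a live `<script>` element, the escaped output contains `&lt;script&gt;` as inert text, and the audit reports TagID 3. The same escaping applies wherever a tag name is echoed (tag clouds, panels, autocomplete lists), and the name rule is a convenience, not a substitute for escaping at output.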
I don't think anyone will see this info about not using the tagging plugin.
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
It was reported and I am sure they are working on it and are aware. I would post the fix here if anyone has the same issues, but announcing that there is a problem in a discussion may bring unwanted people to test out how badly they can fck up some poor person's forum.
I would wait until others have the same issue. This could have been an isolated incident, due to their installation being totally wrong, and I had to upload all the files again to make sure it was working again.
I try not to get involved in these kinds of issues with staff. I am terrible about reporting, coz I'm incompetent from lack of practice, and those issues I reported are very low on the totem pole of their priorities. So hopefully they will fix this pronto for everyone.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
In addition to the tagging plugin, disable the profileextender plugin as well.
Also change your admin passwords. It is a good idea to do this, especially after patching and fixing things after an exploit is used to compromise your site.
Disclosed to linc via PM.
Keep your fingers crossed.
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
I will..
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Would anyone please PM me a link to the vulnerability fix? As 2.3 is still in the cooker, and I don't think a release would be made right now, I would appreciate a PM for the fix if possible. I need tags to work without issues if possible.
@data66 compare the enhanced tags plugin https://vanillaforums.org/addon/tagging-plugin with the staff plugin regarding the panel. The much older enhanced plugin in the add-ons has the vulnerability corrected (although other aspects may not work).
If you are patient, we should expect a release soon to correct this vulnerability for thousands of users.
Or the better option, if you are impatient, may be to replace it with master, which also doesn't have the vulnerability, at least it doesn't appear to from looking at the code. I don't use tagging.
https://github.com/vanilla/vanilla/blob/master/plugins/Tagging/class.tagmodule.php
FWIW, the master is not vulnerable, and both 2.3b1 and 2.2.1 are vulnerable with regards to the above issues reported.
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Be careful using the debugger plugin (it can increase your vulnerabilities if you don't pay attention), not to be confused with the debug config statement.
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.