Whoops - a Xenforo XSS vulnerability bit us!

That and the other two links at the top are the same color as the footer background in Dark Test. FYI :)

And good on you for the excellent site backup schedule!
Oh, I use the solarized dark theme lol... I think someone else was testing/creating the dark test one.
 
They posted a youtube video

Nice find!

I got an email from GitHub that they have taken appropriate action; the account was removed by GitHub, as the repo and the user aren't available anymore.

Excellent. I'm surprised they acted that quickly. I'd have expected it to have some sort of notice, appeal process, and then closure. How long did it take them to nuke their repositories?

Also, thanks for the swift postmortem, reassuring to read.

I'll add something that's probably important to mention...

There's no information that suggests that they made off with any personally identifiable information. No accounts appear to be hacked. No data was exfiltrated. So, you're all set to go.

We were mentioned on the FreeBSD forums, as they are running the same forum software.

I emailed them yesterday with the fix.

I thought that it'd be the polite thing to do.

Sure, FreeBSD isn't Linux, but they're still FOSS and are still awesome. So, I found their webmaster's email address and sent them an email.

I was going mad trying to alert someone about it until..

For the future, there's this URL that you can use to contact me.


(This is long enough. I'll now check the next page of comments!)
 
I think someone else was testing/creating the dark test one.

I took a look at the process, but it was above my level/time consuming. So, I tabled it.

If I get time, I'll make that a bit more of a priority. The problem is, I'm not sure how much time to set aside. I'm also limited to using the ACP (which isn't a bad thing, I suppose) instead of using CSS.

There...

That was a lot of stuff to reply to in one thread. I didn't even say 'you're welcome' to those who said thanks. So, collectively, you're welcome. I did what I could to diagnose the problem and to find the source of the problem, but @Rob did the heavy lifting.

It was obviously a script injection. You could verify this by blocking scripts on the site. (You could also still access the forum by doing so, but I had no way to let regular users know that.) The only question was what script it was and how they managed to do it.

Our fearless leader did not take any chances. Instead of trying to remove the scripts (and the widgets), he reverted to a time before the defacing. Which is a perfectly cromulent way of doing things. It was also a good idea just in case there were things we missed.

If you opened the page's source and searched for 'script', you'd eventually have come across a script that included 'hahaha' in the text. Well, two of them... And that's what the problem was.

My last post was long. So, I'll say it again, because it should be said.

There is no evidence (especially when looking at the XenForo bug) that user data was compromised. They didn't make off with your username, email, or password. Well, the passwords would be salted and hashed before being stored in the database. That'd make things more difficult for them.

Anyhow, you should be good to go.
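A defender's check for the situation described in the post above, added here as an example and not code from the thread, Linux.org or XenForo: it parses a page's HTML, lists every script element, and reports the ones not covered by an allowlist, so an injected inline script like the 'hahaha' one would surface without hand-searching the source. The sample page, the allowed script paths and the allowed inline marker are constructed for the example.

```python
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class ScriptFinding:
    kind: str    # "inline" or "external"
    detail: str  # inline script body, or the external src URL
    line: int    # line of the <script> start tag in the page source


class ScriptCollector(HTMLParser):
    """Collects every <script> element: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._buf = []
        self._line = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._line = self.getpos()[0]
        src = dict(attrs).get("src")
        if src:
            self.findings.append(ScriptFinding("external", src, self._line))
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as CDATA text
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.findings.append(ScriptFinding("inline", "".join(self._buf).strip(), self._line))


def find_unexpected_scripts(page_html, allowed_src_prefixes, allowed_inline_markers=()):
    """Return script findings that neither match an allowed src prefix nor contain an allowed inline marker."""
    collector = ScriptCollector()
    collector.feed(page_html)
    collector.close()
    unexpected = []
    for f in collector.findings:
        if f.kind == "external" and any(f.detail.startswith(p) for p in allowed_src_prefixes):
            continue
        if f.kind == "inline" and any(m in f.detail for m in allowed_inline_markers):
            continue
        unexpected.append(f)
    return unexpected


# Constructed sample page: one allowed external script, one allowed inline config
# block, and one injected inline script of the kind the post describes.
SAMPLE_PAGE = """<html><head>
<script src="/js/site/core.js"></script>
<script>var siteConfig = {theme: "dark"};</script>
</head><body>
<div>Welcome to the forum</div>
<script>document.body.innerHTML = "hahaha";</script>
</body></html>"""


def scan_sample():
    return find_unexpected_scripts(SAMPLE_PAGE, ["/js/site/"], ["var siteConfig"])
```

Run the check against a saved copy of a page (or the output of `curl`) and diff the findings against a known-good baseline after each deploy; any new inline or off-host script is worth a look.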
 
It was obviously a script injection. You could verify this by blocking scripts on the site. (You could also still access the forum by doing so, but I had no way to let regular users know that.) The only question was what script it was and how they managed to do it.
Now that explains why I was able to see it for a little bit before the image came back up.
I was on a Mac at the time and tried to inspect it/disable it, but I didn't find much of an option to do it.

BTW, I use the dark-test theme as my main, and it seems all good!
 
Now that explains why I was able to see it for a little bit before the image came back up.

Mostly for full disclosure, this is the timeline as I know it:

When I first noticed it, you wouldn't have been likely to encounter it.

The inserted script was only on two different pages. It was on our approval queue page (which you can't see), and it was on the user's account that had made the comment that was in the approval queue. You'd have been very unlikely to have clicked on their profile, so you'd not have encountered it.

Then, it took over the whole site. That's when I loaded up Firefox, installed NoScript, and started looking at the site.

That's also about the time that @f33dm3bits sent an email to Rob and me.

As that was going down, I juggled email for a bit while looking the site over to see what I could find. (I found the script, but hadn't worked out how to remove it quite yet.)

Which is when the site went down. @Rob very quickly did that. We exchanged some emails, and he restored to a previous date after doing some software updates.

It appears to have happened right about the time I came online. They may have hijacked my session to insert the code. I do not know. That was around 14:00 EST (UTC-5, I'm pretty sure).

The updates went quickly, and the site was soon up and running again, albeit with the loss of some posts and comments.

And that's the timeline as far as I know, without giving all of the details.

It's not that the details are secret; it's just that this is enough typing for one comment.
 
I emailed them yesterday with the fix.

I thought that it'd be the polite thing to do.

Sure, FreeBSD isn't Linux, but they're still FOSS and are still awesome. So, I found their webmaster's email address and sent them an email.
That's nice of you to have done so!
 
That's nice of you to have done so!

I thought it was a good idea at the time. My email was pretty short and to the point, including a sign-off of 'there's no obligation to reply'. I just shared the details and the snippet of HTML that inserted the scripts into the page.

A part of me thinks that I meant to mention that yesterday, but I forgot to do so in the moment.

I sent the email at 16:29, so not too long after this site was up and running again, and after I'd verified that the scripts were gone.

Yeah... I'm pretty sure that I meant to mention it but just completely forgot to do so in the din. It was a hectic couple of hours!

I just checked. Rob's email saying that the site was up was at 16:19. So, I emailed them 10 minutes after that.

(I figured they'd want to know.)
 
There... I've now posted on their forum to let them know the details as far as I know them.

Man, that's a ton of typing today.
 
I tried to log in and was blocked by the WarNight 3 screen and was concerned that my browser would be compromised with malware.

Nah, you're all set.
 