#1, 18 Mar 2013, 23:23
Smitty (Real name: Marc Smith; Join Date: Sep 2002)
Thread title: vB 3.8.7 PL 3 XSS Leak in Email Link to Friend?

I'm not sure if this is really the right forum for this. Please move if it's not "best fit".

This is on a fully patched 3.8.7 Patch Level 3 install. It IS an old forum which is highly modified - too many mods to list here.

Someone has figured out how to use a phrase in one of my sites and cause spam emails to be sent. It uses the "Email Link to Friend" phrase and some of its variables. I *assume* it is a cross site XSS issue but I am not sure. I know this is happening because of Bounce messages I am getting.

1. I never did have the email to friend feature enabled for any user group and my tests show the people do get the error message if they try.

2. I "emptied" the sendtofriend template so now all a person gets is a message ""Send Link To Friend" DISABLED due to potential spam issues."

3. It is (now was) obviously using some of the "$vbphrase[sendtofriend]" phrase variables, so I emptied that out and put in my own message (without any variables) with an apology. Prior to doing that it gave a link to a web site using the "$vbphrase[sendtofriend]" phrase somehow, and used a couple "real" variables in that phrase.

Now that I have completely eliminated the variables in the phrase and put in my own text (an apology and brief explanation of what I *think* is happening) the spam content they were sending doesn't show - Only the text I put in shows in the emails which are sent.

4. No emails are going to forum members. They are somehow using a mailing list.

5. Somehow they are getting the email address set in the vB adminCP > Options > Site Name / URL / Contact Details as the "Sent By" - If I change that the spam email "From" address changes with it.

6. They are able to put in their own "Subject" in the spam emails being sent.

7. I have vBulletin set up to use php to send outgoing emails.

Has anyone heard of anything like this? And/or any ideas on how it is being done, not to mention how to stop it?

What is surprising is that now that I can control the spam email contents, it seems to me they would stop, which they haven't.
__________________
Elsmar Marc

Last edited by Smitty; 19 Mar 2013 at 00:00.
#2, 19 Mar 2013, 04:08
Lynne (Real name: Lynne; Join Date: Sep 2004)
If they were able to change your phrases, then they have access to the server and were then using a script to do what they wanted (modified vbulletin file?). I would suggest checking your server access logs and contacting your host about this.
__________________
Former vBulletin.org Staff Member

Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
#3, 19 Mar 2013, 06:09
Smitty
They can not change any phrases. I changed the "$vbphrase[sendtofriend]" phrase which changed their spam emails, or at least the body of the emails. See 3 above. They don't have access to the box (it's a dedicated server). I can tell by looking at the ssh and sftp logs. I haven't slogged through the access logs yet to see what's happening with http.
#4, 21 Mar 2013, 11:38
Smitty
As a followup, this turned out to be an xss exploit from another site (a phishing site) which I fixed. I also got the site taken offline. There were some files in my includes directory with the wrong permissions set. I recently did a migration to a new server and some of the file permissions I had set didn't carry over.
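Post #4 traces the abuse to files in the includes directory whose permissions did not survive a server migration. The following is an added example, not code from the thread or from vBulletin, that audits a web tree for group- or world-writable files and directories and tightens them; the ./includes path and the two file names in the demo tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from vBulletin): find files and
# directories under a web tree whose mode lets group or others write, then
# remove those write bits. The includes/ directory and file names below are
# constructed for the demo; point the functions at the forum's real tree.

# List every file or directory under $1 that is group- (020) or
# world-writable (002), one "ls -ld" line each.
find_loose_perms() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) -exec ls -ld {} \; 2>/dev/null
}

# Number of offenders under $1; 0 means the tree is clean.
count_loose_perms() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | wc -l | tr -d ' '
}

# Strip group and other write bits from every offender under $1.
# Owner bits are left alone so the web server user keeps its read access.
tighten_loose_perms() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) -exec chmod g-w,o-w {} \; 2>/dev/null
}

# Constructed demo tree (not a real install) so the audit runs offline:
# config.php is owner-only as expected, functions.php has drifted to 666.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/includes"
    chmod 755 "$d/includes"
    printf '<?php\n' > "$d/includes/config.php"
    printf '<?php\n' > "$d/includes/functions.php"
    chmod 600 "$d/includes/config.php"
    chmod 666 "$d/includes/functions.php"
    printf '%s\n' "$d"
}

# Usage: audit, tighten, re-audit.
root=$(demo_tree)
echo "Before tightening:"
find_loose_perms "$root/includes"
tighten_loose_perms "$root/includes"
echo "Offenders after tightening: $(count_loose_perms "$root/includes")"
```

Run it as the file owner (or root) so the chmod in the tightening step is permitted.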
#5, 21 Mar 2013, 17:30
Lynne
I'm glad you got the issue resolved!
#6, 21 Mar 2013, 18:10
Smitty
Actually it ended up being sort of fun once I realized what they were doing and how to stop it. It took them about 36 hours before they realized that I changed their spam email message body. That gave me time to watch the http log file and gather info on them before I changed permissions on the files which stopped them dead in their tracks. I also got their web site taken offline by submitting my info to the hosting company whose server they were on. The hosting company was using Amazonaws, but I won't mention the host company here for obvious reasons.

The spammers were rather upset (to say the least). I had gotten the Amazonaws people involved as well as the us-cert.gov people, and they were monitoring things when whoever it was tried to DoS the site. They failed to even slow the site down for more than 10 to 20 seconds at a time. They gave up after about an hour.

Getting their site taken offline gave me a good feeling, so all ended well.
#7, 07 Sep 2013, 03:46
Hall of Famer (Join Date: Apr 2009)
Umm, is there a way to fix the problem? I am having the second XSS attack through the showthread.php page on my VB3.8 forum in 3 months. I am not sure if it's the same problem as this one, but it may have some connection. The problem is, my webhost will suspend my account even if this is not my fault in any way (unless it's a crime to use VB software?).
#8, 07 Sep 2013, 12:03
Smitty
I can't remember exactly what I did now other than what I described herein. I do remember it had something to do with file permissions which had changed when the site was migrated to another server. I wish I could tell you more.
#9, 12 Sep 2013, 02:39
Hall of Famer
That's too bad... I just received another XSS attack on showthread.php; it's getting serious. *sigh*
#10, 12 Sep 2013, 02:50
Smitty
showthread.php?

Exactly what is happening?

Screen shot?
#11, 12 Sep 2013, 04:31
joeychgo (Real name: Joey; Join Date: Mar 2004)
I always recommend forum owners hire Securi. I use them for all my sites. They monitor the sites for intrusions, and track down and repair successful malware / virus attacks on my sites. They have been fantastic for me and they monitor all my sites.
__________________
Lincoln vs Cadillac Forums -

Last edited by Paul M; 14 Sep 2013 at 02:16. Reason: No affiliate links may be posted anywhere on vbulletin.org
#12, 12 Sep 2013, 15:22
Hall of Famer
Originally Posted by joeychgo:
"I always recommend forum owners hire Securi. I use them for all my sites. they monitor the sites for intrusions, and track down and repair successful malware / virus attacks on my sites. They have been fantastic for me and they monitor all my sites."
Well, I ran two free scans on my forum and the showthread.php page, and it says there's no security threat. *sigh* You sure this is correct?
#13, 12 Sep 2013, 15:48
Smitty
This is something only a vB *expert* can deal with. I also have a person dedicated to security on my dedicated servers, but he isn't a vB pro. I fixed my problem but with no help from him. That said my servers are secure and I do not expect him to deal with vB issues.

Other than that, not much I can say other than:

How do you know it's showthread.php?
#14, 12 Sep 2013, 19:07
Hall of Famer
Originally Posted by Smitty:
"This is something only a vB *expert* can deal with. I also have a person dedicated to security on my dedicated servers, but he isn't a vB pro. I fixed my problem but with no help from him. That said my servers are secure and I do not expect him to deal with vB issues.

Other than that, not much I can say other than:

How do you know it's showthread.php?"
'cause the host was able to trace the activity of the hacker, and showthread.php was where he/she accessed to send spam mails.
#15, 12 Sep 2013, 20:11
Smitty
Ah. Well, it looks like only you and I have run into whatever it was/is. I haven't seen it mentioned anywhere by anyone else. I feel for you. I wish I could help you. I do hope if you find out what it is and how they're doing it you will let me and others know.