user table dump
August 22, 2008 12:21AM
Is it possible that there is a security problem in Phorum 5.0 that someone can dump the user table out?
Re: user table dump
August 22, 2008 01:24AM
There is no known vulnerability of this type.

Brian - Cowboy Ninja Coder - Personal Blog - Twitter
Re: user table dump
August 22, 2008 02:05AM
Why do you ask? You got hacked?


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: user table dump
August 22, 2008 03:03AM
Who would still use Phorum 5.0.x, which is kinda ancient by now?


Thomas Seifert
Re: user table dump
August 22, 2008 04:12PM
Or could someone inject PHP through Phorum 5.0?
Re: user table dump
August 22, 2008 04:20PM
What the heck are you aiming at?
You really expect to get some hacking recipe or so?
Or like I put it before: "Why do you ask? You got hacked?"

Since you seem to have started with Phorum 5.2 as your first Phorum and not with 5.0, this sounds a lot like you are trying to find a convenient way to hack into somebody else's board and rip their user database, possibly for trying to steal the other board's users. Maybe this is not the case, but you have been asking similar stuff in the past (how to find all hidden forums with a script), and with the very limited info that you provide and with targeting Phorum 5.0, I get really, really suspicious about your intentions.

To get rid of that suspicion, you really need to explain what you are aiming at, instead of doing some baitless fishing in here.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: user table dump
August 22, 2008 04:34PM
Got hacked on another forum with 5.0. Someone injected a PHP file. Not sure whether it came through Phorum 5.0. Still have not figured out where it came from.

Don't want to disclose which site it is because it may happen again.



Edited 2 time(s). Last edit at 08/22/2008 04:37PM by SecretNinjaMan Maker.
Re: user table dump
August 22, 2008 04:39PM
We have seen injections that were never tracked down to Phorum. They were more likely done through other code on the server, directly in the MySQL database. These also appeared in many applications, not only Phorum, making it less likely to be a Phorum specific hack.

Like Brian said: "There is no known vulnerability of this type." That still stands.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: user table dump
August 22, 2008 04:45PM
What kind of code deficiency may cause PHP injection? I am not a good coder; any ideas you may share?

If you don't want to discuss this in public, please PM me.

Thanks!
Re: user table dump
August 22, 2008 04:56PM
I don't want to discuss this in public, nor in private.
The main problem would be bad coding.

Go search the net. There are many resources on web application programming and security. Some standard topics: XSS (cross site scripting), SQL injections, poisoned null byte, remote inclusion, register_globals, etc. etc.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: user table dump
August 23, 2008 05:00PM
What functions should I use to prevent attacks from user input? Or should I ask what 5.2 is using to do that?

mysql_real_escape_string()
htmlspecialchars()
addslashes()
Re: user table dump
August 23, 2008 06:54PM
That depends on what you are using the data for. I cannot choose one from your three proposed functions, since they target different fields of protection and they all have their needs. There is no magic function that you can call to protect your code. You need to understand what is going on and write your code based on that.

Phorum 5.2 uses mysql_real_escape_string() and mysqli_real_escape_string() to build valid SQL queries that do not suffer from SQL injections. It also uses htmlspecialchars() and htmlentities() to protect against XSS vulnerabilities. It also uses various other techniques, like protecting against remote inclusions by validation of variables that can be provided by users in URLs, for example.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
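The point of the answer above is that each output context needs its own treatment: SQL gets SQL escaping, HTML gets HTML encoding, and an include path must never be built from the request at all. The following is an added illustration written for this thread, not Phorum's own code; the table name `users`, the page map in `page_file()` and the variable `$link` (an already-open mysqli connection, not opened here) are assumptions. The prepared-statement variant is a swapped-in modern alternative that the post does not name; `mysql_real_escape_string()` itself was removed in PHP 7, so only the mysqli form is shown.

```php
<?php
// Added example: one function per sink, matching the contexts the reply lists.
// Assumed: $link is an open mysqli connection; `users` is a placeholder table.

// 1. SQL sink: escape the value for the query text, then quote it.
//    mysqli_real_escape_string() needs the live connection because correct
//    escaping depends on the connection's character set.
function user_by_name_query(mysqli $link, string $name): string
{
    $safe = mysqli_real_escape_string($link, $name);
    return "SELECT user_id, username FROM users WHERE username = '" . $safe . "'";
}

// Same lookup with a prepared statement (swapped-in alternative, not the
// technique named in the post): the value never becomes part of the SQL text.
function user_by_name_prepared(mysqli $link, string $name): ?array
{
    $stmt = mysqli_prepare($link, "SELECT user_id, username FROM users WHERE username = ?");
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    return is_array($row) ? $row : null;
}

// 2. HTML sink: encode on output so a stored username cannot become markup.
//    ENT_QUOTES also encodes single quotes, which matters inside attributes.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 3. Include sink: the request value only selects a key from a fixed map of
//    local files (assumed names), so neither a remote URL nor a traversal
//    string can reach include(). Unknown keys fall back to the default page.
function page_file(string $requested): string
{
    $pages = ['index' => 'pages/index.php', 'profile' => 'pages/profile.php'];
    return $pages[$requested] ?? $pages['index'];
}

// Constructed sample input (not real data) run through the offline sinks.
// The SQL functions above are not called here because they need $link.
$name = "O'Neil <script>alert(1)</script>";

echo html_text($name), "\n";            // O&#039;Neil &lt;script&gt;alert(1)&lt;/script&gt;
echo page_file('profile'), "\n";         // pages/profile.php
echo page_file('../../config.php'), "\n"; // pages/index.php (not in the map)
```

Note that `addslashes()` from the earlier post appears in none of these: it is not character-set aware, so it is not a substitute for the connection-bound mysqli escape in the SQL sink, and it does nothing useful for the HTML or include sinks.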
Re: user table dump
August 23, 2008 09:30PM
Thanks!