UGN Security
I just want to know if there are any bugs in that Snitz forum, and if there are any "backdoors" through blocks??

I want a safe forum on my site and I'm doing some research; if my teacher is right, this should be a safe forum?

In other words I would like to know if I can stop ppl getting through blocks on forums?
(if it's possible to get through a block)
A secure BBS... ha ha ha

Any BBS will have holes and back doors man. Check it out.

http://www.undergroundnews.com/cgi-bin/ubbcgi/ultimatebb.cgi?ubb=get_topic;f=1;t=000265

this is the URL for this topic.

you have the normal URL

http://www.undergroundnews.com/cgi-bin/ubbcgi/ultimatebb.cgi

then the command stuff

This command says get topic, as opposed to post or delete or whatever other commands there are
?ubb=get_topic;

This says forum 1. I imagine the forum below this is forum 2
f=1;

Topic number 265
t=000265

Now if someone was to play with your URL long enough I am sure they could get somewhere they aren't supposed to be. Well with some skill.

Just make sure passwords are encrypted and you exercise all security options you can. Also visit their site often and look for security updates.
I got around an e-learning site doing that once. I saw that the free sample lesson was something like /course=1 so I tried putting in 2 and 3 and so forth, and got access to the full course.
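Added example, not part of the original thread: the URL breakdown and the /course=1 anecdote above both describe a server that trusts whatever identifiers arrive in the URL. The Python sketch below shows the server-side check that stops this, using the thread's ubb/f/t parameter names; the ACL tables, role names and the delete_topic command are constructed assumptions, not UBB's or Snitz's actual code.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample data (assumption): roles allowed to read each forum,
# and the forum each topic really belongs to.
FORUM_ACL = {1: {"guest", "member", "admin"}, 5: {"member", "admin"}}
TOPIC_FORUM = {265: 1, 77: 5}
# Extra role required per command; any command not listed is refused outright.
COMMAND_ROLE = {"get_topic": None, "delete_topic": "admin"}
NUMERIC = re.compile(r"[0-9]{1,9}")  # ASCII digits only, bounded length

def parse_query(url):
    """Split a UBB-style query (pairs separated by ';' or '&') into a dict."""
    params = {}
    for pair in re.split(r"[;&]", urlsplit(url).query):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key = unquote(key)
        if key in params:  # repeated parameter is ambiguous: refuse
            return None
        params[key] = unquote(value)
    return params

def authorize(url, role):
    """Return the HTTP status to answer with for this URL and session role."""
    params = parse_query(url)
    if params is None or set(params) - {"ubb", "f", "t"}:
        return 400
    command = params.get("ubb")
    if command not in COMMAND_ROLE:
        return 400
    f, t = params.get("f", ""), params.get("t", "")
    if not NUMERIC.fullmatch(f) or not NUMERIC.fullmatch(t):
        return 400
    forum_id, topic_id = int(f), int(t)
    # Same answer for "no such topic" and "topic lives in another forum",
    # so changing t= cannot be used to probe other forums' topics.
    if forum_id not in FORUM_ACL or TOPIC_FORUM.get(topic_id) != forum_id:
        return 404
    needed = COMMAND_ROLE[command]
    # The role comes from the server-side session, never from the URL.
    if role not in FORUM_ACL[forum_id] or (needed and role != needed):
        return 403
    return 200
```

The point is that incrementing f= or t= only ever reaches what the session's role is already allowed to see; the identifiers in the URL select content, they do not grant access to it.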
There is no forum 2 lol... Go try it :x...
heh, cute. Deleted one when putting this puppy up, huh?
anyone else who knows a bit more about this??
because I've tried at my teacher's forum (with his allowance of course) and I did just get to the "default page", the page which includes all the forums. =) but that's good then, or maybe it is another system/commands with the UBB to that page?
each board will be a bit different. post an example URL of the main board then 1 level deeper etc etc etc. and I will break it down for you.
http://www.brunns-skola.org/piren/forum/default.asp

breaking it down is not the main reason for this topic, but I'm more curious about the systems.

Besides, that address leads to an address that you need to be logged on to; the forum is no prob to register in but the page is, it ain't something u can register on the net. But good luck anyway =)

And I who thought that UBB was some good piece of [censored] =(
Okay,

These forums are written in ASP, Active Server Pages.

UBB is written in Perl.

ASP is a Microsoft server-side scripting language. To find out how secure your forums are I would first learn ASP. Then study the code and look at how variables are passed. Now read any and all security bulletins dealing with ASP and Snitz Forums 2000.

Sometimes a language will come out with an exploit in how variables are passed. That could be, and usually is, a big hole in security on boards.

Second, the logon and password: how are they sent to the server? Is SSL used for the connection, or is it plain text all the way to the server? That is a big weakness.

Break down

http://www.brunns-skola.org/piren/forum/forum.asp?FORUM_ID=5

Root directory of the site
http://www.brunns-skola.org

Some blank page, with a little HTML/JavaScript code to make it.
http://www.brunns-skola.org/piren
Code
<link rel="stylesheet" href="stil.css" type="text/css">

<script language="JavaScript" src="bada.asp?id=1"></script>
Root directory of the Board
http://www.brunns-skola.org/piren/forum

This seems to actually include default.asp
you can get to the same page using both of the URLs below
http://www.brunns-skola.org/piren/forum/forum.asp
http://www.brunns-skola.org/piren/forum/default.asp

This opens the Elever - diskussion forum, which was the 5th forum the web master created. Hence Forum_ID=5
http://www.brunns-skola.org/piren/forum/forum.asp?FORUM_ID=5

I hope I am helping.
Thx for the info. Too bad it's a bit too advanced for me but I'll try to learn some ASP then as u said...
Anyone who knows any good ASP docs then???
I for one find ASP to be completely useless and worthless lol... I'd recommend you learning PHP if anything.
I want to learn ASP as well. I'm not a big fan of Microcrooks, but I would like to be familiar with the .NET framework.

AlienTerror, I will see if I can find a few sites; if I do I will post them here. There are many boards out there in other languages though. ASP is not free, and harder to learn. As Gizmo pointed out, PHP would be nice for you to learn. It is free, easy, fun, and very useful on the net.

I for one still want to learn ASP though.
::nod:: aka, useless lol... ASP isn't that hard, it's about as hard as using SHTML lol...
© UGN Security Forum