12-27-2007, 06:31 PM
XSecurityAudit
Registered User
 
Join Date: Apr 2007
Posts: 79
Quote:
Originally Posted by ServerGenius
This part I wasn't supposed to paste, it doesn't have anything to do with the rest
of it......I noticed after I still was able to edit the post.......

php?action=add&add%5Busername%3A1%3A6%3A16%5D=fran k1&add%5Bpassword%3A1%3
Nice.

Quote:
Originally Posted by borked
If they keep backups, then a check of nats/includes/config_override.php from around the same date will show -
if the array:
$config['ADMIN_IPS']

is not present in this file, then they didn't have IP restrictions in place.
I wonder then: if there were no admin restrictions put in place and the GET request pasted by ServerGenius adds a user to the system -- wouldn't that mean that anyone could add admin users to the system by crafting up similar GET requests?

If that is true then this is not an isolated incident involving some backdoor user into the system, or some disgruntled ex-employee, but an actual vulnerability in the software itself. Unsanitized variables.

But I am just guessing that was the case. For all I know you DO need to be an authenticated admin to add new users to the system using that php script/GET request ServerGenius pasted. And if that's the case, it then validates what TMM has been stating all along - that someone had access to their shit. Now then I wonder: WHO had access and HOW did they get it. And WHY did it take so long for TMM to discover this issue. Or better yet, why didn't they handle such privy information with much more care.

In the security industry you have to follow standards; if we were to look at this situation from the point of view of a security expert (or database engine, e.g., OSVDB.ORG) this incident (backdoors/unauthorized user/ex-employee and/or vulnerability) would still violate two of the three concepts from the C.I.A. Triad of Information Security (http://en.wikipedia.org/wiki/Information_security):

Availability - http://en.wikipedia.org/wiki/Informa...onfidentiality
and
Integrity - http://en.wikipedia.org/wiki/Informa...rity#Integrity

Just my thought. I am bored.
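The post above speculates that the pasted GET request could add a user without any authenticated admin behind it, and borked points at the $config['ADMIN_IPS'] array as the place where IP restrictions would live. The following is an added example written for this thread, not code from NATS or from any poster: a hypothetical admin "add user" handler (handle_add_user, client_ip_allowed and valid_username are invented names) showing the checks whose absence the post is worrying about. The IP addresses and the in-memory user store are constructed for the demonstration.

```php
<?php
// Added example (hypothetical, not NATS code): the checks an admin
// "add user" action needs so that a crafted request alone cannot create accounts.

$config = [
    // As borked notes, if this array is missing there is no IP restriction at all.
    // Constructed values from the documentation range.
    'ADMIN_IPS' => ['192.0.2.10', '192.0.2.11'],
];

// Fail closed: an absent or empty allowlist refuses everyone instead of admitting everyone.
function client_ip_allowed(array $allowed, string $remote): bool {
    if (count($allowed) === 0 || $remote === '') {
        return false;
    }
    return in_array($remote, $allowed, true);
}

// Validate the username against a strict pattern rather than trusting the raw variable.
function valid_username(string $u): bool {
    return (bool) preg_match('/^[a-z0-9_]{3,32}$/', $u);
}

// Returns [http_status, message]. $insert_user is a callable that persists the account.
function handle_add_user(array $server, array $session, array $post, array $config, callable $insert_user): array {
    // 1. A state-changing action must not be reachable through a bookmarkable GET.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, 'method not allowed'];
    }
    // 2. The caller must be an authenticated admin, not just anyone who hits the script.
    if (empty($session['admin_id'])) {
        return [401, 'login required'];
    }
    // 3. Network restriction on top of the session check, from $config['ADMIN_IPS'].
    if (!client_ip_allowed($config['ADMIN_IPS'] ?? [], $server['REMOTE_ADDR'] ?? '')) {
        return [403, 'admin access not permitted from this address'];
    }
    // 4. Per-session token so a logged-in admin cannot be made to submit this by a third party.
    if (!isset($post['csrf'], $session['csrf']) || !hash_equals($session['csrf'], $post['csrf'])) {
        return [403, 'bad csrf token'];
    }
    // 5. Sanitize and validate inputs before they reach the user store.
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!valid_username($username) || strlen($password) < 12) {
        return [400, 'invalid username or password'];
    }
    $insert_user($username, password_hash($password, PASSWORD_DEFAULT), (int) $session['admin_id']);
    // Audit trail: who added whom, from where. This is what makes a later "WHO had access" answerable.
    error_log(sprintf('admin %d added user %s from %s', $session['admin_id'], $username, $server['REMOTE_ADDR']));
    return [200, 'user added'];
}

// Constructed in-memory store standing in for the database insert.
$users = [];
$insert = function (string $name, string $hash, int $by) use (&$users): void {
    $users[$name] = ['hash' => $hash, 'added_by' => $by];
};

// A request shaped like the one quoted in the thread: GET, no session. Rejected at step 1.
[$status, $msg] = handle_add_user(
    ['REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '198.51.100.7'],
    [],
    ['username' => 'frank1', 'password' => 'whatever'],
    $config,
    $insert
);
echo "$status $msg\n";   // 405 method not allowed

// A legitimate admin request from an allowed address with a matching token. Accepted.
$session = ['admin_id' => 1, 'csrf' => bin2hex(random_bytes(16))];
[$status, $msg] = handle_add_user(
    ['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '192.0.2.10'],
    $session,
    ['username' => 'frank1', 'password' => 'correct-horse-battery', 'csrf' => $session['csrf']],
    $config,
    $insert
);
echo "$status $msg\n";   // 200 user added
echo isset($users['frank1']) ? "stored\n" : "not stored\n";
```

The order of the checks matters for the forensic question the post raises: because the method, session and IP checks run before anything touches the user table, a backup of the config and the web server access log together show whether an add-user request could have succeeded without an authenticated admin, which is exactly the distinction between "someone had access" and "the software let anyone in".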