Graal Forums

Graal Forums (https://forums.graalonline.com/forums/index.php)
-   Graal Main Forum (English) (https://forums.graalonline.com/forums/forumdisplay.php?f=4)
-   -   Forums Problems (https://forums.graalonline.com/forums/showthread.php?t=52383)

MagicalTux 04-26-2004 01:31 PM

Yup, I noticed the AOL proxies were banned.

I unbanned them but we'll make a help page on the "Access denied" page to explain how to get rid of the AOL or any other ISP caches.

Darlene159 04-26-2004 01:38 PM

Quote:

Originally Posted by Loriel
I saw the link.
It led to a script that was clearly distinct from showthread.php.
It contained no threadid.
It more or less clearly had an incomplete html tag.

Does not look really valid to me.
Yah, of course the problem is the buggy forums code, but the password was stolen nevertheless.

You know, Loriel...not everyone can read html, or code, or script like you can. I made a mistake, end of story...
Most of the time, I can tell....and I have never had anything like this happen before, and it never will again because I will click on no links whatsoever
Quote:

Originally Posted by MagicalTux
Yup, I noticed the AOL proxies were banned.

I unbanned them but we'll make a help page on the "Access denied" page to explain how to get rid of the AOL or any other ISP caches.

Good idea, maybe I will quit getting a million AIM messages about it ^^

VeX_RaT_Boy 04-26-2004 01:50 PM

Quote:

Originally Posted by MagicalTux
Oh you noticed it ?
I coded that because I noticed all attacks were done from proxies or webcaches. Now it will be harder to use them ;)

Hehe, yes. I was on this old computer where a proxy was set. I removed it though.
EDIT: Was the graal user database (not just forum, but the game) restored too? It went back to my old password o.O

MagicalTux 04-26-2004 02:34 PM

VeX_RaT_Boy you must have received an email about your password in that case :p

MT

VeX_RaT_Boy 04-26-2004 02:42 PM

Quote:

Originally Posted by MagicalTux
VeX_RaT_Boy you must have received an email about your password in that case :p

MT

I changed my password Wednesday (21 April), and it had worked till now, because now I had to use the old one again (the one I had before 21 April)..

I don't know why o.O

Darlene159 04-26-2004 04:08 PM

Quote:

Originally Posted by VeX_RaT_Boy
I changed my password Wednesday (21 April), and it had worked till now, because now I had to use the old one again (the one I had before 21 April)..

I don't know why o.O

Unixmad told me there was a problem with the database, I had the same problem...just go change it again ;)

Kristi 04-26-2004 04:58 PM

My guess (pretty much confirmed by moonie's post) is XSS exploits. With vBulletin 3 came increased support for cross site scripting, which (exploits have been around for a long time) lets you easily take cookies.

A well crafted pm/thread does not even need you to click a link to steal your session (and since vBulletin sessions are permanent, it's pretty deadly)

I'm not aware of a release to fix it, or any automatic way to disable the XSS, I suggest downgrading the forum personally =p

Disable html everywhere on the forum for starters. (I believe this has been done)

The bad news for us "non moderators" is many of us have our graal passwords set as our forums passwords... yeah...

http://www.securityfocus.com/bid/9943 is an example, there are many.

*edit
okay after reading around, I see it was Angel's pass stolen... Protect the forums against the above anyway =p

MagicalTux 04-26-2004 05:01 PM

Kristi, the XSS problem was on the old forums (where Moonie got her password stolen).

Now we're using version 3.0.1 of vBulletin. I tested the XSS you mentioned and this version is not vulnerable to this.

Also the people are getting a hash of the password, and not the password. They can login to the forum with that but they still have no idea of what the password is.

Kristi 04-26-2004 05:04 PM

Quote:

Originally Posted by MagicalTux
Kristi, the XSS problem was on the old forums (where Moonie got her password stolen).

Now we're using version 3.0.1 of vBulletin. I tested the XSS you mentioned and this version is not vulnerable to this.

Also the people are getting a hash of the password, and not the password. They can login to the forum with that but they still have no idea of what the password is.

*high five*
Well then it's all good (ps: I realized and put an edit)

I didn't know 3.0.1 wasn't vulnerable to it, I'll have to toy around later and see what I can find in 3.0.1

MagicalTux 04-26-2004 05:05 PM

If you find anything, PM it to me. I'll fix it so everyone will be secure ;)

Kristi 04-26-2004 05:07 PM

Quote:

Originally Posted by MagicalTux
If you find anything, PM it to me. I'll fix it so everyone will be secure ;)

Okie dokie
oh, and the hash can be matched, it just takes a lot of time (how often do we update our passwords though ::ahem::)

The moderators and administrators should have a password policy, I do not believe one is set up yet =p

Darlene159 04-26-2004 06:10 PM

Quote:

Originally Posted by MagicalTux
Also the people are getting a hash of the password, and not the password. They can login to the forum with that but they still have no idea of what the password is.

Thank you for explaining that, I was having a hard time >_<
Quote:

The moderators and administrators should have a password policy, I do not believe one is set up yet =p
I try to change my game password about once a month (though I have been lazy lately). Unfortunately, stupid as it sounds, I didn't know I could change my password on the forums :\
I totally agree, it should be mandatory for admins and mods to change their passwords frequently, both on the forums and in game, and I am going to change them often from now on, you can bet money on that... x_x

Lance 04-26-2004 07:18 PM

Quote:

Originally Posted by Darlene159
Thank you for explaining that, I was having a hard time >_<

I try to change my game password about once a month (though I have been lazy lately). Unfortunately, stupid as it sounds, I didn't know I could change my password on the forums :\
I totally agree, it should be mandatory for admins and mods to change their passwords frequently, both on the forums and in game, and I am going to change them often from now on, you can bet money on that... x_x

Hoy, supermod.

thesaiyan 04-26-2004 08:40 PM

Haha at Tseng's post.

Anyways I began to be worried a little bit. Said I was banned from the forums so I decided to see if IE would work and it does. I'll mess with the AOL cache thing later. Good to see them back and that MT was able to fix everything.

Loriel 04-27-2004 12:05 AM

Quote:

Originally Posted by Darlene159
I totally agree, it should be mandatory for admins and mods to change their passwords frequently, both on the forums and in game, and I am going to change them often from now on, you can bet money on that... x_x

I have had an old password for about two years or so, I never had any problems... I think the problem is less the frequency with which you change your password but what other things you do or do not.

ETD 04-27-2004 12:58 AM

Quote:

Originally Posted by Darlene159
I totally agree, it should be mandatory for admins and mods to change their passwords frequently, both on the forums and in game, and I am going to change them often from now on, you can bet money on that... x_x

what does changing your password a lot do? o.o it only takes a few mins for someone who has your pass to mess everything up on the forums... I don't see how changing the password every month, or even every week would solve anything...

Tyhm 04-27-2004 01:33 AM

That's a fair point: Only thing it really helps against is bruteforcers, people who got your encrypted password a long time ago and eventually figured out how to decrypt it.

Another semirelated tangent, or tangentially related semi?: I've never agreed with the theory that you must never write down your password. On a local network it's very much true; if I had a dime for every guidance counsellor who wrote her password on a sticky note ON HER MONITOR and left kids unattended within 3 feet of the system to change their own grades, I could retire...but on Graal, if you wrote your password in your diary, not gonna matter much to a script kiddy in Australia. That's in no way a blanket recommendation; if you've got a little brother whose best friend idolizes Pachuka, might not be the wisest thing to write it down and leave it out, but I'd personally rather people change their passwords every few months and write it down until it's memorized.

Kristi 04-27-2004 03:40 AM

Quote:

Originally Posted by Tyhm
That's a fair point: Only thing it really helps against is bruteforcers, people who got your encrypted password a long time ago and eventually figured out how to decrypt it.

Another semirelated tangent, or tangentially related semi?: I've never agreed with the theory that you must never write down your password. On a local network it's very much true; if I had a dime for every guidance counsellor who wrote her password on a sticky note ON HER MONITOR and left kids unattended within 3 feet of the system to change their own grades, I could retire...but on Graal, if you wrote your password in your diary, not gonna matter much to a script kiddy in Australia. That's in no way a blanket recommendation; if you've got a little brother whose best friend idolizes Pachuka, might not be the wisest thing to write it down and leave it out, but I'd personally rather people change their passwords every few months and write it down until it's memorized.

That was the point, the hash is stolen through a cookie, and no it's not just brute force, you can use cryptology, which is faster. For many of us the password on the forum is the same as our account, so you, as administrators, should have it different, and probably change so often.

MagicalTux 04-27-2004 07:09 AM

Quote:

Originally Posted by Kristi
That was the point, the hash is stolen through a cookie, and no it's not just brute force, you can use cryptology, which is faster. For many of us the password on the forum is the same as our account, so you, as administrators, should have it different, and probably change so often.

The data in the cookie is using one-way encryption. There is no formula to get back the original password.

The only way is to try all combinations until you find the good one. It usually takes one or two months.

People will first try dictionaries. Searching for common words. After they will try simple combinations.

Use a password with random symbols, such as d8@m^x!v\a . Bruteforcers will need a lot of time to find it. Change it every month, and they won't be able to find it before you change it.

But the best way: always be careful, and don't open weird links (always look at the status bar of your browser to see the real link target).

EDIT: Note that trying dictionaries or bruteforcing against the forum won't work. You probably noticed, you only have 5 tries to login.

EDIT2: Registrations are now fixed. You can register again to the forum if you have a gold/vip account.

busyrobot 04-27-2004 08:43 AM

Well, hijacking a session in progress is not a good thing, if that is what the cookie hash stealing allows. You can do a lot of damage in one session.

If I read that right, it may be best to flag the IP (or maybe limited range) in use when the user first logged in and entered username and pass to generate the hash, and if that hash is attempted from a different IP, force them to log in, which would flag whatever new IP is now in use. If they fail an IP check while the same session is in use on a good IP at the very same time (A, then B, then A, then B, try to use the session), then send a reverse ionic nutreno pulse back through the connection to the attacker and blow out his plasma conduits.

That would allow you to log in from anywhere, on any ISP, and at worst would mean that the 'stay logged in' feature would cop out now and then if you are connecting again with a different IP.

Also, if you are worried about staff using same pass for GK as forums, when you set password, you could run a php app to connect to the server list and test the username and pass, if it is same, reject the new password set attempt.

Still, if restricted IP ranges were simply set up for mod/supermod accts, that would solve 99% of the threat, though anyone could steal a normal fellow's acct and post 'POOPY HORSE' all over or some dumb thing, as it seems people will spend the time to do.

Tyhm 04-27-2004 09:06 AM

That's a really good idea; at least for the admins, but I figure the admins should have a locked range anyway. But for the players, for it to ask another login when your IP range changes completely on the same "session"?

Me, I get logged out every five minutes or so, which is odd but I suppose a blessing.

My only concern is the poor buggers on dialup who connect, sign in, then their IP changes when they have to reconnect so they have to sign in again...but mods, supermods, and admins alike should have a locked range. Maybe have it configured so the admin can approve of a new range (Class C) every time a mod or supermod tries any action more dangerous than a normal post; that way when Valder tries to delete a post from his gramma's house, he can talk to me and I can say Okay, Valder's gramma's house is now part of the range. But when Minoc's account gets stolen (please don't tell me they couldn't possibly steal another mod's account, something always comes up over infinite time) and he tries to delete everything from Australia, he can't without an admin's Ok.

In such an eventuality, we'd need every mod to have a confirmation code which is never entered and known only to them and the admins...

Darlene159 04-27-2004 12:24 PM

Quote:

Originally Posted by Loriel
I have had an old password for about two years or so, I never had any problems... I think the problem is less the frequency with which you change your password but what other things you do or do not.

Well, I had had my forum password ever since I started playing Graal, never changed it. I agree it is harder for a person to get your password if you don't click on anything you shouldn't and your computer is well protected against viruses, but it's better to be safe than sorry and change the password every month or so I think.

WanDaMan 04-27-2004 12:34 PM

angel probably got it stolen by trusting someone to send her something, in time you'll do the same. !splash did it to me ^^

Kristi 04-27-2004 04:26 PM

Oy vey oy vey magicaltux

If the hash is stolen you don't need to brute the forum, just offline. You already have the hash

As for information on cryptology
http://www.hackfaq.org/cryptology/md5.shtml

Yay... you'd be surprised
Most likely people will not succeed fast enough, my concern isn't getting into the forum, it's the fact that through the forum the hash can be taken, then cracked to get my GRAAL password (since I, like many users, have the same password for both).

Angel 04-27-2004 08:01 PM

Quote:

Originally Posted by WanDaMan
angel probably got it stolen by trusting someone to send her something, in time you'll do the same. !splash did it to me ^^

Nah I don't accept files sent to me


Sadly I trusted IE and a Link ;) Anyway all is well apart from my AIM Screen names and if you need to contact me just use [email protected] or 178178315

Thanks

ETD 04-27-2004 08:34 PM

Quote:

Originally Posted by Angel
my AIM Screen names

I never see you on
:frown:
I have both on my buddy list...

busyrobot 04-27-2004 08:42 PM

Quote:

Originally Posted by Tyhm
My only concern is the poor buggers on dialup who connect, sign in, then their IP changes when they have to reconnect so they have to sign in again...

If the issue is a hash that is stolen by say, following a link, perhaps the best way is a rotating hash. When I have written user control systems, I usually check the username/password at log in, assign a randomized token (not really a hash as I generally used random char generators not tied to the password) and stored a copy both on the server and on the client as a cookie.

As the user views each page, the server compares the cookie token to the user's db token, and if they match, assigns a new randomized token to both the database and the browser.

If you follow an evil link and have the token stolen, it is invalid the very next link you click in the forums. If a person steals your hash and uses it before you view another forum page, you'll be forced to relogin (and it could easily tell you it's for an invalid security token, alerting you that someone may be trying to hijack your session). Once you go to login again, it is not comparing the tokens at all - just username and password, and generating a fresh token - thus invalidating the hijacker's session immediately.

The down side is that if you are on a page that crashes before it tries to produce the HTML headers and after the new token is generated and stored in the database, the new cookie is never set, the database and client are out of sync, and you are forced to log in again.

I guess if you really got into it, you could store 'prev Token' on the server too, and if the current token failed, but it matched the prev token, AND the IPs matched, you could prevent the logout on that sort of crash, if it was really worth it (not that pages crash that often I would hope).


Secondary question:
This 'steal your cookie by an evil link' thing - does that use special browser HTML/JS/ETC or is it all serverside?

If it is serverside, then I would worry that any image in any sig could be used with a source="abc.pl" etc, and do the same thing silently, but I don't know the mechanics of this type of cookie stealing.
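A runnable sketch of the rotating-token scheme busyrobot describes in this and the earlier post (per-request token rotation, a one-shot "previous token" fallback gated on the IP that last received a token, and login wiping any existing session). This is an added example, not vBulletin code or busyrobot's; the user table, addresses and cookie layout are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed user table for the example. A real forum would compare against
# a salted password hash; the plaintext stand-in keeps the session logic in focus.
USERS = {"alice": "correct horse"}


@dataclass
class Session:
    user: str
    token: str                 # token currently expected in the cookie
    prev_token: Optional[str]  # last token, accepted once, same IP only
    ip: str                    # address that received the current token


class SessionStore:
    """One 'stay logged in' session per user, re-keyed on every page view."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str, ip: str) -> Optional[str]:
        """Verify credentials, drop any existing session (this is what evicts a
        hijacker who got in first) and issue a fresh random token."""
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[user] = Session(user, token, None, ip)
        return token

    def validate(self, user: str, cookie_token: str, ip: str) -> Optional[str]:
        """Per-request check. Returns the next token to Set-Cookie, or None when
        the client must log in again (the session is dropped, so a stolen copy
        of the token dies with it)."""
        s = self._sessions.get(user)
        if s is None:
            return None
        if hmac.compare_digest(s.token, cookie_token):
            # Normal case: rotate, keeping the old token for the "page crashed
            # before the new cookie reached the client" case busyrobot mentions.
            s.prev_token, s.token, s.ip = s.token, secrets.token_urlsafe(32), ip
            return s.token
        if (s.prev_token is not None
                and hmac.compare_digest(s.prev_token, cookie_token)
                and s.ip == ip):
            # Same address retrying with the token it last presented: resync
            # instead of logging out. The grace token is consumed, not reusable.
            s.prev_token, s.token = None, secrets.token_urlsafe(32)
            return s.token
        # Unknown or replayed token from elsewhere: possible hijack, force relogin.
        del self._sessions[user]
        return None
```

If a hijacker uses the stolen token before the victim's next click, the victim's own next request fails the IP-gated fallback and forces a fresh login, which in turn discards the hijacker's session.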

GrowlZ1010 04-27-2004 09:07 PM

Quote:

Originally Posted by busyrobot
Secondary question:
This 'steal your cookie by an evil link' thing - does that use special browser HTML/JS/ETC or is it all serverside?

A known Internet Explorer bug (read: glaring security hole - still around in 5.5 with all the latest Windows Update patches, not sure about 6) allows you to steal cookies using simple JavaScript - all you'd need is for someone to visit a page laced with the deadly cookie-bewildering toxin and their cookies for ANY domain anywhere can be acquired. The exploit doesn't even need to be visible to the user - the script could be run in the background in a tiny IFRAME and the user would have no idea their cookies had been compromised. A serverside script is often used to record this acquired data, but I'm not aware of any major cross-browser exploits which operate on the serverside alone.

Whether or not this was the method used in this particular situation, I am uncertain. Of course, corrections or clarifications would be welcomed.

(first post in months! hooray!)

Tyhm 04-28-2004 04:33 AM

That's an excellent explanation of the problem. Thanks Growlz. ^^

Scott 04-28-2004 05:14 AM

Avatars and titles. Please?

Tyhm 04-28-2004 05:24 AM

Oh yeah, we do need to get that back too...^_^

Spark910 04-28-2004 03:03 PM

testing post, im sure I had an avatar...
do normal members not?

Loriel 04-28-2004 06:28 PM

Quote:

Originally Posted by GrowlZ1010
known Internet Explorer bug

So Firefox/Linux wins! Weeeh!

Kristi 04-28-2004 08:08 PM

Quote:

Originally Posted by Loriel
So Firefox/Linux wins! Weeeh!

Hence the reason it wasn't that bug, but an XSS one as I explained earlier, it's not browser specific =p

Tyhm 04-28-2004 08:33 PM

Quote:

Originally Posted by Spark910
testing post, im sure I had an avatar...
do normal members not?

We have 'em, just can't change 'em

GrowlZ1010 04-28-2004 08:51 PM

Quote:

Originally Posted by Kristi
Hence the reason it wasn't that bug, but an XSS one as I explained earlier, it's not browser specific =p

How very interesting. I suppose that the PHP $_REQUEST array (made up of all values sent by the user - ones sent in the URL, stuff POSTed by a form, and cookie data) was being used in these scripts instead of a specific global dealing with wherever the input should be coming from, allowing for falsified cookie or POSTed values to be passed along in the URL. Or, say, cookie-stealin' JavaScript. But that's just a semi-educated guess.

As I stated previously, corrections and clarifications are always good. Instead of knowing only about the cookie vulnerability which was actually used, we now know about two! And knowing more is usually better than knowing less. :)

(However, I'll agree with Loriel's point just because it's dangably valid. Hooray for Firefox!)

bo0ey 04-28-2004 09:26 PM

Uh oh, I guess I am screwed, all my passwords are ********.

Dach 04-28-2004 09:41 PM

Quote:

Originally Posted by bo0ey
Uh oh, I guess I am screwed, all my passwords are ********.

OMG YOU STOLE MY PASSWORD!!

Hmm, yeah, I'd guess this is already known, but sometimes attachments point me to the wrong address :eek:

ETD 04-28-2004 10:55 PM

Quote:

Originally Posted by Dach
Hmm, yeah, I'd guess this is already known, but sometimes attachments point me to the wrong address :eek:

Try refreshing?
(Donald found that out)

Dach 04-29-2004 03:08 AM

Nah, didn't work, actually it was your post in the wallpaper thread :eek:
Hmm, someone tell me if this link is the chainsaw smilie or ETD's desktop, I'm just curious if the page is loading incorrectly for me, or if the link is directing me wrong somehow
http://forums.graal2001.com/forums/a...chmentid=28110

