Hacking attempt while calling latest-news.js #3766

Closed
albertlast opened this Issue Dec 31, 2016 · 36 comments

9 participants
@albertlast
Collaborator

albertlast commented Dec 31, 2016

I was trying to run all scheduled tasks to see what happens,
and noticed that the process runs endlessly.
After long debugging I found out that admin_info_files creates the issue, specifically by calling this URL:
http://www.simplemachines.org/smf/latest-news.js?language=english&format=%25b+%25d%2C+%25Y%2C+%25I%3A%25M+%25p
The included ; are then trapped in:
https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Subs-Db-postgresql.php#L441
https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Subs-Db-mysqli.php#L482
This creates an error; the error includes the entry of this query again and creates another error, etc.

So in my eyes this is no DB issue.

@Yoshi2889
Contributor

Yoshi2889 commented Dec 31, 2016

I don't understand, do you mean that if the data is gathered from the database it doesn't get loaded properly? What does this have to do with a hacking attempt?

@albertlast
Collaborator

albertlast commented Dec 31, 2016

The problem is that we gather JS from an unsafe place (http),
save this code in the database and
run this JS on the admin page.
Many things are wrong here...

@Yoshi2889
Contributor

Yoshi2889 commented Dec 31, 2016

[12:08] <albertlast> smf pull the data: http://www.simplemachines.org/smf/latest-news.js?language=english&format=%25b+%25d%2C+%25Y%2C+%25I%3A%25M+%25p and insert them into db
[12:08] <albertlast> in the data is js code with ;
[12:08] <albertlast> and this notice the database layer as hacking attempt
[12:08] <NanoSector> why do we even store JS code in the database
[12:09] <albertlast> this is the point where i cry
[12:09] <NanoSector> if we store it, at least encode it with base64 or something before storing it
[12:09] <NanoSector> then decode it when you want to use it
[12:09] <albertlast> we pull js from an unsafe place (http) and store them in database and let them run on admin page
[12:10] <NanoSector> yes
[12:11] <NanoSector> albertlast: we should probably use JSON to store these things
[12:11] <NanoSector> or just use a text field for the announcement
[12:12] <albertlast> i'm fine with everything better than this...

EDIT: I give up, Markdown is shit. Period.

live627 edit: fixed.

@jdarwood007
Member

jdarwood007 commented Dec 31, 2016

We are working on resolving https for the site. Some stuff is holding this back.

I wanted to move to using JSON as well for 2.1 to pull from latest-* files. I haven't got around to making that happen yet, but if we decide that is what we want to do, we can change up the format.

@Yoshi2889
Contributor

Yoshi2889 commented Dec 31, 2016

JSON would be the better option. Have a parameter to the file to pass your current version. It could return an empty object if no patch is available, or a JSON object with stuff like checksum, download URL and a short announcement if there is. Then we can either store the whole object, base64-encode it, or store it in parts.

@albertlast
Collaborator

albertlast commented Dec 31, 2016

Why not use github for such infos?
Github got https and got logs..

@illori
Contributor

illori commented Jan 2, 2017

Other software projects have had hacks because of GitHub accounts being hacked that are used to host files like this. I don't think the risk is worth it.

@Yoshi2889
Contributor

Yoshi2889 commented Jan 2, 2017

@albertlast
Collaborator

albertlast commented Jan 2, 2017

And I believe that can happen on smf.org too.
On GitHub changes are logged;
I'm not sure if smf logs everything and no one is able to delete these logs.

@illori
Contributor

illori commented Jan 2, 2017

@Yoshi2889
Contributor

Yoshi2889 commented Jan 2, 2017

@live627
Contributor

live627 commented Jan 3, 2017

All accounts with push access are required to use 2fa

> EDIT: I give up, Markdown is shit. Period.

(I fixed that)

> Why not use github for such infos?

+1

@colinschoen
Member

colinschoen commented Jan 3, 2017

Agreed, I have quite a bit of trust in Github's security considering the size and nature of the organization and their work.

@illori
Contributor

illori commented Jan 3, 2017

I am still not sold on it being on GitHub, as that means it can be updated too easily and without any review. These files don't need to be updated that frequently in the first place. If this were to be changed, IMO it should be suggested to the team for feedback.

@live627
Contributor

live627 commented Jan 4, 2017

> it can be updated too easily and without any review

wow, just wow.

/me unsubs from this thread

@jdarwood007
Member

jdarwood007 commented Jan 4, 2017

No matter where the data is hosted, there is always a risk of hacking issues, whether on GitHub or on SimpleMachines.org. On GitHub we can control who can push files to update the latest-*.js files. On our website we limit who has access to update this information as well, via other methods than what GitHub does.

Pushing a fake release is entirely possible if somebody knows how. Off the top of my head, PuTTY had their software infected and released to users. Notepad++ had their site hacked and a bad release pushed.

So you need to pick your battle of where you want to do damage control when (not if) such a thing were to happen.

Oh, and if you think GitHub is secure, they had an issue where they revealed private repositories recently. https://github.com/blog/2273-incident-report-inadvertent-private-repository-disclosure

@Yoshi2889
Contributor

Yoshi2889 commented Jan 5, 2017

@NegativeIQ

NegativeIQ commented Aug 12, 2017

Maybe I'm a bit late to the party since 2.1 RC is close, but here are my two cents.

As far as I can see, the news is just new releases... so why not use the GitHub API for that? https://api.github.com/repos/SimpleMachines/SMF2.1/releases
https://api.github.com/repos/SimpleMachines/SMF2.1/releases/latest

Note: latest release does not work on the SMF2.1 repo atm, as there is no true release, only a pre-release.

Here is an example for the rainmeter repository, all releases and only the latest release.

@Arantor
Contributor

Arantor commented Aug 23, 2017

The problem with just changing this endpoint is that you have to deal with not breaking all existing 2.0 installations that still hit that same point.

The fact that the time format is thrown into the URL for little good reason is another matter entirely.

@albertlast
Collaborator

albertlast commented Aug 24, 2017

Well, you could create a new endpoint,
so that the existing solution takes the old one and
the newer version takes the new endpoint.

@Arantor
Contributor

Arantor commented Aug 24, 2017

That would be best, yes, and have it serve up just JSON. You'd still want it cached and retrieved only once a day like the current setup is, but yeah.

@albertlast
Collaborator

albertlast commented Sep 23, 2017

I'm closing the issue because it's a combined issue of smf.org and SMF 2.1, and as long as smf.org provides no new API we can't fix it on the SMF 2.1 side.

@albertlast albertlast closed this Sep 23, 2017

@jdarwood007
Member

jdarwood007 commented Sep 23, 2017

What's wrong on the sm.org side?

@albertlast
Collaborator

albertlast commented Sep 23, 2017

There is no API which provides us the data in a safe format.
When you ask what is not safe,
mostly written down here already: there is program (JavaScript) code in the API.

@jdarwood007
Member

jdarwood007 commented Sep 23, 2017

We can move it to a different format for 2.1 and above. Every SMF release always sends the version info in the query string, so it isn't difficult to handle at all.

Are we wanting to do a json format instead?

I should note I wanted to do a change for 2.1 on how we handled those files retrieved from our servers.

@albertlast
Collaborator

albertlast commented Sep 23, 2017

When you ask me: yes.
I don't want JavaScript code which came from "outside" to run on the admin panel (so the active user could be an admin).

@jdarwood007
Member

jdarwood007 commented Sep 23, 2017

Without creating another file the only way to do this would be to have the json array containing everything in a multi-dimensional array.

@albertlast
Collaborator

albertlast commented Sep 24, 2017

For me it is important that the JSON array contains no program logic/JavaScript code.

@jdarwood007
Member

jdarwood007 commented Sep 24, 2017

I think something like this for Latest-news.js, which would most likely be changed to .json.

```php
// Placeholders written as #...# are to be filled in by the server.
$array = array(
	'announcements' => array(
		array(
			'subject' => '#SUBJECT#',
			'href' => '#HREF#',
			'time' => '#TIME FORMATTED FROM INPUT FORMAT#',
			'author' => '#AUTHOR#',
			'message' => '#MESSAGE#',
		),
		# REPEATS ANNOUNCEMENTS LIMITED TO 15
	),
	'updates' => array(
		array(
			'version' => 'SMF 2.0',
			'operator' => '<',
			'message' => 'SMF 2.0 Final has now been released. To take advantage of the improvements available in SMF 2.0 we recommend upgrading as soon as is practical.',
			'critical' => false,
			'package' => null,
		),
		array(
			'version' => 'SMF 1.0.4',
			'operator' => '==',
			'message' => null,
			'critical' => false,
			'package' => 'http://custom.simplemachines.org/mods/downloads/smf_1-0-5_package.tar.gz',
		),
		# REPEATS FOR ALL PACKAGES FOR MATCHING "version" (IN BRANCH) IN URL OR CURRENT STABLE BRANCH
	),
);

echo json_encode($array);
```

All the others would have to change, but that is what I think would have to happen and then change the code in SMF.

@albertlast
Collaborator

albertlast commented Sep 24, 2017

What should be in the version number, the "SMF"? And in my eyes I don't like the different lengths, 2.0 vs 1.0.4 :)
I would like to see 'version' => '1.0.4' or 'version' => '2.0.0'
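Added example, not SMF project code and not posted by anyone in this thread: a client-side consumer of the JSON format jdarwood007 sketched above. It shows how the update rules ('version', 'operator', 'critical', 'package') and the announcements can be handled as data instead of as an executable latest-news.js, and how version strings are normalised to three components as albertlast asks for. The field names come from the proposal; the sample feed, the example.invalid link and the helper names are assumptions made for this example.

```javascript
// Added example, not SMF project code: read the proposed latest-news JSON
// purely as data, so nothing fetched from outside is ever executed on the
// admin page. The field names ("announcements", "updates", "version",
// "operator", "critical", "package") follow jdarwood007's proposal; the feed
// below is constructed for this example, and the "<b>" inside one message is
// there only to show that announcement text is escaped, never interpreted.
const SAMPLE_FEED = JSON.stringify({
  announcements: [
    {
      subject: "SMF 1.1.3",
      href: "https://www.simplemachines.org/community/index.php?topic=178757.0",
      time: "Jun 24, 2007, 09:52 PM",
      author: "Thantos",
      message: "A number of small bugs and a potential security issue have been discovered in SMF 1.1.2.",
    },
    {
      subject: "Constructed entry",
      href: "http://example.invalid/not-https",
      time: "Jan 01, 2017, 12:00 AM",
      author: "example",
      message: "Markup such as <b>this</b> must come out as literal text.",
    },
  ],
  updates: [
    { version: "2.0.0", operator: "<", critical: false, package: null,
      message: "SMF 2.0 Final has now been released." },
    { version: "1.0.4", operator: "==", critical: false, message: null,
      package: "http://custom.simplemachines.org/mods/downloads/smf_1-0-5_package.tar.gz" },
  ],
});

// Normalise "SMF 2.0", "2.0.0" or "smf 2.0 RC1" to three numeric components
// plus an optional pre-release tag ('2.0.0' rather than '2.0').
function normalizeVersion(raw) {
  const m = /^\s*(?:smf\s+)?(\d+(?:\.\d+)*)\s*(.*?)\s*$/i.exec(String(raw));
  if (!m) throw new Error(`unrecognised version string: ${raw}`);
  const parts = m[1].split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  return { parts, pre: m[2].toLowerCase() }; // pre === "" for a final release
}

// Returns -1, 0 or 1. A final release sorts after any pre-release of the same number.
function compareVersions(a, b) {
  const va = normalizeVersion(a), vb = normalizeVersion(b);
  const n = Math.max(va.parts.length, vb.parts.length);
  for (let i = 0; i < n; i++) {
    const d = (va.parts[i] || 0) - (vb.parts[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (va.pre === vb.pre) return 0;
  if (va.pre === "") return 1;
  if (vb.pre === "") return -1;
  return va.pre < vb.pre ? -1 : 1;
}

// The only comparisons the feed may ask for. An unknown operator is ignored,
// never evaluated: this replaces the if/else chain that lived in latest-news.js.
const OPERATORS = {
  "<": (c) => c < 0, "<=": (c) => c <= 0, "==": (c) => c === 0,
  ">=": (c) => c >= 0, ">": (c) => c > 0,
};

function parseFeed(text) {
  const feed = JSON.parse(text); // JSON.parse yields data only: no eval, no script
  if (!feed || typeof feed !== "object" ||
      !Array.isArray(feed.announcements) || !Array.isArray(feed.updates)) {
    throw new Error("malformed news feed");
  }
  return feed;
}

// Update entries whose rule matches the installed version, e.g. "SMF 1.0.4".
function applicableUpdates(feed, installedVersion) {
  return feed.updates.filter((u) => {
    const test = OPERATORS[u.operator];
    if (!test || typeof u.version !== "string") return false;
    return test(compareVersions(installedVersion, u.version));
  });
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[ch]));
}

// Render at most 15 announcements as escaped HTML; links are kept only over https.
function renderAnnouncementsHtml(feed) {
  return feed.announcements.slice(0, 15).map((a) => {
    const href = /^https:\/\//i.test(String(a.href)) ? escapeHtml(a.href) : null;
    const title = href ? `<a href="${href}">${escapeHtml(a.subject)}</a>` : escapeHtml(a.subject);
    return `<li>${title} (${escapeHtml(a.time)}, ${escapeHtml(a.author)}): ${escapeHtml(a.message)}</li>`;
  }).join("\n");
}
```

The `OPERATORS` table is the whole of the logic the feed is allowed to trigger; any other operator string the server might send is dropped rather than evaluated, which is the property albertlast asks for in this thread. Announcement text reaches the page only through `escapeHtml`, so the stored JSON can be treated as plain text in `admin_info_files` and nothing in it is ever run as script.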

@albertlast albertlast reopened this Sep 24, 2017

@jdarwood007
Member

jdarwood007 commented Sep 24, 2017

I will look into it, but I don't know when I will get around to changing this.

@jdarwood007 jdarwood007 self-assigned this Sep 24, 2017

@jdarwood007 jdarwood007 added this to the RC 1 milestone Sep 24, 2017

@albertlast
Collaborator

albertlast commented Sep 28, 2017

I want to mention that because of this API,
my test installation failed.

The reason is that this kind of query is generated, which gets caught in the hacking-attempt trap,
coming from https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/ScheduledTasks.php#L1251:
update smf_admin_info_files set data = substring( %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s s new %s }, { subject: %s smf 1.1.3 %s , href: %s https://www.simplemachines.org/community/index.php?topic=178757.0 %s , time: %s jun 24, 2007, 09:52 pm %s , author: %s thantos %s , message: %s a number of small bugs and a potential security issue have been discovered in smf 1.1.2. we urge all forum administrators to upgrade to smf 1.1.3—simply visit the package manager to install the patch. %s }, { subject: %s smf 1.1.2 %s , href: %s https://www.simplemachines.org/community/index.php?topic=149553.0 %s , time: %s feb 11, 2007, 08:35 am %s , author: %s grudge %s , message: %s a patch has been released to address a number of outstanding bugs in smf 1.1.1, including several around utf-8 language support. in addition this patch offers improved image verification support and fixes a couple of low risk security related bugs. if you need any help upgrading please visit our forum. 
%s }, { subject: %s smf 1.1.1 %s , href: %s https://www.simplemachines.org/community/index.php?topic=134971.0 %s , time: %s dec 17, 2006, 09:33 am %s , author: %s grudge %s , message: %s a number of small bugs and a potential security issue have been discovered in smf 1.1. we urge all forum administrators to upgrade to smf 1.1.1 - simply visit the package manager to install the patch. %s }, { subject: %s smf 1.1 %s , href: %s https://www.simplemachines.org/community/index.php?topic=131008.0 %s , time: %s dec 02, 2006, 02:53 pm %s , author: %s grudge %s , message: %s smf 1.1 has gone gold! if you are using an older version, please upgrade as soon as possible - many things have been changed and fixed, and mods and packages will expect you to be using 1.1. if you need any help upgrading custom modifications to the new version, please feel free to ask us at our forum. %s } ]; if (window.smfversion < "smf 2.0") { window.smfupdatenotice = %s smf 2.0 final has now been released. to take advantage of the improvements available in smf 2.0 we recommend upgrading as soon as is practical. 
%s ; window.smfupdatecritical = false; } if (document.getelementbyid("yourversion")) { var yourversion = getinnerhtml(document.getelementbyid("yourversion")); if (yourversion == "smf 1.0.4") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_1-0-5_package.tar.gz"; else if (yourversion == "smf 1.0.5" || yourversion == "smf 1.0.6") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.7_1.1-rc2-1.tar.gz"; window.smfupdatecritical = false; } else if (yourversion == "smf 1.0.7") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_1-0-8_package.tar.gz"; else if (yourversion == "smf 1.0.8") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1-0-9_1-1-rc3-1.tar.gz"; else if (yourversion == "smf 1.0.9") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_1-0-10_patch.tar.gz"; else if (yourversion == "smf 1.0.10" || yourversion == "smf 1.1.2") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.3_1.0.11.tar.gz"; else if (yourversion == "smf 1.0.11" || yourversion == "smf 1.1.3" || yourversion == "smf 2.0 beta 1") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.12_1.1.4_2.0.b1.1.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.0.12" || yourversion == "smf 1.1.4" || yourversion == "smf 2.0 beta 3 public") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.13_1.1.5_2.0-b3.1.zip"; else if (yourversion == "smf 1.0.13" || yourversion == "smf 1.1.5") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.14_1.1.6.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.0.14" || yourversion == "smf 1.1.6") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.15_1.1.7.zip"; window.smfupdatecritical = 
true; } else if (yourversion == "smf 1.0.15" || yourversion == "smf 1.1.7") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.16_1.1.8.zip"; window.smfupdatecritical = false; } else if (yourversion == "smf 1.0.16" || yourversion == "smf 1.1.8" || yourversion == "smf 2.0 rc1") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.17_1.1.9_2.0-rc1-1.zip"; else if (yourversion == "smf 1.0.17" || yourversion == "smf 1.1.9" || yourversion == "smf 2.0 rc1-1") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.18_1.1.10-2.0-rc1.2.zip"; else if (yourversion == "smf 1.0.18" || yourversion == "smf 1.1.10") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.19_1.1.11.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.0.19" || yourversion == "smf 1.1.11") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.20_1.1.12.tar.gz"; } else if (yourversion == "smf 1.0.20" || yourversion == "smf 1.1.12") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.21_1.1.13.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.14") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.15.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.1.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.15" || yourversion == "smf 1.0.21") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.22_1.1.16.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.1") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.2.tar.gz"; window.smfupdatecritical = true; } else if 
(yourversion == "smf 1.1.16" || yourversion == "smf 1.0.22") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.23_1.1.17.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.17") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.18.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.2") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.3.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.3") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.4.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.4") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.5.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.18" || yourversion == "smf 2.0.5") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.19_2.0.6.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.19" || yourversion == "smf 2.0.8") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.20_2.0.9.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.20" || yourversion == "smf 2.0.9") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.21_2.0.10.zip"; else if (yourversion == "smf 2.0.10") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.11.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_1-1-1_patch.tar.gz"; else if (yourversion == "smf 1.1.1") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_1-1-2_patch.tar.gz"; else if (yourversion == "smf 2.0.11") { 
window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.12.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.12") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.13.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.13") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.14.tar.gz"; window.smfupdatecritical = true; } } if (document.getelementbyid( %s credits %s )) setinnerhtml(document.getelementbyid( %s credits %s ), getinnerhtml(document.getelementbyid( %s credits %s )).replace(/anyone we may have missed/, %s anyone we may have missed %s )); %s , 1, 65534) where id_file = 3

true; } else if (yourversion == "smf 1.0.15" || yourversion == "smf 1.1.7") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.16_1.1.8.zip"; window.smfupdatecritical = false; } else if (yourversion == "smf 1.0.16" || yourversion == "smf 1.1.8" || yourversion == "smf 2.0 rc1") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.17_1.1.9_2.0-rc1-1.zip"; else if (yourversion == "smf 1.0.17" || yourversion == "smf 1.1.9" || yourversion == "smf 2.0 rc1-1") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.18_1.1.10-2.0-rc1.2.zip"; else if (yourversion == "smf 1.0.18" || yourversion == "smf 1.1.10") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.19_1.1.11.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.0.19" || yourversion == "smf 1.1.11") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.20_1.1.12.tar.gz"; } else if (yourversion == "smf 1.0.20" || yourversion == "smf 1.1.12") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.21_1.1.13.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.14") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.15.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.1.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.15" || yourversion == "smf 1.0.21") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.22_1.1.16.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.1") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.2.tar.gz"; window.smfupdatecritical = true; } else if 
(yourversion == "smf 1.1.16" || yourversion == "smf 1.0.22") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.23_1.1.17.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.17") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.18.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.2") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.3.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.3") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.4.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.4") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.5.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.18" || yourversion == "smf 2.0.5") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.19_2.0.6.tar.gz"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.19" || yourversion == "smf 2.0.8") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.20_2.0.9.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1.20" || yourversion == "smf 2.0.9") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.21_2.0.10.zip"; else if (yourversion == "smf 2.0.10") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.11.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 1.1") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_1-1-1_patch.tar.gz"; else if (yourversion == "smf 1.1.1") window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_1-1-2_patch.tar.gz"; else if (yourversion == "smf 2.0.11") { 
window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.12.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.12") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.13.zip"; window.smfupdatecritical = true; } else if (yourversion == "smf 2.0.13") { window.smfupdatepackage = "http://custom.simplemachines.org/mods/downloads/smf_patch_2.0.14.tar.gz"; window.smfupdatecritical = true; } } if (document.getelementbyid( %s credits %s )) setinnerhtml(document.getelementbyid( %s credits %s ), getinnerhtml(document.getelementbyid( %s credits %s )).replace(/anyone we may have missed/, %s anyone we may have missed %s )); %s , 1, 65534) where id_file = 3

@jdarwood007

Member

jdarwood007 commented Sep 28, 2017

What is up with that query? That looks really wrong.

@albertlast

Collaborator

albertlast commented Sep 29, 2017

In my eyes the query is correct; the source (the API) is wrong.
The API provides JS code, and JS code means ";" is included; ";" -> hacking attempt.

@jdarwood007

Member

jdarwood007 commented Sep 29, 2017

All the %s make it seem weird right at the start. Not sure what is going on there.

@albertlast

Collaborator

albertlast commented Dec 17, 2017

So with my PR #441 I was able to run this job without breaking stuff.
But in my eyes a stricter API where no program code is included would be nice.

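The two points raised in the comments above (a ";" in the fetched JS trips the DB wrapper's hacking-attempt check, and a data-only feed format would avoid shipping program code at all) can be shown with a small Python example. This is added illustration, not SMF's code and not part of the thread: SMF's wrapper is PHP and its real check is not reproduced here. The table name admin_info_files, the id_file = 3 row and the 65534 truncation limit come from the logged query; the HackingAttempt class, the function names, the JSON feed layout and both sample feeds are constructed assumptions.

```python
import json
import sqlite3

MAX_DATA_LEN = 65534  # the SUBSTRING(..., 1, 65534) limit seen in the logged query

# Constructed sample of the JS-style feed: program code, so ';' is part of it.
JS_FEED = ('window.smfAnnouncements = [{ subject: "smf 1.1.3", '
           'time: "jun 24, 2007, 09:52 pm" }]; window.smfUpdateCritical = false;')

# Constructed sample of a data-only feed (the stricter API the thread asks for).
JSON_FEED = json.dumps({
    "announcements": [{
        "subject": "smf 1.1.3", "author": "thantos", "time": "jun 24, 2007, 09:52 pm",
        "href": "https://www.simplemachines.org/community/index.php?topic=178757.0",
        "message": "a potential security issue has been discovered; please upgrade.",
    }],
    "update_notice": "smf 2.0 final has now been released.",
    "update_critical": False,
})

class HackingAttempt(Exception):
    """Assumed name for the DB wrapper's rejection of a suspicious query."""

def check_query_template(template: str) -> None:
    """A ';' in SQL text hints at stacked statements, so the wrapper rejects it.
    Only meaningful on the template, before data is bound: bound data may
    legitimately contain ';' (JS code, prose) without being an injection."""
    if ";" in template:
        raise HackingAttempt("';' found in query text")

def open_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the admin_info_files table (id_file 3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_info_files (id_file INTEGER PRIMARY KEY, data TEXT)")
    conn.execute("INSERT INTO admin_info_files VALUES (3, '')")
    return conn

def store_naive(conn: sqlite3.Connection, data: str) -> None:
    """Broken pattern: substitute the data into the SQL text, then check the
    result.  A ';' inside the data now trips the check (the false positive
    reported in the thread) even though it is quoted and harmless."""
    sql = "UPDATE admin_info_files SET data = SUBSTR('%s', 1, %d) WHERE id_file = 3" % (
        data.replace("'", "''"), MAX_DATA_LEN)
    check_query_template(sql)
    conn.execute(sql)

UPDATE_TEMPLATE = "UPDATE admin_info_files SET data = SUBSTR(?, 1, ?) WHERE id_file = 3"

def store_bound(conn: sqlite3.Connection, data: str) -> None:
    """Correct pattern: check the template, then bind the data as a parameter.
    The data never becomes SQL text, so a ';' in it cannot end a statement."""
    check_query_template(UPDATE_TEMPLATE)
    conn.execute(UPDATE_TEMPLATE, (data, MAX_DATA_LEN))

def load_stored(conn: sqlite3.Connection) -> str:
    return conn.execute("SELECT data FROM admin_info_files WHERE id_file = 3").fetchone()[0]

ANNOUNCEMENT_KEYS = {"subject", "href", "time", "author", "message"}

def parse_news_feed(text: str) -> dict:
    """Strict parser for a data-only feed: JSON, fixed keys, string values, https
    links.  A JS program is rejected before it reaches the database or an admin
    page.  The feed layout is an assumption, not SMF's real format."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        raise ValueError("feed is not JSON data") from exc
    if not isinstance(doc, dict) or set(doc) != {"announcements", "update_notice", "update_critical"}:
        raise ValueError("unexpected top-level structure")
    if not isinstance(doc["update_notice"], str) or not isinstance(doc["update_critical"], bool):
        raise ValueError("update fields have the wrong type")
    if not isinstance(doc["announcements"], list):
        raise ValueError("announcements must be a list")
    for item in doc["announcements"]:
        if not isinstance(item, dict) or set(item) != ANNOUNCEMENT_KEYS:
            raise ValueError("announcement has unexpected keys")
        if not all(isinstance(v, str) for v in item.values()):
            raise ValueError("announcement fields must be strings")
        if not item["href"].startswith("https://"):
            raise ValueError("announcement link must use https")
    return doc

def demo() -> dict:
    """Runs each scenario and reports its outcome."""
    conn = open_db()
    out = {}
    try:
        store_naive(conn, JS_FEED)
        out["naive_flagged"] = False
    except HackingAttempt:
        out["naive_flagged"] = True
    store_bound(conn, JS_FEED)
    out["bound_roundtrip"] = load_stored(conn) == JS_FEED
    out["json_items"] = len(parse_news_feed(JSON_FEED)["announcements"])
    try:
        parse_news_feed(JS_FEED)
        out["js_rejected"] = False
    except ValueError:
        out["js_rejected"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the naive path flagging the JS feed as a hacking attempt while the bound path stores the very same string without complaint: the check belongs on the query text the application wrote, and what the remote API sent is only ever a bound value. The parser shows the second half of the request in the comment above: once the feed is data rather than code, nothing in it can be executed on the admin page, and anything that is not well-formed data is dropped before it is stored.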