A little while ago, I blogged about why I considered "full disclosure" to be a potentially damaging way of dealing with security issues that arise in internet software.
Yesterday saw a simple vulnerability in phpBB responsible for "hacking" over 40,000 websites. This so-called "Santy Worm" used a very simple exploit in the phpBB code to spread to other websites. Once a phpBB installation had been infected, it used a Google search to identify other exploitable phpBB installations and spread further.
The exploit itself is nothing too clever. A single urldecode() call, applied to request data after that data had already been escaped, let percent-encoded characters slip past the escaping step and reach PHP code that executed them. Usually this kind of vulnerability is fixed, a patch is issued and that is about as far as it goes. Even though the phpBB developers released a fix pretty quickly, its uptake was slow, which is what allowed the worm to do so much damage.
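To make the ordering bug concrete, here is a small PHP model of it. This is an added example written for this post, not phpBB's own source: the function names, the addslashes() stand-in for the escaping of that era and the sample inputs are all my assumptions.

```php
<?php
// Added example for this post: a minimal model of the "escape, then urldecode()"
// ordering bug. Illustrative code, not phpBB's own source.

// Stand-in (assumption) for the escaping PHP of that era applied to incoming
// request data: magic_quotes_gpc, i.e. addslashes() on every GET/POST value.
function escape_on_arrival(string $value): string
{
    return addslashes($value);
}

// Vulnerable ordering: urldecode() runs AFTER the escaping step, so any
// character the attacker percent-encodes is unwrapped only once the escaper
// can no longer see it. PHP has already decoded the query string once when
// filling $_GET, so an attacker sends %2527 on the wire to get %27 here.
function highlight_vulnerable(string $get_value): string
{
    $escaped = escape_on_arrival($get_value);
    return urldecode($escaped);
}

// Hardened ordering: decode first (if a second decode is needed at all), then
// reduce the value to an allow-list of characters a search term can contain,
// so quotes, parentheses and semicolons never reach later code paths.
function highlight_fixed(string $get_value): string
{
    $decoded = urldecode($get_value);
    return preg_replace('/[^\w ]+/', '', $decoded);
}

// Constructed inputs, as they would appear in $_GET['highlight'] (assumed name).
$plain_quote   = "term');phpinfo();//";                 // attacker did not encode
$encoded_quote = 'term%27%29%3Bphpinfo%28%29%3B%2F%2F'; // attacker double-encoded

foreach (['plain' => $plain_quote, 'encoded' => $encoded_quote] as $label => $input) {
    printf("%-8s vulnerable: %s\n", $label, highlight_vulnerable($input));
    printf("%-8s fixed:      %s\n", $label, highlight_fixed($input));
}
```

Run it with the PHP CLI. For the plain input the vulnerable path still returns the quote with a backslash in front of it, because addslashes() saw it; for the percent-encoded input the same path returns a bare quote, closing parenthesis and semicolons, because the escaper never saw them and the later urldecode() put them back. The hardened path returns only the word characters for both inputs. The general lesson is that any transformation that can reintroduce special characters (decoding, unescaping, normalisation) has to run before validation, never after it.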
This is quite a turn of events: any simple vulnerability in any piece of internet software can now be turned into something malicious that, in a matter of hours, defaces thousands of installations and leaves webmasters and software developers with quite a mess on their hands.
Google have said that they are going to do more to respond more quickly to this type of attack, but it's not really their fault. Nor is it the fault of the phpBB team. That is the problem: no one is to blame, and no single party can do much on its own to prevent this from happening again.
In the meantime, it might be an idea to remove the version number from the board copyright. Bear in mind that this only makes a board harder to find by searching for the version string; it does not fix the hole, so the patch still has to be applied.
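Hiding the version string makes a board harder to find; it does not stop an attempt once an attacker arrives. One check a webmaster can run over access logs, as an added example that is not part of the original post: because PHP decodes a query string once before filling $_GET, a request that depends on a second urldecode() inside the application has to arrive double-encoded, so after one decode the parameter still contains %XX sequences. The script below looks for that in the search-term highlight parameter of viewtopic.php (the parameter name is taken from phpBB 2.0.x, not from the post); the combined log format, the function names and the log lines themselves are my assumptions and constructed data.

```php
<?php
// Added example for this post: flag access-log entries whose phpBB "highlight"
// parameter is double-URL-encoded. Illustrative code, not phpBB's own.
// Reasoning: PHP decodes a query string once before filling $_GET. A request
// that relies on a second urldecode() inside the application therefore has to
// arrive double-encoded, so after one decode the value still contains %XX.

function extract_request_target(string $log_line): ?string
{
    // Assumed Apache/nginx combined format: ... "GET /path?query HTTP/1.1" ...
    if (preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $log_line, $m)) {
        return $m[1];
    }
    return null;
}

function is_double_encoded_highlight(string $target): bool
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    // parse_str() performs the single decode PHP does when building $_GET
    parse_str($query, $params);
    if (!isset($params['highlight']) || !is_string($params['highlight'])) {
        return false;
    }
    $once = $params['highlight'];
    // rawurldecode() unwraps only %XX sequences (it leaves '+' alone, so a
    // legitimate search for "C++" is not flagged). If a further decode changes
    // the value, the request carried bytes that only an application-level
    // urldecode() would ever unwrap.
    return rawurldecode($once) !== $once;
}

// Constructed sample log lines (not real traffic).
$log_lines = [
    '203.0.113.5 - - [21/Dec/2004:10:01:02 +0000] "GET /forum/viewtopic.php?t=12&highlight=firewall HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [21/Dec/2004:10:01:07 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527%2529%253Bphpinfo%2528%2529%253B%252F%252F HTTP/1.1" 200 6230 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [21/Dec/2004:10:02:11 +0000] "GET /forum/viewtopic.php?t=13&highlight=C%2B%2B HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
];

foreach ($log_lines as $line) {
    $target = extract_request_target($line);
    if ($target !== null && is_double_encoded_highlight($target)) {
        echo "SUSPICIOUS: $target\n";
    }
}
```

Only the second line is reported: after one decode its highlight value is `%27%29%3Bphpinfo%28%29%3B%2F%2F`, which a second decode turns into a quote, parentheses and semicolons. A genuine search term that happens to contain a literal percent-encoded sequence would trip the same check, so treat hits as a review queue rather than an automatic block, and pair the check with the upgrade rather than relying on it instead of one.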
> In the mean time, it might be an idea to remove
> the version number from the board copyright.
That was exactly what I first thought. In this case, if the phpBB forums didn’t have the version number published publicly, the worm would have had more difficulty finding vulnerable forums; or wouldn’t it?
aa.
Not a bad idea at all.
But for those of us who want to keep it…
Can you make it an image maybe? Something that changes with the version, skinnable…
Wait… that might be too easy to remove…
I want to keep it, but be safe.
Maybe there is some way for the google spiders to be disallowed to scan and copy that part?
There are several ways to obfuscate it. You could simply create an image, but unless you want the overhead of making it dynamic, it’ll have to be a static file which will need to be updated with each new release.
The other way of doing it is to randomize the characters and print some as ASCII entities making a direct match from Google difficult.
Personally, I don’t see the issue with removing the version number from the public facing side of the board.
Let’s face it, the actual number means nothing to the average site visitor.
It still would take time to update different parts of Google Cache and results.
So unless you were to start doing this all the time from the moment you install IPB, chances are you will still be able to find the exact number somewhere on Google.
It’s likely that as of IPB 2.1, the version number won’t be shown in the public facing side of the board.
It would be a good move. Any issues that may come up with 2.1 would be harder to exploit, and wouldn’t be in Google’s cache.
Granted, people shouldn’t consider this an easy way out of upgrading. You need to upgrade your version as soon as possible when security updates are released.
Removing the version numbers will hurt those listed as Tier 1 and Tier 2 resources and possibly even resellers depending on how you work that because when asking for help, people invariably forget to mention what version of IPB they are using. A profile field will not help because it is not kept up to date. This isn’t for people who do general feature support who pull money from your bank account, this is for those who deal in products based on your product like those that support their own skins running on IPB.
So if you remove it from the board copyright, it would be prudent to add an ipscheck system for the version. You wouldn’t want to do it in plain text because that is just as bad as putting it in the copyright. You could do a plain image but you can byte-check that easily for a person writing a virus. Why not generate an image using the GD security image code, shown when making an ipscheck? That would make everybody happy.
Good point. Nice solution.
lol, that is nasty.
Hiya Outlaw
I wonder if there is an IPB one that hasn’t been put out yet
Yea, I’d hate to see it go.
There must be SOME way that Google cannot cache it.
Matt, what about that “Bots” group idea that is in the Tips and Tricks area?
It could be an option on a group basis to show the version, and then the bots group could be set by default to no?
That would make no sense at all and be a waste of time.
Why not make a simple little graphic that shows the version number?
That’s easy to do, skinnable, removable and recognizable and “invisible” to bots…
And everybody’s happy…
I don’t think it will solve any problem. The worm can check for a page AND a board name, whatever the version is: if the board is safe its attack won’t succeed, otherwise it will succeed and infest it. So the version is not a problem, I think.
Really nice suggestion.
It should be implemented by all web designers and SEOs too…