Author Topic: FA admin account compromised (yet again)  (Read 17401 times)

yak

Re: FA admin account compromised (yet again)
« Reply #220 on: January 14, 2011, 02:45:46 am »
Yeah I know. It's being worked on. Every admin will probably have an @fa.net email address in the end and additional session security will be implemented for admin cp to prevent a leaked session/hijacked admin account from causing damage without going through the secondary authentication. For now basic auth will do, it'll be improved later.
Running online communities is like building a life size replica of the Eiffel tower with snakes.

Jim Demintia

Re: FA admin account compromised (yet again)
« Reply #221 on: January 14, 2011, 08:22:45 am »
Quote
Yeah I know. It's being worked on. Every admin will probably have an @fa.net email address in the end and additional session security will be implemented for admin cp to prevent a leaked session/hijacked admin account from causing damage without going through the secondary authentication. For now basic auth will do, it'll be improved later.

Since you're here, what about this:

Quote
the code probably still has as many holes as it did this time last month.
Confirming that FA is still completely vulnerable to the same attack that caused FAleaks.  It'd be slightly more complicated to pull off, but that's all.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

Re: FA admin account compromised (yet again)
« Reply #222 on: January 14, 2011, 02:45:59 pm »
Quote
Yeah I know. It's being worked on. Every admin will probably have an @fa.net email address in the end..

Quote
[12:29:42] <net-cat> Also, all the staff have @furaffinity.net email addresses. Some of us opt to not use it. It is not, as you say, a "paid privilege."

Will they be forced to use them or will they be allowed to "opt out" like net-cat says they can? Sounds to me like if they already all have them anyways, the easiest thing to do right now is to force them to use their FA email on their FA accounts. No exceptions. If someone has trouble checking a second email address every day then maybe their position on FA staff is too difficult for them as well.

ProvincialTwit

Re: FA admin account compromised (yet again)
« Reply #223 on: January 14, 2011, 05:28:32 pm »
They'll just pop them with whatever popular webmail service they prefer, leaving the whole thing just as open and insecure as ever.

Fiz

Re: FA admin account compromised (yet again)
« Reply #224 on: January 14, 2011, 06:56:36 pm »
pee

Pi

Re: FA admin account compromised (yet again)
« Reply #225 on: January 15, 2011, 10:17:46 am »
Quote
additional session security will be implemented for admin cp to prevent a leaked session/hijacked admin account from causing damage without going through the secondary authentication.
That's nice. How about protecting your users from XSS?
Quote
For now basic auth will do, it'll be improved later.
Will it, now. Do you realize that you just offered to put yet another band-aid fix on top of a band-aid fix that doesn't fully solve the problem?
« Last Edit: January 15, 2011, 07:11:28 pm by Pi »
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Ben

Re: FA admin account compromised (yet again)
« Reply #226 on: January 15, 2011, 02:40:45 pm »
Honestly Yak, I don't even get why you bother with FA anymore. The whole operation seems to be bugged on so many levels, that it just seems like a criminal waste of time to even bother with the site. This isn't to say you're completely free of liability here, but unlike Dragoneer, you can jump ship. What on earth is keeping you on the staff?

Eevee

Re: FA admin account compromised (yet again)
« Reply #227 on: January 15, 2011, 06:58:41 pm »
Quote
and additional session security will be implemented for admin cp to prevent a leaked session/hijacked admin account from causing damage without going through the secondary authentication. For now basic auth will do, it'll be improved later.

Will be implemented?  This attack was a month ago now; why isn't it long since implemented?  You still have plenty of other holes.  Stop taking this lightly.

By the way, I believe your basic auth can be trivially circumvented at least two ways—one obscure but simple, the other well-known but tricky.

Arche Kruz

Re: FA admin account compromised (yet again)
« Reply #228 on: January 16, 2011, 10:46:54 am »
Quote
Honestly Yak, I don't even get why you bother with FA anymore. The whole operation seems to be bugged on so many levels, that it just seems like a criminal waste of time to even bother with the site. This isn't to say you're completely free of liability here, but unlike Dragoneer, you can jump ship. What on earth is keeping you on the staff?

He wants all the laudations and the elevated community status while doing the least amount of work.

Fiz

Re: FA admin account compromised (yet again)
« Reply #229 on: January 16, 2011, 03:37:16 pm »
Quote
He wants all the laudations and the elevated community status while doing the least amount of work.

Naw, that's not Yak. He doesn't say enough of anything to warrant that. That is more of Dragoneer's thing.

Most of the tech staff on FA really keep quiet. For good reason, really. If they talked more, people would remember "Hey! The site has coders!".
pee

a pigeon

Re: FA admin account compromised (yet again)
« Reply #230 on: January 17, 2011, 04:47:17 pm »
http://www.furaffinity.net/system/sql.sys

http://pastebin.com/6XWucRUF

Someone posted that link on lulz.  Apparently one ought to block random requests to things like that and its credentials are bad.
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

Pi

Re: FA admin account compromised (yet again)
« Reply #231 on: January 17, 2011, 05:19:50 pm »
Code:
$sql->server   = '192.168.1.1';
$sql->user     = 'furaffinity';
$sql->password = 'kayWrolv~quoles6';

...
are these...
are these the fucking PRODUCTION CREDENTIALS? Holy jesus fuck, this shouldn't ever be anywhere near the web root. What in the fklasd;glkjsadlg
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Freehaven

Re: FA admin account compromised (yet again)
« Reply #232 on: January 17, 2011, 06:01:46 pm »
See, between this and the whole "We're redesigning the site, honest to God!" crap, I have no faith in Dragoneer to actually fix the site.

Pi

Re: FA admin account compromised (yet again)
« Reply #233 on: January 17, 2011, 06:22:16 pm »
Apparently /functions.sys is also sitting out there. These files just shouldn't be sitting around accessible to the whole world. What in the fuck are they smoking over there?
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Ben

Re: FA admin account compromised (yet again)
« Reply #234 on: January 17, 2011, 06:29:06 pm »
Could an explanation of the seriousness be explained for people who probably don't quite get it? It would probably be most helpful.

ProvincialTwit

Re: FA admin account compromised (yet again)
« Reply #235 on: January 17, 2011, 06:33:22 pm »
That's the username and password information that the website uses to read (and presumably write) data to the database.


Pi

Re: FA admin account compromised (yet again)
« Reply #236 on: January 17, 2011, 06:35:33 pm »
Quote
Could an explanation of the seriousness be explained for people who probably don't quite get it? It would probably be most helpful.
FA's database password is now a matter of public record. They left it in a publicly visible location. This is such an amateurish and shortsighted mistake that I am reduced to staring at my screen and frowning.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Freehaven

Re: FA admin account compromised (yet again)
« Reply #237 on: January 17, 2011, 06:38:29 pm »
Quote
FA's database password is now a matter of public record.

In before even more hacking.

loki

Re: FA admin account compromised (yet again)
« Reply #238 on: January 17, 2011, 06:54:58 pm »
Quote
Apparently /functions.sys is also sitting out there. These files just shouldn't be sitting around accessible to the whole world. What in the fuck are they smoking over there?

I like the SHA1 and MD5 hashes:

Code:
function _encrypt($string)
{
    // '$2a$07$' selects bcrypt (Blowfish crypt) at cost 7; the salt is a
    // constant built from a hard-coded string, so every password shares it.
    $first = crypt($string, '$2a$07$'.sha1('d67c5cbf5b01c9f91932e3b8def5e5f8').'$');
    $final = sha1($first);

    return $final;
}


//
// Part of the newer authentication system
//
//
function _password_hash($password, $salt)
{
    // Per-user $salt combined with a static salt that lives in the source file.
    $static_salt = md5('g>m$`w6;8+BL/(p7`dvn+$n2mtjU7}3`');
    return hash('whirlpool', $salt.md5($password).$static_salt);
}


I don't know much about how those PHP functions work but doesn't knowing the salt allow you to more easily brute force/dictionary attack those passwords?

Edit:

Looks like they exposed SQL tables in functions.sys as well. Hooray!

Code:
// $target_id and $comment_id are concatenated straight into the SQL string.
$query = 'INSERT INTO messagecenter_comments_submission VALUES ('.$target_id.', '.$comment_id.')';
$sql->query($query, 'send subm. comment notification', __FILE__);

Edit2:

More exposed files:

http://www.furaffinity.net/system/header.sys
http://www.furaffinity.net/system/end.sys

That hard-coded nesting function is still there too, unchanged:

Code:
function _nest($newnestid, $nestswitch, $rowid, $table='comments_submission')
...
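A defender's check for the problems the thread points at (PHP source with database credentials and a hard-coded salt being served as plain text from the web root, plus SQL built by string concatenation), as an added example that is not from the forum or from FA's code. The file names mirror the ones posted above; the contents and every value are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the file names in the thread; values are placeholders.
SAMPLE_WEBROOT = {
    "system/sql.sys": (
        "$sql->server   = '10.0.0.1';\n"
        "$sql->user     = 'dbuser';\n"
        "$sql->password = 'PLACEHOLDER-secret';\n"
    ),
    "system/functions.sys": (
        "function _password_hash($password, $salt)\n"
        "{\n"
        "    $static_salt = md5('PLACEHOLDER-static-salt');\n"
        "    return hash('whirlpool', $salt.md5($password).$static_salt);\n"
        "}\n"
        "$query = 'INSERT INTO t VALUES ('.$target_id.', '.$comment_id.')';\n"
    ),
    "index.php": "<?php require 'system/header.sys'; ?>\n",
}

EXECUTED_EXTENSIONS = {".php"}  # handed to the interpreter, never sent raw
PHP_CODE = re.compile(r"^\s*(\$\w+|function\s+\w+|<\?php)")
LINE_RULES = [
    ("credential-in-webroot", re.compile(r"\$\w+->(password|passwd|pass)\s*=\s*['\"]")),
    ("hard-coded-salt", re.compile(r"\$static_salt\s*=\s*md5\(")),
    ("sql-string-concat", re.compile(r"\b(INSERT|UPDATE|DELETE|SELECT)\b.*'\s*\.\s*\$\w+")),
]

@dataclass(frozen=True)
class Finding:
    path: str
    line: int  # 0 means the finding is about the file as a whole
    rule: str

def audit_webroot(files):
    """files: {path relative to the web root: text}. Returns findings in file order."""
    findings = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        lines = text.splitlines()
        # PHP code in a file the server does not execute is sent as plain text to anyone asking.
        if ext not in EXECUTED_EXTENSIONS and any(PHP_CODE.match(l) for l in lines):
            findings.append(Finding(path, 0, "source-served-verbatim"))
        for lineno, line in enumerate(lines, 1):
            for rule, pattern in LINE_RULES:
                if pattern.search(line):
                    findings.append(Finding(path, lineno, rule))
    return findings
```

Run it against a real document root by reading each file into the dict; anything it reports under a non-executed extension is readable by any visitor.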

Jim Demintia

Re: FA admin account compromised (yet again)
« Reply #239 on: January 17, 2011, 07:13:12 pm »
Between this, the money issues, and, well, everything else I'd say their days are numbered but that goddamn site is unkillable. Dragoneer will somehow stumble through this, I'm sure.

That and if they really were about to go offline due to lack of funds some dumb white trash furfag would offer up their tax refund or something. They'll never face a financial apocalypse.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name