Integramod security

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

Integramod security

PostAuthor: florida4x4 » Tue Aug 29, 2006 2:54 pm

Well I don't know that this is the exact proper forum to discuss this but the recent hack allowed a remote user to completely own my system. I played with the tool they were using and it was bad. Beyond bad. So it raises the question should I move my site to another brand of software? I mean the update to 1.4.1 has taken soooo long and now this hack. It's like getting your head torn off and someone sh*tting down your neck. I know the folks who work on this software have put a lot of effort into it and it is open source (if it breaks you get to keep both pieces). I guess I'm just a little surprised at how easily a small omission can turn into a big, major problem. I host other sites on this server and they were all defaced. One entire subdirectory was deleted along with /var/log.

So should I stay with IntegraMOD? Am I overreacting? What kind of programming quality should I expect from this project? I like the way it looks anyway... Maybe I should just move the BBS stuff on to a dedicated machine that is labeled expendable.... sigh.

Re: Integramod security

PostAuthor: evolver » Tue Aug 29, 2006 4:15 pm

florida4x4 wrote:
> Well I don't know that this is the exact proper forum to discuss this but the recent hack allowed a remote user to completely own my system. I played with the tool they were using and it was bad. Beyond bad. So it raises the question should I move my site to another brand of software? I mean the update to 1.4.1 has taken soooo long and now this hack. It's like getting your head torn off and someone sh*tting down your neck. I know the folks who work on this software have put a lot of effort into it and it is open source (if it breaks you get to keep both pieces). I guess I'm just a little surprised at how easily a small omission can turn into a big, major problem. I host other sites on this server and they were all defaced. One entire subdirectory was deleted along with /var/log.
>
> So should I stay with IntegraMOD? Am I overreacting? What kind of programming quality should I expect from this project? I like the way it looks anyway... Maybe I should just move the BBS stuff on to a dedicated machine that is labeled expendable.... sigh.

It is true that things like this make us all think more seriously about security...
That is the one good thing that comes after such critical moments.

But integraMOD is not the only one...
And I would even say more...there are even bugs in PHP itself

If you look around on other CMS forums, they all have had such moments from time to time...
It's a pity that there are always people looking for ways to break into every security hole they can find...

And it's not only PHP scripts...
Operating systems, protected software, protected music, protected videos,...
Have you ever seen anything succeeding in protecting their stuff completely?
There are companies working day and night on security alone...
And after every new protection another way around it will be found...
The only thing that seems to be impossible in computerworld is the word 'impossible' itself...
There will always be risks...no matter what script, no matter what software, no matter what operating system, no matter what house you live in,... That's life...
The only thing that can make a difference is the attention and dedication to avoid and repair any possible damage...
Like I said...'impossible' is just a word...but not only for hackers...

After moments like this, everyone wakes up to look for better protection...
I'm sure that every developer will put more attention on protection after this, also many of their own sites have been hacked as well...

Keep this in mind:
What doesn't kill IM only makes it stronger.

The safest sites have been hacked before getting there...
Most sites who haven't been hacked yet, don't even know what to expect...
A broken leg will never break at the same place again...

PostAuthor: Fubie » Tue Aug 29, 2006 4:19 pm

Extremely well put Evolver.

And just a note on 141. This is one reason why we are not rushing release.

Re: Integramod security

PostAuthor: florida4x4 » Tue Aug 29, 2006 5:36 pm

evolver wrote:
> A broken leg will never break at the same place again...

evolver, I understand all your points. Here's hoping that a bug of this magnitude never comes again. My site was OWNED!!!

Re: Integramod security

PostAuthor: cbrin44 » Tue Aug 29, 2006 6:14 pm

FYI, I also read a local forum that is powered by Invision. They too are having hacking issues as we are.

Christian

Re: Integramod security

PostAuthor: Solomon » Tue Aug 29, 2006 7:38 pm

Indeed, well put evolver. Didn't know that about bone breaks.

Some regular phpBB sites were hacked this past weekend too. Here's the link.

Re: Integramod security

PostAuthor: Michaelo » Tue Aug 29, 2006 10:28 pm

Well put Evolver...

Whether 'tis nobler in the mind to suffer the slings and arrows of outrageous fortune, or to take arms against a sea of troubles, and by opposing end them? (Mr. Shakespeare)

Over the past ninety-six hours I have dealt with hundreds of queries, so many PMs I lost count, I read hundreds of pages of text, visited countless sites and all because a bunch of children hacked our sites...

I was sorely tempted to give up, quit, get drunk... indeed if we were a small group I might have said, guys let's do something else, we don't need this crap but alas the community needed support and that's what we do...

Everybody rallied around and supported each other. People I have never heard of tested and retested the security fixes and thanks to their efforts we managed to fill the security holes. I do not recall anyone once say they give up... sure there was anger, frustration and panic but no one wanted to move... Don't get me wrong, I would not blame anyone moving to another system but even after the trials and tribulations brought about by the mindless hackers I would still choose IntegraMod... It's all about community...

Every time we add a mod, do an update, sneeze even, we risk hacking but do we let them get the best of us... not on my shift...

We have to face facts people... we cannot protect against everything... all we can do is our best. We provide and support a seriously good integrated portal system flaws and all, there are no guarantees, there never will be...

Mike

Re: Integramod security

PostAuthor: florida4x4 » Wed Aug 30, 2006 4:14 am

You all have very valid points and I agree with them. My worry has been that 1.4.1 has been around the corner since last year and there has been a split from the integramod.com site. With the old site releasing integramod "2" and this site working on 1.4.1, I've gotten confused. Mind you I don't have the time to keep up with the politics and every post so I may not be the best informed. It's just that having waited for so long for the update and then a hack based on an uninitialized variable (correct me if I am wrong), I wonder if I am backing the wrong horse... true, hacks are everywhere in all forums... I digress...

Re: Integramod security

PostAuthor: Solomon » Wed Aug 30, 2006 7:56 am

florida4x4 wrote:
> You all have very valid points and I agree with them. My worry has been that 1.4.1 has been around the corner since last year and there has been a split from the integramod.com site. With the old site releasing integramod "2" and this site working on 1.4.1, I've gotten confused. Mind you I don't have the time to keep up with the politics and every post so I may not be the best informed. It's just that having waited for so long for the update and then a hack based on an uninitialized variable (correct me if I am wrong), I wonder if I am backing the wrong horse... true, hacks are everywhere in all forums... I digress...

I was very confused too by the split and I was compelled to come right out and ask the other day what is going on. Simply put (thx Fubie), if you're looking for 1.4.0 support then either site can assist you. If you're looking for 1.4.1 help then you should come here. If you're looking for 2.0 help then you should go to the "other site". Maybe down the road they can both come up with separate software names with "Powered by IntegraMOD x.x.x" to signify their engine.

Re: Integramod security

PostAuthor: Michaelo » Wed Aug 30, 2006 4:40 pm

I believe all with the exception of Wekke have made this site their home. The reasons for the move are many and don't need rehashing here...

The old site may be able to support questions in relation to 140 but is doubtful, as wekke is the only remaining staff member with programming skills and he is currently busy developing another product loosely based on phpBB2.0.21, categories hierarchy and IM Portal, which he calls IntegraMod 2... A point worth making is... phpBB in this version has been modified by CH to the extent that most would not recognise the code...

Here we have continued to fix bugs, update and more importantly support IntegraMod 140. Additionally we have developed the next version (141) and are almost ready to release it. As to version 2, to my knowledge we do not intend to produce any additional code for phpBB2xx and instead we may very well introduce a phpBB3 compatible package, but of course this has to be decided...

Mike

PostAuthor: computerz » Thu Aug 31, 2006 5:23 pm

Speaking of the other site, well then someone should come up with a new name for the 1.4.1 project, because that's what's confusing people (as I admit, I'm still confused). And if not it's going to get worse. And there will be copyright issues. It's becoming obvious that 1.4.1 will never merge into IntegraMOD 2.0. So there should be a new name for the project. And if not, then all of these questions will continue to arise, and when "this" version (the one we're posting on now) goes to phpbb3 then it's going to become even more confusing.

All in all, this is a great project, hindered by a lack of developers to support its numerous complexities. A project of this nature needs at least 10 full-time dedicated devs....."devs"..... who together can manage support questions, releases, and updates effectively, so that little things like Input Sanitization don't go overlooked.

What I take from the first post of this thread is not the far extreme of impossibilities, but rather what can we expect that "little" things, the things we should know don't get overlooked. It's that kind of quality which speaks to the difference of poor coding and exceptional coding.

We can't excuse the former for the sake of impossibilities.

Re: Integramod security

PostAuthor: evolver » Fri Sep 01, 2006 3:16 am

Yesterday, I received a mail from Zencart...
I had Zencart installed (just to look at its possibilities) on my domain...
Zencart, for who doesn't know, is a shop-script...
They have an update out now, and they are asking to do the updates as quickly as possible...
I wasn't using it, so I deleted Zencart from my server immediately.
This shows how important it is not to leave any other unused scripts on your server...
Every single php-file can hold a security risk, not only integraMOD files...

While looking at other script-communities, I can see that they are all watching their security very closely at this moment in time...
It even makes me wonder if 9-11 has something to do with it, maybe they are just practising for something bigger?
OK, maybe I've watched too many movies...

PostAuthor: IntegraMOD » Fri Sep 01, 2006 5:22 am

computerz wrote:
> Speaking of the other site, well then someone should come up with a new name for the 1.4.1 project, because that's what's confusing people (as I admit, I'm still confused). And if not it's going to get worse. And there will be copyright issues. It's becoming obvious that 1.4.1 will never merge into IntegraMOD 2.0. So there should be a new name for the project. And if not, then all of these questions will continue to arise, and when "this" version (the one we're posting on now) goes to phpbb3 then it's going to become even more confusing.

I agree with this statement if we are to work on future projects and even for 1.41 that there are many people who might be confused, so a new name and even possibly a new domain would also be nice.

PostAuthor: Fubie » Fri Sep 01, 2006 5:51 am

The new name subject has come up with the team, unfortunately it was set on the backburner when the hacking issue reared its ugly head.

Please give us some time to address things. We may even hold a name contest who knows. But right now we are working on a few more urgent issues.