Remember me
Back to forum: This Plaza

Search forums via Google

14 Users appreciate this thread.

! Security Advisory - PZ1 !
 >  >>
Started by NodePoint
(2016-05-16 23:33:29)
NodePoint (2016-05-16 23:33:29)
Before I start, I would like to note that it is planned to unsticky this thread in the near future as everyone around the time this got posted got the message anyway. Perhaps by the end of September 21st 2016.
Hello, users of 3DSPlaza. It has been a while.
This thread will be about a security vulnerability that got fixed very recently and what should be done to reduce the risk as a result of it.
Do read on for more details.
What is going on here?
Around a month ago, a security vulnerability was discovered in the comment system that made SQL injections possible. More preciously, in the comment viewer (status and profile, both shared). This would use a GET query to get the table name and then put it into a query (note that it is arbitrary) and that would be the hole.

Why should I care / how severe is this?
This allowed the ability to grab system and other information such as user credentials, generic user data (email, IPs, points, privileges), misc data. Basically, access to all information stored on 3DSPlaza's database and possibly other databases that are not to do with 3DSPlaza.
It is not known for sure if anyone discovered this previously and stored the captured information for malicious usage later on. There is a chance that is the case, however.
Considering that it had been vulnerable ever since it was first built (presumably back in 2011), it would be a bit of a risk to look away pretending that you have not read this thread.

Am I at risk?
Anyone is. Or at least, the more older users are. More details are in the next section.

What should I do?
** If you have not changed your password before the date 14/04/16 (dd/mm/yy) then it's advised that you change your password. **
You would be more prone to having your current login credentials being in any SQL dumps in any shape or form that might have been created before that date.
Again, there is a chance that this might have happened.

Created an account on or after that date? You are fine. Just ensure that your password is not something as simple as a usernane.
(The date mentioned is put a little later than when the tests got performed and when it got patched because of the time zones, FYI.)
The passwords are hashed in such a way here that you most likely do not need to worry about changing it on external sites if you are using the same one on those for whatever reason. You might decide to do so anyway which would most certainly be a wise move.

What if I choose to ignore what you said?
It is not mandatory, looking at how not so visible the vulnerable script location was.
Not ignoring would ensure that the account is secure enough.
Your account, your choice.

I have a few banned accounts but because of account switches. Should I take action on those?
If you do plan on switching back, go ahead. Banned users can perform some actions but their actions will not do anything major so do not worry if those do happen to get compromised.

My account got compromised because of a method related to this. Help?
The password cannot be changed unless the one accessing the account knows the password in plaintext (AKA the original).
So essentially, you would still be able to access your account and lock the hacker out by simply changing the password to something else that cannot be guessed so easy (something other than reordering your username as your password).
EDIT (30/06/16): It was discovered that passwords can still be changed once the account has been obtained. Change your password if this could affect you. The ID for that issue would be PZ2 (awaiting contact with administration).
EDIT (04/06/16): PZ2 has been patched. Email changes now requires current password.

I have a question / comment ...
Sure. State what you have in mind below and I will try to clarify things. I don't expect everyone to understand some of the technical terms mentioned here right off the bat.
Note that some details will not be provided in regards to this for reasons.

I do not understand what you are saying. Simplify? / Can not be bothered reading all of that. / Tell me in short.
Too Long; Did not Read! If you created your account or last changed your password before 14/04/16 (dd/mm/yy), you might want to consider changing your password just to ensure that your account is secure as it can be.
To reclarify: this has already been patched. Vulnerabilities such as these will never be publicly disclosed unless they get resolved or if they are way less severe.
This entire post is about what might have happened during the time of when it could be attacked and how to deal with it.

This post has been edited one or more times, the last time was:
2016-09-22 09:10:49

Security researcher, web developer, artist, and tech enthusiast.
TheLucarioKid (2016-05-17 01:38:11)
I'll try to forward this to the admins.
NodePoint (2016-05-17 01:41:37)
^ Rob is already aware.
Security researcher, web developer, artist, and tech enthusiast.
BabyBoy647 (2016-05-17 15:41:39)
So, I've been here for a while, without my password being changed. Do I NEED to change it?
They said all
Teenagers scare
The living out of me
They could care less
As long as someone'll bleed
So darken your clothes
Or strike a violent pose
Maybe they'll leave you alone
But not me
ZarktyArk (2016-05-17 15:46:35)
>inb4 Nuenez hacks or get whacked
Gumball (2016-05-17 16:03:49)
Thanks for telling us about the current situation we're having. Will this coding error be fixed?
NodePoint (2016-05-17 16:17:26)
^^^ Depends if you feel that it could be a danger to you. It is recommended to do so.

^ I have added a little something at the end of the post to make it clearer.
Security researcher, web developer, artist, and tech enthusiast.
MissJanie (2016-05-17 18:49:41)
Don't worry. I've done the responsible thing and framed you all for having child porn.

NodePoint (2016-05-17 19:05:00)
^ wrong site.
Security researcher, web developer, artist, and tech enthusiast.
WWTEpicFail (2016-05-17 19:20:22)
Might as I change my password anyways.
SimonGiurca (2016-05-17 19:41:38)
Thx for the warning ,no question ,[password=changed]
[spoiler=Give a WoW to the famous:]
Invalid nesting error at tag #spoiler (phase "spoiler=(.+)") when parsing
### end of error report. extra information that may or may not be useful to developers: *IBV*spoiler*OCTTWO*0*OCT*0*CCT*1*END OF EXTRA INFO*
Nutsy (2016-05-17 20:39:19)

mariotwilght (2016-05-17 22:53:51)
What/where is the comment viewer and what are status on this site.
War, what a great distraction from complicated domestic issues.
TwilightWinter (2016-05-18 11:19:27)

EDIT: Wait, shouldn't this go in the Announcement's forum?

This post has been edited one or more times, the last time was:
2016-05-18 18:21:34

WeKtWaBBit (2016-05-19 01:09:55)
 >  >>

This topic is closed, so you can not post a comment.

This topic's ID: 82592

Back to forum: This Plaza