 [solved] Feral Heart - huge bug on the website, possible forums database leak

Nassati



Posts : 32
Join date : 2011-11-11

Post subject: [solved] Feral Heart - huge bug on the website, possible forums database leak
Posted: Mon Jul 15, 2013 11:37 pm

I'm so (un)lucky...
I hadn't been playing FH for about 6 months.
Yesterday (for me; I'm from Poland ;P), 15 July 2013 at about 18:30 UTC (20:30 in Poland), I visited the FH website for the first time in months.
I tried to sign in, but instead, by accident, I downloaded the source code.


Something was wrong with the PHP parser:
http://www.feral-heart.com/index.php - worked fine
http://feral-heart.com/index.php?option=com_alpharegistration&view=register&Itemid - returned this:
Code:
<?php
//Turn SSL off
$url = "http://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
if ($_SERVER['SERVER_PORT'] != "80") {
    header("Location: $url");
    exit;
}
/**
* @version $Id: index.php 14401 2010-01-26 14:10:00Z louis $
* @package Joomla
* @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

// Set flag that this is a parent file
define( '_JEXEC', 1 );

define('JPATH_BASE', dirname(__FILE__) );

define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;

/**
 * CREATE THE APPLICATION
 *
 * NOTE :
 */
$mainframe =& JFactory::getApplication('site');

/**
 * INITIALISE THE APPLICATION
 *
 * NOTE :
 */
// set the language
$mainframe->initialise();

JPluginHelper::importPlugin('system');

// trigger the onAfterInitialise events
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
$mainframe->triggerEvent('onAfterInitialise');

/**
 * ROUTE THE APPLICATION
 *
 * NOTE :
 */
$mainframe->route();

// authorization
$Itemid = JRequest::getInt( 'Itemid');
$mainframe->authorize($Itemid);

// trigger the onAfterRoute events
JDEBUG ? $_PROFILER->mark('afterRoute') : null;
$mainframe->triggerEvent('onAfterRoute');

/**
 * DISPATCH THE APPLICATION
 *
 * NOTE :
 */
$option = JRequest::getCmd('option');
$mainframe->dispatch($option);

// trigger the onAfterDispatch events
JDEBUG ? $_PROFILER->mark('afterDispatch') : null;
$mainframe->triggerEvent('onAfterDispatch');

/**
 * RENDER  THE APPLICATION
 *
 * NOTE :
 */
$mainframe->render();

// trigger the onAfterRender events
JDEBUG ? $_PROFILER->mark('afterRender') : null;
$mainframe->triggerEvent('onAfterRender');

/**
 * RETURN THE RESPONSE
 */
echo JResponse::toString($mainframe->getCfg('gzip'));

I tried the same thing with config.php, and unfortunately it worked. :/


I wasn't able to log in to the FH forum, so I tried to warn Red, or anyone from the staff, in the game.

Around 19:30 UTC (21:30 in Poland) Red and Shady were online on FH.
I was whispering to him, but he wasn't answering.
At the same time the FH website went down with an error:
Quote :
Database Error: Unable to connect to the database:Could not connect to MySQL

Some time later I tried talking to Red again. I asked him if he had received my messages; he replied something like "what messages?", and a few minutes later the FH game server went down.

Now the FH website looks like this:
[Joomla]
FeralHeart
We will be back shortly


I was (probably; I didn't check that) able to use the data from config.php to download the SQL database, remove files by FTP, etc., but I'm not a blackhat. I'm not even a hacker. I'm a webmaster who knows something about IT security, but not really much.
If I was able to do this, there's a pretty high possibility that someone who's not a white-hat found this bug too and used it to download the FH database.

So, if you are an FH player, change your password, just in case.

I hope that Red will check the server logs to see whether anyone downloaded the database and give an official announcement about this.

And sorry for my bad English.


Edit: The FH website is back.

Edit 2:
Quote :
The issue was brought to Raz earlier, and he took care of the issue in the forum. He also mentioned passwords, and he assured there is no reason to change passwords, since they are safe now.

Thank you for caring, though, but the issue has been resolved.

Locking this since everything is in check again.
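Editor's note with an added example (this is not code from the original post, nor from the Feral Heart site). The bug described above is a classic PHP source-disclosure misconfiguration: the server handed out the raw text of index.php instead of executing it, and the poster reports that the same request worked for the configuration file, which in Joomla holds the database host, user, password and table prefix in clear text. Two details in the leaked index.php are worth noting for anyone running a similar site: the block prepended before the Joomla header redirects every request that is not on port 80 back to a plain `http://` URL, so logins to that site were deliberately forced onto an unencrypted connection, and the two hostnames in the post behaved differently (`www.feral-heart.com` executed PHP, the bare domain served source), which is exactly the kind of per-virtual-host handler gap such a check should cover. The script below classifies HTTP responses as rendered output, leaked source, or leaked source containing configuration values. It runs entirely offline: the URLs (`example.test`), the response bodies and the credential values are constructed sample data, the `fetch()` helper is a stand-in for a real HTTP GET, and the file name `configuration.php` is assumed from Joomla's convention (the poster wrote "config.php").

```python
"""
Offline check for PHP source disclosure (editor's added example, not the poster's code).
Swap `fetch()` for a real HTTP client to test a site you are authorised to test.
"""
import re
from typing import Dict, Tuple

# Constructed sample responses keyed by URL. They imitate the incident in the
# post: one host renders HTML, the other returns the raw PHP of index.php and
# of a Joomla-style configuration.php with made-up credentials.
SAMPLE_RESPONSES: Dict[str, Tuple[str, str]] = {
    "http://www.example.test/index.php": (
        "text/html; charset=utf-8",
        "<!DOCTYPE html><html><body><h1>Welcome</h1></body></html>",
    ),
    "http://example.test/index.php?option=com_alpharegistration&view=register": (
        "text/plain",
        "<?php\n//Turn SSL off\n$url = \"http://\". $_SERVER['SERVER_NAME'];\n"
        "define( '_JEXEC', 1 );\n",
    ),
    "http://example.test/configuration.php": (  # assumed Joomla config file name
        "text/plain",
        "<?php\nclass JConfig {\n\tvar $host = 'localhost';\n\tvar $user = 'joomla_user';\n"
        "\tvar $password = 'hunter2';\n\tvar $db = 'joomla_db';\n\tvar $dbprefix = 'jos_';\n}\n",
    ),
}

# A correctly executed PHP file never emits its own opening tag. Match '<?php'
# or the short tag '<? ' at the start of the body, but not an XML prolog
# ('<?xml'), which legitimately starts XHTML and feed responses.
PHP_OPEN_TAG = re.compile(r"^\s*<\?(?:php\b|\s)", re.IGNORECASE)

# Joomla 1.5 writes settings as `var $name = 'value';`; newer versions use
# `public $name = 'value';`. Both are captured.
CONFIG_VAR = re.compile(r"""(?:var|public)\s+\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")

# Settings whose exposure hands an attacker the database (and, via FTP
# settings in newer Joomla configs, the file system as well).
SENSITIVE_KEYS = ("host", "user", "password", "db", "dbprefix",
                  "ftp_host", "ftp_user", "ftp_pass")

# Content types that mean the handler was bypassed even if the body looks odd.
RAW_PHP_TYPES = {"application/x-httpd-php", "application/x-php", "text/x-php"}


def fetch(url: str) -> Tuple[str, str]:
    """Constructed stand-in for an HTTP GET; returns (content_type, body)."""
    return SAMPLE_RESPONSES[url]


def is_php_source(content_type: str, body: str) -> bool:
    """True when the response is unexecuted PHP rather than rendered output."""
    if content_type.split(";")[0].strip().lower() in RAW_PHP_TYPES:
        return True
    return PHP_OPEN_TAG.match(body) is not None


def exposed_config_values(body: str) -> Dict[str, str]:
    """Return the sensitive settings readable from a leaked configuration file."""
    found = {name: value for name, _quote, value in CONFIG_VAR.findall(body)}
    return {key: found[key] for key in SENSITIVE_KEYS if key in found}


def scan(urls) -> Dict[str, str]:
    """Classify each URL as 'ok', 'source-leak' or 'config-leak'."""
    verdicts: Dict[str, str] = {}
    for url in urls:
        content_type, body = fetch(url)
        if not is_php_source(content_type, body):
            verdicts[url] = "ok"
        elif exposed_config_values(body):
            verdicts[url] = "config-leak"
        else:
            verdicts[url] = "source-leak"
    return verdicts


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_RESPONSES).items():
        print(f"{verdict:12s} {url}")
```

When running this against a real host, request the same path through every hostname and port the site answers on, with and without a query string, since the post shows the www and bare hostnames behaving differently; a `config-leak` verdict means the database password is already compromised and should be rotated along with the user passwords, whatever the site later states.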