| A story about a hacking incident |
|---|
| Author: Agner | Date: 2007-05-20 09:49 |
| A hacker has found a security hole in my messageboard software. This has led to a feeding frenzy of hackers trying to exploit my website. The logfiles show thousands of attempted attacks in just a few days. Some hackers just planted a message saying: Hacked by, and some evil name. Some have installed backdoors for other hackers to use. Some have destroyed the vulnerable files that other hackers used. And worst of all, some tried to use my website for a phishing scam.
The most alarming thing about this incident is that a security firm may inadvertently have helped the hackers. The hacker who found the security hole placed a short notice on an obscure hacker website on May 9. The next day, the security company Secunia published this information in several languages, including all details necessary to exploit the security hole. In fact, they published more details than the hacker website had. It is quite likely that this has attracted the attention of more hackers, although I cannot know for sure because the first attacks happened on May 9. I think it is irresponsible of Secunia to publish technical details about a security hole without informing the person responsible for closing the hole. I was not aware of the hole until May 13 when I got a mail from a hacking victim. When I asked Secunia why they hadn't informed me, they answered: "Note that the vulnerability was made available on a third party website, which is not affiliated in any way to Secunia." The fact that they encourage researchers to contact vendors prior to disclosure does not make sense when the researcher is a hacker with bad intentions. I will therefore maintain that their practice is irresponsible. Do they have an interest in increasing the amount of hacking activity in order to justify their own existence? Needless to say, I blocked all access to the vulnerable files immediately and started an investigation of what had happened. On May 19 I published a security update of my AForum software and informed all traceable users who had the same vulnerability. My sincere apologies to everybody who may have been affected by this. The security hole can only be exploited when register_globals is turned on in the PHP configuration file. All PHP manuals recommend turning register_globals off, but unfortunately my web host does not follow the security recommendations.
If you are using AForum software version 1.33 or earlier then please turn off register_globals or update to the newest version of AForum. This story also shows that there are thousands of hackers out there having nothing else to do than exploiting security holes that others have found. I wish these people would use their time and skills for something more productive. For example, contributing to the many open source software development projects. This would earn them much more of the fame and recognition that they apparently are longing for. Finding security holes is a good thing. Exploiting such holes for destructive purposes is a bad thing. | |
| A story about a hacking incident |
|---|
| Author: Agner | Date: 2007-05-21 12:32 |
| Latest news: My traffic logs showed an excessive amount of traffic to one of the hacked files referred from a particular Persian website. Since I don't read Persian, I asked an Iranian friend to help me find out what was going on. What he found out was quite interesting: A hacker has placed a secret proxy on my website which allowed Iranian internet users to circumvent government censorship and access blocked websites with pornography or political dissidence. In fact, 33,000 people have tried to use this proxy in just a few days. I actually feel sorry for removing this backdoor to freedom of information from the suppressed Iranian people. But my Iranian friend told me that my website would probably be banned as well if I left the proxy there. And I don't think my server could carry the heavy traffic from millions of porn-starving Iranian internet users :-) So I just removed the proxy and placed a friendly message in its place. | |
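The first post advises turning register_globals off where the host leaves it on. The following is an added example, not part of the original posts or of AForum: a small audit that reports the effective setting from a php.ini and an Apache `.htaccess` override. The function names and both sample files are constructed for illustration, and it assumes PHP runs as an Apache module so that `php_flag` lines apply.

```python
import re

def _is_on(value):
    # PHP boolean ini semantics: on/yes/true or a non-zero integer enable a flag.
    v = value.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False

def ini_register_globals(ini_text):
    """True/False for the last register_globals assignment in php.ini, None if unset."""
    state = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        m = re.match(r"(?i)register_globals\s*=\s*(.*)$", line)
        if m:
            state = _is_on(m.group(1))       # a later assignment replaces an earlier one
    return state

def htaccess_register_globals(htaccess_text):
    """Same for a per-directory 'php_flag register_globals ...' line in .htaccess."""
    state = None
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):             # '#' starts a comment in .htaccess
            continue
        m = re.match(r"(?i)php_flag\s+register_globals\s+(\S+)", line)
        if m:
            state = _is_on(m.group(1))
    return state

def effective(ini_text, htaccess_text=""):
    """Per-directory value overrides php.ini; unset means the default (Off since PHP 4.2.0)."""
    for state in (htaccess_register_globals(htaccess_text),
                  ini_register_globals(ini_text)):
        if state is not None:
            return state
    return False

# Constructed samples: a host-wide php.ini that enables the flag, and a site-level override.
HOST_INI = "[PHP]\nregister_globals = On   ; host default\n;register_globals = Off\n"
SITE_HTACCESS = "# constructed sample\nphp_flag register_globals off\n"

if __name__ == "__main__":
    print("host only:", effective(HOST_INI))
    print("with .htaccess override:", effective(HOST_INI, SITE_HTACCESS))
```

The directive was removed entirely in PHP 5.4.0, so this check only matters on older installations.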