Those of you hosting YaBB SE sites should be aware that YaBB SE is resouce intensive and has a significant number of security holes.
The YaBB SE organization has NOT fixed the security holes to date.
Exploits can take over an individual YaBB SE web site and the web host as well.
Part of the problem is in the default YaBB SE installation requires that ALL files and ALL directories be in a writable state. The other part is that the user authentication and administrator authentication apparently relies solely on one single validation check on login. Usernames and passwords are exposed by easily accessed cookies. Once a username is hijacked, administrator status is easily compromised and any type of file can be accepted for upload by anyone using the site. Once the file is on the web host, it can be executed -- exposing the entire web host to any exploit.
The security problems have been known by the development team for more than two months without resolution.
Still want to play russian roullette with your web host?

Any cgi forum will be resource intensive. I didn't know about the exploits though, thanks for the information

YaBB SE is a PHP forum. :)

YaBB Gold and YaBB SP1 are written in Perl, YaBB SE is written in PHP.

I am not sure if there are holes in the Perl versions, but I know the SE version eats up server resources and has a lot of security holes in it.

We do not allow either on our servers.

Originally posted by deadserious
YaBB SE is a PHP forum. :)


yeah it's not too bad :) ...

Originally posted by inteltechs
yeah it's not too bad :) ...

Yes it is.

1.5.1 final has made leaps and bounds. What must be remembered is that YaBBSE is a port from the Perl code which has left some of the code less then great. Version 2, aka Trinity, will be a complete rewrite and any problems that people think it has will be removed since it will be a completly new code base. I think the largest problem YaBBSE has is the common name since people often don't know the difference between YaBB and YaBBSE.

Originally posted by phark
YaBB Gold and YaBB SP1 are written in Perl, YaBB SE is written in PHP.

I am not sure if there are holes in the Perl versions, but I know the SE version eats up server resources and has a lot of security holes in it.

We do not allow either on our servers.

Whats this then? http://www.lowellmi.net/modules/forum/index.php

Originally posted by Scotty_B
Whats this then? http://www.lowellmi.net/modules/forum/index.php

Please see this thread:
Security Risks (http://www.ttcms.com/modules/forum/index.php?board=8;action=display;threadid=787)

That site runs a Heavily modified version of YaBB SE (Security holes plugged). ;)

Originally posted by phark
Please see this thread:
Security Risks (http://www.ttcms.com/modules/forum/index.php?board=8;action=display;threadid=787)

That site runs a Heavily modified version of YaBB SE (Security holes plugged). ;)
They reference this document which shows the hole as not being in 1.5.1.
http://www.securityfocus.com/bid/6663/info/

Not to mention the YSE developers providing a fix for previous versions.
http://www.yabbse.org/community/index.php?board=9;action=display;threadid=17919

Rochen also attributes that this is fixed in 1.5.1, which is now a stable release.
"Option 2: Upgrade to YaBB SE version 1.5.1 (Note: This is a beta version)"

Forgive me for asking, but between vBulletin and InvisionBoard why would anyone want to use other boards at all - what are the advantages of using other forum software?

Originally posted by ice53ltd
Forgive me for asking, but between vBulletin and InvisionBoard why would anyone want to use other boards at all - what are the advantages of using other forum software?
Why is there a Ford, Chevy, Honda, Toyota, Nissian, Caddilac, BMW, Lexus, etc etc etc etc.....

People have prefences.

Yes I understand that, but it seems to me that there are very few differences between the software and Invision and vB seem to be the leaders of the pack.

So you've got the choice of a free BMW (Invision) or a costly Mercedes (vB), and then there are things like YaBB, phpBB2 and XMB which use a lot of server resources and/or have had numerous security exploits so they're more like your Ladas.

Why?

Because some ppl like phpBB, other prefeer iB, and others prefer vBulletin

YSE has a community of 7k+ users, so, is a somehow popular software.

I have used phpBB, vBulleting, iB, and I'll stay with YSE. That's why i wanted to help in that community.

ALL security holes, were fixed on latest 1.5.1 (and all load problems were fixed since 1.5.0).

So, doesn't apply anymore, in the latest version (1.5.1), the stated above.

Originally posted by wyecroft
Those of you hosting YaBB SE sites should be aware that YaBB SE is resouce intensive and has a significant number of security holes.
The YaBB SE organization has NOT fixed the security holes to date.
Exploits can take over an individual YaBB SE web site and the web host as well.
Part of the problem is in the default YaBB SE installation requires that ALL files and ALL directories be in a writable state. The other part is that the user authentication and administrator authentication apparently relies solely on one single validation check on login. Usernames and passwords are exposed by easily accessed cookies. Once a username is hijacked, administrator status is easily compromised and any type of file can be accepted for upload by anyone using the site. Once the file is on the web host, it can be executed -- exposing the entire web host to any exploit.
The security problems have been known by the development team for more than two months without resolution.
Still want to play russian roullette with your web host?

Dont believe this, its all intentional lies. wyecroft is bad mouthing YaBB for personal reasons.

Originally posted by daveman
Rochen also attributes that this is fixed in 1.5.1, which is now a stable release.
"Option 2: Upgrade to YaBB SE version 1.5.1 (Note: This is a beta version)"
Note, this was posted on 12th February and was based on the information we had related to YaBB SE at the time from it's developers and without any independent reviewing of the code.. When that announcement was posted, we based the "fix" solely on the information provided by YaBB SE.

It later turned out after reviewing the code ourselves, there were still some serious security vulnerabilities (specifically related to the login and cookie code) - the YaBB SE development team clearly hadn't reviewed the code well enough and nuked all the bugs.

Besides the security issues of YaBB SE, I also personally wouldn't deal with the product due to the maturity of some of the development team. Posting slander about a web hosting company because your code isn't up to scratch is in my view completely unacceptable and not the way a development team of such a product should act. You don't see the developers of InvisionBoard, vBulletin etc. behaving in this manner. - Those who know the story will understand what I am talking about here.

Putting all the past experiences related to YaBB SE behind, our recommended "fix" route for all YaBB SE users is to upgrade to ttForum: http://www.ttforum.com

It's amazing how much dis-information the YaBB SE community is throwing around.

The latest release of YaBB SE version 1.5.1 has not fixed the security holes reported by INDEPENDENT security evaluations.

YaBB SE user and administrator authentication is still based on one single validation upon login, and that's it. Until a user physically logs out and logs back in, no other validation takes place. That is an invitation to hijack a user's account - and that's as simple as passing username and password variables through the URL.

The YaBB SE requirement ... yes, you read right, default installation requirement ... is that ALL the files and ALL the directories are writable.

Combine that with the virtually non-existent user validation and you have a recipe for an absolute take over of a YaBB SE site and put the entire web host at risk.

Someone suggested this was being said to "bad mouth YaBB SE" and for personal reasons. I'm not sure what bad mouthing I did ... just pointing out facts.

It is quite clear that the YaBB SE developers are either incapable of fixing their software or do not want to fix it. In either case, the risks assumed by the users who install YaBB SE, and the web hosts that have those YaBB SE sites running on their servers are at a major risk.

There is a very simple way to sure-fire fix this problem. Get rid of YaBB SE ... switch to whatever other board software you want.

Better yet, tell all the ISP's about their risk in allowing YaBB SE to run on their servers. This debate shouldn't be focusing on personalities or motives, there is a serious risk that has been recognized by many ISP's and many security sites -- and ignored by the YaBB SE developers.

Who are you going to trust with the keys to your business?

wyecroft, the only one throwing around disinformations is *you*. You are telling intentionally lies, and you do it for personal reasons. What you wrote above is simply wrong and you write it for personal reasons.

Apart from the entire take over of a web host. What wyecroft has said is basically correct.

Originally posted by rochen
Apart from the entire take over of a web host. What wyecroft has said is basically correct.

Nope, it is not basically correct.

Originally posted by ahubacher
Nope, it is not basically correct.
I can assure you it is. The login authentication system that's included with YaBB SE is a joke to put it nicely.

Take a look at the code for the login system on ttForum and compare it to YaBB SE and I am sure you will see clearly what I and many others are talking about ;)

Originally posted by rochen
Besides the security issues of YaBB SE, I also personally wouldn't deal with the product due to the maturity of some of the development team. Posting slander about a web hosting company because your code isn't up to scratch is in my view completely unacceptable and not the way a development team of such a product should act. You don't see the developers of InvisionBoard, vBulletin etc. behaving in this manner. - Those who know the story will understand what I am talking about here.

Putting all the past experiences related to YaBB SE behind, our recommended "fix" route for all YaBB SE users is to upgrade to ttForum: http://www.ttforum.com

*lol*
Yes now we can see how "independent" your point of view is, and who is slandering. And we all can guess who wyecroft is.

I am just giving my opinion of a product and it's development team, based on my experience :) Whatever anyone else in this thread is or isn't doing, who knows...

Unfortunatly wyecroft and rochen believe that they have fixed all these "security holes" when in fact they have not. Given 30 seconds and an easily found script anyone can be an administrator on a ttForum, this is not the case in the final 1.5.1 build.

Also to the login part, Chris, you should look at the code. All ttForum has done is add a second check of the cookie on the admin action even though this exact same check is already preformed on every click.

Yes your experience was that you tried once to host a big YaBB SE board. Your servers were not able to do so and you shut the board off without warning. I would never host any of my sites with you sir.

Originally posted by daveman
Unfortunatly wyecroft and rochen believe that they have fixed all these "security holes" when in fact they have not.
Pardon me? I haven't fixed any "security holes" nor do I have anything what so ever to do with YaBB SE or a spin-off product.

Originally posted by daveman
Also to the login part, Chris, you should look at the code. All ttForum has done is add a second check of the cookie on the admin action even though this exact same check is already preformed on every click.
I shall leave that for you and whoever to argue out the particulars of each line of code :smokin:

The posts are quite specific, they include a fairly detailed description of how the exploits manifest and how they can be taken advantage of.

Two well respected web hosts confirms the details, with a note from Rochen about the web host take over not necessarily being correct.

Rather than let this disintegrate into personal attacks that ahubacher is promoting ... the only message that is worth taking from this is:

There are clearly serious security holes that exist in YaBB SE. Despite many months of knowing about these security holes, the YaBB SE developers have not fixed them. Are you willing to put your web site (and/or web host) at risk by using YaBB SE?

No one, including ahubacher, has spoken to the security holes. The only fixes to YaBB SE are in the ttForum project (a derivative of YaBB SE with all known security holes fixed).

If the YaBB SE developers have fixed that risky software, it would be interesting to get information with substance instead of personal attacks on every one else's discussion about this, ahubacher. Do you have anything of substance to say?

Originally posted by rochen
Pardon me? I haven't fixed any "security holes" nor do I have anything what do ever to do with YaBB SE or a spin-off product.
Now we both know that is not true by all the banners plastered on every site that Andy runs in relation to this. You may not have coded it but you are involved.

No one, including ahubacher, has spoken to the security holes. The only fixes to YaBB SE are in the ttForum project (a derivative of YaBB SE with all known security holes fixed).
This is not the case. More security holes have been fixed in 1.5.1 final then you ever "fixed" in ttForum. Since you have never been willing to provide specifics, why should we?

Originally posted by daveman
Now we both know that is not true by all the banners plastered on every site that Chris runs in relation to this. You may not have coded it but you are involved.
How in the world did you come to this conclusion? I would be very interested to know. We host ttforum.com and apart from that, we have nothing what so ever to do with the development or coding of the product. Please also direct to me to a site that I run which has "banners plastered" on it...

Originally posted by wyecroft
The posts are quite specific, they include a fairly detailed description of how the exploits manifest and how they can be taken advantage of.

Two well respected web hosts confirms the details, with a note from Rochen about the web host take over not necessarily being correct.

Rather than let this disintegrate into personal attacks that ahubacher is promoting ... the only message that is worth taking from this is:

There are clearly serious security holes that exist in YaBB SE. Despite many months of knowing about these security holes, the YaBB SE developers have not fixed them. Are you willing to put your web site (and/or web host) at risk by using YaBB SE?

No one, including ahubacher, has spoken to the security holes. The only fixes to YaBB SE are in the ttForum project (a derivative of YaBB SE with all known security holes fixed).

If the YaBB SE developers have fixed that risky software, it would be interesting to get information with substance instead of personal attacks on every one else's discussion about this, ahubacher. Do you have anything of substance to say?

"wyecroft" why do you not tell anything substantial than those general lies? Give us please the technical details for the security holes. You cannot because there are none. You are trying to sell "your" product which is nothing but a YaBB board. When YaBB is such a bad product why did you base "your" product on it?

Originally posted by rochen
How in the world did you come to this conclusion? I would be very interested to know. We host ttforum.com and apart from that, we have nothing what so ever to do with the development or coding of the product. Please also direct to me to a site that I run which has "banners plastered" on it...
I count two Rochen Host banners here, and every main site page.
http://www.ttforum.com/

One here
http://www.ttforum.com/ttforum/index.php

You are an administrator on the site, most people don't make their host an admin.
http://www.ttforum.com/ttforum/index.php?board=;action=viewprofile;user=chris

From this thread - http://www.ttforum.com/ttforum/index.php?board=5;action=display;threadid=38
"Well.....This board is hosted at Rochen Host. That is why this board has this at the bottom. Rochen Host sponsors the ttForum project."

You have a banner here
http://www.gr8forum.com/ttuser/

You have a few banners here
http://www.ttcms.com/

You offer a special hosting package
http://www.ttcms.com/modules/forum/index.php?board=4;action=display;threadid=432

Of course we have banners on those sites, what did you expect? We sponsor them.... However, that's NOT what you previously said. You stated in your last post....
Originally posted by daveman
on every site that Chris runs
... I run none of the sites you have listed above. Had you said "Chris plasterers banners on every site he sponsors" - then yes, there may be some truth to what you said. However, what you previously said is nothing short of nonsense.

Can you stick to the topic please?

What does banners and who codes what have to do with the security holes in YaBB SE?

I do not have anything to do with coding YaBB SE or ttForum or Rochen or anything else. I am a former YaBB SE users who read about the security holes in YaBB SE from SecurityFocus.com. I then heard about more security holes directly from the YaBB SE web site and again when the ttForum project was announced.

Since reading about the SecurityFocus.com warnings related to YaBB SE security holes, I have noticed that the YaBB SE developers do not respond well to any criticism from anyone - including recognized industry observers.

More important, the YaBB SE developers have never taken security seriously and still have documented security holes that remain unfixed.

Originally posted by rochen
Of course we have banners on those sites, what did you expect? We sponsor them.... However, that's NOT what you previously said. You stated in your last post....

... I run none of the sites you have listed above. Had you said "Chris plasterers banners on every site he sponsors" - then yes, there may be some truth to what you said. However, what you previously said is nothing short of nonsense.
Sorry, meant Andy. Edited my post to reflect that.

Originally posted by wyecroft
I am a former YaBB SE users who read about the security holes in YaBB SE from SecurityFocus.com. I then heard about more security holes directly from the YaBB SE web site and again when the ttForum project was announced.
Once again, please show us evidence of those that have not been fixed.

What I find sad is the fact that this "wyecroft", ttForum (which basically ripped off SE software), and Rochenhost (who is in bed with ttForum) have to bring this childish argument here.

Originally posted by wyecroft
What does banners and who codes what have to do with the security holes in YaBB SE?
They clearly show that the view is not independent and hence is close to the topic.

Originally posted by wyecroft I do not have anything to do with ... ttForum or Rochen or anything else.
This is obviously wrong.

Originally posted by ahubacher
They clearly show that the view is not independent and hence is close to the topic.
Just my opinion - nothing more, nothing less :cool:

Originally posted by halldorr
Rochenhost (who is in bed with ttForum)
Grow up... :emlaugh:

Why? It's true...you support ttForum, host it, advertise on it and should be telling these guys to knock it off as this is reflecting poorly on Rochen.

Originally posted by halldorr
Why? It's true...you support ttForum, host it, advertise on it and should be telling these guys to knock it off as this is reflecting poorly on Rochen.

I fail to see how a report on security holes in YaBB SE has anything to do with reflecting on anyone in particular.

Again, the issue is that web sites and web hosts are compromised by a very insecure YaBB SE software. The exploits are well known and documented on many security web sites.

The only denial there is here is from the YaBB SE zealots ... are oblivious to all that is around you?

ISPs and web site owners have serious investments in web properties, racks, power filtration and conditioning, support staff and more -- and you are asking them to risk it and take your word for it.

My suggestion is to NOT take anyone's word for it, but to research. Check the security web sites, talk to other ISP's that have already banned YaBB SE. Talk to YaBB SE users like myself who have been hit by security exploits.

We only know too well how it works. We're the ones that lose our thousands of member records. We're the ones that lose our tends of thousands of messages. We're the ones that invest the hundreds upon hundreds of hours of work configuration our sites only to have our sites defaced through the security holes you insist don't exist.

Decide what action to take (or not take) based on your own research. Don't take my word for it, check it out.

It is your web host and web site that is at risk. I've switched to another board software. I don't have recommendations to make about which board software to switch to - you should research that too. Good free choices are Invision, and ttForum. Good commercial choice is vBulletin. Anything but YaBB SE.

As a matter of fact ttforum is nothing but a ripped of YaBB SE. The only change consists in taking all visible copyright out. Case there were security flaws in the current YaBB SE they are all in ttforum as well.

Someone asked for a description of things? I'm here to oblige. I'm a programmer.... I breath, eat, and live computers.... so all I like to do is explain this crap.

First note that everything I'm about to say is in no way to be construed as being said, believed, or maintained by any of the other members of the YaBB SE team.

See the code differences here: (whitespace, comments, and formatting have been stripped from both versions, I'll post the regular expressions if anyone asks.)
http://www.yabbse.org/unknown/ttdiff/index.php

Note that this is from the build of 1.5.1 after ttForum. I do not have a copy of the build it is based off of, but only minor bug fixes were made since then . (none of which does ttForum have.)

Specifics:

To 'fix' the possible login problems, Andy Prevost (I will assume he is known as wyecroft here.) decided to do a check on the cookie variables again.
Now, I hope a programmer is reading this... because if he or she is, they will get a good chuckle. Why? Because PHP populates the $HTTP_COOKIE_VARS variable at the start of the script. You can check it as many times as you want, it'll never change.
To 'fix' the login authentication 'problem', he used md5 instead of DES.... which is something I'll admit has a *small* bit of portance. Basically, if a hacker gets access to the database, he *could* read the first to two letters of the password. But, then again.... if he gets that far he's probably going to wipe the db. (btw, I could just type in a URL and all the posts, members, etc on ttForum's forum would be gone. Funny, huh?)
He complains about the permissions of folders. Firstly, the YaBB SE team ALREADY tells people - in the readme, etc. to chmod their files properly.
More importantly, if someone can get to the files (which remain static.) he can EASILY get to the database and wipe it. Can we agree that the database (being dynamic.) is more of a problem than the files? Guess not.
Andy Prevost has a history of stealing code. Go ahead and copy a line from anything he's written and put it in google. I'll give you more than 50/50 odds you'll get results from some other copyrighted work.
This guy doesn't even give people (ie. me.) the same respect they give him. I spent an amount of my time researching the differences between ttForum and YaBB SE before I said anything. On the other hand, he has several times made personal insults toward me, not to mention that he accused me of copying HIS code. (imagine that!) Of course, if anyone were to bother themselves to look at the code, they would see this is not obviously not the case. But, Andy does not want to be as fair as others.
After I showed Andy that he had only changed a minimal amount of code, he reformatted his files (undoubtably with a regular expression-enabled editor....) such that the changes would look like more in the diff. Hence my 'uglifier', which makes everything look the same.
Andy Prevost has illegally removed the e copyright notice displayed at the bottom of pages. I suppose he thinks changing 7% or so of the code justifies this? Not in any court of law I know of.
More than 60% of the changes he has made are mods available for YaBB SE. Worse, he has given absolutely no credit to anyone for their work on these mods. He pretends he wrote it or something.... but does not ever mention anyone did anything.


I even tried to have a conversation with him once. It didn't go well. Near the end, I asked him why he always set the ratings on his files up. (I knew he did, 'cuz I suspected, then went and voted.... brought it down to 7. Days later, it was at 9 with the same number of votes.) Shortly after, he turned off the voting functionality. Funny.

I spread no misinformation. That is the job of the Iraqi Information Minister. If I am wrong in anything I have said here, please explain.... WITH DETAILS... what it is that I am wrong about.

But, remember... I like english. And like my teachers have always said.... SHOW EVIDENCE! No one gets anything without evidence. I've provided mine....

Thank you for your time,
-[Unknown]

[edit:]
More on topic, you must realize that a lot of forums have security holes. YaBB SE does not have any more than others have had, despite what some people would have you believe.

As for the features and how vB and iB are just "so ahead".... I'm working on it. I'll just say the words "30% faster", "templating system that makes vBulletin cry :P", "child boards aka sub boards", and "a lot more".

-[Unknown]

I also am in the process of changing from YaBB SE.

The user "wyecroft" is absolutely correct. I was able to log in to the www.yabbse.org site as an administrator and do a complete dump of the database. I could have deleted the entire database if I were the malicious type. I could have changed any of the settings including the file types for downloads.

The very first member listed in the database happens to also have posted here (halldorr) YaBB SE database ID number 18. I could go on with the 1400 + members, but that would mean sinking to the abhorent behaviour demonstrated here by the YaBB SE team.

The reports of YaBB SE security holes are accurate.

The personal attacks show a lack of common sense.

Originally posted by t_r_white
I also am in the process of changing from YaBB SE.

The user "wyecroft" is absolutely correct. I was able to log in to the www.yabbse.org site as an administrator and do a complete dump of the database. I could have deleted the entire database if I were the malicious type. I could have changed any of the settings including the file types for downloads.

The very first member listed in the database happens to also have posted here (halldorr) YaBB SE database ID number 18. I could go on with the 1400 + members, but that would mean sinking to the abhorent behaviour demonstrated here by the YaBB SE team.

The reports of YaBB SE security holes are accurate.

The personal attacks show a lack of common sense.

The abhorent behaviour and the personal attacks were started by the other side. If you discovered a security leak: did you reveal the hole to the YaBB SE team?

Furthermore: did you test the same with ttforum? I am pretty sure it is also there.

The personal attacks were brought here by the ttForum gang and shows horrible professionalism. This board has now been abused and you've now dragged people that frequent here into this childish crap.

As for t_r_white, interesting that your first post here is involving this little argument.

The people that run this forum should have deleted this thread after the the ulterior motive of this post was discovered.

I have yet to see a host that does not allow YaBB SE that is not associated with ttForum/Rochenhost.

It's sad when open source projects get abused like this...and those doing the abusing can sleep at night.

Originally posted by t_r_white
I also am in the process of changing from YaBB SE.

The user "wyecroft" is absolutely correct. I was able to log in to the www.yabbse.org site as an administrator and do a complete dump of the database. I could have deleted the entire database if I were the malicious type. I could have changed any of the settings including the file types for downloads.

The very first member listed in the database happens to also have posted here (halldorr) YaBB SE database ID number 18. I could go on with the 1400 + members, but that would mean sinking to the abhorent behaviour demonstrated here by the YaBB SE team.

The reports of YaBB SE security holes are accurate.

The personal attacks show a lack of common sense.

t_r_white>
Do you ppl have to be childish? i don't want to play this kind of games. If you truly hacked YSE, why u don't report that to the team? or leaved a index with your message saying hacked? or do something as a proof of what u said?
Simply: It's a lie.
I can say I hacked the NASA, but without a proof, is simply that: a lie.

Plz, stop this childish accusations. YSE is a non-profit organization, i don't see why u enjoy lying and stealing code and mods.
YSE team really is willing to FIX and post all security fixes. We don't hide our software had security hole, but we fix only the one our team believe are securify holes, not "ghost" or "inexistent security holes...

Originally posted by ahubacher
The abhorent behaviour and the personal attacks were started by the other side. If you discovered a security leak: did you reveal the hole to the YaBB SE team?

Furthermore: did you test the same with ttforum? I am pretty sure it is also there.

Yes I did test ttForum. I was unable to duplicate the security holes I found in YaBB SE.

No I did not contact the YaBB SE team. It seems after reading the personal attacks from the wyecroft report that reporting anything to the YaBB SE team is a futile endeavour.

The security leak is as identified by wyecroft.

I have read this entire thread twice and until you mentioned it did not realize there were any "sides" to this discussion. I see many personal attacks that started with your comments about "rochen" and then further deteriorated when daveman and halldorr added their opinions.

The message from obazavil: YaBB SE member id 534, Omar Bazavilvazo from México. Yes the proof of the exploit is in the data that is being given to you. Your suggestion to deface the YaBB SE web site is not proper. The purpose of the test was to determine if the wyecroft report was correct. It was.

Originally posted by t_r_white
No I did not contact the YaBB SE team. It seems after reading the personal attacks from the wyecroft report that reporting anything to the YaBB SE team is a futile endeavour.


Just another proof that the YaBB SE team is right in being angry, and how ttforum is stealing code and removing illegaly authorships, credits and copyright:

The original thread is here:
http://www.ttforum.com/ttforum/index.php?board=2;action=display;threadid=90;start=0#msg523

I am copying the quote into the thread here, because it is to be expected that the quoted post will be deleted and spaceman-spiff will be banned from ttforum, as it was done with others.


Quote:
4. ttCMS mod "Coppermine Photo Gallery". Beta tested and works great with ttCMS version 2.1.2 and up.
and ... announced that a PHP-based Chat script is on its way for ttCMS.

andy, i dont recall giving you permission for my coppermine gallery mod
and also you've removed my name from the credits
i want you to remove this mod a.s.a.p.

There were other code stolen, for example Big P's "add more smileys mod" was added as ttforum "mod" without asking first the author and giving credits to the original author. The author registered into ttfourm and complained, all his posts were simply removed there.

Originally posted by t_r_white
Yes I did test ttForum. I was unable to duplicate the security holes I found in YaBB SE.

No I did not contact the YaBB SE team. It seems after reading the personal attacks from the wyecroft report that reporting anything to the YaBB SE team is a futile endeavour.

The security leak is as identified by wyecroft.

I have read this entire thread twice and until you mentioned it did not realize there were any "sides" to this discussion. I see many personal attacks that started with your comments about "rochen" and then further deteriorated when daveman and halldorr added their opinions.

The message from obazavil: YaBB SE member id 534, Omar Bazavilvazo from México. Yes the proof of the exploit is in the data that is being given to you. Your suggestion to deface the YaBB SE web site is not proper. The purpose of the test was to determine if the wyecroft report was correct. It was.

Just an FYI all this can be obtained from the memberlist, not an exploit just some research. I can do this for any yabb se based board.

ttforum board:
The message for ajp: ttforum member id 7, phark from long beach, ca. Yes, the proof of the suppose to be exploit of the memberlist research is given to you...

There are two security holes the YaBB SE team is working on and will release a patch soon. The same security hole are also in ttforum.

During the 1.5.1 we even fixed futher security holes not yet discovered, and we have more security fixes in 1.5.1 then ttforum has in theirs. So to say ttforum is more secure then Yabb SE is a lie.

If you descided not to use Yabb SE for security reasons, I also recommend not using ttforum for the same reason. Instead use IBF, or VB boards.

As I said the same security holes effect ttforum. If Andy wants and permits I will exploit his board for proof...

One thing I hate is when competition bashes the other to try and get more publicity through lies. We already have the news media for that...

Hmm..
How to get that data as a normal user:

Go to check my profile:
http://www.yabbse.org/community/index.php?action=viewprofile;user=obazavil
There it says:
-I'm Omar Bazavilvazo
-I'm from Mexico

To get my ID, click on "Show the last 10 posts from this person" button.
There it displays this link:
http://www.yabbse.org/community/index.php?board=;action=usersrecentposts;userid=534;user=obazavil

So... that's all you could get with your "dumped" DB of YSE?

Please, be serious, act as a matture person, and do a honest publicity to ttForum. Open Source projects don't do this for profit, but, is irritating all this BS against YSE team, to give publicity to your software.

I try to not bother with this kind of stuff... but is VERY annoying this kind of attitude...

---
What case is to say that one of your board members, for example:
ajp - Andy Prevost - andy@ttforum.com - id = 1
chris - chris@rochen.com - id = 14
---

... I think I made my point

I'm sure you feel comfortable, obazavil, but have you thought about the possibility that someone actually got the data from the database?

Don't get too smug ...

By the way, let me give you early birthday greetings ... it's May 20 1976, correct? ('1976-05-20', 'Omar Bazavilvazo\'s Homepage', 'http://OmarBazavilvazo.com', 'México',)

That's not on your profile, is it?

Originally posted by t_r_white
I'm sure you feel comfortable, obazavil, but have you thought about the possibility that someone actually got the data from the database?

Don't get too smug ...

By the way, let me give you early birthday greetings ... it's May 20 1976, correct? ('1976-05-20', 'Omar Bazavilvazo\'s Homepage', 'http://OmarBazavilvazo.com', 'México',)

That's not on your profile, is it?
LOL, I can do that with anything, yeah make it look like SQL. :rolleyes:

Originally posted by t_r_white
I'm sure you feel comfortable, obazavil, but have you thought about the possibility that someone actually got the data from the database?

Don't get too smug ...

By the way, let me give you early birthday greetings ... it's May 20 1976, correct? ('1976-05-20', 'Omar Bazavilvazo\'s Homepage', 'http://OmarBazavilvazo.com', 'México',)

That's not on your profile, is it?

birthdate, nope, but can be retrieved from calendar.
also homepage and country can be seen in public profile.

I send you a PM. plz respond to that, so i can see what you say is true.
Thanks a lot,
Omar

I have a better solution. If you really have the database dump, give me the contents (and author, if you feel like it...) of the following post:

139868

I'll even describe how to get it.... Find the line that says "INSERT INTO messages" and look for that number somewhere after it. (using ctrl-f...) That is, of course, if you have the dump.... if you don't, you won't be able to find that post's contents anywhere.

-[Unknown]

Unknown, you and I are probably the only two that can appreciate the humour in your message.

Since the YaBB SE site has less than 134000 messages, it would appear that your little game is up.

This will be my last post.

Looks like you'll have to play with yourself.

Originally posted by t_r_white
Unknown, you and I are probably the only two that can appreciate the humour in your message.

Since the YaBB SE site has less than 134000 messages, it would appear that your little game is up.

This will be my last post.

Looks like you'll have to play with yourself.

Well, this answer is the final proof that you do *not* have a dump of that database. I am very shocked about this new lie. Now I am even pretty sure that you "t_r_white" and "wyecroft" are the identical anonymuous person. You registered two false user accounts here only to spread lies. This is again a proof that you are intentionally badmouthing YaBB. I am very shocked about your behaviour and hopefully all people will see the truth.

Sorry but if you had a dump you would see this is not a trick.

Perhaps your database dump was incomplete. (actually, I don't think you have it at all, but assuming you do...)

You said you have up to 134000, yes? Then.... give me 110057. That's certainly in the range you have, correct?

Have another excuse for me this time?

-[Unknown]

I wanted a objetive way to test if YaBBSE truly was hacked. if it was the case, accept it, and fix it, as we did with all security holes reported.

I PM this to t_r_white:

Hi!

If what you said is true, then 1.5.1 seems to have a security hole open, yet.

Last stuff can be retrieved from profile/calendar, but, this one not:

What's my secret answer?
That isn't crypted on DB, so you can answer that.

thanks for the response.

regards,
Omar


I got this:

I appreciate your need to test this, but as you and your cohorts are designing tests to fail I will not be participating after this reply.
If I read the data dump properly (and assume you haven't changed the information since I did the dump), you have no secret question and no secret answer.
Thanks for the test, but you need to get busy plugging up your security holes. In the meantime, I won't be replying to any more of your posts or messages, so you will have to play with yourself now.


I'm not stupid enough or childish to hide information, not doing a last minute change.
I had set my secret answer since 1.5 months ago aprox, if i remember. He says I don't have any secret answer. That makes me wonder maybe he got the DB dump (if any) 2 months ago, maybe when we got hacked much before 1.5.1 came out.

Anyway, he is just lying, He doesn't have any DB data. If the answer he gave me was correct, i would be the first to accept the fact and ask him the exploit. But I can't fix something that doesn't exists.

too bad someone has time to do this BS, and make other lose their time.

anyway, i have nothing to hide, so i'm here if you want to reply.

p.d.: this is a link to reply a post posted today:
http://www.yabbse.org/community/index.php?board=7;action=post;threadid=21477;quote=144335;title=Post%2Breply;start=0
Just to make a note that posts exists up to 144335. Even if statistics says there are 133746, seems that almost 10k messages have been deleted :P

again, my best regards,
Omar

hehe.

Let me put it this way:
I'm able to log into to any ttForum without any problems. I was able to dump the full database, even was able to acquire root access to the server.

Proof I'm wrong.

Sounds incredible? It's the same you did, no proof, just some vague story. Oh I see, you run a competiting board...

if anyone actually reads the yabbse cummunity forums, they will find that all bug fixes that are reported are fixed, if not by a dev team member, then a forum member.

yabb se is not resource intensive in my experience

I think the only way to solve this is an independant code audit, unfortunately, that costs.

I do not know of any security flaws in YaBB, however, the removal of copyright is unethical and illegal, I suggest you start legal action against those responsible as it is utterly disgraceful.