IMPORTANT - WebPortal Security fixes release

Everything about the STHS Web Portal - Open Source Version / Everything concerning the STHS WebPortal – Open Source
JimToupet
The Crazy / Le Fou
Posts: 265
Joined: Wed Jul 02, 2014 10:55 am

IMPORTANT - WebPortal Security fixes release

Post by JimToupet » Wed Jul 13, 2016 10:53 pm

Simon. Can you please stick this post. Thanks

FIRST OF ALL, I can't repeat it enough: change your WebPortal Admin and news passwords. The default passwords are widely known and publicly available on GitHub.

I've seen a case and heard of others where a league site has been hacked and used for phishing and fraud. This is caused by the fact that the WebPortal didn't have any check on what file is uploaded. That said, anyone who gains access to upload files can upload a malicious .php file and start taking control of the site, put up a copy of a bank site to collect debit or credit card data, or do any other illegal stuff. Don't forget that you are responsible for the content of your site, and a web host can take down your site and/or delete your files and account.

I just put an important release on GitHub correcting a security issue in the WebPortal. This fix checks the uploaded file extension to prevent the upload of malicious files, and prevents any script execution from the WebPortal upload folder with .htaccess.

There are two ways of updating your portal:

1) If you have made some changes to the portal, look at the file change commit here and apply or download the changed files, then upload them by FTP.

2) Download the latest release here. Unzip and upload all files EXCEPT Connections/settings.php by FTP.

I want to remind you that I'm not the creator of the portal. But because the portal is used by many leagues and this security hole is important, I share those fixes.
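As an added example (not the WebPortal's own code and not the fix from the release), here is the kind of server-side extension check the post describes, combined with a server-chosen file name so the client never decides what lands on disk; the allowed extensions and the $_FILES handling are assumptions.

```php
<?php
// Added example, not the WebPortal's code: allowlist check on an uploaded
// file name plus storage under a random server-side name. It demonstrates
// the "check the uploaded file extension" fix the post describes.

declare(strict_types=1);

// Assumed allowlist; a real deployment lists only the types the portal needs.
const ALLOWED_UPLOAD_EXTENSIONS = ['txt', 'csv', 'png', 'jpg', 'jpeg', 'gif'];

/**
 * Returns the lower-cased extension if the client-supplied name is acceptable,
 * or null if it must be rejected. Exactly one dot is required, so a name such
 * as "lines.php.txt" (a double extension) is refused before the allowlist is
 * consulted, and any path separator or control character is refused outright.
 */
function safeUploadExtension(string $clientName): ?string
{
    // Reject empty names, control characters and path separators
    if ($clientName === '' || preg_match('/[\x00-\x1f\/\\\\]/', $clientName)) {
        return null;
    }
    if (substr_count($clientName, '.') !== 1) {
        return null; // no extension, or a double extension
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true) ? $ext : null;
}

/**
 * Stores a $_FILES entry under a random name in $uploadDir. The client only
 * influences the extension, and only if the allowlist accepts it.
 */
function storeUpload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = safeUploadExtension($file['name'] ?? '');
    if ($ext === null || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed sample names showing the check's decisions
foreach (['Lines.TXT', 'shell.php', 'shell.php.txt', '../cfg.txt', 'noext'] as $n) {
    printf("%-14s => %s\n", $n, safeUploadExtension($n) ?? 'rejected');
}
```

Pair the check with an .htaccess in the upload folder that removes script handlers, as the release does; the extension check alone does not stop a file that slips through from being executed.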

SimonT
STHS Owner / Propriétaire du STHS
Posts: 13211
Joined: Sat Oct 08, 2005 4:18 pm
Location: Montreal, Canada
Contact:

Re: IMPORTANT - WebPortal Security fixes release

Post by SimonT » Thu Jul 14, 2016 12:05 pm

1) Topic is now sticky.
2) This is another reason why you should upgrade to version 3 of the STHS with the dynamic website.
-SimonT

JimToupet
The Crazy / Le Fou
Posts: 265
Joined: Wed Jul 02, 2014 10:55 am

Re: IMPORTANT - WebPortal Security fixes release

Post by JimToupet » Thu Jul 14, 2016 1:22 pm

SimonT wrote: 1) Topic is now sticky.
2) This is another reason why you should upgrade to version 3 of the STHS with the dynamic website.
Thanks.

The important work done to make the default website dynamic is a big step, but it's not at the same level as the WebPortal right now, I think. So I understand why leagues stick with the portal (I'm not using it myself but can understand).

Owen
The Crazy / Le Fou
Posts: 453
Joined: Tue Jan 01, 2013 12:43 pm
Contact:

Re: IMPORTANT - WebPortal Security fixes release

Post by Owen » Mon Jul 18, 2016 5:27 pm

I haven't looked the fixes over yet but I CAN confirm there is a security flaw as you described. I know that someone attempted to redirect TUFHL's client file upload page toward a malicious application about a month ago. That was caught, luckily.

Owen
The Crazy / Le Fou
Posts: 453
Joined: Tue Jan 01, 2013 12:43 pm
Contact:

Re: IMPORTANT - WebPortal Security fixes release

Post by Owen » Fri Jul 22, 2016 2:54 pm

Oh those .htaccess files are perfect! This is something I've been wanting to look into for a couple of years! Only thing for me is that I'd prefer for them to redirect back to the main home page instead of a 404 File Not Found.

JimToupet
The Crazy / Le Fou
Posts: 265
Joined: Wed Jul 02, 2014 10:55 am

Re: IMPORTANT - WebPortal Security fixes release

Post by JimToupet » Sat Jul 23, 2016 1:30 pm

Owen wrote: Oh those .htaccess files are perfect! This is something I've been wanting to look into for a couple of years! Only thing for me is that I'd prefer for them to redirect back to the main home page instead of a 404 File Not Found.
Good idea. I'll take a look for that.

JimToupet
The Crazy / Le Fou
Posts: 265
Joined: Wed Jul 02, 2014 10:55 am

Re: IMPORTANT - WebPortal Security fixes release

Post by JimToupet » Sun Jul 31, 2016 10:42 am

Owen wrote: Oh those .htaccess files are perfect! This is something I've been wanting to look into for a couple of years! Only thing for me is that I'd prefer for them to redirect back to the main home page instead of a 404 File Not Found.
Can you try this .htaccess?

RewriteEngine on
RewriteCond %{REQUEST_URI} \.(cgi|html|php)$
RewriteRule (.*) http://www.change_for_your_wanted_url.com/ [R=301]

Owen
The Crazy / Le Fou
Posts: 453
Joined: Tue Jan 01, 2013 12:43 pm
Contact:

Re: IMPORTANT - WebPortal Security fixes release

Post by Owen » Mon Aug 08, 2016 8:43 pm

JimToupet wrote: Can you try this .htaccess?

RewriteEngine on
RewriteCond %{REQUEST_URI} \.(cgi|html|php)$
RewriteRule (.*) http://www.change_for_your_wanted_url.com/ [R=301]
Unfortunately that didn't seem to do anything.

JimToupet
The Crazy / Le Fou
Posts: 265
Joined: Wed Jul 02, 2014 10:55 am

Re: IMPORTANT - WebPortal Security fixes release

Post by JimToupet » Wed Aug 10, 2016 12:38 pm

Can you provide me a link to where you put the .htaccess?

I've tested on my web server and it works well. (www.lhssf.com/test/toto.php - redirect to www.lhssf.com)

The Dude
The Accomplished One / L'Accompli
Posts: 127
Joined: Fri Feb 10, 2012 4:01 pm

Re: IMPORTANT - WebPortal Security fixes release

Post by The Dude » Sun Oct 02, 2016 12:46 pm

Can anyone advise on how to change the admin and news passwords for the portal? I haven't done it in a very long time and can't remember how. I believe I need to access a specific file in the database and make changes to it. I did a search on the forum here and came up with nothing.

I just had a GM PM me with this:
Hey buddy,

Went to download my lines today. When I did I got this weird message [hacked by alawi ibn duzlawi]. Anybody else have this problem?
I uploaded the proper STC league file after sim last night and then this morning there was an ALI.TXT file there.

I'm not computer literate and have no idea how to execute the steps above:
There are two ways of updating your portal:

1) If you have made some changes to the portal, look at the file change commit here and apply or download the changed files, then upload them by FTP.

2) Download the latest release here. Unzip and upload all files EXCEPT Connections/settings.php by FTP.
Is there a step by step for dummies for this?

JimToupet
The Crazy / Le Fou
Posts: 265
Joined: Wed Jul 02, 2014 10:55 am

Re: IMPORTANT - WebPortal Security fixes release

Post by JimToupet » Tue Oct 04, 2016 4:32 pm

You can modify your admin and news password in the settings.php file in the Connections folder.

You should clean your site (remove any hack files) before updating.

There are no more straightforward steps than the second option proposed.

The Dude
The Accomplished One / L'Accompli
Posts: 127
Joined: Fri Feb 10, 2012 4:01 pm

Re: IMPORTANT - WebPortal Security fixes release

Post by The Dude » Thu Dec 01, 2016 2:05 am

JimToupet wrote: You can modify your admin and news password in the settings.php file in the Connections folder.

You should clean your site (remove any hack files) before updating.

There are no more straightforward steps than the second option proposed.
Well, I changed all the passwords and didn't update the portal via option 2 because I figured I'd run into some snags I can't work out. Turns out we were hacked again, so I changed passwords again and decided to try and update the portal with option 2. Looks like I was right. I feel I did everything I was supposed to, and when I go to install, I get this:
Error performing query 'use sths; ': Access denied for user 'mydatabasename'@'%' to database 'sths'

Error performing query ' CREATE TABLE `articlegenerator` ( `A_ID` int(11) NOT NULL AUTO_INCREMENT, `Headline` varchar(50) DEFAULT NULL, `Content` text, `Type` varchar(12) DEFAULT NULL, `Relationship_ID` int(11) DEFAULT NULL, PRIMARY KEY (`A_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; ': Table 'articlegenerator' already exists
And that continues on for pages for each table. Any ideas how I can fix this? I know that the passwords and information in the connections/settings.php file are correct.

Any assistance with this is greatly appreciated.

The Dude
The Accomplished One / L'Accompli
Posts: 127
Joined: Fri Feb 10, 2012 4:01 pm

Re: IMPORTANT - WebPortal Security fixes release

Post by The Dude » Fri Dec 02, 2016 11:44 am

Well, maybe it's time to splurge $10K on a real site lol

JimToupet
The Crazy / Le Fou
Posts: 265
Joined: Wed Jul 02, 2014 10:55 am

Re: IMPORTANT - WebPortal Security fixes release

Post by JimToupet » Sat Dec 03, 2016 10:44 am

You don't have to install anything, simply copy the new .php files except the Connection/settings.php file.

Can you give me your league URL, please?

The Dude
The Accomplished One / L'Accompli
Posts: 127
Joined: Fri Feb 10, 2012 4:01 pm

Re: IMPORTANT - WebPortal Security fixes release

Post by The Dude » Sun Dec 04, 2016 3:16 pm

JimToupet wrote: You don't have to install anything, simply copy the new .php files except the Connection/settings.php file.

Can you give me your league URL, please?
http://www.NHLSL.com

I copied the files over and my portal won't work, it makes me do an install.

My Skype handle is nhlslcommish

If you have Skype maybe add me and I can more easily follow your directions.

I do greatly appreciate your assistance.
