Vulnerable to Heartbleed Bug :(

[CthulhuLuke]

Hey guys, been lurking here a loooooooong time.

Anyway, just wanted to let you know that arcadecontrols.com is vulnerable to the Heartbleed bug Someone who has the ability needs to update the server software on here to get a non-vulnerable OpenSSL server.

[Louis Tully]

.

[bochi]

Its bad

(This is CthulhuLuke, I can't see any passwords but you get cookie dumps :/ :/ )

[404]

yep, just tested it myself. Admins need to update asap.

[yotsuya]

Looks like the bug affected your signature file line.

If this gets Tapatalk fixed, go for it!

[saint]

I've updated the OpenSSL. 

I didn't realize anyone was using https to access the forum though. Are folks?

CthulhuLuke, 404 - still seeing vulnerabilities?

[wp34]

I've updated the OpenSSL. 

I didn't realize anyone was using https to access the forum though. Are folks?

CthulhuLuke, 404 - still seeing vulnerabilities?

I assumed that the login page was https but it is not.  Is it an option to require SSL for the login page?

[404]

I've updated the OpenSSL. 

I didn't realize anyone was using https to access the forum though. Are folks?

CthulhuLuke, 404 - still seeing vulnerabilities?

Still reports as vulnerable but this time around i couldn't dump cookies.

[saint]

Thank you - what tool are you using to assess the vulnerability?

[404]

^^ heartbleeder
https://github.com/titanous/heartbleeder

Although i think the biggest issue here is that your cert was signed over 2 years ago. I'd try to get a new cert (your host should be more than accommodating during this situation)Best method to patch this up is to tweak settings and then just use some of the more common, online testers to check your settings as you go along.

http://filippo.io/Heartbleed/
https://lastpass.com/heartbleed/

If you happen to have a cert by geotrust, they have created a quick form that allows you to get a new cert very fast
https://products.geotrust.com/orders/orderinformation/authentication.do

[saint]

That's the thing I have to puzzle out - I don't have a cert that I'm aware of I may have a self-signed cert, sirwoogie may have set something up, but I've never purchased a cert for the server here.

[404]

That's the thing I have to puzzle out - I don't have a cert that I'm aware of I may have a self-signed cert, sirwoogie may have set something up, but I've never purchased a cert for the server here.

yeah, I would ask sirwoogie to get more details on the cert situation. There is definitely something there but it is definitely old.  Also make sure the heartbeat extension is enabled.

[CthulhuLuke]

fox_heartbleedtest.py says you are no longer vulnerable.  ( http://foxitsecurity.files.wordpress.com/2014/04/fox_heartbleedtest.zip )

That is what I used to get bochi's cookie, you could basically set it up in a loop dumping memory and looking for cookies that contain SMF20=

Your certificate is definitely self-signed. The issuer is sirwoogie@gmail.com.

[404]

fox_heartbleedtest.py says you are no longer vulnerable.  ( http://foxitsecurity.files.wordpress.com/2014/04/fox_heartbleedtest.zip )

That is what I used to get bochi's cookie, you could basically set it up in a loop dumping memory and looking for cookies that contain SMF20=

Your certificate is definitely self-signed. The issuer is sirwoogie@gmail.com.

strange. when i checked earlier this morning it was showing up as still vulnerable. Now i just checked with heartbleeder and it times out. 

[PL1]

Does the wiki need to be patched, too?


Scott

[yotsuya]

What does all this have to do with Tapatalk?