Talk about rush hour.
| Time | Event |
|---|---|
| 5:35 AM | Vulnerability posted, Chris sleeping. |
| 8:26 AM | Woken up by client on the phone, had some issues uploading images to his site. |
| 8:51 AM | Client issues resolved, pushed new changes live to his site. |
| 8:52 AM | Decided to check community forums whilst waiting for client to call back. |
| 8:52 AM | New private message from Tickhi, “Big exploit MyBB 1.2.3”. Sinking feeling in stomach. |
| 8:54 AM | Noticed vulnerability had been published on milw0rm with full proof of concept & exploit scripts. Panic mode sets in. |
| 8:57 AM | Checked staff forums for notification of vulnerability too. Sure enough, it’s posted there as well. |
| 9:00 AM | Transmit (OS X SFTP client) opened, connected to MyBB server. |
| 9:07 AM | Analysed proof of concept to see what was being exploited. |
| 9:14 AM | Patch in place on MyBB Community Forums. |
| 9:17 AM | Noticed several IP addresses in the Who’s Online which look like they’re people attempting to exploit the Community Forums. Stomach just fell to the floor. |
| 9:18 AM | MyBB 1.2.3 release patched, manual patch instructions written. |
| 9:19 AM | Informed users on the IRC channel of patched 1.2.3 release & pasted manual patch instructions to them. |
| 9:24 AM | MyBB 1.2.3 release cloned as MyBB 1.2.4, version check & downloads file updated to show 1.2.4 as the latest version. |
| 9:31 AM | MyBB 1.2.4 changed files archive generated. |
| 9:36 AM | Release announcement written and posted on Community Forums. |
| 9:50 AM | Release announcement written and posted on MyBB site. |
| 10:07 AM | Changed status on MSN Messenger from ‘Appear Offline’ to ‘Online’. Flooded with messages from 6 people. |
| 10:08 AM | Vulnerability scanner written, tested & posted in release announcement. |
| 10:15 AM | Announcements mailing list message written & queued for delivery. |
| 10:35 AM | Breakfast time. |
Comments
Tikitiki (April 4th, 2007, 12:29 pm)
What a day!
Belloman (April 4th, 2007, 12:31 pm)
Exploit patched and fix released in less than five hours…
MyBB Games ‘07 » Blog Archive » Urgent: SQL Injection Discovered (April 4th, 2007, 8:21 pm)
[…] You can also see the amazingly quick process which Chris undertook to release the new […]
MyBB 1.2.4 - Important Security Update at Belloman on the Web (April 6th, 2007, 3:21 pm)
[…] case you’re wondering how quickly this vulnerability was fixed, check out the 1.2.4 timeline at Chris Boulton’s blog. Published April 6th, 2007 in […]
.Lou (April 7th, 2007, 12:56 am)
Nice one Chris, lol
DCR (April 10th, 2007, 3:29 am)
Nice one. Good job. Thanks for the security. Still, as of today, I see people talking about the exploit and hackers finding 1.2.3 forums to harm.
kimmo (April 10th, 2007, 11:49 pm)
But the real question remains….
what??? life’s too short for sleeping!!

Tikitiki (April 11th, 2007, 4:02 pm)
pfft… you’d die without sleep. So technically, it’d be shorter if you didn’t sleep lol
Matt (May 16th, 2007, 2:16 pm)
Nah, you just need lots of Red Bull.
j/k