Malware attack at the GMC
September 7, 2008
UPDATE: The situation is now over, and the iframe has been removed. Google will still list the GMC as a “malicious website” until they recrawl it.
Some users at the official Game Maker Community have today reported receiving warnings from their antivirus software or web-browsers when viewing the forum.
The alerts are triggered by an iframe which appears to have been maliciously inserted in the forum header. They were first reported at around 1:10pm BST.
Two hours after the attack was originally reported it was clear that the GameMaker Community remained vulnerable, as the offending URL in the iframe had been changed from its original to another dubious site.
KC LC’s attempted explanation, “It’s probably being generated by one of the advertisers on YYG”, does not seem remotely plausible to me and I believe the code is more likely to have been the result of a MySQL injection.
NakedPaulToast helpfully provided a link identifying the vulnerability within the Invision Power Board software which is used to run the forum.
A vulnerability has been identified in Invision Power Board (IP.Board), which could be exploited by attackers to manipulate and inject SQL queries. This issue is caused by an input validation error in the “xmlout.php” script when processing the “name” parameter, which could be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information.
A patch was released on August 29th, so obviously the forum software has not been kept up-to-date.
At around 3:10pm BST YoYo Games CEO Sandy Duncan began writing a post to users of the forum; however, this post has not yet appeared.
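An added example, not part of the original post and not YoYo Games' or Invision's code: a defender's check for the kind of iframe described above, run over forum template bodies. The template names, sample markup and allowed hosts are constructed assumptions, and the check presumes the templates have already been dumped to strings.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this forum legitimately frames (constructed values).
ALLOWED_HOSTS = {"forum.example.org", "ads.example.org"}

class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a template."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # the parser lower-cases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})

def is_hidden(attrs):
    """True for zero-size or invisible frames."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def audit_templates(templates, allowed_hosts=ALLOWED_HOSTS):
    """Return (template_name, src, reasons) for each suspicious iframe."""
    findings = []
    for name, html in templates.items():
        finder = IframeFinder()
        finder.feed(html)
        for attrs in finder.iframes:
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            reasons = []
            if host and host not in allowed_hosts:
                reasons.append("external host")
            if is_hidden(attrs):
                reasons.append("hidden frame")
            if reasons:
                findings.append((name, src, reasons))
    return findings

# Constructed sample: template bodies as they might be dumped from storage.
SAMPLE_TEMPLATES = {
    "global_header": '<div id="logo"></div>'
                     '<IFRAME SRC="http://unknown-host.invalid/x" width=0 height=0></IFRAME>',
    "ad_slot": '<iframe src="//ads.example.org/banner" width="468" height="60"></iframe>',
    "board_index": "<table><tr><td>Forums</td></tr></table>",
}
```

Calling `audit_templates(SAMPLE_TEMPLATES)` flags only the constructed `global_header` entry; a relative `src` has no host and is reported only if the frame is also hidden.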
11 Replies to “Malware attack at the GMC”
How’s it going?
[…] over a year ago malicious software was injected into the forum after YoYo Games failed to install a critical security […]
[…] on GameMaker Blog the discovery of Malware on the official community forum led to a 50% increase in daily visits, pageviews and uniques to […]
[…] The malware which had been inserted into the forum template at YoYo Games’ Game Maker Community was finally removed yesterday. […]
I’m not sure if this is the case with IPB, but some forum software may store template files in the database. There are most likely also other ways to alter the IPB database to result in the malicious iframe being embedded in the page.
I’ve been browsing the GMC knowing that this was happening (using Firefox) and I ran some software today and my computer is still clean. Could be shitty software or could just be that it’s safe to go to the GMC. I go with option 2.
And just how would a sql query change the html code of the page?
I’m glad I check Game Maker Blog every day before I go to the GMC. It’s quite possible that you’ve saved my computer from infection, Mr. Gamble. Thanks!
[…] This live blog below is now closed, but you can replay it. A textual article on the topic of GameMaker Community viruses can be found here. […]
[…] to Phil Gamble on the Game Maker Blog, it may be possible that the forum code was altered by the use of a technique called ‘MySQL […]