Nightrider

Wondering why that MOD you have won't install correctly? Let's take a look
Forum rules
DO NOT give out any FTP passwords to anyone! There is no reason to do so! If you need help badly enough, create a temporary FTP account that is restricted to only the files that you need help with and give the information for that. Giving out FTP information can be very dangerous!
Dogs and things
Registered User
Posts: 49
Joined: Sat Sep 23, 2006 10:21 pm
Location: Spain.

Re: Nightrider

Post by Dogs and things »

Well, excuse me again but I'm a bit puzzled now.

As I understand the discussion, one of you is telling me that if I don't take certain measures EM poses a serious security threat for my live board, and on the other side I read that EM doesn't pose more of a threat than does installing MODs in a, let's say, lazy manual manner.

I hope you'll continue this very interesting discussion.

A last remark: As a simple php user I must say that it would be so incredibly nice if modding my board with whatever officially admitted MOD using EM were to be simply flawless. Yesterday I manually installed the Attachment MOD modifying well over 40 files and I must say that this kind of work is very hard and difficult work. Of course, I understand that developing such a MOD is much harder.

But I'm just interested in setting up my board as good and effortlessly as possible, not in spending days on end endlessly copying, pasting and what more. (My god, this sounds so modern_lazy_consumer_like...) :P

Of course, I like to learn about what php really is and does, but there must be nicer ways than just copying and pasting. I believe I learn more watching closely what EM does and learning to help it out than pasting endless chunks of code in exactly the right place.

Hasta luego. ;)
Nightrider
Registered User
Posts: 7219
Joined: Tue Nov 16, 2004 8:54 pm
Location: Florida, US

Re: Nightrider

Post by Nightrider »

You really aren't likely to learn much by doing the tedious task of copying and pasting code from these MODs. You actually learn by seeing how MOD authors tackle each problem that they encounter, and the more MODs that you can install, the more examples you can see of how things can be coded in phpBB. Manually applying code doesn't teach anything to anyone but it does waste a great deal of time that could be better served by analyzing MOD solutions...

EM is not insecure as some would have you believe. If people could gain access to any of the data from EM, the admin has far greater problems with their site than EM. To decrypt the passwords stored in the phpbb_config table, a hacker has to be able to get into the table. If anyone can get into your table, then they can do just about anything to your board. To be able to run EM, they have to be able to log into the phpBB ACP. Once again, if they can get into your ACP, you have much greater concerns than EM...

The database settings are stored in an unsecured area in your phpBB config.php file. Of course unless someone has set the permissions to 777, there is no way to read the config.php file. Unfortunately there are some who don't know better than to set their file and folder permissions to 777. But that is not a security problem with phpBB, but is a problem with the admin themselves...

EM is not a security risk no matter how many times it's repeated. Saying it a thousand times or more doesn't make it true, but it does tend to sway those who don't know any better. It is a shame that some people would pass fiction for fact and be able to convince so many people to believe them...

NMSportster
Registered User
Posts: 31
Joined: Tue Sep 19, 2006 8:54 pm

Re: Nightrider

Post by NMSportster »

Obviously I don't bring anything from a technical standpoint. However, the experience from phpbb is much more difficult to get anywhere unless you are a programming wizard. It is certainly a great database of Mods, but it's geared IMO more to experienced coders and techies and not for the newbies. I certainly am not a techie, and that's why EM was an attractive mod for someone trying to get things done in a technical environment without the schooling or programming knowledge.

Both EM and Nightrider in particular have helped me set up my board with multiple Mods in weeks that I would have not been able to do in a year's time trying to learn everything that is needed. In the process of using EM, I've learned quite a few things in a short time and because of that I'm interested in learning more. Had I tried to do everything manually I would have certainly given up in frustration.

A good example is the Post Icons Mod. It was a complete pain in the arse to manually install it. I put many, many hours (weeks) trying to get it with no luck, didn't get any helpful input at phpbb, actually other people that were having problems were trying to help, which is appreciated but just makes things worse. With EM and Nightrider it took me basically 1 day to get it done and most of the wait was simply because our schedules are different.

I think Nightrider is onto something here and if collectively you geniuses worked together and adopted some of what NR has done here with EM and support, more time would be spent coding new great mods than offering endless support when most of the issues are people having problems or simply screwing up manual installations.

I applaud all of you Programmers for your hard work, but from my short experience I definitely have to agree with Nightrider on the way he's doing things.
Ptirhiik_
Registered User
Posts: 526
Joined: Tue Nov 18, 2003 8:35 am

Re: Nightrider

Post by Ptirhiik_ »

Ok Nightrider, as you are so sure easymod is secured, just take this mod:


##############################################################
## MOD Title:		security proof
## MOD Author:		Ptirhiik < please_use_the_board@clanmckeen.com > (Pierre) http://ptifo.clanmckeen.com
## MOD Description:	/!\ DO NOT INSTALL THIS ON A LIVE ENVIRONMENT WITH EASYMOD /!\
##
## MOD Version:		0.0.1
##
## Installation Level:	Easy
## Installation Time:	1 Minutes
## Files To Edit: 
##			config.php
##
## Included Files:	n/a
## License:		http://opensource.org/licenses/gpl-license.php GNU General Public License v2
##############################################################
## For security purposes, please check: http://www.phpbb.com/mods/
## for the latest version of this MOD. Although MODs are checked
## before being allowed in the MODs Database there is no guarantee
## that there are no security problems within the MOD. No support
## will be given for MODs not found within the MODs Database which
## can be found at http://www.phpbb.com/mods/
##############################################################
## Author Notes:
##
##############################################################
## MOD History:
##
##############################################################
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD
##############################################################
#
#-----[ OPEN ]------------------------------------------------
#
config.php
#
#-----[ FIND ]------------------------------------------------
#
<?php
#
#-----[ AFTER, ADD ]------------------------------------------
#
// a simple comment
#
#-----[ SAVE/CLOSE ALL FILES ]--------------------------------
#
# EoM

As you can see, the mod itself is perfectly secured, matches the MOD template requirements, is EMC as far as we can tell according to the existing EMC rules, so there is absolutely no problem with it. It would validate all investigations and would be officially released as is according to the MOD policy rules, so any user willing to install it can go eyes closed with it.

Now install it with easyMOD on a live environment (let's say the mod directory is called mod-security_proof/), and hit
http://www.your_site.com/your_forum/admin/mods/ ,
http://www.your_site.com/your_forum/admin/mods/mod-security_proof/backups/ , or
http://www.your_site.com/your_forum/admin/mods/mod-security_proof/processed/

Don't you see something slightly disturbing ?.. Such as a fundamental user/password disclosure ?

And this is not the only flaw with easyMOD running on a live board: this one is obvious, but exists (ie one of the joomla bridge requires config.php edition, but it is not the only one). With easyMOD used live to install mods, you have very easily access to all the files modified by the mods installed live with easyMOD, so the exact ones you can expect security breaches due to a not bullet-proofed modification. easyMOD is so very helpful for hackers to explore a targeted board on scripts they wouldn't have even thought they were modified, as you give them the list of the installed mods plus the modified files, plus the mods themselves. Even custom modifications (eg not installed with easyMOD) can be disclosed this way (a single mod modifying the script, and there you are).

You are still claiming it is a wise thing to run easyMOD on live environment ? And here I'm talking only of direct security breaches, I don't deal with board screwed due to mod installed live (so without any test stage) but incompatible between each others regarding the run (eg not the install itself)...

Use easyMOD, why not as it can help, but never on a live environment but on a localhost, cut from the outside world. easyMOD is still a beta api, and there are security risks (I would qualify them as medium to high severity) beyond the mods themselves to run it on a live environment, that simple.
Nightrider
Registered User
Posts: 7219
Joined: Tue Nov 16, 2004 8:54 pm
Location: Florida, US

Re: Nightrider

Post by Nightrider »

Ptirhiik, thanks for returning to try to help improve EM...

As you are fully aware, utilities, MODs, phpBB, etc evolve and as problems are found, they can be corrected. I don't imagine any of your MODs are still at version 1.0.0. Why is that? Perhaps you improved the MODs, found security flaws, corrected bugs, etc. But instead of telling people to avoid your MODs out of concern that they may have flaws, you correct the bugs and release an updated version. The same is true for every MOD, phpBB version, and EM. So if/when anyone finds a security issue in a MOD, phpBB, or EM, it is usually best to bring it to the attention of the developer so that the concern can be addressed...

I will concede that your little test MOD above could prove to be a concern. But a lot of events need to occur before this could adversely affect anyone....

First, a MOD author/hacker has to develop a MOD that modifies the config.php file. I have a great many of the MODs from phpBB installed on my site and I have yet to see a MOD in the phpBB MOD database that modifies the config.php file. I have seen ONE MOD that actually improved the security on the config.php file and I think it came from phpBBHacks.com. But very few people have installed it. A great many of the MODs from phpBBHacks.com cannot be installed by EM in their present state because they follow no real modding standard like found at phpBB.com...

Second, for your scenario to be a problem, someone needs to find and install a MOD that alters the config.php file using EM. Again, I have yet to see more than ONE MOD out of the thousands of available MODs that does that and it is not included in the phpBB MOD Database. So what are the odds that someone will find and install that MOD using EM? I would say fairly slim...

Third, the MOD author/hacker has to know who is installing the hack using EM and where. They have to know who downloaded it and who is using EM. Then the MOD author/hacker has to know the board address of the site where the MOD was installed using EM. So how does a MOD Author/hacker find what they need to be able to use their hack against those who have installed it? Perhaps you have visions of MOD authors/hackers poring through their logs to find IP addies and they spend endless hours trying to find sites that they can hack...

Fourth, the MOD author needs to remain anonymous so that they cannot be caught so that they can continue to get away with it. With the number of people who are aware of security concerns, I don't imagine that a MOD Author/Hacker who is deliberately attempting to hijack a site would be able to get many to install their MODs if their sites are continuously shut down by their hosts after getting caught. So the chances that anyone would find and install their MODs is extremely limited...

Fifth, the only way to take advantage of this is if the admin fails to remove the MOD folder from admin/mods after the MOD was installed. So not only does the MOD Author/hacker need to know who downloaded their MOD/Hack and used EM to install it, but they have to figure out the address of the site AND they also need to act quickly before the admin deletes the MOD folder from admin/mods after the MOD has been successfully installed. So the MOD Author/hacker has very little time to waste to track down vulnerable sites...

Sixth, far more people change the file and folder permissions to 777, which is far more dangerous than the chance that they may find a MOD that modifies their config.php file and use EM to install it...

Seventh, on almost every MOD, admins are told to create backups of their files before modifying them. So how many admins store those backups in a new folder in their phpBB folder? I imagine a great deal keep all the files on their sites. So a person who follows the suggestions to create backups of their files and stores it on their site before manually modifying their board is creating the same problem as in your scenario. So it is now also dangerous to manually modify your board if you don't realize that creating a backup of the config.php file and storing it on your site could be a huge security problem...

I appreciate your taking the time to help make EM the best that it could be. This is an extremely small problem that hopefully can be addressed in the next EM version. The risk to MOST sites is minimal since the odds that this hack can be used against them is extremely slim. To tell people to use the far more risky method of manually modifying their files just doesn't make much sense since this scenario is very unlikely to occur. It is far better, faster, and accurate to use EM to install MODs, whether on a Live or Test board, than it ever would be to manually modify the files...

Ptirhiik, if you know of any MODs that modify the config.php file, I will do my best to warn people either not to install them or to remove the MOD's backups and processed folders as soon as the MOD is installed. Your assistance in pointing out these dangerous MODs would be greatly welcome and appreciated...
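
An added example, not part of any post in this thread and not EasyMOD's own code: a local audit an admin can run against their own forum directory to find what the two posts above argue about, namely leftover `backups/` and `processed/` copies under `admin/mods/` and any file there that carries database credentials. The `$dbuser`/`$dbpasswd` variable names assume a stock phpBB 2 config.php, and the `.txt` file names and sample contents are constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumption: a stock phpBB 2 config.php, which assigns $dbuser / $dbpasswd.
CRED_RE = re.compile(rb"\$db(passwd|user)\s*=")
WORK_DIRS = {"backups", "processed"}   # folder names quoted in the thread


def audit_mods_dir(forum_root):
    """Return (relative_path, reasons) for every leftover file worth removing."""
    mods_root = os.path.join(forum_root, "admin", "mods")
    findings = []
    for dirpath, _dirs, files in os.walk(mods_root):
        rel_parts = os.path.relpath(dirpath, mods_root).split(os.sep)
        in_work_dir = bool(WORK_DIRS.intersection(rel_parts))
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            reasons = []
            if in_work_dir:
                reasons.append("working-copy")
            try:
                with open(path, "rb") as fh:
                    if CRED_RE.search(fh.read(1 << 20)):
                        reasons.append("db-credentials")
                if os.stat(path).st_mode & 0o002:
                    reasons.append("world-writable")  # the 777 case
            except OSError:
                reasons.append("unreadable")
            if reasons:
                findings.append((os.path.relpath(path, forum_root), reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: one installed MOD that edited config.php."""
    mod = os.path.join(root, "admin", "mods", "mod-security_proof")
    samples = {
        "install.txt": "## MOD Title: security proof\n",
        "backups/config.php.txt": "<?php\n$dbuser = 'example';\n$dbpasswd = 'constructed';\n",
        "processed/config.php.txt": "<?php\n// a simple comment\n$dbpasswd = 'constructed';\n",
        "processed/posting.php.txt": "<?php\n// constructed stand-in\n",
    }
    for rel, body in samples.items():
        path = os.path.join(mod, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, reasons in audit_mods_dir(root):
            print(f"{rel}: {', '.join(reasons)}")
```

Anything reported as `db-credentials` should be deleted from the web root and the database password rotated; `working-copy` entries are the per-MOD folders the thread says to remove once an install has finished.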

Ptirhiik_
Registered User
Posts: 526
Joined: Tue Nov 18, 2003 8:35 am

Re: Nightrider

Post by Ptirhiik_ »

This is not this little sample mod which is dangerous, I think you didn't measure where the threat stands. For example, I've been able to check your posting.php, and determine some potential points that could be used to attack your board (mods not upgraded, security patches not applied, and so on). If I was a bad guy, I could explore them one by one, as I had in hand your exact script, which makes things much easier than without the script. I still don't get how you refuse to see this, this is really a medium to severe security issue, and you can be sure any mod disclosing user side a script designed to run will be immediately denied by the mod team as being a major security flaw. You should never run a beta on a live environment, this is a basic rule you will find any and everywhere. Even RC versions are not recommended. This is especially true when a script has been proved to disclose information that can be used to attack a site.

And remember also what I've dealt with along the latest post is not the only breach, nor the only threat. This one is simply the more obvious, so the more easy to understand.
Nightrider
Registered User
Posts: 7219
Joined: Tue Nov 16, 2004 8:54 pm
Location: Florida, US

Re: Nightrider

Post by Nightrider »

Thanks again for returning to help improve EM rather than to continue trashing a valuable and powerful tool that is used by thousands of happy EM users. It is good to see that you are now working to help make the modding experience even better for experts and beginners alike. Thanks for devoting your attention to this matter Ptirhiik. We all benefit when we work together...

I would be more than interested in seeing and discussing any other issues that you consider a security threat. If the unlikely config.php hack attempt is not the greatest concern that you have, feel free to post more. Since I too am a programmer by trade, I can discuss the more complicated issues that you might have, so don't hold back. I should be able to analyze your concerns to determine the level of risk that each may pose. The more you can offer, the better the chance that it can be used to better secure future EM releases...

The more we can work together, the more we should be able to put all of your fears to rest. I appreciate your interest in helping to make EM the best possible install tool for all. Together we can make a difference...

Ptirhiik_
Registered User
Posts: 526
Joined: Tue Nov 18, 2003 8:35 am

Re: Nightrider

Post by Ptirhiik_ »

Sorry, but I won't go further publicly about security issues present in easyMOD. I simply quoted these ones as they are well-known and obvious, in order to make you understand how dangerous it is to use easyMOD on live environment, so to make you stop advising blindly anybody to use it live: for what I see, you don't seem to take much care of unsecuring the boards of the users you give advice to, and this is a major concern for me (and probably for the great majority of mods authors). I assume you didn't know these issues and their consequences, now it is no more the case.

Regarding my contributions to easyMOD, I either don't want to make them public unless they are generic matter concern: both (contributions and security reports) are dealt with the devs from the MOD team on the back scene, as I always did.
Nightrider
Registered User
Posts: 7219
Joined: Tue Nov 16, 2004 8:54 pm
Location: Florida, US

Re: Nightrider

Post by Nightrider »

As always, you are free to PM me with anything that you feel is too sensitive for public consumption. Of course everyone has a right to know the details, so it would be best to carry on the conversation publicly. But if you aren't willing to do so, don't hesitate to PM me with any details to back your claims...

It is easy to make claims, but when kept "secret", it's hard to believe that there is any proof to support them. Here in the US, we currently have a government that believes that the people don't have a right to know anything. You sound a lot like those "leaders" and now their lack of credibility is coming back to bite them in the arse...

Please feel free to support your claims. The more you share, the more likely your concerns can be addressed...

Ptirhiik_
Registered User
Posts: 526
Joined: Tue Nov 18, 2003 8:35 am

Re: Nightrider

Post by Ptirhiik_ »

Sorry, but you can not address them (nor I can): only the easyMOD dev from the MOD team can. The issue I have quoted above is enough for you to understand one of the obvious security breach, and one is enough to make the decision till it is fixed or patched, what is not the case at this very time.