[Security Vulnerability/Security Alert] Admin List

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
EliteLamer
Registered User
Posts: 67
Joined: Sat Mar 27, 2004 1:07 am
Location: Europe.

[Security Vulnerability/Security Alert] Admin List

Post by EliteLamer »

I have experienced a vulnerability where malicious users can hack a phpBB with X exploit. The exploit doesn't matter, the point I want to make is this.

If a user creates multiple admin users, the "real" admins have no way to track which users are admins. Now I'm currently aware of a mod for phpBB which will supply an "admin list". Though I think it would be in the phpBB team of experts' interests to make this a default feature.

I have experienced not only hidden admins being created, but some of them being run by bots, who can also take malicious actions on the forum at any automated time, with no way for the "real" admin to keep track or identify which user(s) have been made admins.

So, even if you do discover X vulnerability and patch it, the hidden/malicious admin users are still left undetected.
Member of the security community.
Wert
Registered User
Posts: 400
Joined: Tue Jul 03, 2001 8:33 pm

Re: [Security Vulnerability/Security Alert] Admin List

Post by Wert »

Feature requests need to go on the tracker.
Need good web hosting? I recommend Hostrocket.
ve4jhj
Registered User
Posts: 69
Joined: Tue Mar 16, 2004 4:07 am
Location: Mons Olympus

Re: [Security Vulnerability/Security Alert] Admin List

Post by ve4jhj »

last time i checked, the admin(s) with database access can tell at a glance who's an admin or not, and change that user's settings at will...but that's not the point. the point is you have either evidently not read the description of this forum, or ignored it, as it clearly states to post requests to the feature tracker
NO PM or IM support offered!!
thank you!
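The database-side check mentioned in the post above, as an added example that is not part of the thread or of phpBB's own code: it compares privileged accounts against a baseline kept outside the forum. It assumes the phpBB 2.0.x `phpbb_users` table with `user_level` 1 for admins and 2 for moderators; the sample rows, the baseline and the function names are constructed for the demo, and SQLite stands in for the real database.

```python
import sqlite3

# Assumed phpBB 2.0.x user_level values: 1 = admin, 2 = moderator, 0 = normal user.
PRIVILEGED = {1: "admin", 2: "moderator"}

# Constructed baseline of approved accounts; keep the real one outside the forum
# database so an intruder with admin access cannot edit it.
BASELINE = {2: ("founder", "admin"), 5: ("helper", "admin"), 9: ("oldmod", "moderator")}

def build_sample_db():
    """Constructed stand-in for the forum database; all rows are invented."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phpbb_users ("
               "user_id INTEGER PRIMARY KEY, username TEXT, user_level INTEGER)")
    db.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)", [
        (2, "founder", 1),
        (5, "helper", 2),       # role differs from the baseline
        (9, "oldmod", 0),       # approved moderator, now demoted
        (17, "regular", 0),
        (301, "sys_maint", 1),  # admin that nobody approved
        (302, "helper2", 2),    # moderator that nobody approved
    ])
    return db

def audit_privileged(db, baseline):
    """Return (user_id, username, finding) for every deviation from the baseline."""
    rows = db.execute(
        "SELECT user_id, username, user_level FROM phpbb_users "
        "WHERE user_level IN (1, 2) ORDER BY user_id").fetchall()
    findings, seen = [], set()
    for user_id, username, level in rows:
        role = PRIVILEGED[level]
        seen.add(user_id)
        expected = baseline.get(user_id)
        if expected is None:
            findings.append((user_id, username, "unexpected " + role))
        elif expected != (username, role):
            findings.append((user_id, username, "changed since baseline"))
    # Approved accounts that lost their role are worth a look too.
    for user_id in sorted(set(baseline) - seen):
        findings.append((user_id, baseline[user_id][0], "no longer privileged"))
    return findings

if __name__ == "__main__":
    for finding in audit_privileged(build_sample_db(), BASELINE):
        print(finding)
```

Run after patching the original hole, this surfaces accounts that were promoted while the board was compromised, which is the gap the first post describes.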
EliteLamer
Registered User
Posts: 67
Joined: Sat Mar 27, 2004 1:07 am
Location: Europe.

Re: [Security Vulnerability/Security Alert] Admin List

Post by EliteLamer »

This is not a feature request. It is a security vulnerability & advisory.

I am not requesting a functionality here, merely highlighting a security problem.
Member of the security community.
Graham
Registered User
Posts: 1304
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Re: [Security Vulnerability/Security Alert] Admin List

Post by Graham »

Ummm, have you looked at CVS?

I can only assume that you are referring to something in 2.0.x

The Admin permissions screen already gives you a list of all the users and groups who have access to some (or all) of the Admin section. There is only one potential exception to this that I can think
"So Long, and Thanks for All the Fish"

Graham
Eeek, a blog!
SamG
Registered User
Posts: 1241
Joined: Fri Aug 31, 2001 6:35 pm

Re: [Security Vulnerability/Security Alert] Admin List

Post by SamG »

And even if this were to refer to 2.1, it seems to me to be a premature advisory. phpBB 2.1 isn't supposed to be used in a production or public environment. That caution can be seen as a blanket security advisory as well as a practical matter. By not using 2.1 in a production or public environment, any existing security issues are comprehensively and effectively addressed pending 2.2 beta release.

Should a vulnerability survive to 2.2 beta, then obviously there would be a need to issue just such an advisory, though through the dedicated security channel and not in the open forums.

Just my opinion ...
"I hate trolls!" - Willow Ufgood
Roberdin
Registered User
Posts: 1546
Joined: Wed Apr 09, 2003 8:44 pm
Location: London, United Kingdom

Re: [Security Vulnerability/Security Alert] Admin List

Post by Roberdin »

Besides, you should be able to trust your admins anyway. Otherwise, why make them admins?
Rob
EliteLamer
Registered User
Posts: 67
Joined: Sat Mar 27, 2004 1:07 am
Location: Europe.

Re: [Security Vulnerability/Security Alert] Admin List

Post by EliteLamer »

Roberdin wrote: Besides, you should be able to trust your admins anyway. Otherwise, why make them admins?

We are not talking about "legal" admins doing anything malicious. We are talking about if you do get hacked. Hidden admin user(s) created by the hacker can be left hidden for the hacker to visit the forum at any given time and carry out "illegal" tasks and generally cause mayhem.
Member of the security community.
EliteLamer
Registered User
Posts: 67
Joined: Sat Mar 27, 2004 1:07 am
Location: Europe.

Re: [Security Vulnerability/Security Alert] Admin List

Post by EliteLamer »

Graham wrote: I can only assume that you are referring to something in 2.0.x

This refers to all versions of phpBB. Old and new.
Member of the security community.
EliteLamer
Registered User
Posts: 67
Joined: Sat Mar 27, 2004 1:07 am
Location: Europe.

Re: [Security Vulnerability/Security Alert] Admin List

Post by EliteLamer »

No moderator and admin list is available for "real" admins to keep track of any possible illegal admin permissions made by a hacker.

This is a vulnerability hackers can take advantage of, as they know they can have hidden admin permissions and will go undetected for months, years and forever.
Member of the security community.