I have experienced a vulnerability where malicious users can hack a phpBB with X exploit. The exploit doesn't matter; the point I want to make is this.
If a user creates multiple admin users, the "real" admins have no way to track which users are an admin. Now I'm currently aware of a mod for phpBB which will supply an "admin list", though I think it would be in the phpBB team of experts' interests to make this a default feature.
I have experienced not only hidden admins being created, but some of them being run by bots, which can also take malicious actions on the forum at any automated time, with no way for the "real" admin to keep track of or identify which user(s) have been made admins.
So, even if you do discover X vulnerability and patch it, the hidden/malicious admin users are still left undetected.
[Security Vulnerability/Security Alert] Admin List
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
-
- Registered User
- Posts: 67
- Joined: Sat Mar 27, 2004 1:07 am
- Location: Europe.
[Security Vulnerability/Security Alert] Admin List
Member of the security community.
Re: [Security Vulnerability/Security Alert] Admin List
Feature requests need to go on the tracker.
Re: [Security Vulnerability/Security Alert] Admin List
Last time I checked, the admin(s) with database access can tell at a glance who's an admin or not, and change that user's settings at will... but that's not the point. The point is you have either evidently not read the description of this forum, or ignored it, as it clearly states to post requests to the feature tracker.
NO PM or IM support offered!!
thank you!
-
- Registered User
- Posts: 67
- Joined: Sat Mar 27, 2004 1:07 am
- Location: Europe.
Re: [Security Vulnerability/Security Alert] Admin List
This is not a feature request. It is a security vulnerability & advisory.
I am not requesting functionality here, merely highlighting a security problem.
Member of the security community.
Re: [Security Vulnerability/Security Alert] Admin List
Ummm, have you looked at CVS?
I can only assume that you are referring to something in 2.0.x
The Admin permissions screen already gives you a list of all the users and groups who have access to some (or all) of the Admin section. There is only one potential exception to this that I can think
Re: [Security Vulnerability/Security Alert] Admin List
And even if this were to refer to 2.1, it seems to me to be a premature advisory. phpBB 2.1 isn't supposed to be used in a production or public environment. That caution can be seen as a blanket security advisory as well as a practical matter. By not using 2.1 in a production or public environment, any existing security issues are comprehensively and effectively addressed pending 2.2 beta release.
Should a vulnerability survive to 2.2 beta, then obviously there would be a need to issue just such an advisory, though through the dedicated security channel and not in the open forums.
Just my opinion ...
"I hate trolls!" - Willow Ufgood
-
- Registered User
- Posts: 1546
- Joined: Wed Apr 09, 2003 8:44 pm
- Location: London, United Kingdom
Re: [Security Vulnerability/Security Alert] Admin List
Besides, you should be able to trust your admins anyway. Otherwise, why make them admins?
Rob
-
- Registered User
- Posts: 67
- Joined: Sat Mar 27, 2004 1:07 am
- Location: Europe.
Re: [Security Vulnerability/Security Alert] Admin List
Roberdin wrote: Besides, you should be able to trust your admins anyway. Otherwise, why make them admins?
We are not talking about "legal" admins doing anything malicious. We are talking about if you do get hacked. Hidden admin user(s) created by the hacker can be left hidden for the hacker to visit the forum at any given time and carry out "illegal" tasks and generally cause mayhem.
Member of the security community.
-
- Registered User
- Posts: 67
- Joined: Sat Mar 27, 2004 1:07 am
- Location: Europe.
Re: [Security Vulnerability/Security Alert] Admin List
Graham wrote: I can only assume that you are referring to something in 2.0.x
This refers to all versions of phpBB. Old and new.
Member of the security community.
-
- Registered User
- Posts: 67
- Joined: Sat Mar 27, 2004 1:07 am
- Location: Europe.
Re: [Security Vulnerability/Security Alert] Admin List
No moderator and admin list is available for "real" admins to keep track of any possible illegal admin permissions made by a hacker.
This is a vulnerability hackers can take advantage of, as they know they can have hidden admin permissions and will go undetected for months, years and forever.
Member of the security community.
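The check the thread keeps circling back to (who actually holds admin or moderator rights, and does that match what the board owner expects) can be done straight against the database, as the earlier reply notes. The script below is an added example, not phpBB code: it models the phpBB 2.0.x `phpbb_users` / `phpbb_user_group` / `phpbb_auth_access` tables in an in-memory SQLite database with constructed rows, lists every privileged account, and diffs that against a baseline the real admin keeps. The `phpbb_` prefix and the `user_level` constants (USER=0, ADMIN=1, MOD=2) follow phpBB 2.0 defaults but are assumptions here.

```python
import sqlite3

# Assumed phpBB 2.0.x constants and default table prefix.
ADMIN, MOD = 1, 2

# Minimal subset of the assumed phpBB 2.0.x schema.
SCHEMA = """
CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT, user_level INTEGER);
CREATE TABLE phpbb_user_group (group_id INTEGER, user_id INTEGER, user_pending INTEGER);
CREATE TABLE phpbb_auth_access (group_id INTEGER, forum_id INTEGER, auth_mod INTEGER);
"""

def load_sample():
    """Constructed sample board: 'admin' is legitimate, 'updates_bot' was given
    user_level=ADMIN without the owner's knowledge, 'helper' moderates forum 5
    through group 10. All rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO phpbb_users VALUES (?,?,?)",
                     [(1, "admin", ADMIN), (2, "alice", 0),
                      (3, "updates_bot", ADMIN), (4, "helper", 0)])
    conn.executemany("INSERT INTO phpbb_user_group VALUES (?,?,?)",
                     [(10, 4, 0), (11, 2, 1)])   # 'alice' is only pending
    conn.executemany("INSERT INTO phpbb_auth_access VALUES (?,?,?)",
                     [(10, 5, 1), (11, 5, 1)])
    return conn

def privileged_accounts(conn):
    """Return {username: kind} for every account that is an admin or moderator by
    user_level, or that gets auth_mod on any forum via a non-pending group."""
    found = {}
    for name, level in conn.execute(
            "SELECT username, user_level FROM phpbb_users WHERE user_level IN (?, ?)",
            (ADMIN, MOD)):
        found[name] = "admin" if level == ADMIN else "mod"
    forum_mods = """SELECT DISTINCT u.username FROM phpbb_users u
                    JOIN phpbb_user_group ug ON ug.user_id = u.user_id AND ug.user_pending = 0
                    JOIN phpbb_auth_access aa ON aa.group_id = ug.group_id
                    WHERE aa.auth_mod = 1"""
    for (name,) in conn.execute(forum_mods):
        found.setdefault(name, "forum-mod")
    return found

def unexpected(conn, baseline):
    """Privileged accounts the board owner did not list in the baseline."""
    return {n: k for n, k in privileged_accounts(conn).items() if n not in baseline}

if __name__ == "__main__":
    print(unexpected(load_sample(), {"admin"}))
```

Run periodically against a live board, a non-empty result is the "hidden admin" case the thread describes; each run should also be logged so a later cleanup has a record of when the extra privilege first appeared.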