[Security Vulnerability/Security Alert] Admin List
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: [Security Vulnerability/Security Alert] Admin List
Vulnerability my rear end, it's a missing feature you can quickly overcome with a quick check of the database. A vulnerability is a bug/s that allow a 3rd party to gain unlawful entry to an application. This is not a vulnerability.
-
- Registered User
- Posts: 67
- Joined: Sat Mar 27, 2004 1:07 am
- Location: Europe.
Re: [Security Vulnerability/Security Alert] Admin List
psoTFX wrote:Vulnerability my rear end, it's a missing feature you can quickly overcome with a quick check of the database. A vulnerability is a bug/s that allow a 3rd party to gain unlawful entry to an application. This is not a vulnerability.
It is not a vulnerability that you allow hackers to hack a phpBB with X exploit and then to be able to hide for any length of time?
This is a serious security problem for you to address with urgency.
Member of the security community.
Re: [Security Vulnerability/Security Alert] Admin List
No, the hole allowing access would be a vulnerability. Not being able to "easily" see a list of admins is not a vulnerability.
Re: [Security Vulnerability/Security Alert] Admin List
The whole issue here is not being able to see who's an admin but that the database has been hacked.
If my database was hacked, admin list or no admin list, I would be screwed.
More "damage" could be caused by hacking the database than simply being a fully blown admin. Corrupt tables... even deleted tables or alteration of info...
If a hacker could hack to alter your database to make themselves an admin, they could do anything. They could even edit your little admin script so they won't appear on it...
This is a security issue which phpbb or any other organisation can do nothing... absolutely NOTHING to prevent.
If anything, any company or any home user gets a hacker successfully into their systems, nothing would really stop them in their tracks.
Putting in a feature so you can see who are admins is just over bloating phpBB... by making a security measure... so you can know if someone will be scrambling up your database soon.
On another note... how would this really help much more than what you currently have? Will you ban/delete that admin? Just so the hacker can go back in the database... unban themselves?
What a hacker can do to destroy your board is endless. Get over it. If you care so much, get onto the backs of the people who've made your database so it isn't so easy to hack.
Re: [Security Vulnerability/Security Alert] Admin List
EliteLamer wrote:Ok. 8O
I don't actually appreciate this response. You have and continue to fail to see the point of what I'm saying.
A vulnerability is a failure in the source allowing someone unlawful entrance to areas of your forum for which they do not have permission. What you are complaining about is a "missing" feature enabling you to more "easily" tell if someone has gained admin privs due to an existing vulnerability.
My response is this will not happen in 2.0.x, it is feature fixed and this is not something that will make much if any difference to the vast majority of users at this time. It is not a vulnerability and if you continue to call it such you will only succeed in making yourself look quite foolish.
If you believe someone has made use of an existing vulnerability to gain admin privs do the following:
1) Take your forum offline
2) Using phpMyAdmin, CLI, whatever run the following query on your database:
SELECT user_id, username FROM phpbb_users WHERE user_level = 1
3) Update your phpBB 2.0.x installation to the latest available and ensure you keep it updated. Similarly update any Mods if you believe they are at fault ... Mods have zip to do with us so if they have a security issue you should contact the relevant author.
4) Change your passwords, your hosting account password (or user password), your database passwords (as and if necessary)
5) Re-enable phpBB
6) Change your phpBB password/s (all your admins and moderators should do this).
End of story.
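The check in step 2, turned into a repeatable audit, as an added example that is not part of the original post or of phpBB: it runs the same query and compares the result with a known-good list of administrators. The in-memory SQLite table is a constructed stand-in holding only the three columns the query uses, and the `EXPECTED_ADMINS` allowlist and all sample usernames are hypothetical.

```python
import sqlite3

# The query from the post; it selects the rows the post treats as admins.
ADMIN_QUERY = "SELECT user_id, username FROM phpbb_users WHERE user_level = 1"

# Hypothetical allowlist: the admins you actually granted, keyed by user_id.
EXPECTED_ADMINS = {2: "boardowner"}


def audit_admins(conn, expected):
    """Diff the admin rows in the database against a known-good map."""
    actual = {uid: name for uid, name in conn.execute(ADMIN_QUERY)}
    return {
        # Admin rows nobody granted: the "hidden admin" case from the thread.
        "unexpected": sorted((u, n) for u, n in actual.items()
                             if u not in expected),
        # Same user_id, different username: an account that was altered.
        "renamed": sorted((u, expected[u], n) for u, n in actual.items()
                          if u in expected and expected[u] != n),
        # Expected admins that lost the admin level.
        "missing": sorted((u, n) for u, n in expected.items()
                          if u not in actual),
    }


def build_sample_db():
    """Constructed stand-in for phpbb_users (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users ("
                 "user_id INTEGER PRIMARY KEY, username TEXT, "
                 "user_level INTEGER)")
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)", [
        (2, "boardowner", 1),    # the legitimate admin
        (3, "alice", 0),         # ordinary user, not matched by the query
        (4, "bob", 2),           # another level value, also not matched
        (57, "guest_4471", 1),   # constructed admin row nobody granted
    ])
    return conn


if __name__ == "__main__":
    report = audit_admins(build_sample_db(), EXPECTED_ADMINS)
    for kind, rows in report.items():
        for row in rows:
            print(kind, row)
    # Non-zero exit lets a scheduled job raise an alert on any difference.
    raise SystemExit(1 if any(report.values()) else 0)
```

Against a live board the same function would take a connection from a MySQL driver instead of `build_sample_db()`, ideally using a read-only database account.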
Re: [Security Vulnerability/Security Alert] Admin List
psoTFX wrote:... you will only succeed in making yourself look quite foolish.
Too late.
Need good web hosting? I recommend Hostrocket.
Re: [Security Vulnerability/Security Alert] Admin List
How often do people check for hidden admins? Have you checked this board or the other board on phpbb.com for hidden admins? Not always the case that you'll know that you've been hacked. Some people just like to pop in to the admin panel from time to time and being able to check IP's and maybe do the odd topic locking, when admins aren't really paying attention
If you won't have an admin list as a security feature of phpbb then perhaps you should put a warning in future phpbb documentation to warn forum admins to check the database regularly to see if someone is a hidden admin.
Member of the security community.
Re: [Security Vulnerability/Security Alert] Admin List
EliteLamer wrote:How often do people check for hidden admins? Have you checked this board or the other board on phpbb.com for hidden admins?
Yes
EliteLamer wrote:Not always the case that you'll know that you've been hacked. Some people just like to pop in to the admin panel from time to time and being able to check IP's and maybe do the odd topic locking, when admins aren't really paying attention
Keep your forum updated and the vast vast vast vast majority of the time you'll have no problems.
Re: [Security Vulnerability/Security Alert] Admin List
psoTFX wrote:
EliteLamer wrote:How often do people check for hidden admins? Have you checked this board or the other board on phpbb.com for hidden admins?
Yes
EliteLamer wrote:Not always the case that you'll know that you've been hacked. Some people just like to pop in to the admin panel from time to time and being able to check IP's and maybe do the odd topic locking, when admins aren't really paying attention
Keep your forum updated and the vast vast vast vast majority of the time you'll have no problems.
Ok, thanks for replying to my concerns on this issue.
It means a lot to me.
You can lock this topic if you want.
I'm happy with your answers.
Member of the security community.