How big of a security risk is that 'security risk' really?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
zeroality
Registered User
Posts: 16
Joined: Thu Mar 02, 2006 5:21 am

How big of a security risk is that 'security risk' really?

Post by zeroality »

When installing, it checks for your PHP version then whether something is disabled or not, I forget the name. It said that if it's enabled then it exposes a potential security risk, something or the other.

For my host, it was uh enabled.. or disabled? (whichever one is the security risk) so that got me to wondering...

Just how big of a security risk is this, strictly speaking? Because my host probably won't change something like that just for me, unless that's an individual setting and not a global one.

Also why aren't the md5 encryption strings for the passwords in the database salted or somehow beefed up? There are so many md5 reverse lookup sites out there, etc. It's not as secure as it should be.

peaches
Registered User
Posts: 2
Joined: Sun Jun 18, 2006 8:19 am

Re: How big of a security risk is that 'security risk' reall

Post by peaches »

I have the same question. Salting is essentially important as phpbb is open-source and can easily get into the hands of a malicious user.

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 367
Joined: Thu Sep 16, 2004 9:02 am
Contact:

Re: How big of a security risk is that 'security risk' reall

Post by Paul »

You mean register_globals? The most secrity exploits are there because register globals is enabled(not all, but a the most :)). If you need register globals, you can better rewrite your script.

zeroality
Registered User
Posts: 16
Joined: Thu Mar 02, 2006 5:21 am

Re: How big of a security risk is that 'security risk' reall

Post by zeroality »

I don't even use php other than a small search engine on my site and phpBB. I'll see if I can get it disabled.

Uchiha Nick
Registered User
Posts: 397
Joined: Tue Jul 20, 2004 6:21 am
Location: Rotterdam, The Netherlands
Contact:

Re: How big of a security risk is that 'security risk' reall

Post by Uchiha Nick »

paulus wrote: You mean register_globals? The most secrity exploits are there because register globals is enabled(not all, but a the most :)). If you need register globals, you can better rewrite your script.
so true.. globals are evil!
Image

User avatar
Cheater512
Registered User
Posts: 245
Joined: Thu Mar 23, 2006 1:29 am
Location: Brisbane, Australia
Contact:

Re: How big of a security risk is that 'security risk' reall

Post by Cheater512 »

Its not much of a security risk.

Think of it this way: You use Windows which is a much bigger security risk. ;)

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 367
Joined: Thu Sep 16, 2004 9:02 am
Contact:

Re: How big of a security risk is that 'security risk' reall

Post by Paul »

Cheater512 wrote: Its not much of a security risk.

Think of it this way: You use Windows which is a much bigger security risk. ;)
windows using is a security risk, register globals is also a risk. If register globals is off, many exploits don't work ;)

User avatar
SHS`
Registered User
Posts: 1628
Joined: Wed Jul 04, 2001 9:13 am
Location: The Boonies, Hong Kong
Contact:

Re: How big of a security risk is that 'security risk' reall

Post by SHS` »

Register Globals is something that is termed BAD (Broken As Designed), and come PHP6, if this setting is even detected in php.ini (and some other legacy settings which are just BAD)... PHP6 will refuse to even start and throw an E_CORE error. ;)
Jonathan “SHS`” Stanley • 史德信
phpBB™ 3.1.x, Bug/Security trackers
phpBB™ Bertie Bear 3.0 — prosilver Edition!Asking Questions The Smart Way

zeroality
Registered User
Posts: 16
Joined: Thu Mar 02, 2006 5:21 am

Re: How big of a security risk is that 'security risk' reall

Post by zeroality »

Well is that something I'd usually be able to disable myself in a hosting ACP? For reference, I use 1and1hosting.

Or would I have to contact them? Would they even be willing to do it?

User avatar
SHS`
Registered User
Posts: 1628
Joined: Wed Jul 04, 2001 9:13 am
Location: The Boonies, Hong Kong
Contact:

Re: How big of a security risk is that 'security risk' reall

Post by SHS` »

zeroality wrote: Or would I have to contact them? Would they even be willing to do it?
"Suck it and see" ;) Otherwise... switch hosts. ;) "Voting with one's feet". ;)
Jonathan “SHS`” Stanley • 史德信
phpBB™ 3.1.x, Bug/Security trackers
phpBB™ Bertie Bear 3.0 — prosilver Edition!Asking Questions The Smart Way

Post Reply