[Security Vulnerability/Security Alert] Admin List

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm

Re: [Security Vulnerability/Security Alert] Admin List

Post by psoTFX »

Vulnerability my rear end, it's a missing feature you can quickly overcome with a quick check of the database. A vulnerability is a bug/s that allow a 3rd party to gain unlawful entry to an application. This is not a vulnerability.

EliteLamer
Registered User
Posts: 67
Joined: Sat Mar 27, 2004 1:07 am
Location: Europe.

Re: [Security Vulnerability/Security Alert] Admin List

Post by EliteLamer »

psoTFX wrote: Vulnerability my rear end, it's a missing feature you can quickly overcome with a quick check of the database. A vulnerability is a bug/s that allow a 3rd party to gain unlawful entry to an application. This is not a vulnerability.

It is not a vulnerability that you allow hackers to hack a phpBB with X exploit and then to be able to hide for any length of time?

This is a serious security problem for you to address with urgency.




Member of the security community.

psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm

Re: [Security Vulnerability/Security Alert] Admin List

Post by psoTFX »

No, the hole allowing access would be a vulnerability. Not being able to "easily" see a list of admins is not a vulnerability.

EliteLamer
Registered User
Posts: 67
Joined: Sat Mar 27, 2004 1:07 am
Location: Europe.

Re: [Security Vulnerability/Security Alert] Admin List

Post by EliteLamer »

Ok. 8O :( :roll: :| :evil:
Member of the security community.

DoD
Registered User
Posts: 360
Joined: Sat Aug 30, 2003 11:32 am

Re: [Security Vulnerability/Security Alert] Admin List

Post by DoD »

The whole issue here is not being able to see who's an admin but that the database has been hacked.

If my database was hacked, admin list or no admin list, I would be screwed.

More "damage" could be caused by hacking the database than simply being a fully blown admin. Corrupt tables... even deleted tables or alteration of info...

If a hacker could hack to alter your database to make themselves an admin, they could do anything. They could even edit your little admin script so they won't appear on it...

This is a security issue which phpbb or any other organisation can do nothing... absolutely NOTHING to prevent.

If anything, any company or any home user gets a hacker successfully into their systems, nothing would really stop them in their tracks.

Putting in a feature so you can see who are admins is just over bloating phpBB... by making a security measure... so you can know if someone will be scrambling up your database soon.

On another note... how would this really help much more than what you currently have? Will you ban/delete that admin? Just so the hacker can go back in the database... unban themselves?

What a hacker can do to destroy your board is endless. Get over it. If you care so much, get onto the backs of the people who've made your database so it isn't so easy to hack.

psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm

Re: [Security Vulnerability/Security Alert] Admin List

Post by psoTFX »

EliteLamer wrote: Ok. 8O :( :roll: :| :evil:
I don't actually appreciate this response. You have and continue to fail to see the point of what I'm saying.

A vulnerability is a failure in the source allowing someone unlawful entrance to areas of your forum for which they do not have permission. What you are complaining about is a "missing" feature enabling you to more "easily" tell if someone has gained admin privs due to an existing vulnerability.

My response is this will not happen in 2.0.x, it is feature fixed and this is not something that will make much if any difference to the vast majority of users at this time. It is not a vulnerability and if you continue to call it such you will only succeed in making yourself look quite foolish.

If you believe someone has made use of an existing vulnerability to gain admin privs do the following:

1) Take your forum offline
2) Using phpMyAdmin, CLI, whatever run the following query on your database:

Code:

SELECT user_id, username FROM phpbb_users WHERE user_level = 1
Changing phpbb_ for your table extension if it differs. That will return a list of all the admins on your forum. If there are any there which should not be, either use the user management form in the ACP (you now have the username) or a SQL query.
3) Update your phpBB 2.0.x installation to the latest available and ensure you keep it updated. Similarly update any Mods if you believe they are at fault ... Mods have zip to do with us so if they have a security issue you should contact the relevant author.
4) Change your passwords, your hosting account password (or user password), your database passwords (as and if necessary)
5) Re-enable phpBB
6) Change your phpBB password/s (all your admins and moderators should do this).

End of story.

Wert
Registered User
Posts: 400
Joined: Tue Jul 03, 2001 8:33 pm

Re: [Security Vulnerability/Security Alert] Admin List

Post by Wert »

psoTFX wrote: ... you will only succeed in making yourself look quite foolish.
Too late. :)

EliteLamer
Registered User
Posts: 67
Joined: Sat Mar 27, 2004 1:07 am
Location: Europe.

Re: [Security Vulnerability/Security Alert] Admin List

Post by EliteLamer »

How often do people check for hidden admins? Have you checked this board or the other board on phpbb.com for hidden admins? Not always the case that you'll know that you've been hacked. Some people just like to pop in to the admin panel from time to time and being able to check IPs and maybe do the odd topic locking, when admins aren't really paying attention.

If you won't have an admin list as a security feature of phpBB then perhaps you should put a warning in future phpBB documentation to warn forum admins to check the database regularly to see if someone is a hidden admin.
Member of the security community.
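
The admin-list query from the earlier reply, run as the kind of recurring check suggested in the post above and compared against a reviewed baseline. This is an added example, not part of the thread or of phpBB: `audit_admins`, the baseline dictionary, and the sample rows are hypothetical, and an in-memory SQLite table stands in for the board's real database.

```python
import re
import sqlite3

ADMIN_LEVEL = 1  # the user_level value the thread's query treats as admin


def list_admins(conn, prefix="phpbb_"):
    """Run the thread's query; returns [(user_id, username), ...]."""
    # A table name cannot be a bound parameter, so validate the prefix.
    if not re.fullmatch(r"[A-Za-z0-9_]*", prefix):
        raise ValueError("unexpected table prefix: %r" % prefix)
    sql = ("SELECT user_id, username FROM %susers "
           "WHERE user_level = ? ORDER BY user_id" % prefix)
    return conn.execute(sql, (ADMIN_LEVEL,)).fetchall()


def audit_admins(conn, baseline, prefix="phpbb_"):
    """Diff current admins against a reviewed baseline {user_id: username}."""
    current = dict(list_admins(conn, prefix))
    return {
        # Admin rows nobody approved: the "hidden admin" case.
        "unexpected": sorted((u, n) for u, n in current.items()
                             if u not in baseline),
        # Approved id whose username changed since the baseline was taken.
        "renamed": sorted((u, baseline[u], n) for u, n in current.items()
                          if u in baseline and baseline[u] != n),
        # Approved admins that no longer hold admin level.
        "missing": sorted((u, n) for u, n in baseline.items()
                          if u not in current),
    }


def build_sample_db():
    """Constructed sample rows standing in for a real board database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users "
                 "(user_id INTEGER PRIMARY KEY, username TEXT, user_level INTEGER)")
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)", [
        (2, "boardowner", 1),     # approved admin
        (57, "alice", 0),         # ordinary account
        (912, "guest_4471", 1),   # admin level, absent from the baseline
    ])
    return conn


if __name__ == "__main__":
    report = audit_admins(build_sample_db(), baseline={2: "boardowner"})
    for kind, rows in report.items():
        print(kind, rows)
```

Keep the baseline somewhere the web application and its database user cannot write to, otherwise whoever altered the user table can alter the baseline as well.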

psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm

Re: [Security Vulnerability/Security Alert] Admin List

Post by psoTFX »

EliteLamer wrote: How often do people check for hidden admins? Have you checked this board or the other board on phpbb.com for hidden admins?
Yes
EliteLamer wrote: Not always the case that you'll know that you've been hacked. Some people just like to pop in to the admin panel from time to time and being able to check IPs and maybe do the odd topic locking, when admins aren't really paying attention
Keep your forum updated and the vast vast vast vast majority of the time you'll have no problems.

EliteLamer
Registered User
Posts: 67
Joined: Sat Mar 27, 2004 1:07 am
Location: Europe.

Re: [Security Vulnerability/Security Alert] Admin List

Post by EliteLamer »

psoTFX wrote:
EliteLamer wrote: How often do people check for hidden admins? Have you checked this board or the other board on phpbb.com for hidden admins?
Yes
EliteLamer wrote: Not always the case that you'll know that you've been hacked. Some people just like to pop in to the admin panel from time to time and being able to check IPs and maybe do the odd topic locking, when admins aren't really paying attention
Keep your forum updated and the vast vast vast vast majority of the time you'll have no problems.
Ok, thanks for replying to my concerns on this issue.

It means a lot to me.

You can lock this topic if you want.

I'm happy with your answers.



Member of the security community.
