How big of a security risk is that 'security risk' really?
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: How big of a security risk is that 'security risk' reall
It really depends on the setup of the host - on some you would be able to change it yourself on a per-site basis (although these types of hosts would generally have it off by default anyway IME), on some it's a server wide setting that you can't change
- Cheater512
- Registered User
- Posts: 245
- Joined: Thu Mar 23, 2006 1:29 am
- Location: Brisbane, Australia
- Contact:
Re: How big of a security risk is that 'security risk' reall
If you have a dedicated server then it's simple. Just edit the line in php.ini.
If you're on a shared host then you'll have to ask the host to change it.
Chances are they won't since some scripts need it.
Re: How big of a security risk is that 'security risk' reall
Some shared hosts will allow you to override it in a htaccess file.
If you ask them they should tell you if they have enabled the correct settings to allow you to override it and tell you what to do.
Forcing people to run with register_globals on because "some scripts won't work without it" isn't making things very future proof is it? PHP5 ships with register_globals off by default. PHP6 won't even have the option of having register_globals. People will need to upgrade their scripts at some point, it may as well be now.
Apparently a few other things are for the chop in PHP6 as well, including 'safe_mode' (which wasn't actually that safe).
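The two answers above boil down to "find out what the host has set, and write code that is safe either way". The PHP below is an added example, not phpBB code and not anything posted in this thread. It assumes a PHP CLI or web host to run on; `isAuthorized` and the `$session` array are illustrative names chosen for the example.

```php
<?php
// Added example (not from the thread): report the register_globals setting and
// show the coding habit that keeps a script safe whatever the host has chosen.

// 1. Report the setting. On old shared hosts this may be "1" or "On"; from
//    PHP 5.4 onward the directive no longer exists and ini_get() returns false.
function registerGlobalsState(): string
{
    $value = ini_get('register_globals');
    if ($value === false) {
        return 'absent (PHP >= 5.4, directive removed)';
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN) ? 'ON (risk)' : 'off';
}

// 2. The habit: initialise every variable before use and take input only from
//    the superglobals. With register_globals on, an uninitialised variable may
//    already hold request input when the script starts; an explicit initial
//    value and an explicit source for the data remove that dependency.
function isAuthorized(array $session): bool
{
    $authorized = false;                       // never rely on "unset means false"
    if (isset($session['user_id']) && (int) $session['user_id'] > 0) {
        $authorized = true;
    }
    return $authorized;
}

echo 'register_globals: ' . registerGlobalsState() . PHP_EOL;
var_dump(isAuthorized([]));                    // bool(false)
var_dump(isAuthorized(['user_id' => 42]));     // bool(true)
```

For the per-directory override the thread mentions, the Apache line is `php_flag register_globals off` in `.htaccess`; it only takes effect where PHP runs as an Apache module and the host allows `AllowOverride Options` (or `All`) for that directory, which is exactly the "correct settings" you have to ask the host about.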
Re: How big of a security risk is that 'security risk' reall
zeroality wrote: Also why aren't the md5 encryption strings for the passwords in the database salted or somehow beefed up? There are so many md5 reverse lookup sites out there, etc. It's not as secure as it should be.
What about the md5 part? It can get really bad if you sign up and the webmaster is a malicious user. It would be nice to have salts.
Re: How big of a security risk is that 'security risk' reall
peaches wrote: What about the md5 part? It can get really bad if you sign up and the webmaster is a malicious user. It would be nice to have salts.
And that is the "stupid comment of the day".
If the webmaster was malicious could he not just alter the phpBB source so it used NO encryption/hashing? answer: Yes
Could he also change it so that whenever anyone signed up or changed their password it was recorded separately in plain text? answer: yes
There is absolutely nothing the phpBB team can do to prevent a malicious webmaster. The webmaster can undo everything the phpBB team does.
A simple way to alleviate the problem is to have a different (and I mean completely different, none of this prefixing stuff) password for every site you visit. So if a webmaster had evil intent he could only gain access to stuff you have on his site anyway.
Re: How big of a security risk is that 'security risk' reall
Yoda_IRC wrote: There is absolutely nothing the phpBB team can do to prevent a malicious webmaster.
Oh there's a bunch of things that can be done... like praying... effectiveness not guaranteed though.
I've heard you can buy rainbow tables for MD5 "all characters" (~1,5TB) ... salting is so simple yet so powerful.
Don't give me my freedom out of pity!
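The "salting is so simple yet so powerful" point, plus the rainbow-table remark, in working code. This is an added example, not phpBB code and not anything posted in the thread: it uses `password_hash()`/`password_verify()` (PHP 5.5 and later, so newer than the PHP versions the thread talks about) and the `migrateOnLogin` helper is an illustrative name for the usual way of replacing old unsalted hashes.

```php
<?php
// Added example (not phpBB code): unsalted MD5 versus a salted, slow hash.

// Legacy scheme the thread complains about: same password -> same hash for every
// user on every site, so one precomputed (rainbow) table answers all of them.
function legacyMd5(string $password): string
{
    return md5($password);
}

// Recommended scheme: password_hash() generates a random per-password salt and
// applies a deliberately slow algorithm (bcrypt here), so equal passwords give
// different stored values and each one has to be attacked on its own.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Transparent migration: a legacy MD5 record is replaced with a salted hash the
// next time its owner logs in, the only moment the plaintext is available.
// Returns the value to store on success, or null if the password is wrong.
function migrateOnLogin(string $password, string $stored): ?string
{
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {    // legacy md5 record
        return hash_equals($stored, md5($password)) ? hashPassword($password) : null;
    }
    return checkPassword($password, $stored) ? $stored : null;
}

// Constructed demo values.
$pw = 'correct horse battery staple';
var_dump(legacyMd5($pw) === legacyMd5($pw));            // bool(true): identical, table-friendly
$a = hashPassword($pw);
$b = hashPassword($pw);
var_dump($a === $b);                                    // bool(false): unique salt each time
var_dump(checkPassword($pw, $a));                       // bool(true)
var_dump(checkPassword('wrong password', $a));          // bool(false)
$upgraded = migrateOnLogin($pw, legacyMd5($pw));
var_dump($upgraded !== null
    && password_get_info($upgraded)['algoName'] === 'bcrypt'); // bool(true): record upgraded
```

The migration path matters for a forum with an existing user table: nothing in the database lets you salt a hash you already hold, so the old value has to stay until the user next presents the password, at which point it is verified, rehashed and overwritten.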
- Cheater512
- Registered User
- Posts: 245
- Joined: Thu Mar 23, 2006 1:29 am
- Location: Brisbane, Australia
- Contact:
Re: How big of a security risk is that 'security risk' reall
APTX wrote: I've heard you can buy rainbow tables for MD5 "all characters" (~1,5TB)
Yep keep it coming, keep it coming....Stop! (semi-trailer backing up your driveway your order of rainbow tables)
Ok now unload the cds here. Thanks!
Re: How big of a security risk is that 'security risk' reall
Unfortunately no matter which website you visit there is an element of trust involved. There is always going to need to be that trust between the client and the webmaster, it's a problem that simply cannot be solved easily. But I must say, I don't know why (as a webmaster) you could be bothered stealing people's passwords to their forum accounts, as a webmaster you like having lots of visitors... Scaring these away with rumours of you stealing passwords...
Just don't sign up to anything that doesn't look reputable, and if you must then use a separate email/username/password effectively creating a different identity.
The best prevention against all these problems is to simply be smart, use your intellect and be logical...
Cheers,
Stubbers
Re: How big of a security risk is that 'security risk' reall
Cheater512 wrote: APTX wrote: I've heard you can buy rainbow tables for MD5 "all characters" (~1,5TB)
Yep keep it coming, keep it coming....Stop! (semi-trailer backing up your driveway your order of rainbow tables)
Ok now unload the cds here. Thanks!
You buy them with HDDs... though unless the HDDs are bigger than 300GB each you'd need 6 of those which is hard to manage by a normal PC... though there are some nice technologies that can make CD-sized discs useful.
Don't give me my freedom out of pity!
Re: How big of a security risk is that 'security risk' really?
500GB hard drives are relatively cheap these days