How big of a security risk is that 'security risk' really?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Graham
Registered User
Posts: 1304
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Re: How big of a security risk is that 'security risk' really?

Post by Graham »

It really depends on the setup of the host - on some you would be able to change it yourself on a per-site basis (although these types of hosts would generally have it off by default anyway IME); on some it's a server-wide setting that you can't change.
"So Long, and Thanks for All the Fish"

Graham
Eeek, a blog!

Cheater512
Registered User
Posts: 245
Joined: Thu Mar 23, 2006 1:29 am
Location: Brisbane, Australia

Re: How big of a security risk is that 'security risk' really?

Post by Cheater512 »

If you have a dedicated server then it's simple. Just edit the line in php.ini.

If you're on a shared host then you'll have to ask the host to change it.
Chances are they won't since some scripts need it. :(

Yoda_IRC
Registered User
Posts: 158
Joined: Tue Mar 01, 2005 10:19 pm

Re: How big of a security risk is that 'security risk' really?

Post by Yoda_IRC »

Some shared hosts will allow you to override it in an .htaccess file.

If you ask them they should tell you if they have enabled the correct settings to allow you to override it and tell you what to do.

Forcing people to run with register_globals on because "some scripts won't work without it" isn't making things very future-proof, is it? PHP5 ships with register_globals off by default. PHP6 won't even have the option of having register_globals. People will need to upgrade their scripts at some point; it may as well be now.

Apparently a few other things are for the chop in PHP6 as well, including 'safe_mode' (which wasn't actually that safe ;)).

peaches
Registered User
Posts: 2
Joined: Sun Jun 18, 2006 8:19 am

Re: How big of a security risk is that 'security risk' really?

Post by peaches »

zeroality wrote: Also why aren't the md5 encryption strings for the passwords in the database salted or somehow beefed up? There are so many md5 reverse lookup sites out there, etc. It's not as secure as it should be.
What about the md5 part? It can get really bad if you sign up and the webmaster is a malicious user. It would be nice to have salts.

Yoda_IRC
Registered User
Posts: 158
Joined: Tue Mar 01, 2005 10:19 pm

Re: How big of a security risk is that 'security risk' really?

Post by Yoda_IRC »

peaches wrote: What about the md5 part? It can get really bad if you sign up and the webmaster is a malicious user. It would be nice to have salts.
And that is the "stupid comment of the day". :D

If the webmaster was malicious could he not just alter the phpBB source so it used NO encryption/hashing? answer: Yes
Could he also change it so that whenever anyone signed up or changed their password it was recorded separately in plain text? answer: yes

There is absolutely nothing the phpBB team can do to prevent a malicious webmaster. The webmaster can undo everything the phpBB team does.

A simple way to alleviate the problem is to have a different (and I mean completely different, none of this prefixing stuff) for every site you visit. So if a webmaster had evil intent he could only gain access to stuff you have on his site anyway.

APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: How big of a security risk is that 'security risk' really?

Post by APTX »

Yoda_IRC wrote: There is absolutely nothing the phpBB team can do to prevent a malicious webmaster.
Oh there's a bunch of things that can be done... like praying... effectiveness not guaranteed though. :P

I've heard you can buy rainbow tables for MD5 "all characters" (~1,5TB) :)... salting is so simple yet so powerful :P .
Don't give me my freedom out of pity!
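As an added illustration of the salting point above (this is not code from the thread or from phpBB; the "reverse-lookup table" and the sample passwords are constructed here): without a salt, two users with the same password get the same stored hash and a precomputed table answers it instantly; with a random per-user salt stored next to the hash, neither holds.

```python
import hashlib
import os


def md5_unsalted(password):
    """The scheme the thread complains about: a bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_salted(password, salt):
    """Per-user random salt mixed in before hashing. This defeats precomputed
    tables; it does not make guessing any single hash slower."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def new_salted_record(password):
    """What the database would store for a new user: (salt_hex, digest)."""
    salt = os.urandom(8)
    return salt.hex(), md5_salted(password, salt)


def verify_salted(password, salt_hex, digest):
    return md5_salted(password, bytes.fromhex(salt_hex)) == digest


def build_lookup_table(candidates):
    """Constructed stand-in for an MD5 reverse-lookup site: a dict of
    unsalted digest -> plaintext for a handful of common passwords."""
    return {md5_unsalted(p): p for p in candidates}


def recover_unsalted(table, digest):
    return table.get(digest)  # None when the digest is not in the table


def demo():
    common = ["password", "123456", "letmein", "qwerty"]  # constructed sample
    table = build_lookup_table(common)
    # Two users who happened to pick the same weak password.
    alice_u, bob_u = md5_unsalted("letmein"), md5_unsalted("letmein")
    alice_s, bob_s = new_salted_record("letmein"), new_salted_record("letmein")
    return {
        "unsalted_identical": alice_u == bob_u,            # True
        "unsalted_recovered": recover_unsalted(table, alice_u),  # "letmein"
        "salted_identical": alice_s[1] == bob_s[1],        # False
        "salted_recovered": recover_unsalted(table, alice_s[1]),  # None
        "salted_verifies": verify_salted("letmein", *alice_s),    # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```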

Cheater512
Registered User
Posts: 245
Joined: Thu Mar 23, 2006 1:29 am
Location: Brisbane, Australia

Re: How big of a security risk is that 'security risk' really?

Post by Cheater512 »

APTX wrote: I've heard you can buy rainbow tables for MD5 "all characters" (~1,5TB) :)
Yep keep it coming, keep it coming....Stop! (semi-trailer backing up your driveway with your order of rainbow tables)
Ok now unload the CDs here. Thanks! :lol:

stubbers
Registered User
Posts: 406
Joined: Sat Oct 23, 2004 10:36 pm
Location: LoSt

Re: How big of a security risk is that 'security risk' really?

Post by stubbers »

Unfortunately, no matter which website you visit there is an element of trust involved. There is always going to need to be that trust between the client and the webmaster; it's a problem that simply cannot be solved easily. But I must say, I don't know why (as a webmaster) you could be bothered stealing people's passwords to their forum accounts; as a webmaster you like having lots of visitors... Scaring these away with rumours of you stealing passwords...

Just don't sign up to anything that doesn't look reputable, and if you must then use a separate email/username/password, effectively creating a different identity.

The best prevention against all these problems is to simply be smart, use your intellect and be logical...

Cheers,
Stubbers

APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: How big of a security risk is that 'security risk' really?

Post by APTX »

Cheater512 wrote:
APTX wrote: I've heard you can buy rainbow tables for MD5 "all characters" (~1,5TB) :)
Yep keep it coming, keep it coming....Stop! (semi-trailer backing up your driveway with your order of rainbow tables)
Ok now unload the CDs here. Thanks! :lol:
You buy them with HDDs... though unless the HDDs are bigger than 300GB each you'd need 6 of those, which is hard to manage by a normal PC... though there are some nice technologies that can make CD-sized discs useful.
Don't give me my freedom out of pity!

profpete
Registered User
Posts: 140
Joined: Wed Dec 08, 2004 10:49 pm
Location: Wales, UK

Re: How big of a security risk is that 'security risk' really?

Post by profpete »

500GB hard drives are relatively cheap these days :mrgreen:
