admin panel

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Mr.Jester
Registered User
Posts: 25
Joined: Sun Sep 12, 2004 9:28 pm

Re: admin panel

Post by Mr.Jester »

On our site, we removed anonymous access to the /admin/ folder. This requires us to login with a server username/password as well as be an admin.

It's a second level of security, not perfect, but better.

stevelfc
Registered User
Posts: 6
Joined: Mon Dec 27, 2004 7:28 pm
Contact:

Re: admin panel

Post by stevelfc »

Good idea! You can never be too protective

Roberdin
Registered User
Posts: 1546
Joined: Wed Apr 09, 2003 8:44 pm
Location: London, United Kingdom

Re: admin panel

Post by Roberdin »

stevelfc wrote: Good idea! You can never be too protective
Then disconnect your server from the internet. ;)
Rob

who_cares
Registered User
Posts: 218
Joined: Mon Feb 07, 2005 1:20 pm
Contact:

Re: admin panel

Post by who_cares »

You could run it off an intranet if you had enough people.

Ybarra
Registered User
Posts: 15
Joined: Mon Jun 09, 2003 3:12 am

Re: admin panel

Post by Ybarra »

Of course if you had enough people, one of them would probably be of a type that would attempt to access your ACP and ruin your board

:D

NaR883
Registered User
Posts: 19
Joined: Sat Feb 05, 2005 3:12 am

Re: admin panel

Post by NaR883 »

Mr. Jester.. that may actually make it worse, depending how it's implemented. If you're using basic HTTP authentication (clear text), then someone could potentially get a server username and password. It's not likely, but it could happen. :)

Mr.Jester
Registered User
Posts: 25
Joined: Sun Sep 12, 2004 9:28 pm

Re: admin panel

Post by Mr.Jester »

No more likely to happen than someone capturing your username and password to log into the forums.

NaR883
Registered User
Posts: 19
Joined: Sat Feb 05, 2005 3:12 am

Re: admin panel

Post by NaR883 »

Not more likely, but very likely a much more useful login/pass since it can probably give you shell access.

Aldenhier
Registered User
Posts: 183
Joined: Tue Oct 19, 2004 9:52 pm

Re: admin panel

Post by Aldenhier »

Martin Blank wrote: While the vulnerability to auto-login hasn't changed (and really can't be mitigated easily), what has changed is that to access the ACP, you have to enter the password again, which creates a session cookie tied to both password and IP address (IIRC) that is destroyed at the end of the session (browser close or timeout).
I close my browser a lot, whenever I am doing other things... so if it destroys everything every time I close my browser, I will have to log in a whole bunch... and besides... if it destroys the cookie/session every time the browser goes bye-bye, what's the use of the "Stay Logged In" feature?

-Aldenhier

psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm
Contact:

Re: admin panel

Post by psoTFX »

There are two very good reasons for the "second login" to the ACP ...

1) If you enable autologin and your cookie is captured they have immediate access to the ACP. Requiring the password to be entered offers another "layer" of defence. Layers are good, people :)

2) It aids in the protection of off-site submission of forms which may do harm. We already have in place a system which mitigates this greatly but again this is another layer.

This system will not be changing.
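The design psoTFX describes above, as an added example that is not phpBB's own code: re-entering the password starts an ACP session whose cookie value is bound to the current password hash and the client IP, the session dies on inactivity (a session-only cookie dies with the browser), and a per-session form token blocks form submissions from other sites. The function names, the 15-minute timeout and the in-memory session store are assumptions made for this example.

```python
import hmac, hashlib, os, time
from dataclasses import dataclass

SERVER_KEY = os.urandom(32)   # per-deployment secret (constructed here; a real board persists it)
ACP_TIMEOUT = 15 * 60         # assumed inactivity limit before the elevated session is destroyed

@dataclass
class AcpSession:
    user_id: int
    secret: bytes               # random per-session value, held server-side only
    last_seen: float

_sessions: dict = {}            # assumed in-memory store: session_id -> AcpSession

def _mac(session_id: str, pw_hash: str, ip: str, secret: bytes) -> str:
    # The cookie value is an HMAC over what must not change during the session:
    # the user's current password hash and the client IP. Either changing
    # makes every previously issued cookie stale.
    msg = f"{session_id}|{pw_hash}|{ip}".encode()
    return hmac.new(SERVER_KEY + secret, msg, hashlib.sha256).hexdigest()

def start_acp_session(user_id, pw_hash, ip, now=None):
    """Call only after the user re-entered the password. Returns the two cookie parts,
    to be set without an Expires attribute so the browser drops them on close."""
    now = time.time() if now is None else now
    session_id, secret = os.urandom(16).hex(), os.urandom(32)
    _sessions[session_id] = AcpSession(user_id, secret, now)
    return session_id, _mac(session_id, pw_hash, ip, secret)

def check_acp_session(session_id, cookie_mac, pw_hash, ip, now=None) -> bool:
    now = time.time() if now is None else now
    s = _sessions.get(session_id)
    if s is None or now - s.last_seen > ACP_TIMEOUT:
        _sessions.pop(session_id, None)     # timed out: destroy it server-side too
        return False
    if not hmac.compare_digest(_mac(session_id, pw_hash, ip, s.secret), cookie_mac):
        return False                        # different IP or changed password
    s.last_seen = now
    return True

def csrf_token(session_id) -> str:
    # Embedded in every ACP form; derived from the server-side secret, so a page on
    # another site can make the browser send the cookie but cannot know this value.
    s = _sessions[session_id]
    return hmac.new(s.secret, b"acp-form:" + session_id.encode(), hashlib.sha256).hexdigest()

def accept_acp_form(session_id, cookie_mac, pw_hash, ip, form_token, now=None) -> bool:
    if not check_acp_session(session_id, cookie_mac, pw_hash, ip, now):
        return False
    return hmac.compare_digest(csrf_token(session_id), form_token)
```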
