When installing, it checks for your PHP version, then whether something is disabled or not, I forget the name. It said that if it's enabled then it exposes a potential security risk, something or other.
For my host, it was uh enabled.. or disabled? (whichever one is the security risk) so that got me to wondering...
Just how big of a security risk is this, strictly speaking? Because my host probably won't change something like that just for me, unless that's an individual setting and not a global one.
Also why aren't the md5 encryption strings for the passwords in the database salted or somehow beefed up? There are so many md5 reverse lookup sites out there, etc. It's not as secure as it should be.
How big of a security risk is that 'security risk' really?
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: How big of a security risk is that 'security risk' reall
I have the same question. Salting is essentially important as phpbb is open-source and can easily get into the hands of a malicious user.
Re: How big of a security risk is that 'security risk' reall
You mean register_globals? Most security exploits are there because register_globals is enabled (not all, but most). If you need register_globals, you had better rewrite your script.
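As an added illustration (not code from any poster or from phpBB) of the bug class this reply refers to and what "rewriting the script" looks like: with register_globals on, PHP pre-populates global variables from the request before the script runs, so any variable the script forgets to initialise can be set by the client. The session helper and `.htaccess` line are assumptions, labelled in the comments.

```php
<?php
// Added example: the classic register_globals pitfall beside its fix.
// is_admin_session() is a hypothetical stand-in for a real login check.

// --- Fragile version: only safe when register_globals = Off ---
// $authorized is never initialised here. With register_globals = On, a
// request carrying ?authorized=1 has already created a global $authorized
// before this code runs, so the check passes without an admin session.
function fragile_admin_check() {
    global $authorized;
    if (is_admin_session()) {
        $authorized = true;
    }
    return !empty($authorized);
}

// --- Rewritten version: correct regardless of the ini setting ---
// 1. Initialise every variable before use.
// 2. Take request input only through the superglobals ($_GET, $_POST,
//    $_COOKIE), so no client-chosen name can collide with internal state.
function safe_admin_check() {
    $authorized = false;                       // explicit default
    if (is_admin_session()) {
        $authorized = true;
    }
    return $authorized;
}

// Wanted input is fetched explicitly and validated, e.g. a page number.
function page_number_from_request() {
    $page = isset($_GET['page']) ? (int) $_GET['page'] : 1;
    return $page >= 1 ? $page : 1;
}

// How an installer can tell which way the host has it set: ini_get()
// returns the effective value of the directive for this script.
function register_globals_enabled() {
    return (bool) ini_get('register_globals');
}

// Hypothetical session check; a real application consults the login session.
function is_admin_session() {
    return false;
}

// If PHP runs as an Apache module and the host allows per-directory
// overrides, this line in .htaccess turns the setting off for the site
// without the host editing php.ini (assumption: mod_php + AllowOverride):
//   php_flag register_globals Off
```

Where PHP runs as CGI/FastCGI the `.htaccess` line has no effect and the directive must be changed in php.ini (or a per-user php.ini, if the host supports one).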
Re: How big of a security risk is that 'security risk' reall
I don't even use php other than a small search engine on my site and phpBB. I'll see if I can get it disabled.
-
- Registered User
- Posts: 397
- Joined: Tue Jul 20, 2004 6:21 am
- Location: Rotterdam, The Netherlands
- Contact:
Re: How big of a security risk is that 'security risk' reall
paulus wrote: You mean register_globals? Most security exploits are there because register_globals is enabled (not all, but most). If you need register_globals, you had better rewrite your script.
So true.. globals are evil!
- Cheater512
- Registered User
- Posts: 245
- Joined: Thu Mar 23, 2006 1:29 am
- Location: Brisbane, Australia
- Contact:
Re: How big of a security risk is that 'security risk' reall
It's not much of a security risk.
Think of it this way: You use Windows, which is a much bigger security risk.
Re: How big of a security risk is that 'security risk' reall
Cheater512 wrote: It's not much of a security risk. Think of it this way: You use Windows, which is a much bigger security risk.
Using Windows is a security risk; register_globals is also a risk. If register_globals is off, many exploits don't work.
- SHS`
- Registered User
- Posts: 1628
- Joined: Wed Jul 04, 2001 9:13 am
- Location: The Boonies, Hong Kong
- Contact:
Re: How big of a security risk is that 'security risk' reall
Register Globals is something that is termed BAD (Broken As Designed), and come PHP6, if this setting is even detected in php.ini (and some other legacy settings which are just BAD)... PHP6 will refuse to even start and throw an E_CORE error.
Jonathan “SHS`” Stanley • 史德信
phpBB™ 3.1.x, Bug/Security trackers
phpBB™ Bertie Bear 3.0 — prosilver Edition! • Asking Questions The Smart Way
Re: How big of a security risk is that 'security risk' reall
Well is that something I'd usually be able to disable myself in a hosting ACP? For reference, I use 1and1hosting.
Or would I have to contact them? Would they even be willing to do it?
- SHS`
- Registered User
- Posts: 1628
- Joined: Wed Jul 04, 2001 9:13 am
- Location: The Boonies, Hong Kong
- Contact:
Re: How big of a security risk is that 'security risk' reall
zeroality wrote: Or would I have to contact them? Would they even be willing to do it?
"Suck it and see." Otherwise... switch hosts. "Voting with one's feet."
Jonathan “SHS`” Stanley • 史德信
phpBB™ 3.1.x, Bug/Security trackers
phpBB™ Bertie Bear 3.0 — prosilver Edition! • Asking Questions The Smart Way