Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Idea: (assumption: old hashes are exactly the same phpBB2 -> phpBB3)
a third type of password hash for phpBB3
this new hash will store the OLD hash in a more secure manner, the same way as current (phpBB3) hashes, but with an extra flag to indicate that the OLD hash must be applied before applying the current hash
the update script will go through the DB and apply the 3rd hash to the OLD hash.
--
keep in mind the worst case scenario: a huge chunk of users with old hashes who use the same password for everything; attackers gain access to email accounts, email accounts contain all verification emails, from there you gain admin access to more forums (I'm guessing that the typical phpBB3 admin can download just the user table from the ACP) and spider out from there, etc.
--
edit: btw, I think it would be a big security gain to require a flag to be set in config.php before any admin can back up the DB through the ACP, kind of like how you have to delete the install directory
edit: same thing goes for clear logs and restore. if someone does do an ACP backup of the user table and then clears the log, there may still be evidence (forum file system, db file, see timestamp), though the ability to change a long-inactive admin's password and use that to clear the logs adds uncertainty when it comes to tracing the problem.
Last edited by Posts on Thu Feb 05, 2009 7:33 pm, edited 1 time in total.
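The wrap-then-flag scheme proposed in the post above, worked through as an added Python example; this is not phpBB's code (phpBB itself is PHP and its real hash formats differ). Assumptions: the legacy hash is modelled as an unsalted MD5, the "current" hash is modelled as PBKDF2-HMAC-SHA256 under an illustrative `$X$` prefix, and `$W$` is the hypothetical flag meaning "apply the legacy hash to the password first". The example also carries the idea one step further than the post: once a wrapped user logs in successfully, the plaintext is in hand and the row can be re-hashed directly under the modern scheme, so the weak legacy layer disappears over time.

```python
import hashlib
import hmac
import secrets

# Illustrative prefixes (assumptions, not phpBB's real formats).
MODERN_PREFIX = "$X$"    # modern salted, iterated hash of the password itself
WRAPPED_PREFIX = "$W$"   # flag: legacy hash must be applied before the modern hash
ROUNDS = 20000           # PBKDF2 iteration count for the modern scheme


def legacy_hash(password):
    """Legacy scheme, modelled as unsalted MD5 (constructed stand-in for the old format)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _modern_digest(material, salt, rounds):
    return hashlib.pbkdf2_hmac(
        "sha256", material.encode("utf-8"), salt.encode("utf-8"), rounds
    ).hex()


def modern_hash(material, salt="", rounds=ROUNDS):
    """Modern scheme: $X$<rounds>$<salt>$<digest>; a fresh random salt unless one is given."""
    salt = salt or secrets.token_hex(8)
    return "%s%d$%s$%s" % (MODERN_PREFIX, rounds, salt, _modern_digest(material, salt, rounds))


def wrap_legacy(legacy_digest):
    """Store an existing legacy digest under the modern scheme, flagged with $W$.

    The migration script never sees the plaintext, so it hashes the old hash and
    records that verification must run the legacy step first.
    """
    return WRAPPED_PREFIX + modern_hash(legacy_digest)[len(MODERN_PREFIX):]


def _check_modern(stored_body, material):
    rounds, salt, digest = stored_body.split("$")
    return hmac.compare_digest(_modern_digest(material, salt, int(rounds)), digest)


def is_legacy_row(stored):
    """A bare 32-character hex digest is an unmigrated legacy row."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def verify(stored, password):
    """Dispatch on the prefix: wrapped rows go password -> legacy -> modern."""
    if stored.startswith(WRAPPED_PREFIX):
        return _check_modern(stored[len(WRAPPED_PREFIX):], legacy_hash(password))
    if stored.startswith(MODERN_PREFIX):
        return _check_modern(stored[len(MODERN_PREFIX):], password)
    # Bare legacy row: only reachable if the migration has not run yet.
    return hmac.compare_digest(legacy_hash(password), stored)


def migrate_rows(rows):
    """The update script's pass over the user table: wrap every legacy row, leave the rest."""
    return {user: (wrap_legacy(h) if is_legacy_row(h) else h) for user, h in rows.items()}


def login(rows, user, password):
    """Verify, and on success upgrade any non-modern row to a direct modern hash in place."""
    stored = rows[user]
    if not verify(stored, password):
        return False
    if not stored.startswith(MODERN_PREFIX):
        rows[user] = modern_hash(password)   # plaintext is available now; drop the legacy layer
    return True


if __name__ == "__main__":
    # Constructed sample user table: one legacy row, one already-modern row.
    table = {"alice": legacy_hash("s3cret"), "bob": modern_hash("hunter2")}
    table = migrate_rows(table)
    print("alice after migration:", table["alice"][:3])   # $W$
    print("alice login:", login(table, "alice", "s3cret"))
    print("alice after login:", table["alice"][:3])       # $X$
```

The flag prefix is what makes the scheme safe to roll out in one pass: rows are never left in a state where the verifier cannot tell which chain of hashes to apply, and the legacy digest itself is no longer stored in the clear, which is the exposure the post is worried about.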
Hashing the old hashes again could be done; the tricky part is not to reduce password security when doing so. It adds another step of complication to conversions, though. We will probably introduce it.
A switch as you propose, sadly, wouldn't have any effect. Admins already need a permission to access the module; an attacker who is already able to read and write the database and to execute arbitrary scripts will get past any such limitation. At this point the horses have already left the stable; reinforcing the doors won't help much.
Sorry if this is the wrong place but I'm pretty desperate!
My site is planning a major upgrade this spring that will incorporate 3. For now we're still on version 2. And I've been locked out of the forum since Monday. This happened once before and all I need to fix it is the "auto_cookies" mod. but since the PHPBB site is down I can't get it. Does anyone have a copy I can download somewhere? Thanks and apologies if this is the wrong place to ask.
This is really unfortunate. I am so lost without all the support you guys provide and at the same time worried about the SPAM that is coming my way.
Just wanted to let you guys know, the guy who hacked you has written a post of how he did it. maybe this will give you some info of how to prevent it from happening in the future.
<< Link removed >>
=========================
Edit : ChrisRLG
we do not wish to add to the links to his posts on the net - we are very aware of those blogs/sites with the data.
If anyone else has any info please PM to a team member here instead of posting - thank you : ChrisRLG
Last edited by ChrisRLG on Thu Feb 05, 2009 11:04 pm, edited 1 time in total.
Reason: removed link and added note.
JThree wrote:Sorry if this is the wrong place but I'm pretty desperate!
My site is planning a major upgrade this spring that will incorporate 3. For now we're still on version 2. And I've been locked out of the forum since Monday. This happened once before and all I need to fix it is the "auto_cookies" mod. but since the PHPBB site is down I can't get it. Does anyone have a copy I can download somewhere? Thanks and apologies if this is the wrong place to ask.
Sorry, but v2 is no longer in support - even if we had access to those files, they are suspected of having been altered, so they would need to be checked over manually before being made available for download.
I do not expect we will be doing that with anything for v2, as to us that software has been 'end of lifed', and that was announced almost a year ago now. We have enough to do checking everything for v3 without worrying about something we no longer support.
My suggestion to you is to use google or another search engine and find another support site which may still be doing support for v2 versions.