Slackervaara (Board Member, joined 01 Jan 2009, posts: 70)
Posted: Tue Aug 10, 2010 1:08 am    Post subject: Re: The Final phpBB 2 Security Error

Does the Firefox add-on RefControl offer any protection against this type of hack attempt?

Acaria (Board Member, joined 20 Feb 2009, posts: 238)
Posted: Tue Aug 10, 2010 12:22 pm    Post subject: Re: The Final phpBB 2 Security Error

Very possible. I haven't used it, but I know it does something with the HTTP referrers, which is exactly what is involved in a CSRF attack.

ABDev (Board Member, joined 01 Jun 2009, posts: 76)
Posted: Tue Aug 10, 2010 12:31 pm    Post subject: Re: The Final phpBB 2 Security Error

Acaria wrote:
> Let's say you want to hack a board. You write a simple script to take the full URL in the browser of the attacked victim. You put it in the [img][/img] tags, which loads the script to the page, allowing it to do its intended effect. To do real damage, you post this in a thread you know will be locked. You know, some kind of random spam. When a Mod (or if they're lucky, an Admin) locks the thread, he is sent back to the thread displaying his current SID in the URL. This URL is sent to the hacker through his script, so he has the guy's SID.

Ok, I understand now how that exploit works. It's an include type issue.
I'm going to look if there's not a better solution than the fixes of the SVN.
Thanks.

Salvatos (Board Member, joined 19 Feb 2009, posts: 449, location: Québec)
Posted: Tue Aug 10, 2010 2:12 pm    Post subject: Re: The Final phpBB 2 Security Error

Acaria wrote:
> *facepalm*
> Thank you DogCow. I'll add these changes immediately!

Oh my, I dared not point this out earlier because I thought you were saying that the fix in this thread was ineffective.
Glad to know my board IS safe after all.

drathbun (Board Member, joined 24 Jul 2008, posts: 729, location: Texas)
Posted: Tue Aug 10, 2010 8:00 pm    Post subject: Re: The Final phpBB 2 Security Error

First of all, I would submit that this is just yet another reason to never log on to your board as Admin unless you need to do actual admin things. Second, even if an admin SID gets stolen, unless that admin has logged in to the admin control panel and re-authenticated, the session is not authorized to do that. The would-be hacker would be forced to reauth, and if they don't know the admin password, they're locked out of the admin panel. Third, it's a simple matter to put an additional layer of security on the admin panel using .htaccess rules.
None of this addresses moderator exposure, of course. But there are other options either in place or available that can help protect your administrator options.
_________________
phpBBDoctor Blog
JLA (Board Member, joined 30 Apr 2009, posts: 451, location: U.S.A)
Posted: Wed Sep 28, 2011 12:13 am    Post subject: Re: The Final phpBB 2 Security Error

Question about the .23 to .24 changes. Are you required to click twice on the admin link to gain access, once prior to PW entry and once after?
_________________
http://www.jlaforums.com

Salvatos (Board Member, joined 19 Feb 2009, posts: 449, location: Québec)
Posted: Wed Sep 28, 2011 10:55 am    Post subject: Re: The Final phpBB 2 Security Error

You mean to get to the control panel? You click Go to admin panel, then you "log in", then you're redirected to the ACP.

JLA (Board Member, joined 30 Apr 2009, posts: 451, location: U.S.A)
Posted: Wed Sep 28, 2011 11:58 am    Post subject: Re: The Final phpBB 2 Security Error

Salvatos wrote:
> You mean to get to the control panel? You click Go to admin panel, then you "log in", then you're redirected to the ACP.

What I mean is this:

Prior to .23 to .24 update
* Admin logs into site via login screen - after login is redirected to last place or index depending on how/when logged in
* Admin clicks admin link - is redirected to login screen
* Admin logs in again and is redirected to admin panel

After .23 to .24 update
* Admin logs into site via login screen - after login is redirected to last place or index depending on how/when logged in
* Admin clicks admin link - is redirected to login screen
* Admin logs in again and is redirected to index
* Admin clicks admin link and is directed to admin panel

(Notice that after the third step the sid shows, then after the fourth step the PID shows.)
_________________
http://www.jlaforums.com

Dog Cow (Board Member, joined 18 Nov 2008, posts: 378)
Posted: (date not preserved)    Post subject: Re: The Final phpBB 2 Security Error

Yes, this modification changes how the admin panel works. Examine the changes for sessions.php to see how (diff in my first post).

JLA (Board Member, joined 30 Apr 2009, posts: 451, location: U.S.A)
Posted: Thu Sep 29, 2011 12:39 pm    Post subject: Re: The Final phpBB 2 Security Error

Dog Cow wrote:
> Yes, this modification changes how the admin panel works. Examine the changes for sessions.php to see how (diff in my first post).

Thanks - just wanted to verify. Appreciate you putting together the change list from the code!
_________________
http://www.jlaforums.com

Dog Cow (Board Member, joined 18 Nov 2008, posts: 378)
Posted: Mon Oct 10, 2011 6:24 pm    Post subject: Re: The Final phpBB 2 Security Error

JLA wrote:
> Dog Cow wrote:
> > Yes, this modification changes how the admin panel works. Examine the changes for sessions.php to see how (diff in my first post).
> Thanks - just wanted to verify. Appreciate you putting together the change list from the code!

Thank the appropriate developer from the phpBB team. I just posted the announcement here; I didn't write any of the code or make any of the diffs.
_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI

JLA (Board Member, joined 30 Apr 2009, posts: 451, location: U.S.A)
Posted: Fri Oct 14, 2011 9:09 pm    Post subject: Re: The Final phpBB 2 Security Error

Dog Cow wrote:
> JLA wrote:
> > Dog Cow wrote:
> > > Yes, this modification changes how the admin panel works. Examine the changes for sessions.php to see how (diff in my first post).
> > Thanks - just wanted to verify. Appreciate you putting together the change list from the code!
> Thank the appropriate developer from the phpBB team. I just posted the announcement here; I didn't write any of the code or make any of the diffs.

Didn't you put the code change list together?
_________________
http://www.jlaforums.com

Dog Cow (Board Member, joined 18 Nov 2008, posts: 378)
Posted: Sat Oct 15, 2011 3:35 pm    Post subject: Re: The Final phpBB 2 Security Error

JLA wrote:
> Dog Cow wrote:
> > JLA wrote:
> > > Dog Cow wrote:
> > > > Yes, this modification changes how the admin panel works. Examine the changes for sessions.php to see how (diff in my first post).
> > > Thanks - just wanted to verify. Appreciate you putting together the change list from the code!
> > Thank the appropriate developer from the phpBB team. I just posted the announcement here; I didn't write any of the code or make any of the diffs.
> Didn't you put the code change list together?

No. I just wrote the first post. The code changes were done automatically by software.
_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI

JLA (Board Member, joined 30 Apr 2009, posts: 451, location: U.S.A)
Posted: Sat Oct 15, 2011 9:31 pm    Post subject: Re: The Final phpBB 2 Security Error

Dog Cow wrote:
> JLA wrote:
> > Dog Cow wrote:
> > > JLA wrote:
> > > > Dog Cow wrote:
> > > > > Yes, this modification changes how the admin panel works. Examine the changes for sessions.php to see how (diff in my first post).
> > > > Thanks - just wanted to verify. Appreciate you putting together the change list from the code!
> > > Thank the appropriate developer from the phpBB team. I just posted the announcement here; I didn't write any of the code or make any of the diffs.
> > Didn't you put the code change list together?
> No. I just wrote the first post. The code changes were done automatically by software.

Oh, ok. Interesting to know. What is the software that generates this? Does it compare two root directories and generate the change?
_________________
http://www.jlaforums.com

Dog Cow (Board Member, joined 18 Nov 2008, posts: 378)
Posted: Sun Oct 16, 2011 3:49 pm    Post subject: Re: The Final phpBB 2 Security Error

JLA wrote:
> Dog Cow wrote:
> > JLA wrote:
> > > Dog Cow wrote:
> > > > JLA wrote:
> > > > > Dog Cow wrote:
> > > > > > Yes, this modification changes how the admin panel works. Examine the changes for sessions.php to see how (diff in my first post).
> > > > > Thanks - just wanted to verify. Appreciate you putting together the change list from the code!
> > > > Thank the appropriate developer from the phpBB team. I just posted the announcement here; I didn't write any of the code or make any of the diffs.
> > > Didn't you put the code change list together?
> > No. I just wrote the first post. The code changes were done automatically by software.
> Oh, ok. Interesting to know. What is the software that generates this?

On Unix and Linux systems, it's called diff.
_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI