Posted to their forum...
Ret. Mar Ikioi

Dunno if it will stay up (they seem to have no forum for bugs, but oh well):

I would like to reply to an announcement, and this seems the most fitting forum. If it is not, please move my post to the correct one. In reply to http://www.phpbb.com/phpBB/viewtopic.php?t=183098 :

"If you're an admin why would you want to bother jumping through hoops to discover another user's password?"

People sometimes share passwords with their e-mail, other sites, etc. Sure, there are other methods to get another user's password if you have access to modify site files, but this is outside the bounds of phpBB, and would include more trusted individuals. Sharing passwords is a bad habit, but one that exists nonetheless. Remember, not all forum admins are the same people that are the site admins.

"I fail to see why a 'shared hosting' environment increases the risks here. ... I know of no host which gives all users the same database!"

I am a hosting provider, and I can give you as many examples in which this is true as you would like. People incorporate phpBB into other software and share DBs for many reasons: a main site with only one SQL db that runs forums for subdomains; incorporating phpBB into a CMS, like Postnuke; etc. I host many sites that use these examples; this is not a hypothetical situation. A shared hosting environment increases the risk for many reasons, the chief being that shared hosts work with limited resources and thus are more prone to make the best use of them through sharing.

The other thing I would like to point out is that no security flaw should be very, very low priority. As I understand it, a fix is already available at http://www.gulftech.org/vuln/phpBBadminFix.rar , so priority need only be to incorporate the already available fix, correct? Where risk can be lowered, it should be lowered. I have seen a proof of concept of this exploit, and in a shared environment it could be very hazardous.
Thank you, and feel free to e-mail me as a hosting provider, if you wish more information about situations of SQL usage in a shared hosting environment that you may not be familiar with that could increase security risks to exploits such as the one mentioned.