RE: I'm with you, they are on crack with this one...



Posted by Ker JeiAr On 2004-03-23 17:14:55
In Reply to I'm with you, they are on crack with this one... Posted by Ret. Mar Ikioi On 2004-03-23 11:00:34


www.gulftech.org/images/brute.jpg


On 2004-03-23 11:00:34, Ikioi wrote
>Regardless of what they think the risk is, security is about minimalization of risk. Any hole should be top priority where security is concerned. User session IDs expiring... are they actually serious? Increase the time limit then. Session IDs are NOT brain surgery.
>

I agree. Invision Power Board, Postnuke: both of those, for example, would not allow this type of activity. They say that they protected all of the "important files", yet the entire admin control panel that relies on the GET method is open to attack. Actually, you could exploit POST method stuff also if done via a 3rd party site, I believe.

>Frankly, I've trusted phpBB because of quick response to security holes, but that reply makes me question their current direction seriously.
>

Same here, man. I was really disappointed and felt like they were trying to make me feel foolish for even bringing these issues up :-\


>As for shared hosting, please be kind enough to inform them that variants of phpBB db's are included with many other systems, like Postnuke. To exploit phpBB's system is to give them access to other areas outside the phpBB system, making it a doorway hack.
>
>Further, shared phpBB db's are not uncommon. If a site owner only has one SQL db, but runs forums for subdomains, obviously they will share that one db, and would have multiple admins for multiple levels with multiple abilities on multiple boards.
>
This is the case with gulftech.org I have forums.gulftech.org and I set friends up with forums that share a db. With the right permissions and not having ftp access this is not really a big security threat for my site. Well, it wasn't until now :-\
>Very low priority. Someone needs to tell the phpBB team that regardless of features, an insecure board is a worthless board, regardless of features... which is why phpBB has been a viable alternative to Invision. Invision has more features, but phpBB's response to bugs/holes has been really great. At least, up to this point.
>
>
>Some points:
>
>"If you're an admin why would you want to bother jumping through hoops to discover another users password? "
>
What he said was: why would an admin want to find out a user's pass when they could just change it to whatever they want? ummmm ... okkkaaaaayyyy :-\
>Someone tell this genius (sarcasm) that people sometimes share passwords with their e-mail, other sites, etc.
>
>"I fail to see why a 'shared hosting' environment increases the risks here. ... I know of no host which gives all users the same database!"
>
>This guy must live in la-la land where everyone hosts with an unlimited SQL provider, and all admins are root. Tell him to chat with me, a hosting provider, and I'll inform him of a little something I like to call... reality.
>
>"To err is human, to screw up royally requires me!"
>
>Yep, partner, you got that right.
>
>That reply is tantamount to the *nix community telling server owners, "Yeah, there is an exploit in chroot, but only if root executes it, so it's low priority." (Well, cause if cron runs as root, and they execute chroot statements for other user sites, then you have a big clusterf#$%!). The *nix community wouldn't give some crap response like that, and users wouldn't stand for it.
>
>So, yes, third party patches are certainly welcomed, at least by phpBB users. If anyone considers any security hole "very very low priority", then they are not the person to be leading any discussion of security development in any product. They are apt to fit in well on some other project... like the next version of Windows. ;)


GulfTech Security Research
SubScan 1.2
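The weakness the thread is arguing about is an admin control panel whose actions are accepted on any request carrying an admin session, GET links included, so a page on a third-party site can trigger them with the admin's own cookies. The following is an added example, not phpBB's code or anything posted in this thread; it contrasts that pattern with a handler that requires POST, a same-site Origin/Referer and a per-session token. The host name, server secret and request dicts are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_HOST = "forums.example.org"          # assumed host name of the board
SERVER_SECRET = secrets.token_bytes(32)   # constructed; a real board persists this


def csrf_token(session_id: str) -> str:
    """Per-session token derived from the server secret; the board embeds it in
    its own admin forms, so a page served elsewhere cannot know it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def weak_admin_check(req: dict) -> bool:
    """The pattern complained about above: a valid admin session is all that is
    checked, so a GET issued from another site succeeds."""
    return bool(req.get("session_admin", False))


def hardened_admin_check(req: dict) -> bool:
    """State-changing admin actions must be POST, come from a page on this host
    and carry the session's token. The Origin/Referer check is defence in depth;
    the token is the control that actually binds the request to this board."""
    if not req.get("session_admin", False):
        return False
    if req.get("method") != "POST":
        return False
    src = req.get("origin") or req.get("referer")
    if not src or urlparse(src).hostname != SITE_HOST:
        return False
    expected = csrf_token(req["session_id"])
    return hmac.compare_digest(expected, req.get("token", ""))


# Constructed sample requests: the first two model what an admin's browser sends
# when a third-party page embeds a link or auto-submitting form pointing at the
# board; the third is a genuine submission from the board's own admin form.
FORGED_GET = {"method": "GET", "session_admin": True, "session_id": "s1",
              "referer": "http://third-party.example/page.html"}
FORGED_POST = {"method": "POST", "session_admin": True, "session_id": "s1",
               "origin": "http://third-party.example"}


def legit_post() -> dict:
    return {"method": "POST", "session_admin": True, "session_id": "s1",
            "origin": "http://forums.example.org", "token": csrf_token("s1")}
```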