RE: Posted to their forum...

Ker JeiAr

Well, here is the issue.

I was told that the important files were protected via session ID's But none of the admin files are. I think being able to place any admin command in an image tag that relies on it's values from GET, and having it execute as soon as an admin views it is a fairly substantial risk. The having an admin exeute SQL queries requires certain circumstances, but is also possible when placed in an img tag. Also, I could very well place an image tag in this post that would delete even the latest announcment released in the announcment form. Obviously I am not gonna do that as it would be a very uncool thing to do, but I just say that to give an example, ya know?

Also, if security in the ACP is not an issue then why is ANY input validation done? It would have saved you guys a load of time to just make it work instead of making it somewhat secure if you really believe security in the ACP is moot.

I am not here to argue with anyone, and I am not here as a security researcher. I am here as a long time phpBB user who has genuine concerns regarding the security of my forum. Thats all. I know that other users see the risk and feel the same way I do also. I do not want this to turn into a debate or a hostile conversation, that helps nothing. I just want to find a solution that makes users who realize the security risk such as myself happy, and feel secure.

Best Regards,

JeiAr

• phpBB 2.0.7a And Earlier Security Issues - Ker JeiAr 2004-03-22 04:23:47
  • Some Fixes For These Issues - Ret. Ker JeiAr 2004-03-25 12:11:30
    • sweet man :) - LtKer Semper 2004-03-25 16:48:09
      • RE: sweet man :) - Ret. Ker JeiAr 2004-03-25 19:01:33
  • Hmmmm ... - Ker JeiAr 2004-03-23 20:40:47
    • Hah. - Lt Obscurity 2004-03-24 03:17:41
  • Want Some Opinions - Ker JeiAr 2004-03-23 05:18:00
    • RE: Want Some Opinions - Lt Obscurity 2004-03-23 07:46:48
      • I'm with you, they are on crack with this one... - Ret. Mar Ikioi 2004-03-23 11:00:34
        • RE: I'm with you, they are on crack with this one... - Ker JeiAr 2004-03-23 17:14:55
        • Development Teams Reply - Lt Obscurity 2004-03-23 14:19:18
          • RE: Development Teams Reply - Ker JeiAr 2004-03-23 17:17:53
            • RE: Development Teams Reply - Ker JeiAr 2004-03-23 17:31:30
            • RE: Development Teams Reply - Lt Obscurity 2004-03-23 17:25:16
              • RE: Development Teams Reply - Ker JeiAr 2004-03-23 17:33:40
                • RE: Development Teams Reply - Lt Obscurity 2004-03-23 18:15:38
                  • RE: Development Teams Reply - Ker JeiAr 2004-03-23 19:39:35
                    • RE: Development Teams Reply - Lt Obscurity 2004-03-24 03:14:15
        • Posted to their forum... - Ret. Mar Ikioi 2004-03-23 11:37:22
          • >RE: Posted to their forum... - Ker JeiAr 2004-03-23 17:49:48 <
          • Argh if someone could delete the post previous - Lt Obscurity 2004-03-23 11:50:55
            • Done :) - Ret. Ker JeiAr 2004-03-24 05:31:16
              • Hah thanks... - Lt Obscurity 2004-03-24 06:04:35
      • RE: Want Some Opinions - Ker JeiAr 2004-03-23 08:05:01
        • To be honest... - Lt Obscurity 2004-03-23 08:21:38
          • RE: To be honest... - Ker JeiAr 2004-03-23 08:32:53
            • RE: To be honest... - Lt Obscurity 2004-03-23 08:40:09
              • RE: To be honest... - Ker JeiAr 2004-03-23 08:54:05
                • RE: To be honest... - Lt Obscurity 2004-03-23 09:07:57
                  • 'respond' :D -nt- - LtKer Bastian 2004-03-23 11:16:40
                  • RE: To be honest... - Maj zaydana 2004-03-23 09:25:26
                    • GPL... just fork it. ;) -nt- - Ret. Mar Ikioi 2004-03-23 11:39:41
                      • Ikioi [more] - Lt Obscurity 2004-03-24 10:21:14