
Admin protection

Mr_Bob

Well-known member
#5
I've never really had an issue with an admin area not being protected by .htaccess. Group permissions and the additional login form seem to work just fine ;). Would be nice if we could change the filename though, similarly to how you can change the admin directory in a few other forum software programs.
 

James

Well-known member
#7
I'd assume that the admin.php file can be renamed... (assuming that references to admin.php in the code are done via a PHP variable similar to vBulletin). You could make it as inconspicuous as faq.php with some generic FAQ text for unauthorised users or you could even rename it 404.php then add some extra security like showing a 404 page if the user's usergroup isn't admin...

possibilities are endless!
 

Floris

Guest
#11
> I've never really had an issue with an admin area not being protected by .htaccess. Group permissions and the additional login form seem to work just fine ;). Would be nice if we could change the filename though, similarly to how you can change the admin directory in a few other forum software programs.

The problem is that if there's an exploit where you don't have to login as a user, you can bypass any group permission.
Or just have an exploit one day that escalates usergroups to super admin...

Adding htaccess ensures that whatever exploit there might be that grants access, that they run into a second security layer.
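The second layer Floris describes, as an added example (not from this thread, and not XenForo's own configuration): an Apache `.htaccess` fragment that gates the admin script at the web server, before any PHP runs, so an application-level auth bypass or privilege escalation still hits a credential the application never sees. It assumes Apache 2.4 with mod_auth_basic and mod_authz_core, that the admin script is `admin.php` in the directory holding this `.htaccess`, and a password file path and IP range that are placeholders.

```apache
# Added example, not the thread's or XenForo's own configuration.
# Assumes Apache 2.4, mod_auth_basic, mod_authz_core, and that this
# .htaccess sits in the directory containing admin.php.
<Files "admin.php">
    AuthType Basic
    AuthName "Administration"
    # Password file kept outside the web root (placeholder path), created with:
    #   htpasswd -B -c /etc/apache2/forum-admin.htpasswd alice
    AuthUserFile /etc/apache2/forum-admin.htpasswd

    # Both conditions must hold: a valid Basic-auth user AND a client address
    # in the allowed range (placeholder range; drop the Require ip line if
    # admins have no fixed addresses).
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24
    </RequireAll>
</Files>
```

Because the check is evaluated by Apache before the request reaches PHP, a bug in the forum's login or usergroup handling cannot remove it; the trade-off is that Basic auth sends the credential on every request, so this belongs behind HTTPS, and `AllowOverride` must permit `AuthConfig` and `Limit` in this directory for the fragment to take effect at all. Verify with a browser or `curl -I https://example.invalid/admin.php` (placeholder host): an unauthenticated request must return 401, not the admin login page.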
 

Erik

Well-known member
#13
If you need a .htaccess, then something is wrong. ;)

Mike and Kier should actually hold a security contest - set up a test board on a subdomain, populate it with content, and then challenge anyone to hack it in some way and do something (change content, change admin settings, login as an admin or another user, etc. - based on the rules of the contest, also, server vulnerabilities don't count - it has to be through the software) and anyone who can find a hole gets a free XF license. :) That would be a very fast way to find any possible security holes, and at a very low cost to them (not to mention a few lucky people get free XF licenses!). :)
 

James

Well-known member
#14
> If you need a .htaccess, then something is wrong. ;)
>
> Mike and Kier should actually hold a security contest - set up a test board on a subdomain, populate it with content, and then challenge anyone to hack it in some way and do something (change content, change admin settings, login as an admin or another user, etc. - based on the rules of the contest, also, server vulnerabilities don't count - it has to be through the software) and anyone who can find a hole gets a free XF license. :) That would be a very fast way to find any possible security holes, and at a very low cost to them (not to mention a few lucky people get free XF licenses!). :)

As interesting as this sounds, I'm pretty sure if any vulnerabilities were to be tested they'd've been done on this site... people are dying to see that backend!
 

Erik

Well-known member
#15
> As interesting as this sounds, I'm pretty sure if any vulnerabilities were to be tested they'd've been done on this site... people are dying to see that backend!

If you try to test vulnerabilities on this site and you succeed (or even if you fail), you're in trouble. Setting up a test forum specifically for this purpose would allow people to test vulnerabilities without attacking the live forum. :)
 

James

Well-known member
#16
> If you try to test vulnerabilities on this site and you succeed (or even if you fail), you're in trouble. Setting up a test forum specifically for this purpose would allow people to test vulnerabilities without attacking the live forum. :)

A few of us did XSS testing with no repercussions... except Kier stating that we'd be lucky to get anywhere :p
 

Erik

Well-known member
#17
> A few of us did XSS testing with no repercussions... except Kier stating that we'd be lucky to get anywhere :p

Well, at least it sounds like he condoned it (do you have a link to the thread?). I still think setting up a contest like this would be awesome, as people would actually try hard and you could try whatever you wanted without fear of repercussions. :)