
Admin protection

Discussion in 'XenForo Pre-Sales Questions' started by DSF, Aug 31, 2010.

  1. DSF

    DSF Well-Known Member

    I'm surprised that the admin.php is not protected with .htaccess.
    For security, I mean, that MUST be standard. ;)
     
    soloarquitectura likes this.
  2. Floris

    Floris Guest

    If they hack it now, then at least that security issue is found.
     
  3. Shamil

    Shamil Well-Known Member

    It can be done by yourself on your own server. Not all people use htaccess compatible web servers :)
     
  4. Floris

    Floris Guest

    People on bad hosting, don't have .htaccess ;)
     
  5. Mr_Bob

    Mr_Bob Well-Known Member

    I've never really had an issue with an admin area not being protected by .htaccess. Group permissions and the additional login form seem to work just fine ;). Would be nice if we could change the filename though, similarly to how you can change the admin directory in a few other forum software programs.
     
  6. DSF

    DSF Well-Known Member

    In fact, this is a possibility too.
     
  7. James

    James Well-Known Member

    I'd assume that the admin.php file can be renamed... (assuming that references to admin.php in the code are done via a PHP variable similar to vBulletin). You could make it as inconspicuous as faq.php with some generic FAQ text for unauthorised users or you could even rename it 404.php then add some extra security like showing a 404 page if the user's usergroup isn't admin...

    possibilities are endless!
     
  8. ManagerJosh

    ManagerJosh Well-Known Member

    Trying to accomplish security through obscurity?
     
    Been Told and James like this.
  9. DSF

    DSF Well-Known Member

    No!
    Rename AND .htaccess is the way
     
  10. James

    James Well-Known Member

    Obscurity can sometimes add security. If the page is named something inconspicuous and the content displayed to them is relevant to this inconspicuous page it can add some security :cool:
     
  11. Floris

    Floris Guest

    The problem is that if there's an exploit where you don't have to login as a user, you can bypass any group permission.
    or just have an exploit one day that escalates usergroups to super admin ..

    Adding htaccess ensures that whatever exploit there might be that grants access, that they run into a second security layer.
     
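    Floris's point above (a web-server login in front of admin.php still holds when an application-level exploit bypasses the forum's own login or escalates a usergroup) and the objection from Shamil and Lost that not every server reads .htaccess, worked as an added example that is not XenForo's own code or configuration: a POSIX shell script that writes the Apache .htaccess, the equivalent nginx location block, and the password file, then checks the result. The realm name, all paths, the PHP-FPM socket and the sample credentials are assumptions to adjust for a real install.

```shell
#!/bin/sh
# Added example, not XenForo's own configuration. Assumes Apache 2.4 with
# mod_auth_basic and AllowOverride AuthConfig for the forum directory (or nginx
# with ngx_http_auth_basic_module), and openssl on the admin host.
# Every path, the realm name and the PHP-FPM socket are placeholders.
set -e

# Emit one .htpasswd line. "-apr1" is the Apache-flavoured MD5 crypt that
# Apache 2.x and nginx both accept; use `htpasswd -B` for bcrypt where the
# htpasswd tool exists. The password goes in on stdin so it never shows in ps.
htpasswd_entry() {
  user=$1; password=$2
  printf '%s:%s\n' "$user" "$(printf '%s' "$password" | openssl passwd -apr1 -stdin)"
}

# .htaccess that wraps only admin.php in a second, web-server-level login.
# Everything else keeps serving normally, so the forum's own login still
# applies behind this one; an app-level auth bypass lands on this prompt first.
write_apache_htaccess() {
  docroot=$1; htpasswd_file=$2
  cat > "$docroot/.htaccess" <<EOF
# Second authentication layer in front of the forum admin control panel.
<Files "admin.php">
    AuthType Basic
    AuthName "Forum administration"
    AuthUserFile $htpasswd_file
    Require valid-user
</Files>
EOF
}

# nginx has no .htaccess; the equivalent is an exact-match location. It takes
# precedence over the site's generic "\.php$" handler, so the FastCGI hand-off
# must be repeated here (the socket path is an assumption).
write_nginx_snippet() {
  out=$1; htpasswd_file=$2
  cat > "$out" <<EOF
location = /admin.php {
    auth_basic           "Forum administration";
    auth_basic_user_file $htpasswd_file;
    include              fastcgi_params;
    fastcgi_param        SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    fastcgi_pass         unix:/run/php-fpm.sock;
}
EOF
}

# Sanity checks to run before reloading the server. Returns non-zero if the
# directives are missing or if the password file sits inside the document
# root, where it would itself be downloadable.
check_protection() {
  docroot=$1; htpasswd_file=$2
  grep -q '<Files "admin.php">' "$docroot/.htaccess" &&
  grep -q 'Require valid-user'  "$docroot/.htaccess" &&
  grep -q '^[^:]*:\$apr1\$'     "$htpasswd_file" &&
  case "$htpasswd_file" in "$docroot"/*) return 1 ;; *) return 0 ;; esac
}

# Stand-alone demo on a temporary tree (constructed paths, not a real site).
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d); mkdir -p "$tmp/www" "$tmp/private"
  htpasswd_entry board_admin 'correct horse battery staple' > "$tmp/private/.htpasswd"
  write_apache_htaccess "$tmp/www" "$tmp/private/.htpasswd"
  write_nginx_snippet "$tmp/admin.conf" "$tmp/private/.htpasswd"
  check_protection "$tmp/www" "$tmp/private/.htpasswd" && echo "admin.php protection looks sane"
  rm -rf "$tmp"
fi
```

    Run it as `sh protect_admin.sh demo` to see the generated files. Two caveats a deployer should keep in mind: the password file must live outside the document root (the check enforces this), and HTTP Basic only base64-encodes the credentials, so the admin URL has to be served over HTTPS or the second layer leaks a second password.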
  12. DSF

    DSF Well-Known Member

    Yeah, that's right. But ... the first security layer cost NO penny. :D
     
  13. Erik

    Erik Well-Known Member

    If you need a .htaccess, then something is wrong. ;)

    Mike and Kier should actually hold a security contest - setup a test board on a subdomain, populate it with content, and then challenge anyone to hack it in some way and do something (change content, change admin settings, login as an admin or another user, etc. - based on the rules of the contest, also, server vulnerabilities don't count - it has to be through the software) and anyone who can find a hole gets a free XF license. :) That would be a very fast way to find any possible security holes, and at a very low cost to them (not to mention a few lucky people get free XF licenses!). :)
     
    James likes this.
  14. James

    James Well-Known Member

    As interesting as this sounds, I'm pretty sure if any vulnerabilities were to be tested they'd have been done on this site... people are dying to see that backend!
     
  15. Erik

    Erik Well-Known Member

    If you try to test vulnerabilities on this site and you succeed (or even if you fail), you're in trouble. Setting up a test forum specifically for this purpose would allow people to test vulnerabilities without attacking the live forum. :)
     
  16. James

    James Well-Known Member

    A few of us did XSS testing with no repercussions... except Kier stating that we'd be lucky to get anywhere :p
     
  17. Erik

    Erik Well-Known Member

    Well, at least it sounds like he condoned it (do you have a link to the thread?). I still think setting up a contest like this would be awesome, as people would actually try hard and you could try whatever you wanted without fear of repercussions. :)
     
  18. James

    James Well-Known Member

  19. dutchbb

    dutchbb Well-Known Member

    I have it too, but the way it is now also shows that they're self confident about their software security.
     
    Lawrence likes this.
  20. Lost

    Lost Well-Known Member

    Surely you're not telling me people running Lighttpd or nginx run a bad server? :p
     