Admin protection

Floris

Guest
If they hack it now, then at least that security issue is found.
 

Shamil

Well-known member
It can be done by yourself on your own server. Not all people use htaccess compatible web servers :)
 

Mr_Bob

Well-known member
I've never really had an issue with an admin area not being protected by .htaccess. Group permissions and the additional login form seem to work just fine ;). Would be nice if we could change the filename though, similarly to how you can change the admin directory in a few other forum software programs.
 

James

Well-known member
I'd assume that the admin.php file can be renamed... (assuming that references to admin.php in the code are done via a PHP variable similar to vBulletin). You could make it as inconspicuous as faq.php with some generic FAQ text for unauthorised users or you could even rename it 404.php then add some extra security like showing a 404 page if the user's usergroup isn't admin...

possibilities are endless!
 

James

Well-known member
Trying to accomplish security through obscurity?
Obscurity can sometimes add security. If the page is named something inconspicuous and the content displayed to them is relevant to this inconspicuous page it can add some security :cool:
 
Floris

Guest
I've never really had an issue with an admin area not being protected by .htaccess. Group permissions and the additional login form seem to work just fine ;). Would be nice if we could change the filename though, similarly to how you can change the admin directory in a few other forum software programs.
The problem is that if there's an exploit where you don't have to log in as a user, you can bypass any group permission.
Or just have an exploit one day that escalates usergroups to super admin...

Adding .htaccess ensures that, whatever exploit there might be that grants access, they run into a second security layer.
 
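The "second security layer" Floris describes, as an added example that is not from this thread or from the forum software: an Apache .htaccess that gates admin.php behind HTTP Basic auth and a source-address allow list, so a flaw in the application's own login or permission checks still has to get past the web server first. The password-file path, realm name and IP range are assumptions.

```apache
# Added example: defence in depth for the admin entry point.
# Assumes Apache 2.4 (Require syntax), AllowOverride AuthConfig and Limit
# enabled for this directory, and a password file created outside the web
# root with:  htpasswd -c /etc/apache2/xf-admin.htpasswd alice
# (path is an assumption; keep it somewhere the web server cannot serve).
<Files "admin.php">
    AuthType Basic
    AuthName "Administration"
    AuthUserFile "/etc/apache2/xf-admin.htpasswd"

    # Both conditions must hold: a valid Basic-auth user AND a trusted
    # source address. 203.0.113.0/24 is a documentation range; replace it,
    # or drop the "Require ip" line if admins connect from changing addresses.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24
    </RequireAll>
</Files>

# If a password file is ever placed under the web root, refuse to serve it.
<Files ".htpasswd">
    Require all denied
</Files>
```

As Shamil notes, this only works where .htaccess is honoured; on nginx the equivalent is an `auth_basic` directive in a `location` block of the server configuration, since there is no per-directory override file.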

Erik

Well-known member
If you need a .htaccess, then something is wrong. ;)

Mike and Kier should actually hold a security contest - set up a test board on a subdomain, populate it with content, and then challenge anyone to hack it in some way and do something (change content, change admin settings, login as an admin or another user, etc. - based on the rules of the contest, also, server vulnerabilities don't count - it has to be through the software) and anyone who can find a hole gets a free XF license. :) That would be a very fast way to find any possible security holes, and at a very low cost to them (not to mention a few lucky people get free XF licenses!). :)
 

James

Well-known member
If you need a .htaccess, then something is wrong. ;)

Mike and Kier should actually hold a security contest - set up a test board on a subdomain, populate it with content, and then challenge anyone to hack it in some way and do something (change content, change admin settings, login as an admin or another user, etc. - based on the rules of the contest, also, server vulnerabilities don't count - it has to be through the software) and anyone who can find a hole gets a free XF license. :) That would be a very fast way to find any possible security holes, and at a very low cost to them (not to mention a few lucky people get free XF licenses!). :)
As interesting as this sounds, I'm pretty sure if any vulnerabilities were to be tested they'd have been done on this site... people are dying to see that backend!
 

Erik

Well-known member
As interesting as this sounds, I'm pretty sure if any vulnerabilities were to be tested they'd have been done on this site... people are dying to see that backend!
If you try to test vulnerabilities on this site and you succeed (or even if you fail), you're in trouble. Setting up a test forum specifically for this purpose would allow people to test vulnerabilities without attacking the live forum. :)
 

James

Well-known member
If you try to test vulnerabilities on this site and you succeed (or even if you fail), you're in trouble. Setting up a test forum specifically for this purpose would allow people to test vulnerabilities without attacking the live forum. :)
A few of us did XSS testing with no repercussions... except Kier stating that we'd be lucky to get anywhere :p
 

Erik

Well-known member
A few of us did XSS testing with no repercussions... except Kier stating that we'd be lucky to get anywhere :p
Well, at least it sounds like he condoned it (do you have a link to the thread?). I still think setting up a contest like this would be awesome, as people would actually try hard and you could try whatever you wanted without fear of repercussions. :)
 

dutchbb

Well-known member
I'm surprised that the admin.php is not protected with .htaccess.
For security, I mean that MUST be standard. ;)
I have it too, but the way it is now also shows that they're self-confident about their software security.
 