Admin protection

I've never really had an issue with an admin area not being protected by .htaccess. Group permissions and the additional login form seem to work just fine ;). Would be nice if we could change the filename though, similarly to how you can change the admin directory in a few other forum software programs.
 
I'd assume that the admin.php file can be renamed... (assuming that references to admin.php in the code are done via a PHP variable similar to vBulletin). You could make it as inconspicuous as faq.php with some generic FAQ text for unauthorised users or you could even rename it 404.php then add some extra security like showing a 404 page if the user's usergroup isn't admin...

Possibilities are endless!
 
> I've never really had an issue with an admin area not being protected by .htaccess. Group permissions and the additional login form seem to work just fine ;). Would be nice if we could change the filename though, similarly to how you can change the admin directory in a few other forum software programs.
The problem is that if there's an exploit where you don't have to log in as a user, you can bypass any group permission.
Or just have an exploit one day that escalates usergroups to super admin...

Adding .htaccess ensures that, whatever exploit there might be that grants access, they run into a second security layer.
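As an added illustration of the "second layer" idea (this is not a snippet from the thread or from XenForo), here is an Apache 2.4 `.htaccess` fragment that puts HTTP Basic authentication in front of `admin.php` only, so the rest of the forum stays public. It assumes the directory is covered by `AllowOverride AuthConfig`, and that the password file `/etc/apache2/xf-admin.htpasswd` (a hypothetical path, outside the web root) was created with `htpasswd -cB` so the hashes are bcrypt rather than the weak default:

```apache
# Added example: second authentication layer in front of the admin script.
# Assumes Apache 2.4 and AllowOverride AuthConfig for this directory.
<Files "admin.php">
    AuthType Basic
    AuthName "Admin area"
    # Hypothetical path; keep the htpasswd file outside the document root
    AuthUserFile /etc/apache2/xf-admin.htpasswd
    # Require both a valid Basic-auth user and a trusted source address
    # (replace 203.0.113.0/24 with your own admin network, or drop the line)
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24
    </RequireAll>
</Files>
```

Because Apache evaluates this before PHP runs, an application-level bug that skips the forum's own login or escalates a usergroup still cannot reach `admin.php` without the Basic-auth credentials. Check it with `apachectl configtest` after editing, and confirm from an unauthenticated browser that `admin.php` returns 401 while normal pages still load.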
 
If you need a .htaccess, then something is wrong. ;)

Mike and Kier should actually hold a security contest - set up a test board on a subdomain, populate it with content, and then challenge anyone to hack it in some way and do something (change content, change admin settings, login as an admin or another user, etc. - based on the rules of the contest, also, server vulnerabilities don't count - it has to be through the software) and anyone who can find a hole gets a free XF license. :) That would be a very fast way to find any possible security holes, and at a very low cost to them (not to mention a few lucky people get free XF licenses!). :)
 
> If you need a .htaccess, then something is wrong. ;)
>
> Mike and Kier should actually hold a security contest - set up a test board on a subdomain, populate it with content, and then challenge anyone to hack it in some way and do something (change content, change admin settings, login as an admin or another user, etc. - based on the rules of the contest, also, server vulnerabilities don't count - it has to be through the software) and anyone who can find a hole gets a free XF license. :) That would be a very fast way to find any possible security holes, and at a very low cost to them (not to mention a few lucky people get free XF licenses!). :)
As interesting as this sounds, I'm pretty sure if any vulnerabilities were to be tested they'd have been done on this site... people are dying to see that backend!
 
> As interesting as this sounds, I'm pretty sure if any vulnerabilities were to be tested they'd have been done on this site... people are dying to see that backend!
If you try to test vulnerabilities on this site and you succeed (or even if you fail), you're in trouble. Setting up a test forum specifically for this purpose would allow people to test vulnerabilities without attacking the live forum. :)
 
> If you try to test vulnerabilities on this site and you succeed (or even if you fail), you're in trouble. Setting up a test forum specifically for this purpose would allow people to test vulnerabilities without attacking the live forum. :)
A few of us did XSS testing with no repercussions... except Kier stating that we'd be lucky to get anywhere :P
 
> A few of us did XSS testing with no repercussions... except Kier stating that we'd be lucky to get anywhere :P
Well, at least it sounds like he condoned it (do you have a link to the thread?). I still think setting up a contest like this would be awesome, as people would actually try hard and you could try whatever you wanted without fear of repercussions. :)
 