It can be done by yourself on your own server. Not all people use htaccess-compatible web servers.
In fact, this is a possibility to....change the admin directory in a few other forum software programs.
No! Trying to accomplish security through obscurity?
> Trying to accomplish security through obscurity?

Obscurity can sometimes add security. If the page is named something inconspicuous and the content displayed to them is relevant to this inconspicuous page it can add some security.
> I've never really had an issue with an admin area not being protected by .htaccess. Group permissions and the additional login form seem to work just fine. Would be nice if we could change the filename though, similarly to how you can change the admin directory in a few other forum software programs.

The problem is that if there's an exploit where you don't have to log in as a user, you can bypass any group permission.
Yeah, that's right. But ... the first security layer cost NO penny....they run into a second security layer.
> If you need a .htaccess, then something is wrong.

As interesting as this sounds, I'm pretty sure if any vulnerabilities were to be tested they'd've been done on this site... people are dying to see that backend!
Mike and Kier should actually hold a security contest - set up a test board on a subdomain, populate it with content, and then challenge anyone to hack it in some way and do something (change content, change admin settings, log in as an admin or another user, etc. - based on the rules of the contest, also, server vulnerabilities don't count - it has to be through the software) and anyone who can find a hole gets a free XF license. That would be a very fast way to find any possible security holes, and at a very low cost to them (not to mention a few lucky people get free XF licenses!).
> As interesting as this sounds, I'm pretty sure if any vulnerabilities were to be tested they'd've been done on this site... people are dying to see that backend!

If you try to test vulnerabilities on this site and you succeed (or even if you fail), you're in trouble. Setting up a test forum specifically for this purpose would allow people to test vulnerabilities without attacking the live forum.
> If you try to test vulnerabilities on this site and you succeed (or even if you fail), you're in trouble. Setting up a test forum specifically for this purpose would allow people to test vulnerabilities without attacking the live forum.

A few of us did XSS testing with no repercussions... except Kier stating that we'd be lucky to get anywhere
> A few of us did XSS testing with no repercussions... except Kier stating that we'd be lucky to get anywhere

Well, at least it sounds like he condoned it (do you have a link to the thread?). I still think setting up a contest like this would be awesome, as people would actually try hard and you could try whatever you wanted without fear of repercussions.
> People on bad hosting, don't have .htaccess

Surely you're not telling me people running Lighttpd or nginx run a bad server?