[BETA] phpBB Passport 0.2.2 (NOW OUT!)

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
fleccy
Registered User
Posts: 275
Joined: Mon Oct 27, 2003 8:26 am
Location: Manchester, UK

Post by fleccy »

Yeah, can't wait for the next version, I'll be making a good style for it :D

danb00
Registered User
Posts: 1025
Joined: Sun Dec 15, 2002 9:41 pm
Location: Inside Mod:Extreme PHPBB

Post by danb00 »

I can't wait to get this back up!

my members liked it, and want to see it up and running

Maybe you could link to a file that also links to another file and gets lost in encryption or something.

I don't know, just helping :)

Or what about virtual links to the database or something?
phpBBModded.com - Modding phpBB

fleccy
Registered User
Posts: 275
Joined: Mon Oct 27, 2003 8:26 am
Location: Manchester, UK

Post by fleccy »

or make a confusion system lol

psoTFX
Former Team Member
Posts: 7425
Joined: Tue Jul 03, 2001 8:50 pm

Post by psoTFX »

WebspaceUK wrote: I know that... now!

When you're working on something like this, security should've been number one on your list of priorities.
WebspaceUK wrote: That MOD before "could" have worked, if it was in something like Zend, however I find now giving out SQL information is a far too high security risk.

sigh, you've missed the major point ... you were communicating, over an insecure socket, a username and a password to your database. It's not hard to grab that data and make use of it, your entire database could've been downloaded. And because the data wasn't appropriately encrypted within that database (remember a cipher =/= a few iterations through zlib ;)) it would've been perfectly understandable and immediately useful to anyone.

Relying on Zend encoding to cover up this sort of thing is a big no no. If it were an internal only application buried away from the peering eyes of other employees you may have, perhaps, possibly been okay. But it wasn't, it was an application designed to be installed by the general populace. Thus from the very outset all your communications should've been abstracted.
WebspaceUK wrote: Before I publish it again, would someone from phpBB want to check it?

Personally? No ... but what I would like you to do (and what the Mod team will insist on with my full support) is that you do not release anything here until you're completely satisfied that:

a) Personal data cannot be obtained except via an abstracted (SOAP et al) interface
b) That communications whereby the username/password pair are exchanged are secure
c) That data in the database be secured thus limiting damage should it be compromised
d) That yourself and your users understand and agree to the legal implications of storing mass third party data for which you, yourself are not directly responsible

I'm sure there are other things I've forgotten ... but that'll keep you going I suspect :D It may sound like we're being harsh but we're trying to ensure "our" users are not unknowingly exposing their data.
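Two of psoTFX's points above, that a few passes through zlib are not a cipher and that data at rest must be secured so a copied database is not immediately useful, illustrated as an added Python example. This is not code from the thread or from phpBB Passport; the record contents are constructed and the PBKDF2 parameters are the example's own choice:

```python
import hashlib
import hmac
import os
import zlib
from typing import Optional

# Constructed sample record of the kind the thread describes: a username and
# a database password travelling together, "protected" by zlib passes only.
SAMPLE_RECORD = b"username=alice;db_password=s3cret-db-pass"


def obfuscate_with_zlib(data: bytes, rounds: int = 3) -> bytes:
    """Run the data through zlib several times: the non-cipher psoTFX warns about."""
    for _ in range(rounds):
        data = zlib.compress(data)
    return data


def recover_from_zlib(blob: bytes, rounds: int = 3) -> bytes:
    """No key is involved, so anyone holding the blob can undo every round."""
    for _ in range(rounds):
        blob = zlib.decompress(blob)
    return blob


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest rather than a recoverable secret,
    so a copied users table does not hand out working passwords."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    blob = obfuscate_with_zlib(SAMPLE_RECORD)
    print("zlib 'protected' record recovered without any key:",
          recover_from_zlib(blob) == SAMPLE_RECORD)
    stored = hash_password("s3cret-db-pass")
    print("stored form:", stored)
    print("verify correct:", verify_password("s3cret-db-pass", stored))
    print("verify wrong:  ", verify_password("guess", stored))
```

The first pair of functions makes the point concretely: whatever the number of zlib rounds, the receiver needs nothing but the blob to get the plaintext back. The second pair is the usual answer to point (c): the database keeps a salted, iterated digest, and a stolen copy yields no password without a per-entry brute-force effort.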

ElizabeththeGrey
Registered User
Posts: 118
Joined: Sun Nov 16, 2003 5:52 pm

Post by ElizabeththeGrey »

What about PayPal's IPN system? I think that using a system similar to theirs might work:

Initiate https connection to central server, using POST to submit md5($password) and username. Retrieve data (CSV or other format?).

WebspaceUK
Registered User
Posts: 56
Joined: Sun Feb 08, 2004 3:16 pm

Post by WebspaceUK »

psoTFX wrote:
WebspaceUK wrote:I know that... now!

When you're working on something like this, security should've been number one on your list of priorities.
WebspaceUK wrote: That MOD before "could" have worked, if it was in something like Zend, however I find now giving out SQL information is a far too high security risk.

sigh, you've missed the major point ... you were communicating, over an insecure socket, a username and a password to your database. It's not hard to grab that data and make use of it, your entire database could've been downloaded. And because the data wasn't appropriately encrypted within that database (remember a cipher =/= a few iterations through zlib ;)) it would've been perfectly understandable and immediately useful to anyone.

Relying on Zend encoding to cover up this sort of thing is a big no no. If it were an internal only application buried away from the peering eyes of other employees you may have, perhaps, possibly been okay. But it wasn't, it was an application designed to be installed by the general populace. Thus from the very outset all your communications should've been abstracted.
WebspaceUK wrote: Before I publish it again, would someone from phpBB want to check it?

Personally? No ... but what I would like you to do (and what the Mod team will insist on with my full support) is that you do not release anything here until you're completely satisfied that:

a) Personal data cannot be obtained except via an abstracted (SOAP et al) interface
b) That communications whereby the username/password pair are exchanged are secure
c) That data in the database be secured thus limiting damage should it be compromised
d) That yourself and your users understand and agree to the legal implications of storing mass third party data for which you, yourself are not directly responsible

I'm sure there are other things I've forgotten ... but that'll keep you going I suspect :D It may sound like we're being harsh but we're trying to ensure "our" users are not unknowingly exposing their data.


Hi,

You have to be harsh when it comes to user details, and I fully understand that. I am not taking this as a "Don't bother" or "Stupid idea", I am taking this as greatly valued advice from someone who has put in the effort to help us.

We did have security top priority, however including SQL information was a bad mistake, which I have learnt not to do in future releases.

I have already begun the work on the (nu)SOAP and making sure everything is secure. We have installed an SSL certificate on our servers which should increase the security with logins.

I will note down that post and work as hard as possible to make sure that we are 110% sure they are secure.

Thank you for the time put into making that post, and I really appreciate your support,

Regards,

James Parmee Morris

Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Post by Arty »

WebspaceUK wrote: We did have security top priority, however including SQL information was a bad mistake, which I have learnt not to do in future releases.

No, you didn't. All you did was simply encode PHP. You didn't even bother to set MySQL privileges to SELECT, and because of it everyone could easily modify the database (and if I'm not mistaken that is exactly why the website was brought down).

And the thing that I hate most about your total incompetence: you included ads in the code without users knowing about it, and you lied to users, saying that ads are set on the server while ads were set in passport.php.

But I hope you learned your lesson and the next version will be secure and without hidden adware/spyware.
Vjacheslav Trushkin / Arty.
Free phpBB 3.1 styles | New project: Iconify - modern SVG framework

WebspaceUK
Registered User
Posts: 56
Joined: Sun Feb 08, 2004 3:16 pm

Post by WebspaceUK »

CyberAlien wrote:
WebspaceUK wrote:We did have security top priority, however including SQL information was a bad mistake, which I have learnt not to do in future releases.

No, you didn't. All you did was simply encode PHP. You didn't even bother to set MySQL privileges to SELECT, and because of it everyone could easily modify the database (and if I'm not mistaken that is exactly why the website was brought down).

And the thing that I hate most about your total incompetence: you included ads in the code without users knowing about it, and you lied to users, saying that ads are set on the server while ads were set in passport.php.

But I hope you learned your lesson and the next version will be secure and without hidden adware/spyware.


Hello,

We had brought down the website as soon as we found out how weak our security was.

The adverts were set on the server as they were received from phpBBServers, not implanted in the passport.php file (only JavaScript to get the advert from our server). We did not lie about this.

As I have stated in a post on page 2 or around there, we will NOT be including adverts in the file, and I do not see why this has been brought up again, but I do understand your anger at adding advertising and, as stated, we will remove it, as we are trying to oblige all of phpBB's requests.

We have learnt our lesson and are working hard on making this version secure. Thanks again psoTFX for your great post, it's extremely useful in helping us make it secure.

Thank you,

James Parmee Morris
Last edited by WebspaceUK on Wed Feb 18, 2004 10:44 pm, edited 2 times in total.

Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Post by Arty »

WebspaceUK wrote: The adverts were set on the server as they were received from phpBBServers, not implanted in the passport.php file (only JavaScript to get the advert from our server). We did not lie about this.

You did. That JavaScript is what controls ads on pages. If that JavaScript is removed from passport.php there are no ads.
Vjacheslav Trushkin / Arty.
Free phpBB 3.1 styles | New project: Iconify - modern SVG framework

WebspaceUK
Registered User
Posts: 56
Joined: Sun Feb 08, 2004 3:16 pm

Post by WebspaceUK »

CyberAlien wrote:
WebspaceUK wrote: The adverts were set on the server as they were received from phpBBServers, not implanted in the passport.php file (only JavaScript to get the advert from our server). We did not lie about this.

You did. That JavaScript is what controls ads on pages. If that JavaScript is removed from passport.php there are no ads.


Ok,

Well, I meant something else when I was talking to the user, I am sorry for the confusion. As I said, we have removed the advertising in the next version. ;)

Regards,

James Parmee Morris

WebspaceUK
Registered User
Posts: 56
Joined: Sun Feb 08, 2004 3:16 pm

Post by WebspaceUK »

Hello,

I hope it's OK to ask for everyone's opinion; if not, I am sorry.

I have developed the phpBBPassport using SOAP, and all validation on login is server-based, so there are no worries there.

One thing that is concerning me is whether or not I should encrypt the passport.php file or not.

No one's data is at risk of coming out of the system if you have not requested it to; however, I can imagine people editing the passport.php file and maybe adding the details to other forums etc. when logged in. Also they can add a feature to email the username and password when logged in (from the form).

If I encrypt it using Zend, I know that some users will not have Zend on their servers and so will not be able to run the script. At the moment I think security is far too important, even if some users will not use the mod.

I am currently running BETA tests by myself on http://www.phpbbpassport.com/passport.php.

I will not release it until I have privacy statements, terms and conditions, and more. However, I must say that the terms and conditions you agree to do back us up a bit, even without the new terms and conditions currently being organised:
As a user you agree to any information you have entered above being stored in a database. While this information will not be disclosed to any third party without your consent the webmaster, administrator and moderators cannot be held responsible for any hacking attempt that may lead to the data being compromised.

(Before anyone says anything, when you log in you're giving us permission to send your details to that specific forum, through SSL.)

The mod so far is being sent to PHP programmers high in their position to try and hack it for us; so far none of them have. If anyone is very good with PHP (and phpBB) please contact me using any method in my profile, that's if you wish to give up 10-20 minutes of your time to try and hack our fake database.

Thank you, and I look forward to your suggestions. Below is the specification I have currently added to BETA 0.2.0 as seen on our website:

Regards,

James Parmee Morris
This is an update. I have been working day and night since the BETAs have been taken down to make phpBBPassport Version 0.2.0. I have put in the following security measures:

- No SQL Information in any php files.
- phpBBPassport is using SOAP and XML to pass data through SSL (https)
- Cannot edit the passport.php file so that a malicious user could make duplicates of the system.
- Each passport.php file will be given out freely; however, I have decided that each website has the option to submit their website, and in return (after being checked) they will get the website added to the Secure Passport Forums list, and they will also get a badge which will link to the certificate to prove this, with a date of issue.
- Zend Encrypt (however I am still considering whether to Zend encrypt, as so far quite a lot of people's servers do not support Zend encryption; your ideas?)
- Private Key in php files which will be checked with the server file.
- Password sent through SSL and MD5'd for checking and sending details back.
- Logs on what forums people log in to, and unsuccessful logins.
- 3 unsuccessful logins = temp ban, reactivated through your email.

Any other security ideas, please let me know.

Thanks,

James P-M
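The last three items of the list above (logging which forum a user logs in to and every unsuccessful login, a temporary ban after 3 failures, reactivation through email), worked through as an added Python example. This is an assumed model of that design, not phpBB Passport's PHP; the demo credentials are constructed, the 15-minute lockout length is the example's own choice since the thread gives none, and `pending_reactivation_token` stands in for the mailer. One caveat for the "MD5'd password over SSL" item two lines earlier: the digest the client sends is itself the reusable credential, so the server side has to guard it exactly as it would a plaintext password, which is what the guard below does for whatever credential check it wraps:

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_FAILURES = 3            # the thread's "3 unsuccessful logins = temp ban"
LOCKOUT_SECONDS = 15 * 60   # assumed lockout length; the thread does not give one

# Constructed demo credentials. A real store would hold salted hashes only;
# plain strings are used here so the guard logic stays the focus.
DEMO_USERS = {"alice": "correct-pw", "bob": "hunter2"}


def demo_check(user: str, password: str) -> bool:
    """Credential check the guard wraps; any real check can be substituted."""
    expected = DEMO_USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8"))


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    reactivation_token: Optional[str] = None


class LoginGuard:
    """Failure counting, temporary lockout, audit log and e-mail reactivation
    around a credential check (an assumed model, not phpBB Passport's code)."""

    def __init__(self, check: Callable[[str, str], bool], now: Callable[[], float]):
        self._check = check
        self._now = now            # injectable clock so tests control time
        self._state: Dict[str, AccountState] = {}
        self.audit_log: List[str] = []

    def _log(self, event: str, user: str, forum: str) -> None:
        # One line per attempt: time, outcome, who, and which forum was used.
        self.audit_log.append("%d %s user=%s forum=%s" % (self._now(), event, user, forum))

    def login(self, user: str, password: str, forum: str) -> dict:
        st = self._state.setdefault(user, AccountState())
        now = self._now()
        if st.locked_until > now:
            self._log("LOCKED", user, forum)
            return {"ok": False, "reason": "locked"}
        if st.locked_until:        # a lock has expired on its own: count afresh
            st.failures, st.locked_until, st.reactivation_token = 0, 0.0, None
        if self._check(user, password):
            st.failures = 0
            self._log("LOGIN_OK", user, forum)
            return {"ok": True}
        st.failures += 1
        self._log("LOGIN_FAIL", user, forum)
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.reactivation_token = secrets.token_urlsafe(32)
            self._log("TEMP_BAN", user, forum)
            return {"ok": False, "reason": "locked"}
        return {"ok": False, "reason": "bad_credentials"}

    def pending_reactivation_token(self, user: str) -> Optional[str]:
        """What the mailer would put in the reactivation e-mail. The token is
        never returned to the client whose attempts triggered the ban."""
        st = self._state.get(user)
        return st.reactivation_token if st else None

    def reactivate(self, user: str, token: str) -> bool:
        """Clear the ban early when the e-mailed token is presented."""
        st = self._state.get(user)
        if st is None or st.reactivation_token is None:
            return False
        if not hmac.compare_digest(st.reactivation_token, token):
            return False
        st.failures, st.locked_until, st.reactivation_token = 0, 0.0, None
        self._log("REACTIVATED", user, "-")
        return True


if __name__ == "__main__":
    import time
    guard = LoginGuard(demo_check, time.time)
    for attempt in ("nope", "nope", "nope", "correct-pw"):
        print(guard.login("alice", attempt, "forum-a"))
    token = guard.pending_reactivation_token("alice")
    print("reactivated:", guard.reactivate("alice", token))
    print(guard.login("alice", "correct-pw", "forum-b"))
    print("\n".join(guard.audit_log))
```

The response to a locked account is the same whether or not the password was right, so a caller cannot use the lockout as an oracle; the audit log records the forum name on every attempt, which is the data the thread wants available when a ban or a suspicious login has to be investigated.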

fleccy
Registered User
Posts: 275
Joined: Mon Oct 27, 2003 8:26 am
Location: Manchester, UK

Post by fleccy »

If you need a tester I'll destroy my board for you :P j/k, if you need a tester I'll test :D

danb00
Registered User
Posts: 1025
Joined: Sun Dec 15, 2002 9:41 pm
Location: Inside Mod:Extreme PHPBB

Post by danb00 »

Don't encrypt it, as you saw what happened on my site when we did that.

It would not load, even though my server supported it :(

Demo of the nice 0.2.0 beta:
www.danb00.34sp.com/forum/passport.php

Also it looks good, and is more secure.
phpBBModded.com - Modding phpBB

Selven
Registered User
Posts: 291
Joined: Fri Nov 08, 2002 7:28 am

Post by Selven »


Could not insert data into users table

DEBUG MODE

SQL Error : 1062 Duplicate entry '1' for key 1

INSERT INTO phpbb_users (user_id, username, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_sig_bbcode_uid, user_avatar, user_avatar_type, user_viewemail, user_aim, user_yim, user_msnm, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_viewonline, user_notify, user_notify_pm, user_popup_pm, user_timezone, user_dateformat, user_lang, user_style, user_level, user_allow_pm, user_active, user_actkey, user_passport) VALUES(1, 'Selven', 1077274639, 'aaf7ccdf566f8e58612cc2aef2bc884d', 'selven@zaion.com', '', '', '', '', '', '', '','', '0', '0', '', '', '', '', '1', '0', '1', '1', '0', '1', '1', '0.00', 'D M d, Y g:i a', 'english', null, 0, 1, 1, null, 'Selven')

Line : 264
File : /usr/local/psa/home/vhosts/danb00.34sp.com/httpdocs/forum/passport.php
I tried with my phpBB Passport account!
No-more supporting phpBB

fleccy
Registered User
Posts: 275
Joined: Mon Oct 27, 2003 8:26 am
Location: Manchester, UK

Post by fleccy »

Works on my passport.
