psoTFX wrote:
WebspaceUK wrote: I know that... now!
When you're working on something like this, security should've been number one on your list of priorities.
WebspaceUK wrote: That MOD before could have worked if it was in something like Zend; however, I find now that giving out SQL information is a far too high security risk.
Sigh, you've missed the major point ... you were communicating, over an insecure socket, a username and a password to your database. It's not hard to grab that data and make use of it; your entire database could've been downloaded. And because the data wasn't appropriately encrypted within that database (remember, a cipher =/= a few iterations through zlib) it would've been perfectly understandable and immediately useful to anyone.
Relying on Zend encoding to cover up this sort of thing is a big no-no. If it were an internal-only application buried away from the peering eyes of other employees you may have, perhaps, possibly been okay. But it wasn't; it was an application designed to be installed by the general populace. Thus from the very outset all your communications should've been abstracted.
WebspaceUK wrote: Before I publish it again, would someone from phpBB want to check it?
Personally? No ... but what I would like you to do (and what the Mod team will insist on, with my full support) is that you do not release anything here until you're completely satisfied that:
a) Personal data cannot be obtained except via an abstracted (SOAP et al.) interface
b) Communications whereby the username/password pair are exchanged are secure
c) Data in the database is secured, thus limiting damage should it be compromised
d) You and your users understand and agree to the legal implications of storing mass third-party data for which you yourself are not directly responsible
I'm sure there are other things I've forgotten ... but that'll keep you going, I suspect. It may sound like we're being harsh, but we're trying to ensure "our" users are not unknowingly exposing their data.
CyberAlien wrote:
WebspaceUK wrote: We did have security as top priority; however, including SQL information was a bad mistake, which I have learnt not to do in future releases.
No, you didn't. All you did was simply encode PHP. You didn't even bother to set MySQL privileges to SELECT, and because of it everyone could easily modify the database (and if I'm not mistaken that is exactly why the website was brought down).
And the thing that I hate most about your total incompetence: you included ads in the code without users knowing about it, and you lied to users saying that the ads are set on the server while the ads were set in passport.php.
But I hope you learned your lesson and the next version will be secure and without hidden adware/spyware.
As a user you agree to any information you have entered above being stored in a database. While this information will not be disclosed to any third party without your consent, the webmaster, administrator and moderators cannot be held responsible for any hacking attempt that may lead to the data being compromised.
This is an update. I have been working day and night since the BETAs were taken down to make phpBBPassport Version 0.2.0. I have put in the following security measures:
- No SQL information in any PHP files.
- phpBBPassport uses SOAP and XML to pass data through SSL (https).
- The passport.php file cannot be edited, so that a malicious user could not make duplicates of the system.
- Each passport.php file will be given out freely; however, I have decided that each website has the option to submit their website, and in return (after being checked) they will get the website added to the Secure Passport Forums list, and they will also get a badge which will link to the certificate to prove this, with a date of issue.
- Zend encryption (however, I am still considering whether to Zend encrypt, as so far quite a lot of people's servers are not Zend-encrypt enabled; your ideas?)
- Private key in PHP files which will be checked against the server file.
- Password sent through SSL and MD5'd for checking and sending details back.
- Logs of which forums people log in to, and unsuccessful logins.
- 3 unsuccessful logins = temp ban, reactivated through your email.
Any other security ideas, please let me know.
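psoTFX's point that a few passes through zlib are not a cipher, and the update's item (c)-style goal of keeping stored credentials useless if the database leaks, can be shown side by side. This is an added Python example, not code from the thread or from phpBBPassport; the credential string is a constructed sample, and PBKDF2 is this editor's choice of one-way storage, not the MOD's MD5 scheme.

```python
import hashlib
import hmac
import os
import zlib

# Constructed sample of the kind of credential the MOD shipped inside a PHP file.
SAMPLE_CREDENTIAL = b"dbuser:hunter2@localhost/phpbb"


def zlib_obscure(data: bytes, rounds: int = 5) -> bytes:
    """The 'encryption' the thread criticises: run the bytes through zlib several times."""
    for _ in range(rounds):
        data = zlib.compress(data)
    return data


def is_zlib_stream(blob: bytes) -> bool:
    """RFC 1950 header check: deflate method (CM=8) and FCHECK valid. No key involved."""
    if len(blob) < 2 or (blob[0] & 0x0F) != 8:
        return False
    return ((blob[0] << 8) | blob[1]) % 31 == 0


def peel_zlib(blob: bytes, max_rounds: int = 64) -> bytes:
    """Recover the plaintext with no secret at all: inflate while it still looks like zlib."""
    for _ in range(max_rounds):
        if not is_zlib_stream(blob):
            break
        blob = zlib.decompress(blob)
    return blob


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """One-way, salted record: a leaked table yields no reusable password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    calc = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("recovered without a key:", peel_zlib(zlib_obscure(SAMPLE_CREDENTIAL, rounds=7)))
    rec = hash_password("hunter2")
    print("stored record:", rec, "verifies:", verify_password(rec, "hunter2"))
```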
Code:
Could not insert data into users table DEBUG MODE SQL Error : 1062 Duplicate entry '1' for key 1 INSERT INTO phpbb_users (user_id, username, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_sig_bbcode_uid, user_avatar, user_avatar_type, user_viewemail, user_aim, user_yim, user_msnm, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_viewonline, user_notify, user_notify_pm, user_popup_pm, user_timezone, user_dateformat, user_lang, user_style, user_level, user_allow_pm, user_active, user_actkey, user_passport) VALUES(1, 'Selven', 1077274639, 'aaf7ccdf566f8e58612cc2aef2bc884d', 'email@example.com', '', '', '', '', '', '', '','', '0', '0', '', '', '', '', '1', '0', '1', '1', '0', '1', '1', '0.00', 'D M d, Y g:i a', 'english', null, 0, 1, 1, null, 'Selven') Line : 264 File : /usr/local/psa/home/vhosts/danb00.34sp.com/httpdocs/forum/passport.php