[DEV] phpBB Security

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.
On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
aUsTiN-Inc
Registered User
Posts: 929
Joined: Fri Apr 16, 2004 10:31 am
Location: Georgia

[DEV] phpBB Security

Post by aUsTiN-Inc »

Current Version: 1.1.2

Recent exploits inspired me to freeze all the 'fun' mods & make a serious one, so I took some time & made a phpBB Security mod. With this, it should render exploits useless. Below is a feature list.


Due to the fact that coding opens exploits, which is inevitable, I am making
and releasing this security mod for phpBB based boards. The problem
is that with phpBB, if you have admin level, you have full access to
everything on the site. This is only a problem because exploits
allow malicious script kiddies to make themselves admins or make admin
accounts. So I plan to remedy that issue here.

-> Extra login box on the admin panel, so even if you have admin access,
you still cannot access the admin panel to delete users, delete
posts, rename things, etc. This is controlled by a .htaccess file &
a .phpbbsecurty file holding the info. There is no way in this mod
for admins to change this info; that would make it pointless & allow
some admins to lock other admins out, etc. Please read the bottom
of the install for instructions on how to set up your username & password.

-> Limit the number of failed tries on an account, meaning inputting
the wrong username & password for an account. The amount is set by the
admin. If this number is exceeded, the account is locked.

-> Added a security question and answer to the users table. Every user
will have to add this. It is built into the script to redirect anyone
who has not added this info to their profile so they can update it.

-> Force a user to unlock their account with the security question and
answer provided. If the account is locked, when they try to login, they
will be informed it's locked & given a link to unlock it. From there they
have to input the username & email on the account to see the security question.
Then they have to answer the question. The answers are stored as an MD5
hash so no one can see what people's answers are, for security purposes. If
they get it right, the account becomes unlocked & they can then login.

-> Admin notification feature. If an account becomes locked, the mod
will dispatch a PM to an admin; who it is sent to is configured
in the ACP. This feature has an off switch, so if you don't care to know
when accounts get locked, switch this off.

-> For security purposes, users can not change their security question
or answer. If they wish to change it, they need to contact an admin and
have the admin reset their SQ info.

-> Added some blocking features, this mod will try to help block attacks
such as DDoS, Clike, UNION & SQL Injection attacks.

-> Admins have the capability to lock or unlock anyone's account in the
User Management admin. They can also reset a user's SQ & SA info from
there.

-> Auto-ban IPs that are caught trying to use UNION, SQL Injection, Clike
or DDoS tricks. Admin chooses to use this feature or not.

-> Discard multiple sessions per ip, only store the newest one.

-> Keep sessions table rows under a certain amount. Admins can choose this
amount in the ACP. If the sessions table exceeds this amount of sessions, the
oldest ones will be deleted until it's under the set amount.

#==== Other Suggested Mods

-> Registration IP
-> Advanced IP Tracker
-> IP Search
Version 1.0.2:


#====
#==== V1.0.2
#====

-> Added session/cookie protection so no one can manipulate the auto login in any way. This
ensures & checks that the cookied password matches the cookied user id, since phpBB itself
doesn't do it when it needs to be done.

-> Added a configuration option for how many entries per page to show on the caught page,
since some people were being timed out or loading 404 pages from having too many per page.

-> Removed the edits to the Configuration section & added a separate admin section.

-> Added the ability for the oldest board admin to allow other admins to modify the special
fields.

-> Added the ability to block users based on user agent.

-> Added the ability to block users based on their referer.

-> Added user level protection, so every refresh it is reset, this way no user can manipulate
the board to pass off as a mod or admin.

-> Added a link to users profiles when they have to add a SQ & Answer, this was neglected in past
versions.

-> Fixed an insecure line of code; where & what won't be mentioned, but it's fixed nevertheless.

-> Added the proper check to make sure the include file is being included from your site &
not being included from an offsite script.

-> Added 3 levels of DDoS protection, since the current is a bit strong for some users.

-> Removed the version number, by popular request. But by doing this, you will now be asked
every time you post for support what version you are using.

-> Fixed the counter so it now adds multiple exploits again. With 1.0.1 the counter only added
one per IP even if they did try over & over on the same IP.

-> Added a message to the "phpBB Security Thinks You Should Go Away" for each reason someone
is reading it, so they will now know WHY they have been blocked & be given the boards email
to contact the admins if there was a mistake.

-> Added a quick "Member Tries" screen, so it will display any users who have posted & also
tried to exploit your site. It will also display what they did to be banned.

-> Added a "Quick Search" so if someone complains about being banned, you can input their IP
and find out why they were banned & optionally unban them from the same screen. This also
comes with a wildcard (partial match) or exact match choice.

-> Added an automated database backup system. So every day at a preset time (set by the admins) the
database will be backed up & saved to your FTP. This is on/off switchable in the ACP in case
you don't have the space to spare for this feature. But my suggestion is you leave it on & just
delete the old ones every couple of days; this way you always have a good copy of your database.

This will also block UNION passes, which are also popular in exploits. The feature list pretty much explains it all. Why no one has made something like this yet is beyond me, but nevertheless, I took the time to make it. I will get it tested by one or two people (when they wake up & sign on MSN) and get a beta released. It's running smoothly & flawlessly on my sites.

You're welcome to try & get into my account (aUsTiN) there by trying to guess the password. You have 4 guesses :p & then you will see the locked account feature. The concept is the same as lost password: you have to input the username & email, and it'll take ya from there.


I'm open for requests, if you can think of other things that can be done...

It can be downloaded & tested from Here
Last edited by aUsTiN-Inc on Thu Mar 31, 2005 10:27 am, edited 5 times in total.
¤ phpBB Security ¤ Blend Portal Creator ¤
¤ Activity Mod Plus Creator «« 2004 phpBBHacks "Hack" Of The Year ¤
¤ Activity Mod Plus Home ¤ 2004 phpBBHacks "Hack" Author Of The Year ¤
My mods are never done, always in update status!
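The lockout and security-question unlock described in the feature list above, as an added example that is not the mod's own code. The users-row field names, the admin limit of 4, the answer normalisation (case and spacing are the usual reason a right answer "fails") and the use of password_hash() in place of MD5 are this example's assumptions (PHP 8).

```php
<?php
// Added example, not the mod's code: the lockout-after-N-failures and the
// security-question unlock from the feature list. The account array stands in for
// a phpBB users row (field names assumed); answers use password_hash() in place
// of the unsalted MD5 the post mentions (swapped in, the flow is unchanged).
function normalizeAnswer(string $answer): string
{
    return mb_strtolower(trim((string) preg_replace('/\s+/u', ' ', $answer)));
}

function newAccount(string $user, string $pass, string $question, string $answer): array
{
    return ['username' => $user, 'password_hash' => password_hash($pass, PASSWORD_DEFAULT),
            'failed_tries' => 0, 'locked' => false, 'sq' => $question,
            'sa_hash' => password_hash(normalizeAnswer($answer), PASSWORD_DEFAULT)];
}

// Returns 'ok', 'bad' or 'locked'; $maxTries is the admin-set limit and the
// account locks once consecutive failures exceed it, staying locked until reset.
function attemptLogin(array &$acct, string $pass, int $maxTries): string
{
    if ($acct['locked']) {
        return 'locked';              // nothing is evaluated against a locked account
    }
    if (password_verify($pass, $acct['password_hash'])) {
        $acct['failed_tries'] = 0;    // a success clears the counter
        return 'ok';
    }
    if (++$acct['failed_tries'] > $maxTries) {
        $acct['locked'] = true;
        return 'locked';
    }
    return 'bad';
}

// Unlock only with the right security answer; anything else leaves it locked.
function unlockWithAnswer(array &$acct, string $answer): bool
{
    if (!$acct['locked'] || !password_verify(normalizeAnswer($answer), $acct['sa_hash'])) {
        return false;
    }
    $acct['locked'] = false;
    $acct['failed_tries'] = 0;
    return true;
}

$acct = newAccount('aUsTiN', 'correct-pass', 'First pet?', 'Rex');
// Five wrong guesses against a limit of 4: the fifth one locks the account.
for ($i = 1; $i <= 5; $i++) echo "guess $i: ", attemptLogin($acct, "wrong$i", 4), "\n";
echo 'unlock with " REX ": ', var_export(unlockWithAnswer($acct, ' REX '), true), "\n";
echo 'login after unlock: ', attemptLogin($acct, 'correct-pass', 4), "\n";
```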
deny
Registered User
Posts: 565
Joined: Wed May 14, 2003 9:14 am
Location: Find-Ip-Address.org

Post by deny »

It looks great and I'm interested to try it. However, I have already installed protection of the admin panel myself with .htaccess + .htpass where only my IP is allowed, and I already have Niels' mod for freezing an account if someone tries to login 3 times.
If you are going to develop this mod further, then please take a look at compatibility with Niels' mod (there are also max session mods from Niels).

btw

Is the code for this mod released? And where can I get this code?
aUsTiN-Inc
Registered User
Posts: 929
Joined: Fri Apr 16, 2004 10:31 am
Location: Georgia

Post by aUsTiN-Inc »

There would be no way to make 2 mods like that compatible without recoding one of them to do basically the same thing the other one does, so they both read the same fields. Which would be pointless when it's already fully coded into this.

The admin section, naturally if you already have it, just skip that section of the install :)

All the code is still on my desktop until I get it tested by a couple of people.
Shof515
Registered User
Posts: 1169
Joined: Wed Mar 19, 2003 4:36 am

Post by Shof515 »

So this is going to be better than Niels' mod? And before using this mod, do we need to uninstall Niels' mod?
Whos missing up my sig?
danb00
Registered User
Posts: 1025
Joined: Sun Dec 15, 2002 9:41 pm
Location: Inside Mod:Extreme PHPBB

Post by danb00 »

Why not base it on the vBulletin security?
So when you login to the ACP you can set the ACP session to time out after x time, so then you have to re-login to the ACP.
Either using the same password, or try and set it so there's a different password for the ACP.
phpBBModded.com - Modding phpBB
deny
Registered User
Posts: 565
Joined: Wed May 14, 2003 9:14 am
Location: Find-Ip-Address.org

Post by deny »

I think it would be better if, for all people who have Niels' mod (and there are a lot of people, including myself), a special installation guide came without that hack.
Otherwise I'll get confused about what needs to be done and what not.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

I've been considering doing a MOD like this, but I don't have time. :(

One thing that I can see at the moment is that the default config on Apache servers is to protect .ht*, and not .blah. Unless you went around that another way? You could also put it outside the web-accessible directory.
Proven Offensive Security Expertise. OSCP - GXPN
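One way to act on this point, as an added example that is not the mod's code: load the admin-panel credentials from a file kept outside the document root and refuse to run if the file turns out to be web-reachable. The directory layout, the username:hash file format and PHP 8 are assumptions of this example.

```php
<?php
// Added example, not the mod's code: the admin-panel credential check with the
// credential file kept outside the web root, as Techie-Micheal suggests. Stock
// Apache only denies names matching ".ht*", so a ".phpbbsecurity" dotfile inside
// the site would be served like any other file. Paths and the "username:hash"
// file format are assumptions made for this example.

function isUnderDocumentRoot(string $file, string $docRoot): bool
{
    $real = realpath($file);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return true;   // cannot prove it is outside the web root: fail closed
    }
    return $real === $root || str_starts_with($real, rtrim($root, '/') . '/');
}

function loadAdminCredential(string $file, string $docRoot): array
{
    if (isUnderDocumentRoot($file, $docRoot)) {
        throw new RuntimeException("refusing to use $file: it is web-reachable");
    }
    $parts = explode(':', trim((string) file_get_contents($file)), 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('credential file must contain "username:hash"');
    }
    return ['user' => $parts[0], 'hash' => $parts[1]];
}

// The extra login box: both comparisons always run, so a wrong username costs
// the same time as a wrong password.
function adminPanelLogin(string $user, string $pass, array $cred): bool
{
    $userOk = hash_equals($cred['user'], $user);
    $passOk = password_verify($pass, $cred['hash']);
    return $userOk && $passOk;
}

// Demo layout in a temp dir: <base>/htdocs is the web root, the file sits beside it.
$base = sys_get_temp_dir() . '/phpbbsec_' . bin2hex(random_bytes(4));
mkdir("$base/htdocs", 0700, true);
file_put_contents("$base/phpbbsecurity", 'austin:' . password_hash('s3cret', PASSWORD_DEFAULT));
$cred = loadAdminCredential("$base/phpbbsecurity", "$base/htdocs");
var_dump(adminPanelLogin('austin', 's3cret', $cred));
var_dump(adminPanelLogin('austin', 'wrong', $cred));

// A dotfile placed inside the web root is caught by the same check.
touch("$base/htdocs/.phpbbsecurity");
var_dump(isUnderDocumentRoot("$base/htdocs/.phpbbsecurity", "$base/htdocs"));
```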
harishankar
Registered User
Posts: 99
Joined: Tue Oct 26, 2004 3:37 pm

Post by harishankar »

This MOD sounds a great idea! But where do I download it?

Also, can some features be turned off, configurable in the admin panel? Like the user security question and so on. I don't want to annoy or turn off potential users by making them type extra things while registering. But the most important ones I want to keep, like the admin security password and blocking IPs who try to do SQL injections.
naderman
Consultant
Posts: 3736
Joined: Fri Aug 01, 2003 10:06 pm
Location: Berlin, Germany
Name: Nils Adermann

Post by naderman »

Hi

sounds useful, but what happens if you search for "mysql_query"?

naderman
I appreciate gifts from my Amazon wishlist.
naderman.de twitter: @naderman
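An added example (not the mod's code) of the problem behind this question: a keyword blocklist cannot tell a search term from SQL, so it flags ordinary text, while a prepared statement needs no blocklist at all. The keyword list, the posts table and the PDO SQLite store are constructed for this example; which words the mod actually matched is not shown in the thread.

```php
<?php
// Added example, not the mod's code: why blocking requests on SQL keywords, as
// the thread describes, trips on ordinary searches (naderman's "mysql_query"
// question) while a prepared statement makes the keyword irrelevant. The
// keyword list and the posts table are constructed here; which words the mod
// actually matched is not shown in the thread.

const SQL_KEYWORDS = ['union', 'select', 'insert', 'delete', 'drop', 'mysql_'];

// Substring blocklist in the style the thread describes. Any such list either
// misses a variant or flags innocent text; it cannot tell data from code.
function looksLikeInjection(string $input): bool
{
    foreach (SQL_KEYWORDS as $kw) {
        if (stripos($input, $kw) !== false) {
            return true;
        }
    }
    return false;
}

// Search that never interpolates user text into SQL: the term is bound as a
// parameter, so "UNION SELECT" is just characters to look for in post_text.
function searchPosts(PDO $db, string $term): array
{
    $stmt = $db->prepare("SELECT post_id FROM posts WHERE post_text LIKE :pat ESCAPE '\\'");
    // Escape LIKE wildcards too, so the user cannot widen the match either.
    $pat = '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt->execute([':pat' => $pat]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (post_id INTEGER PRIMARY KEY, post_text TEXT)');
$ins = $db->prepare('INSERT INTO posts (post_text) VALUES (?)');
foreach (['Call mysql_query() and check the result',   // legitimate PHP help
          'Family reunion photos',                      // innocent word containing "union"
          'Nothing to see here'] as $text) {
    $ins->execute([$text]);
}

// Two ordinary searches and one that carries the keywords the filter is after.
foreach (['mysql_query', 'reunion', 'UNION SELECT'] as $term) {
    printf("%-14s blocked=%-3s matches=%s\n", $term,
        looksLikeInjection($term) ? 'yes' : 'no', json_encode(searchPosts($db, $term)));
}
```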
da_badtz_one
Registered User
Posts: 376
Joined: Thu Jan 29, 2004 8:25 pm

Post by da_badtz_one »

A suggestion: that if an account is locked up for a certain number of days, it be pruned and erased rather than left in a locked-up state.

Your mod seems promising ;)
aUsTiN-Inc
Registered User
Posts: 929
Joined: Fri Apr 16, 2004 10:31 am
Location: Georgia

Post by aUsTiN-Inc »

da_badtz_one wrote: A suggestion: that if an account is locked up for a certain number of days, it be pruned and erased rather than left in a locked-up state.

Your mod seems promising ;)

The downfall to that is members might start locking other members' accounts so they get pruned. I was going to add a feature where it unlocks after x amount of days, but I can add it so after x amount of days it is pruned, unlocked or left locked.
duke d
Registered User
Posts: 25
Joined: Thu Sep 09, 2004 4:50 pm

Post by duke d »

great mod :D
»»EDDY««
Registered User
Posts: 220
Joined: Mon Jun 02, 2003 10:14 am
Location: Poland/Slupsk

Post by »»EDDY«« »

Yeah, very secure... forum doesn't work.


message_die() was called multiple times. This isn't supposed to happen. Was message_die() used in page_tail.php?
Make a Tiny URL in excellent domain heh.pl
cooling system & water cooling
~ TwiSteD ~
Registered User
Posts: 115
Joined: Sun Jun 27, 2004 4:03 am
Location: here

Post by ~ TwiSteD ~ »

»»EDDY«« wrote: Yeah, very secure... forum doesn't work.

message_die() was called multiple times. This isn't supposed to happen. Was message_die() used in page_tail.php?

It means that by going to an exploit-type URL, you get banned for a certain amount of time, by IP :wink:
aUsTiN-Inc
Registered User
Posts: 929
Joined: Fri Apr 16, 2004 10:31 am
Location: Georgia

Post by aUsTiN-Inc »

New feature

-> Keeps track of everyone who attempts to attack your site. These are stored in
a table so they can be viewed. It tracks what they try to do, what time,
and how many times they tried to do it. You can choose to display these
results if you like.

You can view it by clicking "Protected" in the footer on the demo site. I've installed this on 2 sites with no issues, TwiSteD is installing it now, so I will get a release up ASAP.