How dangerous is it to give Admin rights?

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Lumpy Burgertushie
Registered User
Posts: 66332
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie » Mon May 30, 2005 4:44 am

Well, that is cool: you people have been discussing ways to mess up a board that most people didn't know about. I think it would be a good idea for some of you to come back and delete or edit your posts, just in case.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

bonelifer
Community Team Member
Community Team Member
Posts: 3466
Joined: Wed Oct 27, 2004 11:35 pm
Name: William

Post by bonelifer » Mon May 30, 2005 9:52 am

BiDoU wrote: As well, if a person has the administrator right on your board, he can download the database, and do anything with it, like obtain the md5 encrypted password of all users of your board, and you can guess what can happen after that...

Some people use the same password for a discussion board and a Hotmail account...


Don't give admin rights to someone who can do damage to your board and to the users of your board...

:)


What, he can set up an identical board offline and try to brute force the passwords? Or I guess they could just delete the MD5 in the database, thus removing passwords. Or they could just go to the Management section of Users and enter in a username and change the passwords.

I'm getting the feeling you mean they can reverse the MD5, which is 100% impossible since it is a one-way hash.
Knowledge Base | phpBB Board Rules | Search Customisation Database
Please don't contact me via PM or email for phpBB support .

blobber
Registered User
Posts: 50
Joined: Wed Mar 16, 2005 12:41 pm

Post by blobber » Mon May 30, 2005 11:56 am

bonelifer wrote:
BiDoU wrote: As well, if a person has the administrator right on your board, he can download the database, and do anything with it, like obtain the md5 encrypted password of all users of your board, and you can guess what can happen after that...

Some people use the same password for a discussion board and a Hotmail account...


Don't give admin rights to someone who can do damage to your board and to the users of your board...

:)


What, he can set up an identical board offline and try to brute force the passwords? Or I guess they could just delete the MD5 in the database, thus removing passwords. Or they could just go to the Management section of Users and enter in a username and change the passwords.

I'm getting the feeling you mean they can reverse the MD5, which is 100% impossible since it is a one-way hash.


That's been discussed many times before ... and is neither really correct nor entirely wrong:

Use the search function - however, the point is, you don't need to actually "reverse engineer" the hash; the majority of passwords are likely to be extremely simple and SHORT, hence they are prone to dictionary-based attacks, which come down to simply generating the corresponding hashes for a dictionary and then comparing the resulting hash table against the hashed password that you need to know.

Any password that's not too complex (i.e. max. extended ASCII charset) and not much longer than ~10 bytes can be easily obtained using such an approach.
The catch, however, is that you first need to create the corresponding hash databases; depending on the desired complexity this can take several weeks or even months.

But there are very simple scripts available that allow you to put that data into an SQL table, so that you can use that database once it's been created.

Again: this is NOT a weakness of phpBB - not even of MD5 itself; it's merely a weakness on the user side of things - even though it'd be a good thing if phpBB supported passwords > 32 bytes.

However, as soon as you have admin rights (=> the possibility to run SQL queries) you can simply do anything with the DB and won't have to actually care about any (user) passwords, because everything is stored entirely unencrypted in the DB itself, so you could for example reset the password or clone a user and then reset the password in order to investigate said account.

By the way: I don't think it'd be appropriate to delete ANYTHING in this thread; after all, NOTHING really serious has been discussed so far: anybody who knows a bit about PHP/MySQL or even phpBB would know how to actually do such things anyway ...

So there's no point in censoring such information: security by obscurity doesn't work, after all.
thx,
blobber

bonelifer
Community Team Member
Community Team Member
Posts: 3466
Joined: Wed Oct 27, 2004 11:35 pm
Name: William

Post by bonelifer » Mon May 30, 2005 1:47 pm

There is an account protection hack that allows you to set how many times an incorrect password may be used until the account is locked.
Knowledge Base | phpBB Board Rules | Search Customisation Database
Please don't contact me via PM or email for phpBB support .
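The lockout idea in the post above, as an added illustration (not the hack's own code). The threshold, the lockout window and the names are assumptions; the clock is injectable so the expiry path can be exercised without waiting:

```python
"""Lock an account after N consecutive failed logins, for a cooldown period.
Added example for this thread; threshold and window values are assumed."""
import time


class LoginGuard:
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures          # assumed default
        self.lockout_seconds = lockout_seconds    # assumed default: 15 minutes
        self.clock = clock                        # injectable for testing
        self._failures = {}                       # username -> consecutive failures
        self._locked_until = {}                   # username -> unix time

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: forget the old failure streak.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok):
        """Record one login attempt and return 'locked', 'ok' or 'failed'.
        Call after the password check; a locked account is refused even
        when the password is right, so the lock cannot be probed around."""
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    for ok in (False, False, False, True):
        print(guard.attempt("alice", ok))   # failed, failed, locked, locked
```

The caveat a board admin should keep in mind: a counter keyed only on the username lets anyone lock out an account they do not own by deliberately failing the login, so a temporary lockout with a cooldown (as above) is safer than a permanent one, and failed-attempt logging per source address is a useful companion for spotting that pattern.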
