John connor wrote: Mon Jun 11, 2018 9:42 pm
I guess you don't watch or read the news.
" Hacker group steals 15 million user accounts."
" A vulnerability has allowed a hacker to gain access to such and such database."
or the future post of: "HELP! I've had my database stolen!"
And how many of those issues were related to phpBB? None? That is my point.
I was just picking at you about paranoid. no offense meant.
Just because you are paranoid doesn't mean they are not out to get ya.
robert
It is true that I'm paranoid, but a little paranoia is a good thing in terms of making sure you are not owned. I said I use 2FA for everything I can, but that doesn't include phpBB. I'd hate to find out my domain account was hacked or my CloudFlare account, etc.
tojag wrote: Mon Jun 11, 2018 7:11 pm
If I remember correctly, a few years ago the phpBB site was hacked, what was the reason?
Lack of mod_security from what I read on the hacker's blog.
This is incorrect. It is true that access was obtained to the database. However, it had nothing to do with any security vulnerability in phpBB.
Didn't say it was a vulnerability with the software itself. I read an excerpt of the hacker's blog about how he did it and he pointed out something about mod_security. That's a server issue.
John Connor, you are not paranoid, you are a responsible man.
Ignoring security leads to data leakage sooner or later.
No one has to break phpBB security; it's enough that a trojan steals the password from the admin computer or something else happens. 2FA in this case secures access, because the hacker does not have access to the additional code generator, for example a phone with Google Authenticator.
If double authentication were not good, nobody would introduce it. Currently most financial services have it, including cards (3-D Secure), but IT solutions are also going in this direction, and as I wrote, in principle my entire hosting system is secured at every login with an additional code from the phone, except phpBB.
Why in core? Because it ensures that the solution will be compatible and supported by the Team. Extensions are OK, but sometimes the author stops making new versions and then all users have a problem, which we have experienced many times.
"The good news is hell is just the product of a morbid human imagination.
The bad news is, whatever humans can imagine, they can usually create." - Harmony Cobel
John connor wrote: Tue Jun 12, 2018 9:46 pm
Didn't say it was a vulnerability with the software itself. I read an excerpt of the hacker's blog about how he did it and he pointed out something about mod_security. That's a server issue.
Had nothing to do with mod_security, either.
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
John connor wrote: Tue Jun 12, 2018 9:46 pm
Didn't say it was a vulnerability with the software itself. I read an excerpt of the hacker's blog about how he did it and he pointed out something about mod_security. That's a server issue.
Had nothing to do with mod_security, either.
I know what I read. From what I remember the hacker mentioned he was able to alter some server files due to lack of mod_security.
How are you even sure that was the actual hacker? Why would you believe anything a hacker says? Why would someone that hacked phpbb.com admit it in the open and leave themselves open to prosecution?
I think I would believe the staff at phpbb quicker than some anonymous person online that claims to have been the hacker and claims to know how it was done.
You would be surprised at how many blogs and websites I have read where the hacker talked about how they pulled it all off. In fact, I have followed a Twitter user on hacking and they linked a blog post by a hacker who talked about how he recently took down or defaced an Indian sports website. There are many ways to mask your presence on the Internet. Don't ever forget that.
John connor wrote: Tue Jun 12, 2018 9:46 pm
Didn't say it was a vulnerability with the software itself. I read an excerpt of the hacker's blog about how he did it and he pointed out something about mod_security. That's a server issue.
Had nothing to do with mod_security, either.
I know what I read. From what I remember the hacker mentioned he was able to alter some server files due to lack of mod_security.
How old of a phpBB version?
I am a web developer/administrator, specializing in forums. If you have work you need done or are too lazy to do, pm me!
This was posted in Sep 2013 about that, which explains it all.
The vulnerability used in the attack on PHPlist was actually a zero-day vulnerability that had no patch available until two weeks after the initial attack. As you mention though, a WAF like ModSecurity would have most likely caught this.
Just wondering what all of this has to do with this topic though.
I like 2FA, I don't know about in 3.3 but I'd like to see it. Why not? Users like being able to protect themselves against their own mistakes.
I guess Ajaxifying user interaction as reasonably as possible would be another good thing. Quick replies, editing posts, chat-like PMs...
A third thing? I don't really know. Things I really do need would be best served as extensions at this point, or just more ajax suggestions.
Oh! I know, this is a good one. How about having the extension DB tied into the ACP like WordPress has their extensions, including one-click (or two-click: installation and activation) installs?
Is there an extension that makes a pop up login box? Would be great for mobile especially.
Something I've been thinking about is how a lot of people who use base phpBB don't know about extensions or don't think they can provide what they can. They can change your forum so much it's ridiculous. I don't have any solutions to this, but it is something I've been thinking about...
To be honest a branch number/version doesn't matter... those things that I want to see are already in development or in a starting/thought stage: wrapping front controllers by HttpKernel, new module system & new theme. About +1 or something similar, it should be option based and turned off by default. 2FA is a good thing, but as mentioned some time ago, I think it was in the ideas forum, if it is needed, then only to access the ACP, so again it's option/opinion based.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!