How about the possibility of a CSRF attack because of the use of $_GET for handling session IDs when locking a topic as a moderator or admin? From what I've been told, if you were to check the referrer of a picture located in the locked thread, it would contain the user's session ID, which could then be used for an attack. I actually haven't looked into the legitimacy of this claim, as I haven't used phpBB2 code in quite some time, but if the ID is truly handled using $_GET in that instance, then it would only make sense.
iWisdom wrote: In all honesty, I would be very surprised if a security vulnerability is not found in phpBB 2.0.23 in the not-so-distant future. Although there are no known vulnerabilities, hackers know that there are still many, many phpBB2 boards, and as of 1 February it will be open season. Plenty of incentive.
Yes, it's possible to get an administrator's SID from the referrer. The same can be done with phpBB3 or any other software that allows remote image posting. You don't even need an image. Just post a link and have the admin click it from the board.
Daniel Exe wrote: How about the possibility of a CSRF attack because of the use of $_GET for handling session IDs when locking a topic as a moderator or admin? From what I've been told, if you were to check the referrer of a picture located in the locked thread, it would contain the user's session ID, which could then be used for an attack. I actually haven't looked into the legitimacy of this claim, as I haven't used phpBB2 code in quite some time, but if the ID is truly handled using $_GET in that instance, then it would only make sense.
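The leak described in the two posts above, as an added example that is not part of the original thread or of phpBB's code: it models which third-party hosts learn a URL-borne session ID from the Referer header under three Referrer-Policy values, and shows that removing the ID from the URL closes the leak. The parameter name `sid`, the hosts and the URLs are assumptions constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SID_PARAM = "sid"  # assumption: query parameter that carries the session id
POLICIES = ("no-referrer", "no-referrer-when-downgrade",
            "strict-origin-when-cross-origin")
# Constructed sample data, not taken from a real board.
PAGE = "http://board.example/topic?t=42&sid=0123456789abcdef0123456789abcdef"
RESOURCES = ["http://img.example.net/pic.png", "http://board.example/style.css"]


def referer_sent(page_url, target_url, policy):
    """Referer a browser sends when page_url loads or links to target_url."""
    if policy not in POLICIES:
        raise ValueError(f"policy not modelled: {policy}")
    page, target = urlsplit(page_url), urlsplit(target_url)
    # The fragment is never part of a Referer; the query string is.
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    downgrade = page.scheme == "https" and target.scheme != "https"
    if policy == "no-referrer" or downgrade:
        return None
    if policy == "no-referrer-when-downgrade":  # long-time browser default
        return full
    # strict-origin-when-cross-origin: full URL only to the same origin
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    return full if same_origin else f"{page.scheme}://{page.netloc}/"


def leaked_sids(page_url, resource_urls, policy):
    """Map each third-party host to the session id it would see in Referer."""
    own_host, leaks = urlsplit(page_url).netloc, {}
    for res in resource_urls:
        host = urlsplit(res).netloc
        ref = referer_sent(page_url, res, policy)
        if ref is None or host == own_host:
            continue
        sid = dict(parse_qsl(urlsplit(ref).query)).get(SID_PARAM)
        if sid:
            leaks[host] = sid
    return leaks


def strip_sid(url):
    """Mitigation: keep the session id out of the URL (cookie-only session)."""
    p = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
             if k != SID_PARAM]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query), p.fragment))
```

Origins are compared by scheme and host:port as written, without default-port normalisation.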
Unnecessary if you've got no vulnerable MODs, that is. Some people go around installing all these unapproved MODs and, guess what? They're unapproved because they've got security errors in them. So, for some people a "Security MOD" could provide some help. For others, nope, you are completely correct; they are useless.
iWisdom wrote: Such a MOD usually does nothing but introduce further vulnerabilities into your board. They're completely unnecessary.
I agree with you to an extent (that is, after all, the point of these security mods), but I and others have found security holes in some of these security mods. Many of them very, very serious. That's why iWisdom said it is better to not use these security mods.
Dog Cow wrote: Unnecessary if you've got no vulnerable MODs, that is. Some people go around installing all these unapproved MODs and, guess what? They're unapproved because they've got security errors in them. So, for some people a "Security MOD" could provide some help. For others, nope, you are completely correct; they are useless.
iWisdom wrote: Such a MOD usually does nothing but introduce further vulnerabilities into your board. They're completely unnecessary.
Stefan Esser wrote: mod_security might be good to stop known worms.
A skilled attacker will however be able to get his payload through mod_security without triggering the rules.
Oh yes, I have looked into Austin's security mod and other mods he has written. There are security holes (yes, plural, and in just one mod) that I know of in at least one of his mods that haven't been reported yet (will I report it? Nope.), and even if that mod and the security mod are installed, you can still beat his "security" and exploit it.
Marshalrusty wrote: Micheal and I identified a major vulnerability in one of these "security MODs" (I won't say which one) that was more serious than anything it could have hoped to protect against.
Simply those MODs (assuming we can name them that way) are doing nothing, absolutely nothing.
Dogs and things wrote: When it comes to security, as far as I can tell from my server's error logs, Mod_security is stopping a considerable amount of hacking attempts dead in their tracks. I feel pretty secure and comfortable with it.
mod_security isn't a phpBB MOD, but an Apache MODule. You need to install it at server level, and it can detect attacks at certain ranges, as long as you use the correct rules.
3Di wrote: Simply those MODs (assuming we can name them that way) are doing nothing, absolutely nothing.
Dogs and things wrote: When it comes to security, as far as I can tell from my server's error logs, Mod_security is stopping a considerable amount of hacking attempts dead in their tracks. I feel pretty secure and comfortable with it.
My statement here belongs to an accurate code review that others and I did some years ago.
http://www.phpbb.com/community/viewtopi ... 7&t=527674