CrackerTracker Professional?

Razarnet
Registered User
Posts: 23
Joined: Fri Aug 05, 2005 1:32 pm

Post by Razarnet »

Hi! Can anyone tell me whether this Cracker Tracker Professional "http://www.cback.de" is a real, working anti-spy addon, or simply some "joke/spyware" which steals admin passwords etc.? Where can I find more security addons for phpBB2?
AnthraX101
Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm

Post by AnthraX101 »

The link for CrackerTracker was removed deliberately because it has at least one ludicrously insecure function. (The auto-updater)

AnthraX101
kid_man
Registered User
Posts: 6
Joined: Tue Nov 08, 2005 1:52 pm

Post by kid_man »

So it's better not to use CrackerTracker Professional?

I found it here: http://www.phpbbhacks.com/download/5681
So? Is that fake?
PCGUY112887
Registered User
Posts: 502
Joined: Thu Apr 01, 2004 12:39 am
Location: Illinois
Contact:

Post by PCGUY112887 »

I've been using it for a while....
kid_man
Registered User
Posts: 6
Joined: Tue Nov 08, 2005 1:52 pm

Post by kid_man »

PCGUY112887 wrote: I've been using it for a while....

and....?
PCGUY112887
Registered User
Posts: 502
Joined: Thu Apr 01, 2004 12:39 am
Location: Illinois
Contact:

Post by PCGUY112887 »

Well, nothing bad has happened. I can see why official phpBB wouldn't trust it because it can update itself, bringing the possibility of something malicious going on, but the whole time I've used it nothing bad has happened.
who_cares
Registered User
Posts: 5106
Joined: Fri Jan 14, 2005 11:04 pm
Location: ATL
Contact:

Post by who_cares »

kid_man wrote: I found it here: http://www.phpbbhacks.com/download/5681

That moves the admin link to the header.
geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land
Contact:

Post by geocator »

Both that MOD and another very used security MOD have serious security risks. DO NOT USE THEM. Seriously, you will get hacked, you will have issues. phpBB is a very secure product, for those of us that are on the slightly paranoid side there are additional steps like htaccess that can be used, but those MODs are worthless.

Before you argue with me, please note that I, several team members, and many community members have looked at these MODs extensively. Those MODs prey on people who just don't know a lot about web security, and want to do whatever they can to increase security. Protecting yourself is not a bad thing, it is very good. But there are much better ways of going about it. Like keeping your board up to date.

In my several years here I have never seen a board hacked that was up to date. In every case of hacking it was due to an out of date board, or a non phpBB exploit being used.
who_cares
Registered User
Posts: 5106
Joined: Fri Jan 14, 2005 11:04 pm
Location: ATL
Contact:

Post by who_cares »

geocator wrote: Both that MOD and another very used security MOD have serious security risks.

what's the other?
geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land
Contact:

Post by geocator »

I would rather not say publicly as I don't want anyone going looking for it.
PCGUY112887
Registered User
Posts: 502
Joined: Thu Apr 01, 2004 12:39 am
Location: Illinois
Contact:

Post by PCGUY112887 »

## 2005-07-25 - Version 3.1.2
## - Change : Some people have not trusted the AutoUpdater so this
## Version is now without the Update functionallity.
SCVirus
Registered User
Posts: 4
Joined: Mon Oct 24, 2005 6:05 am

Post by SCVirus »

geocator wrote: Both that MOD and another very used security MOD have serious security risks. DO NOT USE THEM. Seriously, you will get hacked, you will have issues. phpBB is a very secure product, for those of us that are on the slightly paranoid side there are additional steps like htaccess that can be used, but those MODs are worthless.

Before you argue with me, please note that I, several team members, and many community members have looked at these MODs extensively. Those MODs prey on people who just don't know a lot about web security, and want to do whatever they can to increase security. Protecting yourself is not a bad thing, it is very good. But there are much better ways of going about it. Like keeping your board up to date.

In my several years here I have never seen a board hacked that was up to date. In every case of hacking it was due to an out of date board, or a non phpBB exploit being used.

That's a nice thought, but phpBB gets 0days every couple of months. Since the last version was released a new XSS attack has been found for phpBB and PUBLICLY disclosed, only 9 days after the patch. If you are not using any kind of additional security on your board (this particular mod does claim to be able to block at least the majority of standard XSS exploits, but I can't vouch for its usefulness). Don't tell people to outright avoid security mods.
smithy_dll
Former Team Member
Posts: 7632
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith
Contact:

Post by smithy_dll »

Geocator only said to avoid these MODs because he looked at the source code of them. So did a number of phpBB Team members. Guess what we all found?

We could easily bypass most of the filters, rendering them useless. We also found security holes in one of them. That's right, instead of protecting phpBB, it had security holes in it due to poor coding not up to phpBB coding standards.

What is usually the case is these MODs are created by inexperienced programmers with little experience. You know what they say, a little bit of knowledge is a dangerous thing.
Systems Engineering
NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom
Contact:

Post by NeoThermic »

SCVirus wrote: That's a nice thought, but phpBB gets 0days every couple of months.

Incorrect. The 2.0.18 release wasn't due to an 0day, it was due to the final findings of a security audit combined with bugfixes.

SCVirus wrote: Since the last version was released a new XSS attack has been found for phpBB and PUBLICLY disclosed, only 9 days after the patch.

Ahh, you mean this?
http://www.securityfocus.com/bid/15357/exploit

Let's see:
  1. The fact that usercp_sendpasswd.php is an /includes file, and thus IN_PHPBB will not be defined if called directly.
  2. The exploit code is not setting any variables in the GET string.
  3. Even if you magically set the $username, phpbb_clean_username is run on the $username, making this attack impossible.
  4. All variables in usercp_sendpasswd.php are obtained via POST, not GET.
In other words, this is a bogus report unless you have anything else to say about this 'exploit'?

SCVirus wrote: If you are not using any kind of additional security on your board (this particular mod does claim to be able to block at least the majority of standard XSS exploits, but I can't vouch for its usefulness). Don't tell people to outright avoid security mods.

The problem with security mods in the PHP code layer is that by then it's far, far too late. There's a myriad of ways I can bypass any form of filtering that you do on input from the URL. Even if you block the word 'UNION', I can still go about using that word in the URL in a way that only the SQL server would understand, but the 'security' layer wouldn't.

The best security mods are updates to phpBB and all other software your server runs, pure and simple. There's no better way to keep secure.

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

SCVirus wrote: Since the last version was released a new XSS attack has been found for phpBB and PUBLICLY disclosed, only 9 days after the patch. If you are not using any kind of additional security on your board (this particular mod does claim to be able to block at least the majority of standard XSS exploits, but I can't vouch for its usefulness). Don't tell people to outright avoid security mods.

Guess what... if an attacker has control of a web server somewhere on the internet, this link could be an XSS script attack against Internet Explorer users: "http://somedomain.com/picture.jpg". How do you prevent that, and still allow someone to insert a link of any kind in a message? It certainly looks innocent enough. After all, a JPG couldn't hurt you now, could it?

But, with IE, it can. Not only do you have the bugs in the picture rendering code, you have IE's tendency to accept and act upon any kind of file when it should only accept a picture. The link could actually be to a directory named "picture.jpg", and have a malicious index.php (or other) file in it to send bad things to the user's computer... This is why cross-site scripting exploits work in the first place, and why phpBB can't do much about them, no matter how many times they clamp down on "dangerous" links.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer