• Welcome to Valhalla Legends Archive.
 

Maybe, just MAYBE

Started by Grok, August 11, 2002, 07:22 AM

Previous topic - Next topic

Grok

Maybe this forum isn't full of security holes like the other we used.

admin

#1
Maybe you could get one of your sharpshooters to try and break it before you make it public knowledge this exists.

Skywing

#2
Well, at least it's not worse than Snitz.. I don't think that's really possible :P

Invert

#3
Why wonder and hope? Use the same forum i use: forum.surkis.com

Here is a link: http://www.webwizguide.info/web_wiz_forums/default.asp?mode=asp

Very nicely programmed by ASP gurus. Oh and the best part is that it's FREE!  :P

iago

#4
I like YaBB :)
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


iago

#5
Actually, there are 2 big security problems with YaBB that should be resolved.

First, the passwords are stored unencrypted in the username.dat file on the server.
"./users/[username].dat" has this format:
[password]
[username]
[email]
etc.

which isn't very good.

The second problem is that when you edit a profile, it looks like this:
<td width="320"><font size=2><b>Choose password: </b></font><BR>
<font size="1">We suggest that you use 6 or more characters with a combination of letters and numbers.</font></td>
<input type="password" maxlength="30" name="passwrd1" size="20" value="password">
<input type="password" maxlength="30" name="passwrd2" size="20" value="password">

The problem being, of course, that if an admin (or somebody who happened to somehow get the admin's password, let's not worry about why) happens to edit somebody else's profile, and click view source, they can find that person's password out.  

Well, that's all I know, and I've read a good part of the source to an older version of YaBB (before Gold).  Good luck! :)
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


iago

#6
*tries to change gender (to something other than male/female), position, and posts

(fails)
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


admin

#7
I don't think that http://forum.valhallalegends.com/cgi-bin/bbs/Members/iago.dat is too much of a problem since this is a very isolated box with only one user account on it.

iago

#8
ok, so the file is fairly safe, but what about the other thing I said?
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


admin

I see what you are saying and it is true that any admin can see your password by viewing the source code of the modify page.

I have always assumed that the admin of any board I post on has access to my password.  It's no big deal to me.  I never use my high security password (abc123).  I don't want anybody to ever figure that one out.  :P

You should always remember that all admins are evil bastards.  Did you ever wonder how, on your profile, "Click me" changed to "Rape me"?  ;D

iago

#10
haha actually, I DID notice that, I laughed.

I'd feel better if the admin didn't have access to the passwords, since if somebody got the admin's password from somewhere (who cares where?) they could get everybody's.  Ah well.. I use a different password for most things anyway, so if somebody got my password for this board they couldn't do anything with it.  

There's an old version of YaBB I hacked (I lost it somehow, I forget where it went) that I hacked that so if(!&is_admin) { #Do password stuff } on both parts (display and change).  I haven't done that yet on this version, but maybe I'll do it and send you the updated parts.  I have a pretty good understanding of how YaBB works because I learned a lot of what I know about perl from reading its source :D
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*