Maybe, just MAYBE

Grok · August 11, 2002, 07:22 AM

Maybe this forum isn't full of security holes like the other we used.

admin · August 13, 2002, 11:43 AM

Maybe you could get one of your sharpshooters to try and break it before you make it public knowledge this exists.

Skywing · August 19, 2002, 08:04 PM

Well, at least it's not worse than Snitz.. I don't think that's really possible :P

Invert · August 22, 2002, 06:07 PM

Why wonder and hope? Use the same forum i use: forum.surkis.com

Here is a link: http://www.webwizguide.info/web_wiz_forums/default.asp?mode=asp

Very nicely programmed by ASP gurus. Oh and the best part is that it's FREE!

iago · August 24, 2002, 09:54 AM

I like YaBB

iago · August 24, 2002, 10:08 AM

Actually, there are 2 big security problems with YaBB that should be resolved.

First, the passwords are stored unencrypted in the username.dat file on the server.
"./users/[username].dat" has this format:
[password]
[username]
[email]
etc.

which isn't very good.

The second problem is that when you edit a profile, it looks like this:

Code Select

<td width="320"><font size=2><b>Choose password: </b></font><BR>
<font size="1">We suggest that you use 6 or more characters with a combination of letters and numbers.</font></td>
<input type="password" maxlength="30" name="passwrd1" size="20" value="password">
<input type="password" maxlength="30" name="passwrd2" size="20" value="password">

The problem being, of course, that if an admin (or somebody who happened to somehow get the admin's password, let's not worry about why) happens to edit somebody else's profile, and click view source, they can find that person's password out.

Well, that's all I know, and I've read a good part of the source to an older version of YaBB (before Gold). Good luck!

iago · August 24, 2002, 10:29 AM

*tries to change gender (to something other than male/female), position, and posts

(fails)

admin · August 24, 2002, 06:23 PM

I don't think that http://forum.valhallalegends.com/cgi-bin/bbs/Members/iago.dat is too much of a problem since this is a very isolated box with only one user account on it.

iago · August 24, 2002, 10:06 PM

ok, so the file is fairly safe, but what about the other thing I said?

admin · August 25, 2002, 12:57 PM

I see what you are saying and it is true that any admin can see your password by viewing the source code of the modify page.

I have always assumed that the admin of any board I post on has access to my password. It's no big deal to me. I never use my high security password (abc123). I don't want anybody to ever figure that one out.

You should always remember that all admins are evil bastards. Did you ever wonder how, on your profile, "Click me" changed to "Rape me"?

iago · August 25, 2002, 05:14 PM

haha actually, I DID notice that, I laughed.

I'd feel better if the admin didn't have access to the passwords, since if somebody got the admin's password from somewhere (who cares where?) they could get everybody's. Ah well.. I use a different password for most things anyway, so if somebody got my password for this board they couldn't do anything with it.

There's an old version of YaBB I hacked (I lost it somehow, I forget where it went) that I hacked that so if(!&is_admin) { #Do password stuff } on both parts (display and change). I haven't done that yet on this version, but maybe I'll do it and send you the updated parts. I have a pretty good understanding of how YaBB works because I learned a lot of what I know about perl from reading its source