Date: Wed, 19 Jul 2006 21:06:14 +0100
From: "Jessica Hope" <jessicasaulhope@...glemail.com>
To: bugtraq@...urityfocus.com
Subject: Re: XSS phpBB 2.0.21 in administration

> Because admin accounts are attacked religiously.  Hashes for most common
> passwords up to 8 chars can easily (within hours) be cracked and known.
> Once someone can uncover an admin password all bets are off.
>

If someone is able to obtain the hashes, bets were off a long time
ago, no? As for attacking the password, unless I'm mistaken, phpBB
will lock login attempts to an account under attack after 3 failures.
The duration of the lockout is 30 mins (default configuration). Thus
brute force isn't an option.


> Regardless of whether an admin, user or guest is logged in XSS should not be
> exploitable.
>
> But you'll say...many packages 'allow' admins to perform XSS.  Bad software.

No, I'll say that I'll agree, XSS attacks should not be exploitable,
but I'll add to that. By normal users. These attacks require you to be
admin. Once you *are* admin, there is little point playing about with
XSS, as you've already done something better than that to obtain
admin, and you now have full control over the forum, its database, and
possibly the server (if we extend the assumption that the DBMS has
incorrect permissions, etc).

>
> If that is the case, then yes.   Rather than state shock, I would simply
> delete the code.
> I think however you are confusing CST with XSS.

>
> > Here's a little secret, database restore options on any forum
> > package out there allows you to execute any SQL you wish! You
> > just need to be an admin to do it.
>
> Yes, you're correct.  Poorly implemented functions and features added to web
> applications without proper security is quite pathetic as many packages are
> guilty.  But you are right, we cannot force you to use more secure products.

I think the real question comes to the point that with web
applications (and forums), what is the most secure product? Any you
name will have either a history of problems, or will have a future of
problems, possibly compounded by the code of said application (look at
the report I did on DeluxeBB for example, it has some code to emulate
register globals being on...)

In my opinion, the most secure forum software would have to be phpBB
due to two factors.

The first and foremost is the speed at which critical problems are
fixed. Both highlight and authentication bypass exploits of old were
fixed very quickly (~24 hours from point of report to patch). If we
look at IPB for example (picked from the last few e-mails here), the
original exploit for their SQL injection problems is noted as
08/06/06, or about 31 days ago. The fix? Just six days ago.

The second reason is the clear points at which to report security
related problems (both the download page and the support page list
their security tracker, and you can also e-mail them,
security@...bb.com ). When I went to report to SMF the IP spoofing
exploit (the trust of X-Forwarded-For... *sigh*), there was no clear
point at which one could report security problems. To give them their
due, when I pointed this out to them, they added a place to report
them, but it doesn't bode too well for the image of the security of the
software.

I guess what I'm trying to say is that when it comes to forum
software, phpBB is the best in terms of security when you look at the
cost and its outreach.

> > Pointless.
>
> We'll remember that comment when your site is affected.
>

I'm not sure about you, but I don't plan to let myself become a victim
of some script kiddy attack...

Jessica
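Two defensive mechanisms come up in the message above: a per-account login lockout (three failures, 30 minutes) and the danger of trusting the X-Forwarded-For header when deciding which IP a request came from. The following is an added illustration written for this archive page; it is not code from phpBB, SMF or anyone in the thread. The trusted-proxy range (10.0.0.0/8), the header-walking logic, the in-memory throttle and the helper names are all assumptions chosen for the example; the 3-failure / 30-minute figures are the ones the message quotes as phpBB's default.

```python
"""Added example (not phpBB/SMF code): resolving the client IP safely behind a
reverse proxy, and a per-account login throttle.

Honouring X-Forwarded-For from any source lets a client pick the address an
application logs, bans or rate-limits, so any IP-keyed control can be evaded by
editing one header. Only hops appended by proxies we operate are trustworthy.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed: the address range our own reverse proxies connect from.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# Figures the thread cites as phpBB's default lockout policy.
LOCKOUT_THRESHOLD = 3
LOCKOUT_SECONDS = 30 * 60


def _is_trusted(addr, trusted):
    try:
        return any(ip_address(addr) in net for net in trusted)
    except ValueError:
        return False


def client_ip_naive(remote_addr, headers):
    """Vulnerable pattern: believe the first X-Forwarded-For entry, whoever wrote it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For right to left, skipping hops that are our own proxies.

    The rightmost address that is not one of our proxies is the peer our proxy
    actually talked to. Anything further left was supplied by untrusted parties
    and is ignored. If the TCP peer itself is not a trusted proxy, the header is
    entirely client-controlled and the socket address is the only evidence.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            break  # malformed hop: stop trusting anything to its left
        if not any(addr in net for net in trusted):
            return hop
    return remote_addr


@dataclass
class LoginThrottle:
    """Per-account failure counter: keyed on the username, not on the client IP,
    so a forged X-Forwarded-For cannot reset or dodge the lockout."""
    failures: dict = field(default_factory=dict)  # username -> (count, last_failure_ts)

    def is_locked(self, username, now):
        count, last = self.failures.get(username, (0, 0.0))
        if count < LOCKOUT_THRESHOLD:
            return False
        if now - last < LOCKOUT_SECONDS:
            return True
        self.failures.pop(username, None)  # lockout window has expired
        return False

    def record_failure(self, username, now):
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, now)

    def record_success(self, username):
        self.failures.pop(username, None)


def attempt_login(throttle, username, password_ok, now):
    """Returns 'locked', 'ok' or 'failed'. Locked accounts are refused before the
    password is even checked, and a refused attempt does not extend the window."""
    if throttle.is_locked(username, now):
        return "locked"
    if password_ok:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "failed"


if __name__ == "__main__":
    # Constructed request: a direct client claiming, via the header, to be someone else.
    hdrs = {"X-Forwarded-For": "198.51.100.9"}
    print("naive   :", client_ip_naive("203.0.113.5", hdrs))     # 198.51.100.9 (forged)
    print("hardened:", client_ip_hardened("203.0.113.5", hdrs))  # 203.0.113.5 (real peer)
```

The point of the hardened resolver is that the header is only consulted when the TCP peer is a proxy we control, and even then only the hop that proxy appended is believed. The throttle is deliberately keyed on the account rather than the address for the same reason: an IP-keyed lockout is only as strong as the IP resolution feeding it.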
