lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <44740eb60607191306h60db403r6612887d4efda2b6@mail.gmail.com>
Date: Wed, 19 Jul 2006 21:06:14 +0100
From: "Jessica Hope" <jessicasaulhope@...glemail.com>
To: bugtraq@...urityfocus.com
Subject: Re: XSS phpBB 2.0.21 in administration

> Because admin accounts are attacked religiously.  Hashes for most common
> passwords up to 8 chars can easily (within hours) be cracked and known.
> Once someone can uncover an admin password all bets are off.
>

If someone is able to obtain the hashes, bets were off a long time
ago, no? As for attacking the password, unless I'm mistaken, phpBB
will lock login attempts to an account under attack after 3 failures.
The duration of the lockout is 30 mins (default configuration). Thus
Brute force isn't an option.


> Regardless of whether an admin, user or guest is logged in XSS should not be
> exploitable.
>
> But you'll say...many packages 'allow' admins to perform XSS.  Bad software.

No, I'll say that I'll agree, XSS attacks should not be exploitable,
but I'll add to that. By normal users. These attacks require you to be
admin. Once you *are* admin, there is little point playing about with
XSS, as you've already done something better than that to obtain
admin, and you now have full control over the forum, its database, and
possibly the server (if we extend the assumption that the DBMS has
incorrect permissions, etc).

>
> If that is the case, then yes.   Rather than state shock, I would simply
> delete the code.
> I think however you are confusing CST with XSS.

>
> > Here's a little secret, database restore options on any forum
> > package out there allows you to execute any SQL you wish! You
> > just need to be an admin to do it.
>
> Yes, your correct.  Poorly implemented functions and features added to web
> applications without proper security is quite pathetic as many packages are
> guilty.  But you are right, we cannot force you to use more secure products.

I think the real question comes to the point that with web
applications (and forums), what is the most secure product? Any you
name will have either a history of problems, or will have a future of
problems, possibly compounded by the code of said application (look at
the report I did on DeluxeBB for example, it has some code to emulate
register globals being on...)

In my opinion, the most secure forum software would have to be phpBB
due to two factors.

The first and foremost is the speed at which critical problems are
fixed. Both highlight and authentication bypass exploits of old were
fixed very quickly (~24 hours from point of report to patch). If we
look at IPB for exampled (picked from the last few e-mails here), the
original exploit for their SQL injection problems is noted as
08/06/06, or about 31 days ago. The fix? just six days ago.

The second reason is the clear points at which to report security
related problems (both the download page and the support page list
their security tracker, and you can also e-mail them,
security@...bb.com ). When I went to report to SMF the IP spoofing
exploit (the trust of X-Forwarded-For... *sigh*), there was no clear
point at which one could report security problems. To give them their
due, when I pointed this out to them, they added a place to report
them, but it doesn't bode to well for the image of the security of the
software.

I guess what I'm trying to say is that when it comes to forum
software, phpBB is the best in terms of security when you look at the
cost and its outreach.

> > Pointless.
>
> We'll remember that comment when your site is affected.
>

I'm not sure about you, but I don't plan to let myself become a victim
of some script kiddy attack...

Jessica

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ