UBB.Developers Forums UBB.threads 7 Development How Do I? Security bug fixes, take two:

I started with UBBThreads a few years ago, with a then new forum hosted on a cheapo server.

We had a "competitor" who hacked us the day he opened his own forum, and pretty much killed our forum. (We didn't consider him a "competitor", and had no ill feelings toward him, but he apparently thought so of us...)

As the resident IT guy, I insisted on being allowed to move the forum to Infopop's server, where it was more secure. Infopop's techs then did a tremendous job of resurrecting what should have been pretty much unressurectable, and we got our forum back, a few weeks later.

Now, the owners want to move servers again.

Again, because of cost.

To be honest, seeing the deal they have gotten on the new server, and adding to that, their current and future needs... I can't say that I can blame the owners.

What they really need would cost thousands at Infopop, and they simply do not have that kind of money.

So the bottom line is this... I am curious about what I can do in the move... What I can do on the new server... What I can do in any other way at all, to make our forum as secure as possible ???

We are currently running version 6.5.5

Thank you.

Threads V6.5.5 has closed all known holes. I see no more announces on the bug track sites (do you know holes for 6.5.5?)

The main thing is turn of register globals in your server envoiroment. This is the main break in point. With this off most problems are gone.

Be carefull with add ons. Most hacks seems to be unsafe and can be open a new hole.

Thank you Zarzal.

No, I don't know of any holes, myself. That was why I was asking.



I followed the instructions for turning off register globals, but I am not sure it worked.

Nothing has been written to the file since I did that.

I suppose that could simply be because no one has tried anything against my forum, though. LOL

Good point about the add-ons. Better stay away from that ThreadsDev place, right ?



LOL

I think this is a good point to notify all people to take more care. A add-on Hack is done in V6.x very fast and simple, but most times no one check any side effects to the security.

My Threads V6.5x was hacked 3 times in May, all over holes in conjunction with register globals. My server dont let me switch this off and using of htaccess for this was not possible with a Zeus Server.

The easy way on Apache is using the htaccess to switch of register globals.