|
#54352
08/06/2002 9:08 PM
|
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
|
Okay, please bear with me for a second. I have been giving a lot of thought to security because of some recent events. I no longer post as an admin. My wife and I are moderators and have an admin account safely stashed that never ever logs into the board directly. That affords me a lot of protection but still gives a person that steals my cookie the ability to cause damage.
How difficult would it be to write a hack that allows a second password for each moderator that isn't visible or able to be changed in the user's profile? Every time a moderator wanted to perform a function that required a check for moderator status, a window would pop up that requested the person to enter the second password. This way, even if a moderator's cookie was hijacked, the person couldn't perform moderator functions. This, combined with no admin accounts being used to post with, would provide a lot more security and a better night's sleep for a lot of us.
Any thoughts?
|
|
|
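The second-password check proposed in the post above, sketched as an added example that is not part of the original thread or UBB's own code. It is written in Python rather than UBB's Perl, and the class, its method names, the PBKDF2 iteration count and the lockout threshold are all assumptions. The second password is checked on every moderator action, stored as a salted hash apart from the editable profile, and locked after repeated wrong entries.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5       # assumed lockout threshold
ITERATIONS = 100_000   # assumed PBKDF2 work factor


def derive(secret, salt):
    # Salted, slow hash: the stored value does not reveal the second password.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class SecondPasswordGate:
    """Hypothetical gate: a login cookie alone never authorizes a moderator action."""

    def __init__(self):
        self._store = {}     # moderator -> (salt, hash), kept apart from the profile
        self._failures = {}  # moderator -> consecutive wrong entries

    def enroll(self, moderator, second_password):
        # Called by an admin; no profile form reads or changes this value.
        if not second_password:
            raise ValueError("second password must not be empty")
        salt = os.urandom(16)
        self._store[moderator] = (salt, derive(second_password, salt))
        self._failures[moderator] = 0

    def authorize(self, cookie_user, is_moderator, second_password):
        # cookie_user / is_moderator are what the existing cookie check yields.
        if not is_moderator or cookie_user not in self._store:
            return False
        if self._failures[cookie_user] >= MAX_FAILURES:
            return False  # locked until an admin re-enrolls the moderator
        salt, expected = self._store[cookie_user]
        supplied = derive(second_password or "", salt)
        if hmac.compare_digest(supplied, expected):  # constant-time comparison
            self._failures[cookie_user] = 0
            return True
        self._failures[cookie_user] += 1
        return False


if __name__ == "__main__":
    gate = SecondPasswordGate()
    gate.enroll("mod_a", "constructed-second-password")  # constructed sample value
    print(gate.authorize("mod_a", True, None))                           # cookie only
    print(gate.authorize("mod_a", True, "constructed-second-password"))  # owner
```

The lockout matters because whoever holds a stolen cookie can reach the prompt and would otherwise be free to guess at it.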
#54353
08/07/2002 2:30 AM
|
Joined: May 2001
Posts: 6,708
Member
|
I wanted something like this too, because with the way they got your pass, TheX, it's safe to say other people know this cookie stealing technique. I'd like to see this.
|
|
|
#54354
08/07/2002 9:41 AM
|
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
|
I guess this isn't as important to people that haven't had it happen to them. Haha, seems like a great idea to me.
|
|
|
#54355
08/07/2002 10:33 AM
|
Joined: Dec 2000
Posts: 371
Member
|
I agree with you, TheX, I saw it happen twice on our forum. We were very lucky because the control panel isn't where it should be, so they could only delete topics, which is serious enough though.
I have searched for the method that was used and it seems to be that this is a huge vulnerability. Is there any news from the MD5 encryption method on passwords/cookies yet? Infopop has to give this issue a number one priority.
|
|
|
#54356
08/07/2002 2:14 PM
|
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
|
My hosting company has the MD5 encryption ready for me now, and when I implemented the hack I got a version error from Dynaloader looking for v2.16 and finding v2.20. It should be running sometime today though. I'm sure that Infopop is giving this a high priority. They do have to balance efficiency, load, and ease of installation and portability of UBB as a whole.
That's why I think that the haxxors of the UBB world need to put some of their attention to the short term.
|
|
|