Icy Phoenix

     
 


Security Hole In Flash Chat
 
Hi All.

Each day I'm discovering new security holes in phpBB mods...

What I discovered today concerns the Flash Chat mod or any other mod which allows login to the db without using the standard login.php page (or login_xs.php for XS).

What is the risk?

The risk is really simple: passwords may be brute forced.

So, if you are using a mod which doesn't have security measures against password brute force, or which has an unsecured login form... then you should choose a complex password for all the board admins.

The risk is high if your password is short and only alphabetic.

Attackers may obtain an admin's password and then access the board with admin privileges.

At the moment I don't know how many mods may be subject to this risk... obviously chat mods are exposed more than other mods...

phpBB XS doesn't contain any chat... even if you will find chatbox mod in contrib folder of next release... use these mods at your own risk... or find a way to secure them against brute force.
 




____________
Luca
SEARCH is the quickest way to get support.
Icy Phoenix ColorizeIt - CustomIcy - HON
 
Mighty Gorgon

Re: Security Hole In Flash Chat
 
Thanks a lot for the warning. I am going to have to get FlashChat reinstalled at my forum, if my forum ever gets up and running again.
 




____________
No site anymore
 
Claire

Re: Security Hole In Flash Chat
 
thx mighty for that news  
 




____________

Play Games at GamesCampus!
 
KugeLSichA

Re: Security Hole In Flash Chat
 
This security issue is only for Flash Chat Mod or also for ChatBox Mod ?

I know that in contrib directory inside the build 058 package there is chatbox mod (chatbox_v119g_XS) .. can I install this mod or not ?
 



 
Lucky

Re: Security Hole In Flash Chat

Lucky wrote:
This security issue is only for Flash Chat Mod or also for ChatBox Mod ?

I know that in contrib directory inside the build 058 package there is chatbox mod (chatbox_v119g_XS) .. can I install this mod or not ?

I haven't checked this yet...

Choose a good password and use it!
 




Mighty Gorgon

Re: Security Hole In Flash Chat
 
a password with 16 chars and alphanumerical and special chars is enough?

(I suppose yes) But I would like to be sure if I decide to install the Flash-Chat
 




____________
www.LphantES.com
 
zankyw

Re: Security Hole In Flash Chat

zankyw wrote:
a password with 16 chars and alphanumerical and special chars is enough?

(I suppose yes) But I would like to be sure if I decide to install the Flash-Chat

Yes, but remember that all POWER users should have a complex password... because if a password is found for some power user then the hacker may mess up your forum...
 




Mighty Gorgon

Re: Security Hole In Flash Chat
 
There aren't any other admins in my forum.

Anyway, I'll ask my moderator. Thanks for the tip, MG
 




zankyw

Re: Security Hole In Flash Chat
 
You're welcome...

...anyway I would ask the FLASHCHAT developers to take into consideration adding some checks for hacking... something like LOGIN ATTEMPTS COUNTER or similar...
 




Mighty Gorgon
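
The login attempts counter suggested in the last post, sketched in PHP as an added example (not part of the thread, and not phpBB or FlashChat code). The function names, the threshold of 5 failures and the 900-second window are assumptions; the point is that every login entry point, including a chat mod's own form, goes through the same check.

```php
<?php
// Added example with hypothetical names; not phpBB or FlashChat code.
const MAX_FAILURES   = 5;    // assumed threshold
const WINDOW_SECONDS = 900;  // assumed window; older failures are ignored

/** Counter keys: one per account name, one per client address. */
function throttleKeys(string $user, string $ip): array
{
    return ['user:' . strtolower($user), 'ip:' . $ip];
}

/** $failures maps key => list of failure timestamps (a DB table on a real board). */
function isLocked(array $failures, string $user, string $ip, int $now): bool
{
    foreach (throttleKeys($user, $ip) as $key) {
        $recent = array_filter($failures[$key] ?? [], fn(int $t) => $t > $now - WINDOW_SECONDS);
        if (count($recent) >= MAX_FAILURES) {
            return true;
        }
    }
    return false;
}

/** Every login form (board page, chat mod, ...) calls this one function. */
function attemptLogin(array &$failures, array $hashes, string $user, string $pass, string $ip, int $now): string
{
    if (isLocked($failures, $user, $ip, $now)) {
        return 'locked'; // refused before the password is checked
    }
    $hash = $hashes[strtolower($user)] ?? null;
    if ($hash !== null && password_verify($pass, $hash)) {
        return 'ok';
    }
    foreach (throttleKeys($user, $ip) as $key) {
        $failures[$key][] = $now; // count the failure against both keys
    }
    return 'denied';
}

// Constructed sample: five wrong guesses, then the right password, same address.
$failures = [];
$hashes = ['admin' => password_hash('correct horse 42!', PASSWORD_DEFAULT)];
foreach (['aaaa', 'aaab', 'aaac', 'aaad', 'aaae', 'correct horse 42!'] as $i => $guess) {
    echo $guess, ' => ', attemptLogin($failures, $hashes, 'admin', $guess, '192.0.2.10', 1000 + $i), PHP_EOL;
}
```

Counting per account as well as per address means guesses spread over many addresses still hit the limit, at the cost that repeated failures can temporarily lock the real owner out until the window expires.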