
Icy Phoenix


Old Patches - Security Hole In Flash Chat



Mighty Gorgon [ Sat 02 Sep, 2006 05:07 ]
Post subject: Security Hole In Flash Chat
Hi All.

Each day I'm discovering new security holes in phpBB mods...

What I discovered today concerns the Flash Chat mod, or any other mod which can allow login to the db without using the standard login.php page (or login_xs.php for XS).

What is the risk?

The risk is really simple: passwords may be brute forced.

So, if you are using a mod which doesn't have security measures against password brute forcing, or whose login form is not secured... then you should choose a complex password for all the board admins.

The risk is high if your password is short and only alphabetic.

Attackers may obtain an admin's password and then access the board with admin privileges.

At the moment I don't know how many mods may be subject to this risk... obviously chat mods are exposed more than other mods...

phpBB XS doesn't contain any chat... even if you will find the chatbox mod in the contrib folder of the next release... use these mods at your own risk... or find a way to secure them against brute force.


Claire [ Sat 02 Sep, 2006 10:14 ]
Post subject: Re: Security Hole In Flash Chat
Thanks a lot for the warning. I am going to have to get FlashChat reinstalled at my forum, if my forum ever gets up and running again.


KugeLSichA [ Sat 02 Sep, 2006 12:59 ]
Post subject: Re: Security Hole In Flash Chat
thx mighty for that news


Lucky [ Sat 02 Sep, 2006 14:24 ]
Post subject: Re: Security Hole In Flash Chat
Is this security issue only for the Flash Chat Mod or also for the ChatBox Mod?

I know that in the contrib directory inside the build 058 package there is the chatbox mod (chatbox_v119g_XS)... can I install this mod or not?


Mighty Gorgon [ Sat 02 Sep, 2006 14:26 ]
Post subject: Re: Security Hole In Flash Chat
Lucky wrote:
Is this security issue only for the Flash Chat Mod or also for the ChatBox Mod?

I know that in the contrib directory inside the build 058 package there is the chatbox mod (chatbox_v119g_XS)... can I install this mod or not?

I haven't checked this yet...

Choose a good password and use it!


zankyw [ Sat 02 Sep, 2006 22:53 ]
Post subject: Re: Security Hole In Flash Chat
Is a password with 16 chars, alphanumerical and with special chars, enough?

(I suppose yes.) But I would like to be sure if I decide to install the Flash-Chat.


Mighty Gorgon [ Sat 02 Sep, 2006 23:02 ]
Post subject: Re: Security Hole In Flash Chat
zankyw wrote:
Is a password with 16 chars, alphanumerical and with special chars, enough?

(I suppose yes.) But I would like to be sure if I decide to install the Flash-Chat.

Yes, but remember that all POWER users should have a complex password... because if a password is found for some power user then the hacker may mess up your forum...


zankyw [ Sat 02 Sep, 2006 23:07 ]
Post subject: Re: Security Hole In Flash Chat
There aren't any other admins in my forum.

Anyway, I'll ask my moderator. Thanks for the tip, MG.


Mighty Gorgon [ Sat 02 Sep, 2006 23:11 ]
Post subject: Re: Security Hole In Flash Chat
You're welcome...

...anyway I would ask the FLASHCHAT developers to take into consideration adding some checks for hacking... something like LOGIN ATTEMPTS COUNTER or similar...
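
The login attempts counter suggested in this thread, sketched as an added example; it is not part of the thread and is not Flash Chat or phpBB code. The names `AttemptCounter` and `check_login`, the threshold and the lockout window are all assumptions, and the point is that every login path (the board's login page and any mod's own form) calls the same check.

```php
<?php
// Added example with hypothetical names; not Flash Chat or phpBB code.
const MAX_FAILURES = 5;   // assumed threshold
const LOCK_SECONDS = 900; // assumed lockout window (15 minutes)

final class AttemptCounter
{
    private array $rows = []; // in-memory stand-in for a DB table keyed by username

    public function isLocked(string $user, int $now): bool
    {
        $r = $this->rows[$user] ?? null;
        return $r !== null && $r['count'] >= MAX_FAILURES && $now - $r['last'] < LOCK_SECONDS;
    }

    public function recordFailure(string $user, int $now): void
    {
        $r = $this->rows[$user] ?? ['count' => 0, 'last' => $now];
        if ($now - $r['last'] >= LOCK_SECONDS) {
            $r['count'] = 0; // previous failures are too old to count
        }
        $this->rows[$user] = ['count' => $r['count'] + 1, 'last' => $now];
    }

    public function reset(string $user): void { unset($this->rows[$user]); }
}

// The one credential check that the board login and any mod's login form would both call.
function check_login(AttemptCounter $c, array $hashes, string $name, string $pass, int $now): string
{
    $user = strtolower($name);
    if ($c->isLocked($user, $now)) {
        return 'locked'; // rejected before the password is even compared
    }
    if (isset($hashes[$user]) && password_verify($pass, $hashes[$user])) {
        $c->reset($user);
        return 'ok';
    }
    $c->recordFailure($user, $now);
    return 'denied';
}

// Constructed demo: six wrong guesses, then the right password during and after the lock.
$hashes = ['admin' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
$c = new AttemptCounter();
for ($i = 1; $i <= 6; $i++) {
    echo "guess $i: ", check_login($c, $hashes, 'admin', "wrong$i", 1000 + $i), "\n";
}
echo 'right password, still locked: ', check_login($c, $hashes, 'Admin', 'correct horse battery', 1060), "\n";
echo 'right password, after window: ', check_login($c, $hashes, 'admin', 'correct horse battery', 1006 + LOCK_SECONDS), "\n";
```

A per-account counter like this also lets anyone lock an admin out by guessing wrongly on purpose, so it is usually paired with per-IP throttling.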



