Hi All.
Each day I'm discovering new security holes in phpBB mods... :roll:
What I discovered today regards Flash Chat mod or any other mod which can allow login to db by not using the standard login.php page (or login_xs.php for XS).
What is the risk?
The risk is really simple: passwords may be brute forced.
So, if you are using a mod which doesn't have security measures against passwords brute force or not secured login form... then you should choose a complex password for all the board admins.
The risk is high if your password is short and only alphabetic.
Attackers may obtain an admin's password and then access the board with admin privileges.
At the moment I don't know how many mods may be subject to this risk... obviously chat mods are exposed more than other mods... :wink:
phpBB XS doesn't contain any chat... even if you will find chatbox mod in contrib folder of next release... use these mods at your own risk... or find a way to secure them against brute force. :roll:
Security Hole In Flash Chat
Subject: Re: Security Hole In Flash Chat
Thanks a lot for the warning. I am going to have to get FlashChat reinstalled at my forum, if my forum ever gets up and running again.
Subject: Re: Security Hole In Flash Chat
Is this security issue only for the Flash Chat Mod or also for the ChatBox Mod?
I know that in the contrib directory inside the build 058 package there is a chatbox mod (chatbox_v119g_XS)... can I install this mod or not?
Subject: Re: Security Hole In Flash Chat
I haven't checked this yet... :wink:
Choose a good password and use it! :lol_flag:
Subject: Re: Security Hole In Flash Chat
Is a password with 16 chars and alphanumerical and special chars enough? :mryellow:
(I suppose yes) :doc: But I would like to be sure if I decide to install the Flash-Chat.
Subject: Re: Security Hole In Flash Chat
Yes, but remember that all POWER users should have a complex password... because if a password is found for some power user then the hacker may mess up your forum... :wink:
Subject: Re: Security Hole In Flash Chat
There aren't any other admins in my forum. :roll:
Anyway, I'll ask my moderator. Thanks for the tip MG ;)
Subject: Re: Security Hole In Flash Chat
You're welcome...
...anyway I would ask the FLASHCHAT developers to take into consideration adding some checks for hacking... something like a LOGIN ATTEMPTS COUNTER or similar... :wink:
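The login attempts counter suggested in the last post, sketched as an added example (not code from phpBB, Icy Phoenix or FlashChat): one shared check that every login path, the board form and a chat mod alike, calls before verifying a password. The table name, function names, threshold and window are assumptions.

```php
<?php
// Added example, not phpBB/FlashChat code; table and function names are hypothetical.
const MAX_FAILURES = 5;      // assumed threshold
const WINDOW_SECONDS = 900;  // assumed 15-minute window

function throttle_init(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS login_failures (username TEXT NOT NULL, failed_at INTEGER NOT NULL)');
}

// True when the account has reached the failure limit inside the window.
function is_locked(PDO $db, string $username, int $now): bool {
    $q = $db->prepare('SELECT COUNT(*) FROM login_failures WHERE username = ? AND failed_at > ?');
    $q->execute([strtolower($username), $now - WINDOW_SECONDS]);
    return (int) $q->fetchColumn() >= MAX_FAILURES;
}

// Single choke point: every login entry point calls this instead of checking
// the password itself. $verify is that entry point's existing password check.
function guarded_login(PDO $db, string $username, string $password, callable $verify, ?int $now = null): string {
    $now = $now ?? time();
    $user = strtolower($username);   // count "Admin" and "admin" as one account
    if (is_locked($db, $user, $now)) {
        return 'locked';             // refuse before the password is even checked
    }
    if ($verify($user, $password)) {
        $db->prepare('DELETE FROM login_failures WHERE username = ?')->execute([$user]);
        return 'ok';
    }
    $db->prepare('INSERT INTO login_failures (username, failed_at) VALUES (?, ?)')->execute([$user, $now]);
    return 'failed';
}

// Constructed demo: in-memory SQLite and a one-user credential store.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
throttle_init($db);
$hash = password_hash('correct horse 42!', PASSWORD_DEFAULT);
$verify = fn(string $u, string $p): bool => $u === 'admin' && password_verify($p, $hash);

$t = 1000000;
foreach (['aaa', 'bbb', 'ccc', 'ddd', 'eee'] as $guess) {
    echo guarded_login($db, 'admin', $guess, $verify, $t++), "\n";   // five wrong guesses
}
echo guarded_login($db, 'Admin', 'correct horse 42!', $verify, $t), "\n";                      // right password, inside the window
echo guarded_login($db, 'admin', 'correct horse 42!', $verify, $t + WINDOW_SECONDS + 1), "\n"; // right password, window passed
```

A counter keyed only on the username lets anyone lock an admin out by failing on purpose, so it is usually paired with a per-IP counter or a growing delay rather than a hard lock.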