phpBB-TweakS
Forum: Feedback. Topic: Just wonder to know Austin comment?
Sat Dec 31, 2005 9:10 am
deny (Moderate TweakeR; joined 07 Jan 2005; 53 posts)
Post subject: Just wonder to know Austin comment?

This is actually a comment from November by geocator, who is supposed to be part of the phpBB team.
Anyway, here is what he said about Cracker Tracker (another popular security mod) and phpBB Security!

http://www.theadminzone.com/forums/showthread.php?t=14375

Quote:
I just want to note that both these MODs have been reviewed by myself, several of the MOD Team members, and several other community members. BOTH of them have vulnerabilities. You are actually making things worse by installing them. Further, we defeated Austin's filters in a matter of 30 seconds, making it completely useless.

Don't fool yourselves, these kinds of MODs are not the answer. Use common sense and the advice of the real security folks and you will be fine. Also update, update, update.

If you want a really good solution to security look at mod_security for apache. As this runs at the server level, it actually does its job.


Last edited by deny on Sat Dec 31, 2005 10:24 am; edited 1 time in total
Post #1

Sat Dec 31, 2005 9:40 am
jsr (Support Team; joined 06 Jan 2005; 407 posts)

I've found what he put here: http://www.phpbb.com/phpBB/viewtopic.php?p=1871599&highlight=modsecurity#1871599

geocator wrote:
y0y0 wrote:
Well, I like the phpBB Security 1.0.2, it's pretty good

That is actually not a good solution. It is a waste of time that can be bypassed in a matter of seconds, and makes updating your forums when there is a security release that much harder.

As to mod_security, there can be an issue when it comes to posting, but if it is configured properly, you will not really have issues with it.
Post #2

Sat Dec 31, 2005 10:16 am
deny (Moderate TweakeR; joined 07 Jan 2005; 53 posts)

OK, here is another view on Austin's phpBB Security from CyberAlien, a well-recognized phpBB coder:

http://www.phpbbstyles.com/viewtopic.php?t=6799&highlight=phpbb+security


Quote:
CyberAlien: It can't even detect DoS attacks, so that function only causes problems. About a month ago I got a PM from a user who thought that I operate one forum (that forum was using a phpbbstyles.com style) and asked me to unblock him because the phpBB Security mod had banned him. The reason for that ban was that he had been browsing the forum for a while without registering. And recently a similar problem happened to me too when I was browsing one forum without registering.

Those 9,475 exploit attempts are most likely the usual Santy scripts. Logging every such "hacking attempt" is only a useless waste of resources. Such a mod shouldn't log known fixed bugs, but try to detect new ones.

The good part of the mod is that it does help with common SQL injections.

So overall it does help with security, but it causes more problems than it solves, so I suggest not installing it.

baz-x: So it would be better to extract the functions that prevent SQL injections?
If so I may have a look at it ...

CyberAlien: Yes, those are the only useful functions of that mod. Everything else is useless hype that doesn't work properly.


Some parts of phpBB Security could be hype and not necessary (I agree, to save some resources of your phpBB/server. For example, it is simple to block any of these worms with .htaccess, and any updated PHP version is not vulnerable to this attack), but there are many useful things.
For example: protecting admin panels, number of mods/admins, backup of the database, blocking SQL injection, protecting login (this is done by the last build of phpBB; however, I think Austin's solution is even better), then the security question/answer.
And I still think that all sides need to be listened to. It should only help to make a better mod.
Adding new things is not necessary (it often means using more resources), but just try to find the optimal way to protect the board without adding a lot of queries.
Post #3

Sat Dec 31, 2005 1:02 pm
Spinebuster (Support Team; joined 21 Jan 2005; 413 posts)

I think they are full of s**t. Recently they have been adding features that are in the phpbb security mod (protect admin accounts, cleaner cookies and max login attempts). The next thing you know they are going to be adding the security question and answer option.

Another thing, how many boards do you know of that have been defaced with phpbb security installed?
Post #4

Tue Jan 03, 2006 6:05 am
Carter (Amature TweakeR; joined 10 Sep 2005; 11 posts)

I agree, to an extent. Any security suite is as good as its last update, and it's been a while since Austin's last update.

But I would expect nothing less than a phpbb forum "head" to come and dissuade people from using security features. No one wants to admit their software can be hacked.

I know it's better to have extra protection than to rely on the phpBB team's head-in-the-sand method of security. They often roll out ridiculous corrections to obvious problems, like the new login restrictions. It does not include a method for users to unlock their own accounts, so anyone who wants to can simply plug in a name X number of times and lock that person out of their account. That's crap. Austin's feature has the same, but lets people unlock themselves if need be.

For what it's worth, I'm of the mind that something is better than nothing.
Post #5

Wed Jan 04, 2006 12:26 am
aUsTiN (Webmaster; joined 05 Jan 2005; 3684 posts; location: USA, Georgia)

I'm not going to address people's opinions. It's so easy to criticize someone else's work, it's unreal. So why bother with their childish rants? I have better things to do. As for the integrity of phpBB Security, I will, however, speak on that.

phpBB Security 1.0.0 was fine
phpBB Security 1.0.2 is fine

The flaw was in 1.0.1. It was when I added pagination to the caught page. I forgot to add a check to

Code:

   // 1.0.1: the raw request string is used as the page offset with no integer check
   $start         = $_GET['start'];


Which is now

Code:

   // 1.0.2: take $_GET['start'] when it is set and non-zero, otherwise the
   // legacy $HTTP_GET_VARS['start'], and cast the result to an integer
   $start         = intval(($_GET['start']) ? $_GET['start'] : $HTTP_GET_VARS['start']);


Which fixed the issue that was found by the phpBB team. It can further be changed to

Code:

   // 1.0.3: integer offset when the parameter is present, otherwise 0
   $start         = $HTTP_GET_VARS['start'] ? intval($HTTP_GET_VARS['start']) : 0;


as it will be in 1.0.3. The above post from them was not the one I received. They never said anything about '30 seconds'; they said that after looking over the mod for a while, this is what we found, and went on to explain their findings.

If that is indeed a post from a phpBB team member, it just goes to show their integrity to degrade others work behind the scenes.

As for no new releases lately, I have been rather busy the last couple of months, not to mention the holiday season. There is no coding team here, there is just me. There are no exploits, so a major or minor release is not imminent, but is coming when I finish up one last thing in modcp.php.

As for phpBB "backporting" all these things phpBB Security does, I'm glad they are finally doing it. Regardless of whose ideas or whatever. It's something that needed to be done & took too long to get it done.

As for blocking DDoS, nothing can 110% stop a DDoS attack, it's that simple. All you can do is help prevent them, which is what I try & do & that's all I've ever said.
Post #6
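The pagination fix described in the post above, worked through on constructed inputs. This is an added example, not code from phpBB Security or from aUsTiN's post: sanitize_start() and build_limit() are hypothetical names, $get stands in for $_GET, and the lower-bound check is an addition beyond the quoted intval() lines.

```php
<?php
// Added example: the 'start' offset handling discussed in the post, plus the
// non-negative clamp a pagination offset needs before it reaches a LIMIT clause.

// Returns a non-negative integer page offset from a request array ($get stands in for $_GET).
function sanitize_start(array $get)
{
    // isset() avoids the "undefined index" notice that the truthiness tests in
    // the quoted 1.0.2 / 1.0.3 lines raise when the parameter is absent.
    $start = isset($get['start']) ? intval($get['start']) : 0;

    // intval() keeps a leading minus sign, and a negative LIMIT offset is a
    // SQL syntax error that surfaces to the user, so clamp at zero.
    return $start < 0 ? 0 : $start;
}

// Builds the clause the caught-attempts page would append to its query.
function build_limit(array $get, $per_page = 50)
{
    $start = sanitize_start($get);
    // Both operands are integers produced here, so interpolation is safe.
    return 'LIMIT ' . $start . ', ' . (int) $per_page;
}

// Constructed sample requests and what each becomes.
$samples = array(
    'absent'        => array(),
    'numeric'       => array('start' => '100'),
    'trailing junk' => array('start' => '100abc'),  // intval() stops at the first non-digit
    'non-numeric'   => array('start' => 'abc'),     // intval() of a non-numeric string is 0
    'negative'      => array('start' => '-7'),      // clamped to 0 by sanitize_start()
);

foreach ($samples as $label => $get) {
    $raw = isset($get['start']) ? $get['start'] : '(absent)';
    printf("%-14s raw=%-8s -> %s\n", $label, $raw, build_limit($get));
}
```

$HTTP_GET_VARS, used in the 1.0.2 and 1.0.3 lines, is the pre-4.1 long array name and was removed in PHP 5.4, so $_GET is the array to read on anything current.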
Powered by phpBB 2.0.* © 2001, 2002 phpBB Group