In-My-Opinion.org

»How to protect your phpBB forum against hackers«







Sometimes a hacker may try to alter PHP variables, for example by calling "viewtopic.php?GLOBALS[...]".
Sometimes a hacker tries to cause errors by sending very long data (e.g. a username that is 10 megabytes long).
These are clear hacking attempts and we can filter them out with the following code:
• Open "common.php"
• Find

if ( !defined('IN_PHPBB') )
{
    die('Hacking attempt');
}

Insert thereafter:

foreach ($_REQUEST as $varname => $value)
{
    // Reject parameter names that could overwrite PHP or phpBB globals
    // (GLOBALS[...], _SERVER[...], HTTP_POST_VARS[...] and so on)
    if (preg_match('#^(globals|_|http_|php_|argv|knnvalues|argc|gateway_|server_|request_|query_|document_|remote_|script_|path_|auth_)#i', $varname)
        // Reject any single string value of 1 MB or more;
        // array values (e.g. checkbox groups) are skipped here
        || (is_string($value) && strlen($value) >= 1*1024*1024))
    {
        die('Hacking attempt');
    }
}



What does this code do? It checks whether someone is trying to influence global variables like $GLOBALS or $HTTP_POST_VARS and, if so, it stops.

I have not tested it completely with all functions of phpBB and all mods, but since it works on my heavily modded site it should work on yours too.


posted by knn
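The filter from the post above, as an added example that is not code from the original post or from phpBB: it puts the same name pattern and size limit into a function that returns the reasons for rejection instead of calling die(), and it handles array-valued parameters, which the inline snippet passes straight to strlen(). It assumes PHP 7 or later; the function names and the sample request are constructed for illustration.

```php
<?php
// Added example, not code from the original post: knn's common.php request
// filter factored into a testable function. Unlike the inline snippet it handles
// array-valued parameters (checkbox groups, poll options). Names are constructed.

// Parameter names that could overwrite PHP/phpBB globals under register_globals.
const SUSPICIOUS_NAME_PATTERN = '#^(globals|_|http_|php_|argv|knnvalues|argc|gateway_|server_|request_|query_|document_|remote_|script_|path_|auth_)#i';

// Upper bound on one request value, in bytes (1 MB, as in the snippet).
const MAX_VALUE_BYTES = 1024 * 1024;

// Total byte length of a request value, descending into nested arrays.
function request_value_length($value): int
{
    if (!is_array($value)) {
        return strlen((string) $value);
    }
    $total = 0;
    foreach ($value as $item) {
        $total += request_value_length($item);
    }
    return $total;
}

// Returns the reasons a request should be refused; an empty array means it is acceptable.
function find_request_violations(array $request): array
{
    $violations = [];
    foreach ($request as $name => $value) {
        if (preg_match(SUSPICIOUS_NAME_PATTERN, (string) $name)) {
            $violations[] = "suspicious parameter name: $name";
        } elseif (request_value_length($value) >= MAX_VALUE_BYTES) {
            $violations[] = "oversized value for parameter: $name";
        }
    }
    return $violations;
}

// Constructed sample request: a normal post plus two parameters the filter rejects.
$sample = [
    'f'                => '3',
    'subject'          => 'Hello',
    'poll_option_text' => ['yes', 'no'],          // array value, no strlen() warning
    'GLOBALS'          => ['user_level' => '1'],  // GLOBALS[user_level]=1 in the query string
    'message'          => str_repeat('A', MAX_VALUE_BYTES),
];

foreach (find_request_violations($sample) as $reason) {
    echo $reason, PHP_EOL;
}
```

The pattern also rejects legitimate form fields whose names start with an underscore, so check the forms of any installed mods before deploying it.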


self-enactment



knn:
Thus change the text "Powered by phpBB" to something else.
You can leave the link to
phpbb.com...

but please change the wording. Often hackers look in Google for pages that contain "Powered by phpBB 2.0.3" or similar to exploit bugs in exactly this version. To change the wording simply change:
"phpBB" to "php B.B."
You may also consider using a .gif image that says "Powered by phpBB". I have attached one.

Are you going to enact this change here at IMO as well as on MeX? I still see "Powered by phpBB modified v1.8 by Przemo © 2003 phpBB Group" here and it's still searchable in google...


posted by volonteshiva
  

Google takes some time



volonteshiva:
I still see "Powered by phpBB modified v1.8 by Przemo © 2003 phpBB Group" here and it's still searchable in google...

1) Yeah, Google will take some time until it gets updated.
2) No, you are logged in, thus you see a template for logged in users. Unregistered visitors will see a different one where the "powered by" note is different.


posted by knn
  



Are you sure it's a good idea telling hackers what you're doing?

posted by Agent Zero
  

Not the standard stuff



Agent Zero:
Are you sure it's a good idea telling hackers what you're doing?

I am actually not telling what I am doing. I am only telling "I am not doing the standard stuff".


posted by knn
  



OK, you're smarter than I ever thought you were, to throw off hackers and such.

posted by Agent Zero
  

Warning! Very Wrong Code



knn:
Make yourself the only one who can become admin = no other registered user (or intruder) can gain admin rights.
    • Open "includes/sessions.php"
    • Find

$auto_login_key = $userdata['user_password'];

    • After add:

if (($userdata['user_level'] == ADMIN) || ($userdata['user_level'] == MOD))
{
    $userdata['user_level'] = $userdata['user_level'] && ($user_id == 2);
}


Warning! Don't use this code!
This will make all your Mods not only Admins, but YOURSELF!
Any Mod will no longer be himself, but he will be you, and without your password!

If you want to use this code, then change this:
if (($userdata['user_level'] == ADMIN) || ($userdata['user_level'] == MOD))

to:
if ($userdata['user_level'] == ADMIN)


But this is not needed, it is already inside phpBB...


posted by luky
  

Correction



luky:
Warning! Don't use this code!
This will make all your Mods not only Admins, but YOURSELF!
Any Mod will no longer be himself, but he will be you, and without your password!

Yup, sorry, I have corrected it now. I forgot a "=".
Thanks for pointing it out. It wasn't too serious a bug since it applied only to admins and mods.


posted by knn
  

vers. 2.0.11



Great post. I have a question though, are all the coding changes still needed in 2.0.11? Obviously showing the version and changing the table prefixes, etc. would be the same from version to version, but what about the code (ie password) changes?

Thanks.

posted by c3r3br0
  

Yes, all of them



c3r3br0:
I have a question though, are all the coding changes still needed in 2.0.11?

Yes, ALL of my tips should be applied on EVERY phpBB version, past or future.

They are not bug fixes but ADDITIONAL security measures.


posted by knn
  

Header Errors



I get header errors trying to use the allowedadminips. Error message says that headers were already sent. Any suggestions?

posted by c3r3br0
  

PM me the URL



c3r3br0:
Error message says that headers were already sent. Any suggestions?

Actually not possible unless allowedadminips.php is not found.
You can PM me the URL


posted by knn
  

Thanks!



All I can say is that I didn't realise I was so ignorant! I'm now going to update all my forums with the info provided here... thank you!

posted by angeljs
  

using the a.php


If I use this Mod and try to access my ACP, I get this message:
Fatal error: Cannot redeclare ech0() (previously declared in /home/www/web73/html/beta/a.php:16) in /home/www/web73/html/beta/a.php on line 16


My site is a phpbbfm.net... with a few (50+) other Mods.

Otherwise this is a great mod!


P.S. Forgive me for my bad English, I'm a Russian.


posted by HIMIK
  



HIMIK:
if i use this Mod and try to access to the my ACP, i get this message

That's only possible if you include 'config.php' more than once. You should sign up so we can PM


posted by knn
  


