Register

If this is your first visit, please click the Sign Up now button to begin the process of creating your account so you can begin posting on our forums! The Sign Up process will only take up about a minute of two of your time.

Results 1 to 2 of 2
  1. #1
    Senior Member
    Join Date
    Apr 2005
    Location
    Hatfield, England
    Posts
    855
    Member #
    9790
    This is my first contracted website i am developing and it is about a full days work from completion. I am deeply concerned about the security of it all. The worst thing that could happen to my site is if i leave a loophole and it gets effectively destroyed because of an error on my part.

    So this thread is simply about identifying security holes and what i can do to stop them before the site goes live. I am not looking for coding, its more general security advice.

    My concern now is with the safety and security of the site. It is built on top of a phpbb2 forum and the website uses the member system of the forum to keep everything integrated. I have also used the forums user groups to assign users permissions. At the time i felt this would be more secure than trying to write something myself. Because i am using an existing user authentication system which is in the forum i feel confident that this will be ok.

    The 2 main concerns i do have are attacks from the inside and attacks from the outside.

    Inside attacks
    The site is for an up and coming gaming clan and my client is adamant that all clan members can post materials on the main site. This means that they will have to be able to access the admin panel.

    I have limited what they can access, i have also stopped them from being able to edit and delete content on the site. This means that should some become disgruntled the worst they can do is post something offensive, they won't be able to modify or delete any thing.

    I really can't think of a better way to protect against this. If anyone has any ideas feel free to recommend something.

    Outside attacks
    When i say outside i mean by people who have member access and cannot get into the admin panel. I am very confident about the security of the admin panel and i am sure that the only way an unauthorized user could get in is by getting the username and password of an existing account with the right privileges.

    My main concern is with forms. Are there any major potential problems that i should be aware of when it comes to putting data into the database? If there is could someone shed some light on what the potential damage would be if i miss out something.

    I thank you in advance for any help given on this topic

  2.  

  3. #2
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    phpBB itself has a reputation of insecurity (potentially unjustified; but there was a string of critical security issues that were widely publicized a few months ago). However, I do agree that it will likely be more secure than somebody you (or I) could develop in a short timeframe without a lot of planning. I'm actually getting some books on the topic of web security because it's so important.

    Inside attacks: only assign trust to members who deserve it. Nobody but you should be able to access the administrative control panel. I trust the moderators here, but there's no way they'll ever get access to the admin CP even because they could accidently click a wrong link, or if their account gets compromised, the entire forum is implicitly compromised.

    Outside attacks: .htaccess using mod_user_auth or whatever it's called all protected areas of the site. With vBulletin, you can change the actual directories of the mod and admin CPs, so if phpBB can do that, then do it. Require complex passwords (for example, 8 or more characters, mixed case, numbers, symbols, not dictionary words, etc.) from all trusted users.

    Don't forget that the weak point might not be the application, but the system on which it resides. If somebody gets access to your MySQL/PostgreSQL/whatever database, it doesn't matter how secure phpBB is. Turn off any unnecessary services, use very complex passwords, don't allow remote connections to the database, turn off all unnecessary FTP accounts and, if possible, require a whitelist of IPs to connect to FTP, etc.
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!


Remove Ads

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
All times are GMT -6. The time now is 05:11 PM.
Powered by vBulletin® Version 4.2.3
Copyright © 2020 vBulletin Solutions, Inc. All rights reserved.
vBulletin Skin By: PurevB.com