Re: [Phpwebsite-developers] Security Explained

[Jim W. <spi...@us...>]

Matthew McNaney said:

> Here are the details for the what the security patches fix:
> 
> http://www.gulftech.org/?node=research&article_id=00048-08312004
> 
> Special thanks to Steven. He became the best hacker there is at foiling
> my security checks and he was quick to fix module issues.
> 
> I will also explain what James is referring to in his conclusion.
> 
> 0.9.4 will have an authentication key for each user. When you log in,
> the key is created from scratch and placed into your session.

Thank you for the update.  This should work fine, but existing users have a
serious problem that they should address in the mentioned RFC 2616 problems.

On the surface it doesn't seem like there would be a quick fix to solve this
issue,  but I would strongly recommend that individual users make edits to
certain files in order to avoid or limit defacement.

As far as I can tell, this requires disabling some functions for the time
being.  Below are some notes on how to do this.  I've listed the module files
and the functions that individuals may want to disable.  At the very least one
should look very closely at the "users" module functions.  The disabled
functions could be performed by administering the mod_users tables with a
database admin tool.

It would be helpful to get feedback on these ideas, or perhaps alternative
solutions.  For many users waiting for the next release might be too risky.

Thanks,

Jim Wilson


Disable the following functions in the following files.
Look for statements like 'case "deleteforum"; and either
mangle the command name text (e.g. change "deleteforum" to 
"zadaweb-was-deleteforum") or comment out the case statement 
and code following down to the break; statement:


mod/users/index.php
annointUser
castoutUser
turnOnAdmin
turnOffAdmin
deleteGroup
deleteUser

mod/phpwsbb/class/Manager.php
deleteForum
deletemessage
banusername
unbanusername

mod/photoalbum/class/Album.php
delete

mod/pagemaster/index.php
delete_page