
SECURITY FLAW EXPOSED!

I've been posting around the net trying to get people to visit my forum to see if they can expose security flaws and errors in GrimBB. On one of the forums, namely DevShed, someone succeeded. They hacked my password for GrimBB. I'd set up an e-mail account and my registration to that forum with the same password. Needless to say, the second post you can see on that forum wasn't made by me. That particular user also changed the password to the e-mail account I had created. But no worries, there was no sensitive/important information in either of those things. Apart from the hassle of locking me out of the forum and my e-mail, that user did expose a flaw in GrimBB: that its passwords can be hacked. You can see the file with the password here. EDIT: THIS LINK IS NO LONGER FUNCTIONING

How did he possibly achieve this?
Well, online there are various repositories of md5 hashes generated from particular text inputs. One such example is gdataonline. Therefore all he needed to do was type in my hash and get back the text that generates that hash, and voilà, instant access to my account. As he so eloquently stated, using my forum name at DevShed:
1) It's a bad idea to use md5().
2) It's a bad idea to put your real password in a .txt file.
3) It's a bad idea to use flat-files.

So what are possible solutions?
  • Make a separate directory with sensitive files (such as board_users.inc) and use .htaccess to restrict who can view them
  • Use something stronger than md5, or use passwords that don't consist of common words (e.g. randomly generated passwords)
  • "Salting" the md5 hashes by using some arbitrary key which only the forum's super administrator would know (you would combine this string with the user's password and then compute the hash)
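An added example (not code from GrimBB or from the post) showing why the md5 lookup described above works against a bare hash and how the salting fix in the last item changes that. The lookup table, the word list and the key `example-admin-key` are constructed here; the per-user salted PBKDF2 functions at the end go beyond the post as one concrete form of the "something stronger than md5" option.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for an online md5 lookup site: a handful of common
# words mapped from their md5 hash back to the plaintext that produced it.
COMMON_WORDS = ["password", "letmein", "pirate"]
LOOKUP_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def md5_plain(password: str) -> str:
    """The scheme the post describes: bare md5 of the password, stored as-is."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, site_key: str) -> str:
    """The post's 'salting' fix: the administrator's secret key is combined
    with the password before hashing (assumed here: key prepended)."""
    return hashlib.md5((site_key + password).encode()).hexdigest()


def reverse_with_table(digest: str) -> Optional[str]:
    """What the lookup site does: return the word for a known hash, else None."""
    return LOOKUP_TABLE.get(digest)


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         rounds: int = 100_000) -> str:
    """Stronger than either md5 variant: a random per-user salt plus a slow,
    iterated hash. Stored as 'rounds$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time comparison."""
    rounds, salt_hex, _ = stored.split("$")
    recomputed = hash_password_pbkdf2(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    print("unsalted md5 reverses to:", reverse_with_table(md5_plain("pirate")))
    print("salted md5 reverses to:", reverse_with_table(md5_salted("pirate", "example-admin-key")))
    stored = hash_password_pbkdf2("pirate")
    print("pbkdf2 verify:", verify_pbkdf2("pirate", stored), verify_pbkdf2("wrong", stored))
```

A site-wide key stops a public lookup table, but every user with the same password still gets the same stored hash; the per-user random salt in the PBKDF2 variant removes that too.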
What will I be doing?
Not sure yet. I would like to avoid having to hide files and things of that nature, since some of those operations are difficult for novices (I'm a novice). Someone who just wants to put up a forum might not want to, or know how to, deal with those issues. More likely I will construct my own hashing function.

What should you do?
Don't use on the forum a password that you use elsewhere.
Make the password some random sequence of alphanumerics.
Don't worry too much: the only person they could do any damage to was me, since the only information they obtained about anyone was about me, the author of the forum.
Suggest other ways to secure passwords and usernames, and keep on testing that forum ^_^

10 Comments On This Entry


max302 

12 November 2006 - 03:05 PM
Oh man. Pwned. You should write your passes in a PHP file that would get parsed and therefore not get echoed like a .inc does. Also, you should create individual files for each user, then a hidden user directory which uses randomized numbers as index. For security... Also, to prevent SQL injects and stuff of the kind, be sure to check out the isset_addr() function in the PHP section of the Code Snippets.

I'm still wondering why you want to use entirely text files though. Anyways, nice project.
0

rockstar_ 

12 November 2006 - 03:30 PM
I'm also wondering what the advantages of flat files are. I'm interested to hear the reasoning behind it. MySQL allows for good security. SQL injection is easy to stop (it's called being smart), and you have no problem storing your md5 hashes in the database. Unless the database is owned, you should be okay. If the database is owned, someone getting your md5 hash is the LEAST of your worries. I store everything in sha1, but same concept. Someone with hash tables could always crack that, but if they have access to the database that'll be the last thing you would have to worry about (it's the demographics that you should be worried about there.)

rockstar_
0

grimpirate 

12 November 2006 - 04:26 PM
I'm utilizing text files because originally the server I used did not provide a MySQL database. I used a free server and I'm not willing to pay for MySQL or anything else for that matter. I'm cheap like that, more importantly I'm a pirate and we take not give. As I stated before I'm trying to find a way to work around those things for the sake of making a forum which is accessible to the most inexperienced of computer users (most people on these forums seem to take for granted that they have a mastery of computer topics).
0

Tuzoid 

12 November 2006 - 05:34 PM
1) .htaccess is your friend, use it :)
2) For your .inc files, just make the extension .inc.php. This way it won't show anything ;)

If you need help, just ask :)
0

skyhawk133 

12 November 2006 - 09:36 PM
I understand the reasoning behind doing flat files, anyone can program a mysql forum, but taking on a challenge such as flat files and security is admirable. I think it will make you a better programmer in the long run.
0

Tuzoid 

13 November 2006 - 04:54 AM
I second that ;)

Flat Files is a challenge!
0

max302 

13 November 2006 - 09:46 AM

Tuzoid, on 12 Nov, 2006 - 08:34 PM, said:

1) .htaccess is your friend, use it :)
2) For your .inc files, just make the extension .inc.php. This way it won't show anything ;)

If you need help, just ask :)


Hmmm. .htaccess for ready to deploy BB system? I don't think so.
0

grimpirate 

13 November 2006 - 11:08 AM
Care to expand on those thoughts max?
0

cipherence 

13 November 2006 - 02:27 PM
I think your link for the User list is a tad bit broken. Also, the whole encrypting with random numbers for an index name is genius, and using PHP is a great idea as well.
0

grimpirate 

13 November 2006 - 06:05 PM
The link for board_users.inc is no longer existent, as that file was permanently changed to board_users.php; that's why you can no longer view the usernames and passwords (it is indeed a broken link). If you want to see how they're generated, just download the zip distro.
0