Previous Thread
Next Thread
Print Thread
Rate Thread
#57391 03/03/2004 4:41 PM
Joined: Dec 2003
Posts: 40
Member
Member
Offline
Joined: Dec 2003
Posts: 40
Up until now, the only safeguard against the cookie-stealing vulnerability has been mega-mod, which allows an Admin to do admin actions in the forums w/o worrying about his cookie being stolen and used to access the CP.

Instead of having to use mega-mod, it would be great if there were a mod that simply checked the first x digits of the IP address of the person trying to login to the CP, to see if it matched the IP on record for that Admin.

Granted, the last few digits of an IP change from time to time, but the first x digits are usually pretty much the same. And if the Admin's IP did ever change, he could always go into FTP and make the necessary adjustments.

Sponsored Links
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Spotlight Winner
Offline
Joined: Jun 2001
Posts: 2,849
I agree. I've mentioned this many times before but not by checking IP. I've been a victim of cookie theft and it was obviously not a pleasant experience though I happened to be on the board within minutes after my password was changed and i got into the FTP and renamed ultimatebb.cgi to .bak. That shut the board off in a hurry.

I would love to see something like this added to the core of UBB. I brought up having a second password that would be asked for after the UBB password was presented. I've settled for surfing the board as a non-admin (megamod) and in reality it is a good solution. There's really no reason I HAVE to be logged in as an admin all the time.

Anyway, back to the subject. I agree that this would be a good thing.

Joined: Jan 2000
Posts: 5,833
Likes: 20
UBBDev / UBBWiki Owner
Time Lord
UBBDev / UBBWiki Owner
Time Lord
Joined: Jan 2000
Posts: 5,833
Likes: 20
Why not just set a disallow to your cp.cgi file through .htaccess? I'm not entirely sure of the code but it shouldn't be too large of a hassle to read up on.


UBB.Dev - Putting Dev into UBB.threads
Company: VNC Web Services - UBB.threads Scripts and Scripting, Install and Upgrade Services, Site and Server Maintenance.
Forums: A Gardeners Forum, Scouters World, and UGN Security
UBB.Threads: My UBB Themes, My UBB Scripts
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Spotlight Winner
Offline
Joined: Jun 2001
Posts: 2,849
That would work but only for certain people on certain servers. I think a hack or mod should be UBB centric and available to all. *shrugs* I don't think having a separate CP password is a bad idea. It would cerrtainly kill the cookie issue once and for all.

Joined: Dec 2003
Posts: 40
Member
Member
Offline
Joined: Dec 2003
Posts: 40
I have to agree here, a second CP password would be more 'portable' than an IP match. And it certainly would bury the cookie issue. As a matter of fact, wouldn't it also solve the issue of moderators being able to let themselves into the CP?

Sponsored Links
Joined: Jan 2000
Posts: 5,833
Likes: 20
UBBDev / UBBWiki Owner
Time Lord
UBBDev / UBBWiki Owner
Time Lord
Joined: Jan 2000
Posts: 5,833
Likes: 20
You can ban moderators from accessing the cp; look in the 6.4-6.7 mods section, I believe it's a fairly short mod.


UBB.Dev - Putting Dev into UBB.threads
Company: VNC Web Services - UBB.threads Scripts and Scripting, Install and Upgrade Services, Site and Server Maintenance.
Forums: A Gardeners Forum, Scouters World, and UGN Security
UBB.Threads: My UBB Themes, My UBB Scripts
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Admin Emeritus
Joined: Jan 2000
Posts: 5,073
For 6.6 and 6.7, it's very short indeed - built right into the code. You can thank me later. wink


UBB.classic: Love it or hate it, it was mine.
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Spotlight Winner
Offline
Joined: Jun 2001
Posts: 2,849
I already thanked you CC, I've been modding moderators out for some time.

Joined: Dec 2003
Posts: 40
Member
Member
Offline
Joined: Dec 2003
Posts: 40
Built right into the code? Is it automatic or do I need to toggle something? At any rate, thank you Charles!

Now back to the CP double password mod-- would it be better if it were made so that each Admin has his own second password, or else if the second password was associated with the CP rather than with the individual Admin (in other words, the second password would be the same for any admin).

Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Spotlight Winner
Offline
Joined: Jun 2001
Posts: 2,849
I think it would be great to have a second password for each admin, there's more accountability that way. My wife and I are the only two admins that Netwerkin has ever had but some sites have quite a few of them.

Sponsored Links
Joined: Jan 2000
Posts: 5,833
Likes: 20
UBBDev / UBBWiki Owner
Time Lord
UBBDev / UBBWiki Owner
Time Lord
Joined: Jan 2000
Posts: 5,833
Likes: 20
The making it so mod's can't access the CP is built into the code, it's a VERY MINOR modification to the board that even my dog could do. As I previously stated, look through the mod's section.


UBB.Dev - Putting Dev into UBB.threads
Company: VNC Web Services - UBB.threads Scripts and Scripting, Install and Upgrade Services, Site and Server Maintenance.
Forums: A Gardeners Forum, Scouters World, and UGN Security
UBB.Threads: My UBB Themes, My UBB Scripts
Joined: Dec 2003
Posts: 40
Member
Member
Offline
Joined: Dec 2003
Posts: 40
Ah, didn't know it was a mod, thought it might be part of the stock code.

...found it!

Thanks.

Joined: Jan 2000
Posts: 5,833
Likes: 20
UBBDev / UBBWiki Owner
Time Lord
UBBDev / UBBWiki Owner
Time Lord
Joined: Jan 2000
Posts: 5,833
Likes: 20
Quote
Originally posted by Gizzy:

You can ban moderators from accessing the cp; look in the 6.4-6.7 mods section, I believe it's a fairly short mod.
No one listens to lil ole me cry


UBB.Dev - Putting Dev into UBB.threads
Company: VNC Web Services - UBB.threads Scripts and Scripting, Install and Upgrade Services, Site and Server Maintenance.
Forums: A Gardeners Forum, Scouters World, and UGN Security
UBB.Threads: My UBB Themes, My UBB Scripts

Link Copied to Clipboard
Donate Today!
Donate via PayPal

Donate to UBBDev today to help aid in Operational, Server and Script Maintenance, and Development costs.

Please also see our parent organization VNC Web Services if you're in the need of a new UBB.threads Install or Upgrade, Site/Server Migrations, or Security and Coding Services.
Recommended Hosts
We have personally worked with and recommend the following Web Hosts:
Stable Host
bluehost
InterServer
Visit us on Facebook
Member Spotlight
JAISP
JAISP
PA
Posts: 449
Joined: February 2008
Forum Statistics
Forums63
Topics37,573
Posts293,925
Members13,849
Most Online5,166
Sep 15th, 2019
Today's Statistics
Currently Online
Topics Created
Posts Made
Users Online
Birthdays
Top Posters
AllenAyres 21,079
JoshPet 10,369
LK 7,394
Lord Dexter 6,708
Gizmo 5,833
Greg Hard 4,625
Top Posters(30 Days)
Top Likes Received
isaac 82
Gizmo 20
Brett 7
WebGuy 2
Morgan 2
Top Likes Received (30 Days)
None yet
The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services

 
Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20221218)