#63887 05/29/2002 11:03 AM
Joined: Jan 2002
Posts: 266
Kel
Offline
Member
Is there anyone here who would be considered an expert on the issue of board security? I.e., preventing mischief makers from getting into files and forums that they shouldn't be getting into. I really could use some help in this area. Thank you... smile

#63888 05/29/2002 4:21 PM
Joined: Jun 2001
Posts: 729
Coder
Is this your server or a hosting company's? You will need to note what version of UBB, operating system as well as the modules you are running. Also, are you completely patched? Just for starters...

#63889 05/30/2002 12:59 AM
Joined: May 2001
Posts: 6,708
Member
First thing to be safe: Turn off HTML in forums.

#63890 05/30/2002 8:42 AM
Joined: Jan 2002
Posts: 266
Kel
Offline
Member
I had forgotten about that. I did have it on in the one forum. Can you explain how that works? How does having HTML on in a forum create a security leak?

I'll be honest here... My mind does not run this way so it is difficult at best for me to put up defenses. I have no interest in being destructive to others' boards so I have no idea how it is done to mine.

Perhaps some simple lessons here might help others as well.

Thank you LD... smile

#63891 05/30/2002 2:31 PM
Joined: Aug 2000
Posts: 335
Member
Imaginative use of HTML can do tricky things, such as running scripts and stealing other people's cookies. There are filters in UBB which attempt to prevent this type of abuse, but new exploits continue to be found. The safest approach is to disable HTML posting, and only allow UBB Code.

UBB Code images pose a similar threat.

Other security tips:

1) Ensure that your server is configured so that certain files cannot be accessed from a web browser, such as member profiles, cache files and the vars_ configuration files. You can test for this by trying to access the files yourself from a browser.

2) If possible, move your members directory outside of the web document tree.

3) Protect directories that shouldn't be accessed from a web browser with .htaccess files.

4) Password-protect the control panel with an .htaccess file.

Searching for "security", "members" and "htaccess" in these forums or the Infopop community forums should provide more details on the above.
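An added illustration of the post above (not part of the thread and not UBB's own filter): a script-stripping blacklist lets an event-handler attribute through, while an "HTML off" renderer escapes everything and emits only a fixed set of tags for UBB Code. The function names, the tag set and the image-URL rule are assumptions made for this example.

```python
import html
import re

# Constructed sample posts (not taken from the thread).
SAMPLES = [
    "[b]hello[/b] <script>alert(1)</script>",
    '<b onmouseover="alert(1)">hover</b>',
    "[img]http://example.com/pic.gif[/img]",
    "[img]javascript:alert(1)[/img]",
]

def blacklist_filter(raw):
    """Weak approach: HTML stays on, known-bad markup is stripped."""
    return re.sub(r"(?is)<script.*?</script>", "", raw)

# Assumed rule: http(s) only, conservative characters, image extension.
# The remote server still decides what it actually sends for that URL.
_IMG_URL = re.compile(
    r"https?://[A-Za-z0-9.-]+(:\d+)?/[A-Za-z0-9._~/-]*\.(gif|jpe?g|png)", re.I)

def _img(match):
    url = match.group(1).strip()
    if _IMG_URL.fullmatch(url):
        return '<img src="%s" alt="">' % url
    return match.group(0)  # rejected URL: leave the tag as inert text

def render_ubb_code_only(raw):
    """HTML off: escape everything, then emit a fixed set of tags ourselves."""
    text = html.escape(raw, quote=True)
    for code, tag in (("b", "strong"), ("i", "em")):
        text = re.sub(r"(?is)\[%s\](.*?)\[/%s\]" % (code, code),
                      r"<%s>\1</%s>" % (tag, tag), text)
    return re.sub(r"(?is)\[img\](.*?)\[/img\]", _img, text)

if __name__ == "__main__":
    for sample in SAMPLES:
        print("blacklist:", repr(blacklist_filter(sample)))
        print("ubb only :", repr(render_ubb_code_only(sample)))
```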

#63892 05/30/2002 2:36 PM
Joined: Dec 2001
Posts: 699
Member
Well, even though HTML is filtered, it is far easier to feed 'bad' scripts to the page via it.

#63893 05/30/2002 6:23 PM
Joined: Feb 2001
Posts: 815
Moderator / Kingpin
Most importantly, change all your Admin passwords and FTP passwords frequently. Use completely different passwords for each. Use passwords that contain numbers and letters and avoid names and words that can be found in a dictionary. In other words: random strings of letters and numbers.

#63894 05/31/2002 2:19 AM
Joined: May 2001
Posts: 6,708
Member
Dave, you don't need to use .htaccess files to stop that. All you need to do is upload a blank index.html file and they can't access it from a browser.

#63895 05/31/2002 10:23 AM
Joined: Aug 2000
Posts: 335
Member
That is not correct. tipsy

A blank index.html file will prevent the browser from displaying a directory listing, but it won't stop the browser from accessing a file within that directory, if the user knows the file name.
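The difference described in the post above can be reproduced locally. This is an added example, not part of the thread: it uses Python's built-in file server rather than Apache, the directory and file names are constructed, and the `Denying` handler is a stand-in for an .htaccess deny rule.

```python
import functools, http.client, http.server, os, tempfile, threading

class Plain(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

class Denying(Plain):
    """Stand-in for an .htaccess deny rule on the members directory."""
    def send_head(self):
        if self.path.lower().startswith("/members/"):
            self.send_error(403)
            return None
        return super().send_head()

def fetch(port, path):
    # http.client talks to the loopback server directly (no proxy settings).
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

def probe(handler_cls):
    """Serve a constructed tree; request the directory and a known file."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "members"))
        open(os.path.join(root, "members", "index.html"), "w").close()  # blank
        with open(os.path.join(root, "members", "profile1.txt"), "w") as f:
            f.write("constructed member data")
        handler = functools.partial(handler_cls, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            port = server.server_address[1]
            return fetch(port, "/members/"), fetch(port, "/members/profile1.txt")
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print("blank index.html only:", probe(Plain))
    print("with deny rule:       ", probe(Denying))
```

With only the blank index.html, the directory request returns an empty page but the named file comes back with its contents; with the deny rule both requests are refused.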

#63896 05/31/2002 6:45 PM
Joined: May 2001
Posts: 6,708
Member
I guess you made your point. frown

Should start using .htaccess now.

#63897 06/15/2002 9:06 PM
Joined: Jun 2001
Posts: 2,848
Spotlight Winner
Assuming she is using Apache... confused confused confused confused confused confused

#63898 06/15/2002 11:21 PM
Joined: Jan 2002
Posts: 266
Kel
Offline
Member
Yes, Apache... PowWeb.

Can't find my httpd.conf file though!... confused confused confused

