#63887
05/29/2002 11:03 AM
Joined: Jan 2002
Posts: 266
Member
Is there anyone here who would be considered an expert on the issue of board security? I.e., preventing mischief makers from getting into files and forums that they shouldn't be getting into. I really could use some help in this area. Thank you...

#63888
05/29/2002 4:21 PM
Joined: Jun 2001
Posts: 729
Coder
Is this your server or a hosting company's? You will need to note what version of UBB and operating system, as well as the modules, you are running. Also, are you completely patched? Just for starters...

#63889
05/30/2002 12:59 AM
Joined: May 2001
Posts: 6,708
Member
First thing to be safe: Turn off HTML in forums.

#63890
05/30/2002 8:42 AM
Joined: Jan 2002
Posts: 266
Member
I had forgotten about that. I did have it on in the one forum. Can you explain how that works? How does having HTML on in a forum create a security leak? I'll be honest here... My mind does not run this way so it is difficult at best for me to put up defenses. I have no interest in being destructive to others' boards so I have no idea how it is done to mine. Perhaps some simple lessons here might help others as well. Thank you LD... 

#63891
05/30/2002 2:31 PM
Joined: Aug 2000
Posts: 335
Member
Imaginative use of HTML can do tricky things, such as running scripts and stealing other people's cookies. There are filters in UBB which attempt to prevent this type of abuse, but new exploits continue to be found. The safest approach is to disable HTML posting, and only allow UBB Code.
UBB Code images pose a similar threat.
Other security tips:
1) Ensure that your server is configured so that certain files cannot be accessed from a web browser, such as member profiles, cache files and the vars_ configuration files. You can test for this by trying to access the files yourself from a browser.
2) If possible, move your members directory outside of the web document tree.
3) Protect directories that shouldn't be accessed from a web browser with .htaccess files.
4) Password-protect the control panel with an .htaccess file.
Searching for "security", "members" and "htaccess" in these forums or the Infopop community forums should provide more details on the above.

#63892
05/30/2002 2:36 PM
Joined: Dec 2001
Posts: 699
Member
Well, even though HTML is filtered, it is far easier to feed 'bad' scripts to the page via it.

#63893
05/30/2002 6:23 PM
Joined: Feb 2001
Posts: 815
Moderator / Kingpin
Most importantly, change all your Admin passwords and FTP passwords frequently. Use completely different passwords for each. Use passwords that contain numbers and letters and avoid names and words that can be found in a dictionary. In other words: random strings of letters and numbers.

#63894
05/31/2002 2:19 AM
Joined: May 2001
Posts: 6,708
Member
Dave, you don't need to use .htaccess files to stop that. All you need to do is upload a blank index.html file and they can't access it from a browser.

#63895
05/31/2002 10:23 AM
Joined: Aug 2000
Posts: 335
Member
That is not correct. A blank index.html file will prevent the browser from displaying a directory listing, but it won't stop the browser from accessing a file within that directory, if the user knows the file name.
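
As an added illustration of the point in the post above (not code from any poster or from UBB): this Python script uses the standard library's local web server as a stand-in for Apache and shows that a blank index.html suppresses the directory listing while a file requested by name is still served. The `members` directory and the file name `profile_0001.txt` are constructed for the demo.

```python
import http.server
import pathlib
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

# Ignore any proxy settings so requests go straight to 127.0.0.1.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

def fetch(url):
    """GET a URL and return (status, body) without raising on 4xx/5xx."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""

def run_demo():
    """Serve a constructed 'members' directory on localhost and probe it."""
    with tempfile.TemporaryDirectory() as root:
        members = pathlib.Path(root, "members")
        members.mkdir()
        # Constructed sample data; the file name is hypothetical.
        (members / "profile_0001.txt").write_text("user=alice\n")
        server = http.server.ThreadingHTTPServer(
            ("127.0.0.1", 0), partial(QuietHandler, directory=root))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}/members/"
        try:
            results = {"listing_before": fetch(base)}
            (members / "index.html").write_text("")  # the blank-index trick
            results["listing_after"] = fetch(base)
            results["direct_file"] = fetch(base + "profile_0001.txt")
        finally:
            server.shutdown()
            server.server_close()
        return results

if __name__ == "__main__":
    for name, (status, body) in run_demo().items():
        print(f"{name}: HTTP {status}, {len(body)} bytes")
```

On a real Apache host, the same direct-file request is the check to repeat after adding an .htaccess deny rule or moving the directory out of the document tree; it should then return 403 or 404 instead of 200.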

#63896
05/31/2002 6:45 PM
Joined: May 2001
Posts: 6,708
Member
I guess you made your point. Should start using .htaccess now.

#63897
06/15/2002 9:06 PM
Joined: Jun 2001
Posts: 2,848
Spotlight Winner

#63898
06/15/2002 11:21 PM
Joined: Jan 2002
Posts: 266
Member
Yes, Apache... PowWeb. Can't find my httpd.conf file though!... 