UBB.Dev
Posted By: Nate Verify IP of Admin logging in - 03/03/2004 11:41 PM
Up until now, the only safeguard against the cookie-stealing vulnerability has been mega-mod, which allows an Admin to do admin actions in the forums w/o worrying about his cookie being stolen and used to access the CP.

Instead of having to use mega-mod, it would be great if there were a mod that simply checked the first x digits of the IP address of the person trying to login to the CP, to see if it matched the IP on record for that Admin.

Granted, the last few digits of an IP change from time to time, but the first x digits are usually pretty much the same. And if the Admin's IP did ever change, he could always go into FTP and make the necessary adjustments.
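The check proposed in the post above, as an added example that is not part of the original thread and not UBB code: it compares the login address against a network recorded for each admin, and contrasts that with a plain string comparison of the "first x digits", which also accepts unrelated addresses. The admin names, the recorded networks (documentation ranges) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample records: admin name -> network that admin normally logs in from.
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
ADMIN_NETWORKS = {
    "nate": ipaddress.ip_network("203.0.113.0/24"),
    "randy": ipaddress.ip_network("198.51.100.0/25"),
}


def naive_prefix_match(recorded_prefix, remote_addr):
    """String comparison of the leading characters. Shown for contrast only:
    the prefix "203.0.11" also matches 203.0.113.7 and 203.0.119.1."""
    return remote_addr.startswith(recorded_prefix)


def cp_access_allowed(admin, remote_addr, networks=ADMIN_NETWORKS):
    """Return True only if remote_addr is a valid address inside the
    network on record for this admin. Every other case fails closed."""
    network = networks.get(admin)
    if network is None:
        return False  # no network on record for this admin
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False  # malformed value, e.g. a comma-separated proxy list
    # An IPv6 address is never a member of an IPv4 network, so this is False
    # for a version mismatch as well as for an address outside the range.
    return addr in network


if __name__ == "__main__":
    # Constructed login attempts: (admin, address the request came from).
    attempts = [
        ("nate", "203.0.113.42"),    # same /24 as on record
        ("nate", "203.0.114.42"),    # stolen cookie replayed from elsewhere
        ("randy", "198.51.100.200"), # outside the recorded /25
        ("nate", "not-an-ip"),
    ]
    for admin, addr in attempts:
        verdict = "allow" if cp_access_allowed(admin, addr) else "deny"
        print(f"{admin:6} {addr:16} {verdict}")
```

As the post notes, an admin whose provider moves them to a different range is locked out until the record is updated by hand.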
Posted By: RandyM Re: Verify IP of Admin logging in - 03/04/2004 12:01 AM
I agree. I've mentioned this many times before but not by checking IP. I've been a victim of cookie theft and it was obviously not a pleasant experience though I happened to be on the board within minutes after my password was changed and I got into the FTP and renamed ultimatebb.cgi to .bak. That shut the board off in a hurry.

I would love to see something like this added to the core of UBB. I brought up having a second password that would be asked for after the UBB password was presented. I've settled for surfing the board as a non-admin (megamod) and in reality it is a good solution. There's really no reason I HAVE to be logged in as an admin all the time.

Anyway, back to the subject. I agree that this would be a good thing.
Posted By: Gizmo Re: Verify IP of Admin logging in - 03/04/2004 2:28 AM
Why not just set a disallow to your cp.cgi file through .htaccess? I'm not entirely sure of the code but it shouldn't be too large of a hassle to read up on.
Posted By: RandyM Re: Verify IP of Admin logging in - 03/04/2004 7:37 AM
That would work but only for certain people on certain servers. I think a hack or mod should be UBB centric and available to all. *shrugs* I don't think having a separate CP password is a bad idea. It would certainly kill the cookie issue once and for all.
Posted By: Nate Re: Verify IP of Admin logging in - 03/04/2004 7:58 AM
I have to agree here, a second CP password would be more 'portable' than an IP match. And it certainly would bury the cookie issue. As a matter of fact, wouldn't it also solve the issue of moderators being able to let themselves into the CP?
Posted By: Gizmo Re: Verify IP of Admin logging in - 03/04/2004 8:24 AM
You can ban moderators from accessing the cp; look in the 6.4-6.7 mods section, I believe it's a fairly short mod.
Posted By: Charles Capps Re: Verify IP of Admin logging in - 03/04/2004 9:44 PM
For 6.6 and 6.7, it's very short indeed - built right into the code. You can thank me later. wink
Posted By: RandyM Re: Verify IP of Admin logging in - 03/05/2004 1:32 AM
I already thanked you CC, I've been modding moderators out for some time.
Posted By: Nate Re: Verify IP of Admin logging in - 03/05/2004 4:05 AM
Built right into the code? Is it automatic or do I need to toggle something? At any rate, thank you Charles!

Now back to the CP double password mod-- would it be better if it were made so that each Admin has his own second password, or else if the second password was associated with the CP rather than with the individual Admin (in other words, the second password would be the same for any admin)?
Posted By: RandyM Re: Verify IP of Admin logging in - 03/05/2004 7:59 AM
I think it would be great to have a second password for each admin, there's more accountability that way. My wife and I are the only two admins that Netwerkin has ever had but some sites have quite a few of them.
Posted By: Gizmo Re: Verify IP of Admin logging in - 03/05/2004 8:01 AM
The making it so mods can't access the CP is built into the code, it's a VERY MINOR modification to the board that even my dog could do. As I previously stated, look through the mods section.
Posted By: Nate Re: Verify IP of Admin logging in - 03/05/2004 8:22 AM
Ah, didn't know it was a mod, thought it might be part of the stock code.

...found it!

Thanks.
Posted By: Gizmo Re: Verify IP of Admin logging in - 03/05/2004 6:59 PM
Quote
Originally posted by Gizzy:

You can ban moderators from accessing the cp; look in the 6.4-6.7 mods section, I believe it's a fairly short mod.
No one listens to lil ole me cry