Author Topic: Security Hole ???  (Read 1157 times)
Micalus
Noobie
*
Posts: 4


huhu absolutistisch korreckt !

Security Hole ???
« on: September 18, 2002, 10:07:15 AM »

Hi there!

We recently opened a little board and asked people to check security. They found that if you write a message to another user, this message is always directed to the LOGIN name of the user and NOT to the nickname you can choose individually.

So if the admin of a board uses a nickname, everybody can find out his LOGIN and so half the information he needs to log in as administrator.

Nevertheless, choosing a nickname under these circumstances is somewhat counterproductive, isn't it?

Does anybody have an idea or a fix?
Logged
Compuart
Quality, Quality, Quality!
YaBB God
*****
Posts: 1283


Re:Security Hole ???
« Reply #1 on: September 18, 2002, 10:26:10 AM »

Quote from: Micalus on September 18, 2002, 10:07:15 AM
> So if the Admin of a Board uses a nickname, everybody can find out his LOGIN and so half the Information he needs to log in as Administrator
The login name is not intended to be secret in any way. In most cases it's the same as the display name. To log in you would need a password as well. As long as you don't know the password, a login name is useless, right?
Logged

Micalus
Noobie
*
Posts: 4


huhu absolutistisch korreckt !

Re:Security Hole ???
« Reply #2 on: September 18, 2002, 11:35:57 AM »

Well, I think it's not right at all, and there is a second thing, too:

If I log in and perhaps have Caps Lock on or type my password not 100% correctly, I get a page with my login name and my typed password written in plain text!

So if anybody looks at my screen, for instance a jealous colleague, he has my password!!!

Well, maybe it's a little paranoid, but I would like to have that fixed; does anybody have a mod for that?
« Last Edit: September 18, 2002, 11:40:54 AM by Micalus » Logged
Sir_Redferne
Noobie
*
Posts: 11


I'm a llama!

Re:Security Hole ???
« Reply #3 on: September 18, 2002, 11:40:46 AM »

Hi, Compuart,

Every security advisor would "cut your head off" ;), if he read your reply. The account name IS the first piece of information that you must know before you can try to guess or hack the password. Every major operating system has a function to rename strategic user accounts to make it more difficult to guess the user/password combination. But answer me another question: Are there already any functions in this board to lock out an account if the password has been entered wrong too many times? I don't think so! So, wouldn't it be more secure if communication inside the board referenced the nickname instead of the login name, because it is more difficult to hack a user account when you don't know its name? If I were a programmer and not only an administrator, I would also remove the following security holes:

1) Username is referenced instead of nickname.
2) "More stats" displays subjects of "hidden" categories to every logged-in user, even if not a member of those categories.
3) Entering the wrong password leads to an error message which displays username and password in clear text. (A simple error message "User or PWD incorrect" would resolve this problem.)

If you are a YaBB developer, security should be a concern for you, don't you agree?

Any comments?

Sir_Redferne
« Last Edit: September 18, 2002, 11:42:04 AM by Sir_Redferne » Logged
Compuart
Quality, Quality, Quality!
YaBB God
*****
Posts: 1283


Re:Security Hole ???
« Reply #4 on: September 18, 2002, 12:18:01 PM »

Quote from: Sir_Redferne on September 18, 2002, 11:40:46 AM
> Every security advisor would "cut your head off" ;), if he read your reply.
Luckily security advisors have to be paid $200/hour first before they do anything at all... :P

Quote
> The account name IS the first piece of information that you must know before you can try to guess or hack the password.
Agreed, it is the first step, but that doesn't mean that there's a security hole if this login name is known.

Quote
> Every major operating system has a function to rename strategic user accounts to make it more difficult to guess the user/password combination.
YaBB is not an OS, so security is different as well. Strategic user accounts might be a feature in a Bulletin Board, but for YaBB 1 it isn't.

Quote
> But answer me another question: Are there already any functions in this board to lock out an account if the password has been entered wrong too many times?
Nope, you could write one if you think it'll make your board more secure.

Quote
> So, wouldn't it be more secure if communication inside the board referenced the nickname instead of the login name, because it is more difficult to hack a user account when you don't know its name?
It would be more secure. But that still doesn't make this board insecure. The login name originated from the original YaBB where it was used as unique identification. This still is the case for Instant Messages, because display names are not unique and therefore cannot be used as recipient (that would be even more insecure because someone could eavesdrop on IMs by taking over someone's display name).

Quote
> "More stats" displays subjects of "hidden" categories to every logged-in user, even if not a member of those categories.
This is by design.

Quote
> Entering the wrong password leads to an error message which displays username and password in clear text. (A simple error message "User or PWD incorrect" would resolve this problem.)
Yeah, I guess that would be more secure.

Quote
> If you are a YaBB developer, security should be a concern for you, don't you agree?
Security IS a big concern to me. I haven't developed YaBB SE 1, but did fix some 'real' security holes. But to implement the secret username would have a great impact on the source code and therefore only increase the chance of (security) bugs. Besides, I'm currently working on development of YaBB SE 2 and I can assure you it will not use login names for functions other than to log in.
Logged
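
The two login fixes discussed in the posts above (a single generic error message and a lockout after repeated wrong passwords) can be sketched as follows. This is an added example, not YaBB SE code and not written by anyone in the thread; the account store, the function name `attempt_login`, the threshold and the lock duration are all assumptions made for the illustration.

```php
<?php
// Added illustration; the account store and limits are constructed for the demo.
const MAX_FAILURES    = 5;    // assumed threshold
const LOCKOUT_SECONDS = 900;  // assumed lock duration
// Hash used for unknown login names so both failure paths do comparable work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function attempt_login(array &$accounts, string $login, string $password, int $now): array
{
    // One message for every failure. It never repeats the submitted login name
    // or password and does not say whether the account exists or is locked.
    $fail = ['ok' => false, 'message' => 'User name or password incorrect.'];

    if (!isset($accounts[$login])) {
        password_verify($password, DUMMY_HASH);
        return $fail;
    }
    $acct = &$accounts[$login];
    if ($acct['locked_until'] > $now) {
        return $fail;                       // locked: the password is not even tested
    }
    if (password_verify($password, $acct['hash'])) {
        $acct['failures'] = 0;
        return ['ok' => true, 'message' => 'Logged in.'];
    }
    if (++$acct['failures'] >= MAX_FAILURES) {
        $acct['locked_until'] = $now + LOCKOUT_SECONDS;   // temporary, expires by itself
        $acct['failures'] = 0;
    }
    return $fail;
}

// Constructed sample account and clock values.
$accounts = ['mlogin' => [
    'hash' => password_hash('Correct-Horse', PASSWORD_DEFAULT),
    'failures' => 0, 'locked_until' => 0,
]];
$now = 1000;
for ($i = 0; $i < MAX_FAILURES; $i++) {     // Caps Lock left on: identical refusals
    echo attempt_login($accounts, 'mlogin', 'cORRECT-hORSE', $now)['message'], "\n";
}
// While the lock is active the correct password is refused as well ...
var_dump(attempt_login($accounts, 'mlogin', 'Correct-Horse', $now + 1)['ok']);
// ... and is accepted again once LOCKOUT_SECONDS have passed.
var_dump(attempt_login($accounts, 'mlogin', 'Correct-Horse', $now + LOCKOUT_SECONDS + 1)['ok']);
```

Because login names are visible to other members on this board, a per-account lock can be triggered by anyone who knows the name, which is why the lock in this sketch is temporary rather than permanent.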

Micalus
Noobie
*
Posts: 4


huhu absolutistisch korreckt !

Re:Security Hole ???
« Reply #5 on: September 18, 2002, 12:32:54 PM »

As far as I know, the nicknames ARE unique!

We tested using one twice; the system denied that!
Logged
Compuart
Quality, Quality, Quality!
YaBB God
*****
Posts: 1283


Re:Security Hole ???
« Reply #6 on: September 18, 2002, 12:39:02 PM »

Quote from: Micalus on September 18, 2002, 12:32:54 PM
> As far as I know, the nicknames ARE unique!
>
> We tested using one twice; the system denied that!
That's because a test was added in 1.4.1 to assure no one can set his/her display name to a user/display name already existing. The fact that no new non-unique usernames can be added doesn't assure some 'old' duplicate user/display names still exist.
Logged

Jedi~
Eric
Beta Tester
YaBB God
*****
Posts: 1284


Re:Security Hole ???
« Reply #7 on: September 18, 2002, 09:18:01 PM »

Quote from: Compuart on September 18, 2002, 12:18:01 PM
> Quote from: Sir_Redferne on September 18, 2002, 11:40:46 AM
> > "More stats" displays subjects of "hidden" categories to every logged-in user, even if not a member of those categories.
> This is by design.
Actually it doesn't show them, you should know that Compuart ::)
Logged
Spaceman-Spiff
Mod Team
YaBB God
*****
Posts: 3689


My $txt[228]

Re:Security Hole ???
« Reply #8 on: September 18, 2002, 09:21:24 PM »

Quote from: Jedi~ on September 18, 2002, 09:18:01 PM
> Quote from: Compuart on September 18, 2002, 12:18:01 PM
> > Quote from: Sir_Redferne on September 18, 2002, 11:40:46 AM
> > > "More stats" displays subjects of "hidden" categories to every logged-in user, even if not a member of those categories.
> > This is by design.
> Actually it doesn't show them, you should know that Compuart ::)
Yes it does ;)
Logged

   My mods, ysePak, codes, tutorials
    Support question IMs = bad.
Compuart
Quality, Quality, Quality!
YaBB God
*****
Posts: 1283


Re:Security Hole ???
« Reply #9 on: September 18, 2002, 09:32:08 PM »

It does show the topics, but doesn't show the contents of the topic. That's why it isn't considered a security hole, but a design choice (not mine btw :P)
Logged

Jedi~
Eric
Beta Tester
YaBB God
*****
Posts: 1284


Re:Security Hole ???
« Reply #10 on: September 18, 2002, 09:51:00 PM »

Actually I just checked it, I was logged in as a brand new member, couldn't see the subjects listed for anything, it might be new in 1.4.1, but it's all in the query, it will only select stuff you have access to to show.
Logged
Ben_S
Disciple of Joe
Support Team
YaBB God
*****
Posts: 1586


I Love YaBB SE!

Re:Security Hole ???
« Reply #11 on: September 18, 2002, 09:52:39 PM »

If you were to use the display name for sending instant messages and someone who you are about to send an IM to changes their display name, and someone else changes their display name to the display name that the person you were going to send the IM to had, then the IM would go to the wrong person.

The way things are now is fine...
Logged
Compuart
Quality, Quality, Quality!
YaBB God
*****
Posts: 1283


Re:Security Hole ???
« Reply #12 on: September 18, 2002, 10:03:48 PM »

Quote from: Jedi~ on September 18, 2002, 09:51:00 PM
> Actually I just checked it, I was logged in as a brand new member, couldn't see the subjects listed for anything, it might be new in 1.4.1, but it's all in the query, it will only select stuff you have access to to show.
You'd have to check the topic replies top 10 in 'more stats'. Here's some 1.4.1 source taken out of this page:
$topic_reply_result = mysql_query("SELECT {$db_prefix}topics.*,m.* FROM {$db_prefix}topics,{$db_prefix}messages as m, {$db_prefix}messages as mes WHERE (m.ID_MSG={$db_prefix}topics.ID_FIRST_MSG && mes.ID_MSG={$db_prefix}topics.ID_LAST_MSG) ORDER BY {$db_prefix}topics.numReplies DESC LIMIT 10");
There's nothing about permissions in here (that would at least require a call to the members table). So topics DO show.
Logged
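
The point made in the post above, that a "top 10" query with no reference to the viewer returns topics from restricted categories, is shown here next to a version that joins in the viewer's permissions. This is an added example, not YaBB SE source: the table layout, the `requiredGroup` column, the function names and the sample rows are a simplified, constructed schema, and it runs on an in-memory SQLite database through PDO.

```php
<?php
// Added illustration with a constructed, simplified schema (not YaBB SE's tables).
// categories.requiredGroup is an assumed column: NULL means the category is public.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("
  CREATE TABLE categories (ID_CAT INTEGER PRIMARY KEY, requiredGroup TEXT);
  CREATE TABLE boards     (ID_BOARD INTEGER PRIMARY KEY, ID_CAT INTEGER);
  CREATE TABLE topics     (ID_TOPIC INTEGER PRIMARY KEY, ID_BOARD INTEGER,
                           ID_FIRST_MSG INTEGER, numReplies INTEGER);
  CREATE TABLE messages   (ID_MSG INTEGER PRIMARY KEY, subject TEXT);
  CREATE TABLE members    (ID_MEMBER INTEGER PRIMARY KEY, memberGroup TEXT);
  INSERT INTO categories VALUES (1, NULL), (2, 'Staff');
  INSERT INTO boards     VALUES (10, 1), (20, 2);
  INSERT INTO messages   VALUES (100, 'Welcome thread'), (200, 'Staff-only planning');
  INSERT INTO topics     VALUES (1, 10, 100, 3), (2, 20, 200, 42);
  INSERT INTO members    VALUES (7, 'Member'), (8, 'Staff');
");

// Same shape as the quoted query: ranks topics without asking who is viewing.
function top_topics_unfiltered(PDO $db): array
{
    return $db->query("SELECT m.subject FROM topics t
                       JOIN messages m ON m.ID_MSG = t.ID_FIRST_MSG
                       ORDER BY t.numReplies DESC LIMIT 10")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Same ranking, restricted to categories the viewing member may read.
// An unknown member id matches no members row, so the result is empty.
function top_topics_for(PDO $db, int $memberId): array
{
    $st = $db->prepare("SELECT m.subject FROM topics t
                        JOIN messages m   ON m.ID_MSG   = t.ID_FIRST_MSG
                        JOIN boards b     ON b.ID_BOARD = t.ID_BOARD
                        JOIN categories c ON c.ID_CAT   = b.ID_CAT
                        JOIN members u    ON u.ID_MEMBER = :member
                        WHERE c.requiredGroup IS NULL
                           OR c.requiredGroup = u.memberGroup
                        ORDER BY t.numReplies DESC LIMIT 10");
    $st->execute([':member' => $memberId]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

print_r(top_topics_unfiltered($db));  // includes the staff topic for any caller
print_r(top_topics_for($db, 7));      // ordinary member: public category only
print_r(top_topics_for($db, 8));      // staff member: both categories
```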

David
Destroyer Dave
Global Moderator
YaBB God
*****
Posts: 5761


I'm not a llama!

Re:Security Hole ???
« Reply #13 on: September 19, 2002, 03:53:25 AM »

Quote from: Sir_Redferne on September 18, 2002, 11:40:46 AM
> The account name IS the first piece of information that you must know before you can try to guess or hack the password. Every major operating system has a function to rename strategic user accounts to make it more difficult to guess the user/password combination.
On Windows this account has the username of administrator. By default it ships with no password on that account. Bet you can't guess the username for *nix, it is root. ;)
Logged

A.M.A.
YaBB God
*****
Posts: 685


.:: :-) ::.

Re:Security Hole ???
« Reply #14 on: September 19, 2002, 04:29:18 AM »

And can anyone tell me why the password to YaBBSE's database is not encrypted in the Settings.php!!!
Logged
