Howto secure YaBB ?

[René]

Hello,

I'm going to host YaBB forums (trying) and because you cannot trust anyone I want to limit some admin settings.

I have disabled the file attachments and yabb pak. I also hide information about the database + path settings.

So I think an administrator can do no harm now except destroying his own forum. Am I correct?
Or can he do evil things on my host? Maybe with the html template?

[Joseph Fung]

Hello,

I'm going to host YaBB forums (trying) and because you cannot trust anyone I want to limit some admin settings.

I have disabled the file attachments and yabb pak. I also hide information about the database + path settings.

So I think an administrator can do no harm now except destroying his own forum. Am I correct?
Or can he do evil things on my host? Maybe with the html template?

Because he can edit the template, he'll be able to run php commands.  To make it completely secure, you'll have to disable this as well, or modify the code so that PHP code can not be executed in the php template.

[groundup]

ummm.. no need to even do this.  Boardnation will be out soon and people will have no need to use any other free host jk

[René]

Hm ok, that's going to be hard
thnx

[Joseph Fung]

Alternately, if you have FTP, Telnet and SSH disabled, you can chmod the template file to something they can't write to.

Or, if you have FTP enabled but Telnet and SSH disabled, you can set a umask that forces the file to a certain set of permissions.

[David]

There's an easier answer but I won't tell you because you all should all use BoardNation.    No, I might tell you, no I won't be an ass so I will tell you, but only if you use BoardNation.  Now I am rambling, *David smacks himself.  I bet you too will smack your self when you see the answer.  Now get ready, get set, go.  Rename your template from template.php to template.html, now it won't parse the php.
I will later be smacked with a wet slimey fish for sharing that information but  . . .
 

* David is being drug away by the powers that be at BoardNation head quarters shouting and screaming trying to break free.

[groundup]

* groundup pulls out David-beating-stick..

lol

[David]

And my english teacher told me I sucked at creative writing, sheesh!

[René]

Now get ready, get set, go.  Rename your template from template.php to template.html, now it won't parse the php.

See, that wasn't so hard, I knew you would tell me
Do you think that they can't do any harm with the template.html?

I have SSH access, is it possbile to protect the YaBB-directory so there is no way that they can access the other directories on my host?

boardnation.nl is coming!!

[Joseph Fung]

Rename your template from template.php to template.html, now it won't parse the php.

This isn't guaranteed to work.  Go ahead - try it.  There's a fair chance it will still parse it.

The reason is in our initial version, we used a method of template import that would not work properly in safemode.  In this version the above suggestion would work.  In an effort to improve safemode functionality we altered the template inclusion routine.  It will most likely execute PHP code even in the HTML file now.

[David]

IT depends on how php is set up.  Fine, it depends on how apache is set up.  On my server, apache will not parse an html file as a php file.  Other servers, to aid lazy programmers, may parse html files with php.

[David]

Do you think that they can't do any harm with the template.html?

They could still put javascript into it but I doubt they could do harm to the server with it.

[Joseph Fung]

IT depends on how php is set up.  Fine, it depends on how apache is set up.  On my server, apache will not parse an html file as a php file.  Other servers, to aid lazy programmers, may parse html files with php.

This is incorrect - it's how PHP is setup.  Take a look at the code in subs.php and you'll see what I mean.  Don't think you're safe just because you're apache setup doesn't parse html files.

[David]

Yeah, you are right.  It is being included into a php file which is being executed.  Hmm, so much for my easy solution.

* David wants groundup to put away the whipping stick

[groundup]

looks like someone *ahem* david *ahem* has some work to do