miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
The Other miniBB Support Forums / The Other /  
 

Admin id=1 Security Hole

 
Author felgall
Partaker
#1 | Posted: 25 Aug 2013 01:36 
Having the first id be the one with admin access is a major security hole in any software. Everything else in miniBB reads values from the bb_special.php file to determine which user has what access - why is the 1 hard coded throughout the script instead of being set in that file so as to make applying this essential security measure easier?

Author Paul
Lead Developer 
#2 | Posted: 26 Aug 2013 10:46 
What kind of hole do you mean? How could it be executed?
You need to give your words a proof. Else we can't consider it seriously.

In bb_specials.php there is no access set. There could be moderators assigned (optionally, because miniBB can run without moderators), and some other specific options. If you have meant that if there would be set admin privileges that way, then this will be much more security measure that the one you have mentioned.

BTW having miniBB's admin ID set that way how it works now, saved hunders of software, which is being set up by uneducated persons. Not giving them to assign the admin's right actually protects them.

Author felgall
Partaker
#3 | Posted: 26 Aug 2013 21:57 
Just knowing which id is the one with admin access means that anyone attacking the database can target their attack against that id. By using a randomly selected id for the admin the attacker has no idea of which one to attack.

One of the security measures that the top WordPress security modules enforce is to move the admin user away from id 1 to make it less obvious which one to attack.

Anyone with even the slightest knowledge of security would realise that.

Author Paul
Lead Developer 
#4 | Posted: 27 Aug 2013 13:18 
I guess, in any forum software, admin profiles are visible to public, so it's possible to get the basic info about any admin on forum, incl. admin IDs.

felgall:
One of the security measures that the top WordPress security modules enforce is to move the admin user away from id 1 to make it less obvious which one to attack.
So what? Did WordPress become kind of "standard" of web development?
Just don't mention how many other bugs and security holes WP has besides this tiny ID issue.

felgall:
Anyone with even the slightest knowledge of security would realise that.
Umm, or anyone with the middle-to-high level of paranoya?.. The highest level of security is to switch off your Internet cable and never use mobile phone or other spying device like from the Apple or Google family. Pal, if we talk about security, then you have chances to review the world you are living in, there are more serious security holes in your life then having miniBB with ID=1 assigned to admin.

Author tom322
Active Member
#5 | Posted: 27 Aug 2013 16:06 
Paul:
Just don't mention how many other bugs and security holes WP has besides this tiny ID issue.
I recently dropped WP like a hot potato because it was slow like s&&t (both with no 'addons' installed and with all these BS cache addons; I even tried the extra hosting and it was still slow). And I was tired of constant security upgrades. It cost me a full week of hard work to create new templates manually, but it was so worth it :)

Author Guest
~
#6 | Posted: 2 Sep 2013 15:52 
From the coding view, it is very comfortable to have admin privileges assigned to just one account. Then in minibb you have to compare $user_id to 1 and assign proper actions to this. In the similar way, we can compare guests ($user_id==0).

The only thing to care is to not allow to override $user_id, but minibb already does it.

So I'm not sure what the "security hole" is about?

Author Paul
Lead Developer 
#7 | Posted: 2 Sep 2013 16:39 
Guest:
So I'm not sure what the "security hole" is about?
I am Not Sure either... :)

Author felgall
Partaker
#8 | Posted: 3 Sep 2013 00:30 
It only took me about half an hour to make all the necessary changes to allow any userid or even several userids to be recognised as administrator. I don't know why the authors of this script claim that there can be only administrator and that they have to be user 1 when the changes to make it more flexible are trivial.

The member table that I already had before incorporating this script does not break database normalisation by adding an unnecessary userid field and so I had to make the corrections to miniBB to allow the administrator to be recognised via the field in the member table that identifies which members have administrator access in place of the tests specifically for user 1.

Author Paul
Lead Developer 
#9 | Posted: 3 Sep 2013 12:17 
felgall:
I don't know why the authors of this script claim that there can be only administrator and that they have to be user 1 when the changes to make it more flexible are trivial.
Because it's a concept of this software. It's a concept of being minimal:

- to have just ONE administrator on the board (more secure, more flexible, less risky)

- ONE = GOD (this is for selfish admins like me - miniBB is for selfish and people, if you didn't know it)

- keep the admin data in options file, not the database (don't ask WHY - it's also a working concept gained from practice - btw EXACTLY because keeping it in the file makes it almost no-breakable) - with just one account, it's made easy; with multiple accounts, it would become difficult and insecure and it would ruin the concept

- like mentioned by Guest above, it becomes ultra easy to compare admin thorough the script when making certain conditions in the code; comparing by user ID=1 is done also in many add-ons and could be done in new extras. It's about very simple and transparent logics.

felgall:
The member table that I already had before incorporating this script does not break database normalisation by adding an unnecessary userid field
This is great, you were having lamely build table and now you are going to teach us the BASICS? :)
Now that was miniBB guilty on your lame code! I am making shit!
"Unnecessary userid field"... ohh how many of such holy crap I've seen in my practice...
C'mon pal, stop trolling me.

Just give you this question first: if this software is not perfect and needs to be improved, and if it is not compatible with your database, then why the hell did you choose it? Drop this choice and make another one, market is full of forum toys which will bring you pleasure to have multiple admins, not assigned to a certain number one, and other crap things which could make you happy.

I don't understand people which try to rework the world around them instead of reworking themselves, sorry. May be you are too young for this, who knows.

Author Guest
~
#10 | Posted: 18 Sep 2013 14:09 
It's a bogus hole. No proof. Internet is full of bogus proofs created by non-coders or non-professionals without obvious understanding of what they just copied and pasted.

Minibb is still the best!!

The Other miniBB Support Forums / The Other /
 Admin id=1 Security Hole
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Check out the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑