View Full Version : UBB Security, Deb??
01-11-1999, 04:47 PM
I have started a -Pre-Alpha- level project on this at:
I think this is more in line as to what 'win' was looking for...
Right now we can password protect at the thread level, but I'm going a step further and implementing restrictions at the Topic List level...
Win, I realize that you are not a FQuest customer, but you can watch the A/B/G thread and see if it applies to your hosting provider as well...
--FutureQuest goal: (10x+8y)/(x+y)=9.99--
--The best way to predict the future is by inventing it--
[This message has been edited by ccTech (edited 01-11-99).]
I am looking for Deb, The word is that you had an earlier post here about ubb security. I have looked for it but couldn't find it. Please repost the message
I think the post you may be referring to is on the UltimateBB's UBB rather then this one the url to that thread is http://www.scriptkeeper.com/ubb/Forum1/HTML/001539.html
The post was made by our Sys Admin, Andrew Gillespie.
After reading this particular thread, I wanted to take a moment and mention the one thing that has not been brought to light...
CGI Wrappers, or in our case Apache suEXEC mechanism...
For further information on this, please visit:
As you can see - this is Apache designed and deployed for a secure method of executing CGI scripts... Without suEXEC, *all* customers scripts execute as the Apache uid/gid (usually nobody/nobody) - forcing you to the mode 777 methadology...
In the UBB's case - this opens up the Members directory to plain view, **as well** as writing whatever you want in there... Another concern was that the passwords are all in plaintext... We have initiated a -Beta- domain lockdown project to attack this problem both at the system level, as well as the domain owners level...
Our support costs may go up, as we educate/advocate the use of suEXEC, but in the end - everyone *owns* there own files and can set mode 700 on sensative directories/files, like the Members directory...
Security is never to be taken lightly, with respect to executing CGI scripts... What prevents 'hostile.com' from writing a malicious script / executes as nobody / trashes 'acme.com' 777 files?
Just something to consider as more Hosting companies, that actually do pay attention to client security, are advocating a solution that Apache developer's themselves provide...
We do not believe in security, via obscurity... Nor do we want to create a panic with UBB users regarding this... In the end, if your Members directory is mode 777 - nothing can really stop another person/account on the same server to gain administrative rights and start monkeying around with your Bulletin Board...
Don't always assume that the majority of System Administrators are lazy, for which the installation instructions are geared for... Much effort has gone into our CGI execution policies, and we feel that it will reduce headaches in the future, by incurring the education in the beginning...
Just my 2 cents regarding the installation methods **and** all the forced chmod 777 written within the scripts as well...
My final recomendation for Ted, would be to make another set of installation docs where the Apache suEXEC mechanism is in use... I only stress this as suEXEC is designed/written/shipped with the Apache source code...
http://www.FutureQuest.net/developers.shtml -- Ready for the next level???
http://www.AOTA.net/cgi-bin/Ultimate.cgi -- FutureQuest Community Support
I think the above is what you were looking for...
Hope it helps
I've found that anybody on the same server can access your /Members directory of the UBB. Big problem. Passwords are not encrypted, so anybody could take control of your forums. How can I stop people from accessing my "/cgi-bin/members" directory through FTP? How can I forbid it?
You can chmod the members directory to 700 rather then 777 ....
That should solve it for you....
The FQuest server design does enable you this functionality. http://www.aota.net/ubb/biggrin.gif
Hope this helps
vBulletin® v3.6.8, Copyright ©2000-2013, Jelsoft Enterprises Ltd.