Listing active plugins
#21
(2010-04-07, 12:54 PM)Yumi Wrote:
(2010-04-07, 08:11 AM)ladyunicornejg Wrote: Also a few on other sites that do things like add in passwords, check IPs, etc. Primarily things that can be done without plugins and probably better so, but they do exist and you wouldn't want to point them out.
Would you mind pointing out some examples?

(2010-04-07, 12:10 PM)Pirata Nervo Wrote: MyProtection outputs a 404 error if you search for it. So it would be a nice plugin to not show on that list Tongue
It's still quite easy to tell:
$ nc forums.mybb-plugins.com 80
GET /in/plugins/myprotection.php HTTP/1.1
Host: forums.mybb-plugins.com

HTTP/1.1 404 Not Found
Transfer-Encoding: chunked
Date: Wed, 07 Apr 2010 12:50:44 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.11
Set-Cookie: mybb[lastvisit]=1270644644; path=/; domain=.forums.mybb-plugins.com
Set-Cookie: mybb[lastactive]=1270644644; path=/; domain=.forums.mybb-plugins.com
Content-Type: text/html; charset=UTF-8
Vary: User-Agent
Whereas a _real_ fake page returns:
$ nc forums.mybb-plugins.com 80
GET /fake-page.html HTTP/1.0

HTTP/1.0 404 Not Found
Date: Wed, 07 Apr 2010 12:51:59 GMT
Server: LiteSpeed
Connection: close
Vary: User-Agent
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 389

You could hide it better, though you probably can't erase the PHP header from a plugin.

Hmm, did you copy-paste that from the terminal? Because if you did, you entered in/ instead of inc/.
All my plugins are available for free at MyBB Extend and on my GitHub. MyBB-Plugins.com has been closed and none of my plugins are officially maintained or supported.
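The header comparison Yumi does by hand above, as an added example (not code from the thread, from MyBB or from MyProtection): it parses two raw 404 responses constructed from the headers quoted in the posts, reports which headers betray that PHP handled the request, and classifies a probed plugin path as present, hidden (PHP-generated 404), blocked (403) or absent. The fetch callable, the candidate plugin names and the assumption that every plugin lives under inc/plugins/ are assumptions for illustration. Note that the two requests in the thread use different HTTP versions; Transfer-Encoding versus Content-Length can differ for that reason alone, so take the baseline with the same request version as the probe.

```python
"""Tell a PHP-generated 404 from the web server's own 404.

Added example, not code from the thread or from any MyBB plugin.  A plugin
file that answers direct requests with a 404 still passes through PHP, so
the response carries headers the server's static 404 does not (here
X-Powered-By and the mybb[...] cookies).  Both sample responses below are
constructed from the headers quoted in the thread.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample: the 404 the thread shows for /inc/plugins/myprotection.php
PHP_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Date: Wed, 07 Apr 2010 12:50:44 GMT\r\n"
    "Server: LiteSpeed\r\n"
    "Connection: close\r\n"
    "X-Powered-By: PHP/5.2.11\r\n"
    "Set-Cookie: mybb[lastvisit]=1270644644; path=/; domain=.forums.mybb-plugins.com\r\n"
    "Set-Cookie: mybb[lastactive]=1270644644; path=/; domain=.forums.mybb-plugins.com\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Vary: User-Agent\r\n"
    "\r\n"
)

# Constructed sample: the server's own 404 for /fake-page.html
SERVER_404 = (
    "HTTP/1.0 404 Not Found\r\n"
    "Date: Wed, 07 Apr 2010 12:51:59 GMT\r\n"
    "Server: LiteSpeed\r\n"
    "Connection: close\r\n"
    "Vary: User-Agent\r\n"
    "Cache-Control: private, no-cache, max-age=0\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 389\r\n"
    "\r\n"
)

Headers = Dict[str, List[str]]


def parse_response(raw: str) -> Tuple[int, Headers]:
    """Split a raw HTTP response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: Headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def php_indicators(headers: Headers) -> List[str]:
    """Headers that only the PHP application, not the web server, would add."""
    hits = []
    for value in headers.get("x-powered-by", []):
        if "php" in value.lower():
            hits.append("X-Powered-By: " + value)
    for value in headers.get("set-cookie", []):
        if value.startswith("mybb["):          # MyBB's visit-tracking cookies
            hits.append("Set-Cookie: " + value.split(";", 1)[0])
    return hits


def header_diff(candidate: str, baseline: str) -> Tuple[List[str], List[str]]:
    """Header names present only in the candidate / only in the baseline 404."""
    _, cand = parse_response(candidate)
    _, base = parse_response(baseline)
    return sorted(set(cand) - set(base)), sorted(set(base) - set(cand))


def classify(candidate: str, baseline: str) -> str:
    """Interpret one probe response against the server's genuine 404."""
    status, headers = parse_response(candidate)
    if status == 403:
        return "blocked"      # directory-level deny; says nothing about the file
    if status != 404:
        return "present"      # 200, redirect, PHP error page, ...
    added, missing = header_diff(candidate, baseline)
    if php_indicators(headers) or added or missing:
        return "hidden"       # a 404 produced by the script, not by the server
    return "absent"


def find_plugins(fetch: Callable[[str], str], baseline: str,
                 names: List[str]) -> Dict[str, str]:
    """Probe each assumed plugin path; fetch(path) returns the raw response."""
    return {n: classify(fetch("/inc/plugins/%s.php" % n), baseline) for n in names}
```

In practice `fetch` would issue the request (for example with http.client) and `baseline` would be the response for a path that certainly does not exist, requested with the same HTTP version; the header diff then shows the same three added and three missing headers Yumi spotted by eye.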
#22
Oops, but your real thing still displays a PHP header.

In fact:
http://forums.mybb-plugins.com/inc/plugins/hahaha.php
http://forums.mybb-plugins.com/inc/plugi...ection.php

I think it's fairly obvious...
#23
(2010-04-07, 01:09 PM)Yumi Wrote: Oops, but your real thing still displays a PHP header.

In fact:
http://forums.mybb-plugins.com/inc/plugins/hahaha.php
http://forums.mybb-plugins.com/inc/plugi...ection.php

I think it's fairly obvious...

That made me lol.
.htaccess should fix it, right?
#24
It would probably make sense to deny the entire inc directory from being accessed via htaccess, if that's what you're going to do. But be aware of the implications of webserver config over PHP though...

I had a quick look through that plugin, but I really can't see how it really improves security. It just seems to be performing pedantic checks on who is an administrator or not, whether it matches that defined. If someone manages to get database access, it just makes it a bit more difficult for them, but doesn't actually stop them.
(also, there are really better ways to approach this than the one you've done Tongue)
#25
(2010-04-07, 01:23 PM)Yumi Wrote: It would probably make sense to deny the entire inc directory from being accessed via htaccess, if that's what you're going to do. But be aware of the implications of webserver config over PHP though...
What implications?

(2010-04-07, 01:23 PM)Yumi Wrote: I had a quick look through that plugin, but I really can't see how it really improves security. It just seems to be performing pedantic checks on who is an administrator or not, whether it matches that defined. If someone manages to get database access, it just makes it a bit more difficult for them, but doesn't actually stop them.
(also, there are really better ways to approach this than the one you've done Tongue)

Care to elaborate?
I can always deny all IP ranges except mine to the admin directory
#26
(2010-04-07, 01:28 PM)Pirata Nervo Wrote: What implications?
Not supported by all hosts, and will only work on Apache.

(2010-04-07, 01:28 PM)Pirata Nervo Wrote: Care to elaborate?
Check whether the current user is able to access the AdminCP, for example, rather than pull two queries.

(2010-04-07, 01:28 PM)Pirata Nervo Wrote: I can always deny all IP ranges except mine to the admin directory
Yes, and a webserver block is going to be far more effective than anything you can do with PHP.
Of course, that means you can't access the AdminCP from a public computer, or if you have a dynamic IP etc.
#27
(2010-04-07, 01:32 PM)Yumi Wrote:
(2010-04-07, 01:28 PM)Pirata Nervo Wrote: What implications?
Not supported by all hosts, and will only work on Apache.
Oh that would probably be something I'd use on my own websites, not something that would come with MyProtection.

(2010-04-07, 01:32 PM)Yumi Wrote:
(2010-04-07, 01:28 PM)Pirata Nervo Wrote: Care to elaborate?
Check whether the current user is able to access the AdminCP, for example, rather than pull two queries.
What if the user is able to access the AdminCP and deletes the other admin accounts and changes the password?
MyProtection tries to find these issues and if any issue is found, the board is closed immediately and cannot be opened without database access.

(2010-04-07, 01:32 PM)Yumi Wrote:
(2010-04-07, 01:28 PM)Pirata Nervo Wrote: I can always deny all IP ranges except mine to the admin directory
Yes, and a webserver block is going to be far more effective than anything you can do with PHP.
Of course, that means you can't access the AdminCP from a public computer, or if you have a dynamic IP etc.
I'd probably write my own script to edit .htaccess automatically and allow me to enter it, same for blocking after I've done all I had to do.
But this would be for my websites only so would be nearly impossible to find the path to the script.
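The "script to edit .htaccess automatically" idea in the post above, as an added example (not code from the thread or from MyProtection): it writes an allow-list for the admin directory in both the Apache 2.2 (mod_authz_host) and 2.4 (mod_authz_core) forms, validates every address so a typo or a pasted newline cannot widen the rule or smuggle in a directive, refuses an empty list (which would lock everyone out), and replaces the file atomically. As Yumi says, this only does anything on Apache or a server that honours .htaccess; the directory path and the addresses are assumptions.

```python
"""Rewrite the admin directory's .htaccess to admit only listed addresses.

Added example of the approach described in the thread, not code from
MyProtection or from MyBB.  Only effective where .htaccess is honoured
(Apache); the directives are standard mod_authz_host / mod_authz_core syntax.
"""
import ipaddress
import os
import tempfile
from typing import Iterable, List

BEGIN = "# BEGIN admin-allowlist"
END = "# END admin-allowlist"


def validate(addrs: Iterable[str]) -> List[str]:
    """Accept only well-formed IPv4/IPv6 addresses or CIDR networks.

    Hostnames, 'all', or a value carrying a newline are rejected, so bad
    input can neither widen the rule nor inject an extra directive."""
    out = []
    for a in addrs:
        net = ipaddress.ip_network(a.strip(), strict=False)   # raises ValueError
        out.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    if not out:
        raise ValueError("refusing to write an empty allowlist: it would deny everyone")
    return out


def render_allowlist(addrs: Iterable[str]) -> str:
    """Emit the 2.4 and 2.2 forms, each guarded so the other version ignores it."""
    ips = " ".join(validate(addrs))
    return "\n".join([
        BEGIN,
        "<IfModule mod_authz_core.c>",
        "    Require ip " + ips,
        "</IfModule>",
        "<IfModule !mod_authz_core.c>",
        "    Order deny,allow",
        "    Deny from all",
        "    Allow from " + ips,
        "</IfModule>",
        END,
        "",
    ])


def splice(existing: str, block: str) -> str:
    """Replace a previously written allowlist block, or append if none exists."""
    if BEGIN in existing and END in existing:
        head = existing[: existing.index(BEGIN)]
        tail = existing[existing.index(END) + len(END):].lstrip("\n")
        return head + block + tail
    sep = "" if not existing or existing.endswith("\n") else "\n"
    return existing + sep + block


def write_allowlist(htaccess_path: str, addrs: Iterable[str]) -> str:
    """Atomically rewrite the .htaccess at htaccess_path; returns the new text."""
    existing = ""
    if os.path.exists(htaccess_path):
        with open(htaccess_path, encoding="utf-8") as fh:
            existing = fh.read()
    new_text = splice(existing, render_allowlist(addrs))
    directory = os.path.dirname(htaccess_path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".htaccess.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.replace(tmp, htaccess_path)     # never leaves a half-written file behind
    return new_text


if __name__ == "__main__":
    # Assumed path and address; run from the board's document root.
    print(write_allowlist("admin/.htaccess", ["203.0.113.5"]))
```

Running it again with a new address (the dynamic-IP case from the thread) replaces the earlier block rather than stacking rules, and because the other directives in the file are left untouched, the script can be called from a tiny "let me in / lock me out" helper without hand-editing.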
#28
(2010-04-07, 12:54 PM)Yumi Wrote: Relying on this is known as obscurity, and hiding plugins, whilst it may provide some security, it's generally considered very weak.
http://en.wikipedia.org/wiki/Security_through_obscurity

Funny, I don't remember saying anything about hiding plugins.
Rather, just not advertising them.
I mean, if you leave your house door open, that's bad.
But to put a sign out the front that says "my house door is open", for example, would be considered silly, no?
#29
(2010-04-07, 12:54 PM)Yumi Wrote:
(2010-04-07, 08:11 AM)ladyunicornejg Wrote: Also a few on other sites that do things like add in passwords, check IPs, etc. Primarily things that can be done without plugins and probably better so, but they do exist and you wouldn't want to point them out.
Would you mind pointing out some examples?
Sure, sure.
Admin Password, Admin+, MyFake CP (similar, I suspect, to the fake ACP plugin available here), MyProtection (already discussed above, also available here), IP check for admin (unsure on this, really), Restrict IP

No, I don't use most of these. Yes, more than half of these are pointless if you know what you're doing. They still exist, and I still wouldn't think announcing them being used would be a great move. There are probably others as well, but that's the list of ones I know of (and can re-find) right now.

(2010-04-07, 01:53 PM)DAMINK Wrote: Funny i dont remember saying anything about hiding plugins.
Rather just not advertising them.
I mean if you leave your house door open thats bad.
But to put a sign out the front that says my house door is open for example would be considered silly no?

LOL yep.

Ultimately, you're not going to stop a real hacker from finding out if you have something installed or not. There is almost definitely going to be some trace left somewhere or it's simply not going to work... That being said, should you really announce to all the script kiddies "HEY! I'm using such-and-such! If you're going to try to hack me, you'd better plan to get around this too..."? I mean that sounds like a hybrid of lowering the effectiveness even more AND presenting a challenge to them (when they may or may not have had any interest before being challenged).
#30
(2010-04-07, 12:47 PM)DAMINK Wrote: lol lots of posts deleted here. Smile Funny how the rules vary here, isn't it?

What are you talking about? Not one post has been deleted from this thread.

Anyway, I have got the info I needed, so thank you frostschutz and Yumi Smile

/thread