Asha
Starting Member
39 Posts
Posted - 05 May 2003 : 01:25:04
Hi, I just installed Snitz 2000 and am happy to say that the forums seem to be displaying nicely. I haven't tried anything else.
I noticed that by default the Snitz admin writes a post into the newly created test forum. When this is done by the Snitz setup code, the Snitz setup code really should not post using the name of the administrator. This exposes the name of an admin to the world, which is half of what's needed to get full admin privileges (the other half being the admin's password). A well-known security precaution in the security world is to attempt to hide the names of users of a system, especially admins, so it'd be nice if Snitz did this too when installation happens.
Andrew
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 05 May 2003 : 01:42:17
The Admin's name is displayed in the Member's list and on every post that the person makes as well. I see no reason at all to hide this. It is definitely not a bug.
Asha
Starting Member
39 Posts
Posted - 05 May 2003 : 01:53:31
Could there be different admins, with varying privileges? It is okay to post the admin's name when the admin makes a post, of course, but posting the name of the uber-admin (which might never post anything) seems more dangerous than necessary.
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 05 May 2003 : 02:09:36
I agree with Richard, definitely not a bug.
If you want to see who the "uber-admin" is of most Snitz forums, just look at the profile for memberID=1
Kiwihosting.Net - The Forum Hosting Specialists
Asha
Starting Member
39 Posts
Posted - 05 May 2003 : 02:39:26
That is a security hole as well, then..
Anyone with sysadmin security experience knows that exposing user names to the outside world entails a security risk. It doesn't seem necessary to expose the Snitz uber-admin's name.
Anyway, I've reported the vulnerability. Sometimes feedback like this from "outsiders" is quite valuable. If the Snitz developers choose not to address this particular vulnerability, that's their prerogative, although that'd disappoint me a bit, and make me wonder about the level of security of Snitz in general. It wouldn't be a big deal though. Mostly I figured I'd contribute by reporting opportunities for improvement that I saw while installing and using Snitz.
(Lest anyone conclude from this that I don't like Snitz, don't! I really like it so far.)
Andrew
Nikkol
Forum Moderator
USA
6907 Posts
Posted - 05 May 2003 : 03:01:39
Seeing as Snitz uses encryption for its passwords, I really don't think it is much of a vulnerability. Also, that first post can be deleted. In addition, there are ways of "hiding" the fact that a member is the super admin... changing the title, making star colors the same, creating a new member and making that one the super admin. There are plenty of protection measures if security is a concern of yours.
Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~
Asha
Starting Member
39 Posts
Posted - 05 May 2003 : 07:06:52
Windows encrypts user passwords too, but exposing user names is considered bad with Windows. In general one does not want to expose user names of a system even when the passwords are encrypted. This is standard sysadmin doctrine.
One of the Snitz forums mentioned that hackers are becoming increasingly interested in Snitz because of its popularity. If the Snitz developers are serious about security, the code should run 'secure by default', not 'insecure by default, secure by tweaking'. The latter is the approach that Microsoft has historically taken, and people hate it. The former appears to be what Microsoft has recognized as desirable and is trying to migrate to.
Nikkol
Forum Moderator
USA
6907 Posts
Posted - 05 May 2003 : 07:13:14
quote: Originally posted by Asha
exposing user names is considered bad with Windows.
Then it is curious that after you log off of a Windows domain it is the default to show the username of the last logged-on person.
Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~
Asha
Starting Member
39 Posts
Posted - 05 May 2003 : 07:28:57
It's considered bad by the guys that administer Windows, not necessarily by Microsoft when it was writing previous versions of Windows. Also, no OS is perfect, including Windows, so what you mention may be a flaw.
GauravBhabu
Advanced Member
4288 Posts
Posted - 05 May 2003 : 08:07:49
With password encryption the current version of Snitz is much more secure than previous versions. However, I would also like to see the addition of a feature which will allow the users to have a login name (known to the user only) different from the username (seen by all).
Nikkol
Forum Moderator
USA
6907 Posts
Posted - 05 May 2003 : 08:33:24
Certainly having that option (especially if user chosen) would be good. Sometimes, though, I think that we as administrators/programmers do not think about the user when considering such things. Most of the users I know would hate to have to keep up with a login name versus a screen name. It would just be too confusing for them.
Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~
Cliff
Average Member
United States
501 Posts
Posted - 05 May 2003 : 08:45:13
I'd like to comment also, although I am not a programmer, sysadmin or other data guru. I agree that it would be wise to have the forum set up with the username not being the log-in name. If not, what do I need to guess, just one password? I suspect there are many people out there that could write a program (I'm sure many exist already) that would continue to guess at the password until it has been beaten. All you need to do is pick a user that has admin access; Snitz even fully gives up the info that member 1 is the super admin for that forum (http://forum.snitz.com/forum/pop_profile.asp?mode=display&id=1). Would it not be better to have a log-in name and password that are both encrypted and available to no one? What are the odds of beating a system that has essentially two passwords?
https://squarewheelscycling.com/
https://www.pathlabtalk.com/
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 05 May 2003 : 08:50:36
quote: Then it is curious then that after you log off of a Windows domain is it default to show the username of the last logged on person
That can be disabled by a simple policy change and iirc is now the default in 2003.
Thing is, this isn't an operating system; there's not that much damage that can be done by having the username. There's a strong chance your forum web host is more easily brought down via a DDoS than your Snitz forum is :(.
Revealing logon names even with Windows isn't a big issue. Whilst it is best practise not to have it revealed, it's not something that an auditor would normally rate as any higher than a "moderate" risk, that is, on a scale of 1-5 it's a 3. You still need another part of the puzzle to be able to log on, and there are much more at-risk things you need to worry about if you're the sysadmin of a Windows machine (there are a huge number of open machines on the Net I can connect to and give you their complete user listing by using 2 or 3 simple DOS commands).
A good solution is what GauravBhabu suggests, where the display name is entirely different from the logon name. However, this is something that, as Nikkol points out, is perhaps cumbersome to the users to an extent where I wonder how many people would actually use it.
Kiwihosting.Net - The Forum Hosting Specialists
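The exchange above turns on two separate points: Cliff's "program that keeps guessing" against a login name read off member #1's profile, and GauravBhabu's proposal of a private login name distinct from the public display name. The following is an added illustration written for this page, not Snitz's own ASP code; the member store, the display and login names, the passwords, the word list and the PBKDF2 hashing are all invented for the example. It models three cases: a public login name with unlimited guesses, the same exposure with an account lockout, and a private login name that the attacker never learns.

```python
"""Added illustration (not Snitz code): what exposing a login name buys an
online attacker, and how a lockout or a private login name changes that.
All names, passwords and the hashing scheme are constructed for this demo."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 10_000  # kept low so the demo runs quickly; use far more in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. This is the "encryption" the thread relies on:
    it protects the stored credential if the member table leaks, but it does
    nothing to slow an attacker who submits guesses to the live login form."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class MemberTable:
    """Toy member store. Records are keyed by login name; the display name is
    what profile pages show. lockout=None means unlimited online guesses."""

    def __init__(self, lockout=None):
        self._by_login = {}
        self.lockout = lockout

    def add(self, display_name, login_name, password):
        salt = os.urandom(16)
        self._by_login[login_name] = {
            "display": display_name,
            "salt": salt,
            "hash": hash_password(password, salt),
            "failures": 0,
        }

    def public_profile(self, member_id):
        """What a profile page exposes: the display name of member N (1-based)."""
        return list(self._by_login.values())[member_id - 1]["display"]

    def login(self, login_name, password):
        rec = self._by_login.get(login_name)
        if rec is None:
            # A production handler returns the same generic error as for a wrong
            # password, so the form itself does not confirm which names exist.
            return "no such account"
        if self.lockout is not None and rec["failures"] >= self.lockout:
            return "locked"
        if hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "bad password"


def guess_against(table, login_name, wordlist):
    """Online dictionary attack on one account. Returns (outcome, requests sent)."""
    for n, pw in enumerate(wordlist, start=1):
        outcome = table.login(login_name, pw)
        if outcome != "bad password":
            return outcome, n
    return "exhausted", len(wordlist)


# Constructed word list; the targets' passwords are deliberately weak.
WORDLIST = ["password", "letmein", "forum2003", "snitz", "admin123", "qwerty", "123456"]


def run_scenarios():
    results = {}

    # 1. Login name == display name, no lockout: member #1's profile hands the
    #    attacker the login name and a weak password falls in a few requests.
    t = MemberTable(lockout=None)
    t.add("Admin", "Admin", "forum2003")
    results["public_login_no_lockout"] = guess_against(t, t.public_profile(1), WORDLIST)

    # 2. Same exposure, but the account locks after 5 failures: the sixth
    #    request is refused even though the password is in the list.
    t = MemberTable(lockout=5)
    t.add("Admin", "Admin", "qwerty")
    results["public_login_with_lockout"] = guess_against(t, t.public_profile(1), WORDLIST)

    # 3. Private login name distinct from the display name: the attacker only
    #    knows "Admin", and every guess misses the real account.
    t = MemberTable(lockout=None)
    t.add("Admin", "k7-board-owner", "qwerty")
    results["private_login"] = guess_against(t, t.public_profile(1), WORDLIST)
    results["owner_login"] = t.login("k7-board-owner", "qwerty")  # the owner still gets in
    return results


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name}: {res}")
```

Run it directly to see the three outcomes side by side. The point it makes concretely: hashing the stored password (what the thread calls encryption) is irrelevant to online guessing, a lockout or rate limit caps the guesses a known login name is worth, and a private login name leaves the attacker with no account to aim at in the first place.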
Asha
Starting Member
39 Posts
Posted - 05 May 2003 : 09:09:52
Maybe admins could be allowed to have a display name different than their login name, and there could be a forumwide option that specifies whether non-admins can have a display name that's different than their login name. That way the admins could have a display name different than their login name, and individual forum owners could decide whether to allow the display name / login name distinction for the general population.
(Ideally, when a new Snitz installation is performed, the display name of the uber-admin should be different than its login name, and it should not be easy to find out the uber-admin's login name.)
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 05 May 2003 : 09:52:18
I don't see this as a problem. You can say it's a security risk/flaw all you want to, that doesn't make it so.
Doug G
Support Moderator
USA
6493 Posts
Posted - 05 May 2003 : 15:27:34
This forum IS open-source. You can easily change the code to hide admin usernames if you wish. I don't see much point in doing so myself :)
====== Doug G ====== Computer history and help at www.dougscode.com