Snitz Forums 2000

Security Update for Version 3.1 SR4 released
gor
Retired Admin

Netherlands
5511 Posts

Posted - 11 February 2001 : 02:30:26
Version 3.1 Service Release 4, as you can download from the site here, has some security problems concerning the setup pages.
These problems don't affect the sites using Microsoft Access as database.

This patch fixes those problems and enables better IP-monitoring.
The patch will of course be included in Service Release 5, but it is highly recommended that you apply it on your own site also in the meantime.

If you have a highly modified version of Snitz, don't want to or can't apply this patch, and are running the forum using MS SQL Server or MySQL, it is recommended that you delete the inc_create_forum_sql6.asp and inc_create_forum_sql7.asp files from your forums directory.

You can download the patch/fix here

Pierre

[title edited by reinsnitz on 02/11/2001]

HuwR
Forum Admin

United Kingdom
20580 Posts

Posted - 11 February 2001 : 08:02:58
As a side note, the security problem we uncovered will only affect some SQL server installations.

If you created your SQL tables using the Forums setup.asp, you are unlikely to be affected by the security problem.

You will only be exposed to a risk if your Snitz forum tables were created by a user other than the forum SQL user.

I will explain.
When you run setup.asp, the SQL user you are logged in as creates a set of tables; these tables are owned by that user.
The tables in the database here were not created using setup.asp, but were created by the SQL user sa, and were therefore owned by dbo.

So, the security problem enabled someone to run setup.asp here on this forum, which consequently created a brand new set of tables with the Snitz SQL user as the owner, which now meant there were two identical forums in the DB: one, full, owned by dbo and a brand new empty one owned by the Snitz user.
By default the forum therefore started using its own set of tables, which were empty.

Had the original tables been set up by the forum user, running setup.asp would have failed since the tables already existed.

Hope that clarifies the situation.

'Resistance is futile'

gor
Retired Admin

Netherlands
5511 Posts

Posted - 11 February 2001 : 08:31:08
Huw,

You are absolutely correct, but still it is highly recommended that all SQL server and/or MySQL users do the thing I mentioned in my original post.
There was more that could go wrong, which I won't explain in more detail here.

Pierre

HuwR
Forum Admin

United Kingdom
20580 Posts

Posted - 11 February 2001 : 08:33:50
I agree, just thought I would ease people's minds in case they were panicking.

'Resistance is futile'

gor
Retired Admin

Netherlands
5511 Posts

Posted - 11 February 2001 : 08:51:38
OK, panic is never good.

Well, to complete this, I'll also explain to them what you explained to me.

If you really want the forum tables to be secure, make sure you've got two database users instead of one.
The first, e.g. DBAdmin, has table-creation/modification rights on the database.
The second, e.g. DBSnitz, only has read/write/delete rights for the records in the tables and can't create tables etc. Make sure it also can't do things like drop the entire database!

You then use the first user during forum-setup time to create the tables. You can add the username and password in the setup-page (make sure you use the one in the fix-zip because that one does work).

In the strConnString in config.asp you use the DBSnitz user.
As strForumTablePrefix and strForumMemberTablePrefix you use: "DBAdmin.FORUM_" instead of just "FORUM_"

This way, if someone ever got hold of the info in your config.asp (which is very unlikely, but might be possible if you are on a shared server with other users), they will never be able to, e.g., delete all your tables with data, because the user they get hold of won't have enough access rights to the database to do that.

Note: If you want to do this using Version 3.1 SR4, make sure you use the active.asp and forum.asp pages I added to the (updated) zip file with the fix. Otherwise using DBAdmin.FORUM_ as table prefix will break those two pages.

Most ISPs won't provide you with two users to access your database, but if you are doing this using your own server, this is a recommended way of setting up the database.
It is not the difference between not-secure and secure, but between secure and even more secure.

Pierre
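The two-account layout described in this post, written out as an added example in modern T-SQL (SQL Server 2005 or later); it is not code from the thread or from Snitz. DBAdmin and DBSnitz are the account names from the post; the database name SnitzForumDb, the passwords and the FORUM_MEMBERS columns are constructed placeholders, and one table stands in for the full set that setup.asp creates.

```sql
-- Added example (not from the thread): one account that owns and creates the
-- forum tables, one that config.asp uses and can only touch rows.
-- SnitzForumDb, the passwords and the table columns are constructed placeholders.
USE master;
CREATE LOGIN DBAdmin WITH PASSWORD = '<placeholder-strong-password-1>';
CREATE LOGIN DBSnitz WITH PASSWORD = '<placeholder-strong-password-2>';
GO
USE SnitzForumDb;
GO
CREATE USER DBAdmin FOR LOGIN DBAdmin;
CREATE USER DBSnitz FOR LOGIN DBSnitz;
GO
-- The tables live in a schema owned by DBAdmin, which is why "DBAdmin.FORUM_"
-- is the value for strForumTablePrefix / strForumMemberTablePrefix.
CREATE SCHEMA DBAdmin AUTHORIZATION DBAdmin;
GO
ALTER USER DBAdmin WITH DEFAULT_SCHEMA = DBAdmin;
GRANT CREATE TABLE TO DBAdmin;   -- setup/upgrade account: may create and alter tables
-- Forum account (used in strConnString): row-level DML on that schema only,
-- no CREATE, ALTER or DROP anywhere.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::DBAdmin TO DBSnitz;
GO
-- Stand-in for setup.asp run as DBAdmin (the real setup creates many more tables).
EXECUTE AS USER = 'DBAdmin';
CREATE TABLE DBAdmin.FORUM_MEMBERS (
    MEMBER_ID INT IDENTITY(1,1) PRIMARY KEY,   -- placeholder columns
    M_NAME    NVARCHAR(75) NOT NULL
);
REVERT;
GO
-- Check the split from the forum account's point of view. Only the row-level
-- permission should come back nonzero; any other nonzero column means the
-- account that sits in config.asp can do more than the forum needs.
EXECUTE AS USER = 'DBSnitz';
SELECT HAS_PERMS_BY_NAME('DBAdmin.FORUM_MEMBERS', 'OBJECT', 'SELECT') AS can_select_rows,
       HAS_PERMS_BY_NAME('DBAdmin.FORUM_MEMBERS', 'OBJECT', 'ALTER')  AS can_alter_table,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE')       AS can_create_tables,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CONTROL')            AS can_drop_database;
REVERT;
GO
```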

brkonthru
Development Team Member

Jordan
69 Posts

Posted - 21 February 2001 : 12:51:53
I have a very good recommendation that would apply to this situation and to many others.

As part of the setup of the forum of snitz, some files should be deleted like the setup.asp and some other sensitive files that will only be used during the initial setup of the forum.

Another option is to list the sensitive files in the readme file and advise the user to rename or to delete 'em due to their sensitive nature and to the fact that they are not going to be used again.
Edited by - brkonthru on 21 February 2001 12:52:51

Reinsnitz
Snitz Forums Admin

USA
3545 Posts

Posted - 21 February 2001 : 13:22:38
brk.... forum security on those files is such that you shouldn't have to delete them... they are now safe in the latest alpha

Reinsnitz (Mike)
><)))'>
"Therefore go and make disciples of all nations,..." Matthew 28:19a

gor
Retired Admin

Netherlands
5511 Posts

Posted - 21 February 2001 : 14:52:10
Having the setup script edit / create / delete files exposes a new security risk.

First of all, it would mean that the guest account that IIS uses has those rights. Here at the site, for example, that isn't the case (for security reasons). You would need to be able to use the FileSystemObject for that, and that could also be disabled for security reasons.

But basically, if I had a setup.asp file that would delete some of the other files after setup has run, and I had a bug in that setup.asp file, I would have a bug in a file that could delete other files! So I would have to be very sure that that file is secured (just like I now have to be with the others still there).

Pierre

JBelthoff
Starting Member

USA
17 Posts

Posted - 03 March 2001 : 23:23:17
Hi,

Do I understand correctly?

If all is OK, my forum tables should be owned by the forum user, which is the User ID=XXX in the connection string?

And the Tables should "not" be owned by dbo?

JB
Edited by - JBelthoff on 03 March 2001 23:24:22

gor
Retired Admin

Netherlands
5511 Posts

Posted - 04 March 2001 : 04:50:20
Yes and No.

If you always use the dbo account to create the tables, meaning during the initial install and for each upgrade after that, you're OK. No problem with that, and a lot safer, because you don't have to grant the account you use in your config.asp CREATE TABLE rights.

Often however, when you use an SQL Server database supplied by an ISP, they only give you one user account for the SQL Server database. So you'll have no choice.

What went wrong here was that the dbo user was used to create the tables, and then the user account in the config.asp (say that was SqlUser) was used to create the tables again.
So then you have, e.g., dbo.FORUM_MEMBERS and SqlUser.FORUM_MEMBERS.

If there is only dbo.FORUM_MEMBERS then the SqlUser account uses/sees that table.
If there are dbo.FORUM_MEMBERS and SqlUser.FORUM_MEMBERS then the SqlUser account uses/sees the SqlUser.FORUM_MEMBERS table.

Either use dbo for all table creating / upgrading,
or use only the account in config.asp to do all that.

Pierre
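A check for the duplicate-owner situation this post describes, as an added example that is not taken from the thread (T-SQL, SQL Server 2008 or later). SqlUser is the account name from the post and FORUM_ the default Snitz table prefix; it assumes the tables were created with that prefix and that the queries are run by a sysadmin or db_owner who can impersonate the forum account.

```sql
-- Added example (not from the thread): list forum tables that exist under more
-- than one owner/schema, the symptom described above
-- (dbo.FORUM_MEMBERS next to SqlUser.FORUM_MEMBERS).
SELECT t.TABLE_NAME,
       COUNT(*) AS owner_count,
       STUFF((SELECT ', ' + d.TABLE_SCHEMA
              FROM INFORMATION_SCHEMA.TABLES AS d
              WHERE d.TABLE_NAME = t.TABLE_NAME AND d.TABLE_TYPE = 'BASE TABLE'
              FOR XML PATH('')), 1, 2, '') AS owners
FROM INFORMATION_SCHEMA.TABLES AS t
WHERE t.TABLE_TYPE = 'BASE TABLE'
  AND t.TABLE_NAME LIKE 'FORUM[_]%'   -- [_] keeps the underscore literal
GROUP BY t.TABLE_NAME
HAVING COUNT(*) > 1;
GO
-- Row counts per owner and table: when both copies exist, the set that the
-- forum account resolves to is the new, empty one, while the real data sits in
-- the dbo-owned set. sys.partitions.rows is approximate but good enough here.
SELECT s.name AS owner, t.name AS table_name, SUM(p.rows) AS approx_rows
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
JOIN sys.partitions AS p ON p.object_id = t.object_id AND p.index_id IN (0, 1)
WHERE t.name LIKE 'FORUM[_]%'
GROUP BY s.name, t.name
ORDER BY t.name, s.name;
GO
-- Which copy does an unqualified "FORUM_MEMBERS" (the plain "FORUM_" prefix in
-- config.asp) hit? SQL Server looks in the caller's default schema first and
-- falls back to dbo, so the answer depends on who is asking.
EXECUTE AS USER = 'SqlUser';
SELECT USER_NAME() AS asked_as,
       OBJECT_SCHEMA_NAME(OBJECT_ID('FORUM_MEMBERS')) AS resolved_owner;
REVERT;
GO
```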

zodc
Starting Member

Japan
16 Posts

Posted - 07 March 2001 : 10:08:28
I'm not sure if this is related, but...

In my forum, when I view 'All Forums' and under one of the categories, for instance,
it shows there are 3 Topics. But when I click to go view the topics, the results are 'No Topics Found'.

Could this be caused by what you are referring to here, in this thread?

Reinsnitz
Snitz Forums Admin

USA
3545 Posts

Posted - 07 March 2001 : 10:15:43
Make sure you are displaying topics older than XX days/months etc... they may be there but not displayed because they are older than your display period.

This is controlled via a dropdown in the upper right (below the main menu/login) on the forum.asp where you are looking at a list of topics in that forum.

Reinsnitz (Mike)
><)))'> Need a Mod?
"Therefore go and make disciples of all nations,..." Matthew 28:19a

zodc
Starting Member

Japan
16 Posts

Posted - 11 March 2001 : 09:16:34
HAH!

I can't believe I missed that... Thank YOU!

Snitz Forums 2000 © 2000-2021 Snitz™ Communications