Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Announcements
 Announcements: New Releases
 Security Update for Version 3.1 SR4 released
 New Topic  Topic Locked
 Printer Friendly
Author Previous Topic Topic Next Topic  

gor
Retired Admin

Netherlands
5511 Posts

Posted - 11 February 2001 :  02:30:26  Show Profile  Visit gor's Homepage
Version 3.1 Service Release 4 as you can download from the site here has some security problems conserning the setup pages.
These problems don't affect the sites using Microsoft Access as database.

This patch fixes those problems and enables better IP-monitoring.
The patch will ofcourse be included in Service Release 5, but it is highly recommended that you apply it on your own site also in the mean time.

If you have a highly modified version of Snitz, don't want of can apply this path and are running the forum using MS Sql Server of MySql, it is recommended that you delete the inc_create_forum_sql6.asp and inc_create_forum_sql7.asp files from you forums directory.

You can download the patch/fix here

Pierre

[title edited by reinsnitz on 02/11/2001]

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 11 February 2001 :  08:02:58  Show Profile  Visit HuwR's Homepage
As a side note, the security problem we uncovered will only affect some SQL server installations.

If you created your SQL tables using the Forums setup.asp, you are unlikely to be affected by the security problem.

You will only be exposed to a risk if your Snitz forum tables were created by a user other than the forum SQL user.

I will explain.
When you run setup.asp, the SQL user you are logged in as creates as set of tables, these tables are owned by that user.
The tables in the databse here were not created using setup.asp, but were created by the SQL user sa, and were therfore owned by dbo.

So, the security problem enabled someone to run setup.asp here on this forum, which consequently created a brand new set of tables with the snitz SQL user as the owner, which now meant there were two identical forums in the DB, one full owned by dbo and a brand new empty one owned by the Snitz user.
By default the forum therfore started using it's own set of tables which were empty.

Had the original tables been set up by the forum user, running setup.asp would have failed since the tables already existed.

Hope that clarifies the situation.

'Resistance is futile'
Go to Top of Page

gor
Retired Admin

Netherlands
5511 Posts

Posted - 11 February 2001 :  08:31:08  Show Profile  Visit gor's Homepage
Huw,

You are absolutely correct, but still it is highly recommended that all SQL server and/or MySQL users do the thing I mentioned in my original post.
There was more that could go wrong, which I won't explain in more detail here.

Pierre
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 11 February 2001 :  08:33:50  Show Profile  Visit HuwR's Homepage
I agree, just thought I would ease peoples minds incase they were panicing

'Resistance is futile'
Go to Top of Page

gor
Retired Admin

Netherlands
5511 Posts

Posted - 11 February 2001 :  08:51:38  Show Profile  Visit gor's Homepage
Ok, panic never is good

Well, to complete this, I'll also explain them what you explained me.

If you really want the forumtables to be secure, make sure you've got two database-users instead of one.
The first, i.e. DBAdmin, has table-creation/modification rights on the database
The second, i.e. DBSnitz, only has read/write/delete rights for the records in the tables and can't create tables etc. Make sure it also can't do things like drop the entire database !

You then use the first user during forum-setup time to create the tables. You can add the username and password in the setup-page (make sure you use the one in the fix-zip because that one does work).

In the strConnString in config.asp you use the DBSnitz user.
As strForumTablePrefix and strForumMemberTablePrefix you use: "DBAdmin.FORUM_" instead of just "FORUM_"

This way, if someone ever got hold of the info in you config.asp (which is very unlikely, but might be possible if you are on a shared server with other users). They never will be able to i.e. delete all your tables with data, because the user they get hold of won't have enough access right to the database to do that.

Note: If you want to do this using Version 3.1 SR4 make sure you use the active.asp and forum.asp page I added to the (updated) zipfile with the fix. Otherwise using DBAdmin.FORUM_ as tableprefix will break those two pages.

Most ISPs won't provide you with two users to access your database, but if you are doing this using your own server, this is a recommended way of setting up the database.
It is not the difference between not-secure and secure, but between secure and even more secure.

Pierre
Go to Top of Page

brkonthru
Development Team Member

Jordan
69 Posts

Posted - 21 February 2001 :  12:51:53  Show Profile  Send brkonthru an ICQ Message
I have a very good recommendation that would apply to this situation and to many others.

As part of the setup of the forum of snitz, some files should be deleted like the setup.asp and some other sensitive files that will only be used during the initial setup of the forum.

Another option is to list the sensitive files in the readme file and advise the user to rename or to delete 'em due to their sensitive nature and to the fact that they are not going to be used again.





Edited by - brkonthru on 21 February 2001 12:52:51
Go to Top of Page

Reinsnitz
Snitz Forums Admin

USA
3545 Posts

Posted - 21 February 2001 :  13:22:38  Show Profile  Visit Reinsnitz's Homepage  Send Reinsnitz an AOL message  Send Reinsnitz an ICQ Message  Send Reinsnitz a Yahoo! Message
brk.... forum security on those files is such that you shouldn't have to delete them... they are now safe in the latest alpha

Reinsnitz (Mike)
><)))'>
"Therefore go and make disciples of all nations,..." Matthew 28:19a
Go to Top of Page

gor
Retired Admin

Netherlands
5511 Posts

Posted - 21 February 2001 :  14:52:10  Show Profile  Visit gor's Homepage
Having the setup script edit / create / delete files exposes a new security risk.

First of all it would mean that the guest account that IIS uses has those right. Here at the site i.e. that isn't the case (for security reasons). You would need to be able to use the FileSystemObject for that, and that could also be disable for security reasons.

But basically if I had a setup.asp file that would delete some of the other files after setup has run and I had a bug in that setup.asp file, I would have a bug in a file that could delete other files ! So I would have to be very sure that that file is secured (just like I now have to be with the other still there).

Pierre
Go to Top of Page

JBelthoff
Starting Member

USA
17 Posts

Posted - 03 March 2001 :  23:23:17  Show Profile  Visit JBelthoff's Homepage  Send JBelthoff an AOL message  Send JBelthoff an ICQ Message
Hi,

Do I understand correctly?

If all is ok My forum Tables should be owned by the Forum User Which is the User ID=XXX in the Connection String?

And the Tables should "not" be owned by dbo?

JB



Edited by - JBelthoff on 03 March 2001 23:24:22
Go to Top of Page

gor
Retired Admin

Netherlands
5511 Posts

Posted - 04 March 2001 :  04:50:20  Show Profile  Visit gor's Homepage
Yes and No.

If you use the dbo account always to create the tables, meaning during initial install and for each upgrade after that you're ok. No problem with that and a lot safer because you don't have to grant the account you use in you config.asp CREATE TABLE rights.

Often however, when you use an SQL Server database supplied by an ISP, they only give you one user account for the SQL Server database. So you'll have no choice.

What went wrong here was that the dbo user was used to create the tables, and then the useraccount in the config.asp (say that was SqlUser ) was used to create the tables again.
So then you have i.e. dbo.FORUM_MEMBERS and SqlUser.FORUM_MEMBERS

If there is only dbo.FORUM_MEMBERS then the SqlUser account uses/sees that table.
If there are dbo.FORUM_MEMBERS and SqlUser.FORUM_MEMBERS then the SqlUser account uses/sees the SqlUser.FORUM_MEMBERS table.


Either use dbo for all tablecreating / upgrading
or use only the account in config.asp to do all that.

Pierre
Go to Top of Page

zodc
Starting Member

Japan
16 Posts

Posted - 07 March 2001 :  10:08:28  Show Profile
I'm not sure if this is related, but...

In my forum, when I view 'All Forums' and under one of the categories, for instance,
it shows there are 3 Topics. But when I click to go view the topics, the results are 'No Topics Found'.

Could this be caused but what you are refering to here, in this thread?
Go to Top of Page

Reinsnitz
Snitz Forums Admin

USA
3545 Posts

Posted - 07 March 2001 :  10:15:43  Show Profile  Visit Reinsnitz's Homepage  Send Reinsnitz an AOL message  Send Reinsnitz an ICQ Message  Send Reinsnitz a Yahoo! Message
make sure you are displaying topics older than XX days/months etc... they may be there but not displayed becaus they are older than your diplay period.

This is controled via a dropdown in the upper right (below the main menu/login) on the forum.asp where you are looking at a list of topics in that forum.

Reinsnitz (Mike)
><)))'> Need a Mod?
"Therefore go and make disciples of all nations,..." Matthew 28:19a
Go to Top of Page

zodc
Starting Member

Japan
16 Posts

Posted - 11 March 2001 :  09:16:34  Show Profile
HAH!

I can't believe I missed that... Thank YOU!
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.14 seconds. Powered By: Snitz Forums 2000 Version 3.4.07