phplist forums • View topic - Security Issue

Security Issue


Postby GCamp07 » 4:52am, Thu 09 Aug, 2007

Sorry, didn't know if this is the right spot, but while looking through the database I found out that you guys don't encrypt your passwords for the accounts, and that could make a site easy to hack. Below is an image showing you what I mean.

So please fix this to protect people's sites from getting hacked.

Thanks,

GCamp07

Edit: Can't post an image yet
GCamp07
phpList newbie
 
Posts: 1
Joined: 4:40am, Thu 09 Aug, 2007

Postby H2B2 » 11:56pm, Thu 09 Aug, 2007

Yes, I guess you have a point there. Encrypting admin passwords in the database would be a good idea. Encrypting user/subscriber passwords is already an option, but it would be a good idea to extend this to admin passwords, even though one might assume the database to be reasonably well protected.

More importantly, placing the config dir -and possibly the whole admin dir- beneath the root dir would substantially enhance security. This is relevant because a number of users mentioned having deleted the .htaccess files that protect these key directories and/or changing permissions, leaving them completely exposed. While most users do not make this kind of error and know how to protect key directories, it would be a good idea to reduce risks for inexperienced users.

You could file a feature request -or bug report if you prefer- on this issue in the bug tracker at www.mantis.phplist.com

EDIT I just filed a report on this issue: http://mantis.phplist.com/view.php?id=10998
H2B2
Moderator
 
Posts: 7188
Joined: 1:51am, Wed 15 Mar, 2006
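
The admin-password hashing suggested in the post above, as an added example (not phpList's code and not part of any post in this thread): a one-time migration that hashes plaintext rows with PHP's password_hash(), followed by a login check that accepts only hashes. The in-memory $admins array, its row layout and the function names are assumptions standing in for the real admin table; PHP 7 or later is assumed.

```php
<?php
// Added example. $admins stands in for the admin table; the row layout is
// hypothetical, not phpList's schema. Rows are constructed sample data.
$admins = [
    'alice' => ['password' => 'correct horse'],                            // legacy plaintext
    'bob'   => ['password' => password_hash('s3cret', PASSWORD_DEFAULT)],  // already hashed
];

// True when $stored is password_hash() output rather than a plaintext value.
function is_hashed(string $stored): bool
{
    $info = password_get_info($stored);
    return !empty($info['algo']);   // 0 or null for unrecognised strings
}

// One-time, idempotent migration: hash every row that is still plaintext.
function migrate_plaintext(array &$admins): int
{
    $changed = 0;
    foreach ($admins as $login => $row) {
        if (!is_hashed($row['password'])) {
            $admins[$login]['password'] = password_hash($row['password'], PASSWORD_DEFAULT);
            $changed++;
        }
    }
    return $changed;
}

// Login check after migration: only hashes are accepted, never a plaintext compare.
function verify_login(array &$admins, string $login, string $candidate): bool
{
    $stored = $admins[$login]['password'] ?? null;
    if ($stored === null || !is_hashed($stored)) {
        return false;   // unknown login, or a row the migration missed
    }
    if (!password_verify($candidate, $stored)) {
        return false;
    }
    // Re-hash transparently when PHP's default algorithm or cost has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $admins[$login]['password'] = password_hash($candidate, PASSWORD_DEFAULT);
    }
    return true;
}

printf("rows migrated: %d\n", migrate_plaintext($admins));
printf("second run:    %d\n", migrate_plaintext($admins));
printf("alice ok:      %s\n", var_export(verify_login($admins, 'alice', 'correct horse'), true));
printf("alice wrong:   %s\n", var_export(verify_login($admins, 'alice', 'Correct horse'), true));
```

Because the existing values are plaintext, every row can be hashed in a single pass, so no plaintext comparison has to remain in the login path afterwards.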

Re: Security Issue

Postby JohnDelay » 3:43am, Tue 10 Apr, 2012

Hi there,

first of all - thx for this great piece of software!
As I can see, you fixed the problem (https://mantis.phplist.com/view.php?id=12822) for version 2.11 ... The report of that issue is about 4 years ago. The fix is about 2 years ago. Is it really so hard to make the fix for the stable v 2.10 as well? Probably not, but of course time consuming. Hmmm ... I'd do it by myself, if I knew exactly, which of all the files are affected ...

Maybe this will be useful for someone else:
Getting the config dir beneath the root is done quickly. I'd do that by copying the config.php to a new and lower (out of http-root) directory and place a kind of dummy config.php file into the original config folder. That dummy file only needs to contain a require_once or include_once call that points to the real configuration file in the lower dir, like

// resolve the path relative to this stub file, not the calling script's working directory
require_once(dirname(__FILE__) . '/../../../new_config_dir/real_config.php'); // untested !

Cheers,
John
JohnDelay
phpLister
 
Posts: 5
Joined: 5:32pm, Tue 09 Aug, 2011

Re: Security Issue

Postby Pipo » 11:58pm, Thu 21 Feb, 2013

Pipo
phpList newbie
 
Posts: 2
Joined: 5:47pm, Wed 13 Feb, 2013

Re: Security Issue

Postby JohnDelay » 1:35am, Mon 01 Apr, 2013

Thx a lot for sharing, Pipo! :D

Regards, John
JohnDelay
phpLister
 
Posts: 5
Joined: 5:32pm, Tue 09 Aug, 2011

