ljamal
Mod Builder Group
Joined: 16 April 2003
Topic: MSSQL set up security?? Posted: 16 January 2004 at 9:43pm
In doing a forum update to a SQL version of the forum, I stumbled upon a security hole.
When you run the sql setup file on top of an installation it creates a new admin account with the widely distributed username and password. This means that if you do not delete the sql setup file, it can be run and give someone admin access to your forum. Those that have installed the username change MOD should be even more cautious as they will not notice the new admin user if the person changes the username.
My suggestion for closing the hole would be to have the setup file check to be sure the database is empty before adding the admin and guest accounts during set-up.
MadDog
Mod Builder Group
Joined: 01 January 2002
Posted: 16 January 2004 at 11:38pm
This is not a bug because the person would have to know your username and password to re-run the script.
ljamal
Mod Builder Group
Joined: 16 April 2003
Posted: 16 January 2004 at 11:49pm
True, but you run it yourself with an upgrade in order to upgrade the stored procedures, and it adds another admin, and you forget (or don't know) to delete it.
Either way it should check to avoid adding another admin; it's such an easy fix, it seems lax not to do it.
Edited by ljamal
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Posted: 17 January 2004 at 4:31am
The sql setup file should only be run once and is NOT for upgrades so this shouldn't be a problem.
It does also say in the install instructions to delete the file from the server once the database is created.
DO NOT RUN THE SETUP FILE MORE THAN ONCE ON INITIAL INSTALL.
IT IS NOT AN UPGRADE FILE!!!
Edited by -boRg-
ljamal
Mod Builder Group
Joined: 16 April 2003
Posted: 17 January 2004 at 11:48am
You can shout it from the mountain top, but that doesn't mean it won't be done. I always thought the idea behind building applications was to make them as idiot-proof as possible. A simple SQL if clause would make this a non-factor, so why all the opposition?
michael
Senior Member
Joined: 08 April 2002
Location: United States
Posted: 17 January 2004 at 10:16pm
I kind of have to agree with Jamal, even though I would not consider that a hole or bug but more of a cosmetic improvement. You know how many people do what they are not supposed to; if the setup is somewhat slow they may hit refresh on the page, and then they have two admin accounts. Agreed though, this file should be deleted immediately....
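The "if clause" ljamal proposes, together with the audit check that michael's refresh scenario and the username-change MOD call for, as an added T-SQL example that is not part of this thread or of the Web Wiz Forums setup script; the table and column names (tblAuthor, Username, Password, Group_ID) and the meaning of Group_ID = 1 as "administrator" are assumptions.

```sql
-- Added example, not the Web Wiz Forums setup script. Table and column
-- names (tblAuthor, Username, Password, Group_ID) are placeholders, and
-- Group_ID = 1 is assumed to mean "administrator". Password values are
-- whatever format the real script stores; 'changeme' is a stand-in.

-- BEFORE (the behaviour the thread describes): the default admin is
-- seeded unconditionally, so every extra run (an "upgrade", a browser
-- refresh on a slow setup, or a visit to a setup file nobody deleted)
-- adds one more admin with the publicly documented default credentials.
INSERT INTO tblAuthor (Username, Password, Group_ID)
VALUES ('Admin', 'changeme', 1);

-- AFTER: seed the default accounts only into an empty database and fail
-- loudly otherwise, so a second run is noticed instead of silently
-- creating an account.
IF NOT EXISTS (SELECT 1 FROM tblAuthor)
BEGIN
    INSERT INTO tblAuthor (Username, Password, Group_ID)
    VALUES ('Admin', 'changeme', 1);
    INSERT INTO tblAuthor (Username, Password, Group_ID)
    VALUES ('Guest', '', 2);
END
ELSE
BEGIN
    RAISERROR('Setup already ran: accounts exist. Delete the setup file; it is not an upgrade script.', 16, 1);
END;

-- AUDIT: with the username-change MOD an extra admin need not be called
-- "Admin", so review membership of the admin group rather than the name.
-- Anything here that the site owner did not create is a leftover run.
SELECT Username, Group_ID
FROM tblAuthor
WHERE Group_ID = 1
ORDER BY Username;
```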
dpyers
Senior Member
Joined: 12 May 2003
Posted: 17 January 2004 at 10:53pm
Make something idiot proof, and they'll build a better idiot. Many don't read installation instructions. You just know they're not going to read post-installation instructions.
Lead me not into temptation... I know the short cut, follow me.
ljamal
Mod Builder Group
Joined: 16 April 2003
Posted: 18 January 2004 at 9:46am
dpyers wrote:
Many don't read installation instructions. You just know they're not going to read post-installation instructions.
Exactly, so addressing issues that you can control is the best solution over ignoring them and telling people over and over to read the instructions.