
Security Concerns

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=26222
Printed Date: 29 March 2026 at 2:58pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Security Concerns
Posted By: ForumDummy
Subject: Security Concerns
Date Posted: 07 September 2008 at 4:23pm
I am using v8.05a. I am reluctant to upgrade as I have made so many changes to the code. But I am concerned about security. Are there any dangers by not upgrading? The forum is private and I have had no issues to date. I also keep the forum off the search engines but the main webpages are indexed. Is there anything I should do to keep things safe?



Replies:
Posted By: 123Simples
Date Posted: 07 September 2008 at 6:15pm
If you are running an older version such as 8.05, then the dangers are that the software and your forum and your site can be compromised. It's pretty old now, but it is one's choice to swap or upgrade forum software. I myself am running 9.06, but I will be upgrading to 9.51, or 9.52 if that comes out in a week or so

There are several good reasons why you should upgrade, but you will notice lots of changes, which may not sit well with your current forum


-------------
Visit 123 Simples Web Design - http://www.123simples.com/


Posted By: Scotty32
Date Posted: 07 September 2008 at 6:21pm
I'm sure Bruce will post saying how many security fixes there have been...

.. And he's right - At present you are running a forum with known security holes - so it won't take the smartest hacker to get in.

I would highly recommend upgrading - You could create a 2nd test site and apply all your changes to it, and once ready upgrade your main site with it.


-------------
S2H.co.uk - WebWiz Mods and Skins: http://www.s2h.co.uk/wwf/

For support on my mods + skins, please use my forum: http://www.s2h.co.uk/forum/


Posted By: 123Simples
Date Posted: 07 September 2008 at 6:49pm
Hiya Scotty
Your links work out fine by the way

Agree with Scotty on this fact - "so it won't take the smartest hacker to get in"

-------------
Visit 123 Simples Web Design - http://www.123simples.com/


Posted By: ForumDummy
Date Posted: 08 September 2008 at 2:32am
Originally posted by Scotty32:

I'm sure Bruce will post saying how many security fixes there have been...


Is there a way I can get a list of security fixes since 8.05a?

Originally posted by Scotty32:

At present you are running a forum with known security holes - so it won't take the smartest hacker to get in.


1) How do the hackers get in the "known security holes" if my forum is not on the search engines?  How will they find my forum to begin with?

2) What exactly is it that a hacker can do?  Get into my administration login?  Or, can they get further into my server itself?


Posted By: Scotty32
Date Posted: 08 September 2008 at 9:52am
You can find all the changes in the Version History.


1) The hackers will be able to download the version history and see what changes have been made, then attack this hole on sites that have not been upgraded. They may even find the details on security websites.

They can find your site by doing search terms such as "web wiz forum v8", I usually see "web wiz forums :inurl(uk)" or something like that.

2) There are various things a hacker could do, depending on the exploit.

They could upload malicious files, which could replace your files, read secure files, etc (there have been improvements on the security of uploading)

They could use Cross Site Scripting, I believe V9 has improved security on that.

So there are a lot of different things they could do.

It would be in your best interest to upgrade.


-------------
S2H.co.uk - WebWiz Mods and Skins: http://www.s2h.co.uk/wwf/

For support on my mods + skins, please use my forum: http://www.s2h.co.uk/forum/


Posted By: ForumDummy
Date Posted: 08 September 2008 at 10:25am
Originally posted by Scotty32:

They can find your site by doing search terms such as "web wiz forum v8", I usually see "web wiz forums :inurl(uk)" or something like that.

By search, I assume you mean via the search engines.  But my forum is not indexed on any search engines.  Can they still find it by searching?

Originally posted by Scotty32:

there are various things a hacker could do, depending on the exploit. They could upload malicious files, which could replace your files, read secure files, etc (there have been improvements on the security of uploading)

Are you talking about uploads within the forum itself, like when a user uploads a file? What if I have uploads turned off?

Originally posted by Scotty32:

They could use Cross Site Scripting

Do you mean run a script on one server that would affect the forum on my server?



Posted By: Scotty32
Date Posted: 08 September 2008 at 11:50am
Do you block search engines from indexing your site via the robots.txt file?

If so then you won't be discovered via search engines. But a hacker can still stumble on your site, as I assume it is live on the net.

If you have disabled uploads then you should be relatively safe, but a hacker could turn it on if they got access to your admin area.


For info on Cross Site Scripting (XSS) you can view it on Wikipedia here: http://en.wikipedia.org/wiki/Cross-site_scripting


-------------
S2H.co.uk - WebWiz Mods and Skins: http://www.s2h.co.uk/wwf/

For support on my mods + skins, please use my forum: http://www.s2h.co.uk/forum/


Posted By: ForumDummy
Date Posted: 08 September 2008 at 12:41pm
Thanks for the information Scotty. In answer to your question, I am using a robots.txt file.

I guess I could make it so that no one would be able to login to admin if their IP address is anything other than my own static IP. Would that solve my worries?


Posted By: ForumDummy
Date Posted: 14 September 2008 at 4:35am
As I have my own Windows server, I have made it so that my admin login screen blocks every IP in the world except my own. I have tested it and it works.


Posted By: WebWiz-Bruce
Date Posted: 15 September 2008 at 10:24am
There are a number of XSS Exploits, particularly in IE which have come to light since 8.05.

These can be launched by placing malicious code into a post.

There is also an SQL Injection vulnerability if you are using a MySQL database that affected 8.05.

If you allow image and/or file uploads, there is also a vulnerability within IE that allows IE to run malicious code hidden within image files, so version 9 scans any uploaded images for malicious code.

If you allow YouTube or Flash content then there is also a vulnerability that was fixed for this in version 9.04.

For these reasons you should upgrade to the latest release as restricting access to the admin area will not protect against these vulnerabilities.


-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
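
Added example, not part of the original thread and not Web Wiz Forums' own scanner: one way an upload handler can check image files for embedded markup of the kind the post above describes. The token list, function names and sample bytes are assumptions constructed for illustration.

```python
import re

# Leading signature bytes for the image types a forum typically accepts.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Markup tokens a content-sniffing browser could act on if it treated the
# file as HTML. Very short tags are left out so that random compressed
# image data is unlikely to match by chance.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(?:script|html|body|iframe|object|embed)|javascript\s*:|vbscript\s*:",
    re.IGNORECASE,
)

def image_type(data):
    """Return the image type whose signature the data starts with, else None."""
    for kind, signatures in MAGIC.items():
        if data.startswith(signatures):
            return kind
    return None

def check_upload(data):
    """Return (accepted, reason) for the raw bytes of an uploaded file."""
    kind = image_type(data)
    if kind is None:
        return False, "not a recognised image signature"
    hit = ACTIVE_CONTENT.search(data)  # scan the whole file, not just the header
    if hit:
        return False, f"{kind} contains markup token at byte {hit.start()}"
    return True, f"{kind} accepted"

# Constructed samples: a minimal 1x1 GIF, and a file that passes the signature
# check but carries inert placeholder HTML where image data should be.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,"
             b"\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
MARKUP_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00<html><body><script>/* placeholder */</script>"

if __name__ == "__main__":
    for name, sample in (("clean.gif", CLEAN_GIF), ("markup.gif", MARKUP_GIF)):
        print(name, check_upload(sample))
```

Pattern scanning is a heuristic; re-encoding the image on the server and serving uploads with the correct Content-Type plus `X-Content-Type-Options: nosniff` are complementary controls.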


Posted By: 123Simples
Date Posted: 15 September 2008 at 5:37pm
I cannot stress this point enough for peeps

Running out of date forum software is like running an out of date virus software - not a great idea. There is a long long list of changes over the version releases, and any hacker worth his salt, will just have to locate older forums and start injecting malicious codes. If you have a great forum then it's not wise to take the risk that it will not be compromised, so my advice would be update the software

Okay if you are running the FREE version, you may lose some former functionality, but it's a small price to pay for security. Alternatively, you could always opt to buy the software, and/or hosting packages on offer here, and get the best benefits of having a reliable web hosting company taking care of you


-------------
Visit 123 Simples Web Design - http://www.123simples.com/


