Monni (Language) - Suggestion for 2.6.2 - Sep 6th, 2014 at 8:30pm
As the error "not_found" is shown to guests, I think it would be best to split it into "no_topic_found" and "no_board_found", so we wouldn't need to display paths to the files or file names to guests... This makes it harder for crackers to inject malicious files using vulnerabilities in other software installed on the same user account. The messages actually already exist in my language files...
« Last Edit: Sep 6th, 2014 at 9:45pm by Monni »
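The pattern the post is asking for, as an added illustration rather than YaBB's own code: the guest-facing message is looked up by key and carries only a whitelisted id, while the real file path goes to the server error log. The %lang strings, is_safe_id(), guest_error() and the sample path are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added illustration, not YaBB's own code: an error routine in the spirit of
# the suggested fatal_error('no_topic_found', $curnum) change. %lang,
# is_safe_id(), guest_error() and the sample values are assumptions.
use strict;
use warnings;

# Constructed stand-ins for the strings a YaBB language file would define.
my %lang = (
    not_found      => 'The requested page could not be found.',
    no_topic_found => 'Topic %s does not exist or has been removed.',
    no_board_found => 'Board %s does not exist.',
);

# Topic numbers and board names arrive as request parameters, so whitelist
# them before echoing anything back; this also keeps markup out of the page.
sub is_safe_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[A-Za-z0-9_-]{1,32}\z/;
}

# Returns the text a guest may see. The real path stays on the server side:
# STDERR from a CGI script lands in the web server's error log, where the
# administrator can still diagnose the failure without exposing the layout.
sub guest_error {
    my ( $key, $id, $server_path ) = @_;
    my $template = exists $lang{$key} ? $lang{$key} : $lang{not_found};
    my $shown    = is_safe_id($id) ? $id : '[invalid]';
    print STDERR "[$key] id=$shown path=$server_path\n" if defined $server_path;
    ( my $out = $template ) =~ s/%s/$shown/g;
    return $out;
}

# The old call disclosed "$datadir/$curnum.txt" to the guest; the new one
# shows only the id, and an id that fails the whitelist is not echoed at all.
my $datadir = '/home/example/yabb2/Messages';    # assumed location
my $curnum  = '1315302929';
print guest_error( 'no_topic_found', $curnum, "$datadir/$curnum.txt" ), "\n";
print guest_error( 'no_board_found', 'general<script>', '/x/general.txt' ), "\n";
print guest_error( 'unknown_key', $curnum ), "\n";    # falls back to not_found
```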
Dandello (Forum Administrator, YaBB Modder) - Re: Suggestion for 2.6.2, Reply #1 - Sep 6th, 2014 at 8:43pm
Good idea.
Perfection is not possible. Excellence, however, is excellent.
Monni (Language) - Re: Suggestion for 2.6.2, Reply #2 - Sep 6th, 2014 at 8:51pm
Something like this:
Code
--- C:/Users/Mika/AppData/Local/Temp/Security.pm-revBASE.svn000.tmp.pm Tue Sep 02 07:28:23 2014 +++ C:/build/yabb/trunk/cgi-bin/yabb2/Sources/Security.pm Sat Sep 06 23:50:09 2014 @@ -53,13 +53,13 @@ if ( !-e "$datadir/$curnum.txt" ) { if ( eval { require Variables::Movedthreads; 1 } ) { if ( !$moved_file{$curnum} ) { - fatal_error( 'not_found', "$datadir/$curnum.txt" ); + fatal_error( 'no_topic_found', $curnum ); } while ( exists $moved_file{$curnum} ) { $curnum = $moved_file{$curnum}; next if exists $moved_file{$curnum}; if ( !-e "$datadir/$curnum.txt" ) { - fatal_error( 'not_found', "$datadir/$curnum.txt" ); + fatal_error( 'no_topic_found', $curnum ); } } $INFO{'num'} = $INFO{'thread'} = $FORM{'threadid'} = $curnum; @@ -130,7 +130,7 @@ } fopen( BOARDFILE, "$boardsdir/$currentboard.txt" ) - or fatal_error( 'not_found', "$boardsdir/$currentboard.txt", 1 ); + or fatal_error( 'no_board_found', $currentboard, 1 ); while ( $yyThreadLine = <BOARDFILE> ) { if ( $yyThreadLine =~ m{\A$curnum\|}oxsm ) { last; } }
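Review bot: in the first hunk (@@ -53,13 +53,13 @@), both new calls fatal_error( 'no_topic_found', $curnum ) hand a caller-supplied topic id to the error page instead of a path, so whatever fatal_error interpolates into the 'no_topic_found' message must be escaped (or the message should not echo the id at all); otherwise the change trades path disclosure for reflected markup on the error page. The key also has to be added to the default English language file shipped with 2.6.2, not only to the translated ones, or forums without that translation will hit an undefined message key.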
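Review bot: in the second hunk (@@ -130,7 +130,7 @@), fopen( BOARDFILE, "$boardsdir/$currentboard.txt" ) can fail for reasons other than a missing board (permissions, an unreadable file), and after this change every such failure reads as 'no_board_found' with the only diagnostic, the path, gone from the output. Suggest keeping that detail for the administrator by writing the path and $! to the server error log at the failure point, while the guest sees only the 'no_board_found' text with $currentboard escaped; the third argument 1 is preserved unchanged, so confirm it still means what fatal_error expects for board errors.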
Dandello (Forum Administrator, YaBB Modder) - Re: Suggestion for 2.6.2, Reply #3 - Sep 6th, 2014 at 9:09pm
Made the changes and uploaded it here for testing. I have no idea why those error calls were changed since obviously we don't want to give the crackers any more information than we absolutely have to.
Monni (Language) - Re: Suggestion for 2.6.2, Reply #4 - Sep 6th, 2014 at 9:15pm
Maybe it's just me following the error logs for the forum of one of my clients too closely, but I've noticed several cracking attempts per day... So far all have failed, but they're clearly collecting valid file name and path patterns so they can find vulnerable software. I've added stub error pages in Apache so that minimal information is returned on failed requests.
Dandello (Forum Administrator, YaBB Modder) - Re: Suggestion for 2.6.2, Reply #5 - Sep 6th, 2014 at 9:26pm
Is it paranoia when they really are out to get you?
Monni (Language) - Re: Suggestion for 2.6.2, Reply #6 - Sep 6th, 2014 at 9:44pm
I'm out to get them... Just like when I write Mandarin Chinese to some of my friends who are too lazy to keep in touch with me... One sure way to get their attention...
Dandello (Forum Administrator, YaBB Modder) - Re: Suggestion for 2.6.2, Reply #7 - Sep 6th, 2014 at 10:21pm
Quote from Monni (Sep 6th, 2014 at 9:44pm): I'm out to get them...
...They ran through the briars and they ran through the brambles and they ran through the bushes where a rabbit couldn't go. They ran so fast that the hounds couldn't catch 'em... (It's from an American folk song... )
Monni (Language) - Re: Suggestion for 2.6.2, Reply #8 - Sep 7th, 2014 at 8:19am
They forget that I can understand 13 different languages... No matter what encoding they use for hidden messages, I can decrypt them... lol
Thread ID: '1315302929 Result: íå íàøëîñü ôîðìû äëÿ îòïðàâêè'
This one looks like garbage, but it's actually a Russian message, and says "Couldn't find the form to send".
Dandello (Forum Administrator, YaBB Modder) - Re: Suggestion for 2.6.2, Reply #9 - Sep 12th, 2014 at 3:46pm
Back on topic - I think Carsten's Ex-Member Mod would be a good addition to 2.6.2. I have an updated version of it but still haven't heard back from Carsten as to whether or not we have permission to update/distribute his mods. (His copyright info explicitly states that written permission is required.) I think maybe possibly this one could also be modified to save things like member vars and other ancillary member files so the member could be reinstated if necessary. The 'Optional bday' mod would be good as well - I suspect most forums don't need mandatory birthdates.
Monni (Language) - Re: Suggestion for 2.6.2, Reply #10 - Sep 12th, 2014 at 3:48pm
Quote from Dandello (Sep 12th, 2014 at 3:46pm): The 'Optional bday' mod would be good as well - I suspect most forums don't need mandatory birthdates.
I want that in 2.6.2