SimpleBB - Completely Re-engineered

[s-p-n]

You can make your hashes hard to figure out...... When you insert time into the DB, you should do it using the timestamp/datetime feature through MySQL. It's faster than doing it through PHP and hashing it. There's really no reason to encrypt it, that's just an extra step, it doesn't help to make anything more secure.

Hashing the passwords are VERY important. Don't assume those md5 crackers have it all figured out. All they are is a list of values with MD5 matches. If your password is on the list it's bad. That doesn't mean you don't hash the passwords. You should also be using a "throw off" tactic or two. Like a salt, or the mixture of unchanging fields to increase the password strength.

Since you're forum is open-source, it can be backwards-engineered simply by downloading the source and seeing how it's encrypted. So keep it simple, but don't be an open book.

Still, there's no reason to have time() and encrypt it.

The user is supposed to remember their password, that's how they log-in???

They don't need to be concerned with the hash version of it, though their data shouldn't appear ANYWHERE on your server unhashed. That includes any databases.

Storing the raw password in the user's data (their cookies), is fine, obviously because it's their own computer, and their browser most-likely has tons of raw passwords laying around in the "Saved Passwords" bin.

I still don't get the time() as security. Yes, it's very unlikely to figure out, but it isn't a significant piece of data needed to access the account. It makes about as much sense as entering a Zip Code to verify you own a given Visa issued to an address in that zip-code.. I just don't get it..

The user enters a user+pass, but the database gets asked if the user, id, and timestamp exist? That doesn't make sense, now there's two ways to log-in, instead of just one. You must query for user+pass in the first log-in, why in any returning visits do you do it different? That's about twice as much code when you could've used the same exact procedural code for the same thing.

Every page load, log the user in the same. If sess[user]+sess[pass] is in the DB, the user must be correct.

When a form gets submitted, change form[user],[pass] to sess[user],[pass]. When there are cookies, change cookie[user],[pass] to sess[user],[pass], and you DON'T EVEN HAVE TO CHANGE THE LOG IN PROCEDURES!!!

See, it's 3x faster.

[xSilv3rbullet]

You can make your hashes hard to figure out...... When you insert time into the DB, you should do it using the timestamp/datetime feature through MySQL. It's faster than doing it through PHP and hashing it. There's really no reason to encrypt it, that's just an extra step, it doesn't help to make anything more secure.

Hashing the passwords are VERY important. Don't assume those md5 crackers have it all figured out. All they are is a list of values with MD5 matches. If your password is on the list it's bad. That doesn't mean you don't hash the passwords. You should also be using a "throw off" tactic or two. Like a salt, or the mixture of unchanging fields to increase the password strength.

Since you're forum is open-source, it can be backwards-engineered simply by downloading the source and seeing how it's encrypted. So keep it simple, but don't be an open book.

Still, there's no reason to have time() and encrypt it.

The user is supposed to remember their password, that's how they log-in???

They don't need to be concerned with the hash version of it, though their data shouldn't appear ANYWHERE on your server unhashed. That includes any databases.

Storing the raw password in the user's data (their cookies), is fine, obviously because it's their own computer, and their browser most-likely has tons of raw passwords laying around in the "Saved Passwords" bin.

I still don't get the time() as security. Yes, it's very unlikely to figure out, but it isn't a significant piece of data needed to access the account. It makes about as much sense as entering a Zip Code to verify you own a given Visa issued to an address in that zip-code.. I just don't get it..

The user enters a user+pass, but the database gets asked if the user, id, and timestamp exist? That doesn't make sense, now there's two ways to log-in, instead of just one. You must query for user+pass in the first log-in, why in any returning visits do you do it different? That's about twice as much code when you could've used the same exact procedural code for the same thing.

Every page load, log the user in the same. If sess[user]+sess[pass] is in the DB, the user must be correct.

When a form gets submitted, change form[user],[pass] to sess[user],[pass]. When there are cookies, change cookie[user],[pass] to sess[user],[pass], and you DON'T EVEN HAVE TO CHANGE THE LOG IN PROCEDURES!!!

See, it's 3x faster.

Well, this is what I'm doing (New way; fixed the hack :)):

Code:

Login
->
Set sbbsession (md5(sha1(time()).sha1(username).sha1(password))
No more username and id stored in cookies
->
On each pageload, username and ID are assigned
$GLOBALS['id'] = getId($_COOKIE['sbbsession']); (pseudo-code)
->
Now the only way it can be hacked is if the hacker is succesfully able to get the correct SHA1 values of the login time, the username, and the password, and then MD5 it all.

I think the query on each pageload might be inefficient though...

I might go for a recode in Beta. Maybe.

Current Structure

Code:

Load Page
->Include Config
->Include Functions
->Include Settings (this is where the cookie checking and assigning occurs)
->Include Theme
->Execute htmlHeaders() in theme
->Execute index() in theme
     -> Execute body() from index()
->Done Loading

But this really isn't good.
The theme stylist still needs to know some PHP and how to use mysql_fetch_array().

Basically, to get the forums, this is what you use:

Code:

include("functions.php");

$cats = getCategories();//Returns a mysql query

while($array = mysql_fetch_array($cats)
{
}

So as you can see, the stylist still needs to know some BASIC to INTERMEDIATE PHP skills.

Also, the structure doesn't allow add-ons.

So I'm hoping for this to be the new structure some day.

Code:

Load Page
->
Include files
->
Load Add-on Classes
->
Load "ThemeLoader.php" //Maybe styling could be a custom script language
->
Use the code generated by ThemeLoader
->
Include Add-on code
->
Display
->
Done Loading

[s-p-n]

How does $GLOBALS['id'] get checked with the database?

[xSilv3rbullet]

How does $GLOBALS['id'] get checked with the database?

Database structure of sessions table:

Code:

|KEY=============
|id md5, originaltime, originaltext, ip, userid

Basically, let's say that sbbsession is set as a1b2c3d4.

Code:

SELECT * FROM `sessions` WHERE md5='".$_COOKIE['sbbsession']."';

$GLOBALS['id'] = $array['userid'];
$GLOBALS['name'] = getUserById($array['userid'], false);

That's basically what's happening on each page load.
Ineffecient, I know. :p

[s-p-n]

I mean the actual code. The log-in, the cookie set, and the user data fetch into $globals[].

Using the code you have now, what if the sbbsession is:

Code:

" OR 1;SELECT id as userid FROM users WHERE id=1--

The code you're actually using is different than the above, or that injection would surely return the user ID I was looking for.

It didn't work as expected, but your site doesn't think I'm trying to hack it, and assumes a user is logged in, I just couldn't get the userid returned correctly.

Maybe it has something to do with the fact tonyyyyy doesn't have a row in the session table, which would be cheating on your part, because if 'demo' is the only user in the table, then of course nobody else is going to get logged in.. You'd just be cheating yourself if you made it any more secure than a typical build would be. Such as, only having a single user account in the "session" table. It could be looked at as secure, but what if you have two users on the forum at the same time. I mean come on.. How common is that?

[xSilv3rbullet]

I mean the actual code. The log-in, the cookie set, and the user data fetch into $globals[].

Using the code you have now, what if the sbbsession is:

Code:

" OR 1;SELECT id as userid FROM users WHERE id=1--

The code you're actually using is different than the above, or that injection would surely return the user ID I was looking for.

It didn't work as expected, but your site doesn't think I'm trying to hack it, and assumes a user is logged in, I just couldn't get the userid returned correctly.

Maybe it has something to do with the fact tonyyyyy doesn't have a row in the session table, which would be cheating on your part, because if 'demo' is the only user in the table, then of course nobody else is going to get logged in.. You'd just be cheating yourself if you made it any more secure than a typical build would be. Such as, only having a single user account in the "session" table. It could be looked at as secure, but what if you have two users on the forum at the same time. I mean come on.. How common is that?

AH.
Thank you.

I forgot all about SQL Injection. :)

The row is created when you login, and the 'active' column is set to 0 when you log out. This way, the admin can view logs of all sessions (Time logged in, time spent, IP, etc). The admin can also delete the session log, if too much memory gets used up.

So basically, the only way you're going to be able to get the row inserted would be going through the login.

[s-p-n]

Well in any case, it's becoming much better. ;) It's not the most normal forum, but it's becoming more promising anyway. I still think MD5ing everything is redundant, only the password should really be hidden from the eyes. The reasoning why it's done differently is a little better defined, but I still think it needs a little work. I can't pin-point exactly what it is yet, but something seems incomplete. Good work so far, keep moving forward adding more functions like edit/delete. As you're doing that, keep in mind Administration, and most importantly security.

You can use a simple where clause for the posts/threads:

Code:

/* Update Query.. */ WHERE `rank_id` = "'.$GLOBALS['rank_id'].'" OR `user_id` = "'.$GLOBALS['user_id'].'"

The key, is to be absolutely confident and sure that your variables cannot get redefined by a malicious user. That is the one sure key to being secure. If you can keep an array of safe, secure variables extracted directly through a confirmed database query, you can do allot of very cool things. [Nothing gets passed, 'SELECT id, rank_id FROM users WHERE user="user" AND pass="pass"', for instance.. You must also be sure they cannot be redefined later in the script]. You can use your own methods, though simpler procedures are much easier to keep track of on allot of levels.

Things that get loaded on every page must be as simple as possible, for that's the very heart of the engine, that can slow down every page. For example, using SESSION variables allows a 'first-time-only' load on many variables. Site settings, global theme properties, and even user-data can be loaded one time from the database, only on the first page-load. Could be done with a single line of code; If the sessions exist, then they don't get loaded from the database. Logically speaking,

PHP Code:

if(!isset($_SESSION['site_settings']))
{
    $site_settings = new site_load_settings();
    $site_settings->create_session('_site'); //always use a prefix for things like this
} 


If you're perfectly confident the session will be what it needs to be, this saves allot of execution time.

Can you tell me what's wrong with this script?

PHP Code:

<?php
$post_id = mysql_real_escape_string($_POST['post_id']);
$post_title = mysql_real_escape_string($_POST['post_title']);
$post_body_HTML = BBcodeToHtml($_POST['post_body']);
$post_body_BB = $_POST['post_body'];

mysql_query('UPDATE `posts` SET `title` = "'.$post_title.'",
             `body_HTML` = "'.$post_body_HTML.'",
             `body_BB` = "'.$post_body_BB.'"
             WHERE `id` = "'.$post_id.'"') or $errMsg = mysql_error();
if(strlen($errMsg)<1)
    $goodMsg = 'Post Updated!';

?>
<form method="post" action="">
<input type="hidden" name="post_id" value="3" />
<input type="text" name="post_title" value="The Original Title" />
<br />
<textarea name="post_body">[b]Original Post Body with [u]BBcode[/u][/b]
...
</textarea><br />
<input type="submit" name="edit_post" value="Update Post" />
</form>

If you can find all the security risks in there, and you take in what I said above, you should be fairly confident with security.

So, see anything wrong in the code above?

[xSilv3rbullet]

Well in any case, it's becoming much better. ;) It's not the most normal forum, but it's becoming more promising anyway. I still think MD5ing everything is redundant, only the password should really be hidden from the eyes. The reasoning why it's done differently is a little better defined, but I still think it needs a little work. I can't pin-point exactly what it is yet, but something seems incomplete. Good work so far, keep moving forward adding more functions like edit/delete. As you're doing that, keep in mind Administration, and most importantly security.

You can use a simple where clause for the posts/threads:

Code:

/* Update Query.. */ WHERE `rank_id` = "'.$GLOBALS['rank_id'].'" OR `user_id` = "'.$GLOBALS['user_id'].'"

The key, is to be absolutely confident and sure that your variables cannot get redefined by a malicious user. That is the one sure key to being secure. If you can keep an array of safe, secure variables extracted directly through a confirmed database query, you can do allot of very cool things. [Nothing gets passed, 'SELECT id, rank_id FROM users WHERE user="user" AND pass="pass"', for instance.. You must also be sure they cannot be redefined later in the script]. You can use your own methods, though simpler procedures are much easier to keep track of on allot of levels.

Things that get loaded on every page must be as simple as possible, for that's the very heart of the engine, that can slow down every page. For example, using SESSION variables allows a 'first-time-only' load on many variables. Site settings, global theme properties, and even user-data can be loaded one time from the database, only on the first page-load. Could be done with a single line of code; If the sessions exist, then they don't get loaded from the database. Logically speaking,

PHP Code:

if(!isset($_SESSION['site_settings']))
{
    $site_settings = new site_load_settings();
    $site_settings->create_session('_site'); //always use a prefix for things like this
} 


If you're perfectly confident the session will be what it needs to be, this saves allot of execution time.

Can you tell me what's wrong with this script?

PHP Code:

<?php
$post_id = mysql_real_escape_string($_POST['post_id']);
$post_title = mysql_real_escape_string($_POST['post_title']);
$post_body_HTML = BBcodeToHtml($_POST['post_body']);
$post_body_BB = $_POST['post_body'];

mysql_query('UPDATE `posts` SET `title` = "'.$post_title.'",
             `body_HTML` = "'.$post_body_HTML.'",
             `body_BB` = "'.$post_body_BB.'"
             WHERE `id` = "'.$post_id.'"') or $errMsg = mysql_error();
if(strlen($errMsg)<1)
    $goodMsg = 'Post Updated!';

?>
<form method="post" action="">
<input type="hidden" name="post_id" value="3" />
<input type="text" name="post_title" value="The Original Title" />
<br />
<textarea name="post_body">[b]Original Post Body with [u]BBcode[/u][/b]
...
</textarea><br />
<input type="submit" name="edit_post" value="Update Post" />
</form>

If you can find all the security risks in there, and you take in what I said above, you should be fairly confident with security.

So, see anything wrong in the code above?

I'm going to guess that post_body isn't escaped?
O_O

[s-p-n]

There's a few more things wrong, too. $post_body_BB is the only $post_body variable you can know for sure can get cracked. The one that goes through the function depends on whether or not the function protects the DB from SQL, and mark-up from XSS injections. Since BBcode is for security reasons in the first place, it's fine to assume the function has what it needs to be secure. (In reality you'll be making it, so it's your job to make sure)

The body isn't the only issue though.

Think in the WHERE clause, there's still a few things wrong with it. [All revolving around one single concept, but 1 var is wrong, and 1 or 2 are missing.

[xSilv3rbullet]

There's a few more things wrong, too. $post_body_BB is the only $post_body variable you can know for sure can get cracked. The one that goes through the function depends on whether or not the function protects the DB from SQL, and mark-up from XSS injections. Since BBcode is for security reasons in the first place, it's fine to assume the function has what it needs to be secure. (In reality you'll be making it, so it's your job to make sure)

The body isn't the only issue though.

Think in the WHERE clause, there's still a few things wrong with it. [All revolving around one single concept, but 1 var is wrong, and 1 or 2 are missing.

I'm just going to take a guess here...

If the user can modify the ID, then they can update another post.
O_O

[s-p-n]

Right, now if there was only a way to build the system around that very problem. In the `posts` table, (using the example), there should be a column for the Author's ID. Assuming the user-name is possible to change in the future, only the User ID [which should never change] should be used.\

Now wait, so the hacker would only need to know & crack the user's ID and the post ID? That's really easy- especially if the form has the post ID, changeable and submittable, in the source code. We need a way to track the post from the form to the action. The post's ID is the smallest and most distinct, and therefore the obvious culprit, so we use that.

So what about the user's ID? Well if you use a secure global array of variables like I talked about in some of the previous posts, it seems like all the variables are in place.

WysGui CMS has a new feature, one or more users (in addition to their rank), can have the gratitude of being called "Super Admin". Now, Admins and Mods may be able to edit posts, but we'll deal with that later. The Super Admin is the ruler of the entire site, or forum in your case, so thus should be granted permission to do EVERYTHING.

So in the WHERE clause, it needs to say.....?

(Stretch to do all of your security work in the WHERE clause. It's more efficient than creating conditional statements in PHP.)

[xSilv3rbullet]

Right, now if there was only a way to build the system around that very problem. In the `posts` table, (using the example), there should be a column for the Author's ID. Assuming the user-name is possible to change in the future, only the User ID [which should never change] should be used.\

Now wait, so the hacker would only need to know & crack the user's ID and the post ID? That's really easy- especially if the form has the post ID, changeable and submittable, in the source code. We need a way to track the post from the form to the action. The post's ID is the smallest and most distinct, and therefore the obvious culprit, so we use that.

So what about the user's ID? Well if you use a secure global array of variables like I talked about in some of the previous posts, it seems like all the variables are in place.

WysGui CMS has a new feature, one or more users (in addition to their rank), can have the gratitude of being called "Super Admin". Now, Admins and Mods may be able to edit posts, but we'll deal with that later. The Super Admin is the ruler of the entire site, or forum in your case, so thus should be granted permission to do EVERYTHING.

So in the WHERE clause, it needs to say.....?

(Stretch to do all of your security work in the WHERE clause. It's more efficient than creating conditional statements in PHP.)

Wait, are you saying that the user CAN edit their ID and post id?

---------- Post added at 11:10 AM ---------- Previous post was at 11:07 AM ----------

You can use a simple where clause for the posts/threads:

Code:

/* Update Query.. */ WHERE `rank_id` = "'.$GLOBALS['rank_id'].'" OR `user_id` = "'.$GLOBALS['user_id'].'"

Just actually read the query lol.

That wouldn't work.
You see, if the user would change ranks (like becoming a mod or getting promoted to a higher rank), that wouldn't work.

Lets say user A posts thread X. Currently, user A has a rank with an id of '1'.
User A posts another thread, lets say Y.
Now, after he posts Y, he's promoted to lets say, a rank called
'XY' with an id of 2

Now, he can't edit his posts any more, since his rank isn't the same.

Oh wait, you're using OR.
But then you're relying on the user id, which you just said is bad. :O

[s-p-n]

The key is to have trusted variables defined on every page of the site. If you don't have anything secure to fall-back on, nothing can be secure.

Based on that, the key is having a secure log-in system to determine the user's correct ID. That's all fine and simple, DO NOT store it anywhere it can be changed/seen by the user.

If you can successfully determine a user's ID beforehand [As in, 100% secure, no way for a user to view/change it], then you can (and should) rely solely on that piece of data.

Why rely solely on a processed user ID? Because it leaves one space for a hacker, the user ID. (Which means less work for the programmer ;). So if one changes their user ID, they can hack the shit out of your site, true. But again, the issue isn't how bad they can hack the site if they crack the user ID, the issue is making security simple, and moving forward. Of course, the simpler security is, the easier it is to handle.

Assuming you have that down, let's move on to what I meant by the ranking system.

Notice in RageZone, things are multithreaded. As a Moderator, I have permission to moderate "Coder's Paradise", for example. My range extends in all sub-forums, threads, and posts. My user ID doesn't match yours, or anyone elses, but I can still edit yours and others posts. How is that possible?

The answer is actually rather simple. It's brought to you by "OR", obviously, but how does the post know I have permission? Even harder, how does it know other moderators do not have permission? I'm not going to get into that.. Let's assume every moderator can edit posts in those sections.

The rank_id field in the database, doesn't fall-back on the submitters rank. No no no, it's the rank inherited from the permission-base of your forum. Has absolutely no reference to the user's rank when it's added into the posts table. It should be inherited from the forum->sub-forum->thread, in reverse order; (furthest_parent->closest_parent-> post). If that's too complicated, which it sounds daunting to say the least, you can keep it simple.

Let's say the Moderator's rank ID is 3.
Now, assuming the undefined variables, 'rank_id', and 'user_id' are defined securely above, our query can look like this:

Code:

UPDATE `posts` SET '.$post_set.'
WHERE `id` = "'.mysql_real_escape_string($_POST['id']).'" /* ? = ? */
AND (
    `rank_id` = "'.$user['rank_id'].'" /* 3 = ? */
    OR `user_id` = "'.$user['id'].'" /* ? = ? */
)

The only way to update the post is if the post_id is correct, and also, the user must be the author, or a moderator. [ 3 = ? ]
*Note the importance of parenthesis in SQL clauses.

Security doesn't come easy unless you design it easy. I'm not going to "guarantee" everything's going to work just fine if you take all my advice, I'm more trying to help you make sense of the reasons things are or are not secure.

For example, the only thing stopping a hacker from cracking the query above is, well actually a few things. Each variable determined by a user can possibly open a door for a hacker. For example, I showed a few posts back a form which contained a hidden field with the post ID. Nothing stops a hacker from changing that post ID to any post in the database. However, the hacker's user ID and rank ID prevent them from updating any post except their own. So they can't get through that without a SQL injection. If you prevent those, then it's full-proof. The only way the hacker can get through is changing his user-id. MAKE THAT IMPOSSIBLE TO DO AT ANY AND ALL COSTS! Keep the cost cheap (metaphor; simple) as possible, but at any cost, keep the site safe.

If the user+pass are correct, grab the user's data: id, rank_id. Each page-load, if the user is not defined, define them securely. If they are defined, ignore. Well that only works if you use SESSIONS as the main thing, which you should.

I prefer

PHP Code:

$_SESSION['prefix_SqlColumnName'];
$_SESSION['users_rankId'];
$_SESSION['users_id'];
$_SESSION['users_user'];
$_SESSION['users_pass']; 


You don't have to use sessions, it's just more efficient and easier in the long-run.

[xSilv3rbullet]

...and we're back!

SimpleBB development has officially started...
not now,
and not now either,
nor now,
nope,
uh uh,
not here,

but here!
That's right, development is on!

[s-p-n]

Release it with a SQL import file.

Do you have a release you can throw at me?