Backdoor Admin


Guest America's Reject

Posted

I say a big NO to this, as there are too many security risks associated with it. If your forum was hacked or you lost admin status, you could go into MySQL and change the member group of an account to admin and log in as them.

Posted

I see your point there, but if it is a standard feature they WILL know about it.

I don't see any advantages of this over having the root admin account(s), and I would not want it.

Keith

Posted

It's somewhat pointless. If you get hacked, you could just as easily use MySQL to upgrade another user account and use that to log in and 'take back over'.

Posted

You do not need to be completely literate in SQL, as it's very easy to find even for someone who is new to SQL and IPB. If someone was to purchase this board and install it, then get hacked and be unaware how to get the forum access back, all they would need to do is nip onto this support forum and ask. Many people are willing to help. This without a doubt opens up security issues other than the ones that the majority of people first think about.
Steve

Posted

Say you get hacked. And they find no traces of a back door admin,
Then you can log in and take it back over.

Never been hacked before myself, why should it happen in the future? As long as you follow IPS's recommendations on Board Security and check your CHMOD settings are all OK, you can't go wrong. Also having a strong Admin password would be a good thing, like me (upper/lowercase letters and numbers). If your board has been hacked, then you or one of your Admins has been careless and that's where the problem lies. Such a feature shouldn't be needed.

Posted

I think a backdoor admin would be great. Could be enabled or disabled and other settings found fit.
It would not have a member No. Would not appear anywhere. Only root admins would have access to the config.

I think this idea will serve your purpose:

backdoor.php
<?php
$back['pass']      = 'MD5_HASH_OF_PASSWORD';   // md5 hash of the recovery password
$back['challenge'] = "question to ask";
$back['response']  = 'MD5_HASH_OF_RESPONSE';   // md5 hash of the expected answer

In order to change/delete it, the password would have to be put in, thus preventing a hacker from just disabling it. Being a file, a hacker couldn't use SQL to delete it.

When using it, userID would be blank, password would be the 'pass', then it would take you to the challenge/response part, and once completing that, would let you add/edit an account to give root admin access to. (Edit so you can change a password on an account if it was stolen).

:)

If you want to take it an extra step, have the filename be backdoor_(md5 hash of password).php
Then when the file is created, the only way to edit it is to use the right password. Then only allow 1 backdoor_*.php file so that a hacker can't create one of their own.
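The password-then-challenge/response check proposed above, as an added example that is not code from the original post or from IPB. It keeps the post's md5 layout beside a hardened variant that stores the recovery credentials with a per-file salt and a slow PBKDF2 hash (unsalted md5 is fast and deterministic, so two files built from the same password carry identical digests), compares digests in constant time, logs every use of the recovery path so it is visible in review, and enforces the "only one backdoor_*.php" rule from the last paragraph. The function names, hash parameters and sample credentials are this example's own assumptions.

```python
"""Added example (not IPB code, not from the original post): the password +
challenge/response recovery check proposed in the thread, with the md5 layout
from the post beside a salted, slow-hash variant.  Function names, hash
parameters and sample values are this example's own assumptions."""
import hashlib
import hmac
import os

# ---- layout from the post: bare md5 digests, no salt -----------------------
def make_md5_file(password, challenge, response):
    """Digests as the proposal stores them.  Unsalted md5 is fast and
    deterministic, so identical passwords always give identical digests."""
    return {
        "pass": hashlib.md5(password.encode()).hexdigest(),
        "challenge": challenge,
        "response": hashlib.md5(response.encode()).hexdigest(),
    }

# ---- hardened layout: per-file salt, slow KDF, same two-step flow ----------
PBKDF2_ROUNDS = 100_000  # assumed value; tune to the host

def _kdf(secret, salt):
    """Salted PBKDF2-HMAC-SHA256, hex-encoded so it can live in a config file."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS).hex()

def make_recovery_file(password, challenge, response):
    """Same three fields as the proposal plus a random salt per file."""
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "pass": _kdf(password, salt),
        "challenge": challenge,
        "response": _kdf(response, salt),
    }

audit_log = []  # stand-in for the board's admin log

def check_recovery(cfg, password, answer):
    """Step 1: the recovery password.  Step 2: the challenge answer.
    Both comparisons are constant-time; every attempt is logged so any use
    of the recovery path shows up in the admin log."""
    salt = bytes.fromhex(cfg["salt"])
    if not hmac.compare_digest(_kdf(password, salt), cfg["pass"]):
        audit_log.append("recovery: password rejected")
        return False
    if not hmac.compare_digest(_kdf(answer, salt), cfg["response"]):
        audit_log.append("recovery: challenge failed")
        return False
    audit_log.append("recovery: granted")
    return True

def single_recovery_file(entries):
    """Enforce the post's 'only one backdoor_*.php' rule on a directory
    listing: return the one matching name, or None (and log) otherwise."""
    matches = [n for n in entries if n.startswith("backdoor_") and n.endswith(".php")]
    if len(matches) != 1:
        audit_log.append("recovery: expected 1 backdoor file, found %d" % len(matches))
        return None
    return matches[0]

if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    cfg = make_recovery_file("sample-recovery-pass", "Name of first pet?", "Rex")
    print(check_recovery(cfg, "sample-recovery-pass", "Rex"))   # True
    print(check_recovery(cfg, "sample-recovery-pass", "Fido"))  # False
    print(single_recovery_file(["index.php", "backdoor_abc.php"]))
    print(audit_log)
```

The audit log is the part the thread's critics would care about most: a recovery path that leaves no trace is exactly what makes it hard to tell legitimate recovery from misuse, so every attempt, successful or not, is recorded.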
