Backdoor Admin

[America's Reject]

I think a backdoor admin would be great. Could be enabled or disabled and other settings found fit.

It would not have a member No. Would not appear anywhere. Only root admins would have access to the config.

[Why Two Kay]

I say a big NO to this, as there are too many security risks associated with it. If your forum was hacked or you lost admin status, you could go into MySql and change the member group of an account to admin and login as them.

[America's Reject]

wouldn't have more risks then having a regular admin account.

[tom-riddle]

I can't see the purpose of such feature.

[America's Reject]

Say you get hacked. And they find no traces of a back door admin,

THen u can log in an dtake it back over.

[krocheck]

I see your point there, but if it is a standard feature they WILL know about it.

I don't see any advantages of this over having the root admin account(s), and I would not want it.

Keith

[America's Reject]

For one they would not know the user name. They would have no idea what it is.

[Guest]

It's somewhat pointless. If you get hacked, you could just as easily use MySQL to upgrade another user account and use that to log in and 'take back over'.

[America's Reject]

I am sure there are some that are not mysql pros

I know very little.

[Steve H]

You do not need to know be completely literate in sql as it's very easy to find even for someone that is new to sql and IPB. If someone was to purchase this board and install it then get hacked and they were unaware how to get the forum access back all they would need to do is nip onto this support forum and ask. Many people are willing to help. This without a doubt opens up security issues other than the one's that the majority of people first think about.
Steve

[Reado]

Say you get hacked. And they find no traces of a back door admin,

THen u can log in an dtake it back over.

Never been hacked before myself, why should it happen in the future? As long as you follow IPS's recommendations on Board Security and check your CHMOD settings are all OK, you can't go wrong. Also having a strong Admin password would be a good thing, like me (upper/lowercase letters and numbers). If your board has been hacked, then you or one of your Admins has been careless and that's where the problem lies. Such a feature shouldn't be needed.

[Wolfie]

I think a backdoor admin would be great. Could be enabled or disabled and other settings found fit.

It would not have a member No. Would not appear anywhere. Only root admins would have access to the config.

I think this idea will serve your purpose:

backdoor.php
$back['pass'] = (md5hash of password);
$back['challenge'] = "question to ask";
$back['response'] = (md5hash of response);

In order to change/delete it, the password would have to be put in, thus preventing a hacker from just disabling it. Being a file, a hacker couldn't use SQL to delete it.

When using it, userID would be blank, password would be the 'pass', then it would take you to the challenge/response part, and once completing that, would let you add/edit an account to give root admin access to. (Edit so you can change a password on an account if it was stolen).

:)

If you want to take it an extra step, have the filename be backdoor_(md5 hash of password).php
Then when the file is created, the only way to edit it is to use the right password. Then only allow 1 backdoor_*.php file so that a hacker can't create one of their own.