Security Issue needs fix.

[Torvald]

I've posted looking for a mod and asked for support so far nothing. This is a security issue (I'm finding you have many) There needs to be a way to assign ACP permissions by group not just user.
Also forum passwords need to be at least hidden if not encrypted on the ACP side.

[Nils]

How is this a security issue? Looks more like a feature request to me...

[bfarber]

1) It's not a security issue that you can't assign ACP permissions on a group level, but rather on a user level. It's a feature suggestion, as Nils pointed out

2) The password is never, ever accessible anywhere in IPB. Quite simply, we don't STORE an un-hashed copy of the password, so there isn't any WAY for us to display the password.

[Dlf]

Also forum passwords need to be at least hidden if not encrypted on the ACP side.

The password is never, ever accessible anywhere in IPB. Quite simply, we don't STORE an un-hashed copy of the password, so there isn't any WAY for us to display the password.

From what I get from reading Torvald's post that's quoted he's talking about the password to a forum not a user-account. Forum passwords are shown in the page to edit forum settings. I think he's suggesting that they be encrypted by some method (hash, what-ever).


Correct torvald?

[Jason H]

I concur with the analysis of what he's trying to say, but only halfway with the content. Both on the password issue.

1) I don't see why you'd allow someone access to your ACP if you didn't also give them full access to all your forums. But.. Let's say by some slight miracle you want to run your forum this way... I'd agree that maybe the password should be masked rather than displayed in plain text on the forum page.. But.. Then again.. Someone who can see it can change it. So what's the point? Although.. Masking it would likely prevent them from changing it back to what it was.

2) I don't see any reason for encrypting the password in the DB. But.. I tend to agree that if security is job 1.. It probably should be. Because if there's another SQL exploit.. Then possibly someone could read the password to that forum out of the DB.. I'd be more worried about them doing OTHER things than getting THAT password.. And anyone other that root admin can't normally see the DB anyway.

I dunno.. I don't entirely see the points. Or, rather, I can see both sides of the points, and it seems that encrypting and/or masking the passwords would fall into a 'feel good' category. It would make an admin perhaps feel more secure, but would actually do very little.

I'd second the ACP Permissions.. OR... Perhaps a better idea is to allow copying of permissions. So that you could set permissions for one user and apply them quickly to another user. Would give a bit more felxibility than assigning permissions by group. Doing it by group AND member.. Not something that could be done quickly I don't think. Simply because you have to code in to check group permissions, then user level permissions. And seems it defies the KISS principle. Maybe ACP masks would be a better way to go? But.. Then it becomes how confusing is that to Joe Average? They not only have to know about Forum Permission Masks, but ACP Permission Masks as well..

[Ryan]

I'd have to say, on the password issue, that it would really accomplish very little, and for the forgetful admin, which I often am, would not provide an easy way to lookup the password. Even if you had something where it was hidden... I second the "why"? If they're an admin they can do whatever they want with the forum.. if they see that page they can change the password to whatever they want. Forum passwords aren't the primary security method anyway, group permissions generally are, so I don't consider it worthwhile addition, personally.

[Torvald]

I'd have to say, on the password issue, that it would really accomplish very little, and for the forgetful admin, which I often am, would not provide an easy way to lookup the password. Even if you had something where it was hidden... I second the "why"? If they're an admin they can do whatever they want with the forum.. if they see that page they can change the password to whatever they want. Forum passwords aren't the primary security method anyway, group permissions generally are, so I don't consider it worthwhile addition, personally.

Correct Forum passwords should be hidden. If an admin changes it, at least we;ll know someone was doing something they shouldn't be. as it is now there is no record of improper access. We just caught 2 people giving out passwords to forums because they could see them.

As for why they could see them.. the forum defaults to full access for ACP it should default to no access for the ACP. Just because someone needs access to promote or change members status does not mean they need full access. the current method of having to remove all permissions form every admin every time someone changes position is a nightmare stay on top of and control access. You are basing your idea of what is right on your forum and how you think it should be used. That's poor planning on your part, we make full use of the forum software with multiple areas, restricted areas, public areas, restricted forums and sub forums. We have managers/moderators at several levels of trust some do member work and only need access to member setting other do forums config work and need access to forum set areas, that does not mean they need access to all the forums.

This is a security issue if you want this software to be used in a secure environment. You assume one or two people will have ACP access we have 25-30 that change often as needs change. Having a "Forum Mod" group and a "Member Mod" group and just drop usrs into the right group or ACP rights much like you have for forum rights would solve this. Having the ACP default to restricted access instead of full access would go a long ways to improving security. Worrying if a beginner will have problems is weak, at best if them can figure out member permissions then ACP groups are no problem, if they can't then they really don't need to have others in the ACP, really how posts do I see were an admin got booted off his own site? because he gave some one ACP access for a specfic reason and they abused the access, restricing them from the start and requiireing the root admin to grant greater rights would also prevent that.

Yes it's a mod request, to fix a security concern that should have been address from the beginning.

Also you need to allow for forcing members to have strong passwords, and a way of forcing members to change passwords on set schedules. and while I'm at it more detail in the log files especially the admin actions.

[Digi]

The forums default to NO ACCESS on all groups with ACP access EXCEPT the ROOT block. ROOT admins have access to everything (as the root would intend), unless you specifically restrict them. Use a second administrative group for this purpose and give the users access when/where they need it. In fact, when not using the ROOT block, users cannot even access a single page in the ACP by default (can't even log in...tested this morning on 2.3.3). You must add the user to the ACP via the manage restrictions page.

Second, this ISNT a security concern. Usability concern? That's more likely, but not a security concern. :)

[Torvald]

The forums default to NO ACCESS on all groups with ACP access EXCEPT the ROOT block. ROOT admins have access to everything (as the root would intend), unless you specifically restrict them. Use a second administrative group for this purpose and give the users access when/where they need it. In fact, when not using the ROOT block, users cannot even access a single page in the ACP by default (can't even log in...tested this morning on 2.3.3). You must add the user to the ACP via the manage restrictions page.

Second, this ISNT a security concern. Usability concern? That's more likely, but not a security concern. :)

Running 2.3.3 and everyone who gest ACP access get full access to everything unless I go in and turn it off one by one. Known bug or issue?

[Charles]

Running 2.3.3 and everyone who gest ACP access get full access to everything unless I go in and turn it off one by one. Known bug or issue?

Neither really :) That's just how it works as it's on a per user basis.

You assign someone to be an admin and unless you tell the software otherwise it assume you mean they are to be a full admin. It's like giving someone the keys to your house. You can choose to put a separate lock on your bedroom door to keep them out but you have to do that separately from the front door.

[Digi]

Ah, sorry. I skipped the "add user to restrictions" part. >_< Too used to doing that automatically :)

[Torvald]

Neither really :) That's just how it works as it's on a per user basis.

You assign someone to be an admin and unless you tell the software otherwise it assume you mean they are to be a full admin. It's like giving someone the keys to your house. You can choose to put a separate lock on your bedroom door to keep them out but you have to do that separately from the front door.

It really should default the other way. This is not my house it is my office building and I give maintenance people keys to do their jobs but I do not give them keys to every room and safe. As I said before we do not have 1 - 2 admins we have many and they change often it's the nature of the site and we need to be able to secure it better than we can now. I really don't see the argument you have permission groups for members why can you not add permission groups for admins? Hell I've even offered to pay for three times.

[bfarber]

I don't think anyone is arguing against group-based permissions at all. In fact it's a suggestion that has come up more than once and one which I personally agree would be a good idea.

I think it's just calling it a "security issue" that is throwing everyone off.

Beyond that, the majority of our users don't even use the permissions system, so having it default to no permissions and making the admin enable them individually, while technically more secure (not because of a code issue, but just to enforce secure practices) isn't something that most of our users have expressed desire for. In fact it would waste a lot of time for the users (the majority of our users actually) who don't use the permissions system at all.

[Torvald]

I don't think anyone is arguing against group-based permissions at all. In fact it's a suggestion that has come up more than once and one which I personally agree would be a good idea.

I think it's just calling it a "security issue" that is throwing everyone off.

Beyond that, the majority of our users don't even use the permissions system, so having it default to no permissions and making the admin enable them individually, while technically more secure (not because of a code issue, but just to enforce secure practices) isn't something that most of our users have expressed desire for. In fact it would waste a lot of time for the users (the majority of our users actually) who don't use the permissions system at all.

Would it really waste a "lot" of time since most peole seem to have 1 -2 stable admins having to check 20+ boxes once for one or maybe two people really more of a time waste than having to uncheck 5-6 boxes? :)

[atomicknight]

Eh, most "secure practices" are things that people don't express interest in right off the bat, but if everyone remained lazy, then we'd never get anywhere.

I'd suggest a compromise in starting out with no permissions as default, but adding some sort of "allow everything" button for administrators who can't be bothered to look through every option and enable them on a case-by-case basis. At least then the option is made painfully visible so people are at least aware of what's going on.

[Digi]

+1 on that idea. :)

The buttons to press go up the more components you have too!

[David_B]

2

[Torvald]

it's a start so I'll giver the +3

Would really like to see groups though...

[Torvald]

So only 3 people are interested in improved security? Seriously what can I do to get movement on this issue?

[bfarber]

What you are asking for, again, isn't so much a security issue, as a way to make the permissions more secure by default (given that you can change them, and you are fully aware of the default permissions, it's really hard to say there's any security issue at play here).

However, that's not really the status - we haven't released a feature update since this topic was started. I can't say what will be changed, how or when, but if this is implemented it won't be until the next full point upgrade. :)

[Digi]

Eh, most "secure practices" are things that people don't express interest in right off the bat, but if everyone remained lazy, then we'd never get anywhere.

I'd suggest a compromise in starting out with no permissions as default, but adding some sort of "allow everything" button for administrators who can't be bothered to look through every option and enable them on a case-by-case basis. At least then the option is made painfully visible so people are at least aware of what's going on.

Just as a reminder on what everyone said +1 to. ;)

No one agreed to your request overall.