June 27, 2010 in Feedback
So I was looking at http://community.invisionpower.com/topic/298511-my-site-is-getting-repeatedly-hacked-via-a-tinyurl-info-re-direct/, and thought to myself that one avenue of attack could be fixed if there was a feature in IP.Board to generate a checksum every time the caches are written, and save a copy in the DB or something, and would refuse to load said cache files if they do not match the checksum stored wherever it is. This doesn't stop direct changes to the DB languages and manual recaching, nor does it stop a script from hunting and changing the checksum itself. But it does make it that much harder, and there's really nothing to lose by it, is there?
Doesn't the cache store the information in said file to prevent accessing the database for that information on load?
It seems you'd be adding a database request, which wouldn't be a lot at all, but just pointing out some things. If it helps security, I say do it. Seems like a harmless thing to do.
There's already one DB request on every page load - to fetch the frozen caches from the cache_store tables. If you stored the checksums in the cache store... well, you see where that's going.
This topic is now archived and is closed to further replies.
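A sketch of the check discussed in this thread, added as an example and not taken from IP.Board's code: a checksum is computed when a cache file is written, kept in a map that stands in for data already fetched with the frozen caches, and the file is refused on load if it no longer matches. It goes one step beyond the thread by using a keyed HMAC instead of a plain checksum; all function names, the key handling and the sample file are assumptions.

```php
<?php
// Added illustration; every name here is hypothetical, not IP.Board's API.
const CACHE_HMAC_ALGO = 'sha256';

/** Write a cache file and return the checksum to store with the frozen caches. */
function write_cache_file(string $path, string $contents, string $key): string
{
    // Write to a temp file and rename, so a reader never sees a half-written cache.
    $tmp = $path . '.' . bin2hex(random_bytes(4)) . '.tmp';
    if (file_put_contents($tmp, $contents, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException("cannot write cache file: $path");
    }
    return hash_hmac(CACHE_HMAC_ALGO, $contents, $key);
}

/** Return the cache contents only if they match the stored checksum, else null. */
function load_cache_file(string $path, array $checksums, string $key): ?string
{
    $expected = $checksums[basename($path)] ?? null;
    $contents = is_file($path) ? file_get_contents($path) : false;
    if ($expected === null || $contents === false) {
        return null; // unknown or unreadable file: treat as untrusted
    }
    $actual = hash_hmac(CACHE_HMAC_ALGO, $contents, $key);
    // hash_equals() compares in constant time. The verified bytes are returned
    // so the caller does not read the file from disk a second time.
    return hash_equals($expected, $actual) ? $contents : null;
}

// --- Constructed demo ---
$key = random_bytes(32); // assumption: a real key is kept outside web-writable directories
$dir = sys_get_temp_dir() . '/cache_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$file = "$dir/lang_cache.php";

$checksums = []; // stands in for a value stored with the frozen caches
$checksums[basename($file)] = write_cache_file($file, "<?php \$lang = ['hello' => 'Hello'];", $key);
var_dump(load_cache_file($file, $checksums, $key) !== null); // verify the untouched file

// Simulate the file being changed on disk after it was written.
file_put_contents($file, "\n// injected line", FILE_APPEND);
if (load_cache_file($file, $checksums, $key) === null) {
    echo "checksum mismatch: rebuild the cache from the database and log it\n";
}
unlink($file);
rmdir($dir);
```

Because the checksum map travels with data that is already loaded on every page, the check adds one hash computation per cache file and no extra query.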