
#1 2014-09-04 16:01:56

XAOS-Eric
Member
Registered: 2013-10-16
Posts: 34

Add secret pin to Admin interface?

So, I recently came across a neat thing that mybb is doing that we could probably add to make FluxBB more secure.

So right now, all you need to do to access the admin interface is log in. However, what do you do if someone has a database dump and found the admin password? Simple, we could add a line for a pin to access the admin interface in FluxBB. In config.php, we could add this:

$config['acp_pin'][1] = 'yourpin'; // the key is the admin's numeric user id, written without quotes

And before an admin can access the dashboard, we can verify that the pin is correct. The way we could do that is like so:

if (isset($config['acp_pin'][$acpuid]) && !hash_equals((string) $config['acp_pin'][$acpuid], (string) $pun->input['pin'])) {
    // pin is incorrect, return error message
    // (hash_equals() compares as strings in constant time; a loose != would let PHP
    // treat pins like "0e123" as numbers)
}

We would obviously have to add checking to make sure that the user account exists and that the user is an admin, but I saw this suggestion over at mybb and thought it would be a nice idea to implement in FluxBB.

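A fuller version of the gate proposed above, written here as an added example rather than code from the thread or from FluxBB itself. It keeps the PIN keyed by user id, restricts the check to administrators, and compares the secret with hash_equals(). Assumed: FluxBB's globals $pun_config and $pun_user, its PUN_ADMIN group constant and message() helper, a POST field named acp_pin, and PHP 5.6 or later for hash_equals().

```php
<?php
// Added example, not FluxBB's own code. Assumptions are noted inline.

// config.php: PINs are keyed by the integer user id rather than the username,
// so a renamed or re-created account cannot inherit another user's PIN.
$pun_config['acp_pin'] = array(
    1 => 'example-pin-change-me',   // uid 1 = first admin; constructed value
);

// An admin who has a PIN configured must present it; non-admins are rejected
// by FluxBB's existing group check before this function is reached.
function acp_pin_required(array $config, array $user)
{
    if ((int) $user['group_id'] !== PUN_ADMIN) {   // PUN_ADMIN: FluxBB's admin group id
        return false;
    }
    return isset($config['acp_pin'][(int) $user['id']]);
}

// True only when a PIN exists for this user and the submitted value matches it.
// hash_equals() is constant-time and type-strict, so neither timing nor PHP's
// loose string-to-number comparison ("0e123" == "0") can be abused.
function acp_pin_ok(array $config, array $user, $submitted)
{
    $uid = (int) $user['id'];
    if (!isset($config['acp_pin'][$uid])) {
        return false;
    }
    return hash_equals((string) $config['acp_pin'][$uid], (string) $submitted);
}

// At the top of each admin_*.php, after the normal "is this user an admin" check.
// $pun_user is FluxBB's logged-in user record; acp_pin is an assumed POST field.
$submitted = isset($_POST['acp_pin']) ? $_POST['acp_pin'] : '';
if (acp_pin_required($pun_config, $pun_user) && !acp_pin_ok($pun_config, $pun_user, $submitted)) {
    // Wrong or missing PIN: show an error (or the PIN form) instead of the dashboard.
    message('Admin PIN required.');   // message() is FluxBB's error helper
}
```

The PIN is only worth something if it is stored somewhere the database dump does not reach, which is why the proposal puts it in config.php; storing password_hash() of the PIN there instead of the clear value costs one extra call and limits what a leaked config file reveals.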

#2 2014-09-04 16:44:26

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 960

Re: Add secret pin to Admin interface?

Even without access to the admin interface, I can destroy a forum if I have administrative access.

P.S. Everything becomes much simpler: .htpasswd + .htaccess


My modification of FluxBB 1.5.8 - rev.67
I speak only Russian

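What the .htpasswd + .htaccess suggestion looks like in practice, as an added example that is not part of the thread: an Apache 2.4 .htaccess in the FluxBB root that demands HTTP Basic authentication for the admin scripts only, so a stolen forum password alone does not open them. It assumes FluxBB 1.5's admin scripts are named admin_*.php, that the password file lives outside the web root, and that the virtual host permits AllowOverride AuthConfig.

```apacheconf
# Added example, not FluxBB's own configuration.
# Create the password file once, outside the web root (bcrypt needs Apache 2.4+):
#   htpasswd -B -c /etc/apache2/.fluxbb_admin adminuser
#
# Gate only the admin scripts; the public forum stays reachable.
<FilesMatch "^admin_.*\.php$">
    AuthType Basic
    AuthName "FluxBB administration"
    AuthUserFile /etc/apache2/.fluxbb_admin
    Require valid-user
</FilesMatch>
```

Basic auth sends the credential on every request, so this belongs behind HTTPS; the upside over an in-application PIN is that the web server rejects the request before any forum code, and any forum bug, runs.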

#3 2014-09-04 16:48:11

Otomatic
FluxBB Donor
From: Paris - France
Registered: 2010-01-26
Posts: 493
Website

Re: Add secret pin to Admin interface?

XAOS-Eric wrote:

... what do you do if someone has a database dump and found the admin password? Simple, we could add a line for a pin to access the admin interface in FluxBB.

d5389434a722be1bb6babb9b103fcbc2f85b6ebd is the password found in the database, and now what do you do?


An error does not become truth by reason of multiplied propagation. Gandhi


#4 2014-09-06 19:06:27

Sxderp
Member
Registered: 2012-11-02
Posts: 92

Re: Add secret pin to Admin interface?

Otomatic wrote:
XAOS-Eric wrote:

... what do you do if someone has a database dump and found the admin password? Simple, we could add a line for a pin to access the admin interface in FluxBB.

d5389434a722be1bb6babb9b103fcbc2f85b6ebd is the password found in the database, and now what do you do?

This.
And if I remember correctly the hashes are salted (and if they're not they _should_ be).


#5 2014-09-06 21:50:52

Studio384
Developer
From: Belgium
Registered: 2012-04-11
Posts: 647
Website

Re: Add secret pin to Admin interface?

Sxderp wrote:
Otomatic wrote:
XAOS-Eric wrote:

... what do you do if someone has a database dump and found the admin password? Simple, we could add a line for a pin to access the admin interface in FluxBB.

d5389434a722be1bb6babb9b103fcbc2f85b6ebd is the password found in the database, and now what do you do?

This.
And if I remember correctly the hashes are salted (and if they're not they _should_ be).

If I'm not mistaken, they are not. And SHA1 is rather weak.

Last edited by Studio384 (2014-09-06 21:51:26)


FluxBB Community Benelux - ModernBB 3.4
Profile Plus: A new FluxBB profile interface


#6 2014-09-07 10:27:51

seven
Member
From: Torino, Italy
Registered: 2010-08-19
Posts: 269
Website

Re: Add secret pin to Admin interface?

I can confirm they're not salted. I slightly modified FluxBB using PHPass instead.


gamezoo.org - serious gaming services for serious gamers.


#7 2014-09-08 03:15:47

Sxderp
Member
Registered: 2012-11-02
Posts: 92

Re: Add secret pin to Admin interface?

seven wrote:

I can confirm they're not salted.

Then shouldn't this be added into 2.0 if not in a future release of 1.5.x?


#8 2014-09-08 07:11:00

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 906
Website

Re: Add secret pin to Admin interface?

Visman has salted passwords in his version of FluxBB, maybe someone could submit a mod using that for the current version. I agree with Sxderp though, I think it should be something added in - especially since bots appear to be carrying out rainbow attacks & brute forcing my login forms.

I would attempt one but I'm too busy at the moment. There is a mod for SHA256, but I'm still not sure whether it's salted, it doesn't sound like it:

https://fluxbb.org/resources/mods/complex-password/


#9 2014-09-08 13:36:16

seven
Member
From: Torino, Italy
Registered: 2010-08-19
Posts: 269
Website

Re: Add secret pin to Admin interface?


gamezoo.org - serious gaming services for serious gamers.


#10 2014-09-08 15:07:22

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 906
Website


#11 2014-09-08 16:55:57

seven
Member
From: Torino, Italy
Registered: 2010-08-19
Posts: 269
Website

Re: Add secret pin to Admin interface?

NP. But the password converting code in login.php is new and not tested, actually. Our forum was deployed from another solution.


gamezoo.org - serious gaming services for serious gamers.


#12 2014-09-09 11:01:31

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,047
Website

Re: Add secret pin to Admin interface?

To make this clear: 2.0 uses salted bcrypt hashing (as is Laravel's default). We currently use a per-site salt, not a per-user salt.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."


#13 2014-09-09 13:53:53

Sxderp
Member
Registered: 2012-11-02
Posts: 92

Re: Add secret pin to Admin interface?

Franz wrote:

To make this clear: 2.0 uses salted bcrypt hashing (as is Laravel's default). We currently use a per-site salt, not a per-user salt.

Doesn't having a site-wide salt partially defeat the purpose of having the salt? It'll help protect against cross-site attacks but doesn't help with same-site, on the off chance that two users have the same password. 12345678... -.- Yay for common users not following password best practices.


#14 2014-09-09 14:08:33

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,047
Website

Re: Add secret pin to Admin interface?

Oh wait, actually I think the salt is stored as part of the hash. The hash looks something like this: $NoIterations$Salt$ActualHash.

See password_hash() for more details.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

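An added example, not code from the thread or from FluxBB, that ties together the unsalted-SHA1 discussion in posts #3 to #6, the shared-password worry in #13 and the "salt is part of the hash" point in #14. It uses two constructed users with the same weak password and PHP's built-in password_hash() / password_verify() (PHP 5.5+); the bcrypt_parts() and upgrade_legacy_hash() helpers are written here for illustration.

```php
<?php
// Added example, not FluxBB's own code. Two constructed users share a weak password.
$common = '12345678';

// 1) Unsalted SHA1, as FluxBB 1.5.x stores passwords: equal input gives an equal
//    digest, so one dump reveals every account sharing the password, and a
//    precomputed table of common passwords resolves it at once.
$sha_a = sha1($common);
$sha_b = sha1($common);
var_dump($sha_a === $sha_b);   // bool(true)

// 2) password_hash(): a random 16-byte salt is generated per call and encoded
//    into the result, so the same password yields different stored strings.
$bc_a = password_hash($common, PASSWORD_BCRYPT, array('cost' => 10));
$bc_b = password_hash($common, PASSWORD_BCRYPT, array('cost' => 10));
var_dump($bc_a === $bc_b);     // bool(false)

// The 60-character result is self-describing: $2y$<cost>$<22-char salt><31-char hash>,
// which is the "$NoIterations$Salt$ActualHash" layout described in post #14.
function bcrypt_parts($hash)
{
    if (!preg_match('/^\$2y\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        return null;
    }
    return array('cost' => (int) $m[1], 'salt' => $m[2], 'hash' => $m[3]);
}
print_r(bcrypt_parts($bc_a));

// Verification reads cost and salt back out of the stored string, so no separate
// salt column and no site-wide secret are needed: the salt is per user by construction.
var_dump(password_verify($common, $bc_a));      // bool(true)
var_dump(password_verify('12345679', $bc_a));   // bool(false)

// Migrating an existing 1.5.x install: on a successful login against the old SHA1
// value, rehash the now-known password and store the new 60-character string.
// Returns the new hash, or null when the login failed and the row must stay as it is.
function upgrade_legacy_hash($password, $stored_sha1)
{
    if (!hash_equals($stored_sha1, sha1($password))) {   // hash_equals(): PHP 5.6+
        return null;
    }
    return password_hash($password, PASSWORD_BCRYPT);
}
```

The migration path needs a wider column (FluxBB's SHA1 field holds 40 characters; bcrypt output is 60) and a branch in login.php that tries the legacy SHA1 check only while the stored value is still 40 characters long.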


Powered by FluxBB 1.5.8