IntegraMOD / IntegraMOD151

The most complete premodded forum software
http://integramod.com

phpBB Security IM 150 #44

Open MWE001 opened 7 years ago

MWE001 commented 7 years ago

Hey fellas, I did a clean install tonight and when I got to messing around in the admin panel, it was then that I noticed that I never got asked for any security keys such as admin_allowed mods_allowed badpeople_notallowed or what ever those 3 are. Nor was I ever prompted to put in a security answer or question for my account.

I went to phpBB_security in the includes folder and it was default keys:

    function phpBBSecurity_AdminConfigName()
    {
        return 'phpBBSecurity_max_admins';
    }

    function phpBBSecurity_ModConfigName()
    {
        return 'phpBBSecurity_max_mods';
    }

    function phpBBSecurity_UseSpecial()
    {
        return 'phpBBSecurity_use_max';
    }

Ironically enough, I have hashed keys in my database. Is there any way I can reinstall phpBB security from scratch without tearing down the board and starting over? It has been so long since I messed with this I can't recall how we did it back in the day.

Not sure if this is another Windows error from WAMP or an honest bug. I'll let you fellas decide. Due to me being localhost (Windows), I'm not a good candidate to call bugs.

Truth be known since it is local host I could just not worry about it, but I am simply trying to make sure it is right as far as installation goes for an end user that might use our product down the road.

IntegraMOD commented 7 years ago

Sounds like you have a write permission issue. Is the file permission set to 666? You can put chmod.php back and browse to it to check all your permissions. If the hash does not match the db, many phpbb security functions will not work and the site will be at risk to script-kiddies.

MWE001 commented 7 years ago

I'll take a quick stab at it here in a few minutes. I got a hot database update running as we speak

MWE001 commented 7 years ago

Ok so not sure if this is a phpBB Security issue or CrackerTracker but when installing, the chmod.php worked flawlessly. When it told me to delete the install I did, then clicked continue, then

> It appears you have been banned from this website. If this is a mistake or you are not sure why you are banned, please contact the board administrator.
>
> Board Administrator: xxxxxxx [at] xxxxxxx.com
>
> You have been blocked because you have permission to be staff, but the admins did not grant you permission in the security panel.

Instead of going to install Prillian messenger, it went to login.php and insta ban. That was on a live server that I found room on as well as localhost both.

MWE001 commented 7 years ago

Oh the permission thing that was mentioned, it's a Windows machine. I can't chmod. Unless Windows has a permissions trick that I do not know about.

As far as the ban issue on the live server a few minutes ago, I'm positive all was chmod properly.

MWE001 commented 7 years ago

The localhost was legit, I think the live server might have been my fault. 10 minutes and I'll know more.

MWE001 commented 7 years ago

So it must have been my fault on the live server. I have tried it 3 times and it installs every time. I tried 2 more times on my WAMP and got banned every time.

IntegraMOD commented 7 years ago

I'm having the same issue on im.com but on every other domain it installs fine. I've checked all the .htaccess files and relaxed security from paranoid to safe, but I still have this issue. I'm getting a little stumped on this one.

IntegraMOD commented 7 years ago

Here is a fix Mike came up with that solved his local install problem. It does not work on im.com but may work for you. It is in includes/phpbb_security_install.php

        function phpBBSecurity_Error($reason, $add_count)
        {
            global $board_config, $db, $phpEx, $phpbb_root_path, $lang;
            //include($phpbb_root_path .'language/lang_'. $board_config['default_lang'] .'/lang_phpbb_security.'. $phpEx);

            $lang_key     = 'PS_die_msg_'. $reason;
            $message     = '';
            $message     .= $lang['PS_auto_message'] . str_replace("@", " [at] ", $board_config['board_email']);
            $message     .= '<br><br>';
            $message     .= $lang[$lang_key];
            //$message     .= '<br>';
            //$message     .= str_replace('%email%', $board_config['board_email'], $lang['PS_die_msg_email']);

            if ($add_count)
            {
                $q = "UPDATE ". CONFIG_TABLE ."
                      SET config_value = config_value + 1
                      WHERE config_name = 'phpBBSecurity_total_attempts'";
                $db->sql_query($q);
            }

            // Only process if phpBB is completely installed... Mike //
            if (defined("PHPBB_INSTALLED"))
            {
                die($message);
                exit();
            }
        }

vendethiel commented 7 years ago

@IntegraMOD should I pull this in?

vendethiel commented 7 years ago

edited the code snippet to beautify it

MWE001 commented 5 years ago

This install issue was fixed, right? Last time I installed, a few weeks back, phpBB security installed flawlessly without me altering or deleting any files at all. That is the first time in a very long time that happened.

vendethiel commented 5 years ago

I never had an issue, myself. If you say it’s working we can close it... and maybe revisit it later if it breaks on some servers...

MWE001 commented 5 years ago

Well the way it worked previously we had to delete a file, rename another and so on. If not, then had to copy and paste some stuff and do this and that to get it working. I believe there was a readme with notes of Mike's install method for it. The last time I installed IM a couple 2 or 3 weeks back I didn't have to do all that though. It just installed with the IM install and worked right out of the box.

vendethiel commented 5 years ago

I never had to do that myself, that's what I'm saying. Not sure if Mike's fix has fixed everything, since @IntegraMOD said earlier that "this doesn't work on integramod.com", so I'd like to know if it's resolved.

MWE001 commented 5 years ago

Sorry so slow on the reply. Got busy again and a laptop reformat again.

Well, Mike's fix is years old. It has been a part of the package for a very long time. I am not sure how 3 of us have 3 methods to be honest. That is odd to say the least.

I see the files here were updated 2 days ago. If they are stable enough to give a good install a try I will give it a go. I just reinstalled a new localhost server and it is ready to roll. In turn that will give me a chance to check the dates issue out as well.

MWE001 commented 5 years ago

(screenshot: phpbbsecurity)

As you can see, phpBB Security was not installed by default. If I attempt to set the settings, they are not saved in the database at all.

To install phpBB security on initial install, I have to delete the phpbb_security.php file and rename phpbb_security_install.php to phpbb_security.php. That will allow phpBB Security to install on a fresh install of Integramod for me.

According to Mike's notes this was done for a reason and now I recall why, it was for update reasons. However, no matter how much I scream and shout at it, it will not install at all with a fresh install of Integramod without the procedure I have explained here in this reply.

DISCLAIMER: To be fair and honest, I am installing on a Windows stack, not a standard Nix machine. I am fresh out of room at this very moment on my production server. So is this a Windows issue?

MWE001 commented 5 years ago

Ok I think I am getting bit in the ass when it comes to php. Can you tell me what version of php NOT to exceed and MySQL? This may or may not be part of my issue. Now that I have a fresh updated WAMP stack, I have major issues that I did not have days ago. Once I get that part figured out, I will once again get to test this phpBB Security issue out.

My current options are:

5.6.40, 7.0.33, 7.1.26, 7.2.14, 7.3.1

And I am on MySQL v5.7.24

MWE001 commented 5 years ago

Ok. Here goes.

On php 5.6.40 the whole delete one file and rename another is not necessary to do a fresh install. On php 7.0.29 it was necessary. Not sure why.

On php 7.0.33 phpBB Security did not install as shown in my screenshot above. I did run across an eregi error in phpBBsecurity.php, not sure that has anything to do with it or not to be honest.

Now that I know it installs on php 5, I am going to clear all cache and cookies and all and switch back to 7.0.33 php and shut server down and give it a fresh start and try another install and see how it goes. I am guessing the Integramod is going to install but not phpBB Security. I'll report back.

Here is a screenshot of a successful install on php 5.6:

(screenshot: securityphp5)

MWE001 commented 5 years ago

And here we go on a fresh install of Integramod on php 7.0.33

(screenshot: phpbbsecphp7)

vendethiel commented 5 years ago

ereg is definitely the culprit. I just did a quick search, we still have 30 occurrences of the little guy in the codebase. Alas it was removed in PHP7, so we need to get rid of him ourselves.

Thank you for being so thorough in your search btw, that's definitely gonna be helpful. Since I have been running PHP5.6 on my computers, it's probably why I thought phpBB Security worked fine. Now I'll make sure it works fine with PHP7 as well.

> Ok I think I am getting bit in the ass when it comes to php. Can you tell me what version of php NOT to exceed and MySQL? This may or may not be part of my issue. Now that I have a fresh updated WAMP stack, I have major issues that I did not have days ago. Once I get that part figured out, I will once again get to test this phpBB Security issue out.

Right now the safest bet is probably 5.6. But if we only test with 5.6, we'll be stuck on that version :-( I really want to keep IM going forward, but I'm not as good finding bugs. Please report anything you find with PHP7+

Oh and also, it's not necessary yet to test on PHP7.3. This one is broken, even the official phpBB team doesn't test there.
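The `ereg` family named in the comment above no longer exists in PHP 7, so every remaining call ends the request with a fatal "Call to undefined function" error. One way to port a boolean `eregi()` check to `preg_match()` while keeping the old matching behaviour, as an added example that is not IntegraMOD code (the function names and sample inputs are hypothetical):

```php
<?php
// Added example, not IntegraMOD code. ps_ere_to_pcre(), ps_eregi_match()
// and the sample inputs are hypothetical, constructed for illustration.

/** Wrap a POSIX ERE pattern (as written for ereg/eregi) in PCRE delimiters. */
function ps_ere_to_pcre($ere, $case_insensitive = false)
{
    // Pick a delimiter that does not occur in the pattern, so nothing has
    // to be escaped and existing backslash sequences stay untouched.
    foreach (array('/', '~', '#', '%', '!', '@') as $delim) {
        if (strpos($ere, $delim) === false) {
            // D: "$" matches only at the very end of the subject. ereg
            // treated a newline as an ordinary character; PCRE without D
            // lets "$" match before a trailing newline.
            return $delim . $ere . $delim . 'D' . ($case_insensitive ? 'i' : '');
        }
    }
    throw new InvalidArgumentException('No free delimiter for pattern: ' . $ere);
}

/** Boolean replacement for `if (eregi($pattern, $subject))`. */
function ps_eregi_match($ere, $subject)
{
    $result = preg_match(ps_ere_to_pcre($ere, true), $subject);
    if ($result === false) {
        // Fail closed: a pattern that does not compile must not be
        // treated as "no match" by a security check.
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result === 1;
}

// Constructed samples.
var_dump(ps_eregi_match('(libwww|wget)', 'Wget/1.20'));        // case-insensitive alternation
var_dump(ps_eregi_match('^[a-z0-9_]+$', 'Admin_01'));          // anchored name check
var_dump(ps_eregi_match('^[a-z0-9_]+$', "Admin_01\n"));        // trailing newline, the case D covers
var_dump(ps_eregi_match('^https?://[^/]+/', 'HTTP://example.test/x')); // "/" in pattern, "~" is chosen
```

Call sites that use the `$regs` argument or the numeric return value of `ereg()` need individual review, since `preg_match()` returns 1, 0 or false instead of a match length.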

MWE001 commented 5 years ago

Just a quick one last report since we already know this has old code that needs replaced. I think the install that worked for me yesterday was a freak of nature. I installed Integramod 4 more times today testing various things (including my original server setup that security installed perfect on) and not once did phpBB Security install as well.

I will no longer report any findings related to phpBB Security from here on out due to deprecated code and we already know what is going on until we get it upgraded (modernized) in the future after less pressing issues are dealt with. I am pretty much beating a dead horse now. I have tested and tested and results are all over the place. I would chalk it up as the old code.

I agree on php 7.3. I never test any higher than the 7.0.33 that I have now.