Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions

Reply
 
Thread Tools Display Modes
  #1  
Old 02-13-2009, 05:09 PM
pein87's Avatar
pein87 pein87 is offline
 
Join Date: Sep 2008
Posts: 352
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Security Mod

I am planning to work on a secrity mod for vbulletin but i wnted to get some input from more seasoned dev's here on vb. My plan is to create a file locking system by using the

$lockFileCommand = flock($showthread, $lockWrite && $lockRead);

but i`m not sure if this method wold really work. I was going to save the file locking commands under the variables $lockWrite and $lockRead to make it easier to use them in my scripts. My question is would this work to lock the files and give only the vbulletin files access to read and write them. I was going to do a similar deal to the

define('THIS_SCRIPT', 'showthread');

but instead use

define('VB_SCRIPT', 'showthread');

and an included file to each script so that if the above is defined it can read and even write to the other files that have it defined. I`m wondering would i be wasting my time doing this or would it actually work on preventing people from hacking sites?

please voice your input on this.
Reply With Quote
  #2  
Old 02-13-2009, 09:27 PM
TigerC10's Avatar
TigerC10 TigerC10 is offline
 
Join Date: Apr 2006
Location: Austin, TX
Posts: 616
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Greetings, fellow Naruto fan. I don't think that the flock function does what you think it does... It locks a script from being read or written to all together. Until you unlock it. The only reason this function exists is if you're doing large data crunching and don't want anyone else to mess with your data AS you are reading it. It's not for security.

Locking any of the .php files from being read will be disasterous, since that particular page (or backend script) will instantly stop working for everyone except the person that initiated the lock. And until that person unlocks the file, no one else can use it. You'd constantly see "page cannot be found" errors. What you probably had in mind was locking the file, and then unlocking the file automatically after the page is done loading - but in real time if two people loaded that script at the same time one of them would lock the other one out. If you have an intensive script, like if you're updating the search index - or if you have a frequent cron job, your end users will get stopped in their tracks.

Consider if you have two users adding a new post at the same time - if one gets locked out they will see the "page cannot be found" error. Their browser might not be capable of just click "back" to restore the text they had typed (that would be frustrating).

On a public website, no files should be open for writing anyway.




The next biggest problem you have is with the unlock. By default, Apache and IIS run all php scripts as a single user on the server. Anyone viewing a script could execute the unlock function if the unlock condition isn't properly written. Essentially this would make your initial lock worthless. Unless you've customized your apache or IIS such that users have to log into the server with server-level credentials (aka. turned off "anonymous access" to the website) flock is worthless for security.
Reply With Quote
  #3  
Old 02-14-2009, 11:30 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What is it exactly that you want your script to protect against?
Reply With Quote
  #4  
Old 02-18-2009, 01:52 AM
pein87's Avatar
pein87 pein87 is offline
 
Join Date: Sep 2008
Posts: 352
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I know what flock does lol I wonted to make it so all files are unlocked only to vbulletin. So that any remote script woldnt be able t access them. So it would basiclly add the names of the scripts so that if the defined isnt there the script gets locked from being accessed.
Reply With Quote
  #5  
Old 02-18-2009, 02:33 AM
TigerC10's Avatar
TigerC10 TigerC10 is offline
 
Join Date: Apr 2006
Location: Austin, TX
Posts: 616
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Nah, the flock will lock out based on user accounts on the server - not based on which script is what.

If you want to be anal about it, edit your global.php file with something like:
Code:
if(!defined('MY_SCRIPT_CHECKING_VARIABLE'))
{
  die('Hacking attempt!');
}
Then in EVERY SINGLE php file for vBulletin, add this before including global.php:
Code:
define('MY_SCRIPT_CHECKING_VARIABLE', true);
You would want to customize the variable MY_SCRIPT_CHECKING_VARIABLE to something very unique. That's an old tried and true method of preventing any alternative scripts from accessing anything it shouldn't.

However, it's not exactly practical because you have to edit every single php file, and you have to keep doing it for every single upgrade.
Reply With Quote
  #6  
Old 02-18-2009, 05:55 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

vBulletin already checks for VB_AREA and THIS_SCRIPT.
Reply With Quote
  #7  
Old 02-18-2009, 04:06 PM
TigerC10's Avatar
TigerC10 TigerC10 is offline
 
Join Date: Apr 2006
Location: Austin, TX
Posts: 616
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yeah, but those are default to the scripts. Its easy to add a "VB_AREA" and "THIS_SCRIPT" variable in and then include the global.php, as well as anything else they want. A potential hacker wouldn't know the customized variable. This is really only a concern for other scripts accessing vBulletin - like for example if someone is on a shared host and the file permissions are not set properly, someone else on the same server could utilize/execute the scripts of other users (I believe that GoDaddy's hosting service had this problem for awhile, not sure if it still does or not).

So by making a custom variable for himself, he ensures that it's only his approved scripts that can call global.



One idea that Jelsoft could use is if they use this technique but with customer numbers. Consider: every php file will be altered on the fly at download time with the appropriate customer number at the top of the file. Why not take it a step further and make it into a variable that is checked for security? I know that the customer number is checked when you enter the upgrade system. The only downside is that the modification system would be largely broken - all custom .php files would have to be altered to follow the new standard, and I don't think there's a way of modifying the addon/hack .php files on the fly at download so the modifications to the addon/hack .php files would have to be done by the users.

But at least it would be that much more secure... It's up to jelsoft if they want to do that.
Reply With Quote
  #8  
Old 02-18-2009, 06:31 PM
pein87's Avatar
pein87 pein87 is offline
 
Join Date: Sep 2008
Posts: 352
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

No your miss understanding me I wasnt going to use the file lock function to lock all files instead i was only going to set its so each script has the above defined in my first post and then $flock(); with LOCK_UN so there all read only and have it so that if a script is trying to write to another file it would first be checked to see if it had the defined at the top and a commented out code like //000111001000 and if it did it would then allow the script to write by switching it to the LOCK_UN to LOCK_EX and then it would close the file once the script was done excetuting. That way only your scripts would be allowed to have write access. But i`ll instead use your idea saves me the trials of coding the system and testing and debugging.

Thanks TigerC10
Reply With Quote
  #9  
Old 02-18-2009, 06:41 PM
TigerC10's Avatar
TigerC10 TigerC10 is offline
 
Join Date: Apr 2006
Location: Austin, TX
Posts: 616
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Oh, so you mean like... Say you store your avatars in a directory instead of in the database. You would want to use your lock unlock idea to prevent writing to the directory unless the script has permission?
Reply With Quote
  #10  
Old 02-18-2009, 06:53 PM
pein87's Avatar
pein87 pein87 is offline
 
Join Date: Sep 2008
Posts: 352
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yup every script would use the LOCK_UN and it wold alll be controled by the admin cp since most scripts that do writing use str_replace and preg_replace so it would first check the script that is used to execute that command aka the plugin engine to see if its actually the plugin system doing the commands or any other script that belongs to the forums owner. If it did have the defined and the code which would be generated at random or it could check the pages for the vbulletin id number that each one has at the top, well some pages have it using preg_find and if it did have it then the file would be opened using str_replace to replace the LOCK_UN and chnage it to LOCK_EX and then when its been comfirmed to have executed then it would replace the LOCK_EX with LOCK_UN. That way only your scripts can write to another script. Every script would be put inot and array like they do for THIS_SCRIPT so its stored in memory what scripts are what. I would say using array_merge but someone said theres an easier way like how they do it for the template cache.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 05:09 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04317 seconds
  • Memory Usage 2,259KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete