The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#11
Dear Paul M,
I meant to say that the regular forum MySQL user should not have CREATE/ALTER/DELETE privileges and the administrative site should. My bad. As for the password protecting, that would not allow me to lock down the database user for vBulletin. Plus (and you don't know this of course) I have a lot more running on that admin machine than just the vBulletin forum. That machine also runs the monitoring, for instance. I hang out on the admin machine more than on the forum. For me it is more logical to have all that on one machine, while for most forums it is more logical to use the default setup of having admin tasks on the forum machine as well.

Kees Jan
#12
I'm pretty sure you need DELETE for the forum to run properly, not sure about ALTER/CREATE.
#13
Well - conclusion first - this is maybe useless. The problem is that the second (your Admin machine) would need the SQL rights you want to take away in order to do administrative tasks.
To write them in the DB of your first machine, you either have to set up a replica - the replica user would then have the rights you want to take away - or some kind of tunnel - then again the problem remains the same. At least INSERT / SELECT is required to run vBulletin and that's already enough to dump the passwords or add another admin to your forum - if there's an injection possible.

I just want to say that all this might not give the security enhancements you're looking for because at least one DB user needs to have rights on your VB database. Maybe rename the AdminCP folder, add password protection, and if you want to lock down IPs, do it directly in the web server configuration. Or move your AdminCP - on the same server - inside an SSL environment, setting up a redirection; client cert authentication is the key.

As said, DB access is still required with the rights you care about, no matter where your AdminCP is placed. IPs can be spoofed as well, so the time is maybe better spent configuring your primary machine so that injections are already as hard as possible. Moving something insecure away doesn't make it more secure anyway if there's a problem, because even on the other machine, the security problems, if any, will stay.
#14
Dear Angel-Wings,
Hmm. Excellent points. Certainly food for thought. This is beginning to sound like less and less of a good idea. Thanks for your advice.

Kees Jan
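
Added example, not part of any post in this thread: a small Python check over `SHOW GRANTS` output that flags privileges beyond a runtime baseline and lists what an injection could still use afterwards, which is the point made in post #13. The baseline set, account names and hosts are assumptions made for the illustration.

```python
import re

# Assumption for this example: privileges the runtime forum account keeps.
# CREATE/ALTER are the ones the thread proposes reserving for the admin account.
FORUM_BASELINE = {"SELECT", "INSERT", "UPDATE", "DELETE"}
# Post #13's point: these alone are enough for an injection to read or add rows.
INJECTION_USEFUL = {"SELECT", "INSERT"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>\S+)",
    re.IGNORECASE,
)

def parse_grant(line):
    """Split one SHOW GRANTS row into (privilege set, scope, account)."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a GRANT statement: {line!r}")
    # Drop column lists such as SELECT (col1, col2) before splitting on commas.
    privs = re.sub(r"\([^)]*\)", "", m.group("privs"))
    names = {p.strip().upper() for p in privs.split(",") if p.strip()}
    return names, m.group("scope"), m.group("account")

def audit(grant_lines, baseline=FORUM_BASELINE):
    """Report privileges beyond the baseline and those an injection could still use."""
    held = set()
    for line in grant_lines:
        privs, _scope, _account = parse_grant(line)
        held |= privs - {"USAGE"}  # USAGE is MySQL's "no privileges" marker
    if held & {"ALL", "ALL PRIVILEGES"}:
        return {"excess": ["ALL PRIVILEGES"], "residual": sorted(INJECTION_USEFUL)}
    return {
        "excess": sorted(held - baseline),
        "residual": sorted(held & INJECTION_USEFUL),
    }

# Constructed sample rows (account names and hosts are made up).
BEFORE = [
    "GRANT USAGE ON *.* TO 'vb_forum'@'10.0.0.5'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER ON `forum`.* TO 'vb_forum'@'10.0.0.5'",
]
AFTER = [
    "GRANT USAGE ON *.* TO 'vb_forum'@'10.0.0.5'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `forum`.* TO 'vb_forum'@'10.0.0.5'",
]

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

The `residual` list stays the same before and after the lockdown, so removing CREATE/ALTER narrows schema changes but not row-level reads and writes.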