
Is 2.0 still vulnerable without a login option?


3:27 pm
29 Jan 2008


Phil

Guest

 
1

I understand that it’s possible for someone to maliciously log in as an administrator in Simple Forum 2.0.  Unfortunately, I’ve been having some problems figuring out how to upgrade to 2.1.

I’ve removed the login bar from my forum and there is currently no way for a user to register or login (I allow unregistered guests to post).  Does this solve the vulnerability in 2.0, or could a hacker still log in as an administrator somehow?

Thanks for the help! 

3:42 pm
29 Jan 2008


Yellow Swordfish

Admin

Peterborough, England

posts 5009

 
2

I would very much like to know what problems you are having upgrading to 2.1… this would help…

I am afraid that due to a hard disk crash I have lost my notes on the security problem but as far as I recall it was somewhat crass and juvenile. I believe it relied on the Admin’s ID being ‘1’ (which of course it really shouldn’t be) and the table prefix being ‘wp_’ (which again it shouldn’t be). Sadly, a lot of users do leave these two so there was a risk.

But… I do not recall it being anything to do with being able to login. I think it was more to do with gaining access to data although that does imply that user tables could perhaps be scanned.

3:19 am
30 Jan 2008


Phil

Guest

 
3

Honestly, the answer is embarrassing: I simply don’t know how to upgrade.  I’m still a bit green when it comes to using my hosting service.  In order to install the Simple Forum plugin on my host, I had to manually recreate every single folder present in the download and, in turn, upload every single file into the proper folders.  It took a very long time!

The only way I know to upgrade is to replace every single file with the new files from the update, which would take a great deal of time.  This simply doesn’t appeal to me, although I suppose I could do it if I have to.

I also am very nervous that I will screw something up if I try to upgrade and that my forum will be destroyed.

I do need to know, however, if this upgrade is absolutely necessary to keep my site safe.  I have to admit that I’ve started making a great deal of advertising money on my site, and Simple Forum is one of the reasons why.  I can’t put this income in jeopardy by ignoring a necessary upgrade!

I do love the way the forum runs exactly as it exists on my site, however, and wish I could just let it remain the way it is.

So, what do you think?  Am I taking too much of a risk by not upgrading, or would I be safe leaving things the way they are?

Thanks again.  

3:49 am
30 Jan 2008


Mr Papa

Moderator

Arizona, USA

posts 1437

 
4

Yes, you are taking a risk, but it’s hard to quantify…   upgrading is much simpler than you are making it to be…

Do you use FTP to upload new files?  Simply upload all the new ones overwriting the old ones…  the upgrade will happen automatically and you should have no issues…  afterwards, you shouldn’t even notice…

On the off chance that something goes wrong, we are here to help…  I would be willing to help you with the upgrade if needed…

9:33 am
30 Jan 2008


Yellow Swordfish

Admin

Peterborough, England

posts 5009

 
5

Maybe just to expand on that… it is a matter of simply dropping the ‘simple-forum’ folder from the new version into the ‘plugins’ folder on your server and overwriting.

Having said that… there is also a ‘patch’ file which I recommend taking which then replaces a small number of files with updates and you will need to just check the Avatars location (see the notes with the upgrade). 2.1 needs to move it to a new location and tries to copy the defaults. For many systems, permissions will not allow it so it needs to be done manually after the install.


