nickname and password protection is essential

Posted: Thu Dec 02, 2004 7:45 am

I've tried something and it all works so here are some security advicesories

Be shure no-one can recieve your login name and password in any form like cookie or encrypted.

PHP has the option to send/recieve data from/to an website and that way you can simulate browser, cookies, http_referer, etc.
So there's totally no need to hack into your browser and modify cookies to gain control over an website since PHP can do it all.

The hacker could create an account at lycos, for example, and upload an script that hacks into your website.
Then if your sentinel locks the IP it locks the lycos server and not the hacker.
The hacker moves on to another free hosting site and tries again.

Does he ever get caught you think ? No, since there is no logging on the server to check with which websites PHP makes connections.

Does the IP blocking has drawbacks ? Yes, other lycos websites can't access your RSS feed to show your news articles

Posted: Thu Dec 02, 2004 7:59 am

I think this is a long standing issue with the way cookies are designed in phpnuke. I've ranted on the topic several times but since it is a core function I don't feel we can make substancial changes to it. I think a crypt of cookie encode and decrypt decode would be great it would also make forged cookies much tougher to design.

I think most of us are aware of the potential issues of blocking IP addresses and ranges. I think that the expire feature in Nuke Sentinel is under used and perhaps the best method for working around the issue. Simular to better firewalls a 600 second block can be more effective then a lifetime one.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

This, of course, is true about anything web related. Proxies present similar problems. Dynamic IP's also. I have had to release IP's that now belong to someone else. I would be more concerned about HOW he uploaded a script. That's the real issue with this scenario that you present.