XMB Forum Software
Subject: Continued Development
bfgadmin
Member
posted on 8-20-2020 at 07:09 PM


A few quick notes on this, on our XMB forum we changed the hashing algorithm to SHA256 (I believe), and of course had to rehash existing passwords (via mandatory password reset).

We also added a database table to track failed logins, and even an anti-spam system to track known behavior (i.e. proceeding to the User CP within a minute of registration, attempts to insert URLs into bio/signature fields, etc.).

If anybody is interested in collaborating on this, let me know! I also run a forum in a non-production environment that we can nuke the crap out of in the name of development/progress :lol:

Can I just add how exciting it is to see interest in XMB?
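As an added illustration of the failed-login table and lockout timer this post describes (example code, not XMB's own; the thresholds, the in-memory store and the per-username key are assumptions standing in for the real table and its schema):

```python
import time
from collections import defaultdict

MAX_FAILURES = 5           # failed attempts tolerated inside one window (assumed value)
WINDOW_SECONDS = 15 * 60   # window over which failures are counted
LOCKOUT_SECONDS = 30 * 60  # how long the account stays locked, like a domain lockout timer


class FailedLoginTracker:
    """In-memory stand-in for a failed_logins table: who failed, and when."""

    def __init__(self):
        self.failures = defaultdict(list)  # username -> timestamps of recent failures
        self.locked_until = {}             # username -> unix time the lockout expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Log one failure; returns True if this failure triggered a lockout."""
        recent = [t for t in self.failures[user] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = []  # counter restarts after the lockout ends
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)


def attempt_login(tracker, user, password_ok, now=None):
    """Returns 'locked', 'ok' or 'denied'. The lockout check runs before the
    password check, so a locked account cannot be guessed against at all."""
    now = time.time() if now is None else now
    if tracker.is_locked(user, now):
        return "locked"
    if password_ok:
        tracker.record_success(user)
        return "ok"
    if tracker.record_failure(user, now):
        return "locked"
    return "denied"
```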

bfgadmin
Member
posted on 8-20-2020 at 07:20 PM


Quote: Originally posted by miqrogroove  
Quote: Originally posted by lottos  

XMB misc.php allows one password reset request per 24 hours, date and time of last request in members table, column pwdate.


This part is fine. The report shows we have less than 3 bytes of useful entropy and even less with stronger hacks. Without any rate limits or extra tokens it is possible to brute force account access.


Oh yes, we danced with this for quite a while. Our site owner was dead set on VB initially, but I managed to talk him into going with XMB so this issue in particular was in the forefront.

Other than account lockout timers (similar to the Windows domain feature) and implementing a more secure hashing algorithm (SHA256) we never did find a neat & tidy solution. I proposed everything from password complexity requirements and PIN codes to multifactor authentication. Our Sophos UTM security appliance with WAF adds another layer of intrusion prevention, exploit mitigation and session hardening, but of course this isn't bulletproof either.

For us, a key security measure is frequent backups. Every time we move code into the production environment, we take a full backup. Backups are also conducted three times per day, using Windows scheduled tasks and saved to a shared network location. This location is backed up once daily to physical disk.

Fortunately I have physical server access which makes this process much easier. On that same note, we have plenty of extra space on the server and gigabit bandwidth if anybody needs a place to host an XMB instance! Also can accommodate your own domain provided you can point them at our nameservers. :thumbup:
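An added example, not part of this post or of XMB's code, of how the one-request-per-24-hours pwdate limit quoted above combines with a high-entropy, hashed, single-use reset token to close the brute-force gap miqrogroove describes; the class, its field names and the in-memory store are assumptions standing in for the members table:

```python
import hashlib
import hmac
import secrets

RESET_INTERVAL = 24 * 3600  # one reset request per 24 h, the pwdate rule
TOKEN_BYTES = 32            # 256 bits of randomness instead of < 3 bytes
TOKEN_TTL = 3600            # a token is only redeemable for an hour (assumed value)


def guess_space(token_bytes):
    """Worst-case number of candidates an attacker must try for a token of this size."""
    return 2 ** (8 * token_bytes)


class ResetService:
    """Models the members table columns involved in a reset (names assumed)."""

    def __init__(self):
        self.members = {}  # username -> {"pwdate", "reset_hash", "reset_exp"}

    def register(self, user):
        self.members[user] = {"pwdate": None, "reset_hash": None, "reset_exp": 0}

    def request_reset(self, user, now):
        """Returns the token to e-mail, or None when the 24 h limit applies."""
        m = self.members[user]
        if m["pwdate"] is not None and now - m["pwdate"] < RESET_INTERVAL:
            return None
        token = secrets.token_urlsafe(TOKEN_BYTES)      # CSPRNG, not a timestamp or PHP rand()
        m["pwdate"] = now
        m["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()  # store a hash, never the token
        m["reset_exp"] = now + TOKEN_TTL
        return token

    def redeem(self, user, token, now):
        """Accepts the token once, within its TTL, using a constant-time compare."""
        m = self.members.get(user)
        if m is None or m["reset_hash"] is None or now > m["reset_exp"]:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        ok = hmac.compare_digest(presented, m["reset_hash"])
        if ok:
            m["reset_hash"] = None  # single use: a replayed token is rejected
        return ok
```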

miqrogroove
XMB 1.9.12 Lead Developer
posted on 8-20-2020 at 10:01 PM


What would be an appropriate version number for the next patch then? If it requires a schema upgrade and PHP upgrade, would it become 1.9.12?
bfgadmin
Member
posted on 8-20-2020 at 11:10 PM


Quote: Originally posted by miqrogroove  
What would be an appropriate version number for the next patch then? If it requires a schema upgrade and PHP upgrade, would it become 1.9.12?


Sounds right to me!

Exciting times :singing:

So what's the plan, Micro?

miqrogroove
XMB 1.9.12 Lead Developer
posted on 8-21-2020 at 12:27 AM


I'm just thinking big picture. If I overhaul the session handler and bump the PHP requirement to 7+ then we can also unfreeze features and text. But I don't think it will be anything more than bug fixes.
miqrogroove
XMB 1.9.12 Lead Developer
posted on 8-25-2020 at 12:14 PM


Are there any existing hacks that should get baked into 1.9.12?

I was thinking our new user moderation system has become such a vital anti-spam tool that it would have even more value as an integrated feature set.

https://sourceforge.net/p/xmb-forum/code/HEAD/tree/hacks/tru...

The code has been stable for years, and just needs some refinement to make it look more official.
lottos
Administrator
posted on 8-26-2020 at 07:52 AM


Quote: Originally posted by miqrogroove  
Are there any existing hacks that should get baked into 1.9.12?

I was thinking our new user moderation system has become such a vital anti-spam tool that it would have even more value as an integrated feature set.

https://sourceforge.net/p/xmb-forum/code/HEAD/tree/hacks/tru...

The code has been stable for years, and just needs some refinement to make it look more official.


After reviewing the list of existing hacks, I think the moderation system is a great and most appropriate candidate to be baked in.

miqrogroove
XMB 1.9.12 Lead Developer
posted on 8-26-2020 at 06:01 PM


Agreed then. I'm open to more suggestions. Even if new-user moderation is the only major new feature, I think it's a realistic and understandable roadmap.

I've got about 400 lines of the new session handler written so far here at home. I'm trying to make the impact on existing files as little as possible. I committed one significant change to the functions.inc.php because we will soon need a function to go between the session handler and the IP banning logic. Having that part separated out now should help keep that part stable when I start tearing out the old cookie commands.
lottos
Administrator
posted on 8-27-2020 at 12:03 AM


I'm assuming you mean existing hacks such as those listed here:
https://www.xmbforum2.com/modifications/
which has these two, not sure of the difference between them
google-rdf-breadcrumbs.zip
rdfa-breadcrumbs.zip

Maybe a contender?

If you also mean possible new hacks, tagging members in a post, e.g. @miqrogroove, would be cool, with a u2u notification to the tagged member with the u2u message linking to the relevant post.
[edit: ignore the paragraph above as I reread your first post that does say existing.]

Would it be worthwhile for the 1.9.12 alpha version you have on the SVN to be implemented on this forum for testing before making the new session handler?

miqrogroove
XMB 1.9.12 Lead Developer
posted on 8-27-2020 at 12:45 AM


Yes those hacks. Should be the same ones as in SVN.

The breadcrumbs hacks are obsolete AFAIK. I wrote one of them based on the standard that was current at the time, and I believe that language is no longer supported by Google.

I added a subdomain alpha dot. I'm using it for syntax checks and dev testing only. You can try it but it's only 1.9.11 with a bunch of minor bug patches so far.

We can eventually upgrade the production site when the first beta is released. I think that's how we've done it in the past.
lottos
Administrator
posted on 8-27-2020 at 11:31 AM


Not existing hacks, but perhaps the last post date and time could be a link to the actual last post? Could be more intuitive for some?

[attachment: delete.png]

[edit: saw a nifty implementation of something similar from forum provider microcosm where they have for example:
@Ken replied 3 hours ago

Broken down:
'@Ken' is hyperlink to member profile
'replied' is the hyperlink to the last post
'3 hours ago' is clickable and changes to the date and time posted]

miqrogroove
XMB 1.9.12 Lead Developer
posted on 8-28-2020 at 03:59 PM


I would think bigger. Maybe the entire table cell in each Forum / Subject / Last Post column could be clickable. Would you care to add that as a feature request in the bug tracker?

Today I'm trying to work out the details of automatic session token regeneration. It adds a lot of complexity to the new session handler. I'll try to make it possible to switch that off or remove it in case we find problems in testing.
miqrogroove
XMB 1.9.12 Lead Developer
posted on 9-26-2020 at 01:14 PM


Quote: Originally posted by lottos  

google-rdf-breadcrumbs.zip
rdfa-breadcrumbs.zip

Maybe a contender?


Going to take a second look at this.

Beta 2 is up.
lottos
Administrator
posted on 9-30-2020 at 11:20 AM


Question re Quarantine: is there a log of deleted users/IPs?
miqrogroove
XMB 1.9.12 Lead Developer
posted on 9-30-2020 at 12:16 PM


The quarantine panel allows an Admin to ban. It will delete posts, not users. So the original registration IP stays in the user record. Currently it does not create any extra logs.
lottos
Administrator
posted on 10-1-2020 at 01:39 AM


Thanks. That way admins can see if there are repeat offenders among those that don't mask their IP.

lottos
Administrator
posted on 10-6-2020 at 02:12 AM


Wondering how difficult it would be to alter search.php to allow multiple user names in the user name field, perhaps in the same format as sending multiple u2us, i.e. user1, user2, user3
miqrogroove
XMB 1.9.12 Lead Developer
posted on 10-14-2020 at 02:21 PM


Quote: Originally posted by lottos  
Wondering how difficult it would be to alter search.php to allow multiple user names in the user name field, perhaps in the same format as sending multiple u2us, i.e. user1, user2, user3


Sounds like an interesting feature or modification.

Seems like beta testing is wrapped up. I don't know how much serious testing happened, but it's what we got. I'll try to package up the 1.9.12 release today or tomorrow.
lottos
Administrator
posted on 10-14-2020 at 11:08 PM


Quote: Originally posted by miqrogroove  
Seems like beta testing is wrapped up. I don't know how much serious testing happened, but it's what we got. I'll try to package up the 1.9.12 release today or tomorrow.


I did as much as possible; topicadmin was an area I spent some time on, and with the admin rights I have, all seemed to function as expected.

Awesome work miqrogroove, I've peeked at much of the code and the effort you have put into this is commendable.

p.s. Don't forget to update https://www.xmbforum2.com/ after the release :)
miqrogroove
XMB 1.9.12 Lead Developer
posted on 10-17-2020 at 12:27 PM


Found too many bugs this week. I will try again next week. If any lurkers here are willing to install the beta or even the trunk version and report bugs, it will help immensely to prepare the release version 1.9.12.

Powered by XMB 1.9.12 (Debug Mode)
XMB Forum Software © 2001-2024 The XMB Group