XMB Forum Software
Subject: Continued Development
bfgadmin
Member
Posts: 38
Registered: 5-7-2020
Location: Pittsburgh, PA
Member Is Offline
Mood: Technical

posted on 8-20-2020 at 07:09 PM


A few quick notes on this, on our XMB forum we changed the hashing algorithm to SHA256 (I believe), and of course had to rehash existing passwords (via mandatory password reset).

We also added a database table to track failed logins, and even an anti-spam system to track known behavior (i.e. proceeding to the User CP within a minute of registration, attempts to insert URLs into bio/signature fields, etc.).

If anybody is interested in collaborating on this, let me know! I also run a forum in a non-production environment that we can nuke the crap out of in the name of development/progress :lol:

Can I just add how exciting it is to see interest in XMB?

XMB Rocks!
bfgadmin
Member

posted on 8-20-2020 at 07:20 PM


Quote: Originally posted by miqrogroove  
Quote: Originally posted by lottos  

XMB misc.php allows one password reset request per 24 hours, date and time of last request in members table, column pwdate.


This part is fine. The report shows we have less than 3 bytes of useful entropy and even less with stronger hacks. Without any rate limits or extra tokens it is possible to brute force account access.


Oh yes, we danced with this for quite a while. Our site owner was dead set on VB initially, but I managed to talk him into going with XMB, so this issue in particular was in the forefront.

Other than account lockout timers (similar to the Windows domain feature) and implementing a more secure hashing algorithm (SHA256) we never did find a neat & tidy solution. I proposed everything from password complexity requirements and PIN codes to multifactor authentication. Our Sophos UTM security appliance with WAF adds another layer of intrusion prevention, exploit mitigation and session hardening, but of course this isn't bulletproof either.

For us, a key security measure is frequent backups. Every time we move code into the production environment, we take a full backup. Backups are also conducted three times per day, using Windows scheduled tasks and saved to a shared network location. This location is backed up once daily to physical disk.

Fortunately I have physical server access which makes this process much easier. On that same note, we have plenty of extra space on the server and gigabit bandwidth if anybody needs a place to host an XMB instance! Also can accommodate your own domain provided you can point them at our nameservers. :thumbup:

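As an added illustration (not code from XMB or from any poster in this thread) of the measures discussed in the two posts above: a reset-token issuer that keeps the one-request-per-24-hours rule but uses a 256-bit single-use token stored only as a hash, plus a failed-login tracker with a lockout timer. The in-memory arrays, the lockout thresholds, the token lifetime and the function names are assumptions.

```php
<?php
// Added example (not XMB code): a password-reset token issuer with real entropy and
// a per-account rate limit, plus a failed-login tracker with a lockout timer.
// The in-memory arrays stand in for the members and failed-login tables (assumed).
declare(strict_types=1);

const RESET_WINDOW = 86400;  // one reset request per 24 h, like the pwdate check
const TOKEN_TTL    = 3600;   // reset token lifetime in seconds (assumed)
const MAX_FAILURES = 5;      // failed logins before lockout (assumed)
const LOCKOUT_SECS = 900;    // lockout timer, 15 minutes (assumed)

$members = ['alice' => ['pwdate' => 0, 'reset_hash' => null, 'reset_exp' => 0]];
$failed  = [];               // username => ['count' => int, 'last' => timestamp]

// Issues a reset token, or null when the account is still inside the 24-hour window.
function issueResetToken(array &$members, string $user, int $now): ?string {
    $m = &$members[$user];
    if ($now - $m['pwdate'] < RESET_WINDOW) {
        return null;                               // rate limited
    }
    $token = bin2hex(random_bytes(32));            // 256 bits of entropy, not ~3 bytes
    $m['reset_hash'] = hash('sha256', $token);     // store only a hash of the token
    $m['reset_exp']  = $now + TOKEN_TTL;
    $m['pwdate']     = $now;
    return $token;                                 // delivered to the user out of band
}

// Verifies a presented token in constant time; the token is single use either way.
function verifyResetToken(array &$members, string $user, string $token, int $now): bool {
    $m = &$members[$user];
    if ($m['reset_hash'] === null || $now > $m['reset_exp']) return false;
    $ok = hash_equals($m['reset_hash'], hash('sha256', $token));
    $m['reset_hash'] = null;
    return $ok;
}

// Records a login attempt. Returns true when the account is locked out, in which
// case the caller should reject the attempt even if the password was correct.
function recordLoginAttempt(array &$failed, string $user, bool $success, int $now): bool {
    $f = $failed[$user] ?? ['count' => 0, 'last' => 0];
    if ($f['count'] >= MAX_FAILURES && $now - $f['last'] < LOCKOUT_SECS) {
        return true;
    }
    $failed[$user] = $success ? ['count' => 0, 'last' => 0]
                              : ['count' => $f['count'] + 1, 'last' => $now];
    return false;
}

$t = issueResetToken($members, 'alice', 1000000);       // first request: token issued
$again = issueResetToken($members, 'alice', 1000060);   // second request inside the window is rate limited
$ok = verifyResetToken($members, 'alice', $t, 1000100); // verify the token just issued, then it is spent
```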
miqrogroove
XMB 1.9.12 Lead Developer
Posts: 369
Registered: 10-1-2002
Location: Florida
Member Is Offline
Mood: Past Three O'Clock

posted on 8-20-2020 at 10:01 PM


What would be an appropriate version number for the next patch then? If it requires a schema upgrade and PHP upgrade, would it become 1.9.12?
bfgadmin
Member

posted on 8-20-2020 at 11:10 PM


Quote: Originally posted by miqrogroove  
What would be an appropriate version number for the next patch then? If it requires a schema upgrade and PHP upgrade, would it become 1.9.12?


Sounds right to me!

Exciting times :singing:

So what's the plan, Micro?

miqrogroove
XMB 1.9.12 Lead Developer

posted on 8-21-2020 at 12:27 AM


I'm just thinking big picture. If I overhaul the session handler and bump the PHP requirement to 7+ then we can also unfreeze features and text. But I don't think it will be anything more than bug fixes.
miqrogroove
XMB 1.9.12 Lead Developer

posted on 8-25-2020 at 12:14 PM


Are there any existing hacks that should get baked into 1.9.12?

I was thinking our new user moderation system has become such a vital anti-spam tool that it would have even more value as an integrated feature set.

https://sourceforge.net/p/xmb-forum/code/HEAD/tree/hacks/tru...

The code has been stable for years, and just needs some refinement to make it look more official.
lottos
Administrator
Posts: 399
Registered: 6-3-2002
Location: Competitions Australia: https://www.lottos.com.au/
Member Is Offline
Mood: pass me a TimTam

posted on 8-26-2020 at 07:52 AM


Quote: Originally posted by miqrogroove  
Are there any existing hacks that should get baked into 1.9.12?

I was thinking our new user moderation system has become such a vital anti-spam tool that it would have even more value as an integrated feature set.

https://sourceforge.net/p/xmb-forum/code/HEAD/tree/hacks/tru...

The code has been stable for years, and just needs some refinement to make it look more official.


After reviewing the list of existing hacks, I think the moderation system is a great and most appropriate candidate to be baked in.

Largest list of competitions online!
miqrogroove
XMB 1.9.12 Lead Developer

posted on 8-26-2020 at 06:01 PM


Agreed then. I'm open to more suggestions. Even if new-user moderation is the only major new feature, I think it's a realistic and understandable roadmap.

I've got about 400 lines of the new session handler written so far here at home. I'm trying to make the impact on existing files as little as possible. I committed one significant change to the functions.inc.php because we will soon need a function to go between the session handler and the IP banning logic. Having that part separated out now should help keep that part stable when I start tearing out the old cookie commands.
lottos
Administrator

posted on 8-27-2020 at 12:03 AM


I'm assuming you mean existing hacks such as those listed here:
https://www.xmbforum2.com/modifications/
which has these two (not sure of the difference between them):
google-rdf-breadcrumbs.zip
rdfa-breadcrumbs.zip

Maybe a contender?

If you also mean possible new hacks, tagging members in a post eg. @miqrogroove would be cool, with a u2u notification to the tagged member with u2u message linking to the relevant post.
[edit: ignore the paragraph above as I reread your first post that does say existing.]

Would it be worthwhile for the 1.9.12 alpha version you have on the SVN to be implemented on this forum for testing before making the new session handler?

miqrogroove
XMB 1.9.12 Lead Developer

posted on 8-27-2020 at 12:45 AM


Yes those hacks. Should be the same ones as in SVN.

The breadcrumbs hacks are obsolete AFAIK. I wrote one of them based on the standard that was current at the time, and I believe that language is no longer supported by Google.

I added a subdomain alpha dot. I'm using it for syntax checks and dev testing only. You can try it but it's only 1.9.11 with a bunch of minor bug patches so far.

We can eventually upgrade the production site when the first beta is released. I think that's how we've done it in the past.
lottos
Administrator

posted on 8-27-2020 at 11:31 AM


Not existing hacks, but perhaps the last post date and time could be a link to the actual last post? Could be more intuitive for some?

[attachment: delete.png]

[edit: saw a nifty implementation of something similar from forum provider microcosm where they have for example:
@Ken replied 3 hours ago

Broken down:
'@Ken' is hyperlink to member profile
'replied' is the hyperlink to the last post
'3 hours ago' is clickable and changes to the date and time posted]

miqrogroove
XMB 1.9.12 Lead Developer

posted on 8-28-2020 at 03:59 PM


I would think bigger. Maybe the entire table cell in each Forum / Subject / Last Post column could be clickable. Would you care to add that as a feature request in the bug tracker?

Today I'm trying to work out the details of automatic session token regeneration. It adds a lot of complexity to the new session handler. I'll try to make it possible to switch that off or remove it in case we find problems in testing.
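An added illustration of the automatic token regeneration discussed in the post above (this is not miqrogroove's session handler, whose code is not on this page): the complexity it mentions comes from requests already in flight when the token changes, which a short grace window for the previous token absorbs, and the `$rotate` flag is the kind of off switch the post proposes. The interval and grace values, the in-memory store and the function names are assumptions.

```php
<?php
// Added example (not XMB's session handler): a session store that rotates the session
// token after a fixed interval, keeping the previous token valid for a short grace
// window so requests already in flight are not logged out. Values are assumptions.
declare(strict_types=1);

const ROTATE_AFTER = 600;   // rotate a token after 10 minutes of use (assumed)
const GRACE_SECS   = 30;    // previous token accepted this long after rotation (assumed)

function newToken(): string {
    return bin2hex(random_bytes(32));   // 256 bits of entropy, hex encoded
}

// $sessions maps token => ['uid', 'issued', 'prev' (old token or null), 'rotated'];
// it stands in for the sessions table.
function startSession(array &$sessions, int $uid, int $now): string {
    $t = newToken();
    $sessions[$t] = ['uid' => $uid, 'issued' => $now, 'prev' => null, 'rotated' => $now];
    return $t;
}
// Resumes a session from a presented token. Returns [uid, token the cookie should now
// hold] or null when the token is rejected. $rotate = false is the off switch.
function resumeSession(array &$sessions, string $token, int $now, bool $rotate = true): ?array {
    // A previous token is honoured only inside the grace window after its rotation.
    foreach ($sessions as $cur => $s) {
        if ($s['prev'] !== null && hash_equals($s['prev'], $token)) {
            if ($now - $s['rotated'] <= GRACE_SECS) {
                return [$s['uid'], $cur];        // tell the client to switch to $cur
            }
            $sessions[$cur]['prev'] = null;      // grace over: forget the old token
            return null;
        }
    }
    if (!isset($sessions[$token])) {
        return null;                             // unknown or already replaced token
    }
    $s = $sessions[$token];
    if (!$rotate || $now - $s['issued'] < ROTATE_AFTER) {
        return [$s['uid'], $token];              // no rotation due
    }
    // Rotation due: issue a fresh token and remember the old one for the grace window.
    $fresh = newToken();
    $sessions[$fresh] = ['uid' => $s['uid'], 'issued' => $now, 'prev' => $token, 'rotated' => $now];
    unset($sessions[$token]);
    return [$s['uid'], $fresh];
}
$store = [];
$tok = startSession($store, 42, 1000000);
[$uid, $tok2] = resumeSession($store, $tok, 1000700);   // 700 s later: the token is rotated
```

A request that still carries `$tok` within 30 s of that rotation is accepted and told to switch to `$tok2`; after that it is rejected and the old token is forgotten.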
miqrogroove
XMB 1.9.12 Lead Developer

posted on 9-26-2020 at 01:14 PM


Quote: Originally posted by lottos  

google-rdf-breadcrumbs.zip
rdfa-breadcrumbs.zip

Maybe a contender?


Going to take a second look at this.

Beta 2 is up.
Powered by XMB 1.9.12 Beta 2 (Debug Mode)
XMB Forum Software © 2001-2020 The XMB Group