
Thread: using strongbox? look in here

  1. #1
    Chilihost

    using strongbox? look in here

    For those of you using Strongbox, please be aware that I have run into a small security issue that you should address immediately.

    When Ray sets up Strongbox, he adds an installer's account to your password file with the userid sbinstall. This account is also given the rights to log in to your site's Strongbox admin reports. Of course, this is required for him to set things up.

    I have a client who discovered that hackers are using this userid to get into the reports area and download a list of valid userids for hacking purposes. I have spoken with Ray about this and his recommendation is to remove the sbinstall userid from your password files. This will disable the sblogin userid from being used to access both your website and the admin reports. This is easily done by logging into your admin reports and using the password file manager.

    So far this has only affected one client running a straight teen website.

    cheers,
    Luke


  2. #2
    Jeff&Deaw

    Thanks for the Heads Up

    Luke:

    Thanks for the information. We are getting ready to install Strongbox!

    Jeff & Deaw


  3. #3
    Thanks for the heads up, Luke

    We're all fixed on Condom Cash now hehe

    Now I need to get in touch with Ray about 8 more StrongBox installs I'm going to be needing shortly.

    Regards,

    Lee


  4. #4
    raymor
    I have an updated recommendation for the fix and also wanted to let
    people know that this concern does NOT apply to Strongbox installations
    done in the last couple of months.

    Rather than removing the user name, it may actually be better to just change its
    password to something that won't be easily guessed, just some random
    characters.
    If you remove the "sbinstall" user name from your password file, you should
    also remove it from the "$adminusernames" variable in cgi-bin/sblogin/config.pl.


  5. #5
    Takemytaco
    I didn't find sbinstall, should I be worried?

    I also read on gfy something about some sites using strongbox being "hacked"


  6. #6
    raymor
    If there is no user name called "sbinstall" that's fine.
    If you're an extremely security conscious type of person
    you can check in cgi-bin/sblogin/config.pl and make sure
    it's not listed under $adminusernames also.

    The thread on GFY can be summarized as:
    A webmaster was pissed at another webmaster named Jono.

    The pissed off webmaster searched the password forums and
    finally found a password that worked for Jono's site.

    The pissed off guy tried to rip Jono's site, but couldn't because of the basic ripping
    protection that Strongbox has as a minor bonus feature (actually a side effect
    of some other security). The automatic built in ripping protection is such a minor
    little feature that it's not even mentioned on the Strongbox features page. (What
    IS mentioned is that Strongbox is designed to work well WITH ripper protection systems.)

    Although Jono hadn't added the spider trap links that Strongbox can use to
    enhance the protection, even the automatic "side effect" ripper protection was
    good enough to stop a basic ripper program.

    The pissed off guy wrote a custom program to get around the simple automatic
    ripper protection in Strongbox, using the password he had for Jono's site.

    So none of the security features designed into Strongbox were hacked in any way.
    It just happens that Strongbox makes it harder to rip a site even if you don't add
    the links that I suggest so the guy had to write custom software to avoid being
    thwarted by a feature that doesn't even exist.

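    As an added example (not code from this thread or from Strongbox itself), here is a small Python audit that applies Ray's two recommendations from posts #4 and #6: it reports whether `sbinstall` is still present in the password file or in `$adminusernames`, removes it from both, or generates an unguessable replacement password. The htpasswd-style `user:hash` layout, the quoted space-separated form of `$adminusernames`, and the sample file contents are all assumptions, since the thread does not show either file's real format.

```python
import re
import secrets
import string

# Constructed sample of a Strongbox-style password file. The htpasswd
# "user:hash" layout is an assumption, as are the hash values.
PASSWD_FILE = """\
member01:$apr1$abcdefgh$CONSTRUCTEDHASH0000000
sbinstall:$apr1$ijklmnop$CONSTRUCTEDHASH1111111
member02:$apr1$qrstuvwx$CONSTRUCTEDHASH2222222
"""

# Constructed stand-in for cgi-bin/sblogin/config.pl. The thread only names the
# $adminusernames variable; a quoted, space-separated list is an assumption.
CONFIG_PL = """\
$adminusernames = "siteowner sbinstall";
"""

INSTALLER_USER = "sbinstall"

def password_file_users(text):
    """Return the user names listed in an htpasswd-style file."""
    return [line.split(":", 1)[0] for line in text.splitlines() if ":" in line]

def admin_usernames(config_text):
    """Return the names in $adminusernames, or [] if the variable is absent."""
    m = re.search(r'\$adminusernames\s*=\s*["\']([^"\']*)["\']', config_text)
    return [n for n in re.split(r"[,\s]+", m.group(1)) if n] if m else []

def audit(passwd_text, config_text, user=INSTALLER_USER):
    """Report where the installer account is still present."""
    return {
        "in_password_file": user in password_file_users(passwd_text),
        "in_admin_list": user in admin_usernames(config_text),
    }

def remove_user(passwd_text, config_text, user=INSTALLER_USER):
    """Drop the user from both files (the 'remove it' option in post #4)."""
    kept = [ln for ln in passwd_text.splitlines() if ln.split(":", 1)[0] != user]
    names = [n for n in admin_usernames(config_text) if n != user]
    new_cfg = re.sub(r'(\$adminusernames\s*=\s*)["\'][^"\']*["\']',
                     lambda m: m.group(1) + '"' + " ".join(names) + '"', config_text)
    return "\n".join(kept) + "\n", new_cfg

def random_password(length=24):
    """Unguessable replacement password (the 'change it' option in post #4)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

    Run `audit(PASSWD_FILE, CONFIG_PL)` against your own two files' contents; both flags should come back False once the account is gone, and `random_password()` gives you a value to set instead if you would rather keep the account.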

  7. #7
    DEVELISH
    Damn nice non-existing feature, Ray !!!!!

