Security issue

Started by TheGuy12, April 05, 2019, 07:15:44 PM

TheGuy12

Hello,

I have a security issue with my SMF forum, and I'm not sure how to fix it.

Basically, admins can access .php files using the error log and therefore read their content, which should not be possible.

Can I somehow prevent this?

It shows the .php file in some kind of text viewer, with line numbers.


Regards

Arantor

No, you can't. But honestly, admins have way more power, like actually editing the files.

If you don't trust them, don't make them admins.

Kindred

Yup... an admin basically has full access to your file system through both the package manager and the theme manager... so showing them a part of the PHP file in the error log is not actually a security issue in any real way.

Heck, they can see the source code of EVERY one of the SMF files by downloading the script for themselves.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

LiroyvH

Gentle reminder that editing files can be prevented by having sane file permissions.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
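
The file-permission point above can be checked from a shell on the server. This is an added example, not part of the thread and not SMF code; the function name `audit_php_writable` and the idea of passing the web server account as an argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list PHP files that the web server account could modify.
# If PHP (running as the web server account) can write to a file, anything
# reachable through the admin panel can rewrite that file too.
#
# Usage: audit_php_writable FORUM_DIR WEB_USER
#   FORUM_DIR  directory holding the forum files (assumed layout)
#   WEB_USER   user name or numeric uid the PHP process runs as (assumption:
#              you know it, e.g. from your web server configuration)
audit_php_writable() {
    dir=$1
    web_user=$2
    # A .php file is reported when any of these holds:
    #   - it is owned by WEB_USER and owner-writable
    #   - it is group-writable (reported conservatively, since WEB_USER
    #     may be a member of the owning group)
    #   - it is world-writable
    find "$dir" -type f -name '*.php' \
        \( -user "$web_user" -perm -0200 \
           -o -perm -0020 \
           -o -perm -0002 \) -print
}
```

An empty result means none of the PHP files under the directory are writable through these three paths; files owned by a separate deploy account with mode 0644 or stricter will not be listed.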

Bob Perry of Web Presence Consulting

All of the above, yes and also realize that those "admins" you've allowed can also change YOUR profile so that you are no longer an admin...
Best Regards,
Bob Perry



"The world is moving so fast these days that the man who says it can't be done is generally interrupted by someone doing it." Elbert Hubbard

drewactual

There are three admins on my primary site, and all of them are me. ... There are two decoy admins that hopefully draw fire from outsiders. I once locked myself out years ago while far away from my box, and this is the only reason there are three.

Arantor

Also I'd note that the base code is downloadable by anyone, so... the base code is visible to anyone anyway.