Author Topic: What's New in SMF 2.1 - Security  (Read 21372 times)

Offline Trekkie101

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,157
  • Gender: Male
  • Ad Astra!
    • https://www.facebook.com/DLRPRoundup on Facebook
    • @dlrproundup on Twitter
    • DLRP Roundup
What's New in SMF 2.1 - Security
« on: September 10, 2012, 02:46:21 AM »
Last week we brought to you the first public alpha of SMF 2.1 in a blog post talking about current development. Over the coming weeks there will be a few blogs on some of the new features in SMF 2.1. Today I present our security enhancements.

We take security very seriously here at Simple Machines and to help further improve SMF 2.1 we have added the following features to strengthen our default guard.

IPv6 Support
Ban and post management now work by default with IPv6 and IPv4 without you needing to do anything, enhancing your ability to block people from using your forum.

Moderation Sessions
Previously, if you were logged in as an Administrator, before completing any administration tasks you would be presented with a dialog asking you to re-enter your password. This allowed SMF to ensure that if you had forgotten to log out elsewhere, no one could damage the settings of your forum. We realise that more often than not, there are more moderators on a forum than administrators, and with a moderation account a malicious person could delete or harm many of your boards' posts. To stop this, we have enabled moderation sessions too, so now before completing a moderation action your moderators will have to re-enter their password. Don't worry though, it's only once per active browsing session.

End Administration Session
In the same scope as above, to stop any malicious activity if someone has access to your administration centre, you can now select "Admin End Session" from the main menu in the administration centre and have them kicked right back out.

Tokens
If you're logged into SMF, and even if you've validated your session by re-entering your password, a malicious person could trick or fool you into clicking a link that would harm your forum by carrying out a given action (in some rare circumstances). To further protect SMF 2.1, there are now one-use tokens in play for every page. You won't notice them and they won't harm the running of your forum, but they will essentially stop anything off the page from interacting with anything on the page that you don't manually touch.

HTTP only cookies
This setting can be enabled to stop any script from touching your cookies and data files needed for SMF to run; essentially this will stop things like JavaScript from reading the cookies, gaining any access you have and carrying out actions on your behalf. This helps to protect from the rising threat of cross-site scripting attacks, where one site tries to get you to poison your own.

Open Development
SMF is Open Source software released under the BSD license; you can view our current progress and see the work on the features listed above on our GitHub account (our main source of development), where you can try out the latest code and submit changes or fixes of your own to the codebase.

http://github.com/SimpleMachines/SMF2.1
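
The following is an added illustration of the two mechanisms the post describes, one-use tokens per action and an HTTP-only session cookie. It is not SMF's own code and not from the post's author; the function names (`start_hardened_session`, `issue_token`, `consume_token`, `token_field`) and the `csrf_token` field name are hypothetical, and the in-memory `$session` array stands in for `$_SESSION` so the file runs from the command line without a web server.

```php
<?php
// Added example (not SMF code): one-use CSRF tokens bound to an action, plus a
// session cookie flagged HttpOnly so page scripts cannot read it.
// All function and parameter names below are hypothetical.

declare(strict_types=1);

// Issue the session cookie as HttpOnly (and Secure when served over TLS).
// Must be called before session_start(); array form needs PHP 7.3+.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',   // additionally limits cross-site form posts
        'path'     => '/',
    ]);
    session_start();
}

// Mint a token for one named action (e.g. "delete-post"). It lives only in the
// server-side session and in the form that carries it, and is discarded on use.
function issue_token(array &$session, string $action): string
{
    $token = bin2hex(random_bytes(32));
    $session['tokens'][$action] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Validate a submitted token: it must exist for this action, match in constant
// time, and be younger than $maxAge seconds. The stored copy is removed whether
// or not it matched, so a replayed or guessed token never gets a second try.
function consume_token(array &$session, string $action, ?string $submitted, int $maxAge = 3600): bool
{
    $stored = $session['tokens'][$action] ?? null;
    unset($session['tokens'][$action]);
    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $stored['issued'] > $maxAge) {
        return false;
    }
    return hash_equals($stored['value'], $submitted);
}

// Hidden field to embed in the form that performs the action.
function token_field(array &$session, string $action): string
{
    $token = issue_token($session, $action);
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Walkthrough with a constructed in-memory session in place of $_SESSION.
$session = [];
$field = token_field($session, 'delete-post');            // rendered into the page
preg_match('/value="([0-9a-f]{64})"/', $field, $m);
$submitted = $m[1];                                         // what the browser would post back

var_dump(consume_token($session, 'delete-post', $submitted)); // genuine first submission
var_dump(consume_token($session, 'delete-post', $submitted)); // replay of the same token
var_dump(consume_token($session, 'delete-post', 'forged'));   // action for which no token was issued
```

In a real deployment `start_hardened_session()` runs on every request and the helpers take `$_SESSION` as their session argument; a link or form from another site has no way to read the HttpOnly cookie or to obtain the per-action token, so the state-changing request it induces is rejected by `consume_token()` before anything happens.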

Offline Robert.

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,074
  • Gender: Male
    • nedroden on GitHub
Re: What's New in SMF 2.1 - Security
« Reply #1 on: September 10, 2012, 02:51:35 AM »
Great news :)
Software Engineering student
DraiWiki | Project Alpha

Offline Adish - (F.L.A.M.E.R)

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 10,614
  • Gender: Male
  • I am a ninja!
    • adishpatel on Facebook
    • https://www.linkedin.com/in/adishpatel on LinkedIn
Re: What's New in SMF 2.1 - Security
« Reply #2 on: September 11, 2012, 08:42:56 AM »
Awesome! Security is extremely important and SMF always tries to get on top of the issues before others get into it. :)

Online vbgamer45

  • Customizer
  • SMF Super Hero
  • *
  • Posts: 21,552
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: What's New in SMF 2.1 - Security
« Reply #3 on: September 11, 2012, 10:03:43 AM »
Lots of good stuff can't wait!
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Offline Joseph H

  • Jr. Member
  • **
  • Posts: 148
  • Gender: Male
    • Yatosha
Re: What's New in SMF 2.1 - Security
« Reply #4 on: September 11, 2012, 11:50:09 AM »
That's great.... And it's a big step ahead... Can't wait
Cheap webhosting +24 hours

Offline Deaks

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,156
  • Gender: Male
Re: What's New in SMF 2.1 - Security
« Reply #5 on: September 12, 2012, 04:49:15 AM »
nice post

Offline Antes

  • Evil Black Cat
  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,951
  • Gender: Male
  • Black cat rulz!
    • Antes on GitHub
    • merta on LinkedIn
    • @XinYenFon on Twitter
    • WoWSnips
Re: What's New in SMF 2.1 - Security
« Reply #6 on: September 12, 2012, 09:40:05 AM »
awesome post :)
You can support me directly via Patreon

In Catnip We Trust.
The solution is Catnip!
Vote for Catnip!

Current Project(s): [ WoWSnips ]
Past Project(s): [ ezPortal ] # [ Lunarfall ] # [ RDD (HTML5) ]

Offline butchs

  • SMF Hero
  • ******
  • Posts: 1,728
  • Lost 7GB bandwidth!
    • EastCoastRollingThunder
Re: What's New in SMF 2.1 - Security
« Reply #7 on: September 16, 2012, 10:05:54 AM »
Interesting...  Sessions sometimes give me a hard time.  I look forward to a new variation.

I have been playing with tokens.  Worked fine in a single php file but when I broke it into a source and template things went south.  Then my real job got into the way... preventing me from discovering why the tokens verification was failing between some script files.   Sounds like this new version will assist me to get back on track...  Sweet!!!

 :)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Offline SimpleGost

  • Full Member
  • ***
  • Posts: 626
  • Gender: Male
Re: What's New in SMF 2.1 - Security
« Reply #8 on: October 09, 2012, 01:53:28 PM »
Great Job!
I really like it! :)

Offline Xarcell

  • SMF Hero
  • ******
  • Posts: 1,684
  • Gender: Male
  • SMF-DP Supporter
Re: What's New in SMF 2.1 - Security
« Reply #9 on: January 02, 2013, 04:57:35 PM »
For security, is there a chance you can add a slider for human verification? Basically, an "Are You Human? Then slide a slider from left to right" (works with touch devices).

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,600
    • StoryBB/StoryBB on GitHub
Re: What's New in SMF 2.1 - Security
« Reply #10 on: January 02, 2013, 04:59:47 PM »
Not recommended.

The methodology of such would not be difficult to break for bots. All a bot has to do is identify the form value that relates to the slider, and make sure that its value is empty on submission. Given that SMF would then be a 'standard installation', it would be worth a bot author taking the time to identify the routine that generates this.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Xarcell

  • SMF Hero
  • ******
  • Posts: 1,684
  • Gender: Male
  • SMF-DP Supporter
Re: What's New in SMF 2.1 - Security
« Reply #11 on: January 02, 2013, 05:06:30 PM »
ok, thanks.