16 July 2024, 14:20 | #81
Registered User
Join Date: Nov 2010
Location: .
Posts: 388
19 August 2024, 15:13 | #82
Administrator
Join Date: Feb 2001
Location: Paris / France
Age: 46
Posts: 3,101
For me, EAB should stay as it is, with the old vb3 engine, because of the speed, nostalgia, and Amiga compatibility.

I don't care about mobile skin, double authentication, etc., but we have to be "findable" by search engines to not be useless. Now, if we want to keep the abime.net server secure, I have to keep the kernel and Linux packages up to date, because this server is online 24/24. This means PHP versions are always growing (EAB is running on PHP 7.x, but PHP 8.x will soon be live, etc.). So I will do the maximum to patch the PHP code and let it work with the latest PHP version. But maybe one day it won't be possible anymore, and if it happens, I will be forced to make a poll to choose between security (new forum engine) or an insecure EAB. Hopefully it won't happen soon.

Last edited by RCK; 19 August 2024 at 15:22.
19 August 2024, 15:46 | #83
son of 68k
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,391
Updates have their own issues, look at what happened with CrowdStrike.
Yesterday, 02:04 | #84
cheeky scoundrel
Join Date: Nov 2004
Location: Spijkenisse/Netherlands
Age: 43
Posts: 7,115
CrowdStrike hooks into kernel space, that is a whole different level of update disaster. But what would be even worse is if they would stop pushing those updates.
Yesterday, 05:30 | #85
old bearded fool
Join Date: Jan 2010
Location: Bangkok
Age: 57
Posts: 817
Quote:
From experience, being familiar enough with the PHP code to patch it increases the security a lot, and I like your plan.

Quote:
A working compromise for me is to never forget what the smartphone is, "an ankle monitor for the modern world", and leave it behind in certain situations.

Quote:
In vBulletin you have the "?p=123" parameter which takes you to post 123 in this case. Let's say a security flaw is reported where someone manages to inject an SQL string into this "p" parameter which does some nasty query on your database. The bug is disclosed in public and an official patch is released which changes the SQL query to be quoted differently in the PHP code.

Solution 1 (following guidance, not knowing the code): You apply this patch by updating, and feel good about yourself.

Solution 2 (thinking yourself, knowing the code): You quickly realize that the "p" parameter should never accept anything except integers. Since you know the code, you add code which checks whether "p" brings an integer; if not, you reject the parameter and give HTTP error "403".

"Solution 1" will fix the bug for the specific attack used to compromise the "p" parameter, while "Solution 2" will future-proof your code by preventing any SQL injection attacks regarding the "p" parameter ever again. As an added bonus, the quick HTTP error "403" exit in your code prevents DDOS attacks unintentionally created by hordes of bots trying to exploit the announced bug. Also, "Solution 2" lets you patch code which isn't officially supported anymore.

Last edited by modrobert; Yesterday at 07:28. Reason: Added lots of stuff, merged posts.
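A concrete form of the "Solution 2" check described in the post above, as an added example that is neither modrobert's nor vBulletin's code; the function names, the `post` table and its column names, and the PDO handle are assumptions:

```php
<?php
// Added example (not vBulletin code): strict validation of the "p" post-id parameter.
// Returns the post id as an int, or null when the value is not a positive integer.
function validatePostId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain decimal integer:
    // "123abc", "1 OR 1=1", "5.0", "0x7b" and so on all come back as false.
    // min_range => 1 additionally rejects zero and negative ids.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical request handler: reject early with 403 before touching the database,
// so a flood of bogus "p" values costs one cheap check per request and no query.
function loadPost(PDO $db, array $query): ?array
{
    $postId = validatePostId($query['p'] ?? null);
    if ($postId === null) {
        http_response_code(403);
        return null;
    }
    // Table and column names are assumptions. The id is bound as an integer through a
    // prepared statement, so the request value can never alter the SQL text itself.
    $stmt = $db->prepare('SELECT postid, title, pagetext FROM post WHERE postid = :id');
    $stmt->bindValue(':id', $postId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (assumed handle): $post = loadPost($db, $_GET);
```

Both layers matter: the integer check gives the early 403 exit the post describes, and the bound parameter keeps the query safe even if a later code change loosens the check.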
Yesterday, 07:46 | #86
son of 68k
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,391
Yesterday, 10:01 | #87
Registered User
Join Date: May 2023
Location: Norwich
Posts: 530
Quote:
Yesterday, 10:17 | #88
son of 68k
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,391
Quote:
Nevertheless, the situation is slightly different. Pushing updates all the time isn't exactly the same as an emergency fix. Was the CrowdStrike update a security fix, or did it contain a shitload of other things (especially things that users didn't want)?