I posted this a couple of days ago and I'm not sure if this notice was removed by the mods because the thread was spammed and I reported it, or because the mods didn't like the content.
I'll try again - mods please leave this - it's really important! You could be opening a massive door in your clients' forums and they should be told. It is not one to sweep under the carpet (melodrama over). chat_login.php in the integration packages allows rapid unrestricted testing of username/password pairs and is therefore a major security weak point. It must be protected with .htaccess or in httpd.conf (or equivalent on other servers) by restricting access to only the IP of the chat server. It would be a trivial task to take a username and write a script that bangs away on this file in a brute-force / dictionary attack. There is no system to restrict this as there would normally be on a login system. It is also a very lightweight script, so this could be done very fast, with no noticeable load on the server to alert the admin. 123Flashchat, please include this point in your documentation for your integration packages.
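An added example of the Apache restriction the post describes (this is not code from the original post or from 123Flashchat's integration packages). It assumes the integration package lives in the directory the .htaccess file is placed in, and the chat server address 203.0.113.10 is a constructed placeholder to be replaced with the real one:

```apache
# Added example: allow only the chat server to reach chat_login.php.
# 203.0.113.10 is a constructed placeholder for the chat server's IP address.

# Apache 2.4 and later (mod_authz_core / mod_authz_host).
# In .htaccess this needs "AllowOverride AuthConfig" for the directory;
# in httpd.conf put the same <Files> block inside the site's <Directory> block.
<Files "chat_login.php">
    Require ip 203.0.113.10
    # If the chat server runs on the same machine as the web server,
    # "Require local" (loopback connections only) can be used instead.
</Files>

# Apache 2.2 equivalent (mod_access). In .htaccess this needs "AllowOverride Limit".
# Use one syntax or the other, matching the Apache version actually installed.
# <Files "chat_login.php">
#     Order Deny,Allow
#     Deny from all
#     Allow from 203.0.113.10
# </Files>
```

To check that the restriction is in effect, request chat_login.php from any host other than the chat server: it should now return 403 Forbidden, while the chat server itself still gets the normal response. If the rule has no effect in .htaccess, the AllowOverride setting for that directory is the usual cause.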