Lampwrights Forum > Other Stuff > Other Vbulletin Mods
Register Community Today's Posts Search

Reply
 
Thread Tools
09-05-2012, 11:26 AM   #1
Jeff
Administrator
 
Jeff's Avatar
 
Join Date: Jul 2010
Posts: 402
Rep Power: 10
Jeff is getting browny points
Protect Tables

This product is a layer of security that tries to protect the plugin and template tables for vBulletin for installs using MySQL 5.5 or higher. It will not, and CAN NOT work for earlier versions of MySQL.

Here is how it works:

The plugin creates triggers and signals that are activated whenever data in the plugin or template tables are edited, inserted, or deleted. If the plugin in combination with MySQL determines that the user in question does not have any business changing said data, it denies the action and then logs the activity and optionally emails the administrator. This is done at the database layer, not the PHP layer, so unless an attacker has your unique phrase, or is in your admincp, or the mysql user in question has trigger privileges, they should not be able to change data in these tables.

Basically once the administrator area properly authenticates a user, it sets a secret session variable in MySQL. Unless that variable is defined, the trigger will not allow the protected tables to be altered.

The plugin and template tables are ideal targets for hackers. The plugin table allows them to execute arbitrary code, and the template table allows them to inject HTML where your users will view it.

Once the product is installed properly, no user without admincp access should be able to alter data in either of these tables.

Installation:

!!!!!!!!IMPORTANT!!!!!!!!

You MUST open the product file with a plain text editor and edit every instance of the word CHANGE_ME to a phrase consisting of a 4-8 letter combination of English letters (a through Z). NO SPACES OR SPECIAL CHARACTERS! Do not use any MySQL method names, function names, etc.. In fact, it should not be a word at all. This phrase has to change EVERY INSTANCE of CHANGE_ME in the product file. Example: JDHEISPA. The phrase has to be the same throughout the file. This is the best way to make sure your phrase is unique, and the best way to keep it from being viewable potential hackers.

Make sure your MySQL user has trigger privileges.

BACKUP YOUR DATABASE!

Once you install the product file, your tables will then be protected.

I highly recommend that you remove the MySQL users trigger privileges after you install the product.

If you want to increase security, hard code the plugins into the scripts, that way none of the source code can be retrieved with MySQL injection attacks.

Edit the settings in the protect tables section of vboptions. You will see a log in the vboptions dropdown (left side) of the admincp menu.

Frequently Asked Questions

Can I protect other tables?

Certainly. I restricted this to plugin and template because I cannot foresee any reason why these templates should be changed anywhere except for a user in the admincp. If you determine there are other tables that meet this criteria, create the same triggers in those tables and the product will automatically log those errors too, providing the error message is the same.

So now I am un-hackable right?

Oh my no! There are definitely other avenues of attack! A hacker may just as easily hack your site by inserting data into the setting, signature, phrase or tens of other tables. The plugin and template tables however, are capable of the most damage and are by far the most targeted. This is just a LAYER of protection.

How can I remove the copyright notice?

You may not remove the copyright notice but you may purchase a license for a version with no copyright notice. This helps support me in making more products in the future. You can purchase this version here.

Is the copyright free version any different?

No, other than displaying the copyright, there is no difference.

What versions of Vbulletin does this run on?

As far as I have tested, it runs from version 3.8.x to 4.2.0. It should work until VB 5.0.

(previous download count: 12)
Attached Files
File Type: zip product-protect_tables.zip (2.8 KB, 24 views)
Jeff is offline   Reply With Quote

10-07-2012, 06:50 PM   #2
Jeff
Administrator
 
Jeff's Avatar
 
Join Date: Jul 2010
Posts: 402
Rep Power: 10
Jeff is getting browny points
I have updated this to also watch the style table.
Jeff is offline   Reply With Quote
Reply

Tags

vbulletin plugins

,

vbulletin templates

,

vbulletin other



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Add Prefix To Existing Vbulletin Tables Jeff vBulletin Talk 7 11-13-2012 04:02 AM


All times are GMT -4. The time now is 09:22 PM.


Powered by vBulletin® Version 3.8.8 Beta 4
Copyright ©2000 - 2024, vBulletin Solutions, Inc.