Protect Tables
1 Attachment(s)
This product is a layer of security that tries to protect the plugin and template tables for vBulletin for installs using MySQL 5.5 or higher. It will not, and CAN NOT work for earlier versions of MySQL.
Here is how it works: The plugin creates triggers and signals that are activated whenever data in the plugin or template tables are edited, inserted, or deleted. If the plugin in combination with MySQL determines that the user in question does not have any business changing said data, it denies the action and then logs the activity and optionally emails the administrator. This is done at the database layer, not the PHP layer, so unless an attacker has your unique phrase, or is in your admincp, or the mysql user in question has trigger privileges, they should not be able to change data in these tables. Basically once the administrator area properly authenticates a user, it sets a secret session variable in MySQL. Unless that variable is defined, the trigger will not allow the protected tables to be altered. The plugin and template tables are ideal targets for hackers. The plugin table allows them to execute arbitrary code, and the template table allows them to inject HTML where your users will view it. Once the product is installed properly, no user without admincp access should be able to alter data in either of these tables. Installation: !!!!!!!!IMPORTANT!!!!!!!! You MUST open the product file with a plain text editor and edit every instance of the word CHANGE_ME to a phrase consisting of a 4-8 letter combination of English letters (a through Z). NO SPACES OR SPECIAL CHARACTERS! Do not use any MySQL method names, function names, etc.. In fact, it should not be a word at all. This phrase has to change EVERY INSTANCE of CHANGE_ME in the product file. Example: JDHEISPA. The phrase has to be the same throughout the file. This is the best way to make sure your phrase is unique, and the best way to keep it from being viewable potential hackers. Make sure your MySQL user has trigger privileges. BACKUP YOUR DATABASE! Once you install the product file, your tables will then be protected. I highly recommend that you remove the MySQL users trigger privileges after you install the product. If you want to increase security, hard code the plugins into the scripts, that way none of the source code can be retrieved with MySQL injection attacks. Edit the settings in the protect tables section of vboptions. You will see a log in the vboptions dropdown (left side) of the admincp menu. Frequently Asked Questions Can I protect other tables? Certainly. I restricted this to plugin and template because I cannot foresee any reason why these templates should be changed anywhere except for a user in the admincp. If you determine there are other tables that meet this criteria, create the same triggers in those tables and the product will automatically log those errors too, providing the error message is the same. So now I am un-hackable right? Oh my no! There are definitely other avenues of attack! A hacker may just as easily hack your site by inserting data into the setting, signature, phrase or tens of other tables. The plugin and template tables however, are capable of the most damage and are by far the most targeted. This is just a LAYER of protection. How can I remove the copyright notice? You may not remove the copyright notice but you may purchase a license for a version with no copyright notice. This helps support me in making more products in the future. You can purchase this version here. Is the copyright free version any different? No, other than displaying the copyright, there is no difference. What versions of Vbulletin does this run on? As far as I have tested, it runs from version 3.8.x to 4.2.0. It should work until VB 5.0. (previous download count: 12) |
I have updated this to also watch the style table.
|
All times are GMT -4. The time now is 01:58 PM. |
Powered by vBulletin® Version 3.8.8 Beta 4
Copyright ©2000 - 2024, vBulletin Solutions, Inc.