Re: List of all admin accounts in phpBB

From: Aaron Klein (klein.aaron_at_gmail.com)
Date: 01/27/05

    Date: Wed, 26 Jan 2005 18:25:32 -0500
    To: bugtraq@securityfocus.com
    
    

    Or just search your phpbb_users table in your database for users that
    have a user_level = 1. Those are admins. User_level of 0 corresponds
    to regular users and User_level of 2 are moderators.

    On Tue, 25 Jan 2005 23:48:20 +0100, Predrag Damnjanovic
    <bugtraq@mycity.co.yu> wrote:
    > After discovering 'highlight' vulnerability in phpBB, many forums
    > were patched, but... it is possible that attackers created [secret]
    > admin accounts...
    > It is very hard to find secret admin accounts if the forum has too
    > many users... you must check every account...
    >
    > So, here is a simple PHP script, that will show a list of all admin
    > accounts on your phpBB forum.
    > Just simply copy this file to phpBB directory...
    >
    > After you find attacker admin accounts, and remove admin status
    > from those accounts, you can delete this script, and of course, you
    > should upgrade your phpBB to the latest version.
    >
    > A demonstration of this script can be found at
    > http://www.mycity.co.yu/phpbb/admin_list.php
    >
    > Best regards,
    > Predrag Damnjanovic
    > http://www.mycity.co.yu/
    >
    >
    >

    -- 
    Have pets?  Get the help you need from the Pet Advice Network.
    We have 6 websites ready to help you.  http://www.petadvice.net
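
Added example, not part of the original message or of phpBB: the user_level check from the reply above, run against a constructed in-memory SQLite stand-in for phpbb_users and compared with an allow-list of the admins you expect. The column names other than user_level, the sample rows and the function names are assumptions for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Role codes as stated in the reply: 0 = regular user, 1 = admin, 2 = moderator.
ROLES = {0: "user", 1: "admin", 2: "moderator"}


def build_sample_db():
    """Constructed sample data; a real forum would be queried in its own database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT,"
        " user_level INTEGER, user_regdate INTEGER)"  # assumed columns
    )
    conn.executemany(
        "INSERT INTO phpbb_users VALUES (?, ?, ?, ?)",
        [
            (2, "siteowner", 1, 1041379200),
            (3, "alice", 0, 1070000000),
            (4, "modbob", 2, 1080000000),
            (5, "helpdesk_", 1, 1106600000),  # admin nobody remembers creating
            (6, "carol", 0, 1090000000),
        ],
    )
    return conn


def privileged_accounts(conn):
    """Every account whose user_level is not 0, newest registration first."""
    rows = conn.execute(
        "SELECT user_id, username, user_level, user_regdate FROM phpbb_users"
        " WHERE user_level <> 0 ORDER BY user_regdate DESC"
    ).fetchall()
    return [
        (uid, name, ROLES.get(level, "unknown"),
         datetime.fromtimestamp(reg, tz=timezone.utc).date().isoformat())
        for uid, name, level, reg in rows
    ]


def unexpected_admins(conn, expected_admins):
    """Admins (or unrecognised levels) that are not on the allow-list."""
    return [
        acct for acct in privileged_accounts(conn)
        if acct[2] in ("admin", "unknown") and acct[1] not in expected_admins
    ]


if __name__ == "__main__":
    for acct in unexpected_admins(build_sample_db(), {"siteowner"}):
        print("review:", acct)
```
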
    
