poll security

[zzzz]

Just wanted to prove a point and see if anyone can influence this poll.
After some discussion about how secure they can be.

I have had a quick look at how outerlimits board has the polls implemented and it looks to me like it is pretty good.

So vote for either yes or no and see if you can make the totals jump significantly.



P.S - Hope this is cool with the admins, if not feel free to delete it.

cheers

Z

[bj on roids]

there you go i made no = 100% by being the first and only vote so far

without the admins adjusting it, cause we know they will be fair.

so cmawwn... try it out

[robbie]

unless you have access to the database in phpbb, then you can't change the way you vote ..

from what I have seen when I used to run it

[bj on roids]

a WHOPPING 19 votes so far

SO CMAWWWN

let me know, how do y'all intend to influence the voting and who is doing it cmawwn?

the 10 that voted yes....

and to be truly influenced im talking about over 1000 votes, none of this 8 votes crap. like 8 votes is gunna influence a poll STONERS!

[zzzz]

Someone has managed it - and if it isn't the admins then that is pretty cool

If it is one of the admins then it is lame

So, fess up if you were the one...

[The Master]

Only one person has that sort of power.

That one person would be me.

Hmmm.

[83 lux]

Only one person has that sort of power.

That one person would be me.

Hmmm.

Nice work

[bj on roids]

Only one person has that sort of power.

That one person would be me.

Hmmm.

AWWW i said the admins shouldnt CHEAT!!

BUT i wanna see spice change it so CMAWWWN

nobody but carl and he is god on the site!!

so someone else?

anybody?

[robbie]

bj: no one can do it - they are sh!t talkers

its coded well

[antt]

hmmm, someone seems to have voted more than once 8)

[antt]

jeeze bj, you must be getting slack in your old age, i thought you would have booted this to chit-chat a looooooooong time ago

[bj on roids]

jeeze bj, you must be getting slack in your old age, i thought you would have booted this to chit-chat a looooooooong time ago

actually this thread is my baby, so i dont mind being hypocritical.

any OTHER posts not on about the poll, WILL BE REMOVED FORCEFULLY and a letter will be written to your mum

[bj on roids]

Only one person has that sort of power.

That one person would be me.

Hmmm.

hey carl, out of curiosity do you think you could put it back to normal...

a couple of guys on here think they are pretty l337 and want to show thier SKILLZ BIOTCH3Z!!!!! anyways, yeah if you could put it back to normal or somewhere close, THEN we'd be sweet, and i dont want them to go ahh its done, i wont worry or some other lame excuse. I want to see if anyone (EXCLUDING ADMIN) can modify it DRAMATICALLY as in over 100,000 votes, none of this pansy, i have made 12 votes crapola 8)

[antt]

i'll just sign up 100,000 user names

[RUFF]

It wasnt me i only just got home from work

[Dozoor]

So hows it going Bj ? Did carl put it up on both yes and no?
Just as a mtter of interest , one of my boys rekons it could probly be done but would mean creating a email nasty Eg: delivered by email to other putes - writes the site info and action to explorer then activates once only on internet access / I have no idea im old.
Just wondering of his black art .

[WICKED]

i did not think i would make the difference.................... :(

life is cool and shyt happens

[The Master]

I've reset the votes to zero.

Everyone will be able to vote again as I cleared the register of people who have voted for this poll.

The server and database use the following method to prevent multiple votes.

User Name AND user IP. If more than a couple of votes comes from the same IP address, all votes from that IP will be removed.

Goold luck hackers. Knock yourselves out.

BJ - Tell them to bring it on.

Everyone else - I am the only person who can access the database directly. I have set up the firewall to only allow access to the db port from my IP address. That's all the hints you get.

Cheers,

Carl

[bj on roids]

I've reset the votes to zero.

Everyone will be able to vote again as I cleared the register of people who have voted for this poll.

The server and database use the following method to prevent multiple votes.

User Name AND user IP. If more than a couple of votes comes from the same IP address, all votes from that IP will be removed.

Goold luck hackers. Knock yourselves out.

BJ - Tell them to bring it on.

Everyone else - I am the only person who can access the database directly. I have set up the firewall to only allow access to the db port from my IP address. That's all the hints you get.

Cheers,

Carl

CHEERS DUDE.. YOU tha man...

lets see what these ricers have got

[Strange Rover]

I guess that one way to do it would be to get on onother BB and get a heap of people over to vote for you.

But I think that a poll like this one would probably stop most of them because to vote they would have to firstly have a look over here. Try to vote - realise that they have to register. Do the registration thing - get the emailed password - come back - logon - and then finally vote. I dont think that many people from another bulliten board would be bothered doing this much work for somebody that they dont know.

If the tuff truck was going to do the internet voting then they would be best using a complicated, time consuming setup where you have to register, get an email, login (maybe do the email thing a couple of times) before you can finally vote.

Something like this would stop a lot of people voting just because it was posted on another BB.

Sam

[bj on roids]

I guess that one way to do it would be to get on onother BB and get a heap of people over to vote for you.

But I think that a poll like this one would probably stop most of them because to vote they would have to firstly have a look over here. Try to vote - realise that they have to register. Do the registration thing - get the emailed password - come back - logon - and then finally vote. I dont think that many people from another bulliten board would be bothered doing this much work for somebody that they dont know.

If the tuff truck was going to do the internet voting then they would be best using a complicated, time consuming setup where you have to register, get an email, login (maybe do the email thing a couple of times) before you can finally vote.

Something like this would stop a lot of people voting just because it was posted on another BB.

Sam

EXACTLY!!! plus it is fairly secure on here!

[zzzz]

I've reset the votes to zero.

Everyone will be able to vote again as I cleared the register of people who have voted for this poll.

The server and database use the following method to prevent multiple votes.

User Name AND user IP. If more than a couple of votes comes from the same IP address, all votes from that IP will be removed.

Goold luck hackers. Knock yourselves out.

BJ - Tell them to bring it on.

Everyone else - I am the only person who can access the database directly. I have set up the firewall to only allow access to the db port from my IP address. That's all the hints you get.

Cheers,

Carl

Would that happen to be: 2**.*9.69.73
I just put the *'s there to not give away the whole address

Also some more of a hint on how the poll works:

POST /PHP_Modules/phpBB2/posting.php?t=3274 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows XP) Opera 7.0 [en]
Host: www.outerlimits4x4.com
Accept: text/html, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en
Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
Referer: http://www.outerlimits4x4.com/PHP_Modul ... php?t=3274
Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%225d2ef0ce101623cc9eab40afba534eb1%22%3Bs%3A6%3A%22userid%22%3Bi%3A180%3B%7D; phpbb2mysql_sid=e64a8d13fd4283b0656485902fbe5ec8; phpbb2mysql_t=a%3A14%3A%7Bi%3A3292%3Biblahblahblah
Cookie2: $Version="1"
Proxy-Connection: close
Content-type: application/x-www-form-urlencoded
Content-length: 52

vote_id=1&submit=Submit+Vote&topic_id=3274&mode=vote

[The Master]

If your refering to my IP addres your not even close.

I doubt that the extract from your browser's post will help you much in fooling the system.

Cheers,

Carl

[bj on roids]

If your refering to my IP addres your not even close.

I doubt that the extract from your browser's post will help you much in fooling the system.

Cheers,

Carl

ROFLMAO

[antt]

hmmmmmmmmmmm, no change yet

where's all these so called 1337 H4x0r5?????

[80diesel4play]

This is definitely appealing to all the IT geeks

Explains why I'm posting....

[bj on roids]

I see 9 leet haxxors that are all talk

[zzzz]

If your refering to my IP addres your not even close.

I doubt that the extract from your browser's post will help you much in fooling the system.

Cheers,

Carl

There was a vulnerability in this php board that obfuscated the IP address of the poster in the first few hex bytes of the address of their avatar image. All you needed to do was convert from hex to decimal and you had a posters id. Maybe that isn't working then, or you posted it from a proxy or something.

The outlimites BB itself looks pretty secure to me.
It is vulnerably to a XSS attacking that could be used to get all the members logins and emails, but is fairly complex for the results returned.

The poll is secure - but the underlying web server is not.

Anyways:

SSH-1.99-OpenSSH_3.1p1.
see here for the exploit - http://www.openssh.org/txt/preauth.adv,

Sendmail 8.11.6/8.11.6; Fri, 4 Apr 2003 08:52:09 +1000.. http://www.auscert.org.au/render.html?it=2815&cid=1

You probably are not too concerned as it is only a web server for the 4x4 forum, but who knows. Thought I would say so as I had been looking at the poll.

[The Master]

Sorry boys, but the server is secure.

Remember the 40 min outage last Monday?

That was for all the latest patches to be installed.

That included SSH and Sendmail.

We also run CHROOT and a very strong firewall / set of iptables rules.

Cheers,

Carl

[bj on roids]

12 people have said they can hack it!

CMAWWWN