exponder wrote: Working on a sort of blog project. First handling the admin part.
Script checks to see if there's an Administrator account; if not, you're prompted to create one via forms/php (mysql insert). The only problem with this is that if the user of the blogger doesn't lock his admin directory, then it would be simple for someone who knows the script to run the creation file.
Any suggestions?
I don't fully understand what the relationship between an administrator, a blog user, and the rest of the world is. I'll tackle two different cases here. See if either of these matches what you are trying to do.
Case 1 - The site is run by an Administrator, individuals can register at the site in order to create their own blogs.
In this case, the absence of an Administrator account means that either the script ballsed up the setup process, the admin bailed out halfway through, the script or admin accidentally deleted the admin account, or some other Bad Thing happened (db problem, deliberate attack, etc).
All scripts could check for the existence of an admin account. If they fail to find one, they abort with a generic error message "Sorry, this service is currently unavailable". The admin should be equipped with a command line diagnostic tool which he runs to discover that the admin account is missing, and he is then prompted for a new one. This script can only be run from the command line and so is shielded from abuse by the passing web community.
In any case someone should investigate how the setup ended up in this situation.
Just one question on this - would you really need to have all pages check for this, or just the admin pages?
Case 2 - The site is run by an Administrator, individuals can register at the site in order to create their own blogs, and blogging individuals need their own admin account.
In this case, the absence of a user's administrator account means that either the script ballsed up the registration process, the user bailed out halfway through, the script or admin accidentally deleted the admin account, or some other Bad Thing happened (db problem, deliberate attack, etc).
The individual's blog should not be activated until the whole setup process is completed. An "abandoned" registration does not create a half-assed blog.
As part of the registration process, you could send a mail to the new user, inviting them to click on an enclosed link. That link could contain a hashed value to identify the user. Encourage the user to keep this in a safe place. When the user clicks on that link, it could submit to a form which completes the registration process by creating the user's admin account, unless it already exists. Now, if that admin account becomes deleted for any reason, the user has a skeleton key to recreate it.
To be honest, I don't think you've really explained what you're trying to do and how the problem you're trying to solve might come about in the first place, so it's hard to think of ways to help you out.
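One way to implement the two mechanisms the reply above proposes, as an added example that is not code from the original thread or from exponder's project: a recovery tool that refuses to run unless invoked from the command line (Case 1), and a registration-completion link whose token the server can verify and act on idempotently (Case 2). The token uses an HMAC keyed with a server-side secret rather than a bare hash of the user id, so nobody who merely knows the script and a user id can forge a working link. The reply suggests the link double as a long-lived skeleton key; this version gives the token an expiry, because an unexpiring link sitting in a mailbox is a standing credential. The `blog_admins` table, its columns, the PDO handle and the secret value are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Table and column names
// (blog_admins.user_id, created_at) and the PDO handle $pdo are assumptions;
// the PDO handle is assumed to use PDO::ERRMODE_EXCEPTION.

/** Case 1: abort unless run as `php recover_admin.php` from a shell. */
function assertCommandLine(): void
{
    if (PHP_SAPI !== 'cli') {
        // Same generic message the reply proposes for the web-facing pages.
        http_response_code(503);
        exit("Sorry, this service is currently unavailable\n");
    }
}

/**
 * Case 2: build the token for the completion link. An HMAC over the user id
 * and expiry means only the server, which holds $secret, can produce a token
 * that later verifies; a plain hash of the id could be recomputed by anyone.
 */
function makeCompletionToken(int $userId, int $expiresAt, string $secret): string
{
    $payload = $userId . '.' . $expiresAt;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

/** Returns the user id if the token is well-formed, authentic and unexpired; null otherwise. */
function verifyCompletionToken(string $token, string $secret, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expiresAt, $mac] = $parts;
    if (!preg_match('/^\d{1,18}$/', $userId) || !preg_match('/^\d{1,18}$/', $expiresAt)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '.' . $expiresAt, $secret);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    if ((int) $expiresAt < $now) {
        return null;
    }
    return (int) $userId;
}

/**
 * Create the blog-admin record for $userId unless it already exists, so the
 * link can be followed more than once without duplicating anything. Assumes a
 * UNIQUE key on blog_admins.user_id, so two requests racing past the SELECT
 * cannot both insert; the loser's INSERT fails and is treated as "already there".
 */
function ensureBlogAdmin(PDO $pdo, int $userId): bool
{
    $check = $pdo->prepare('SELECT 1 FROM blog_admins WHERE user_id = ?');
    $check->execute([$userId]);
    if ($check->fetchColumn() !== false) {
        return false; // already present, nothing to do
    }
    try {
        $insert = $pdo->prepare('INSERT INTO blog_admins (user_id, created_at) VALUES (?, NOW())');
        $insert->execute([$userId]);
        return true;
    } catch (PDOException $e) {
        return false; // lost the race; the row now exists
    }
}

// Usage sketch. The secret and user id are constructed sample values; load
// the real secret from a file outside the web root, not from the database the
// recovery tool is meant to repair.
$secret = 'constructed-sample-secret-replace-me';
$token  = makeCompletionToken(42, time() + 86400, $secret);
$link   = 'https://example.invalid/complete.php?t=' . rawurlencode($token);

// In complete.php, the handler the mailed link points at:
//   $userId = verifyCompletionToken($_GET['t'] ?? '', $secret, time());
//   if ($userId === null) { http_response_code(400); exit('Invalid or expired link'); }
//   ensureBlogAdmin($pdo, $userId);
```

The web-facing pages only ever need the generic failure message; the recovery script calls `assertCommandLine()` first and is the one place where a missing admin is reported in detail. Keeping the SELECT-then-INSERT inside a unique constraint is what makes the completion link safe to click twice.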