Remove SQL Toolbox and Downloading Member List

[ap15]

I'm wanting to completely remove the SQL Toolbox and Download Member List features as I feel they are an unnecessary point of attack and not at all required. The tasks you would use these features for could and should be completed securely using a SQL client such as MySQL Workbench or the command line.

With the increasing amount of site breaches both big and small having features that allows a user to dump the entire member table is just inviting exploitation. Yet the official line from IPS Support is too just remove the permission to use these features... well a compromised admin account could just re-enable the feature, so I fail to see how that sufficiently resolves the issue.

I like IPS otherwise.

Thanks

[Martin A.]

The attacker would still be able to install an application or plugin that replicates that functionality with the compromised admin account. 

Wouldn't take me many minutes to create an app with just those two features.

[Ryan Ashbrook]

You can also limit their use via Admin restrictions:

[ap15]

Martin that would take more ability than just clicking download, and Ryan it could just be re-enabled, negating the entire purpose of that. 

[Randy Calvert]

If someone has compromised your forum to that degree, you have bigger problems to worry about IMO.  With the controls that are in place already such as renaming the Admin CP URL, using a separate username/password with .htaccess to restrict access to the AdminCP, etc... you should not need to worry about someone dumping the member list.  If they're already in that deep, they most likely already have access to the raw mySQL database and have the data anyway.  

[Marcher Technologies]

5 minutes ago, ap15 said:

Ryan it could just be re-enabled, negating the entire purpose of that. 

Why would you allow a restricted admin account access to manage admin restrictions? :|

[ap15]

4 minutes ago, Marcher Technologies said:

Why would you allow a restricted admin account access to manage admin restrictions? :|

Restricted admin? What about the full admin accounts? Someone has to be able to change those permissions and I don't yet see permissions for locking an account to a specific IP.

[Marcher Technologies]

3 minutes ago, ap15 said:

Restricted admin? What about the full admin accounts? Someone has to be able to change those permissions. 

At which point Randy is correct. if they have compromised an admin account with access to manage admin restrictions, they are far enough in to do much anything they want, even if by resorting to editing theme templates if the options mentioned have been removed and \IPS\NO_WRITES is enabled.

[ap15]

Just logging into an admin account (without those features existing) yes they could delete everything and everyone

[Randy Calvert]

Again, if they have that level of access... I can think of a BUNCH of ways of getting to the database.  (including through the IPB config file which contains the mySQL database username/password.)  

If you have a compromise that deep, you're already screwed.  Game over man.  Game over.  

(I was going to link to the video, but I realized what strong language it had in it and I did not want to get in trouble for language.  haha)

[Marcher Technologies]

^ This. All they need is theme access. Template logic, by design, allows arbitrary PHP code execution. From there, anything is possible. Game over.

[sudo]

I would like it if you could have a lock down variable in the config file which disables installing apps etc and mysql toolbox, it would be easy enough for me to toggle it on when I need to do heavy tasks like mass deleting, app updates etc but most of the time you dont need those features so it wouldnt hurt.

[Marcher Technologies]

To be clear, i'm not against an enhancement here, was just stating reality. To be of real usefulness such a constant would need to disable editing templates, sql toolbox, exporting any data such as members, templates, etc, and disallow installing applications and plugins. Disable, as in, fully error out, restrictions becoming irrelevant, nobody can use these features. I am aware of a constant for the latter two items.

[Joel R]

I agree that to worry about those two specific features when someone has compromised your admin account is to lose sight of your bigger problem.  As some users have eloquently expressed in bro language, it's game over.    

With that said - from one bro to another  - I think it may be better for you to focus on more proactive steps to protect your root administrator account to the highest degree, rather than to react to specific functions available to the admin.  There's this IPS news that just came out today:  

 

If you're still worried about the SQL toolbox and downloading member list if someone can get past 2FA, then you're beyond game over.  Turn off your console.  Throw out your Nintendo 64.  The hacker compromised your administrator account, potentially your email, and your smartphone -- at which point, you're probably more worried about the compromising photos on Tinder than you are about your website.  

 

[sudo]

6 hours ago, Joel R said:

I agree that to worry about those two specific features when someone has compromised your admin account is to lose sight of your bigger problem.  As some users have eloquently expressed in bro language, it's game over.    

With that said - from one bro to another  - I think it may be better for you to focus on more proactive steps to protect your root administrator account to the highest degree, rather than to react to specific functions available to the admin.  There's this IPS news that just came out today:  

 

If you're still worried about the SQL toolbox and downloading member list if someone can get past 2FA, then you're beyond game over.  Turn off your console.  Throw out your Nintendo 64.  The hacker compromised your administrator account, potentially your email, and your smartphone -- at which point, you're probably more worried about the compromising photos on Tinder than you are about your website.  

 

The problem is not password security or 2FA although I do love the addition of 2FA, its the fact invariably exploits do happen for web apps over time regardless.

A simple file system config to lock out a batch of certain mass damage vectors wouldnt hopefully require too much coding and for those that want that extra piece of mind they can activate it. A non writable config would be harder to exploit then a php hole that allowed an SQL injection which could disable 2FA, reset passwords etc. Yes that exploit may allow them to wipe the database and still cause a lot of damage but the issue nowadays is malware being slipped in as well as grabbing passwords via template edits, aka non-destructive changes that can be harder to spot but really damage your communities reputation. It happened to TAZ and it could happen to anyone. I am not saying IPB will even be the vector, with apps out there they could easily add a vector without realising and a config variable which was un-modifiable by the webserver wouldnt hurt.

Yes its not going to block everything in one go but I just dont see why it wouldnt be a simple addition to add.

[Daniel F]

12 minutes ago, ZeroHour said:

A simple file system config to lock out a batch of certain mass damage vectors wouldnt hopefully require too much coding and for those that want that extra piece of mind they can activate it.

You can set the NO_WRITES constant, which will disallow following features in the ACP

Quote

• installing new theme
• installing apps
• installing hook
• installing editor plugins

 

Edit: Sorry, haven't noticed that it was already mentioned https://invisionpower.com/forums/topic/435102-remove-sql-toolbox-and-downloading-member-list/?do=findComment&comment=2673007

[sudo]

2 minutes ago, Daniel F said:

You can set the NO_WRITES constant, which will disallow following features in the ACP

 

That sounds good, do you have a link to any documentation for that? I am just wondering if it affects anything else.