What's New in SMF 2.1 - Security
Posted by Trekkie101 on September 10, 2012, 02:46:21 AM in What's New in SMF 2.1 - Security | 11 Comments

Last week we brought you the first public alpha of SMF 2.1 in a blog post about current development. Over the coming weeks there will be a few blog posts on some of the new features in SMF 2.1. Today I present our security enhancements.
We take security very seriously here at Simple Machines, and to help further improve SMF 2.1 we have added the following features to strengthen the protection a forum gets out of the box.
IPv6 support
Ban and post management now work with both IPv4 and IPv6 addresses by default, with no configuration on your part. A ban entered as an IPv6 address or range is matched just like an IPv4 one, which closes a gap that previously let visitors on IPv6 connections slip past address-based bans.
Moderation sessions
Previously, if you were logged in as an administrator, you would be asked to re-enter your password before completing any administration task. This let SMF make sure that, if you had forgotten to log out somewhere else, nobody could damage your forum's settings from that leftover session. We realise that most forums have more moderators than administrators, and with a moderator account a malicious person could delete or damage many of your boards' posts. To stop this, we have enabled moderation sessions too: before completing a moderation action, your moderators will now have to re-enter their password. Don't worry, though: it's only once per active browsing session, not once per action.
End Administration Session
Along the same lines, to cut short any malicious activity if someone has gained access to your administration centre, you can now select "Admin End Session" from the main menu of the administration centre and have that validated session ended right away. You stay logged in to the forum, but the next administration action will ask for the password again.
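As an added illustration, not SMF's own code, here is the shape of the session gate the two paragraphs above describe: a moderator or administrator re-enters their password once, later actions in the same browsing session pass without a prompt, and "Admin End Session" revokes that validation without logging the user out. The class name, the `mod_reauth_at` session key, the one-hour window and the `check()` helper are all assumptions made for this example; a real forum would hold the store in `$_SESSION` and take "now" from `time()`.

```php
<?php
// Added example, not SMF's own code: a session-scoped re-authentication gate of the kind
// described above. The class name, the session key and the one-hour window are assumptions.
declare(strict_types=1);

final class ModerationGate
{
    // Assumed window: a re-entered password stays valid this long within one browsing session.
    private const WINDOW_SECONDS = 3600;

    private array $session;

    /** @param array<string,mixed> $session the per-user session store ($_SESSION in a real app) */
    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** Password re-entry: only a correct password marks this session as validated. */
    public function reauthenticate(string $submitted, string $storedHash, int $now): bool
    {
        if (!password_verify($submitted, $storedHash)) {
            return false;
        }
        $this->session['mod_reauth_at'] = $now;
        return true;
    }

    /** Call before every admin or moderation action; false means "ask for the password again". */
    public function isValidated(int $now): bool
    {
        $at = $this->session['mod_reauth_at'] ?? null;
        return is_int($at) && ($now - $at) < self::WINDOW_SECONDS;
    }

    /** The "Admin End Session" menu item: drop the validation without logging the user out. */
    public function endSession(): void
    {
        unset($this->session['mod_reauth_at']);
    }
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

// Walk-through on constructed data.
$session = [];                       // stands in for $_SESSION
$gate = new ModerationGate($session);
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$t = 1000000;                        // a fixed "now" so the run is deterministic

check(!$gate->isValidated($t), 'a freshly logged-in moderator must re-enter the password first');
check(!$gate->reauthenticate('wrong password', $hash, $t), 'a wrong password is rejected');
check(!$gate->isValidated($t), 'a failed attempt does not validate the session');
check($gate->reauthenticate('correct horse battery staple', $hash, $t), 'the right password validates');
check($gate->isValidated($t + 600), 'later actions in the same session are not prompted again');
check(!$gate->isValidated($t + 3600), 'after the window the prompt comes back');
$gate->reauthenticate('correct horse battery staple', $hash, $t + 3600);
$gate->endSession();
check(!$gate->isValidated($t + 3601), '"Admin End Session" revokes validation immediately');
```

The point of keeping the validation in the server-side session rather than in a cookie of its own is that a stolen or forgotten browser session is exactly the case the feature exists for: ending the session on the server clears `mod_reauth_at` for every tab that shares it, and nothing the client holds can reinstate it.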
One-use session tokens
Even when you're logged into SMF and have validated your session by re-entering your password, a malicious person could (in some rare circumstances) trick you into clicking a link or submitting a form that carries out a harmful action on your forum on your behalf, a cross-site request forgery: your browser sends your cookies with the request no matter which site produced it. To further protect SMF 2.1, every page now carries one-use tokens. You won't notice them and they won't affect the running of your forum, but a request that did not originate from the page, that is, anything you did not deliberately click or submit yourself, can no longer trigger an action on it.
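As an added illustration, not SMF's own code, here is how one-use tokens of the kind described above can be minted, embedded in a page and spent on submission. The class name, the session layout, the hidden field name `token`, the one-hour lifetime and the `check()` helper are assumptions made for this example.

```php
<?php
// Added example, not SMF's own code: one-use request tokens of the kind described above.
// The class name, the session layout, the hidden field name and the lifetime are assumptions.
declare(strict_types=1);

final class OneUseTokens
{
    // Assumed lifetime: a token that is never submitted should not live in the session forever.
    private const TTL_SECONDS = 3600;

    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** Mint a token bound to one action; the page embeds it in the form (or link) that performs it. */
    public function create(string $action, int $now): string
    {
        $token = bin2hex(random_bytes(32));             // 256 bits from the CSPRNG, unguessable off-page
        $this->session['tokens'][$action] = ['value' => $token, 'at' => $now];
        return $token;
    }

    /** Hidden input for a form, the only place the token is exposed. Assumed field name "token". */
    public function hiddenField(string $action, int $now): string
    {
        $t = htmlspecialchars($this->create($action, $now), ENT_QUOTES, 'UTF-8');
        return '<input type="hidden" name="token" value="' . $t . '">';
    }

    /**
     * Verify and consume. The stored token is removed before the comparison, so whatever the
     * outcome it cannot be tried again: a genuine submission spends it, and a forged submission
     * (wrong, empty or replayed token) burns it and the legitimate user is simply asked again.
     */
    public function consume(string $action, string $submitted, int $now): bool
    {
        $rec = $this->session['tokens'][$action] ?? null;
        unset($this->session['tokens'][$action]);
        if ($rec === null || ($now - $rec['at']) > self::TTL_SECONDS) {
            return false;
        }
        return hash_equals($rec['value'], $submitted);   // constant-time comparison
    }
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

// Walk-through on constructed data.
$session = [];                       // stands in for $_SESSION
$tokens = new OneUseTokens($session);
$t = 1000000;                        // a fixed "now" so the run is deterministic

// The moderator loads the "remove topic" page; the token is rendered into its form.
$tok = $tokens->create('remove-topic', $t);
check($tokens->consume('remove-topic', $tok, $t + 5), 'the submission from that page is accepted');
check(!$tokens->consume('remove-topic', $tok, $t + 6), 'submitting the same token twice is rejected');

// Another site tricks the logged-in moderator's browser into posting the same action. The
// session cookie goes along, but the attacker never saw the page and so cannot supply the token.
$tokens->create('remove-topic', $t);
check(!$tokens->consume('remove-topic', '', $t + 5), 'a cross-site request without the token is rejected');

$minted = $tokens->create('ban-member', $t);
check(!$tokens->consume('remove-topic', $minted, $t + 5), 'a token minted for one action does not authorise another');
check(!$tokens->consume('ban-member', $minted, $t + 4000), 'a token past its lifetime is rejected');

check(strpos($tokens->hiddenField('remove-topic', $t), 'name="token"') !== false,
      'the form carries the token as a hidden field');
```

Two details matter in practice. Binding each token to an action name (not just to the session) means a token harvested from one harmless form cannot be reused against a more sensitive one, and consuming the token before comparing it means a mismatch costs the attacker their only attempt rather than leaving a valid token in place to guess against.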
HTTP only cookies
SMF is open source software released under the BSD license. You can follow our current progress and see the work on the features listed above on our GitHub account, where development happens; there you can try out the latest code and submit changes or fixes of your own to the codebase.
Robert. on September 10, 2012, 02:51:35 AM said: Great news
Adish - (F.L.A.M.E.R) on September 11, 2012, 08:42:56 AM said: Awesome! Security is extremely important and SMF always tries to get on top of the issues before others get into it.
vbgamer45 on September 11, 2012, 10:03:43 AM said: Lots of good stuff, can't wait!
Joseph H on September 11, 2012, 11:50:09 AM said: That's great.... And it's a big step ahead... Can't wait
I B D on September 12, 2012, 04:49:15 AM said: nice post
Antes on September 12, 2012, 09:40:05 AM said: awesome post
butchs on September 16, 2012, 10:05:54 AM said: Interesting... Sessions sometimes give me a hard time. I look forward to a new variation.
I have been playing with tokens. It worked fine in a single PHP file, but when I broke it into a source and a template things went south. Then my real job got in the way... preventing me from discovering why the token verification was failing between some script files. Sounds like this new version will assist me in getting back on track... Sweet!!!
SimpleGost on October 09, 2012, 01:53:28 PM said: Great Job!
I really like it!
Xarcell on January 02, 2013, 04:57:35 PM said: For security, is there a chance you can add a slider for human verification? Basically, an "Are You Human?" check where you slide a slider from left to right (works with touch devices).
Arantor on January 02, 2013, 04:59:47 PM said: Not recommended.
The methodology of such would not be difficult to break for bots. All a bot has to do is identify the form value that relates to the slider, and make sure that its value is empty on submission. Given that SMF would then be a 'standard installation', it would be worth a bot author taking the time to identify the routine that generates this.
Xarcell on January 02, 2013, 05:06:30 PM said: OK, thanks.