What's New in SMF 2.1 - Security

Posted by Trekkie101 on September 10, 2012, 02:46:21 AM in What's New in SMF 2.1 - Security | 11 Comments
Last week we brought to you the first public alpha of SMF 2.1 in a blog post talking about current development. Over the coming weeks there will be a few blogs on some of the new features in SMF 2.1. Today I present our security enhancements.

We take security very seriously here at Simple Machines and to help further improve SMF 2.1 we have added the following features to strengthen our default guard.

IPv6 Support
Ban and post management now work by default with IPv6 and IPv4 without you needing to do anything, enhancing your ability to block people from using your forum.
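As an added illustration of what "works with IPv6 and IPv4 by default" means for a ban list, the following is example code written for this page, not SMF's own ban code. It packs both address families with `inet_pton` so one CIDR comparison serves both, folds IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`) back to IPv4 so a ban cannot be dodged by re-spelling the address, and rejects malformed input instead of treating it as unbanned-by-accident. The ban entries and the addresses tested are constructed documentation ranges.

```php
<?php
// Added example, not SMF's own code: family-agnostic ban matching.

/**
 * Return the packed binary form of an IP address, or null if it is not a valid
 * IPv4 or IPv6 address. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are reduced
 * to plain IPv4 so one ban entry covers both spellings of the same host.
 */
function normalise_ip(string $ip): ?string
{
    $ip = trim($ip);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($ip);
    // 16 bytes starting with ten zero bytes and 0xffff 0xffff: IPv4-mapped.
    if (strlen($packed) === 16 && substr($packed, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        return substr($packed, 12);
    }
    return $packed;
}

/**
 * Does $ip fall inside $cidr ("203.0.113.0/24", "2001:db8::/32")? A bare address
 * with no slash is a single-host range. Different families never match.
 */
function ip_in_range(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = normalise_ip($ip);
    $netBin = normalise_ip($net);
    if ($ipBin === null || $netBin === null || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid input, or IPv4 compared against IPv6
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare whole prefix bytes first, then the high bits of the partial byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xff << (8 - $rem)) & 0xff;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** First ban entry that covers $ip, or null if the address is not banned. */
function find_ban(string $ip, array $bans): ?string
{
    foreach ($bans as $entry) {
        if (ip_in_range($ip, $entry)) {
            return $entry;
        }
    }
    return null;
}

// Constructed ban list using documentation ranges (RFC 5737 / RFC 3849), not real hosts.
$bans = ['203.0.113.0/24', '2001:db8:abcd::/48', '198.51.100.7'];

foreach (['203.0.113.77', '::ffff:203.0.113.77', '2001:db8:abcd:1::9', '2001:db8:ffff::1', 'not-an-ip'] as $ip) {
    printf("%-22s => %s\n", $ip, find_ban($ip, $bans) ?? 'allowed');
}
```

Run from the command line with `php bans.php`; the first three addresses report the ban entry that matched (the mapped form hits the same IPv4 entry as the plain one), the fourth is outside every range, and the malformed string is refused rather than silently compared.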

Moderation Sessions
Previously, if you were logged in as an administrator, before completing any administration tasks you would be presented with a dialog asking you to re-enter your password. This allowed SMF to ensure that if you had forgotten to log out elsewhere, no-one could damage the settings of your forum. We realise that more often than not there are more moderators on a forum than administrators, and with a moderation account a malicious person could delete or harm many of your boards' posts. To stop this, we have enabled moderation sessions too, so now before completing a moderation action your moderators will have to re-enter their password. Don't worry though, it's only once per active browsing session.

End Administration Session
In the same scope as above, to stop any malicious activity if someone has access to your administration centre, you can now select "Admin End Session" from the main menu in the administration centre and have them kicked right back out.
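The two mechanisms just described (a password re-prompt that is asked once per browsing session for both administration and moderation, and an "End Session" control that revokes it) are shown together in the following example. It is added code written for this page, not SMF's implementation: the session keys, the `admin`/`moderate` area names and the one-hour lifetime of an unlocked session are assumptions. The session is passed in as a plain array so the script runs from the command line; in a web request it would be `$_SESSION`.

```php
<?php
// Added example, not SMF's own code: privileged sessions that must be unlocked
// by re-entering the password, expire after a while, and can be ended on demand.

const PRIV_SESSION_LIFETIME = 3600; // assumed: seconds an unlocked area stays valid

/** Is the privileged session for $area ("admin" or "moderate") currently unlocked? */
function privileged_session_valid(array $session, string $area, int $now): bool
{
    $expires = $session['priv'][$area] ?? 0;
    return $expires > $now;
}

/**
 * Unlock $area by re-verifying the password against the stored hash.
 * Only an expiry timestamp is kept in the session, never the password itself.
 */
function unlock_privileged_session(array &$session, string $area, string $password, string $storedHash, int $now): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    $session['priv'][$area] = $now + PRIV_SESSION_LIFETIME;
    return true;
}

/** "End Session": drop every unlocked area so the next sensitive action re-prompts. */
function end_privileged_sessions(array &$session): void
{
    unset($session['priv']);
}

/**
 * Gate a sensitive action: 'ok' if it may proceed, 'reauth' when the password
 * dialog has to be shown first.
 */
function gate_action(array $session, string $area, int $now): string
{
    return privileged_session_valid($session, $area, $now) ? 'ok' : 'reauth';
}

// --- Constructed walk-through ---
$session    = ['user' => 'moderator1'];                                   // constructed login session
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT); // constructed credential
$now        = time();

echo gate_action($session, 'moderate', $now), "\n";   // reauth: nothing unlocked yet
unlock_privileged_session($session, 'moderate', 'wrong password', $storedHash, $now);
echo gate_action($session, 'moderate', $now), "\n";   // reauth: bad password changes nothing
unlock_privileged_session($session, 'moderate', 'correct horse battery staple', $storedHash, $now);
echo gate_action($session, 'moderate', $now), "\n";   // ok: unlocked, no further prompt this session
echo gate_action($session, 'admin', $now), "\n";      // reauth: the admin area is a separate unlock
echo gate_action($session, 'moderate', $now + PRIV_SESSION_LIFETIME + 1), "\n"; // reauth: expired
end_privileged_sessions($session);
echo gate_action($session, 'moderate', $now), "\n";   // reauth: revoked by "End Session"
```

The point of keeping only an expiry in the session is that someone who reaches an unattended, logged-in browser still has to know the password to perform a moderation or administration action, and an administrator who notices can revoke every unlock at once with the end-session control.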

If you're logged into SMF, even if you've validated your session by re-entering your password, a malicious person could trick or fool you into clicking a link that would harm your forum by carrying out a given action (in some rare circumstances). To further protect SMF 2.1, there are now one-use tokens in play for every page. You won't notice them and they won't harm the running of your forum, but they will essentially stop anything off the page from interacting with anything on the page that you don't manually touch.
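To make the "one-use token" idea concrete, here is an added example (not SMF's own token code; the `csrf_token` field name and the action names are assumptions). A token is minted with the CSPRNG when a form is rendered, stored in the session against the action it protects, and deleted the first time it is checked, so a link or form on another site, which cannot read this forum's session, has nothing valid to submit, and a captured token cannot be replayed.

```php
<?php
// Added example, not SMF's own code: per-action, single-use anti-CSRF tokens.

/** Issue a fresh token for $action, remember it in the session, return it for the form. */
function issue_token(array &$session, string $action): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $session['tokens'][$action] = $token;
    return $token;
}

/**
 * Check the token submitted with a request for $action. Whatever the outcome,
 * the stored token is discarded, so it is accepted at most once.
 */
function consume_token(array &$session, string $action, ?string $submitted): bool
{
    $expected = $session['tokens'][$action] ?? null;
    unset($session['tokens'][$action]);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

/** Hidden input to embed in the form that will submit $action. */
function token_field(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// --- Constructed walk-through (a web request would use $_SESSION and $_POST) ---
$session = [];

$t = issue_token($session, 'delete_post');
echo token_field($t), "\n";

// Request 1: the genuine form submission carries the token -> accepted.
var_dump(consume_token($session, 'delete_post', $t));    // bool(true)
// Request 2: the same token submitted again -> rejected, it was consumed.
var_dump(consume_token($session, 'delete_post', $t));    // bool(false)
// A forged cross-site request cannot read the session, so it arrives without a token.
issue_token($session, 'delete_post');
var_dump(consume_token($session, 'delete_post', null));  // bool(false)
// A token minted for one action does not unlock a different one.
issue_token($session, 'delete_post');
$t2 = issue_token($session, 'ban_user');
var_dump(consume_token($session, 'delete_post', $t2));   // bool(false)
```

Two details carry the security weight: `hash_equals` prevents timing differences from leaking how much of a guessed token was right, and unsetting the stored token before the comparison means even a failed check burns it, so the form has to be reloaded (and the token re-issued) before the action can be attempted again.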

HTTP only cookies
This setting can be enabled to stop any script from touching the cookies and data files needed for SMF to run; essentially, this will stop things like JavaScript from reading the cookies, gaining any access you have and carrying out actions on your behalf. This helps to protect against the rising threat of cross-site scripting attacks, where one site tries to get you to poison your own.
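The following added example (not SMF's code; the cookie name `forum_session` and the one-hour lifetime are placeholders) shows the same login cookie issued without and with the HttpOnly flag, and prints the `Set-Cookie` header each produces so the difference is visible from the command line. It also sets the Secure and SameSite attributes, which go beyond what the paragraph above describes but are what a hardened session cookie carries today.

```php
<?php
// Added example, not SMF's own code: a script-readable cookie beside a hardened one.

const COOKIE_NAME     = 'forum_session'; // placeholder, not SMF's real cookie name
const COOKIE_LIFETIME = 3600;            // assumed lifetime in seconds

/**
 * Attribute set for the login cookie. false reproduces the weak setting
 * (readable by page scripts, sent over plain HTTP); true is the recommended one.
 */
function session_cookie_options(bool $hardened): array
{
    $options = [
        'expires'  => time() + COOKIE_LIFETIME,
        'path'     => '/',
        'secure'   => false,
        'httponly' => false,
        'samesite' => 'Lax',   // not attached to top-level cross-site POSTs
    ];
    if ($hardened) {
        $options['secure']   = true;   // only ever transmitted over HTTPS
        $options['httponly'] = true;   // absent from document.cookie, so injected script cannot read it
    }
    return $options;
}

/** Render the Set-Cookie header line a browser would receive, for inspection. */
function set_cookie_header(string $name, string $value, array $options): string
{
    $parts   = [rawurlencode($name) . '=' . rawurlencode($value)];
    $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s', $options['expires']) . ' GMT';
    $parts[] = 'Path=' . $options['path'];
    if ($options['secure']) {
        $parts[] = 'Secure';
    }
    if ($options['httponly']) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $options['samesite'];
    return 'Set-Cookie: ' . implode('; ', $parts);
}

$sessionId = bin2hex(random_bytes(16)); // constructed session identifier

echo "Weak:     ", set_cookie_header(COOKIE_NAME, $sessionId, session_cookie_options(false)), "\n";
echo "Hardened: ", set_cookie_header(COOKIE_NAME, $sessionId, session_cookie_options(true)), "\n";

// In a real response (PHP 7.3+), the same options array goes straight to setcookie().
if (!headers_sent()) {
    setcookie(COOKIE_NAME, $sessionId, session_cookie_options(true));
}
```

For PHP's own session cookie the equivalent switch is the `session.cookie_httponly` ini setting. HttpOnly does not stop an injected script from issuing requests while the page is open (the cookie still rides along with them); what it denies is exfiltrating the cookie value for use from another machine, which is why it belongs beside, not instead of, output escaping and the one-use tokens described above.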

Open Development
SMF is open-source software released under the BSD license. You can view our current progress and see the work on the features listed above on our GitHub account (our main source of development), where you can try out the latest code and submit changes or fixes of your own to the codebase.



Robert. on September 10, 2012, 02:51:35 AM said
Great news :)

Adish - (F.L.A.M.E.R) on September 11, 2012, 08:42:56 AM said
Awesome! Security is extremely important and SMF always tries to get on top of the issues before others get into it. :)

vbgamer45 on September 11, 2012, 10:03:43 AM said
Lots of good stuff can't wait!

Joseph H on September 11, 2012, 11:50:09 AM said
That's great.... And it's a big step ahead... Can't wait

Deaks on September 12, 2012, 04:49:15 AM said
nice post

Antes on September 12, 2012, 09:40:05 AM said
awesome post :)

butchs on September 16, 2012, 10:05:54 AM said
Interesting...  Sessions sometimes give me a hard time.  I look forward to a new variation.

I have been playing with tokens.  Worked fine in a single php file but when I broke it into a source and template things went south.  Then my real job got in the way... preventing me from discovering why the token verification was failing between some script files.   Sounds like this new version will assist me to get back on track...  Sweet!!!


SimpleGost on October 09, 2012, 01:53:28 PM said
Great Job!
I really like it! :)

Xarcell on January 02, 2013, 04:57:35 PM said
For security, is there a chance you can add a slider for human verification? Basically, an "Are You Human?" then slide a slider from left to right (works with touch devices).

Arantor on January 02, 2013, 04:59:47 PM said
Not recommended.

The methodology of such would not be difficult to break for bots. All a bot has to do is identify the form value that relates to the slider, and make sure that its value is empty on submission. Given that SMF would then be a 'standard installation', it would be worth a bot author taking the time to identify the routine that generates this.

Xarcell on January 02, 2013, 05:06:30 PM said
ok, thanks.