Full Version: Suggestion for Mybb Plugin
I still don't have permissions to post a new thread in the subscription, so I'll post it here so someone can move it. THANKS!

Suggestion is for Administrator Control Panel:

Taking a look around the admin control panel I've noticed a few things here and there. Now, this plugin would require a lot of work and time, but I think it's a very good idea. For sites that contain more than one administrator and/or troubled moderators, this plugin would be ideal.

The idea is to add a section to the ACP which does the following:

Allows the administrators (or could specify only one administrator access or a specific group) to be able to

a) see a log of all changes made in the admin control panel and which administrator made them (not just what they DID but also every link they clicked on and every tab they accessed).

b) adds an "undo" option for the administrator(s) who are allowed to access this panel, to not only see exactly what code in a template or file was changed by whatever administrator, but also to be able to make modifications and changes to the code in another window to either add to or subtract from the "undo" process. So not only could you opt to just undo the changes made, but also see the original code, compare it with the changed code, as well as make changes to either code and submit it as the official "undo" code.

c) make reports for administrators to be reviewed by other administrators to see their activity of a specified time and export them.

d) adds more security to the administrator's access to the admin panel, including password requirements for certain sections of the admin CP.

Well, that's about all I've come up with so far, but I'd like to see if this might be a good idea for an additional plugin for the admin control panel.

A) does this already for the most part
B) Templates have a revert option... that's good enough
C) you can just look in the logs anytime you want
D) Why have double passwords? If you want that, add an htaccess password

a) you're right, that's not a primary requirement, and yes, the original admin CP logs do already do this for the most part, but I want to be able to tell where they went as well and everything they did. It helps me in understanding their intentions.

b) that's not good enough for me. If an admin goes haywire and decides to really screw some stuff up and I don't want to do a full system recovery, or if an administrator becomes compromised, I like the option of being able to not only see what they did, but compare what they did against what was already there. This shows me several things. As an example I'll use my most recent problem (which you're obviously most aware of). If an exploit is used on a site, this will be able to tell me exactly what it was. I want something that can compare codes. Not all administrators on a forum know everything about a forum. Some people are just starting off, some are still learning, and some are experts. I'm not a complete newbie, but I'm no expert, I'll admit. When it comes to the exploit I experienced, I simply had to rely on doing research on known exploits and found one that "matched" what happened, but I'm not 100% sure it was the right one. The only way to know that is to be able to compare codes to what was changed or accessed. For example: a new member is created by simple registration. I should be able to see the code used to create that user. Now, in a plugin stance I would assume this would be a simple disable-if-you-want, enable-if-you-want, etc. (option selection), but I like to know exactly what happens to my site and be able to detect every bit of it as it happened, step by step. Like I said, this obviously wouldn't be a very easy plugin, but it'd prove very valuable to an administrator trying to sort out problems with other administrators or even hacked admin accounts or user accounts. Maybe this idea, part "b", isn't completely practical, and I know that, which is why I only proposed as much as I did. My ideas are ambitious for this plugin, because I see the potential for a prototype and for a beta and eventually a final product, each progressive, each doing more. The current administrator panel limits the administrators quite a bit.
An exploit happens and an admin, unless they test their own sites exactly the way the hacker did, simply won't know what happened unless they're an expert in MyBB or coding, which, everyone must admit, not all admins are "experts" in. Knowing what happened is more important than constantly fighting off exploit attacks, etc. This option would also be extremely valuable in troubleshooting member problems with the site, and other things; it could be very valuable in many areas. Part "B" is the most important part of this plugin to me, which is why I even considered it.

c) The logs won't give me a detailed report. All the log does is say "so and so did this at this time and date". That's it. It doesn't let me narrow it to a member and everything they've done, and it doesn't tell where they go the most and when. All a hacker has to do is change one file to screw up a forum, but who's to say they didn't gain access to some other data while they were at it? They can change the file, and anything they changed is "generally" announced in the log files ("generally" meaning it doesn't give any detail at all), but it doesn't say if they looked at our IP addresses, our accounts, another "specific" member's account, read various codes in other templates, or copied codes, etc. You simply don't know what they did other than what they actually changed. Which for me is not a good thing at all, especially in a security situation. I want to know what everyone is doing on my site, including what they look at, and I want full detailed reports of them, per user. Now if I knew this were a simple task, I would simply wait it out till someone else made it somewhere, check it out, and possibly install it, but as it's most definitely not just an ordinary everyday task or an ordinary plugin, this site was the absolute first one I posted it at.

d) you're correct about the htaccess password, I didn't think about that. I'll have to do more research on editing the htaccess files.
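An added example of the htaccess password suggested above, not code from either poster: an Apache 2.4 `.htaccess` that puts a second, server-level login in front of the MyBB admin directory, so a stolen forum admin password alone does not reach the ACP. The directory name, the htpasswd file path, and the IP range are assumptions for illustration.

```apache
# Assumed location: <mybb root>/admin/.htaccess  (MyBB lets you rename this directory)
# Requires "AllowOverride AuthConfig Limit" for this directory in the vhost config.

# Second password for the admin control panel, checked by the web server
# before any MyBB PHP code runs.
AuthType Basic
AuthName "Admin CP - second login"
# Assumed path; keep the credential file OUTSIDE the web root so it can never be served.
AuthUserFile /var/www/private/.htpasswd-admincp

# Create the file with bcrypt hashes (run once per admin, drop -c after the first):
#   htpasswd -c -B /var/www/private/.htpasswd-admincp alice
#   htpasswd -B /var/www/private/.htpasswd-admincp bob

# Optional: additionally restrict the ACP to the admins' known network.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>
```

With this in place, failed second-login attempts show up in the Apache access and error logs (401 responses), which is the kind of evidence the next reply points to.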
Quote: You simply don't know what they did other than what they actually changed.

You would if you understood security better. When I had HF penetrated by this exploit I went at it. I found the problem. I fixed it. I didn't need any of the tools you're asking for. The Apache and MySQL logs gave me all I needed. The admin CP has very little info, and even if it did you shouldn't trust it. In case you didn't know... I was the one that actually discovered the hacker and his exploit, along with Ryan Gordon of the MyBB team. When I had someone pop up as an Admin at HF I went at it right away. Found the exploit, worked with Ryan, and a patch was released.

You were compromised on the 28th. The patch for that exploit was released on the 14th. Of course after 2 weeks you're gonna get hacked. You practice some of the worst security I have ever seen.

I know you were the one who found the exploit; my research determined that much. I had not been accessing the sites that much because I was busy and preoccupied with my real and current job. I assumed, incorrectly, that my other administrator would take up the task of upgrading. Yes, I probably should have done it myself, but you have one upper hand that I don't: time. This is your permanent job. It's not mine.