Author Topic: New alpha dev release  (Read 1113 times)


Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
New alpha dev release
« on: April 27, 2015, 07:34:39 pm »
Hello!

Just wanted to let people know I just released a new dev version of alpha at http://alpha.evilzone.org

Been a long time since last time I updated it, so I can't remember all the new changes. Here is what I remember:

- Minimized to complete asap (Removed a bunch of unnecessary and features)
- Profile should work now (Data, PM, some account settings)
- New logo idea (If anyone is up for making something better, please do! We have tried a lot of logo variations, but I haven't found one that I am satisfied with)
- DB cleaned, so you will need to reregister
« Last Edit: April 27, 2015, 07:37:20 pm by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline HTTP

  • Serf
  • *
  • Posts: 28
  • Cookies: -19
Re: New alpha dev release
« Reply #1 on: April 27, 2015, 08:04:30 pm »
I like this one more :P

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
Re: New alpha dev release
« Reply #2 on: April 27, 2015, 09:31:43 pm »
Looks good ande

@HTTP
You have no idea how much improvement alpha has over SMF. The biggest being a custom forum software which will make it very difficult for people to attack. For example, skiddy gets 0day SMF exploit and pwns EZ, with alpha, only evilzone is using it. No vBulletin, no SMF, no phpBB, no etc. This already makes it more secure by leaps and bounds.

Also if problems and bugs arise they can be addressed by the creators of alpha and not rely on some hack patches. Furthermore additional services and APIs can enable for beautiful uniform integrated parts of evilzone (ie services that used to have a link in the previous alpha)

Change isn't always accepted, however I believe alpha is going to be one of the best things that has happened to EvilZone in a LONG time.

I would love to see a full CMS for other sites to use xD
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry

Offline Schalla

  • VIP
  • Peasant
  • *
  • Posts: 81
  • Cookies: 29
Re: New alpha dev release
« Reply #3 on: April 27, 2015, 09:43:19 pm »
Sure, because a board system written by a single person - no offense ande - will be more secure than a system written by multiple people, where random people already looked at the source code.


That is nothing but security through obscurity, since no one knows how the code is written and most likely it won't be more secure, but also if there are vulnerabilities no one will find them unless they are abused.


I expected a better judgement on the situation tbh.

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
Re: New alpha dev release
« Reply #4 on: April 27, 2015, 09:51:27 pm »
> Sure, because a board system written by a single person - no offense ande - will be more secure than a system written by multiple people, where random people already looked at the source code.
>
> That is nothing but security through obscurity, since no one knows how the code is written and most likely it won't be more secure, but also if there are vulnerabilities no one will find them unless they are abused.
>
> I expected a better judgement on the situation tbh.

Exactly the point I was making. You're also forgetting the Creator is very skilled at discovering and exploiting web vulnerabilities and has been doing so for years. No system is 100% secure and having one forum in the midst of millions using a custom built software does make it more secure. It would take someone who actually knows what they're doing to discover and exploit an attack on alpha, hence why I was saying skiddys won't be able to come across a SMF 0day and pwn EZ. Notice I said SKIDDY. Also on software like phpBB, SMF, vB, IPB, etc people can get the script and read through the code, same goes for addons makes it a lot more difficult to discover vulnerabilities. I never said it was impossible, but it is much more secure.

Offline Schalla

  • VIP
  • Peasant
  • *
  • Posts: 81
  • Cookies: 29
Re: New alpha dev release
« Reply #5 on: April 27, 2015, 09:59:02 pm »
Yeah, and since no one is checking alpha for any security holes it won't be noticed that quick till someone does. Same reasoning like saying Windows is more secure because the source is closed and the developers are doing it for ages. The reasoning is just broken.


First thing, I think I mentioned it before is that the CSRF tokens are not refreshed after submitting a form. Now...that shouldn't be like that.
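
The token refresh raised in this reply, as an added example that is not part of the thread and not alpha's code: a CSRF token that is spent on a successful submit, so the same value cannot be replayed. `$session` stands in for `$_SESSION` so the script runs from the CLI, and the function names are hypothetical.

```php
<?php
// Added example: single-use CSRF tokens (hypothetical helper names).
// $session is a plain array standing in for $_SESSION.

function csrf_issue(array &$session): string
{
    // 32 random bytes from the CSPRNG, hex-encoded for use in a hidden field.
    $token = bin2hex(random_bytes(32));
    $session['csrf'] = $token;
    return $token;
}

function csrf_consume(array &$session, ?string $submitted): bool
{
    $expected = $session['csrf'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison avoids leaking how many characters matched.
    if (!hash_equals($expected, $submitted)) {
        return false;
    }
    // Spend the token: the next form render must call csrf_issue() again.
    unset($session['csrf']);
    return true;
}

// Constructed walk-through of one form submit followed by a replay.
$session = [];
$token = csrf_issue($session);

var_dump(csrf_consume($session, $token));   // first submit of the form
var_dump(csrf_consume($session, $token));   // replay of the same token
var_dump(csrf_issue($session) !== $token);  // the re-rendered form gets a new value
```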

Offline HTTP

  • Serf
  • *
  • Posts: 28
  • Cookies: -19
Re: New alpha dev release
« Reply #6 on: April 27, 2015, 10:00:09 pm »
> Looks good ande
>
> @HTTP
> You have no idea how much improvement alpha has over SMF. The biggest being a custom forum software which will make it very difficult for people to attack. For example, skiddy gets 0day SMF exploit and pwns EZ, with alpha, only evilzone is using it. No vBulletin, no SMF, no phpBB, no etc. This already makes it more secure by leaps and bounds.
>
> Also if problems and bugs arise they can be addressed by the creators of alpha and not rely on some hack patches. Furthermore additional services and APIs can enable for beautiful uniform integrated parts of evilzone (ie services that used to have a link in the previous alpha)
>
> Change isn't always accepted, however I believe alpha is going to be one of the best things that has happened to EvilZone in a LONG time.
>
> I would love to see a full CMS for other sites to use xD


It might be harder, but finding a vulnerability I wouldn't think would be too difficult if you put time and energy into it. And the custom coded forum might not have the greatest security.

There could be SQLi, XSS vulnerabilities, if you dig deep enough into the site. Also, DDoS could also be a huge pain in the ass for ande.

« Last Edit: April 27, 2015, 10:04:10 pm by HTTP »

Offline Schalla

  • VIP
  • Peasant
  • *
  • Posts: 81
  • Cookies: 29
Re: New alpha dev release
« Reply #7 on: April 27, 2015, 10:12:03 pm »
Alpha uses PDO, that should mitigate most SQLi. DDoS has nothing to do with the system itself, at least it's unlikely.
« Last Edit: April 27, 2015, 10:12:12 pm by Schalla »

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
Re: New alpha dev release
« Reply #8 on: April 27, 2015, 10:20:23 pm »
As far as Security is concerned, a DDoS can take a site down, but does not get them on the box to take over the site or dump a database. So Security wise it's not an issue. DDoS will plague any site, regardless of the Security of the code.

Offline HTTP

  • Serf
  • *
  • Posts: 28
  • Cookies: -19
Re: New alpha dev release
« Reply #9 on: April 27, 2015, 10:23:14 pm »
> As far as Security is concerned, a DDoS can take a site down, but does not get them on the box to take over the site or dump a database. So Security wise it's not an issue. DDoS will plague any site, regardless of the Security of the code.


Well, it doesn't have anything to do with the code. But, an attack could hit the database itself and crash it, possibly causing big damage.

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: New alpha dev release
« Reply #10 on: April 27, 2015, 10:34:48 pm »
Okay okay okay okay. Calm down ladies.

@HTTP, why do you like this one better? Security concerns or design/features?

@DeepCopy, I appreciate the trust you have in me, but even I can make mistakes. And there are some valid points here. Closed source and security has rarely ended well. But 'alpha' is not closed source, there have been many eyes on it and there will continue to be. We might even make it open source ish at some point. But I don't think it is a good idea to make it public open source just yet. It is still very much unfinished and unpolished.

PDO does take care of most database related vulnerabilities, but not all. There are queries that need to be done in a different way than PDO wants, but thing is I am very much aware of these, and they are few.

As far as XSS goes I am fairly sure we are up to date.

DDoS has nothing to do with software. Unless you are speaking of a software DoS flaw, which there have been a few of in alpha but most of them have been corrected, and future ones will be fixed swiftly if discovered.

You are all more than welcome to go bug hunting as long as you report what you find :) I would very much appreciate it, in fact.

There has been some time since the alpha GIT was updated because of lack of interest, from me and others. Do tell if you are interested and we'll see what we can do about that.


EDIT: Ps: I just realized this reply might be slightly offending. That was not my intention. <3
« Last Edit: April 27, 2015, 10:36:58 pm by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true
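
The PDO point made in this reply and in Reply #7, as an added example that is not alpha's code: prepared statements bind values, but column names and keywords such as the `ORDER BY` direction cannot be bound, so they are mapped through a fixed allowlist instead. The thread does not say which of alpha's queries fall outside PDO binding; this case, the `posts` table, and the function name are assumptions.

```php
<?php
// Added example: bound values plus an allowlist for the parts PDO cannot bind.
// Schema, data and list_posts() are hypothetical; requires the pdo_sqlite extension.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, created INTEGER)');
$pdo->exec("INSERT INTO posts (author, created) VALUES ('alice', 3), ('bob', 1), ('alice', 2)");

function list_posts(PDO $pdo, string $author, string $sort, string $dir): array
{
    // Identifiers are never taken from the request: the user-supplied key only
    // selects one of these fixed column names, with a safe default.
    $columns = ['date' => 'created', 'id' => 'id'];
    $column = $columns[$sort] ?? 'id';

    // Same idea for the direction keyword: anything but "desc" means ASC.
    $direction = strtolower($dir) === 'desc' ? 'DESC' : 'ASC';

    // Only allowlisted fragments are interpolated; the author value is bound.
    $stmt = $pdo->prepare(
        "SELECT id, author, created FROM posts
         WHERE author = :author
         ORDER BY $column $direction"
    );
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal request: alice's posts, newest first.
print_r(list_posts($pdo, 'alice', 'date', 'desc'));

// Constructed hostile input: the author string is compared as a literal and
// the unknown sort key falls back to the default column.
print_r(list_posts($pdo, "alice' OR '1'='1", 'created; DROP TABLE posts', 'x'));

// The table is intact after the hostile request.
print_r($pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn());
```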

Offline HTTP

  • Serf
  • *
  • Posts: 28
  • Cookies: -19
Re: New alpha dev release
« Reply #11 on: April 27, 2015, 10:42:17 pm »
> Okay okay okay okay. Calm down ladies.
>
> @HTTP, why do you like this one better? Security concerns or design/features?
>
> @DeepCopy, I appreciate the trust you have in me, but even I can make mistakes. And there are some valid points here. Closed source and security has rarely ended well. But 'alpha' is not closed source, there have been many eyes on it and there will continue to be. We might even make it open source ish at some point. But I don't think it is a good idea to make it public open source just yet. It is still very much unfinished and unpolished.
>
> PDO does take care of most database related vulnerabilities, but not all. There are queries that need to be done in a different way than PDO wants, but thing is I am very much aware of these, and they are few.
>
> As far as XSS goes I am fairly sure we are up to date.
>
> DDoS has nothing to do with software. Unless you are speaking of a software DoS flaw, which there have been a few of in alpha but most of them have been corrected, and future ones will be fixed swiftly if discovered.
>
> You are all more than welcome to go bug hunting as long as you report what you find :) I would very much appreciate it, in fact.
>
> There has been some time since the alpha GIT was updated because of lack of interest, from me and others. Do tell if you are interested and we'll see what we can do about that.
>
> EDIT: Ps: I just realized this reply might be slightly offending. That was not my intention. <3


Style, I've never done any vulnerability hunting on this site :P

Offline Darkvision

  • EZ's Fluffer
  • VIP
  • Royal Highness
  • *
  • Posts: 755
  • Cookies: 149
  • Its not a bug, It's a Chilopodas.
Re: New alpha dev release
« Reply #12 on: April 28, 2015, 04:00:10 am »
@ande - I will be poking around at it some, mainly looking for bugs and the like, doubt I would find anything security related :P. That said the look does continue to improve. Kudos on the work :)
The internet: where men are men, women are men, and children are FBI agents.

Ahh, EvilZone.  Where networking certification meets avian fecal matter & all is explained, for better or worse.

<Phage> I used an entrence I never use

Offline Pak_Track

  • Royal Highness
  • ****
  • Posts: 762
  • Cookies: 69
  • Paratrooper
Re: New alpha dev release
« Reply #13 on: April 28, 2015, 10:22:19 am »
Looks great, although, IMO, the logo could lose the 'Quality above Quantity' text. Doesn't seem to fit in.

'Life is but a series of conflicts between the easy way and the right way.'
The more you know, the more you'll realize you know nothing. -Snayler
The problem with being a smart motherfucker is that sometimes the stupid motherfuckers think you're a crazy motherfucker.
dont u hate it when you offer help and the other person says yes -Pakalu Papito