JRSweets
Worker
Joined: Aug 06, 2004
Posts: 192
Posted: Wed Dec 15, 2004 8:50 am

I keep reading how a good security measure to take is to change the default nuke prefix. Will this really help security?

Also, is there a query I could run in phpMyAdmin to do this for me, or do I have to edit each table by hand? I have over 175 tables.
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
Posted: Wed Dec 15, 2004 2:04 pm

I don't believe there's anything in phpMyAdmin, but you could write a quick little PHP program to do it.
oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
Posted: Wed Dec 15, 2004 9:56 pm

Using phpMyAdmin, you could export all your relevant tables to a file. Open the file in a text editor and do a find and replace for nuke_ to somenewprefix_.

Then upload the renamed tables via phpmyadmin -- in batches, if necessary, to avoid timeouts. Lastly, update your config.php to reflect the new prefix.

P.S. Once you've verified that your setup is working fine with the new prefix, you could delete the old tables.
View user's profile Send private message
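Raven's "quick little PHP program" and oprime2001's export/find-and-replace/import procedure both come down to the same thing: giving every nuke_ table a new name and then pointing config.php at it. The script below is an added example, not code from the thread or from PHP-Nuke; it does the rename in place with one RENAME TABLE statement. The connection details and the new prefix are placeholders.

```php
<?php
// Added example (not from the thread): rename every table carrying the old
// PHP-Nuke prefix to a new one with a single RENAME TABLE, instead of dumping,
// editing and re-importing. Placeholders below; back up before applying.
mysqli_report(MYSQLI_REPORT_OFF);   // explicit error checks below, no exceptions
$host = 'localhost'; $user = 'dbuser'; $pass = 'dbpass'; $db = 'nukedb';
$oldPrefix = 'nuke_';
$newPrefix = 'qz81_';   // anything not guessable; keep the trailing underscore
$dryRun    = true;      // print the statement only; set false to apply it

// Prefixes end up inside identifiers, so accept nothing but [A-Za-z0-9_].
foreach ([$oldPrefix, $newPrefix] as $p) {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $p)) {
        fwrite(STDERR, "Refusing unsafe prefix '$p'\n");
        exit(1);
    }
}

$mysqli = new mysqli($host, $user, $pass, $db);
if ($mysqli->connect_error) {
    fwrite(STDERR, "Connect failed: {$mysqli->connect_error}\n");
    exit(1);
}

// In LIKE patterns '_' is a one-character wildcard, so escape it before matching.
$like = $mysqli->real_escape_string(str_replace('_', '\\_', $oldPrefix)) . '%';
$result = $mysqli->query("SHOW TABLES LIKE '$like'");
$pairs = [];
while ($row = $result->fetch_row()) {
    $old = $row[0];
    $new = $newPrefix . substr($old, strlen($oldPrefix));
    // Backtick-quote identifiers (doubling any literal backtick) so odd names survive.
    $pairs[] = sprintf('`%s` TO `%s`', str_replace('`', '``', $old), str_replace('`', '``', $new));
}
if (!$pairs) { echo "No tables start with '$oldPrefix'; nothing to do.\n"; exit(0); }

// One statement renames all tables atomically, so config.php never points at a
// half-renamed schema if something fails part-way through.
$sql = 'RENAME TABLE ' . implode(",\n  ", $pairs);
echo $sql, "\n";
if ($dryRun) {
    echo "Dry run: " . count($pairs) . " tables would be renamed.\n";
    exit(0);
}
if (!$mysqli->query($sql)) {
    fwrite(STDERR, "Rename failed: {$mysqli->error}\n");
    exit(1);
}
// PHP-Nuke's config.php holds the prefix without the underscore, so drop it here.
echo count($pairs), " tables renamed. Set \$prefix = \"", rtrim($newPrefix, '_'), "\"; in config.php.\n";
```

Run it once with `$dryRun = true` to review the generated statement, then apply it and update `$prefix` in config.php in the same maintenance window so the site never runs against the old names.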
PHrEEkie
Subject Matter Expert
Joined: Feb 23, 2004
Posts: 358
Posted: Wed Dec 15, 2004 10:47 pm

Has anyone heard of an exploit that was possible to pull off with just knowing a particular table's exact name? I sure haven't... Full path disclosure would only help a hacker attack an insecure webserver, and in today's hacker-aware environment, it's pretty rare to find an insecure webserver (at least one so weak that a full path disclosure would get them in). Knowing an exact table name seems to be a notch or two below FPD in terms of concern.

Again, I cite phpBB. Vastly popular, and I'd gather that a huge majority of those using it leave the default prefix of phpbb_. If a vuln surfaced where just 'hiding' the prefix solved the problem, we'd all be quite aware of it by now. All scripts conveniently provide $prefix, so obviously you could switch prefix names every hour, but in the end a script allowing a SQL injection is still going to allow it. :: shrug ::

This all makes about as much sense to me as renaming admin.php, but I guess if you have a lot of time on your hands, enjoy...

PHrEEk
oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
Posted: Wed Dec 15, 2004 11:03 pm

PHrEEkie wrote:
Has anyone heard of an exploit that was possible to pull off with just knowing a particular table's exact name?

Didn't all those UNION exploits from back in the days of the (orig) hack attempt script (before the time of NukeSentinel) use a particular table's exact name? If your site wasn't using the default nuke_, then the skiddies couldn't easily use the exploits.

Then again, "past performance is no indicator of future results. Historical performance does not promise the same results in the future." Or, at least that's what my broker tells me.
PHrEEkie
Subject Matter Expert
Joined: Feb 23, 2004
Posts: 358
Posted: Wed Dec 15, 2004 11:57 pm

Hmm... if that's the case, it must have been during the time I was satisfied with my Nuke setup and wasn't trolling the communities as much (watches Raven laugh heartily). But at any rate, those are all fixed, and honestly I don't remember anything from the past or anything current where knowing an exact table name allowed an attack and a hidden table name thwarted it. I would assume that if such an attack became known, Sentinel would be programmed to catch it faster than most of us could change the prefixes. In Sentinel we trust.

I'm not a blind Sentinel user either... I've been through the code for Sentinel, and I'm here to tell anyone that it's a great piece of work, and was written to be specifically flexible enough to add new vulns immediately. I wouldn't just use that as my only security layer, and I guess I'm lucky to have a dedicated server all my own where I can control all aspects of the server. Therefore, for me, server-side security in conjunction with Sentinel is all I use, and in 3 years I've only been hacked once, with the old News hack (very minor, site restored in about 2 mins). I won't be renaming my tables, but I guess if I were to do a fresh site install, I might make the prefix unique just for shiz 'n gigs.

Shout out to the Windy City! Cheers...

PHrEEk
JRSweets
Worker
Joined: Aug 06, 2004
Posts: 192
Posted: Thu Dec 16, 2004 8:09 am

Thanks for all the input, guys. I have been reading stuff about changing the prefix lately and was not sure if I should do it or not.
The comments are property of their posters, all the rest © 2002-2011 by Raven