Community

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

NodeBB 2.8.7 Security Update

NodeBB Development

1 Posts 1 Posters 65 Views

B Offline

B Offline
<baris> NodeBB
wrote on last edited by

#1

A bug in our message parsing code can result in remote code execution.

Affected versions >=2.5.0 <2.8.7

We have resolved this in the latest version of NodeBB(2.8.7), and the fix has already been rolled out as a patch on all of our hosted customers.

The fix is included in the latest 2.8.7 release https://github.com/NodeBB/NodeBB/releases/tag/v2.8.7.

If you are not able to upgrade to the latest release, you can also cherry-pick or apply this commit manually https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092
1 Reply Last reply
2

Suggested Topics

B

NodeBB 2.8.1 Security Update
Scheduled Pinned Locked Moved NodeBB Development security 2.8.1

3 Votes

4 Posts

286 Views

B

It is basically the same vulnerability exploited with a different socket call. The initial fix in 2.6.1 only prevented a specific case, the fix in 2.8.1 should cover all cases.
You can either upgrade to 2.8.1 or only get the changes from the specific commit.
G

nodebb, nginx, and modsecurity?
Scheduled Pinned Locked Moved Technical Support security

2 Votes

5 Posts

556 Views

G

Maybe not a lot of interest in this due to complexity of deploying/configuring ModSecurity, combined w/absence of nodebb stack specific rulesets. Security is difficult so not much can be done about the deploy/config aspects but ModSecurity devs are starting to focus some efforts on the latter.

For those interested, and willing to roll up their sleeves, development of node.js targeted attack ruleset is slated for next release of OWASP CRS, scheduled for Sept. 2019. More info here:

https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1487#issuecomment-519071541

P.S.; Obviously ModSecurity can be deployed on Apache setups as well but my sense is that Nginx is the overwhelming favorite w/the nodebb community and I didn't want to start a new thread.
D

How to add a skin for NodeBB Persona
Scheduled Pinned Locked Moved NodeBB Development

0 Votes

4 Posts

1653 Views

D

I'd like to do the same. For instance, some folks don't like round avatars, so I would override the CSS for that. Other folks want zero color, so I'd make a monochrome skin.
X

Multifactor Authentication e.g. Authy, Google Authenticator
Scheduled Pinned Locked Moved Feature Requests two step auth authy multifactor security

2 Votes

3 Posts

2255 Views

S

On my to-do list. But it's down there a ways.
D

Security logging?
Scheduled Pinned Locked Moved NodeBB Development plugin logging security

0 Votes

3 Posts

2001 Views

D

Yeah, events.js seems like it should contain the functionality for this. It currently only logs UID, but a lot of those functions should probably log the IP of the triggering party as well.

It seems like the only way to do that is to have IP be a parameter for most of those calls. That's a little tedious.

my fantasy: events are logged to the db as well as flatfile, have severity/importance levels, contain as much info as possible about who triggered it if the logging fn is passed a socket or request object, there's hooks for events of high severity, by default sends email or notification to admins when high-sev occurs

Community

NodeBB 2.8.7 Security Update

Suggested Topics

NodeBB 2.8.1 Security Update

nodebb, nginx, and modsecurity?

How to add a skin for NodeBB Persona

Multifactor Authentication e.g. Authy, Google Authenticator

Security logging?