Security, Security, Security.

NodeBB Development
17 Posts 7 Posters 7.3k Views
  • #1 dylenbrivera wrote:

    Just how secure is NodeBB? Just wondering if we have any info-sec concerned devs here to support NodeBB. Any comments?

  • #2 Scuzz wrote:

    Give me your Admin username and password and I can test the website out for you.
    Also, your root password would be nice too, just so I can test a few other things out.

  • #3 dylenbrivera wrote:

    Sure thing coming right up. lol

  • #4 a_5mith replied to dylenbrivera:

    @dylenbrivera Assuming you use a good redis password and a good ssh password, I see no reason why it shouldn't be fine. Pretty sure all known exploits are patched/fixed etc. 👍

    Obviously though if someone has a keylogger on your computer and finds out what you typed into SSH, then, well. No, it's not. 😆

  • #5 dylenbrivera wrote:

    I think I'm more concerned with Web Sec vs Sys Admin Sec.

  • #6 a_5mith replied to dylenbrivera:

    @dylenbrivera On a sidenote, just checked your forum, psychobunny made a simple CMS for nodebb, so your About Us and Join Us pages can go in the header along with everything else.

    You can find it here

  • #7 dylenbrivera replied to a_5mith:

    @a_5mith Thanks for the feedback. Much appreciated.

  • #8 a_5mith replied to dylenbrivera:

    @dylenbrivera This was supposed to go in your other thread, but the composer said otherwise. You're welcome. 👍

  • #9 finid replied to dylenbrivera:

    @dylenbrivera said:

    Sure thing coming right up. lol

    It's a bad idea to give out your login creds to some dude you met online. If you want to test the security posture/profile of your site, there are any number of automated tools available just for that purpose. For starters, try http://w3af.org/.

    I'm not suggesting that @Josh can't be trusted, but if you have a valuable online asset, never give out the login creds like this.

    Btw, W3af ships with the latest edition of Kali Linux.

  • #10 dylenbrivera replied to finid:

    @planner I'm a student of the Penetration Testing with Kali Linux Offensive Security course. I was being sarcastic in my response (I'm bad with sarcasm). However, thanks for looking out.

  • #11 finid replied to dylenbrivera:

    @dylenbrivera said:

    I'm a student of the Penetration Testing with Kali Linux Offensive Security Course.. I was being sarcastic in my response

    Good...

    I actually missed the import of that 3-letter acronym that starts and ends with an l.

  • #12 Scuzz wrote:

    Gotta be ready for that social engineering too! 😛

  • #13 julian replied to a_5mith:

    @a_5mith said:

    Assuming you use a good redis password and a good ssh password, I see no reason why it shouldn't be fine.

    You can do one better by disabling text password logins completely and allowing login from authorized SSH keys only 😄

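The key-only SSH setup julian suggests, as an added example that is not part of the original post and not NodeBB code: a POSIX shell audit of an sshd_config that reports whether password or keyboard-interactive logins are still possible. The two config files are constructed samples, and the function names (`sshd_effective`, `sshd_audit`) are mine. Two details matter in practice: sshd applies the first value it reads for a keyword, and `PasswordAuthentication no` on its own still leaves PAM's keyboard-interactive prompt able to accept a password.

```shell
#!/bin/sh
# Added example (not NodeBB code): audit an sshd_config for a key-only
# login policy. sshd applies the FIRST value it reads for a keyword, and
# "PasswordAuthentication no" alone is not enough, because keyboard-
# interactive (PAM) logins can still accept a password.

# sshd_effective FILE KEYWORD DEFAULT -> effective value in the global section.
# Anything after the first "Match" line is conditional and is not read here.
sshd_effective() {
    awk -v kw="$2" -v def="$3" '
        tolower($1) == "match"               { exit }   # END still runs
        /^[[:space:]]*#/ || NF < 2           { next }   # comment or blank
        tolower($1) == tolower(kw) && !found { val = $2; found = 1 }  # first wins
        END { print (found ? val : def) }
    ' "$1"
}

# sshd_audit FILE -> returns 0 when only public-key logins are possible, else 1.
# Defaults below are OpenSSH's own (PermitRootLogin prohibit-password since 7.0).
sshd_audit() {
    f="$1"; bad=0
    pw=$(sshd_effective "$f" PasswordAuthentication yes)
    kbd=$(sshd_effective "$f" KbdInteractiveAuthentication yes)
    chal=$(sshd_effective "$f" ChallengeResponseAuthentication "$kbd")  # older alias
    pub=$(sshd_effective "$f" PubkeyAuthentication yes)
    root=$(sshd_effective "$f" PermitRootLogin prohibit-password)
    empty=$(sshd_effective "$f" PermitEmptyPasswords no)

    case "$pw" in [Yy]*) echo "WEAK: PasswordAuthentication $pw"; bad=1 ;; esac
    case "$kbd$chal" in *[Yy]*)
        echo "WEAK: keyboard-interactive enabled (KbdInteractiveAuthentication $kbd, ChallengeResponseAuthentication $chal); PAM can still ask for a password"
        bad=1 ;;
    esac
    case "$root" in [Yy]*) echo "WEAK: PermitRootLogin $root"; bad=1 ;; esac
    case "$empty" in [Yy]*) echo "WEAK: PermitEmptyPasswords $empty"; bad=1 ;; esac
    case "$pub" in [Nn]*) echo "BROKEN: PubkeyAuthentication $pub would lock everyone out"; bad=1 ;; esac
    grep -qi '^[[:space:]]*Match' "$f" && echo "NOTE: Match blocks present; check them with 'sshd -T -C user=...' on the host"
    [ "$bad" -eq 0 ] && echo "OK: $f permits key-based logins only"
    return "$bad"
}

tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT

# Constructed sample: password logins left on, root allowed in.
cat > "$tmpdir/weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample: keys only. The second PasswordAuthentication line is
# ignored (first value wins) and the Match block only affects one user.
cat > "$tmpdir/hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
EOF

sshd_audit "$tmpdir/weak" || true
sshd_audit "$tmpdir/hardened"
```

On a real host, `sshd -T` prints the configuration sshd actually uses after defaults and includes are applied, which is the safer thing to feed to a check like this than the raw file.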
  • #14 jeremy replied to dylenbrivera:

    TL;DR. NodeBB is secure enough practically.

    In theory, NodeBB has some security weaknesses.

    • Lack of captcha support
      This is the only real security concern (I hate the captcha).
      • https://community.nodebb.org/topic/150/nodebb-anti-spam/12
      • https://community.nodebb.org/topic/1026/captcha-on-registration/4

    Oops, I had outdated information.
    nodebb-plugin-spam-be-gone (https://github.com/akhoury/nodebb-plugin-spam-be-gone) supports Google reCAPTCHA.

    • DBMS authentication
      NodeBB supports Redis, MongoDB and LevelDB.
      These DBMSs don't support authentication in the default configuration.
      But you can change the config, and NodeBB warns you when your DBMS doesn't support authentication.

    • Publicly readable src directory
      The $NODEBB_HOME/public/src directory is readable by any web user (for example, https://community.nodebb.org/src/variables.js).
      If you block access to this directory, NodeBB doesn't work.
      IMO, this is not a security vulnerability.
      But you can easily tell whether your target is running a NodeBB forum, and some security professionals would insist that this is a security vulnerability.

    And...

    • Transport layer security
      This is not the responsibility of the NodeBB developers; it is yours. Use SSL whenever possible.
      Upgrade Node.js to v0.8.27 or v0.10.29. (http://blog.nodejs.org/2014/06/16/openssl-and-breaking-utf-8-change/)

    • Server-side JavaScript injection, CSRF, XSS and other OWASP Top 10 things
      There is no known security vulnerability now.
      (I didn't perform a manual source code security audit or an automatic vulnerability assessment.)

    p.s. If you find a security vulnerability in NodeBB, please notify Julian Lam @julian and the community.

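The "DBMS authentication" point above, as an added example that is not part of the original post and not NodeBB's or Redis's code: a POSIX shell check that a redis.conf requires a password and listens on loopback only, and that the NodeBB config.json actually carries that password. The config files are constructed samples, the function names (`redis_effective`, `redis_audit`, `nodebb_password_empty`) are mine, and the JSON check is a grep rather than a parser. One detail worth knowing: redis.conf applies the last value of a directive, the opposite of sshd_config.

```shell
#!/bin/sh
# Added example (not NodeBB's or Redis's code): verify that the Redis
# behind NodeBB cannot be used without a password and that NodeBB's
# config.json carries one. In redis.conf the LAST value of a directive wins.

# redis_effective FILE DIRECTIVE DEFAULT -> effective value (last occurrence)
redis_effective() {
    awk -v kw="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(kw) {             # later lines override earlier ones
            val = $2; for (i = 3; i <= NF; i++) val = val " " $i; found = 1
        }
        END { print (found ? val : def) }
    ' "$1"
}

# redis_audit CONF -> 0 if the instance is neither passwordless nor exposed, else 1
redis_audit() {
    f="$1"; bad=0
    pass=$(redis_effective "$f" requirepass "")
    bind=$(redis_effective "$f" bind "")            # empty: listens on every interface
    prot=$(redis_effective "$f" protected-mode yes)  # Redis 3.2 and later only
    if [ -z "$pass" ]; then
        echo "WEAK: no requirepass; anyone who reaches the port gets every key (and CONFIG SET)"; bad=1
    elif [ "${#pass}" -lt 32 ]; then
        echo "WEAK: requirepass is ${#pass} chars; Redis has no lockout, so a short one is brute-forceable"; bad=1
    fi
    for addr in ${bind:-0.0.0.0}; do
        case "$addr" in
            127.*|::1|-127.*|-::1) ;;
            *) echo "WEAK: bind $addr is reachable from the network"; bad=1 ;;
        esac
    done
    if [ -z "$pass" ] && [ -z "$bind" ]; then
        case "$prot" in [Yy]*) echo "NOTE: protected-mode limits this to loopback on Redis 3.2+; older builds have no such guard" ;; esac
    fi
    [ "$bad" -eq 0 ] && echo "OK: $f requires a password and listens on loopback only"
    return "$bad"
}

# nodebb_password_empty CONFIG_JSON -> 0 if a "password": "" entry is present.
# A grep, not a JSON parser: enough to catch the empty default.
nodebb_password_empty() {
    grep -Eq '"password"[[:space:]]*:[[:space:]]*""' "$1"
}

tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT

# Constructed sample: what a stock install amounts to (no password, all interfaces)
cat > "$tmpdir/redis.default.conf" <<'EOF'
port 6379
bind 0.0.0.0
EOF

# Constructed sample: password set, loopback only. The first requirepass is
# overridden by the later one, which is the value NodeBB must be given.
cat > "$tmpdir/redis.hardened.conf" <<'EOF'
port 6379
requirepass changeme
bind 127.0.0.1 ::1
requirepass NodeBB-sample-redis-password-0123456789abcdef
EOF

# Constructed NodeBB config.json fragments using NodeBB's "redis" keys
cat > "$tmpdir/config.weak.json" <<'EOF'
{ "redis": { "host": "127.0.0.1", "port": "6379", "password": "", "database": "0" } }
EOF
cat > "$tmpdir/config.hardened.json" <<'EOF'
{ "redis": { "host": "127.0.0.1", "port": "6379",
             "password": "NodeBB-sample-redis-password-0123456789abcdef", "database": "0" } }
EOF

for c in default hardened; do redis_audit "$tmpdir/redis.$c.conf" || true; done
for c in weak hardened; do
    if nodebb_password_empty "$tmpdir/config.$c.json"; then
        echo "WEAK: config.$c.json has an empty redis password"
    else
        echo "OK: config.$c.json sets a redis password"
    fi
done
```

The same shape of check applies to MongoDB: NodeBB's config.json has a "mongo" section with its own username and password, and a mongod started without authorization enabled accepts them without checking anything.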
  • #15 igbuend replied to dylenbrivera:

    @dylenbrivera My NodeBB forum (The Cellar, still in alpha) is geared towards hackers. Although nobody did a full audit yet, many members already ran some tests. When I find the time, I will perform a full review.

  • #16 julian wrote:

    @igbuend I get an SSL warning when I go to your site 😞

  • #17 dylenbrivera replied to julian:

    @julian said:

    @igbuend I get an SSL warning when I go to your site 😞

    same for me.


Copyright © 2023 NodeBB | Contributors
Powered by NodeBB