Security, Security, Security.
-
Just how secure is NodeBB? Just wondering if we have any info-sec concerned devs here to support NodeBB. Any comments?
-
Sure thing coming right up. lol
-
@dylenbrivera Assuming you use a good redis password and a good ssh password, I see no reason why it shouldn't be fine. Pretty sure all known exploits are patched/fixed etc.
Obviously though if someone has a keylogger on your computer and finds out what you typed into SSH, then, well. No, it's not.
-
I think I'm more concerned with Web Sec vs Sys Admin Sec.
-
@dylenbrivera On a sidenote, just checked your forum, psychobunny made a simple CMS for nodebb, so your About Us and Join Us pages can go in the header along with everything else.
You can find it here
-
@dylenbrivera This was supposed to go in your other thread, but the composer said otherwise. You're welcome.
-
@dylenbrivera said:
Sure thing coming right up. lol
It's a bad idea to give out your login creds to some dude you met online. If you want to test the security posture/profile of your site, there are any number of automated tools available just for that purpose. For starters, try http://w3af.org/.
I'm not suggesting that @Josh can't be trusted, but if you have a valuable online asset, never give out the login creds like this.
Btw, W3af ships with the latest edition of Kali Linux.
-
@planner I'm a student of the Penetration Testing with Kali Linux Offensive Security Course.. I was being sarcastic in my response(I'm bad with sarcasm). However thanks for looking out.
-
@dylenbrivera said:
I'm a student of the Penetration Testing with Kali Linux Offensive Security Course.. I was being sarcastic in my response
Good...
I actually missed the import of that 3-letter acronym that starts and ends with an l.
-
@a_5mith said:
Assuming you use a good redis password and a good ssh password, I see no reason why it shouldn't be fine.
You can do one better by disabling text password logins completely and allowing only login from authorized ssh keys only
-
TL;DR. NodeBB is secure enough practically.
In theory, NodeBB has some security weakness.
- Lack of captcha support
This is the only real security concern (I hate the captcha).
Oops, I had an outdated information.
nodebb-plugin-spam-be-gone (https://github.com/akhoury/nodebb-plugin-spam-be-gone) supports Google recaptcha.-
DBMS authentication
NodeBB supports Redis, MongoDB and LevelDB.
These DBMS don't support authentication in the default configuration.
But, you can change the config, and NodeBB warns you when your DBMS doesn't support authentication. -
Public readable src directory
$NODEBB_HOME/public/src directory are readable by any web users. (for example. https://community.nodebb.org/src/variables.js)
If you block this directory access, NodeBB doesn't work.
IMO, This is not a security vulnerability.
But, you can know whether your target is using NodeBB forum with ease and some security professionals would insist that this is the security vulnerability.
And...
-
Transport layer security
This is not the responsibility of NodeBB developers. it is yours. use SSL whenever possible.
Upgrade Node.js to v0.8.27 or v0.10.29. (http://blog.nodejs.org/2014/06/16/openssl-and-breaking-utf-8-change/) -
Server side JavaScript injection, CSRF, XSS and other OWASP Top 10 things
There is no known security vulnerability now.
(I didn't perform the manual source code security audit or the automatic vulnerability assessment.)
p.s. If you find the security vulnerability of NodeBB, please notify to Julian Lam @julian and the community.
- Lack of captcha support
-
@dylenbrivera My NodeBB forum (The Cellar, still in alpha) is geared towards hackers. Although nobody did a full audit yet, many members already ran some tests. When I find the time, I will perform a full review.
