@Chris that's for the downvote 😉
Security, Security, Security.
@a_5mith Thanks for the feedback. Much appreciated.
@dylenbrivera This was supposed to go in your other thread, but the composer said otherwise. You're welcome.
Sure thing coming right up. lol
It's a bad idea to give out your login creds to some dude you met online. If you want to test the security posture/profile of your site, there are any number of automated tools available just for that purpose. For starters, try http://w3af.org/.
I'm not suggesting that @Josh can't be trusted, but if you have a valuable online asset, never give out the login creds like this.
Btw, W3af ships with the latest edition of Kali Linux.
@planner I'm a student of the Penetration Testing with Kali Linux Offensive Security Course. I was being sarcastic in my response (I'm bad with sarcasm). However, thanks for looking out.
I actually missed the import of that 3-letter acronym that starts and ends with an l.
Gotta be ready for that social engineering too!
Assuming you use a good redis password and a good ssh password, I see no reason why it shouldn't be fine.
You can do one better by disabling text password logins completely and allowing login only from authorized ssh keys.
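To make the "keys only" advice above checkable rather than a matter of memory, here is an added example (my own, not code from the thread or from NodeBB) that audits an sshd_config the way sshd reads it: the first value of a keyword wins, and anything after a Match line is conditional. It also flags Match blocks that quietly re-enable passwords for some user, which is the case people most often miss. Both sample configs are constructed inline; the awk parsing and the three keywords checked are the only assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from NodeBB: audit an sshd_config
# for the "keys only" setup. Assumptions: sshd's own rule that the FIRST value
# of a keyword wins, and that directives after a "Match" line are conditional,
# so the global verdict is taken from the section before any Match.

# sshd_effective FILE 'keyword|alias' DEFAULT
# Prints the effective global value of the keyword (or one of its aliases),
# falling back to DEFAULT when it is never set. Matching is case-insensitive,
# as in sshd, and the "Keyword=value" spelling is normalised first.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
        { sub(/[[:space:]]*=[[:space:]]*/, " "); $0 = $0 } # "Key=value" -> "Key value"
        tolower($1) == "match" { exit }                    # rest of file is conditional
        tolower($1) ~ "^(" key ")$" { val = tolower($2); found = 1; exit }
        END { print (found ? val : dflt) }
    ' "$1"
}

# sshd_key_only FILE
# Exit 0 when only public-key logins are possible; otherwise print each
# remaining password path and exit 1.
sshd_key_only() {
    f=$1; rc=0
    pw=$(sshd_effective "$f" passwordauthentication yes)   # sshd default: yes
    pk=$(sshd_effective "$f" pubkeyauthentication yes)     # sshd default: yes
    # ChallengeResponseAuthentication is the older alias of KbdInteractiveAuthentication;
    # PAM can still prompt for a password through it when it is left on.
    kbd=$(sshd_effective "$f" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    [ "$pw" = no ]  || { echo "PasswordAuthentication is '$pw' (want no)"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is '$pk' (want yes)"; rc=1; }
    [ "$kbd" = no ] || { echo "KbdInteractiveAuthentication is '$kbd' (want no)"; rc=1; }
    # Match blocks can reopen a password path for particular users/groups.
    reopened=$(awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { inmatch = 1; ctx = $0; next }
        inmatch && tolower($1) ~ /^(password|kbdinteractive|challengeresponse)authentication$/ \
            && tolower($2) == "yes" { print "  " ctx " -> " $0 }
    ' "$f")
    [ -z "$reopened" ] || { echo "password login re-enabled inside a Match block:"; echo "$reopened"; rc=1; }
    return $rc
}

# Two constructed sample configs; the trap removes them at exit.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
# constructed sample: typical distro default, the hardening line is still commented out
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
# constructed sample: every password path closed in the global section
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User deploy
    X11Forwarding no
EOF

for f in "$WEAK" "$HARD"; do
    if sshd_key_only "$f"; then echo "$f: key-only login"; else echo "$f: password login still possible"; fi
done
```

Run it against your real file with `sshd_key_only /etc/ssh/sshd_config`; on the weak sample it reports the commented-out directive (so the default "yes" applies), the keyboard-interactive path, and the Match block, while the hardened sample passes. Restart sshd only after confirming your key login works in a second session.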
jeremy last edited by jeremy
TL;DR: NodeBB is secure enough, practically speaking.
In theory, NodeBB has some security weaknesses.
- Lack of captcha support
This is the only real security concern (I hate the captcha).
Oops, I had outdated information.
nodebb-plugin-spam-be-gone (https://github.com/akhoury/nodebb-plugin-spam-be-gone) supports Google recaptcha.
NodeBB supports Redis, MongoDB and LevelDB.
These DBMSs don't support authentication in the default configuration.
But you can change the config, and NodeBB warns you when your DBMS doesn't support authentication.
- Public readable src directory
The $NODEBB_HOME/public/src directory is readable by any web user (for example, https://community.nodebb.org/src/variables.js).
If you block this directory access, NodeBB doesn't work.
IMO, this is not a security vulnerability.
But you can easily tell whether a target is running a NodeBB forum, and some security professionals would insist that this is a security vulnerability.
- Transport layer security
This is not the responsibility of the NodeBB developers; it is yours. Use SSL whenever possible.
Upgrade Node.js to v0.8.27 or v0.10.29. (http://blog.nodejs.org/2014/06/16/openssl-and-breaking-utf-8-change/)
There is no known security vulnerability now.
(I didn't perform a manual source code security audit or an automated vulnerability assessment.)
p.s. If you find a security vulnerability in NodeBB, please notify Julian Lam (@julian) and the community.
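On the DBMS point above (Redis shipping without authentication until you change the config), here is an added example of my own, not code from the thread or from NodeBB, that audits a redis.conf for the settings that leave the database open: no requirepass, a bind that reaches beyond loopback, or protected-mode switched off. Assumptions are Redis' own directive names, that the last occurrence of a directive wins when Redis reads its file, and this script's own 32-character threshold for the password; both sample configs are constructed inline. The password you set here also has to go into NodeBB's config.json (as far as I recall, the `password` field under `redis`; treat that as an assumption).

```shell
#!/bin/sh
# Added example, not code from the thread or from NodeBB: audit a redis.conf for
# the settings that leave a NodeBB database reachable without a password.
# Assumptions: Redis' directive names (requirepass, bind, protected-mode), that
# the LAST occurrence of a directive wins (how Redis reads its file), and this
# script's own 32-character minimum for the password.

# redis_directive FILE DIRECTIVE
# Prints the value of the last active occurrence (surrounding quotes stripped),
# or nothing when the directive is never set. Directive names are case-insensitive.
redis_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }               # comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); val = $0 }
        END { gsub(/^"|"$/, "", val); print val }
    ' "$1"
}

# redis_exposure_audit FILE
# Exit 0 when the instance is locked down; otherwise print findings and exit 1.
redis_exposure_audit() {
    f=$1; rc=0
    pass=$(redis_directive "$f" requirepass)
    bind=$(redis_directive "$f" bind)
    pmode=$(redis_directive "$f" protected-mode)
    if [ -z "$pass" ]; then
        echo "no requirepass: anyone who can reach the port gets full read/write access"; rc=1
    elif [ ${#pass} -lt 32 ]; then
        # redis.conf's own comment warns that AUTH is fast enough for short passwords to be guessed
        echo "requirepass is only ${#pass} characters (this script wants 32 or more)"; rc=1
    fi
    if [ -z "$bind" ]; then
        echo "no bind directive: Redis listens on every interface"; rc=1
    else
        for addr in $bind; do
            case "${addr#-}" in            # strip the optional "-" prefix Redis 7 allows
                127.0.0.1|::1) ;;
                *) echo "bind $addr: reachable from beyond the loopback interface"; rc=1 ;;
            esac
        done
    fi
    [ "$pmode" != no ] || { echo "protected-mode no: the no-password safety net is switched off"; rc=1; }
    return $rc
}

# Two constructed sample configs; the trap removes them at exit.
OPEN=$(mktemp); LOCKED=$(mktemp)
trap 'rm -f "$OPEN" "$LOCKED"' EXIT
cat > "$OPEN" <<'EOF'
# constructed sample: stock file with the password line still commented out,
# bound to every interface so the app server can reach it remotely
port 6379
# requirepass foobared
bind 0.0.0.0
EOF
cat > "$LOCKED" <<'EOF'
# constructed sample: loopback only, long password (NodeBB's config.json must carry the same one)
port 6379
bind 127.0.0.1
protected-mode yes
requirepass "constructed-example-password-do-not-reuse-0123456789"
EOF

for f in "$OPEN" "$LOCKED"; do
    if redis_exposure_audit "$f"; then echo "$f: locked down"; else echo "$f: exposed"; fi
done
```

Point it at the real file with `redis_exposure_audit /etc/redis/redis.conf`. If NodeBB and Redis sit on different hosts, loopback-only is not an option; then the password plus a firewall rule limited to the app server is the fallback, and the bind finding is the one to read with that in mind.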
@igbuend I get an SSL warning when I go to your site