Security, Security, Security.

dylenbrivera

Just how secure is NodeBB? Just wondering if we have any info-sec concerned devs here to support NodeBB. Any comments?

Scuzz

Give me your Admin username and password and I can test the website out for you.
Also, your root password would be nice too, just so I can test a few other things out.

dylenbrivera

Sure thing coming right up. lol

a_5mith

@dylenbrivera Assuming you use a good redis password and a good ssh password, I see no reason why it shouldn't be fine. Pretty sure all known exploits are patched/fixed etc.

Obviously though if someone has a keylogger on your computer and finds out what you typed into SSH, then, well. No, it's not.

dylenbrivera

I think I'm more concerned with Web Sec vs Sys Admin Sec.

a_5mith

@dylenbrivera On a sidenote, just checked your forum, psychobunny made a simple CMS for nodebb, so your About Us and Join Us pages can go in the header along with everything else.

You can find it here

dylenbrivera

@a_5mith Thanks for the feedback. Much appreciated.

a_5mith

@dylenbrivera This was supposed to go in your other thread, but the composer said otherwise. You're welcome.

finid

@dylenbrivera said:

Sure thing coming right up. lol

It's a bad idea to give out your login creds to some dude you met online. If you want to test the security posture/profile of your site, there are any number of automated tools available just for that purpose. For starters, try http://w3af.org/.

I'm not suggesting that @Josh can't be trusted, but if you have a valuable online asset, never give out the login creds like this.

Btw, W3af ships with the latest edition of Kali Linux.

dylenbrivera

@planner I'm a student of the Penetration Testing with Kali Linux Offensive Security Course.. I was being sarcastic in my response(I'm bad with sarcasm). However thanks for looking out.

finid

@dylenbrivera said:

I'm a student of the Penetration Testing with Kali Linux Offensive Security Course.. I was being sarcastic in my response

Good...

I actually missed the import of that 3-letter acronym that starts and ends with an l.

Scuzz

Gotta be ready for that social engineering too!

julian

@a_5mith said:

Assuming you use a good redis password and a good ssh password, I see no reason why it shouldn't be fine.

You can do one better by disabling text password logins completely and allowing only login from authorized ssh keys only

jeremy

TL;DR. NodeBB is secure enough practically.

In theory, NodeBB has some security weakness.

• Lack of captcha support
  This is the only real security concern (I hate the captcha).
  • https://community.nodebb.org/topic/150/nodebb-anti-spam/12
  • https://community.nodebb.org/topic/1026/captcha-on-registration/4

Oops, I had an outdated information.
nodebb-plugin-spam-be-gone (https://github.com/akhoury/nodebb-plugin-spam-be-gone) supports Google recaptcha.

• DBMS authentication
  NodeBB supports Redis, MongoDB and LevelDB.
  These DBMS don't support authentication in the default configuration.
  But, you can change the config, and NodeBB warns you when your DBMS doesn't support authentication.

• Public readable src directory
  $NODEBB_HOME/public/src directory are readable by any web users. (for example. https://community.nodebb.org/src/variables.js)
  If you block this directory access, NodeBB doesn't work.
  IMO, This is not a security vulnerability.
  But, you can know whether your target is using NodeBB forum with ease and some security professionals would insist that this is the security vulnerability.

And...

• Transport layer security
  This is not the responsibility of NodeBB developers. it is yours. use SSL whenever possible.
  Upgrade Node.js to v0.8.27 or v0.10.29. (http://blog.nodejs.org/2014/06/16/openssl-and-breaking-utf-8-change/)

• Server side JavaScript injection, CSRF, XSS and other OWASP Top 10 things
  There is no known security vulnerability now.
  (I didn't perform the manual source code security audit or the automatic vulnerability assessment.)

p.s. If you find the security vulnerability of NodeBB, please notify to Julian Lam @julian and the community.

igbuend

@dylenbrivera My NodeBB forum (The Cellar, still in alpha) is geared towards hackers. Although nobody did a full audit yet, many members already ran some tests. When I find the time, I will perform a full review.

julian

@igbuend I get an SSL warning when I go to your site

dylenbrivera

@julian said:

@igbuend I get an SSL warning when I go to your site

same for me.