Is socket.uid reliably secure?

NodeBB Development

Suggested Topics

  • 3 Votes
    1 Posts

    Hello all,

We are notifying you today about a security vulnerability that was present in older versions of NodeBB. We were notified of these vulnerabilities on 25 May 2022, and patched and released fixed versions of NodeBB, v2.0.1 and v1.19.8, three days later, on 28 May.

    The specifics of this vulnerability are available upon request, but they are considered critical and affect the security of any site running an affected version of NodeBB. Admins are urged to upgrade to these patched versions as soon as possible.

    Alternatively, the following changesets can be cherry-picked into your installation of NodeBB in lieu of a full upgrade:

    v2.x v1.19.x

    As always, the NodeBB team is available at your disposal to answer any questions or provide assistance in implementing these changesets.

    For more information on the security vulnerability, please visit the GitHub Security Advisory page for this disclosure
  • 0 Votes
    7 Posts

    @Bri said in MongoDB reliability called into question?:

    Something else I've been looking at are graph databases like Neo4j and Arango, and now I'm kind of anticipating that you're going to tell me that it's in the same boat (i.e. old tech with a new name)

Nope, old, and still with the old name 🙂 Graph databases are known to go back to at least 1969.

  • 0 Votes
    9 Posts

    @julian said:

    I'm unfamiliar with C#, and we don't handle socket establishing on our end, we just let the library handle it.

    Perhaps you can get a better idea by investigating the source code of this project?

    Hi Julian,
I am using that only. Can you provide some help on how I can connect using the Chrome WebSocket plugin? I mean, what URL should I use? That might clarify my query.

My objective in using C# is to see whether I can get notifications from outside without logging into my local NodeBB application.


  • 0 Votes
    3 Posts

    Yeah, events.js seems like it should contain the functionality for this. It currently only logs UID, but a lot of those functions should probably log the IP of the triggering party as well.

    It seems like the only way to do that is to have IP be a parameter for most of those calls. That's a little tedious.

My fantasy: events are logged to the db as well as a flat file, have severity/importance levels, contain as much info as possible about who triggered them if the logging fn is passed a socket or request object, there are hooks for events of high severity, and by default an email or notification is sent to admins when a high-sev event occurs.
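The design sketched in the post above (log uid and IP from whichever socket or request object the caller has, attach a severity, and fire hooks for high-severity events), as an added example. This is not NodeBB's events.js or any code from the thread; the socket and request shapes are assumed and modelled loosely on socket.io and Express, and all inputs are constructed inline. The one security detail the comments flag: the actor's uid is taken only from what the server attached at authentication time, and the IP only from the transport peer address, never from a client-controlled header.

```javascript
// Added example (not NodeBB code): an audit-event log that records who
// triggered an action, taking the actor from a socket or request object
// rather than requiring every caller to pass uid and ip by hand.
//
// Assumed object shapes (hypothetical, modelled on socket.io and Express):
//   socket: { uid, handshake: { address } }  uid set server-side at auth time
//   req:    { uid, ip, headers }             uid set server-side by session middleware

const SEVERITY = { low: 0, medium: 1, high: 2 };

// Extract actor identity from whichever context object the caller has.
// Only transport-level facts are used: the uid the server attached after
// authentication and the peer address. Client-controlled headers such as
// X-Forwarded-For are deliberately ignored here; trust them only behind a
// reverse proxy you control, after configuring the framework's proxy trust.
function actorFromContext(ctx) {
  if (ctx && ctx.handshake) {            // socket.io-style socket
    return { uid: Number(ctx.uid) || 0, ip: ctx.handshake.address || null };
  }
  if (ctx && ctx.headers) {              // Express-style request
    return { uid: Number(ctx.uid) || 0, ip: ctx.ip || null };
  }
  return { uid: 0, ip: null };           // system or unknown origin
}

class EventLog {
  constructor() {
    this.entries = [];   // stand-in for the db / flat-file sinks
    this.hooks = [];     // called for every high-severity event
  }

  onHighSeverity(fn) { this.hooks.push(fn); }

  // Record an event. `severity` must be one of low|medium|high.
  log(type, ctx, severity = 'low', data = {}) {
    if (!(severity in SEVERITY)) {
      throw new Error(`unknown severity: ${severity}`);
    }
    const { uid, ip } = actorFromContext(ctx);
    const entry = { type, uid, ip, severity, data, timestamp: Date.now() };
    this.entries.push(entry);
    if (SEVERITY[severity] >= SEVERITY.high) {
      for (const hook of this.hooks) hook(entry);
    }
    return entry;
  }

  bySeverity(level) { return this.entries.filter(e => e.severity === level); }
}

// Demonstration on constructed inputs (no real sockets or requests).
function demo() {
  const events = new EventLog();
  const alerts = [];
  events.onHighSeverity(e => alerts.push(`${e.type} by uid ${e.uid} from ${e.ip}`));

  // Constructed sample contexts. The forged X-Forwarded-For must not win.
  const fakeSocket = { uid: 42, handshake: { address: '203.0.113.5' } };
  const fakeReq = { uid: 0, ip: '198.51.100.9', headers: { 'x-forwarded-for': '10.0.0.1' } };

  events.log('user.delete', fakeSocket, 'high', { targetUid: 7 });
  events.log('login.fail', fakeReq, 'medium', { username: 'admin' });
  events.log('settings.view', fakeReq);

  return { events, alerts };
}
```

Callers that only have a uid (background jobs, CLI tools) pass no context and are recorded as uid 0 with no IP, which is itself useful information when reviewing the log. Wiring the high-severity hook to email or an admin notification is left to the integrator.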

  • 4 Votes
    10 Posts

    Sounds like great news, looking forward to seeing NodeBB bloom using it 🙂