How to fix BREACH security exploit

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
x-rated
Registered User
Posts: 25
Joined: Mon Dec 29, 2014 2:52 pm
Location: Prague

How to fix BREACH security exploit

Post by x-rated » Sat Feb 24, 2018 10:08 pm

Hello, I did an SSL test on my forum with all extensions disabled, but the BREACH exploit is detected.
Link to the result: https://ssl.arodax.com/07cc72020a4c39fd9d40386a10acf46d (or do a new test for centriozone.cz)
When all extensions are enabled, the result is the same.
This is not a webhosting issue, because on the same webhosting with an Invision forum there is no such exploit detected (upczone.cz https://ssl.arodax.com/2efada2efd173d208a0b18116e9e3a8f).
Is there a way to fix that? In the forum settings I have gzip compression disabled.
BTW, this exploit is on phpbb.com too: https://ssl.arodax.com/79bd84edc4c9389794417eea27c52700

Mick
Support Team Member
Posts: 19312
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: How to fix BREACH security exploit

Post by Mick » Sun Feb 25, 2018 8:38 am

In my experience these security checkers generally throw up non-existent issues. If it were the case that there was a common breach in phpBB we would be getting users shouting right, left and centre, and we're not, but we shall see.

If your board has been hacked and you'd like our team to have an in-depth look at it, please do the following before making any modifications to your board (this includes changing passwords, editing files, running the Support Toolkit, etc.):
  1. Save an archive file comprising copies of all the files (this can be done by creating a zip or tarball of the files).
  2. Save a copy of the database.
  3. Save the server access logs for the time of the hack (they may be available in the “logs” directory on the server, in your host’s control panel or only by request directly from your host).
  4. File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download.
And/or please fill out the Support Request Template and post it back here to enable us to assist you better.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

Marc
Development Team Leader
Posts: 5290
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Re: How to fix BREACH security exploit

Post by Marc » Sun Feb 25, 2018 9:36 am

While tests like the one mentioned are helpful for doing basic checks of the server setup, it's also important to understand what each of these means. The BREACH exploit is a server-side and browser-side issue. It's unrelated to the software being used.

In fact, the reason why there is a difference between the two sites you used to compare is that upczone.cz forces users to www.upczone.cz while centriozone.cz does not do such a thing. It's therefore fooling the test, and this actually shows why one should know how to employ those types of tests.

The point at which software comes into play, however, is the mitigation of the attack itself. TLS currently does not have a proper mitigation in place yet (something that might change with TLS 1.3). As Qualys, for example, suggests, the best mitigation for now is using CSRF tokens, which phpBB has been using for a long time (see https://blog.qualys.com/ssllabs/2013/08 ... ach-attack).
Quickedit for phpBB 3.1
I'm available for custom work - just send me a PM for a quote.
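To make the server-side part of Marc's point concrete, here is an added example (not phpBB's code, and not from the thread): a model of a compressed page that contains a hidden form token next to user-controlled text echoed back, showing why a token that is identical in every response is what the compression side channel keys on, and the per-response XOR masking of the token that the BREACH authors recommended as a software-level mitigation. The token value and the page template are constructed for the demo.

```python
import hmac
import secrets
import zlib

# Constructed demo value (not a real phpBB token); in practice it lives in the session.
SECRET_TOKEN = bytes.fromhex("3f9a1c7e5b2d4e6f8a0b9c1d2e3f4a5b")

# Stand-in for a forum form response: a hidden form token plus user-controlled
# text reflected into the same gzip/deflate-compressed body.
TEMPLATE = ("<form><input type='hidden' name='form_token' value='{token}'></form>"
            "<p>You searched for: {echo}</p>")

def compressed_size(token_field: str, echoed: str) -> int:
    """Length of the DEFLATE body a client would receive for this response."""
    body = TEMPLATE.format(token=token_field, echo=echoed).encode()
    return len(zlib.compress(body, 6))

def static_token_leaks() -> bool:
    """With the same token in every response, reflected text that repeats part of
    the token is encoded as a back-reference and the body gets smaller than with
    unrelated text of equal length. That size difference is the side channel."""
    tok = SECRET_TOKEN.hex()
    matching = compressed_size(tok, tok[:10])
    unrelated = compressed_size(tok, "QWERTYUIOP")  # same length, no shared bytes
    return matching < unrelated

def mask_token(token: bytes) -> str:
    """Per-response masking: emit pad || (token XOR pad) with a fresh random pad,
    so the bytes placed in the page never repeat between responses and there is
    no fixed string for reflected text to partially match."""
    pad = secrets.token_bytes(len(token))
    masked = bytes(t ^ p for t, p in zip(token, pad))
    return (pad + masked).hex()

def verify_masked_token(submitted: str, expected: bytes) -> bool:
    """Server side on form submit: strip the pad, then compare in constant time."""
    try:
        blob = bytes.fromhex(submitted)
    except ValueError:
        return False
    if len(blob) != 2 * len(expected):
        return False
    pad, masked = blob[:len(expected)], blob[len(expected):]
    recovered = bytes(m ^ p for m, p in zip(masked, pad))
    return hmac.compare_digest(recovered, expected)
```

The masked form still verifies against the one session secret, so it drops in wherever the token is rendered and checked; disabling compression or keeping reflected input and secrets in separate responses are the other options from the Qualys list.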

x-rated
Registered User
Posts: 25
Joined: Mon Dec 29, 2014 2:52 pm
Location: Prague

Re: How to fix BREACH security exploit

Post by x-rated » Sun Feb 25, 2018 9:56 am

Marc wrote:
Sun Feb 25, 2018 9:36 am
In fact, the reason why there is a difference between the two sites you used to compare is that upczone.cz forces users to www.upczone.cz while centriozone.cz does not do such a thing. It's therefore fooling the test, and this actually shows why one should know how to employ those types of tests.
That was it :D, thank you.
https://ssl.arodax.com/5747e1eb5f0f34b5bf8d63c74f321767
The rest is related to the webhosting (some old unsafe ciphers).
