Security

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Scottish2
Registered User
Posts: 124
Joined: Sun Mar 04, 2007 3:00 pm

Security

Post by Scottish2 » Thu Jan 17, 2019 9:46 pm

Hi

The other day I found I had to install my Security Certificate to secure my website; I did not realize I had to do it manually.

Anyways I did that and got the website secured, but today I noticed the forum was giving me a security alert. Below is the screenshot indicating what the alert was.

Image

Is there a fix for this or is this always going to be this way??

Thanks
Dave

janus_zonstraal
Registered User
Posts: 3221
Joined: Sat Aug 30, 2014 1:30 pm

Re: Security

Post by janus_zonstraal » Thu Jan 17, 2019 10:02 pm

You have to search which parts (mostly images) are not coming from a secured url.

This one for example
http://dirtydozen2-0.com/wp-content/the ... attern.png
Sorry! My English is bat ;) !!!

Scottish2
Registered User
Posts: 124
Joined: Sun Mar 04, 2007 3:00 pm

Re: Security

Post by Scottish2 » Thu Jan 17, 2019 11:02 pm

So is it really a security issue if it is mostly images as indicated? I know the site is secure as my hosting support confirmed this the other day; it just seems to be mostly images. If it's not really an issue then I might not bother dealing with it. I know the forum itself is blocked to guests except one forum topic, that being rules.

janus_zonstraal
Registered User
Posts: 3221
Joined: Sat Aug 30, 2014 1:30 pm

Re: Security

Post by janus_zonstraal » Thu Jan 17, 2019 11:12 pm

Just change the url from that image and you will get the green lock.
Make it https://dirtydozen2-0.com/wp-content/themes/contango/images/bg-pattern.png
Sorry! My English is bat ;) !!!

Scottish2
Registered User
Posts: 124
Joined: Sun Mar 04, 2007 3:00 pm

Re: Security

Post by Scottish2 » Fri Jan 18, 2019 12:59 am

Right, but even after changing the URL for the forum link on my blog from HTTP to HTTPS and then using the new link to the forums, the same issue happens: when I go into the forums it still shows unsecure, even with the HTTPS in the forums.

janus_zonstraal
Registered User
Posts: 3221
Joined: Sat Aug 30, 2014 1:30 pm

Re: Security

Post by janus_zonstraal » Fri Jan 18, 2019 7:16 am

You have to change only the url from the image you are using for the background of the headerbar.

Code:

.headerbar {
    background-image: url("http://dirtydozen2-0.com/wp-content/themes/contango/images/bg-pattern.png");
    /* rest of the rule not shown */
}

You find it in the https://www.dirtydozen2-0.com/phpbb/sty ... .css?v=3.2

Line 92
Sorry! My English is bat ;) !!!
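
The search for insecure parts described in the posts above can be automated. The following is an added example, not part of any post in this thread: it lists the http:// subresources a page would load (images, scripts, stylesheets, CSS url() references) and skips plain text links. The hosts in SAMPLE_HTML are constructed placeholders; only the .headerbar rule comes from the thread.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource. <a href> is
# left out on purpose: a text link to an http:// page is not mixed content.
FETCHING_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "source": "src", "audio": "src", "video": "src"}
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.IGNORECASE)

class MixedContentFinder(HTMLParser):
    """Collects (where, url) pairs for http:// subresources in a page."""
    def __init__(self):
        super().__init__()
        self.found, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCHING_ATTRS.get(tag, ""))
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url = attrs.get("href")
        if url and url.lower().startswith("http://"):
            self.found.append((tag, url))
        # Inline style="" attributes can pull in background images too.
        for css_url in CSS_URL.findall(attrs.get("style") or ""):
            self.found.append((tag + "[style]", css_url))
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside a <style> element
            self.found += [("css", u) for u in CSS_URL.findall(data)]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.found

# The rule quoted in the thread, then a constructed page (placeholder hosts).
SAMPLE_CSS = ('.headerbar { background-image: url("http://dirtydozen2-0.com/'
              'wp-content/themes/contango/images/bg-pattern.png"); }')
SAMPLE_HTML = ('<a href="http://other.example/page">text link</a>\n'
               '<img src="http://images.example/logo.png">\n'
               '<link rel="stylesheet" href="https://forum.example/s.css">\n'
               '<style>' + SAMPLE_CSS + '</style>')
```

Calling find_mixed_content(SAMPLE_HTML) reports the image and the CSS background, but not the text link or the HTTPS stylesheet.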

AmigoJack
Registered User
Posts: 5574
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Security

Post by AmigoJack » Fri Jan 18, 2019 8:33 am

Scottish2 wrote (Thu Jan 17, 2019 9:46 pm):
"got the website secured"
janus_zonstraal wrote (Thu Jan 17, 2019 10:02 pm):
"a secured url"
Such things do not exist, and the screenshot even correctly informs about the connection, not the website. SSL is only about securing the transfer, neither your website, nor addresses.

Changing addresses from HTTP to HTTPS will only work if the corresponding servers support HTTPS at all.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

janus_zonstraal
Registered User
Posts: 3221
Joined: Sat Aug 30, 2014 1:30 pm

Re: Security

Post by janus_zonstraal » Fri Jan 18, 2019 3:48 pm

Quote: "Changing addresses from HTTP to HTTPS will only work if the corresponding servers support HTTPS at all."
:?:
It is his own server so the support is there.
Only change the url and it will work.
Sorry! My English is bat ;) !!!

John connor
Registered User
Posts: 2074
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Security

Post by John connor » Sat Jan 19, 2019 1:05 am

Poor advice removed by Community Team see viewtopic.php?p=15184251#p15184251

AmigoJack
Registered User
Posts: 5574
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Security

Post by AmigoJack » Mon Jan 21, 2019 8:55 am

janus_zonstraal wrote (Fri Jan 18, 2019 3:48 pm):
"It is his own server"
I was talking about referenced addresses - he has control over his own server, but not over others.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

janus_zonstraal
Registered User
Posts: 3221
Joined: Sat Aug 30, 2014 1:30 pm

Re: Security

Post by janus_zonstraal » Mon Jan 21, 2019 9:10 am

Quote: "I was talking about referenced addresses - he has control over his own server, but not over others."
It is mixed content from his own server, he has only to change the url, nothing more nothing less.
Of course I'm speaking over the index.php I didn't check all his other pages.
Sorry! My English is bat ;) !!!

thecoalman
Community Team Member
Posts: 3182
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Security

Post by thecoalman » Mon Jan 21, 2019 5:23 pm

John connor wrote (Sat Jan 19, 2019 1:05 am):
"and find all HTTP entries and change to HTTPS."
If you are giving advice like this you need to be aware of the consequences and make sure you advise the person you are telling to do this. Running such a general find and replace is never advisable and your suggestion has specific issues. Text links pointing to another site are irrelevant, and if they do not have an https site the user is now directed to a page with an SSL warning if they click the link. The other issue is with the embedded images: the site hosting the image may not have https and the user may get a warning about content from a site with an invalid certificate, which is worse than mixed content. As another example, someone that simply typed http in a post like I did right here.

Whenever you are going to run a find and replace you need to determine how the text is stored in the database and use a specific string for the find, e.g. if you were using bbcode code for youtube you might do something like find http://youtube.com/ replace with https://youtube.com/. Something like that should not cause any issues elsewhere and if there are any they will be minor.

The domain is wildcard for embedded images so you need some other specific string. Looking at the stock text for how images are embedded a simple find and replace is likely going to cause issues even with somewhat specific strings because they are likely used elsewhere. You can do this successfully using regexp_replace because you can use the entire string from start to finish with wildcards for the domain/URL but that gets complicated, research it.

Quote: "As I don't know phpmyadmin commands, I just opt for the Notepad ++ option."
This is a built-in function in phpMyAdmin. Open the database if it's not already open and select the phpbb_posts table. Click the search tab on the top; below the tabs click the button labeled find and replace. Enter your find and replace text and select the post_text table. When you click the go button it should give you a preview where you can proceed with carrying out the operation.

As above you need to be very careful, finding cat and replacing it with dog is going to result in catastrophe being turned into dogastrophe.
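
The difference between a blunt replace and a replace anchored on the whole embedded-image string, with a preview of what would change, can be seen in the following added example, which is not part of the post above. It assumes images are stored as plain [img]URL[/img] and that HTTPS_OK_HOSTS lists hosts already confirmed to serve HTTPS; both, and the sample post, are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the admin has confirmed serve the same files over HTTPS
# with a valid certificate. Placeholder names, not taken from the thread.
HTTPS_OK_HOSTS = {"images.example", "www.images.example"}

# Assumption: images are stored as plain [img]URL[/img]; check how your
# board really stores post text and adapt the pattern before relying on it.
IMG_TAG = re.compile(r"(\[img\])(http://[^\s\[\]]+)(\[/img\])", re.IGNORECASE)


def upgrade_embedded_images(post_text, https_hosts=HTTPS_OK_HOSTS):
    """Return (new_text, changed_urls); only allowlisted image hosts change."""
    changed = []

    def repl(m):
        url = m.group(2)
        host = (urlsplit(url).hostname or "").lower()
        if host not in https_hosts:
            return m.group(0)  # unknown host: leave the embed untouched
        changed.append(url)    # doubles as the preview list
        return m.group(1) + "https://" + url[len("http://"):] + m.group(3)

    return IMG_TAG.sub(repl, post_text), changed


def blunt_replace(post_text):
    """The global find and replace, shown only for comparison."""
    return post_text.replace("http://", "https://")


# Constructed sample post (not from the thread).
SAMPLE_POST = (
    "Type http:// in front of the address.\n"
    "[url]http://old-site.example/page[/url]\n"
    "[img]http://images.example/cat.png[/img]\n"
    "[img]http://no-tls.example/dog.png[/img]"
)
```

On SAMPLE_POST the targeted version rewrites one embed and reports it, while blunt_replace rewrites all four occurrences, including the typed text and the link to another site.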

Mick
Support Team Member
Posts: 21087
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - definitely

Re: Security

Post by Mick » Mon Jan 21, 2019 9:38 pm

thecoalman wrote (Mon Jan 21, 2019 5:23 pm):
". . . and make sure you advise the person you are telling to do this"
And don't forget to have a known good database backup before you start any shenanigans.
"The more connected we get the more alone we become" - Kyle Broflovski

John connor
Registered User
Posts: 2074
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Security

Post by John connor » Tue Jan 22, 2019 11:05 am

I'm just going to go ahead and requote what I said bolding the pertinent.


Quote: "Another very primitive, but crude way of doing this would be to download your database SQL file, open it with Notepad ++ and find all HTTP entries and change to HTTPS. Then reupload the newly changed database file in phpmyadmin. Of course keep an original backup first before you do anything. This really isn't recommended, but I have done similar things with my database and Notepad ++. Ideally you'd run a SQL command in phpmyadmin. Someone here could tell you what command it is that you need to use. As I don't know phpmyadmin commands, I just opt for the Notepad ++ option."
I merely mentioned the use of Notepad++ since I used it a couple times for search and replace when I changed domains a few times. I made sure to note that it wasn't recommended and that phpMyadmin should be used, but someone here would have to give out the right command. Reading your response I see now the search and replace isn't as straightforward as I would have thought.

thecoalman
Community Team Member
Posts: 3182
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Security

Post by thecoalman » Tue Jan 22, 2019 3:32 pm

John connor wrote (Tue Jan 22, 2019 11:05 am):
"I'm just going to go ahead and requote what I said bolding the pertinent."
People are coming here for advice and need to fully understand the consequences of their actions. I've probably made all the mistakes you can when dealing with a database; however, they were on me, I wasn't offering them up in a support forum. If you are unsure or unfamiliar with the advice you are offering you should probably just keep it to yourself unless you are posing it as a question.

Quote: "I merely mentioned the use of Notepad++ since I used it a couple times for search and replace when I changed domains a few times. I made sure to note that it wasn't recommended and that phpMyadmin should be used, but someone here would have to give out the right command. Reading your response I see now the search and replace isn't as straightforward as I would have thought."
It makes no difference whether it's Notepad++ or phpMyadmin, the issues I outlined apply to both equally. Find and replace is a blunt tool and needs to be used with caution no matter where you are using it. To elaborate a little more you can refine your cat string by adding a space before and after it. This however does not account for occurrences that have punctuation immediately before or after and other things like text used by phpBB for parsing, etc.
