[Question] Obtaining site information

[Random American]

Just had a quick look and one immediate problem I noticed is the cookie: Secure is set to False but SameSite is set to None. I thought that was changed sometime last year. Anyway the cookie is rejected after a second clickthrough.
cookiedomain is missing the leading dot also.

Site is running op php 5.5 > time to change host? or at least upgrade the software on the server

Got a warning about: The character encoding of the HTML document was not declared. Not sure how that is possible. Never before have I encountered that.
The files are version 3.2.2 and I can't see phpBB being the cause

Hi. I hope you don't mind that I quote you here, but I have a bit of a question.
This doesn't matter for me as I obviously don't participate in the Wanted! forum (with the exception of the comments I made today as everyone was impatient with that guy for not instantly replying), but may I ask how you obtain that information? It seems to me to be a good skill to have, and I'm here to learn.

Thanks.

[AbaddonOrmuz]

The easiest way is to use curl:

Code: Select all

curl -IL "https://example.com"

Or if the server does not allow HEAD requests (like phpbb.com), you can send a GET request (-X GET):

Code: Select all

curl -ILX GET "https://example.com"

Which will return the headers where you can get that information:



The phpBB version can be guessed from the style.cfg file from the prosilver style, however it's not a reliable way to know which phpBB version a site is running.

[Random American]

Thanks man. I appreciate it.

[P_I]

Which will return the headers where you can get that information

That's a poorly configured server. Properly configured and secured, the Server information won't reveal version information like that.

Checking here:

Code: Select all

curl -ILX GET https://www.phpbb.com/community/

Returns:

Code: Select all

HTTP/1.1 200 OK
Date: Thu, 03 Dec 2020 03:47:55 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: phpbb3_1fh61_u=1; expires=Sat, 02-Jan-2021 03:47:55 GMT; path=/; domain=.phpbb.com; secure; HttpOnly
Set-Cookie: phpbb3_1fh61_k=; expires=Sat, 02-Jan-2021 03:47:55 GMT; path=/; domain=.phpbb.com; secure; HttpOnly
Set-Cookie: phpbb3_1fh61_sid=77457b598277c3d55540d9755622608c; expires=Sat, 02-Jan-2021 03:47:55 GMT; path=/; domain=.phpbb.com; secure; HttpOnly
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Referrer-Policy: strict-origin-when-cross-origin
Pragma: no-cache
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Notice the Server information doesn't give up version information.

Your browser DevTools will reveal the same information in the Network tab by looking at first request and reply.

Another method to double-check the phpBB version, check the docs/CHANGELOG.html, i.e. docs/CHANGELOG.html

[AbaddonOrmuz]

That's a poorly configured server. Properly configured and secured, the Server information won't reveal version information like that.

Obviously I only answered how to get that information (without server access), the intention was not to discuss security hardening best practices, of a server that's not even mine.

[P_I]

That's a poorly configured server. Properly configured and secured, the Server information won't reveal version information like that.

Obviously I only answered how to get that information (without server access), the intention was not to discuss security hardening best practices, of a server that's not even mine.

Totally agree with you.

I was trying to point out that the information below shouldn't be attainable without asking the board admin.

Site is running op php 5.5 > time to change host? or at least upgrade the software on the server

Generally getting the server's PHP version is difficult with the board admin providing the information.