Compatibility with CSP (Content Security Policy)?

david63
Jr. Extension Validator
Posts: 15050
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: Compatibility with CSP (Content Security Policy)?

Post by david63 » Sun Feb 11, 2018 2:25 am

Rogerjwilkinson wrote:
Sun Feb 11, 2018 2:07 am
I'm just wondering if it's on the development radar at all,
I have no idea, but if you want to ensure that it is brought to the attention of the developers then you should create a ticket in the Bug Tracker on Area51, linking back to this topic.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Rogerjwilkinson
Registered User
Posts: 33
Joined: Wed Jan 17, 2018 2:42 pm

Re: Compatibility with CSP (Content Security Policy)?

Post by Rogerjwilkinson » Sun Feb 11, 2018 2:26 am

Ahh excellent, thank you very much for the tip. I will do this now.

dbj
Registered User
Posts: 18
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj » Sun Feb 11, 2018 10:11 am

Please also link the issue you created here :)

stevemaury
Support Team Member
Posts: 49734
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Compatibility with CSP (Content Security Policy)?

Post by stevemaury » Sun Feb 11, 2018 8:10 pm

If the structure of phpBB and its use of internal scripts makes it vulnerable, and since there are perhaps a million phpBB installations, why have there been no exploits?
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. PM or email me.

All unsolicited PMs will be ignored.

dbj
Registered User
Posts: 18
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj » Sun Feb 11, 2018 8:14 pm

stevemaury wrote:
Sun Feb 11, 2018 8:10 pm
If the structure of phpBB and its use of internal scripts makes it vulnerable, and since there are perhaps a million phpBB installations, why have there been no exploits?
That's some basic research you could have done yourself:

https://www.google.de/search?q=phpbb+xss

CSP makes XSS impossible.

Lumpy Burgertushie
Registered User
Posts: 65310
Joined: Mon May 02, 2005 3:11 am

Re: Compatibility with CSP (Content Security Policy)?

Post by Lumpy Burgertushie » Sun Feb 11, 2018 10:10 pm

the point is that phpbb3 has not had an xss vulnerability since it came out.
if it was there, I guarantee that someone would have exploited it by now.
not saying it couldn't happen in the future.

that link you posted does not show any verified problems since 3.0 came out.
most of those links are to either phpbb 2.0 problems or they were later found to not be true etc.

the team here works very hard to make sure that there are no security problems before they release anything.

just relax and enjoy your board with the knowledge that the very qualified team here at phpbb.com are looking out for you.

robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

OK, so what's the speed of dark?

stevemaury
Support Team Member
Posts: 49734
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Compatibility with CSP (Content Security Policy)?

Post by stevemaury » Sun Feb 11, 2018 10:55 pm

As this is not a phpBB support topic, I am moving it to phpBB Discussion .

dbj
Registered User
Posts: 18
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj » Sun Feb 11, 2018 11:42 pm

Lumpy Burgertushie wrote:
Sun Feb 11, 2018 10:10 pm
the point is that phpbb3 has not had a xss vulnerability since it came out.
if it was there, I guarantee that someone would have exploited it by now.
not saying it couldn't happen in the future.

that link you posted does not show any verified problems since 3.0 came out.
most of those links are to either phpbb 2.0 problems or they were later found to not be true etc.
Did you even bother to click on the link I posted?

Ok, look at this: viewtopic.php?f=14&t=2270766

I will copy the relevant part: "Firstly, despite our best efforts and a full security audit of the 3.1 codebase by SektionEins, Dingjie Yang of Qualys, Inc. discovered an XSS vulnerability that may be utilized against users of older browsers."

Highlighting by me.

Oh, and here is another one: https://cve.mitre.org/cgi-bin/cvename.c ... -2015-1431

"Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB before 3.0.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to "Relative Path Overwrite.""

Do you want to stick with your statement that phpBB never had any problems with XSS?
Lumpy Burgertushie wrote:
Sun Feb 11, 2018 10:10 pm
not saying it couldn't happen in the future.
That's funny. So which one do you pick:
- Wait until there is an XSS vulnerability that is publicly known and exploited, then fix it
- Deploy CSP and never worry about XSS again

For me it's not a hard choice.

Lumpy Burgertushie
Registered User
Posts: 65310
Joined: Mon May 02, 2005 3:11 am

Re: Compatibility with CSP (Content Security Policy)?

Post by Lumpy Burgertushie » Mon Feb 12, 2018 12:07 am

yep, I clicked on it and read almost the whole page of links. otherwise I would not have known that most of them were about phpbb 2.0 and the others were usually things that turned out not to be true or at least not a real problem.

these reports show up all the time that turn out to be not accurate.

It is interesting that you left out the relevant part of the post you linked to from naderman here:
naderman wrote: Our tests indicate that this does not seem to affect major browsers released after 2009, making all browsers officially supported by phpBB 3.1 immune and around 99.9% of phpBB.com visitors unaffected. Nevertheless, we are not taking any chances and urge everyone to update. Thanks to Mr. Yang for bringing this to our attention.
I am not trying to talk you or anyone else out of using this or other things to help protect their boards.
however, you come across like you think phpbb has all types of vulnerabilities and that the creators of it don't know what they are doing.

that is simply not true.

ok, I am out of this one. I did not mean to step on your toes about this, I know you are just trying to help.

thanks,
robert

JustChise
Registered User
Posts: 73
Joined: Thu Oct 30, 2014 4:56 am

Re: Compatibility with CSP (Content Security Policy)?

Post by JustChise » Wed Jun 20, 2018 1:02 am

Sorry to revive this old topic but I have a different question regarding CSP. I am trying to implement a site-wide CSP by whitelisting domains that are able to run scripts, i.e. execute java or php or whatever. I found that while implementing my policy, I broke some of the phpbb functionality. My question is what specific outside libraries/sources does PHP call/use to implement primarily its AJAX functionality and I guess maybe some of the fontawesome stuff? I saw what someone mentioned above about the AJAX stuff but was wondering if there was anything else I need to make sure I whitelist?

AmigoJack
Registered User
Posts: 5384
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Compatibility with CSP (Content Security Policy)?

Post by AmigoJack » Wed Jun 20, 2018 6:52 am

I wrote that already. Java is no scripting language; PHP can't be executed locally.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

JustChise
Registered User
Posts: 73
Joined: Thu Oct 30, 2014 4:56 am

Re: Compatibility with CSP (Content Security Policy)?

Post by JustChise » Wed Jun 20, 2018 7:02 am

AmigoJack wrote:
Wed Jun 20, 2018 6:52 am
I wrote that already. Java is no scripting language; PHP can't be executed locally.
Right, but that specifically said 3.1. Sorry, I meant for 3.2. I imagine it's probably the same but just wanted to confirm.

AmigoJack
Registered User
Posts: 5384
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Compatibility with CSP (Content Security Policy)?

Post by AmigoJack » Wed Jun 20, 2018 8:45 am

3.2 might (based on its settings) additionally want to embed http://active.macromedia.com/, http://fonts.googleapis.com/ and http://ghbtns.com/. However, the whole sense of CSP is to interfere, so just use your board until you encounter a denial and then act upon it (after all, CSP can also trigger a notification).
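The report-driven approach AmigoJack describes, as an added example that is not code from this thread or from phpBB: a starting policy built from the hosts named above, serialised into a header value, plus a summariser for the violation reports a browser POSTs to report-uri, run here over constructed sample reports. The /csp-report endpoint and the directive each host is placed under are assumptions.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Starting policy for a phpBB 3.2 board: its own origin plus the third-party
# hosts named in the thread. Which directive each host belongs under is an
# assumption here; the report loop below shows what the board really loads.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://ghbtns.com"],
    "style-src": ["'self'", "https://fonts.googleapis.com"],
    "frame-src": ["'self'", "https://ghbtns.com"],
    "object-src": ["'self'", "https://active.macromedia.com"],
    "report-uri": ["/csp-report"],  # hypothetical endpoint that logs reports
}

def build_header(policy):
    """Serialise directive->sources into a CSP header value. Ship it first as
    Content-Security-Policy-Report-Only so nothing breaks while you collect reports."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

def summarize_reports(report_lines):
    """Count (directive, blocked origin) pairs from violation reports, one JSON
    document per line as browsers POST them. Inline script appears as "inline"."""
    counts = Counter()
    for line in report_lines:
        rep = json.loads(line).get("csp-report", {})
        # effective-directive is the bare name; violated-directive may carry sources
        directive = (rep.get("effective-directive")
                     or rep.get("violated-directive", "?")).split()[0]
        blocked = rep.get("blocked-uri", "")
        if "://" in blocked:  # reduce a full URL to its origin
            parts = urlsplit(blocked)
            blocked = f"{parts.scheme}://{parts.netloc}"
        counts[(directive, blocked)] += 1
    return dict(counts)

# Constructed sample reports, not real browser output.
SAMPLE_REPORTS = [
    '{"csp-report":{"document-uri":"https://forum.example/viewtopic.php","effective-directive":"font-src","blocked-uri":"https://fonts.gstatic.com/s/opensans/a.woff2"}}',
    '{"csp-report":{"document-uri":"https://forum.example/viewtopic.php","effective-directive":"font-src","blocked-uri":"https://fonts.gstatic.com/s/opensans/b.woff2"}}',
    '{"csp-report":{"document-uri":"https://forum.example/index.php","violated-directive":"script-src \'self\' https://ghbtns.com","blocked-uri":"inline"}}',
]

if __name__ == "__main__":
    print(build_header(POLICY))
    for (directive, origin), n in sorted(summarize_reports(SAMPLE_REPORTS).items()):
        print(f"{n:3d}  {directive:12s} {origin}")
```

Each (directive, origin) pair the summary turns up is a decision: add the origin to that directive if the board legitimately needs it, otherwise leave it blocked once the header is switched from Report-Only to enforcing.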

JustChise
Registered User
Posts: 73
Joined: Thu Oct 30, 2014 4:56 am

Re: Compatibility with CSP (Content Security Policy)?

Post by JustChise » Wed Jun 20, 2018 2:21 pm

Thanks AmigoJack.
