Compatibility with CSP (Content Security Policy)?

david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by david63 »

Rogerjwilkinson wrote (Sun Feb 11, 2018 2:07 am): I'm just wondering if it's on the development radar at all,
I have no idea, but if you want to ensure that it is brought to the attention of the developers then you should create a ticket in the Bug Tracker on Area51, linking back to this topic.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
Rogerjwilkinson
Registered User
Posts: 33
Joined: Wed Jan 17, 2018 2:42 pm

Re: Compatibility with CSP (Content Security Policy)?

Post by Rogerjwilkinson »

Ahh excellent, thank you very much for the tip. I will do this now.
dbj
Registered User
Posts: 74
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj »

Please also link the issue you created here :)
stevemaury
Support Team Member
Posts: 52768
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Compatibility with CSP (Content Security Policy)?

Post by stevemaury »

If the structure of phpBB and its use of internal scripts makes it vulnerable, and since there are perhaps a million phpBB installations, why have there been no exploits?
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
dbj
Registered User
Posts: 74
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj »

stevemaury wrote (Sun Feb 11, 2018 8:10 pm): If the structure of phpBB and its use of internal scripts makes it vulnerable, and since there are perhaps a million phpBB installations, why have there been no exploits?
That's some basic research you could have done yourself:

https://www.google.de/search?q=phpbb+xss

CSP makes XSS impossible.
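Whether a policy actually stops injected script depends on what `script-src` allows: a header that includes `'unsafe-inline'` or a wildcard source still runs whatever is injected into the page. The following Python linter is an added example, not code from this thread or from phpBB; it parses a Content-Security-Policy header and reports the settings that leave script execution open. The two sample policies are constructed for a board page, and the nonce value and the fonts.googleapis.com / ghbtns.com hosts in them are assumptions, not phpBB defaults.

```python
"""Added example, not code from the thread or from phpBB: parse a
Content-Security-Policy header and flag the script-src settings that
leave script injection possible. Sample policies are constructed."""
from typing import Dict, List

# Source expressions that re-enable inline or arbitrary-origin script.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive: [source expressions]}.
    Directives are separated by ';', sources by whitespace."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])  # the first occurrence of a directive wins
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src; with neither present, scripts are unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    if "default-src" in policy:
        return policy["default-src"]
    return ["*"]


def lint_csp(header: str) -> List[str]:
    """Return findings describing why the policy would not stop injected script."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: script execution is unrestricted")
        return findings
    sources = effective_script_sources(policy)
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    # so a policy carrying both (as a fallback for old browsers) is still strict in modern ones.
    has_nonce_or_hash = any(src.startswith(NONCE_OR_HASH_PREFIXES) for src in sources)
    for src in sources:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings


# Constructed sample policies for a board page. 'self' covers the board's own assets;
# the nonce value and the fonts/ghbtns hosts are assumptions, not phpBB defaults.
WEAK_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline' http://fonts.googleapis.com"
)
STRICT_POLICY = (
    "default-src 'self'; script-src 'self' 'nonce-c3BsYXQ'; "
    "style-src 'self' http://fonts.googleapis.com; frame-src http://ghbtns.com; "
    "object-src 'none'; base-uri 'self'"
)

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(label, lint_csp(policy) or ["no findings"])
```

Run it against the header your server actually sends (copy it from the browser's network panel) before relying on the policy; the nonce in `STRICT_POLICY` must be generated fresh per response and echoed into every `<script>` tag the templates emit, which is the part that requires template changes in the board itself.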
Lumpy Burgertushie
Registered User
Posts: 69224
Joined: Mon May 02, 2005 3:11 am

Re: Compatibility with CSP (Content Security Policy)?

Post by Lumpy Burgertushie »

The point is that phpbb3 has not had an XSS vulnerability since it came out.
If it was there, I guarantee that someone would have exploited it by now.
Not saying it couldn't happen in the future.

That link you posted does not show any verified problems since 3.0 came out.
Most of those links are to either phpbb 2.0 problems or they were later found to not be true, etc.

The team here works very hard to make sure that there are no security problems before they release anything.

Just relax and enjoy your board with the knowledge that the very qualified team here at phpbb.com are looking out for you.

robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
stevemaury
Support Team Member
Posts: 52768
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Compatibility with CSP (Content Security Policy)?

Post by stevemaury »

As this is not a phpBB support topic, I am moving it to phpBB Discussion .
dbj
Registered User
Posts: 74
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj »

Lumpy Burgertushie wrote (Sun Feb 11, 2018 10:10 pm): The point is that phpbb3 has not had an XSS vulnerability since it came out.
If it was there, I guarantee that someone would have exploited it by now.
Not saying it couldn't happen in the future.

That link you posted does not show any verified problems since 3.0 came out.
Most of those links are to either phpbb 2.0 problems or they were later found to not be true, etc.
Did you even bother to click on the link I posted?

Ok, look at this: viewtopic.php?f=14&t=2270766

I will copy the relevant part: "Firstly, despite our best efforts and a full security audit of the 3.1 codebase by SektionEins, Dingjie Yang of Qualys, Inc. discovered an XSS vulnerability that may be utilized against users of older browsers."

Highlighting by me.

Oh, and here is another one: https://cve.mitre.org/cgi-bin/cvename.c ... -2015-1431

"Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB before 3.0.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to "Relative Path Overwrite.""

Do you want to stick with your statement that phpBB never had any problems with XSS?
Lumpy Burgertushie wrote (Sun Feb 11, 2018 10:10 pm): Not saying it couldn't happen in the future.
That's funny. So which one do you pick:
- Wait until there is an XSS vulnerability that is publicly known and exploited, then fix it
- Deploy CSP and never worry about XSS again

For me it's not a hard choice.
Lumpy Burgertushie
Registered User
Posts: 69224
Joined: Mon May 02, 2005 3:11 am

Re: Compatibility with CSP (Content Security Policy)?

Post by Lumpy Burgertushie »

Yep, I clicked on it and read almost the whole page of links. Otherwise I would not have known that most of them were about phpbb 2.0 and the others were usually things that turned out not to be true or at least not a real problem.

These reports show up all the time that turn out to be not accurate.

It is interesting that you left out the relevant part of the post you linked to from naderman here:
naderman wrote: Our tests indicate that this does not seem to affect major browsers released after 2009, making all browsers officially supported by phpBB 3.1 immune and around 99.9% of phpBB.com visitors unaffected. Nevertheless, we are not taking any chances and urge everyone to update. Thanks to Mr. Yang for bringing this to our attention.
I am not trying to talk you or anyone else out of using this or other things to help protect their boards.
However, you come across like you think phpbb has all types of vulnerabilities and that the creators of it don't know what they are doing.

That is simply not true.

OK, I am out of this one. I did not mean to step on your toes about this, I know you are just trying to help.

thanks,
robert
JustChise
Registered User
Posts: 95
Joined: Thu Oct 30, 2014 4:56 am

Re: Compatibility with CSP (Content Security Policy)?

Post by JustChise »

Sorry to revive this old topic but I have a different question regarding CSP. I am trying to implement a site-wide CSP by whitelisting domains that are able to run scripts, i.e. execute java or php or whatever. I found that while implementing my policy, I broke some of the phpbb functionality. My question is what specific outside libraries/sources does PHP call/use to implement primarily its AJAX functionality and I guess maybe some of the fontawesome stuff? I saw what someone mentioned above about the AJAX stuff but was wondering if there was anything else I need to make sure I whitelist?
AmigoJack
Registered User
Posts: 6113
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Compatibility with CSP (Content Security Policy)?

Post by AmigoJack »

I wrote that already. Java is not a scripting language; PHP can't be executed locally.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
JustChise
Registered User
Posts: 95
Joined: Thu Oct 30, 2014 4:56 am

Re: Compatibility with CSP (Content Security Policy)?

Post by JustChise »

AmigoJack wrote (Wed Jun 20, 2018 6:52 am): I wrote that already. Java is not a scripting language; PHP can't be executed locally.
Right but that specifically said 3.1. Sorry I meant for 3.2. I imagine it's probably the same but just wanted to confirm.
AmigoJack
Registered User
Posts: 6113
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Compatibility with CSP (Content Security Policy)?

Post by AmigoJack »

3.2 might (based on its settings) additionally want to embed http://active.macromedia.com/, http://fonts.googleapis.com/ and http://ghbtns.com/. However, the whole sense of CSP is to interfere, so just use your board until you encounter a denial and then act upon it (after all CSP can also trigger a notification).
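The "use your board until you encounter a denial and then act upon it" approach works best with the notification AmigoJack mentions: serve the policy as `Content-Security-Policy-Report-Only` with a `report-uri`, and the browser POSTs a JSON `csp-report` for every resource it would have blocked, without breaking the page. The script below is an added example, not code from this thread or from phpBB; it aggregates such reports into the allow-list additions the policy is missing. The four sample reports are constructed (the forum.example host is an assumption, and the fonts.googleapis.com / ghbtns.com hosts are the ones named in this thread, not a verified list of what phpBB 3.2 loads), including one in the older report dialect that lacks `effective-directive`.

```python
"""Added example, not code from the thread or from phpBB: aggregate the JSON
violation reports a browser POSTs to a CSP report-uri (or Report-Only policy)
and turn them into the allow-list additions the policy is missing. Reports
are constructed samples in the standard 'csp-report' shape."""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed reports, as a browser would send them for a board page running
# under Content-Security-Policy-Report-Only (hosts are assumptions).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://forum.example/viewtopic.php?t=1",
        "effective-directive": "style-src",
        "violated-directive": "style-src",
        "blocked-uri": "http://fonts.googleapis.com/css?family=Open+Sans",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://forum.example/index.php",
        "effective-directive": "style-src",
        "violated-directive": "style-src",
        "blocked-uri": "http://fonts.googleapis.com/css?family=Droid+Sans",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://forum.example/index.php",
        "effective-directive": "frame-src",
        "violated-directive": "frame-src",
        "blocked-uri": "http://ghbtns.com/github-btn.html?user=phpbb",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }}),
    # Older browsers omit effective-directive and put the full directive in violated-directive.
    json.dumps({"csp-report": {
        "document-uri": "https://forum.example/viewtopic.php?t=1",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }}),
]

Key = Tuple[str, str]  # (directive, source expression)


def blocked_source(blocked_uri: str) -> str:
    """Reduce blocked-uri to the source expression a policy would need:
    the origin for a URL, otherwise the keyword the browser used (inline, eval, data)."""
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "inline"  # an empty blocked-uri means an inline resource


def summarize_reports(raw_reports: Iterable[str]) -> Dict[Key, int]:
    """Count violations per (directive, source), tolerating both report dialects."""
    counts: Counter = Counter()
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        directive = report.get("effective-directive") or report["violated-directive"].split()[0]
        counts[(directive, blocked_source(report.get("blocked-uri", "")))] += 1
    return dict(counts)


def suggest_changes(counts: Dict[Key, int]) -> List[str]:
    """Turn counts into policy edits, most frequent first. Inline/eval blocks are
    reported as needing a nonce or hash rather than 'unsafe-inline'/'unsafe-eval',
    since those keywords would reopen the hole CSP is deployed to close."""
    ordered = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    suggestions = []
    for (directive, source), n in ordered:
        if source in ("inline", "eval"):
            suggestions.append(
                f"{directive}: {n} {source} violation(s); add a nonce or hash, not 'unsafe-{source}'"
            )
        else:
            suggestions.append(f"{directive}: add {source} ({n} report(s))")
    return suggestions


if __name__ == "__main__":
    for line in suggest_changes(summarize_reports(SAMPLE_REPORTS)):
        print(line)
```

Feed it the request bodies your `report-uri` endpoint has collected over a few days of normal use, then move each accepted origin into the enforced header; anything that still shows up afterwards (browser extensions and injected ads are common sources of noise) is worth reading individually before it is allowed.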
JustChise
Registered User
Posts: 95
Joined: Thu Oct 30, 2014 4:56 am

Re: Compatibility with CSP (Content Security Policy)?

Post by JustChise »

Thanks AmigoJack.