Security Configuration Settings

rizvinazish
Registered User
Posts: 2
Joined: Tue Nov 10, 2015 10:13 am

Security Configuration Settings

Post by rizvinazish »

Hi All
I got the following issues from my security department.
Unrestricted API Access/User Enumeration https://abc.com/memberlist.php?mode=vie ... &u={UserID}
Attacker can enumerate users by changing the userID value.

Unrestricted File Access
https://abc.com/download/file.php?mode=view&id={FileID}
Attacker can enumerate files by changing the id value.

Weak Cipher Algorithms:
3DES and SSLv3

Both need to be disabled on the server.

I tried to search for a solution on the forums, but no luck.
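The 3DES/SSLv3 finding is closed in the web server's TLS configuration, not in phpBB (on Apache the directives are SSLProtocol and SSLCipherSuite, on nginx ssl_protocols and ssl_ciphers). The example below, added here and not taken from the thread or from phpBB, models the same two settings with Python's ssl module so the result can be inspected: a protocol floor of TLS 1.2 (which refuses SSLv3 at the handshake) and a cipher list that contains no triple-DES suite, plus an audit function that lists any weak suite still negotiable. The marker strings and the cipher string are this example's own choices.

```python
import ssl

# OpenSSL names the triple-DES suites with "DES-CBC3" (e.g. ECDHE-RSA-DES-CBC3-SHA);
# "3DES" is the cipher-list keyword that selects them as a group. The extra markers
# catch other legacy suites an audit would also want to see flagged (example's choice).
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXPORT")


def hardened_server_context() -> ssl.SSLContext:
    """Server-side TLS context that cannot negotiate SSLv3 or any 3DES suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol floor: SSLv3, TLS 1.0 and TLS 1.1 are all refused at the handshake.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher policy: forward-secret AEAD suites only. "!3DES" is redundant with the
    # positive selection but records the scanner finding being closed on purpose.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!3DES")
    return ctx


def minimum_protocol_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will accept."""
    return ctx.minimum_version.name


def negotiable_cipher_names(ctx: ssl.SSLContext) -> list:
    """Cipher suites the context can actually offer, as OpenSSL names them."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> list:
    """Audit: any negotiable suite whose name carries a weak-cipher marker."""
    return [n for n in negotiable_cipher_names(ctx)
            if any(m in n for m in WEAK_CIPHER_MARKERS)]


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("minimum protocol:", minimum_protocol_name(ctx))
    print("weak suites still enabled:", weak_ciphers_enabled(ctx) or "none")
    for name in negotiable_cipher_names(ctx):
        print("  ", name)
```

The audit step is the part worth keeping: after changing a server's protocol and cipher settings, list what the resulting configuration can still negotiate rather than trusting the directive, since a cipher string that OpenSSL parses differently than expected fails silently.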
david63
Registered User
Posts: 17970
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: Security Configuration Settings

Post by david63 »

If you believe that you have found security issues you should post them in the Security Tracker (found under the Development tab above) and not on the board for all the world to see.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
3Di
Former Team Member
Posts: 15697
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Security Configuration Settings

Post by 3Di »

rizvinazish wrote:
Tue Mar 31, 2020 6:17 am
I got the following issues from my security department.
Unrestricted API Access/User Enumeration
And what can they do once they know how many users or files exist? It also seems to me that the number of users is available in online statistics so there is no need to make much effort. Certain techniques only serve to understand how interesting an eventual attack could be, which would surely fail anyway.
An attacker can use enumeration methods to get a picture of whether or how a target can respond to system hacking activities. Uncovering information on whether or how a defender can respond allows the attacker to modify their attack accordingly to make their activity more productive.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
:studio_microphone: Looking for a specific feature or alternative option?
Brf
Support Team Member
Posts: 52018
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}

Re: Security Configuration Settings

Post by Brf »

Yes. It is ridiculous to think that would be an attack. You can do the same thing with viewforum and viewtopic. Changing the IDs to view a different page is not an attack. Those altered page URLs still go through the same security to prevent viewing pages the user is not authorized to see.
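The point Brf makes here, and the reason the memberlist.php and download/file.php findings in the opening post are only a real weakness when the per-object authorization check is missing, is shown by the model below. It is an added example, not phpBB's code and not anything posted in the thread: the attachment table, the users and the forum ids are constructed, and the permission set is modelled loosely on phpBB's f_download forum permission (a real permission name; the data structures here are the example's own). A sequential id selects the row; the permission check on the row's forum decides whether it is served, and a missing id and a forbidden id get the same answer so walking the id space learns nothing beyond what the user may already read.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Attachment:
    attach_id: int
    forum_id: int          # the forum whose permissions govern this file
    real_filename: str


@dataclass(frozen=True)
class User:
    user_id: int
    download_forums: FrozenSet[int]   # forums where this user may download attachments


# Constructed sample data standing in for the attachments table.
ATTACHMENTS: Dict[int, Attachment] = {
    101: Attachment(101, forum_id=2, real_filename="meeting-notes.pdf"),
    102: Attachment(102, forum_id=7, real_filename="staff-only-budget.xlsx"),
    104: Attachment(104, forum_id=2, real_filename="logo.png"),
}

# Constructed sample users: a guest who may read forum 2 only, and a staff member.
GUEST = User(user_id=1, download_forums=frozenset({2}))
STAFF = User(user_id=2, download_forums=frozenset({2, 7}))


def serve_attachment(user: User, attach_id: int) -> Tuple[int, Optional[str]]:
    """Model of download/file.php?id=...: look the id up, then authorize on the
    owning forum. Returns (HTTP status, filename or None)."""
    att = ATTACHMENTS.get(attach_id)
    if att is None or att.forum_id not in user.download_forums:
        # One indistinguishable answer for "no such id" and "not yours", so a
        # changed id reveals neither the file's existence nor its forum.
        return 404, None
    return 200, att.real_filename


def probe_ids(user: User, ids: Iterable[int]) -> Dict[str, int]:
    """What an id-walking client gets back, summarised. The 'denied' count per
    user per time window is also the figure a defender would alert on."""
    summary = {"served": 0, "denied": 0}
    for attach_id in ids:
        status, _ = serve_attachment(user, attach_id)
        summary["served" if status == 200 else "denied"] += 1
    return summary


if __name__ == "__main__":
    for who, user in (("guest", GUEST), ("staff", STAFF)):
        print(who, probe_ids(user, range(100, 110)))
```

Two properties carry the argument: the check is on the object the id resolves to (its forum), not on the shape or value of the id, and the failure responses do not differ by cause. Given those, sequential ids are not a vulnerability in themselves; a burst of denied requests from one account is still worth logging, because it is the visible trace of someone testing exactly this.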