Security Configuration Settings

Registered User
Posts: 2
Joined: Tue Nov 10, 2015 10:13 am

Security Configuration Settings

Post by rizvinazish »

Hi All
I got the following issues from my security department.
Unrestricted API Access/User Enumeration ... &u={UserID}
Attacker can enumerate users by changing the userID value.

Unrestricted File Access{FileID}
Attacker can enumerate files by changing the id value.

Weak Cipher Algorithms:
3DES and SSLv3

Both need to be disabled on the server.

I tried to search for a solution on the forums, but no luck.
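The server-side change the report asks for, as an added example that is not from this thread or from phpBB: a Python `ssl` server context that floors the protocol at TLS 1.2 (so SSLv3 can never be negotiated) and excludes 3DES suites, plus an audit that reports whether a context would still offer either. The cipher names used by the audit are constructed samples; on a real phpBB host the same two settings are applied in the web server's TLS configuration rather than in Python.

```python
import ssl

# Substrings that identify single-DES and triple-DES suites in OpenSSL and
# IANA naming (e.g. DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA).
WEAK_CIPHER_MARKERS = ("3DES", "DES-CBC", "DES_EDE")


def build_hardened_context() -> ssl.SSLContext:
    """Server context that refuses SSLv3 (and TLS 1.0/1.1) and never offers 3DES."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # A protocol floor of TLS 1.2 makes SSLv3 unnegotiable regardless of client offer.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: forward-secret AEAD suites only; 3DES and DES are
    # excluded explicitly so a later edit cannot re-enable them by accident.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!3DES:!DES:!aNULL:!MD5")
    return ctx


def weak_cipher_names(names) -> list:
    """Return every cipher name in `names` that belongs to the DES/3DES family."""
    return [n for n in names if any(marker in n for marker in WEAK_CIPHER_MARKERS)]


def allows_sslv3(ctx: ssl.SSLContext) -> bool:
    """True if the context's protocol floor is at or below SSLv3."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def hardening_report(ctx: ssl.SSLContext) -> dict:
    """Audit a context against the two findings: SSLv3 allowed, 3DES suites offered."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    return {
        "sslv3_allowed": allows_sslv3(ctx),
        "weak_ciphers": weak_cipher_names(offered),
    }


if __name__ == "__main__":
    print(hardening_report(build_hardened_context()))
```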
Registered User
Posts: 17950
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: Security Configuration Settings

Post by david63 »

If you believe that you have found security issues you should post them in the Security Tracker (found under the Development tab above) and not on the board for all the world to see.
Former Team Member
Posts: 15668
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Security Configuration Settings

Post by 3Di »

rizvinazish wrote:
Tue Mar 31, 2020 6:17 am
I got the following issues from my security department.
Unrestricted API Access/User Enumeration
And what can they do once they know how many users or files exist? It also seems to me that the number of users is available in online statistics so there is no need to make much effort. Certain techniques only serve to understand how interesting an eventual attack could be, which would surely fail anyway.
An attacker can use enumeration methods to get a picture of whether or how a target can respond to system hacking activities. Uncovering information on whether or how a defender can respond allows the attacker to modify their attack accordingly to make their activity more productive.
Support Team Member
Posts: 52018
Joined: Tue May 10, 2005 7:47 pm

Re: Security Configuration Settings

Post by Brf »

Yes. It is ridiculous to think that would be an attack. You can do the same thing with viewforum and viewtopic. Changing the IDs to view a different page is not an attack. Those altered page URLs still go through the same security to prevent viewing pages the user is not authorized to see.