Security Configuration Settings

rizvinazish
Registered User
Posts: 2
Joined: Tue Nov 10, 2015 10:13 am

Security Configuration Settings

Post by rizvinazish »

Hi All
I got the following issues from my security department.
Unrestricted API Access/User Enumeration https://abc.com/memberlist.php?mode=vie ... &u={UserID}
Attacker can enumerate users by changing the userID value.

Unrestricted File Access
https://abc.com/download/file.php?mode=view&id={FileID}
Attacker can enumerate files by changing the id value.

Weak Cipher Algorithms:
3DES and SSLv3

Both need to be disabled on the server.

I tried to search for a solution on the forums, but no luck.
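The first post says the server must stop accepting 3DES and SSLv3 but not how to confirm it afterwards. The following probe is an added example, not code from the thread or from phpBB: it attempts a handshake in which the client is restricted to exactly one of those two settings, so a completed handshake means the server still accepts it. abc.com is the placeholder hostname from the post; port 443 and a 5-second timeout are assumptions.

```python
import socket
import ssl

# Placeholder hostname taken from the post; replace with the server under review.
HOST = "abc.com"
PORT = 443


def handshake_succeeds(host, port, ciphers=None, min_version=None,
                       max_version=None, timeout=5.0):
    """Attempt one TLS handshake with the client deliberately restricted.

    Returns True if the server completed the handshake under the restriction,
    False if it refused (or could not be reached), and None if this client's
    OpenSSL build cannot even offer the option, so nothing was tested.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we probe negotiation, not certificate validity
    try:
        if ciphers is not None:
            ctx.set_ciphers(ciphers)
        if min_version is not None:
            ctx.minimum_version = min_version
        if max_version is not None:
            ctx.maximum_version = max_version
    except (ssl.SSLError, ValueError):
        return None  # e.g. OpenSSL built without SSLv3 or without 3DES suites
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher() is not None
    except (ssl.SSLError, OSError):
        return False


def weak_tls_findings(host=HOST, port=PORT):
    """Return which of the two settings named in the thread the server still accepts."""
    findings = []
    # "@SECLEVEL=0" lets a modern client offer 3DES at all; the server decides whether to take it.
    # Cap at TLS 1.2: set_ciphers() does not restrict TLS 1.3 suites, which would mask the result.
    if handshake_succeeds(host, port, ciphers="3DES:@SECLEVEL=0",
                          max_version=ssl.TLSVersion.TLSv1_2):
        findings.append("3DES")
    if handshake_succeeds(host, port, min_version=ssl.TLSVersion.SSLv3,
                          max_version=ssl.TLSVersion.SSLv3):
        findings.append("SSLv3")
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    found = weak_tls_findings(host)
    print(f"{host}: still accepts {found}" if found else f"{host}: 3DES and SSLv3 refused")
```

If the client's own OpenSSL cannot offer SSLv3, that setting is reported as not accepted because it could not be probed; run the check from a host with an older toolkit (or `openssl s_client -ssl3`) to get a definite answer.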
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Security Configuration Settings

Post by david63 »

If you believe that you have found security issues you should post them in the Security Tracker (found under the Development tab above) and not on the board for all the world to see.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
3Di
I've Been Banned!
Posts: 17538
Joined: Mon Apr 04, 2005 11:09 pm
Location: I'm with Ukraine 🇺🇦
Name: Marco

Re: Security Configuration Settings

Post by 3Di »

rizvinazish wrote: Tue Mar 31, 2020 6:17 am
I got the following issues from my security department.
Unrestricted API Access/User Enumeration
And what can they do once they know how many users or files exist? It also seems to me that the number of users is available in online statistics so there is no need to make much effort. Certain techniques only serve to understand how interesting an eventual attack could be, which would surely fail anyway.
An attacker can use enumeration methods to get a picture of whether or how a target can respond to system hacking activities. Uncovering information on whether or how a defender can respond allows the attacker to modify their attack accordingly to make their activity more productive.
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Buy me a coffee
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
Brf
Support Team Member
Posts: 53401
Joined: Tue May 10, 2005 7:47 pm

Re: Security Configuration Settings

Post by Brf »

Yes. It is ridiculous to think that would be an attack. You can do the same thing with viewforum and viewtopic. Changing the IDs to view a different page is not an attack. Those altered page URLs still go through the same security to prevent viewing pages the user is not authorized to see.