SSL HTTPS help URGENT PLEASE HELP

hunterhusker
Registered User
Posts: 8
Joined: Sat Apr 14, 2018 10:20 pm

Re: SSL HTTPS help URGENT PLEASE HELP

Post by hunterhusker »

Not sure if any of you will see this, because this thing is a little old, but I remember hearing some of you would be curious as to the phpBB's status after the competition. I'm happy to report we got 7th out of 40. We almost got 4th, but in the last 5 minutes of the competition my forum was breached, by means of SSH. It is a capture the flag game, and my /etc flag was captured by a compromised admin account. (Before you say I needed better passwords, the password for this account was randomly generated and provided to us by staff, we couldn't use our own.) Anyways, the site itself had two flags to be placed by red team. One to post in the admin only announcements forum, and one to post in the password protected developer forum. They didn't get any of those. However, in the bug forum the red team decided to do some mind games and told us how they would get in. Not gonna lie, scary af. They successfully XSS scripted my site. However, we used Barracuda WAF and it blocked them. Needless to say they were very unhappy. We have a phone service to address "customer calls" and the red team called us and complained about it, then hung up and rick rolled us lol. So yeah, my team wonders if it may have been setup errors that caused that, but I used mostly default settings. So I guess that's it. If you guys are securing stuff, work on XSS to stop cross-site/HTML injection attacks or buy Barracuda WAF, it's amazing.

Oh, and sorry John, I'm pretty sure you have to be a student or alumni of Iowa State University to red team. If you want, look up Iowa State CDC, and since I am in high school it should be the ITO one. I'll also link the scoring site, and if you want to chat with them about next year I can send you the mail that we use to contact them.

the scoring site -> https://iscore.iseage.org/
It's down right now while they move the server out of the basketball court. If it is back up with scores, and you want to find us, we were team 3.
thecoalman
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: SSL HTTPS help URGENT PLEASE HELP

Post by thecoalman »

hunterhusker wrote: Sun Apr 22, 2018 7:57 pm So I guess that's it. If you guys are securing stuff, work on XSS to stop cross-site/HTML injection attacks or buy Barracuda WAF, it's amazing.
If there is a security risk within phpBB please report it to the security tracker.

https://tracker.phpbb.com/secure/Browse ... jspa#10020

Thanks.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: SSL HTTPS help URGENT PLEASE HELP

Post by 2600 »

You could have blocked that SSH breach by properly using CloudFlare.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
Mick
Support Team Member
Posts: 26505
Joined: Fri Aug 29, 2008 9:49 am

Re: SSL HTTPS help URGENT PLEASE HELP

Post by Mick »

And spend the rest of the test period getting it to work.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: SSL HTTPS help URGENT PLEASE HELP

Post by 2600 »

Getting what to work?

I use and have used CloudFlare for 3 years with no issues. There is more than one reverse proxy out there. If you know what you are doing there won't be an issue and it will greatly increase your security. Mostly from a DDoS attack. CloudFlare sits in front of my origin IP and if some chucklehead decides to DDoS the CloudFlare IP he'll have a very hard time. He would have to use an absolute ton of IoT devices, etc. to knock me offline. CloudFlare has mitigated some of the largest DDoSes ever.

Go ahead. Look at my site and try to find the origin IP. You won't. And because of that you can't Nmap the IP and find my SSH port, FTP port, etc. So that mitigates any hacking attempt.

If there are issues you can always set up a page rule. One of my page rules specifies that the styles folder be cached. That means the server isn't used to pull the styles data with every page load and the site is that much faster.

In my CloudFlare dashboard it tells me how much I saved on origin server resources and it's roughly 70%. Meaning most data transfer comes over CloudFlare rather than my host. I have also installed the Amazon S3 extension for image hosting and that reduces page load even further by serving all images via Amazon's servers. And since CloudFlare uses a special mechanism to encrypt all mixed content, I don't have any issues with SSL mixed content warnings. Interesting to note that CloudFlare uses the HTTPS Anywhere database and something else to achieve that result.

If anyone is remotely concerned about security then learn how to use a reverse proxy like CloudFlare. And for free you can't beat it. I would not use the CloudFlare option in cPanel though. You have more control by creating a free account.
Mick
Support Team Member
Posts: 26505
Joined: Fri Aug 29, 2008 9:49 am

Re: SSL HTTPS help URGENT PLEASE HELP

Post by Mick »

But, there is no need for Cloudflare, whatsoever. You talk about it like it’s the be all and end all, there is even an extension to correct Cloudflare issues. In any case, it’s a server thing.
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: SSL HTTPS help URGENT PLEASE HELP

Post by 2600 »

No, you don't need CloudFlare at all, but it offers an ability to protect your server.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: SSL HTTPS help URGENT PLEASE HELP

Post by david63 »

John connor wrote: Tue Apr 24, 2018 8:58 pm it offers an ability to protect your server.
But most people do not have their own server
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: SSL HTTPS help URGENT PLEASE HELP

Post by 2600 »

david63 wrote: Tue Apr 24, 2018 9:03 pm
John connor wrote: Tue Apr 24, 2018 8:58 pm it offers an ability to protect your server.
But most people do not have their own server
You don't need your own server. I have a shared account.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: SSL HTTPS help URGENT PLEASE HELP

Post by david63 »

John connor wrote: Wed Apr 25, 2018 4:54 pm
david63 wrote: Tue Apr 24, 2018 9:03 pm
John connor wrote: Tue Apr 24, 2018 8:58 pm it offers an ability to protect your server.
But most people do not have their own server
You don't need your own server. I have a shared account.
But you specifically said your server implying that you had to have your own dedicated server.
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: SSL HTTPS help URGENT PLEASE HELP

Post by 2600 »

I wasn't trying to imply that. If you have a VPS or dedicated server then all the more power to you. It just means you have to block all IPs except CloudFlare IPs and update those whenever there is an update range. Fortunately that isn't very often.
Wes of StarArmy
Registered User
Posts: 291
Joined: Fri Mar 04, 2005 2:59 am
Location: StarArmy.com
Contact:

Re: SSL HTTPS help URGENT PLEASE HELP

Post by Wes of StarArmy »

I agree Cloudflare is very useful even on the free tier.

One thing to remember is that any non-Cloudflare subdomains like mail.example.com could reveal the server's real IP if not correctly configured.
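An offline audit for the kind of leak described in the post above, added here as an example and not part of the original thread. The zone records, the proxy range (a documentation network used as a placeholder) and the function names are all constructed for illustration.

```python
import ipaddress

# Placeholder for the proxy provider's published ranges (constructed).
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed zone export: (name, type, value).
ZONE = [
    ("example.com", "A", "198.51.100.10"),        # proxied
    ("www.example.com", "CNAME", "example.com"),  # follows the proxied name
    ("mail.example.com", "A", "203.0.113.25"),    # points at the origin
    ("example.com", "MX", "mail.example.com"),
    ("ftp.example.com", "CNAME", "mail.example.com"),
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.25 -all"),
]


def is_proxied(addr):
    return any(ipaddress.ip_address(addr) in net for net in PROXY_RANGES)


def exposed_records(zone):
    """Return sorted (name, type, address) for every record that publishes
    an address outside the proxy ranges, directly or through a target."""
    direct = {}  # name -> unproxied addresses it resolves to
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA") and not is_proxied(value):
            direct.setdefault(name, []).append(value)
    findings = set()
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA") and not is_proxied(value):
            findings.add((name, rtype, value))
        elif rtype in ("MX", "CNAME"):
            # An MX or CNAME leaks whatever its in-zone target leaks.
            for addr in direct.get(value.rstrip("."), []):
                findings.add((name, rtype, addr))
        elif rtype == "TXT" and value.startswith("v=spf1"):
            # SPF ip4:/ip6: terms publish sender addresses in clear text.
            for term in value.split():
                if term.startswith(("ip4:", "ip6:")):
                    addr = term[4:].split("/")[0]
                    if not is_proxied(addr):
                        findings.add((name, rtype, addr))
    return sorted(findings)


if __name__ == "__main__":
    for finding in exposed_records(ZONE):
        print(finding)
```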
thecoalman
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: SSL HTTPS help URGENT PLEASE HELP

Post by thecoalman »

Mick wrote: Tue Apr 24, 2018 2:31 pm But, there is no need for Cloudflare,
Cloudflare adds a huge layer of security and allows for things you simply cannot do without it. If you ever have the unfortunate experience of having a site DDOS'd you will quickly learn what the need is.
there is even an extension to correct Cloudflare issues
What you are referring to as an issue is one of the biggest benefits of using Cloudflare, you can allow Cloudflare IPs in the firewall and deny the rest of the world for ports 80, 443 and any other port being proxied through Cloudflare. There is an Apache module you need to install so the correct IP is passed onto applications like phpBB, server logs etc. Of course if you do not have your own server or your host won't install the module you will need to use the workaround in the extension.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
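The two controls described in the post above, modelled as an added example that is not part of the original thread and is not mod_cloudflare's code: an origin firewall policy that accepts proxied ports only from proxy addresses, and visitor-IP restoration that trusts the `CF-Connecting-IP` header only when the TCP peer is a proxy. The ranges are documentation networks used as placeholders, and the admin range, the SSH allowlist and the function names are assumptions.

```python
import ipaddress

# Constructed placeholder ranges (documentation networks). A real deployment
# loads the proxy provider's published ranges and refreshes them on change.
PROXY_RANGES = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "2001:db8:cf::/48")]
ADMIN_RANGES = [ipaddress.ip_network("192.0.2.0/28")]  # assumed admin network
PROXIED_PORTS = {80, 443}
ADMIN_PORTS = {22}  # SSH is not proxied, so it needs its own allowlist


def _in(addr, ranges):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def firewall_allows(peer, port):
    """Origin policy: proxied ports accept only proxy addresses."""
    if port in PROXIED_PORTS:
        return _in(peer, PROXY_RANGES)
    if port in ADMIN_PORTS:
        return _in(peer, ADMIN_RANGES)
    return False  # default deny for everything else


def real_client_ip(peer, headers):
    """Return the address to log and ban on.

    The header is honoured only when the connection comes from a proxy;
    from any other peer it is client-controlled and must be ignored.
    Header names are assumed to be normalised by the caller.
    """
    claimed = headers.get("CF-Connecting-IP")
    if claimed and _in(peer, PROXY_RANGES):
        try:
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return peer
```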
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: SSL HTTPS help URGENT PLEASE HELP

Post by 2600 »

The Apache module is called mod_cloudflare. If your host doesn't have it installed, ask them to install it. If you use WordPress there is a plugin from CloudFlare as well that will do what that extension does for phpBB.