dbj wrote: ↑Fri Feb 02, 2018 1:43 pm
Lumpy Burgertushie wrote: ↑Fri Feb 02, 2018 5:53 amand, in all this time since phpbb 3 came out, as far as I have heard , there has been no successful hacks of a default install of phpbb3
This has nothing to do with the topic. CSP is not a replacement for any security measures and CSP cannot be replaced by other security measures. If you don't know what CSP does, pleas look it up.
^ This. Security audits do not mean phpBB is safe full-stop, end of story. They are AWESOME, and it's AWESOME that phpBB takes it this seriously, but all a security audit means is it's safe to attacks the auditing company knew of and tested for at that time. It should go without saying that it's literally impossible for a company to audit against vulnerabilities that unknown at the time, and the CSP is a prevenative measure to potential future vulnerabilities. One does not negate the other, they are two completely seperate tools and method that simply happen to share a similar end-goal - Keep your website safe.
As we've all heard - the best treatment is good prevention. This is the power of the CSP, as I currently understand it.
Just out of curiosity actually: Did the auditing company make the issue of inline-scripts aware to the team with the audit? It seems like that is something that should've come up from their end.
JoshyPHP wrote: ↑Fri Feb 02, 2018 3:32 am
I've used phpBB with JavaScript off for a little while and apart from the editor, everything worked fine.
That's remarkable then. Zero modifications to the code on your end? Users frequently using your forum? This is NOT consistent with my experiences, all other reports so far, or the code itself. As I said, almost all control panel features go to sugar, along with just about anything else javascript related (quick replies), and database backups. You can easily download notepad++, do a bulk search for the keyword "<script" and immediately see what will or will not work - As you can see, your statement just isn't consistent with the code.
I've spent a lot of time combing over it now and unfortunately it's an issue that needs to be an addressed on a development level. As I said, you can not unfortunately just move all the <script> tags to an external script, point ot them, and voila. All the inline event handlers need to be rewritten to functions and called from external js as well - "onclick="jumpto(); return false;" - just as a random example, a CSP disallowing inline-scripts will not allow this even with all <script> tags moved externally.
I'm just wondering if it's on the development radar at all, and perhaps something we can look forward to in nearby release, or if webmasters concerned about this issue should start the grueling process of doing this manually now?
phpBB being an open source project I would of course be willing to "do my part", as it were - I can certainly, if nothing else, move all the <script> tags externally and update the vanilla install for this - but the event handlers may need someone that actually knows what they're doing. And it creates other issues as well - Do extension developers then have to do the same as well? Do all extensions that don't fall in line get marked "NOT SAFE" or something to that effect? I know it's a messy one but it is what it is.
Look forward to a response.