My fluxbb forum host!

Cyclone103 · 2010-02-11 16:19:54

Its not entirely unrelated to Fluxbb, but it doesn't really fit anywhere else.

I have created a free fluxbb forum host! The thing that sets us apart is the freedom. We don't force ads except for a small text link back to the main site, and I created a plugin specifically to allow site admins to place their own advertisements.

The site: http://forum.cyclonehost.info

(I am buying a domain soon, all old forum URLs will be redirected to the new one)

For a full features list, just visit http://forum.cyclonehost.info/features.php

Signups are quick and easy!

To see a list of all of our hosted forums, just visit http://forum.cyclonehost.info/list.php

The goal is to deliver as much fluxbb functionality as possible without any technical knowledge needed. There are several preinstalled plugins, including some custom ones I made just for this.

Enjoy! If you have any suggestions, feel free to let me know.

Cyclone103 · 2010-02-11 16:20:50

Oh yeah, and this is all coded by hand. I spent a few hours last week working on it, I'm fairly proud with how it turned out.

Smartys · 2010-02-11 16:36:08

Very interesting site! A couple things:
- Disabling a form field is not enough to make a user unable to change it. I just changed my base URL on http://forum.cyclonehost.info/forums/foobar/, which breaks my forum. I can also change the avatar upload directory, which would allow me to mess with other forum's avatars (except your uploading seems to fail).
- Your custom coded admin plugins are vulnerable to SQL injections.
- How do you plan to support the site financially? It's very nice to say that your site is all about "freedom" just because you don't post ads (even though that doesn't really make sense) but maintaining a website takes a fair amount of money every month. What guarantee do people have that your site won't disappear within 6 months, as so many other free hosts have?

Cyclone103 · 2010-02-11 16:44:47

Ah, just who I was hoping to see.

First off, I understand that disabling the form field does not prevent users from changing things. I'll fix the avatars thing, which I had assumed would not be an issue for a while.

As far as the admin plugins go, I was following the pattern of other plugins, which seemed to lack any sort of validation as well. How do you recommend I fix this?

I have no issues with supporting the site, this will not be a problem.

Also, you could have simply tested instead of actually trying to break the forum. I've banned your IP temporarily, until these issues have been worked out. By no means do I expect you to be stopped by this, but I'd imagine your intents are not malicious.

Instead of merely reporting an issue, how about helping me fix it?

Last edited by Cyclone103 (2010-02-11 16:48:01)

Smartys · 2010-02-11 16:46:53

As far as the admin plugins go, I was following the pattern of other plugins, which seemed to lack any sort of validation as well. How do you recommend I fix this?

By sanitizing input. Take a look at the FluxBB code.

Cyclone103 · 2010-02-11 16:49:03

$db->escape you mean? Didn't happen to see that before, thanks for the help.

Also, do you have any sort of chat client? I'd prefer we talk about this in private.

Last edited by Cyclone103 (2010-02-11 16:51:21)

Smartys · 2010-02-11 16:53:28

Shoot me an email, smartys at punbb-hosting.com

Cyclone103 · 2010-02-11 16:54:43

Alright.

Cyclone103 · 2010-02-11 18:05:11

Thanks for the help so far, I think it is more secure now.

MattF · 2010-02-11 20:03:55

Cyclone103 wrote:

Also, you could have simply tested instead of actually trying to break the forum. I've banned your IP temporarily, until these issues have been worked out. By no means do I expect you to be stopped by this, but I'd imagine your intents are not malicious.

Just out of curiosity, how is someone supposed to test something which may be broken without trying to break it? Through psychic ability?

Cyclone103 · 2010-02-11 20:17:26

It wasn't the fact that he tested, it was the method by which he did it.

MattF · 2010-02-11 20:29:43

I was just curious.

Cyclone103 · 2010-02-11 20:48:35

Haha lol!

I guess psychic powers (or FTP access) could help a bit lol

Smartys · 2010-02-11 21:18:27

Oh dear, it seems I missed your edits...

Cyclone103 wrote:

Also, you could have simply tested instead of actually trying to break the forum. I've banned your IP temporarily, until these issues have been worked out. By no means do I expect you to be stopped by this, but I'd imagine your intents are not malicious.

Now see, that's just not nice. I WAS testing for vulnerabilities, as we discussed; I'm not sure what you're objecting to. I think you'd agree that a vulnerability affecting only a forum I own is far different than a vulnerability that allows me to compromise other forums (and that identify which vulnerabilities are which is important). To be clear, at no time did I "break" anything related to the site as a whole (nor would I have): I even used an SQL injection to fix my forum's base URL. ;-)

Cyclone103 wrote:

Instead of merely reporting an issue, how about helping me fix it?

I do freelance work at very affordable rates: if you'd like me to do some coding for you, that's the way to get me to do it.

The burden is on you to code properly and securely, not on me to find and fix your system's vulnerabilities. Be happy that I found the vulnerabilities and alerted you so you could fix them; I could have just waited for malicious hackers to discover them.

Cyclone103 wrote:

It wasn't the fact that he tested, it was the method by which he did it.

I'm a little confused by this. Should I have somehow discovered all the vulnerabilities through mental telepathy and reported them to you? (kudos to Matt for making the point already)

I'm also a little curious what "method" I used to discover vulnerabilities that you found so objectionable. All I did was navigate in my browser and type values into fields (and maybe use LiveHTTPHeaders a bit). Those are fairly standard techniques.

Last edited by Smartys (2010-02-11 21:19:30)

Cyclone103 · 2010-02-11 21:31:38

It would have been polite to ask if you could test for vulnerabilities first

Although it WAS nice of you to fix your URL by yourself lol.

You actually did fix it without requiring coding, I believe those problems should be gone now (By all means, please test, but email me to let me know what it is you are doing).

And you either forged some POST requests or used Firebug or the Webkit inspector to change the URL and avatar dir.

Smartys · 2010-02-11 21:41:57

It would have been polite to ask if you could test for vulnerabilities first

Polite? Maybe. Required? No.

You put your website up on the Internet and you advertised it here: nowhere did I agree to access the website only in ways you pre-approve. That's even ignoring the fact that several of the vulnerabilities could/would have been triggered by someone passively exploring the site (ie: the plugin vulnerabilities) and not doing anything you would consider "against your wishes."

And again, it wasn't like I tried to hide my intentions. As soon as I discovered vulnerabilities, I reported them to you: I didn't replace your website with a funny message or do anything malicious. I even suggested mitigation strategies. I'd call that more than polite.

And you either forged some POST requests or used Firebug or the Webkit inspector to change the URL and avatar dir.

Web Developer Toolbar.

Cyclone103 · 2010-02-11 21:44:46

Oh I know, but I'd have thought you'd have warned me first at least, though I certainly appreciate your efforts to help.

---

Is that the one for Chrome? I was close enough lol

Cyclone103 · 2010-02-16 20:18:57

Smartys, did you try something else on my site? Ever since you created that new user account, my users have been unable to login or post (Well, with varying degrees of success)

Smartys · 2010-02-16 20:48:44

No. I created an account. Correlation is not causation.

Cyclone103 · 2010-02-16 21:06:58

Can you think of some cause of chrome users being unable to login? I have no problems with FF anymore, nor IE. The problems appear to be Chrome-specific, though I have no trouble logging in elsewhere.

Upon login, the user is redirected back to login.php without a message of any kind.

Also, I never expected it to be you, I merely thought I would ask.

EDIT: Bizarrely, it seems to have fixed itself. Is it possible that Chrome pushed some kind of update which broke cookies temporarily, then they pushed another update to fix?

Last edited by Cyclone103 (2010-02-16 21:09:23)

twohawks · 2010-03-26 22:37:00

Hey Cyclone... looks very interesting. Ah... is it posted anywhere what version of FluxBB you are running?
It would be nice to know, like when you scroll to the bottom of the page where it shows "powered by fluxBB", what version is running. I hate it that they don't do that here (gotta hunt, search, guess -- but why? what usefulness is it to hide the version?).

Also, nice features list. Another thing I find rather lacking here, unfortunately.

Cyclone103 · 2010-04-10 20:58:44

Hi twohawks, all our forums in Forumify are running 1.2.22. The only advantage to not showing it would be to neaten the footer, or to prevent attacks on your version of fluxbb.

Thanks, I'm glad you like the features list! Sorry for the late response!

Also, all forums now have a subdomain of forumify.com instead of a folder, so the URL of each forum is 17 characters shorter than with my older system.

Last edited by Cyclone103 (2010-04-10 21:03:19)

twohawks · 2010-04-10 22:47:44

Cool. Thank you ;^)

Cyclone103 · 2010-04-13 01:55:14

No problem. If you don't mind my asking, why did you want to know?

Garry Hopkins · 2010-04-15 13:46:06

Doesn't matter, I like it and it works fine. This is the ultimate test,isn't it

Forums

#1 2010-02-11 16:19:54

My fluxbb forum host!

#2 2010-02-11 16:20:50

Re: My fluxbb forum host!

#3 2010-02-11 16:36:08

Re: My fluxbb forum host!

#4 2010-02-11 16:44:47

Re: My fluxbb forum host!

#5 2010-02-11 16:46:53

Re: My fluxbb forum host!

#6 2010-02-11 16:49:03

Re: My fluxbb forum host!

#7 2010-02-11 16:53:28

Re: My fluxbb forum host!

#8 2010-02-11 16:54:43

Re: My fluxbb forum host!

#9 2010-02-11 18:05:11

Re: My fluxbb forum host!

#10 2010-02-11 20:03:55

Re: My fluxbb forum host!

#11 2010-02-11 20:17:26

Re: My fluxbb forum host!

#12 2010-02-11 20:29:43

Re: My fluxbb forum host!

#13 2010-02-11 20:48:35

Re: My fluxbb forum host!

#14 2010-02-11 21:18:27

Re: My fluxbb forum host!

#15 2010-02-11 21:31:38

Re: My fluxbb forum host!

#16 2010-02-11 21:41:57

Re: My fluxbb forum host!

#17 2010-02-11 21:44:46

Re: My fluxbb forum host!

#18 2010-02-16 20:18:57

Re: My fluxbb forum host!

#19 2010-02-16 20:48:44

Re: My fluxbb forum host!

#20 2010-02-16 21:06:58

Re: My fluxbb forum host!

#21 2010-03-26 22:37:00

Re: My fluxbb forum host!

#22 2010-04-10 20:58:44

Re: My fluxbb forum host!

#23 2010-04-10 22:47:44

Re: My fluxbb forum host!

#24 2010-04-13 01:55:14

Re: My fluxbb forum host!

#25 2010-04-15 13:46:06

Re: My fluxbb forum host!

Board footer