
#1 2019-09-18 23:11:52

JJones
Banned
Registered: 2019-04-28
Posts: 63

FluxBB Security Exploits!?!?!

Franz stated "There are no known security exploits" ... Are you implying that YOU are unaware of any exploits or that "nobody knows" of any Exploits?

To Date: the current version of FluxBB holds 17 "known" exploits.

Albeit .... to be clear, ONE of those SEVENTEEN is more properly classified as a "design flaw" that is easily abused. So I would SURELY love clarification of what you mean by "no known"!?!?!


#2 2019-09-18 23:34:31

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,721

Re: FluxBB Security Exploits!?!?!

"No known security exploits".

There have not been any reports to the FluxBB development team through the official channels described on our homepage.

Would you be so kind to share a link to your wondrous list?


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."


#3 2019-09-19 02:01:21

JJones
Banned
Registered: 2019-04-28
Posts: 63

Re: FluxBB Security Exploits!?!?!

Franz wrote:

"No known security exploits".

This sentence means that you are only considering exploits that are reported to you directly based on the quote next.


Franz wrote:

There have not been any reports to the FluxBB development team through the official channels described on our homepage.

Yet there are countless websites that rate CMS security systems ... but you ONLY make this claim on your own limited knowledge and comprehension ( I established that just prior to the last ban ).

Franz wrote:

Would you be so kind to share a link to your wondrous list?

This should have been your question BEFORE you decided to punish people for "questioning" your "false" claims. ( I even attempted to BET you on it ). There simply is no incentive to report anything to your Dev Team. However, a quick google search containing the words ( FluxBB + Security ) will show several websites reporting several lists. Why should I do your work for you?


#4 2019-09-19 06:00:18

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,721

Re: FluxBB Security Exploits!?!?!

JJones wrote:

There simply is no incentive to report anything to your Dev Team. However, a quick google search containing the words ( FluxBB + Security ) will show several websites reporting several lists. Why should I do your work for you?

The only CVE aggregators on the (personalized) first two pages of Google search results for this phrase are the following:

All of these issues have been fixed long ago.

What do you expect me to do? Browse the web all day in the hopes of randomly stumbling across vulnerability reports I haven't seen yet?

This is not how it works. We expect responsible users / researchers to contact us privately about security issues and support us in resolving them. That's how open-source works and it's the minimum we can expect for freely putting our work out there.

You, however, have been stomping around these forums, making (so far) unbacked claims. Are you interested in resolving real issues or are you just here to waste my time? So no, I simply expect you to do your work.

JJones wrote:

This should have been your question BEFORE you decided to punish people for "questioning" your "false" claims.

For the record: You were banned for breaking our forum rules, not for questioning things. Also for the record: if you still cannot manage to follow these rules, the next ban will not be temporary.




#5 2019-09-19 07:29:58

Otomatic
FluxBB Donor
From: Paris - France
Registered: 2010-01-26
Posts: 574

Re: FluxBB Security Exploits!?!?!

Franz wrote:

We expect responsible users / researchers to contact us privately about security issues and support us in resolving them. That's how open-source works and it's the minimum we can expect for freely putting our work out there.

It is always in a private way that I have been contacted about possible security breaches in my works. This allows problems to be corrected before they are released in the public arena.
Doing so comes from responsible people while putting potential security issues on the public agenda before notifying developers comes from totally irresponsible people whose sole purpose is to get noticed by bulging their chest.


An error does not become truth by reason of multiplied propagation. Gandhi


#6 2019-09-21 05:06:46

JJones
Banned
Registered: 2019-04-28
Posts: 63

Re: FluxBB Security Exploits!?!?!

Forgive the late response .... This week & weekend will be pure chaos due to the Iran & Saudi Arabia issue, which is resulting in increased activity for our contracts ( I love war, but I hate the drama that comes before someone actually fights ).

Franz wrote:

The only CVE aggregators on the (personalized) first two pages of Google search results for this phrase are the following:

All of these issues have been fixed long ago.

I find it utterly depressing that your capability of searching for information is limited to 2 websites ( Albeit that is the first time I had ever seen the cvedetails website ). And for the record, not all of the listed exploits have been patched.

Franz wrote:

What do you expect me to do? Browse the web all day in the hopes of randomly stumbling across vulnerability reports I haven't seen yet?

YES .... if you do not have a reliable "user - base" of experienced users, then you have no other option!

Franz wrote:

This is not how it works. We expect responsible users / researchers to contact us privately about security issues and support us in resolving them. That's how open-source works and it's the minimum we can expect for freely putting our work out there.

You have no "user base" for reliance! Look at the numbers of websites operating FluxBB .... Open-Source success rates are based on the success of Development. You lack both a large enough user-base and development to achieve any type of success rate.

Franz wrote:

You, however, have been stomping around these forums, making (so far) unbacked claims. Are you interested in resolving real issues or are you just here to waste my time? So no, I simply expect you to do your work.

I did "my job": I reported the security issues that I found ( just not to you ). The authorization that you granted me, I also forwarded to my group of people, and they reported their findings ( They have a lot more experience dealing with exploitation than I do ). You can claim "unbacked" all you want, however, contrary to your belief, there is NO incentive for Myself, My people, or even your own users to report directly to you. CMS reviews are a much better platform for security tracking! ( All of the other platforms follow this same protocol ).

Franz wrote:

For the record: You were banned for breaking our forum rules, not for questioning things. Also for the record: if you still cannot manage to follow these rules, the next ban will not be temporary,

Let's elaborate .. You GRANTED AUTHORIZATION for a complete stranger to "attack" this website! If you look back at the history of all of the "hackers & cyber espionage" persons busted for breaking into websites, we are a majority of the time busted for "Unauthorized Access", which is a crime listed in the Computer Fraud and Abuse Act of 1986. Your "Invitation" completely bypasses the state from having the ability to prosecute hack style crimes. Unless I cause physical harm to the host, I ( and whomever I forward that permission to ) am immune from prosecution now..... NOT only was that FOOLISH, but the most incompetent action you could have made. I & My team now have unlimited access to do whatever we want with/to your website ( not including physical harm to the hardware )... You simply are offended that I called your action "stupid" ... This standard alone is why I have no need to report anything directly to you, and instead rely on "competent" persons to do your job for you!


#7 2019-09-21 10:39:33

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 214

Re: FluxBB Security Exploits!?!?!

You cannot forward permissions - permissions are - if not explicitly stated differently - exclusive to the receiver. It is an "exclusive permission" (same for stuff like FOSS - which Germany for now does not explicitly have, so we have a "non-exclusive use permission" we can give to others).

Also in Germany it is a crime to surpass security mechanisms (does not matter how easy they are to bypass). We even have trouble blocking adblocker-detection-mechanisms. You can post instructions and get sued for this.



Regarding the potential security flaws you are aware of:
You are walking around here bursting with confidence - why not climb down from your throne and at least post about _one_ exploit still working - if there are many you do not lose too much. At least it would give others the chance to take what you write more seriously.
Replying with "there is no motivation for me to do this" will just result in reading your posts as "troll posts" - and I do not think this is what you want.
Do us (the users of the forum script) and yourself a favor: write what is still exploitable. It's good for your karma ;)


@ Open Source Success rates
This rate exists for each kind of project. The benefit of smaller FOSS is of course that they are less often the target of (non-automated) hacking attempts unless the target itself is of interest (the specific website or a specific user/user group).
I am glad to have found FluxBB and most users we have do not miss super-sophisticated features, they like the "lightness" which comes with FluxBB and prioritize that higher than PM systems, image uploads (nothing you like to do in Germany!), ... for this stuff they could communicate with me by social networks (and they rarely do - except for "thumbs up" stuff).


@ numbers of installations
Some people rename script files and remove credentials to make it harder for "script kiddies" to use pregenerated exploits. So the more generic you name your classes in the forum and the less specific patterns you provide for your templates to build the design ... the harder it becomes.
Of course this is only security-by-obscurity - but it explains why the numbers of user installations won't be exact.

Also keep in mind that less and less people use forums at all - blogs use comment systems, discourse etc. So people just wanting some "forum like" communication nowadays might use one of the service platforms doing "all in one" for just the cost of owning the user data (you register there, not at your website).


bye
Ron


#8 2019-09-21 14:33:17

JJones
Banned
Registered: 2019-04-28
Posts: 63

Re: FluxBB Security Exploits!?!?!

GWR wrote:

You cannot forward permissions - permissions are - if not explicitly stated differently - exclusive to the receiver. It is an "exclusive permission" (same for stuff like FOSS - which Germany for now does not explicitly have, so we have a "non-exclusive use permission" we can give to others).

Point of Clarity: fluxBB.org is hosted in Paris, France ( not Germany ) .... Nor does it matter where it is located, as again, Franz granted "you" ( in this context means whatever "entity" I am ) permission to attack this "website".  ( https://i.ibb.co/zV9hSHL/Screenshot-243.png ) .... while lawyers COULD argue the point of who is defined as "you", by contract law, "you" is whomever I wish it to be ( which is my entire company staff ). It completely nullifies the fact someone was granted "Authority to Access".... Which is exactly what I did. Keep in mind, I am not subject to French Law, and as posted in the screenshot, I have been "granted Authorization", thereby nullifying any legal claims. In terms of "forwarding" permission, welcome to "Business", yes, a company can employ their staff to do whatever the boss tells them to ( Check out "Security Consulting Firms" ) .... oddly enough the same legal base is used to employ people to "Break into businesses" to test security ( more common than you think ) ( but is NOT the business I am in ).

GWR wrote:

Also in Germany it is a crime to surpass security mechanisms (does not matter how easy they are to bypass). We even have trouble blocking adblocker-detection-mechanisms. You can post instructions and get sued for this.

FluxBB is not subject to German Law, it is subject to French Law ( https://www.whoishostingthis.com/#search=fluxbb.org ).



GWR wrote:

Regarding the potential security flaws you are aware of:
You are walking around here bursting with confidence - why not climb down from your throne and at least post about _one_ exploit still working - if there are many you do not lose too much. At least it would give others the chance to take what you write more seriously.
Replying with "there is no motivation for me to do this" will just result in reading your posts as "troll posts" - and I do not think this is what you want.
Do us (the users of the forum script) and yourself a favor: write what is still exploitable. It's good for your karma ;)

Karma is simply a superstitious view that I simply do not subscribe to. As stated, I Did "report" my findings to the relevant authority ( FluxBB Devs are not an "authority" that is relevant ), I feel no need to report them "HERE". If someone wishes to believe I am a Troll, then so be it ... Time always spills Truth ( I guess we will wait for FluxBB 2.0 ) to find out!


GWR wrote:

@ Open Source Success rates
This rate exists for each kind of project. The benefit of smaller FOSS is of course that they are less often the target of (non-automated) hacking attempts unless the target itself is of interest (the specific website or a specific user/user group).
I am glad to have found FluxBB and most users we have do not miss super-sophisticated features, they like the "lightness" which comes with FluxBB and prioritize that higher than PM systems, image uploads (nothing you like to do in Germany!), ... for this stuff they could communicate with me by social networks (and they rarely do - except for "thumbs up" stuff).

The only interest I had in FluxBB was a pure PHP base core to strip down to convert to a portal .... If I had been seeking a stand-alone forum that was open source, I would have used a more reputable, stable forum ( phpBB or IPB ). If FluxBB had a real interest in serving "Germans", they would have German as the dominating language, not English.


GWR wrote:

@ numbers of installations
Some people rename script files and remove credentials to make it harder for "script kiddies" to use pregenerated exploits. So the more generic you name your classes in the forum and the less specific patterns you provide for your templates to build the design ... the harder it becomes.
Of course this is only security-by-obscurity - but it explains why the numbers of user installations won't be exact.

The vast majority of exploits would be combated by using a .htaccess rule set to specifically address those exploits ( This website has attempted to do exactly that ) .... There is no way to obtain an "EXACT" number of FluxBB websites .... however, a nifty google search will give you a rather broad idea, the same as it would if you attempted to find out what other cores were being used.... it just takes a little time to search.

GWR wrote:

Also keep in mind that less and less people use forums at all - blogs use comment systems, discourse etc. So people just wanting some "forum like" communication nowadays might use one of the service platforms doing "all in one" for just the cost of owning the user data (you register there, not at your website).

I would actually agree with this, "Blogs" damn sure outnumber Forums ... in fact, wordpress alone boasts the majority used core ( It is technically classified as a menu based blog core )


#9 2019-09-21 15:58:12

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,721

Re: FluxBB Security Exploits!?!?!

For the record: I certainly did not grant you (and especially not your associates) permission to do anything illegal with this website or service. I invited you to try out the alleged vulnerability that disabling these lines of code has on this website. Because it isn't one.

Beyond that, you obviously have no interest in contributing anything of value to this project, so I will refrain from further interaction.




#10 2019-09-21 17:51:19

JJones
Banned
Registered: 2019-04-28
Posts: 63

Re: FluxBB Security Exploits!?!?!

Screenshot showing your exact words:
https://i.ibb.co/zV9hSHL/Screenshot-243.png

And I did exploit via the $_POST method .... there was no "try" ... it was successful and reported... just not to YOU.

To be Clear, i find the Email system to be FluxBB biggest problem since it can be used to shut a website down via illegal means ( I used this server to send an Email to a law enforcement agency which included a 3D image of child pornography ) ... just "barely" legal since it is a computer generated image and not a REAL image .... but enough to force the Law Enforcement Agency to "take notice".

Last edited by JJones (2019-09-21 18:04:14)


#11 2019-09-21 20:25:37

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 214

Re: FluxBB Security Exploits!?!?!

JJones wrote:

FluxBB is not subject to German Law, it is subject to French Law ( https://www.whoishostingthis.com/#search=fluxbb.org ).

As said - do not mix up hosting location and owner location. The one who "runs" the page is what to look for, not where the computer is located. The exception is if you want to seize a server - then you need of course access to the hardware (or someone doing that for you).

In that case it means:
- you want the colocation service to shut down the hardware: ask them ("France")
- they will check if they would be allowed to react without interaction to owner ("Germany" ?)
- you want the hosting person to have to interact: ask their authorities ("Germany").


bye
Ron


#12 2019-09-27 02:37:22

moxie
New member
Registered: 2019-09-06
Posts: 4

Re: FluxBB Security Exploits!?!?!

OK, so does FluxBB *actually* have security exploits or is this complete BS?


#13 2019-09-27 07:51:41

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,721

Re: FluxBB Security Exploits!?!?!

If there are any, they have not been reported to the core team. The ones referenced in links above have all been fixed, even if the CVE sites did not realize they are.




#14 2019-09-29 10:50:00

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 214

Re: FluxBB Security Exploits!?!?!

mail.log could contain information on whether emails were sent from "admin to someone" the last weeks (depends on how much logs you store).


bye
Ron

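The mail.log check GWR suggests in the post above, written out as an added example (not code from the thread or from the FluxBB project): a small Postfix log correlator that pairs each queue id's envelope sender with its delivery attempts, so an admin can list what the forum's mail address sent to outside recipients in a given window. Everything below is assumed rather than taken from the page: the host runs Postfix with its default syslog log format, the forum's envelope sender is forum@fluxbb.example (a made-up address; substitute the one from your FluxBB admin settings), and the log lines are constructed samples.

```python
"""
Added example, not part of the original thread or of FluxBB itself.
Correlates Postfix mail.log lines by queue id to answer GWR's question:
did the forum's mail address send anything to someone in the last weeks?

Assumptions (none come from the page): Postfix default syslog format,
sender address forum@fluxbb.example, and syslog lines without a year,
so the caller supplies the year.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log: one forum message delivered to an outside
# address, one forum message that bounced, one unrelated local message.
SAMPLE_MAILLOG = """\
Sep 21 17:40:12 web1 postfix/pickup[2101]: 7A3B1C0042: uid=33 from=<forum@fluxbb.example>
Sep 21 17:40:12 web1 postfix/qmgr[1990]: 7A3B1C0042: from=<forum@fluxbb.example>, size=4821, nrcpt=1 (queue active)
Sep 21 17:40:14 web1 postfix/smtp[2110]: 7A3B1C0042: to=<tips@agency.example>, relay=mx.agency.example[192.0.2.10]:25, delay=1.8, delays=0.1/0/0.9/0.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep 21 17:40:14 web1 postfix/qmgr[1990]: 7A3B1C0042: removed
Sep 22 09:02:01 web1 postfix/qmgr[1990]: 8C11D20077: from=<forum@fluxbb.example>, size=1502, nrcpt=1 (queue active)
Sep 22 09:02:02 web1 postfix/smtp[2110]: 8C11D20077: to=<nobody@invalid.example>, relay=none, delay=0.4, delays=0.2/0/0.2/0, dsn=5.4.4, status=bounced (Host or domain name not found)
Sep 23 11:15:30 web1 postfix/qmgr[1990]: 9D22E30088: from=<root@web1.example>, size=233, nrcpt=1 (queue active)
Sep 23 11:15:31 web1 postfix/local[2120]: 9D22E30088: to=<admin@web1.example>, relay=local, delay=0.1, delays=0.1/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# "Mon DD HH:MM:SS host postfix/<program>[pid]: <QUEUEID>: <rest>"
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
_FROM = re.compile(r"\bfrom=<(?P<addr>[^>]*)>")
_TO = re.compile(r"\bto=<(?P<addr>[^>]*)>")
_STATUS = re.compile(r"\bstatus=(?P<status>\w+)")

Delivery = Tuple[datetime, str, str]  # (timestamp, recipient, status)


def _parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year and pad single-digit days with a
    # second space; normalise the whitespace before strptime
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def correlate(lines: Iterable[str], year: int) -> Dict[str, dict]:
    """Group lines by queue id: {qid: {"from": sender, "deliveries": [Delivery]}}."""
    msgs: Dict[str, dict] = {}
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # not a postfix line in the expected shape
        rec = msgs.setdefault(m["qid"], {"from": None, "deliveries": []})
        rest = m["rest"]
        f = _FROM.search(rest)
        if f and rec["from"] is None:
            rec["from"] = f["addr"]  # pickup or qmgr line names the envelope sender
        t, s = _TO.search(rest), _STATUS.search(rest)
        if t and s:
            # smtp/local line: one delivery attempt for one recipient
            rec["deliveries"].append((_parse_ts(m["ts"], year), t["addr"], s["status"]))
    return msgs


def outbound_from(log_text: str, sender: str, year: int,
                  since: Optional[str] = None, until: Optional[str] = None
                  ) -> List[Tuple[str, str, str, str]]:
    """Delivery attempts whose envelope sender is `sender`, oldest first.

    `since`/`until` are ISO 8601 strings ("2019-09-22" or "2019-09-22 09:00:00").
    Each hit is (timestamp, queue id, recipient, status), including bounces,
    because a bounced attempt still shows the address was used to send.
    """
    lo = datetime.fromisoformat(since) if since else None
    hi = datetime.fromisoformat(until) if until else None
    hits = []
    for qid, rec in correlate(log_text.splitlines(), year).items():
        if rec["from"] != sender:
            continue
        for ts, to, status in rec["deliveries"]:
            if (lo and ts < lo) or (hi and ts > hi):
                continue
            hits.append((ts.isoformat(sep=" "), qid, to, status))
    return sorted(hits)


if __name__ == "__main__":
    for hit in outbound_from(SAMPLE_MAILLOG, "forum@fluxbb.example", 2019):
        print(*hit)
```

On a real host, feed it the concatenation of mail.log and its rotated copies (the rotated files, not just the current one, if the window is weeks long) and restrict `sender` to every address FluxBB is configured to send from. Correlating on the queue id matters because Postfix logs the sender and each recipient on separate lines, so a plain grep for the forum address never shows who the mail went to.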
