MioVisman / FluxBB_by_Visman

My modification of FluxBB
GNU General Public License v2.0

Security #6

Closed Euea closed 6 years ago

Euea commented 6 years ago

Sorry about this topic, but I'm not a security expert. I would like to use this as start for project that will stand for years with integration of subscription memberships.

What about login/registration/encryption/xss/csrf/etc... Security at all? Could this give me quiet sleep after release?

Thank you!

MioVisman commented 6 years ago

registration - password_hash() and password_verify() https://github.com/MioVisman/FluxBB_by_Visman/commit/86963ea5856b80e154aab5f617e9694853bc93a9
login - mathematical captcha (anti-bruteforce) https://github.com/MioVisman/FluxBB_by_Visman/blob/master/addons/security_for_login.php
encryption - no encryption of messages and private messages
xss - htmlspecialchars() https://github.com/MioVisman/FluxBB_by_Visman/blob/master/include/functions.php#L1292
csrf - csrf_hash() and confirm_referrer() https://github.com/MioVisman/FluxBB_by_Visman/blob/master/include/functions.php#L1131

You can use https and send cookies only by https: in include/config.php replace `$cookie_secure = 0;` with `$cookie_secure = 1;`

When you restore the password, the password is sent to your email. No two-factor authentication.
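The four mechanisms listed in the reply above (password hashing, the escaping used against XSS, a CSRF token check, and secure cookie flags), shown as a stand-alone PHP sketch. This is an added example, not code from FluxBB_by_Visman; the function names and the in-memory `$users`/`$session` arrays are assumptions for illustration, and the real forum keeps these in its database and session handling.

```php
<?php
// Added example (not FluxBB_by_Visman code). Function names are hypothetical.
declare(strict_types=1);

// 1. Registration/login: password_hash() stores a salted hash,
//    password_verify() checks a submitted password against it.
function register_user(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function login_user(array $users, string $name, string $password): bool
{
    // Verify against a throwaway hash for unknown users so the
    // response time does not reveal whether the account exists.
    $hash = $users[$name] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return isset($users[$name]) && $ok;
}

// 2. XSS: escape untrusted text before it is placed in HTML output.
function esc(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. CSRF: a random per-session token is embedded in every form and
//    compared on submit with a constant-time comparison.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_check(array $session, string $submitted): bool
{
    return isset($session['csrf']) && hash_equals($session['csrf'], $submitted);
}

// 4. Cookies: what $cookie_secure = 1 is for. The secure flag keeps the
//    session cookie off plain HTTP; httponly keeps it away from scripts.
function session_cookie_params(bool $https): array
{
    return [
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Demo with constructed data.
$users = [];
$session = [];
register_user($users, 'alice', 'correct horse battery staple');
var_dump(login_user($users, 'alice', 'correct horse battery staple'));
var_dump(login_user($users, 'alice', 'wrong password'));
echo esc('<b onmouseover="x()">name</b>'), "\n";
$token = csrf_token($session);
var_dump(csrf_check($session, $token));
var_dump(csrf_check($session, 'some other value'));
print_r(session_cookie_params(true));
```

Run with `php example.php`. The point of `hash_equals()` over `==` for the token is that it does not stop at the first mismatching byte, and the point of `ENT_QUOTES` is that the escaping also holds inside single-quoted attribute values.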

Euea commented 6 years ago

First, thank you for the fast reply and this FluxBB fork.

Clear answer; only one point (maybe strictly related to my project) remains for me:

The app I would like to make could give an advantage to bot accounts (using them to do automatic clicks over time). Is the math captcha really the best option both for brute force and bot accounts?

Maybe considering the max login attempts, but what about bot accounts? They will always give the correct password, and an algorithm could almost easily break the math captcha.

Just your opinion: do you think it could be useful for me to use both the math captcha (without removing it) and, for example, Google invisible reCAPTCHA?

MioVisman commented 6 years ago

You can use the reCAPTCHA https://fluxbb.org/resources/mods/new-recaptcha/ But it does not protect the login form from brute force.

You can use both captcha together. They are both implemented as addons, not code modifications.

P.S. reCAPTCHA was not tested on the latest code changes.

Euea commented 6 years ago

The reCAPTCHA plugin is still working.

Thank you!