
Forum version + Web server consideration

Posted: Fri Jan 04, 2019 6:49 pm
by Berbe
It seems the phpBB forum is currently at version v3.2.1.
v3.2.2 was flagged as an important security release, delivered on January 27th, 2018, while the up-to-date version is v3.2.5.

I know it's a pain, but staying on the most recent release helps reduce the chance of an even more painful full recovery sooner or later...

More information available:
https://www.phpbb.com/support/documents ... &version=3
https://www.phpbb.com/community/viewforum.php?f=14

Re: Forum version + Web server considerations

Posted: Mon Jan 07, 2019 5:56 pm
by Berbe
By the way, I see the website & forum are serving pages with the 2 following domains: with the following protocols:
  • HTTP
  • HTTPS
What I noticed is it seems the website redirects HTTP -> HTTPS while keeping the requested domain.
The forum does not do such a redirection.

It is especially worrying that the forum does not perform an immediate HTTP -> HTTPS redirection, as credentials can then be transmitted over a cleartext (i.e. unencrypted) channel.

I would suggest the following:
  1. Make HTTP -> HTTPS redirection mandatory
  2. Restrict the served domain to enlight.com and perform www.enlight.com -> enlight.com redirections (the phpBB board would need to have its configuration changed to generate emails containing enlight.com links instead of www.enlight.com ones)
I also noted you are using nginx v1.14.1 as a load-balancer. It would be best to:
  1. Automatically update nginx to latest stable (currently v1.14.2)
  2. Hide nginx version (server_tokens configuration directive)
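
The nginx layout below is an added example, not the site's actual configuration and not something posted in this thread: it implements the four suggestions above (forced HTTP -> HTTPS redirect, www -> apex redirect, a single served domain, hidden version) in one place. Everything site-specific is assumed for illustration: the certificate paths under /etc/ssl/enlight.com/, an upstream named phpbb, and the forum living under /forum/.

```nginx
# Added example, not the site's real config. Assumed: cert paths, the "phpbb"
# upstream and the /forum/ path.

# Drop the version number from the Server header and from nginx error pages.
# The header still reads "nginx"; only "nginx/1.14.1" style disclosure goes away.
server_tokens off;

# Port 80 for both hostnames: never serve content, never proxy to the forum,
# always send the client to the canonical HTTPS origin. A login form that is
# only ever reachable over HTTPS cannot post credentials in cleartext.
# 301 is cached by browsers; use 302 while testing, then switch.
server {
    listen 80;
    listen [::]:80;
    server_name enlight.com www.enlight.com;
    return 301 https://enlight.com$request_uri;
}

# Port 443, www host: present a certificate valid for www.enlight.com, then
# redirect to the apex so only one origin ever serves pages (and cookies).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.enlight.com;
    ssl_certificate     /etc/ssl/enlight.com/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/enlight.com/privkey.pem;     # assumed path
    return 301 https://enlight.com$request_uri;
}

# Port 443, apex host: the only server block that serves content.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name enlight.com;
    ssl_certificate     /etc/ssl/enlight.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/enlight.com/privkey.pem;

    # Once the redirects are confirmed working, tell browsers to stay on
    # HTTPS for a year so even a typed http:// URL never leaves the browser
    # in cleartext.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /forum/ {                       # assumed forum path
        proxy_pass http://phpbb;             # assumed upstream name
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Catch-all for any other Host header (IP address, stale DNS name, none at all):
# close the connection instead of serving the forum under an unexpected name.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/enlight.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/enlight.com/privkey.pem;
    return 444;
}
```

Two caveats for whoever applies something like this. The redirect on port 80 only helps if nothing else answers on port 80 for these names, which is why the catch-all block exists. And the board side of suggestion 2 is a phpBB setting, not an nginx one: the domain and protocol the board writes into its emails and absolute links come from its Administration Control Panel server settings, so those need to be changed to enlight.com and https at the same time the redirect goes live, otherwise every email link bounces through an extra redirect.
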

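As an added, offline check (my own example code, not posted in the thread and not part of phpBB or nginx), the function below classifies a raw HTTP response the way the poster did by hand: does a cleartext request get redirected to HTTPS, does the redirect keep the requested host, does the server serve content over HTTP at all, and does the Server header leak a version. The three sample responses are constructed for illustration only; they are not captures from the real site.

```python
"""Added example: classify cleartext HTTP responses for redirect and
version-disclosure behaviour. Sample responses below are constructed."""
import re
from urllib.parse import urlsplit

# Constructed samples (not real captures). Hostnames follow the thread.
WEBSITE_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
                b"Server: nginx/1.14.1\r\n"
                b"Location: https://www.enlight.com/\r\n"
                b"Content-Length: 0\r\n\r\n")
FORUM_HTTP = (b"HTTP/1.1 200 OK\r\n"
              b"Server: nginx/1.14.1\r\n"
              b"Content-Type: text/html; charset=UTF-8\r\n"
              b"Set-Cookie: phpbb3_sid=abc123; path=/\r\n\r\n"
              b"<html>login form here</html>")
HARDENED_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Server: nginx\r\n"
                 b"Location: https://enlight.com/forum/\r\n\r\n")

REDIRECT_CODES = {301, 302, 307, 308}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lowercase header dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def server_version(server_header: str):
    """Return the version string disclosed in a Server header, or None.
    'nginx/1.14.1' -> '1.14.1'; 'nginx' (server_tokens off) -> None."""
    match = re.search(r"/(\d+(?:\.\d+)+)", server_header)
    return match.group(1) if match else None


def check_cleartext_response(raw: bytes, requested_host: str) -> dict:
    """Evaluate the response to an http:// request for the given Host."""
    status, headers = parse_response(raw)
    location = headers.get("location", "")
    target = urlsplit(location) if location else None
    redirects = status in REDIRECT_CODES and target is not None
    return {
        # The property the poster is worried about: cleartext never serves pages.
        "serves_content_over_http": status == 200,
        "redirects_to_https": bool(redirects and target.scheme == "https"),
        # True when the redirect keeps www./apex as requested (website behaviour);
        # False when it also canonicalises the host (suggestion 2).
        "keeps_host": bool(redirects and target.hostname == requested_host),
        "server_version": server_version(headers.get("server", "")),
    }


def summarise(raw: bytes, requested_host: str) -> str:
    """One-line verdict suitable for a quick audit note."""
    r = check_cleartext_response(raw, requested_host)
    if r["serves_content_over_http"]:
        verdict = "serves content over cleartext HTTP"
    elif r["redirects_to_https"]:
        verdict = "redirects to HTTPS " + ("(host kept)" if r["keeps_host"]
                                            else "(host canonicalised)")
    else:
        verdict = "no HTTPS redirect"
    leak = r["server_version"]
    return f"{requested_host}: {verdict}; Server version {leak or 'hidden'}"


if __name__ == "__main__":
    for name, raw in [("www.enlight.com", WEBSITE_HTTP),
                      ("www.enlight.com", FORUM_HTTP),
                      ("www.enlight.com", HARDENED_HTTP)]:
        print(summarise(raw, name))
```

To use it against a live host, feed it the bytes returned by a plain socket or http.client request to port 80; the classification is deliberately kept separate from the fetch so the same logic runs in a test with constructed input.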
Re: Forum version + Web server consideration

Posted: Tue Jan 08, 2019 3:27 pm
by David
Thanks for the info and suggestions. We will look into it.

Re: Forum version + Web server considerations

Posted: Wed Jan 09, 2019 9:29 am
by williammgary1
Berbe wrote: Mon Jan 07, 2019 5:56 pm
By the way, I see the website & forum are serving pages with the 2 following domains: with the following protocols:
  • HTTP
  • HTTPS
What I noticed is it seems the website redirects HTTP -> HTTPS while keeping the requested domain.
The forum does not do such a redirection.

It is especially worrying that the forum does not perform an immediate HTTP -> HTTPS redirection, as credentials can then be transmitted over a cleartext (i.e. unencrypted) channel.

I would suggest the following:
  1. Make HTTP -> HTTPS redirection mandatory
  2. Restrict the served domain to enlight.com and perform www.enlight.com -> enlight.com redirections (the phpBB board would need to have its configuration changed to generate emails containing enlight.com links instead of www.enlight.com ones)
I also noted you are using nginx v1.14.1 as a load-balancer. It would be best to:
  1. Automatically update nginx to latest stable (currently v1.14.2)
  2. Hide nginx version (server_tokens configuration directive)
Might actually explain how my Disqus account got used even though I use Steam to log in.