MigrateToFlarum Lab, the health scanner for Flarum

clarkwinkelmann · Jul 23, 2018

Lab update !

There is now a hall of fame on the homepage, showing the 5 most recent "A" ratings. I wasn't sure if it made sense, but as a few "bad" reviews are staying in the "recent" tab for weeks this will lighten the homepage a bit

Also I fixed the annoying fact that the lab didn't correctly handle a discussion/tag/profile url and was complaining about a wrong Flarum base url. Now if you paste an url that looks like a Flarum sub-page, the lab will do an extra check to see if you really installed Flarum in a subfolder named like that or if it is a Flarum sub-page, in which case the sub-path will be removed to scan the actual Flarum home page.

I'm totally doing this just to have a valid reason to bump the thread ?

jordanjay29 · Jul 23, 2018

clarkwinkelmann Is there a way to keep a scan out of the public stats?

clarkwinkelmann · Jul 23, 2018

jordanjay29 absolutely. You can check "Do not show the results on the homepage" before starting the scan. Only people knowing the scan ID (in the url) will be able to see the results.

There's currently no way to make a forum "unplottable". If somebody else scans your forum and don't check the box it will be listed. But of course you may contact me directly if you'd like something removed.

Normally failed scans (public not not) also don't show up but I think there's an issue with that right now.

clarkwinkelmann · Aug 29, 2018

Lab update !

I just added basic support for beta8 forums, so that the list of enabled extensions continues to work.

I still need to implement the extension version detection for beta8, but the good news is that after the refactoring and migration to webpack this will be a lot easier and I will be able to deprecate my horrible module-import-based detector ? Not that it concerns any of you, it's hidden deep in the codebase ?

Also the lab homepage now shows the Flarum version (of new scans, beta8 is shown as dev-master for now) and the number of enabled extensions (including core extensions)

Discuss still shows up as beta7 as it's running an older dev-master that doesn't include the changes to the extension API and webpack ?

jordanjay29 · Aug 29, 2018

clarkwinkelmann Discuss should probably be hard-coded to permanently show up as "bleeding edge" or some other humorous descriptor. ?

luceos · Aug 29, 2018

jordanjay29 that doesn't really apply because discuss wasn't updated for quite a while now. ?

clarkwinkelmann · Nov 10, 2018

The Lab now shows whether a forum is vulnerable to the recently disclosed security issue.

Time to update your forum folks ! Hopefully this will help you check your forum has been properly updated.

Your rating will be capped to D while the vulnerability is present.

A few notes:

Unlike the beta 7.1 vulnerability and because this one is a read-only vulnerability, I'm actually able to exploit the vulnerability without any impact on the forum. I'm not storing any private information that could get downloaded as a result of the test.
I don't think adding this feature to the lab increases any risk for unpatched forums. The vulnerability is so easy to exploit that any attacker can easily build a way faster tool than the Lab to check for vulnerable hosts anyway.
If you have deleted the original administrator user, the Lab will not tell if you're vulnerable or not (because I only check for that user in my test)

MikeJones · Jan 4, 2019

I get:

HTTP
Permanent redirect to https://seekadventure.net/

HTTPS
Permanent redirect to http://www.seekadventure.net/

But if you go to my website https://www.seekadventure.net it does not re-direct to http

Am I missing something?

clarkwinkelmann · Jan 5, 2019

MikeJones here's the redirect flow when you access https://seekadventure.net/:

$ curl -I https://seekadventure.net/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Sat, 05 Jan 2019 13:13:33 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: http://www.seekadventure.net/
Strict-Transport-Security: max-age=2592000; includeSubDomains; preload

$ curl -I http://www.seekadventure.net/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Sat, 05 Jan 2019 13:14:04 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://www.seekadventure.net/

However your browser will skip http://www.seekadventure.net/ and use https://www.seekadventure.net/ right away after the first redirect because you're serving an HSTS header telling the browser to always use HTTPS on your website.

If you inspect the "network" tab of your browser you will still see that the http:// url is returned in the Location header of the first response. It's a bit easier to see with a command line utility like curl as I did above.

Browsers without HSTS support will go through the 2 redirects and the connection could get hijacked when hitting http://www.seekadventure.net/.

I see you added the HSTS preload flag but you can see https://hstspreload.org/ itself refuses to preload it because you're serving that insecure redirect, and your max-age also does not qualify for preload

MikeJones · Jan 8, 2019

clarkwinkelmann Thanks for the tip! I am almost there, but still running into an issue on my NGINX server.

So I navigated to /etc/nginx/sites-available and I edited my seekadventure.net file there.

I edited my HST line to say this:

 # Security headers
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

But when I put it into the https://hstspreload.org/ I still get the max age to low... it's not reading my new number.

clarkwinkelmann · Jan 8, 2019

MikeJones I do get the current max-age when accessing your website and the preload website also doesn't complain anymore when I try.

Maybe you had not restarted/reloaded nginx (or the server) ?

There's still the redirect issue preventing preload through.

MikeJones · Jan 8, 2019

clarkwinkelmann forgot to update I found where I needed to double tap my max-age. I am still looking into the redirect issue though.

Uuser1993 · Jan 9, 2019

Thought everything with our forum was perfect, until we got a D and the following report:

Your vendor folder is currently being served by your webserver. This could expose untrusted scripts to the world and compromise your security. Use a rewrite rule to prevent your webserver from serving this folder.

Any idea how to fix that on a shared hosting?

OrdinaryJellyfish · Jan 9, 2019

user1993 In your forum's .htaccess, find lines 9-14 and uncomment those. That should fix the error.

MikeJones · Jan 9, 2019

clarkwinkelmann Looking at my nginx configs It looks like I have two listens on port 80:

If I get rid of one of those, could that be it?

Uuser1993 · Jan 9, 2019

OrdinaryJellyfish Thank you.

clarkwinkelmann · Jan 9, 2019

MikeJones yes there's one listen for www. and one for bare domain, they could be merged but it should work fine the way it is.

The redirect "issue" is on line 5. Replace return 301 http://www.seekadventure.net$request_uri; with return 301 https://www.seekadventure.net$request_uri;

user1993 great if it's fixed

MikeJones · Jan 9, 2019

clarkwinkelmann perfect will try that when I get to some wifi.

clarkwinkelmann · Mar 4, 2019

Hi guys, following a suggestion from @luceos I implemented a simple first version of a forum showcase feature at https://lab.migratetoflarum.com/showcase

The idea is as follow: any forum that has been scanned publicly (without checking "hide from homepage") will be added to the showcase tab. A ping is made every few weeks to check if the forum still exists and to update the metadata.

Anybody can scan your forum and therefore get it on the showcase (which is kind of the point here actually), but I know not everybody will want to end up in the showcase. So I also took the opportunity to implement a proper opt out feature at https://lab.migratetoflarum.com/opt-out

To opt out, you will have to add a meta tag to your forum, and it will instruct the lab to never show your forum in public results, including both the showcase and public scans. Users of the lab will still be able to scan the forum, but no link will appear on the homepage of the lab.

I will probably retroactively add some previously scanned forums to the showcase once I'm sure everything is working correctly. Right now I've only pinged some well known forums to get started.

Let me know if you notice any issue, it's an early version of the feature. Consider contacting me privately via the email in the footer if you have issues or concerns with the opt out feature.

If you see a particular issue with your website, consider opening a GitHub issue so we can better track the resolution.

Planned features (coming soon ) :

forum screenshot
ability to order by number of discussions/users

What do you think of the feature ? Any suggestion for future updates ?

luceos · Mar 4, 2019

What you forgot to mention is that this alleviates the issue with the Showcase tag and the discussions related to showcasing existing Flarum forums. The ping mentioned, checks whether the site is still serving an active Flarum installation and as such the Lab is able to provide an index/list of Flarum installations still used in production.

I think there's huge potential in such an index, thank you for jumping onto the idea