jordanjay29 that doesn't really apply because discuss wasn't updated for quite a while now.
The Lab now shows whether a forum is vulnerable to the recently disclosed security issue.
Time to update your forum, folks! Hopefully this will help you check that your forum has been properly updated.
Your rating will be capped to D while the vulnerability is present.
A few notes:
I get:
HTTP: Permanent redirect to https://seekadventure.net/
HTTPS: Permanent redirect to http://www.seekadventure.net/
But if you go to my website https://www.seekadventure.net it does not redirect to http.
Am I missing something?
MikeJones here's the redirect flow when you access https://seekadventure.net/:
$ curl -I https://seekadventure.net/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Sat, 05 Jan 2019 13:13:33 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: http://www.seekadventure.net/
Strict-Transport-Security: max-age=2592000; includeSubDomains; preload
$ curl -I http://www.seekadventure.net/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Sat, 05 Jan 2019 13:14:04 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://www.seekadventure.net/
However, your browser will skip http://www.seekadventure.net/ and use https://www.seekadventure.net/ right away after the first redirect, because you're serving an HSTS header telling the browser to always use HTTPS on your website.
If you inspect the "network" tab of your browser you will still see that the http:// URL is returned in the Location header of the first response. It's a bit easier to see with a command line utility like curl, as I did above.
Browsers without HSTS support will go through the 2 redirects, and the connection could get hijacked when hitting http://www.seekadventure.net/.
I see you added the HSTS preload flag, but you can see https://hstspreload.org/ itself refuses to preload it because you're serving that insecure redirect, and your max-age also does not qualify for preload.
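The check described in the reply above (walk the redirect chain hop by hop, spot an https:// response whose Location points at plain http://, and compare the HSTS header with the hstspreload.org requirements) as a small script. This is an added example, not code from the Lab, from the thread, or from nginx; the sample chain is constructed from the two curl responses quoted above, and the final 200 response with its HSTS header is an assumption, as is the one-year minimum max-age used for the preload check.

```python
"""Walk a redirect chain one hop at a time (nothing is followed automatically),
then flag an https:// hop that sends the client to plain http:// and an HSTS
header that does not meet the hstspreload.org requirements."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)
PRELOAD_MIN_MAX_AGE = 31536000  # one year, assumed minimum accepted for preload


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_hop(url):
    """One HEAD request over the live network. Returns (status, {lowercased header: value})."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # unfollowed 3xx and any 4xx/5xx land here
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def walk_chain(start_url, fetch=fetch_hop, max_hops=10):
    """Return [(url, status, headers), ...], one entry per hop, until a non-redirect."""
    hops, url, seen = [], start_url, set()
    while url and len(hops) < max_hops and url not in seen:  # seen-set stops loops
        seen.add(url)
        status, headers = fetch(url)
        hops.append((url, status, headers))
        if status not in REDIRECT_CODES or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return hops


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its three directives."""
    out = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            out["max-age"] = int(val)
        elif name in ("includesubdomains", "preload"):
            out[name] = True
    return out


def audit(hops):
    """Return human-readable findings for the two problems discussed in the thread."""
    findings = []
    for i, (url, status, headers) in enumerate(hops):
        if urlparse(url).scheme != "https":
            continue  # a plain-HTTP hop is expected to do nothing but redirect upward
        target = headers.get("location")
        if status in REDIRECT_CODES and target and urlparse(urljoin(url, target)).scheme == "http":
            findings.append(f"hop {i}: {url} redirects to plain HTTP {target}; "
                            "a client without HSTS can be hijacked there")
        hsts = headers.get("strict-transport-security")
        if hsts is None:
            findings.append(f"hop {i}: {url} sends no Strict-Transport-Security header")
            continue
        p = parse_hsts(hsts)
        if p["max-age"] is None or p["max-age"] < PRELOAD_MIN_MAX_AGE:
            findings.append(f"hop {i}: HSTS max-age={p['max-age']} is below the preload "
                            f"minimum of {PRELOAD_MIN_MAX_AGE}")
        for flag in ("includesubdomains", "preload"):
            if not p[flag]:
                findings.append(f"hop {i}: HSTS header lacks the {flag} directive required for preload")
    return findings


# Constructed sample mirroring the two curl responses quoted in the thread; the
# final 200 hop and its header are assumed, not taken from the thread.
SAMPLE_CHAIN = {
    "https://seekadventure.net/": (301, {
        "location": "http://www.seekadventure.net/",
        "strict-transport-security": "max-age=2592000; includeSubDomains; preload"}),
    "http://www.seekadventure.net/": (301, {"location": "https://www.seekadventure.net/"}),
    "https://www.seekadventure.net/": (200, {
        "strict-transport-security": "max-age=2592000; includeSubDomains; preload"}),
}


def audit_sample():
    """Run the audit over the constructed chain, entirely offline."""
    return audit(walk_chain("https://seekadventure.net/", fetch=lambda u: SAMPLE_CHAIN[u]))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit(walk_chain(target)) if target else audit_sample()
    print("\n".join(result) or "no findings")
```

Run it with no argument to see the three findings from the constructed chain (the https-to-http downgrade on the first hop and the 30-day max-age on both https hops); pass a URL to HEAD a live site instead. The redirect handler deliberately returns None so every 3xx is inspected rather than followed, which is the same view curl -I gives and the one hstspreload.org evaluates.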
clarkwinkelmann Thanks for the tip! I am almost there, but still running into an issue on my NGINX server.
So I navigated to /etc/nginx/sites-available and I edited my seekadventure.net file there.
I edited my HSTS line to say this:
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
But when I put it into https://hstspreload.org/ I still get "max-age too low"... it's not reading my new number.
MikeJones I do get the current max-age when accessing your website and the preload website also doesn't complain anymore when I try.
Maybe you had not restarted/reloaded nginx (or the server)?
There's still the redirect issue preventing preload, though.
clarkwinkelmann forgot to update: I found where I needed to double-tap my max-age. I am still looking into the redirect issue though.
Thought everything with our forum was perfect, until we got a D and the following report:
Your vendor folder is currently being served by your webserver. This could expose untrusted scripts to the world and compromise your security. Use a rewrite rule to prevent your webserver from serving this folder.
Any idea how to fix that on a shared hosting?
user1993 In your forum's .htaccess, find lines 9-14 and uncomment those. That should fix the error.
clarkwinkelmann Looking at my nginx configs, it looks like I have two listens on port 80:
If I get rid of one of those, could that be it?
OrdinaryJellyfish Thank you.
MikeJones yes, there's one listen for www. and one for the bare domain; they could be merged, but it should work fine the way it is.
The redirect "issue" is on line 5. Replace return 301 http://www.seekadventure.net$request_uri;
with return 301 https://www.seekadventure.net$request_uri;
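The layout the two replies above describe, written out as a complete nginx server configuration: one port-80 block for both hostnames, a bare-domain https block that stays on https while moving to www (the block where the `return 301 http://...` line caused the downgrade), and the canonical www host with the one-year HSTS header. This is an added example, not MikeJones's actual config or anything shipped by Flarum; the certificate paths, the document root and the PHP-FPM socket are assumptions.

```nginx
# Port 80, both hostnames: never hand out plain-HTTP content, go straight to
# the canonical https host in one hop.
server {
    listen 80;
    listen [::]:80;
    server_name seekadventure.net www.seekadventure.net;
    return 301 https://www.seekadventure.net$request_uri;
}

# Port 443, bare domain: move to www but STAY on https. A "return 301 http://"
# here is the insecure redirect hstspreload.org rejects.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name seekadventure.net;
    ssl_certificate     /etc/letsencrypt/live/seekadventure.net/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/seekadventure.net/privkey.pem;    # assumed path

    # "always" makes nginx attach the header to the 301 as well, so the bare
    # domain itself gets pinned to HTTPS on the first visit.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    return 301 https://www.seekadventure.net$request_uri;
}

# Port 443, canonical host: serves the forum.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.seekadventure.net;
    ssl_certificate     /etc/letsencrypt/live/seekadventure.net/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/seekadventure.net/privkey.pem;    # assumed path

    root /var/www/seekadventure/public;   # assumed document root
    index index.php;

    # Security headers. Note that an add_header inside a location block replaces
    # ALL server-level add_header directives, so repeat this one there if you
    # add headers in a location.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;   # assumed socket
    }
}
```

After editing, `nginx -t` validates the file and `systemctl reload nginx` applies it; an edited max-age that hstspreload.org still reports as too low is the classic sign that the reload step was skipped. Verify the chain with `curl -I https://seekadventure.net/` and confirm the Location header now starts with https://.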
user1993 great if it's fixed
clarkwinkelmann perfect will try that when I get to some wifi.
Hi guys, following a suggestion from @luceos I implemented a simple first version of a forum showcase feature at https://lab.migratetoflarum.com/showcase
The idea is as follows: any forum that has been scanned publicly (without checking "hide from homepage") will be added to the showcase tab. A ping is made every few weeks to check if the forum still exists and to update the metadata.
Anybody can scan your forum and therefore get it on the showcase (which is kind of the point here actually), but I know not everybody will want to end up in the showcase. So I also took the opportunity to implement a proper opt out feature at https://lab.migratetoflarum.com/opt-out
To opt out, you will have to add a meta tag to your forum, and it will instruct the lab to never show your forum in public results, including both the showcase and public scans. Users of the lab will still be able to scan the forum, but no link will appear on the homepage of the lab.
I will probably retroactively add some previously scanned forums to the showcase once I'm sure everything is working correctly. Right now I've only pinged some well known forums to get started.
Let me know if you notice any issue, it's an early version of the feature. Consider contacting me privately via the email in the footer if you have issues or concerns with the opt out feature.
If you see a particular issue with your website, consider opening a GitHub issue so we can better track the resolution.
Planned features (coming soon):
What do you think of the feature? Any suggestions for future updates?
What you forgot to mention is that this alleviates the issue with the Showcase tag and the discussions related to showcasing existing Flarum forums. The ping mentioned checks whether the site is still serving an active Flarum installation, and as such the Lab is able to provide an index/list of Flarum installations still used in production.
I think there's huge potential in such an index, thank you for jumping onto the idea
clarkwinkelmann love it!!
Maybe extend search in the future to sort by HTML metadata? (more specifically by keywords if anything)
I gave detailed information here
https://lab.migratetoflarum.com/scans/1b7e58f3-dbea-44f5-8786-7f9941aa6c60
YusufYldrm anything you want me to comment on, or are you just sharing the results for us to enjoy?
clarkwinkelmann very nice!
An idea would be to have a way to filter forums by language. I think the HTML "lang" attribute could be useful for this, but it seems it's not always populated.