clarkwinkelmann such as mercury.

I used the composer update -w command to update extensions, but it does not always work. For example, the fof/sitemap extension is not updated by this command. Then I found the new version (2.x) and I tried to update it by changing the composer.json file. I learned about the new version by chance. composer outdated -D shows other packages like illuminate etc.

Mercury shows a list of current versions and latest versions. This is a nice view to examine. But currently I can't use it, I get an error 🙁

https://discuss.flarum.org/d/27620-mercury-the-extiverse-extension-to-understand-extension-updates

command: php flarum mercury:update-check

2 months later

I have marked all Flarum versions that the lab can recognize (beta 7 to stable 1.6.1) as vulnerable.

The Lab cannot tell Flarum version 1.6.3 apart from 1.6.2 since all changes are server-side and you need an account to probe for the vulnerability, so 1.6.2 will not show a vulnerable rating. You should still update as soon as possible if you are still running Flarum 1.6.2.

If you are wondering why the list of recent scans disappeared (already a few weeks ago), the SQL query that fetched that information was poorly written and there are now so many entries in the database that the whole website would time out because of it. I still haven't had time to rewrite it properly, so for the time being the list is hidden.

a month later

Sorry to bother you Clark.
I've previously gotten A+ score in your tool. 😃

Now I get this

I am 100% sure that it's my fault, but do you know which parameters control this?
I've messed around with permissions, reinstalling composer and other stuff.
The forum still works, but for example your anonymous extension doesn't.

I'm grasping for clues for what to troubleshoot

    FullThrottle83 what's your Flarum version in admin dashboard? All versions below 1.6.2 will receive rate D. If you really are on Flarum beta 8 or 9 you need to update ASAP as there have been numerous security fixes since then. If you were up to date but no longer are, maybe you ran a composer update that accidentally forced Flarum to downgrade?

    I'll need to know your forum URL to investigate further. You can send it to me privately via Discord or email if you prefer.


    It is up to date 🙂

    My problem started when I updated composer from 2.4.2 to 2.5.2
    Don't remember exactly, but at some stage I ran it as root.
    That must've messed up permissions somehow. I think that is the cause of this.

    You are most kind, I'll reach out to you on discord. To seek your knowledge, not to demand anything!

    FullThrottle83 as confirmed on Discord, the odd "beta"/vulnerable results were because Cloudflare Rocket Loader interfered with my version detection code.

    I have published an update to the lab that fixes the version detection and shows a message at the top of the scan if Cloudflare Rocket Loader was detected. Most of the features work but the list of extensions on the Lab will be incomplete when Rocket Loader is active, because my code only looks for specific patterns in the assets and those are different when Rocket Loader is active.

    While Rocket Loader causes issues with my Lab scanner, I am not aware of it causing any issue when it comes to using Flarum. I am curious whether it brings any benefits though, because according to the Cloudflare documentation this feature accelerates the website rendering by prioritizing text and images and delaying javascript. But since Flarum is a single page app, nothing will be visible until javascript is loaded anyway. So it could maybe even be worse? I'd be curious to know if anyone made tests to compare the performance with and without Rocket Loader.

    Thank you for your fast fix, and for identifying and explaining the cause!

    You are correct, it makes hardly any difference with Rocket Loader enabled.

    Without

    With

    Cloudflare's own speed test - Upper value is with Rocket Loader

    I come from mainly handling WordPress, where Rocket Loader can have a bigger impact (depending on the site).
    I'll be trying out other settings in Cloudflare.

    3 months later

    The Lab can now scan Flarum 1.8 forums.

    I also fixed an issue that caused forums using the FontAwesome6 extension to be impossible to scan.

    3 months later

    I discovered it completely breaks with the extension Private Forum Facade, due to the redirect it does to the /login page, therefore it will always cap you to a C. Even when the extension is removed, MTF Labs still thinks the homepage is https://example.com/login, despite the canonical domain being https://example.com, and no matter how it is typed in the scan bar, it will revert to https://example.com/login 😐


      Hello Clark,

      I built a new project, and I get a D in your scan tool. When I try to visit www.example.com/forum/vendor I get access denied in my browser, and when I use your tool I get a missing vendor X: your vendor folder is publicly reachable.

        Xkyer at the bottom of the report, you can see the list of requests that were performed to make the report. The lab tries to access several known files inside those folders.

        Flarum comes with the necessary protections for these folders; make sure to follow the installation instructions carefully https://docs.flarum.org/install

        If the config file you shared in Xkyer is the one used on this forum, the Require all denied block might not be written correctly, I believe they might only block the directory index, but not any file underneath. You already have the AllowOverride All block that should enable Flarum's htaccess file. Make sure that .htaccess file still exists, that you un-commented the rewrite rules https://docs.flarum.org/install#customizing-paths and that the Apache Rewrite module is enabled on your server.

        If you need more help, it would be best to open a dedicated support discussion. Share your php flarum info output and details about your hosting company and the webserver software in use.

          clarkwinkelmann

          I did everything that was in the docs install file, Require all denied is well written, htaccess exists, rewrite rules are un-commented, rewrite module is on.

          Requests made for the scan from migratetoflarum are all green, no error or anything, I just got an X on "your vendor folder is publicly reachable", but when I jump to the URL domain.com/forum/vendor it's locked.

          Flarum info:

          Flarum core: 1.8.5
          PHP version: 8.2.24
          MySQL version: 10.11.9-MariaDB-ubu2204
          Loaded extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, pcntl, random, Reflection, SPL, session, standard, sodium, mysqlnd, PDO, xml, apcu, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, iconv, imagick, imap, intl, ldap, exif, mysqli, pdo_mysql, Phar, posix, pspell, readline, shmop, SimpleXML, soap, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache
          +---------------------------+---------+--------+
          | Flarum Extensions         |         |        |
          +---------------------------+---------+--------+
          | ID                        | Version | Commit |
          +---------------------------+---------+--------+
          | flarum-flags              | v1.8.0  |        |
          | flarum-approval           | v1.8.1  |        |
          | flarum-tags               | v1.8.1  |        |
          | migratetoflarum-canonical | 1.0.0   |        |
          | flarum-suspend            | v1.8.1  |        |
          | flarum-subscriptions      | v1.8.0  |        |
          | flarum-sticky             | v1.8.0  |        |
          | flarum-statistics         | v1.8.0  |        |
          | flarum-mentions           | v1.8.3  |        |
          | flarum-markdown           | v1.8.0  |        |
          | flarum-lock               | v1.8.0  |        |
          | flarum-likes              | v1.8.0  |        |
          | flarum-lang-english       | v1.8.0  |        |
          | flarum-emoji              | v1.8.0  |        |
          | flarum-bbcode             | v1.8.0  |        |
          +---------------------------+---------+--------+
          Base URL: https://www.domain.com/forum
          Installation path: /home/xkyer/web/domain.com/public_html/forum
          Queue driver: sync
          Session driver: file
          Mail driver: mail
          Debug mode: off

          Also, why should we be the same user as the guy in the other thread? I try to help there because I have the same problem, I guess.

          Thanks, and if I need to open a separate discussion let me know.

            Xkyer unfortunately I don't have any other suggestion. If the htaccess file is correctly loaded and the required Apache modules are enabled, then the file access should be blocked. Double-check everything.

            My personal method of testing is to write random text inside the ifmodule block of the htaccess. If the site crashes with a 500 error, the file is indeed loaded. If the website still loads fine, the htaccess is not being read.

            The lab tries to access the following files, which you can also try in your browser:

            • vendor/composer/installed.json
            • storage/cache/77/e1/77e1ba46ee3a2b2d1558d7c5d07c4c0caa46c7bf

            (warning: both files might be quite large, but the browser should handle it)

            If you are not able to access those files and you think there's a problem with the lab results, you can share your forum URL with me (privately using the email at the bottom of the lab if needed). I see there are 3 different misconfigured forums scanned within the last 24h.
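            A defender-side version of the check described in this post, written as an added example (not the Lab's or Flarum's own code): it requests the two paths named above against a forum base URL and classifies each response; the injectable fetch parameter and the _NoRedirect handler are assumptions of this example, and the redirect case covers the /login redirect mentioned earlier in the thread.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# The two paths the post says the Lab probes (the storage/cache name is the
# one quoted in the thread; a real install will have different hashes).
PROBE_PATHS = (
    "vendor/composer/installed.json",
    "storage/cache/77/e1/77e1ba46ee3a2b2d1558d7c5d07c4c0caa46c7bf",
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a forced /login
    redirect is reported as such rather than read as a served file."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=10):
    """GET url and return its HTTP status code, or None on a network error."""
    req = urllib.request.Request(url, headers={"User-Agent": "vendor-probe"})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 403/404 (blocked) or a 3xx (redirected)
    except urllib.error.URLError:
        return None


def classify(status):
    """Map a status code to what it means for this check."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"         # the file was served: the folder is public
    if 300 <= status < 400:
        return "redirected"      # result unreliable, e.g. a /login redirect
    return "blocked"             # 403, 404 or any other error status is fine


def probe_forum(base_url, fetch=http_status):
    """Return {path: verdict} for each probe path under base_url. `fetch` is
    injectable (assumed helper) so the logic runs offline in tests."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return {path: classify(fetch(urljoin(base, path))) for path in PROBE_PATHS}


if __name__ == "__main__":
    import sys
    for path, verdict in probe_forum(sys.argv[1]).items():
        print(f"{verdict:11} {path}")
```

Run it as python probe.py https://www.domain.com/forum; anything reported as exposed means the web server is serving that file and the htaccess or vhost rules are not taking effect.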

              clarkwinkelmann

              Hello Clark, you are right, everything is fine with migrateforumlab, the problem is my htaccess file, I am missing some RewriteRule for composer/installed.json

              The storage/cache file is access denied

              Can you provide me a RewriteRule for that file?

                clarkwinkelmann I replaced the original htaccess and uncommented the following lines because I am not using the public folder ... in my htaccess, but composer/installed.json is still not Access Denied.

                edit:
                https://www.domain.com/forum/vendor/composer/installed.json NOT access denied
                https://www.domain.com/forum/vendor/composer/ Access denied
                https://www.domain.com/forum/vendor/ Access denied
                https://www.domain.com/forum/composer.json Access denied