Working on Security

luceos

Flarum is a beautiful piece of software; we're here for that reason, you are here because you appreciate it. But beauty has many forms.

The beauty of extensibility, no bloated content management system.
The beauty of its mobile-first approach, user interaction on mobile or handheld devices is excellent.

Yet beauty also exists in a technical sense when you look at the underlying quality of the code, and especially when we talk about security. Using well tested components like those from Symfony and Laravel, reduces the risk of security vulnerabilities in Flarum, yet we can always do better.

Security is at the heart of any widely-used project, and that includes Flarum. The core team only has limited ability to research, identify, and fix possible vulnerabilities within our code, and our familiarity with the project means we may make assumptions about areas of code without second thought to possible exploits which may be present. Auditing allows us to more confidently deliver Flarum to everyone -- from businesses, individual forum administrators, and end-users -- and lets you have more faith in the safety and security of the project.

For this reason we have opened a new fund, to give special attention to security in Flarum. Our goal is to invest heavily in recurring audits and commissioned security fixes. To get this arranged we need hard cash. Auditors do consider discounts for open source, but still don't work for free.

Find the fund on our Open Collective: https://opencollective.com/flarum/projects/security-audits

As a result from this security focused fund:

we will be able to identify security issues ahead of them becoming a problem
we can solve vulnerabilities in a targeted way using clear auditing reports
our team will be able to build better software, less prone to security vulnerabilities
we can label our software as audited by professional security researchers

Depending on the budget, we will request a security audit immediately after each minor (1.3, 1.4) and major (2.0, 3.0) release so that we are on top of any vulnerabilities at the soonest opportunity. The resulting audit report and discovered vulnerabilities will be kept private for as long as we work on their respective patches. Such patches will be prioritized above other work and released as soon as possible. Once these vulnerabilities are resolved, we will share the reports with the community. Later this year we will open up a partner program for parties relying heavily on Flarum, these partners will get a copy of these reports immediately when available.

Valeyard

This is a great step forward, if anyone wants to contribute to Flarum development but isn't able to program or write extensions/themes etc then then this would be a GREAT way to support the development. Just one security audit will be of massive benefit - as the old saying goes "you can't find errors in your own code".

luceos Once these vulnerabilities are resolved, we will share the reports with the community.

Excellent, that's a great policy. You'll get more value out of it that way, and improve trust and reputation. I'd recommend making a dedicated page on the Docs for security/audits.

clarkwinkelmann

Valeyard I'd recommend making a dedicated page on the Docs for security/audits

What do you suggest we list there? Until we have done an audit I'm not sure we have much to list? Afterwards yes we'll need a place to list the date, summary and links. We'll probably include that in the Flarum release notes as well, it will be even more visible and relevant there.

Existing security issues are currently logged to GitHub advisories https://github.com/flarum/framework/security/advisories

BurnNoticeSpy

We need a double-blind placebo controlled security audit asap!

Full support behind this. It can only be a good thing for Flarum 🙂

Valeyard

clarkwinkelmann Well if you make a general security page with links where to report issues and mention bug bounty through huntr.dev etc. Then later on when you get an audit you can add it - but there should be no hurry there. Just start with what you have and where you are.

Passwords

I'm concerned with getting the password security right as well, so I'll have to see if I can extend Flarum to make it do what I want in accordance with NIST's guidelines (that's just a simple 3rd-party summary the real guidelines are here) and general best practise. A quick summary of the guidelines and status:

1. Set minimum length.
status: X ' This should be enabled in core.
2. Do not enforce complexity.
status: ☑
3. Allow password paste-in.
status: ☑
4. Do not enforce periodic password changes.
status: ☑
5. Salt and hash passwords.
status: ☑ Bcrypt
6. Allow to display password.
status: X ' This should be enabled in core.
7. Scrutinise passwords against a breached password database.
status: ☑ Pwned Passwords extension.
' This belongs in an extension as some people may wish to use
' a different breached password database
8. Do not use password hints.
status: ☑
9. Limit login attempts.
status: X ' This should be enabled in core.
10. Use Multi-Factor Authentication.
status: X
11. Encourage the use of a password manager.
status: X
12. Secure the database.
status: ☑

Flarum implementation

I think we're not far off from having great password security in core. Obviously you can't just slavishly follow NIST's guidelines, you have to strike a balance. Encouraging the use of password managers for example isn't the job of the forum software.

The problem with password security, or for that matter security of any kind, is that it isn't very intuitive to the average user (including the average forum administrator). This is why I feel it's import to get as may of the points above right as is reasonably possible in core so that on the default settings you're starting with very good password security and you make it easy for a forum admin to have great security following most of the best practise guidelines.

Points 1, 6, and 9 are the only ones I feel are missing in core. On point 1 you would set the absolute minimum length to 8 and then probably set the default setting to 12 characters. Why 12? Well most people are not going to implement breached password protection because as mentioned the benefit is not intuitive to them, and they probably think that the passwords are being shared with a 3rd-party with a risk to privacy (which is not the case). Point 6 merely requires a toggle button be added to password fields - it's not difficult and even Discourse has this in theirs. Point 9 - similar to point 1 a good default setting will assist the admins. If you make it too restrictive then people will get locked out after 5 attempts or something (I've experienced this many times when trying to cycle through different variations of what I think my password is for a particular site), so a good setting might be something like 20 failed attempts per hour per IP address. After the first 5 or so failed log-in attempts you should display the number of remaining attempts.

An even better way to implement point 9 in my opinion is rather than locking the IP address out, just enable the use of hCapture after 10 failed login attempts. But admittedly that would extension territory.

Email by login link is also a good idea, and customising the Passwordless extension enables this perfectly fine (though I don't like the default wording I prefer to use my own). In may not be in accordance with NIST's guidelines, but at the end of the day the security of a user's account lies with their email account - if someone hacks their email then they can potentially then hack any of their online accounts that are registered with that email address.

clarkwinkelmann

Valeyard thanks for the suggestions!

Are you sure about the minimum password length issue?

I double-checked the code again right now and we do have a minimum length of 8 in UserValidator, which is used for registration and "forgot" password endpoints.

I think we used to have a discrepancy with the password validation logic being duplicated and not exactly the same in registration+forgot, but this has been solved since a few version.

Only the admin password during original Flarum setup seems to not have any length check applied.

Is there another place where the minimum length is not enforced?

linc

Have you planned out how you'll triage and respond to the audit? It was a bit overwhelming the first time I saw one of these. I hope your initial result is less daunting than that experience.

This made me notice I'd messed up my monthly donation on GitHub so I moved it over to Open Collective and backlogged what I'd missed and chipped in a bit extra for this.

luceos

linc Have you planned out how you'll triage and respond to the audit? It was a bit overwhelming the first time I saw one of these. I hope your initial result is less daunting than that experience.

I'd love to hear about these experiences so that we will be slightly more prepared 🙈

linc

luceos Sure, here are my suggestions off the top of my head. I'm sure you know much of this (and covered some of them already in your OP) but since I'm making it public I'm trying to be thorough.

Use a tool (preferably CVSS v2) to rate the severity of each issue if the audit doesn’t include it. You want cold, hard facts for severity, not engineer opinions.
Setup a private workflow tool (like a private GitHub issue tracker) to log, prioritize, and track progress of issues and take the time to translate the audit directly into it before starting work.
Cross-reference the audit to issue numbers in the workflow tool for later reference.
Do not publish or make the issues public until after the majority have shipped fixes, including as many Low-severity issues as possible.
Avoid writing and testing the patches in public for higher-severity issues (I set the bar at medium+ but that’s just my opinion). PRs essentially become disclosure in this case. A private fork shared between the security response team can be helpful for this and on an ongoing basis.
Assign an SLA per severity level and do your best to honor it.
Low-severity issues can daisy-chain together in non-obvious ways (that even the audit may miss) so don’t be complacent about or disregard them (generally speaking — it's of course perfectly fine to make 1-off decisions to set aside an issue).
Do not assume no one else knows about the issues but you. If they are present, anyone could already know about them. “Security by obscurity” is a fatal mindset to fall into.
Guesstimate how long issues will take to fix so you can batch their release appropriately. Don’t dribble out security patches as they are done, it freaks people out and makes it seem like the product is more flawed than it is.
If there are too many to do at once, prioritize and ship what you can get done in a reasonable period. Having less known security issues immediately is better than having none later.

I guess my short version would be: Make sure someone is in charge of managing the triage of the audit, and that the team is ready to go with the plan & tooling when it lands. That makes it matter a lot less whether it's 5 or 500 issues.

luceos

linc thanks these are really valuable!

Valeyard

linc Sure, here are my suggestions off the top of my head. I'm sure you know much of this (and covered some of them already in your OP) but since I'm making it public I'm trying to be thorough.

Most of those points are well made, especially the one on publishing/sharing the audit - I don't think they should share it with anyone that isn't either part of the Flarum development team or is a very trusted partner of theirs until they address the issues, and after you do that someone should write a short report outlining how each issue was responded to. Then when when you do eventually publish the audit you can also publish your response report alongside it. The security company may also send a follow-up report for you as a part of the audit after you've responded to the majority of issues so be sure to follow-up with them.

You also probably want to wait a further month at least after the security release before releasing the full un-redacted audit. It may be better to publish it redacted first and then un-redacted later on once users have had a good opportunity to install the new software version. People tend not to keep forum software up-to-date pro-actively when it's self-managed, there's still people using the beta versions, and like it or not that reality should be factored into the response.

Great advice on making a private issue tracker for security fixes!

Valeyard

I'm transposing this response from another thread as it has to do with security:

clarkwinkelmann And the same hostings where you can't adjust the amount of web resources are often the same ones that don't allow command line access, which automatically rule them out for any Composer-based package management even if we had a GUI available.

I for one don't want it in the admin gui - forum admins are not server admins. We need security by design.

This is why with email for example the SRS (Sender Rewriting Scheme) allows you to authenticate emails you forward, even though you're not an authorised party and could be spoofing the SRS if you were determined enough to. It's hardly a 100% secure scheme - however the security is in the fact that only the server administrator has the ability to set it up.

In a similar way you don't want forum admins who have a different skill set to a server admin to have the ability to run back-end commands that may break something or may create problems or security vulnerabilities. Also if someone hacks an administrator's account (which is far more likely than hacking the server) then if they have access to running any commend-line back-end commands that's a serious problem for security, even if it is limited to only PHP & Composer. They could discover your database password, and then dump the database and steal it. Note that the MyBB RCE exploit patched in v1.8.30 required administrative access to the forum to exploit and it was graded as a HIGH RISK security vulnerability.

If you ever wish to have the ability to upgrade core or plugins or to install new ones, it should be done through a non-core extension that explicitly installs and upgrades the extensions and does nothing else. If such an extension were to be created it could be bundled with the Softaculous version of Flarum and should be self-uninstallable for those who wish to remove it and use SSH. Furthermore it should create an extra userclass called "Server Admin" and rename regular admins to "Forum Admin" and then that way you can separate which of your Forum Admins can have access to that extension/functionality.

I know that sounds like a lot, but doing it any other way is a bad idea IMHO.

clarkwinkelmann

Valeyard I agree that having more levels of admin access should be an option, however if we take a look at or "competitors"/ other self-hosted apps, don't most of them allow site admins to install plugins from the UI?

One particular danger if we added a GUI right now for Composer and not change anything else, is that a malicious actor could publish a new package/extension to Packagist and immediately become able to install it on the forum they control. It might be a bit safer in the future when we'll eventually have our own "marketplace" and we could limit the installation UI to only approved extensions from the marketplace. Then you would have to compromise both the forum and an approved extension. But at the same time you might also find extensions in the marketplace that include RCE by design, like my scratchpad extension. Maybe there could be a flag for dangerous extensions that would require installation via the command line or an edit in config.php.

Regarding the forum and server admin, I don't think we have any data to back this up, but I'm pretty sure most of the forums using Flarum have a single person assuming both roles. Would be interesting to survey at some point.

Valeyard

clarkwinkelmann Valeyard I agree that having more levels of admin access should be an option, however if we take a look at or "competitors"/ other self-hosted apps, don't most of them allow site admins to install plugins from the UI?

Perhaps but this is poor argument because how many security mistakes have they made? LOTS. The weakest part of any forum's security is their administrator forum accounts since that allows you multiple attack vectors, and if you discover their forum password you can hack their account. Yes you can see IP addresses and emails if you do this as it is, but what you can't do is see the password hashes in the database as an example. If you could you could then take those, dump them and attempt to hack them:

So as mentioned we need security by design - and that means recognising that the Flarum Admin's front-end must not allow access to the server's back-end beyond what it needs to to run forum administration tasks.

clarkwinkelmann One particular danger if we added a GUI right now for Composer and not change anything else, is that a malicious actor could publish a new package/extension to Packagist and immediately become able to install it on the forum they control. It might be a bit safer in the future when we'll eventually have our own "marketplace" and we could limit the installation UI to only approved extensions from the marketplace.

Exactly. If you want to provide the ability to add or update plugins in the UI they should be limited to first-party plugins and those of trusted developers, not like how Wordpress works where you can install anything.

clarkwinkelmann Regarding the forum and server admin, I don't think we have any data to back this up, but I'm pretty sure most of the forums using Flarum have a single person assuming both roles. Would be interesting to survey at some point.

This is a poor argument from a security POV. The argument is actually a re-phrasing of an old one about software bugs that programmers would commonly make in the 70's-90's. And that is when someone would break their code such as a beta tester they would say "you're not meant to do that" or "don't do that" or "who would do that?!" When HTML markup was created there were arguments amongst the browser coders about how to implement parsing for rendering the output, and you can still read them today - there were programmers that literally said "if there is an error you throw an error message to the user and don't render the output". Guess how popular Netscape Navigator or Internet Explorer would have been if they were throwing an error whenever there an error in HTML?! The argument against it is simple: it would create a poor user experience, and then they're going to use a compete web browser instead that's kinder with how it handles parsing errors.

When it comes to security the argument is just not appropriate. Even if true that most forums only have one admin who is also the server admin, it doesn't matter what "most" people do because we're ultimately responsible for what everyone is doing. And I can certainly name a whole bunch of forums that have 3 or more admins, not necessarily Flarum forums, but active in-use forums. Professional corporate forums for example very often have multiple admins - there's at least 5 on Blackmagic's one just to give you an actual example there.

The whole point of security is not to expect users to use the software in a certain way, it's to make sure when they use it their way that it's not exposing them to preventable security risks.