MyBB Community Forums

Full Version: Inc Config Private Hosts setting
I'm re-reading all of the current MyBB Security Docs, and have a question about this one:

MyBB.com > Docs > Security > Protecting your MyBB Forum > Configure access to private hosts and IP addresses
https://docs.mybb.com/1.8/administration/security/protection/

The instructions seem to say, go into your MyBB installation's inc/config.php file and add your server's IP address to 2 sections. My question is, am I understanding that correctly? I'm confused because it combines the word "disallowed" with the server's IP address, and I don't want to lock out the server! Thanks if anyone can clarify.
/**
 * Disallowed Remote Hosts
 *  List of hosts the fetch_remote_file() function will not
 *  perform requests to.
 *  It is recommended that you enter hosts resolving to the
 *  forum server here to prevent Server Side Request
 *  Forgery attacks.
 */

$config['disallowed_remote_hosts'] = array(
	'localhost',
);

/**
 * Disallowed Remote Addresses
 *  List of IPv4 addresses the fetch_remote_file() function
 *  will not perform requests to.
 *  It is recommended that you enter addresses resolving to
 *  the forum server here to prevent Server Side Request
 *  Forgery attacks.
 *  Removing all values disables resolving hosts in that
 *  function.
 */

$config['disallowed_remote_addresses'] = array(
	'127.0.0.1',
	'10.0.0.0/8',
	'172.16.0.0/12',
	'192.168.0.0/16',
);
Yes, these arrays should include all hostnames and IP addresses (including local/private ones, included by default) over which the forum server, and servers reachable from its network but not accessible publicly, can be reached.

During normal usage MyBB doesn't attempt to communicate with its own server using any network, and this prevents "tricking" it into doing so - disclosing sensitive information related to infrastructure or performing malicious operations (an SSRF vulnerability: https://www.owasp.org/index.php/Server_S...st_Forgery, https://portswigger.net/web-security/ssrf).
Thanks - and just so I actually get it right, I add the public IP address and the domain name to both sections, like this?

$config['disallowed_remote_hosts'] = array(
	'localhost',
	'123.456.789.123',
	'mydomainname.com',
);

$config['disallowed_remote_addresses'] = array(
	'127.0.0.1',
	'10.0.0.0/8',
	'172.16.0.0/12',
	'192.168.0.0/16',
	'123.456.789.123',
	'mydomainname.com',
);
Looks good; the IP address in $config['disallowed_remote_hosts'] and the domain in $config['disallowed_remote_addresses'] are not necessary (hosts should be caught using the first array, and IPs using the second array).
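To make the split between the two arrays concrete (hostnames are matched against disallowed_remote_hosts, resolved or literal IPv4 addresses against disallowed_remote_addresses), here is an added, simplified pre-request check. It is example code written for this thread, not MyBB's own fetch_remote_file() implementation, and it assumes a hypothetical ssrf_block_reason() helper, an in-memory resolver in place of real DNS, and constructed sample values (mydomainname.com, 203.0.113.10, internal.example) that stand in for a real forum's host and IP.

```php
<?php
// Added example, not MyBB's own code: a simplified SSRF pre-check modelled
// on the two config arrays from inc/config.php.

$config['disallowed_remote_hosts'] = array(
    'localhost',
    'mydomainname.com',          // constructed: the forum's own domain
);

$config['disallowed_remote_addresses'] = array(
    '127.0.0.1',
    '10.0.0.0/8',
    '172.16.0.0/12',
    '192.168.0.0/16',
    '203.0.113.10',              // constructed: the forum's public IP (TEST-NET-3)
);

/**
 * True if $ip (dotted IPv4) lies inside $range, which is either a plain
 * IPv4 address or CIDR notation such as 10.0.0.0/8.
 */
function ipv4_in_range($ip, $range)
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;            // not a valid IPv4 literal
    }
    if (strpos($range, '/') === false) {
        return $ipLong === ip2long($range);
    }
    list($subnet, $bits) = explode('/', $range, 2);
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return (($ipLong & $mask) === (ip2long($subnet) & $mask));
}

/**
 * Hypothetical helper: returns a reason string when the URL must not be
 * fetched, or null when the request is allowed.  Step 1 uses the hosts
 * array (where a domain name belongs); step 2 uses the addresses array
 * for a literal IP in the URL or for every address the host resolves to.
 */
function ssrf_block_reason($url, array $config, callable $resolve)
{
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || $host === false) {
        return 'unparseable URL';
    }
    $host = strtolower($host);

    foreach ($config['disallowed_remote_hosts'] as $bad) {
        if ($host === strtolower($bad)) {
            return "host '$host' is disallowed";
        }
    }

    $addresses = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
        ? array($host)
        : $resolve($host);
    foreach ($addresses as $ip) {
        foreach ($config['disallowed_remote_addresses'] as $range) {
            if (ipv4_in_range($ip, $range)) {
                return "address $ip for '$host' matches $range";
            }
        }
    }
    return null;
}

// Constructed resolver so the example runs offline; real code would call
// gethostbynamel() or a DNS library instead.
$resolve = function ($host) {
    $table = array(
        'example.org'      => array('198.51.100.7'),   // public, allowed
        'internal.example' => array('10.1.2.3'),       // private, blocked
    );
    return isset($table[$host]) ? $table[$host] : array();
};

$samples = array(
    'https://example.org/avatar.png',     // allowed
    'http://localhost/admin/',            // blocked by the hosts array
    'http://mydomainname.com/',           // blocked by the hosts array
    'http://192.168.1.20/',               // blocked by 192.168.0.0/16
    'http://internal.example/',           // resolves into 10.0.0.0/8, blocked
    'http://203.0.113.10/',               // the forum's own public IP, blocked
);
foreach ($samples as $url) {
    $reason = ssrf_block_reason($url, $config, $resolve);
    echo str_pad($url, 36), $reason === null ? "allowed\n" : "blocked ($reason)\n";
}
```

Note that the address check runs on what the name resolves to, not on the name itself, which is why putting a domain into disallowed_remote_addresses (or an IP into disallowed_remote_hosts) adds nothing: the entry would never be compared against the right kind of value.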
I didn't know about this config change. Must have been in 1.8x. Nice.
Thanks again - I appreciate the info you all provide about MyBB here.

Do you happen to know anything about the other MyBB security recommendations - specifically the HTTPS and Header set Content-Security-Protocol (CSP) directives?

To function with a CSP header, MyBB requires allowing default-src 'unsafe-inline' 'unsafe-eval' directives (to allow inline scripts), but apparently that basically defeats the purpose of having CSP? Just wondering if there is a roadmap to getting MyBB to comply with default-src 'self' which would be considered safer? Or, is this not really an issue?

I already asked this in another post, but got no response... Thanks again.