Inc Config Private Hosts setting
#1
I'm re-reading all of the current MyBB Security Docs, and have a question about this one:

MyBB.com > Docs > Security > Protecting your MyBB Forum > Configure access to private hosts and IP addresses
https://docs.mybb.com/1.8/administration/security/protection/

The instructions seem to say, go into your MyBB installation's inc/config.php file and add your server's IP address to 2 sections. My question is, am I understanding that correctly? I'm confused because it combines the word "disallowed" with the server's IP address, and I don't want to lock out the server! Thanks if anyone can clarify.
 


/**
 * Disallowed Remote Hosts
 *  List of hosts the fetch_remote_file() function will not
 *  perform requests to.
 *  It is recommended that you enter hosts resolving to the
 *  forum server here to prevent Server Side Request
 *  Forgery attacks.
 */

$config['disallowed_remote_hosts'] = array(
	'localhost',
);

/**
 * Disallowed Remote Addresses
 *  List of IPv4 addresses the fetch_remote_file() function
 *  will not perform requests to.
 *  It is recommended that you enter addresses resolving to
 *  the forum server here to prevent Server Side Request
 *  Forgery attacks.
 *  Removing all values disables resolving hosts in that
 *  function.
 */

$config['disallowed_remote_addresses'] = array(
	'127.0.0.1',
	'10.0.0.0/8',
	'172.16.0.0/12',
	'192.168.0.0/16',
);
Reply
#2
Yes, these arrays should include all hostnames and IP addresses (including local/private ones, included by default) over which the forum server, and servers reachable from its network but not accessible publicly, can be reached.

During normal usage MyBB doesn't attempt to communicate with its own server using any network, and this prevents "tricking" it into doing so - disclosing sensitive information related to infrastructure or performing malicious operations (an SSRF vulnerability: https://www.owasp.org/index.php/Server_S...st_Forgery, https://portswigger.net/web-security/ssrf).
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
Reply
#3
Thanks - and just so I actually get it right, I add the public IP address and the domain name to both sections, like this?

$config['disallowed_remote_hosts'] = array(
	'localhost',
	'123.456.789.123',
	'mydomainname.com',
);

$config['disallowed_remote_addresses'] = array(
	'127.0.0.1',
	'10.0.0.0/8',
	'172.16.0.0/12',
	'192.168.0.0/16',
	'123.456.789.123',
	'mydomainname.com',
);
Reply
#4
Looks good; the IP address in $config['disallowed_remote_hosts'] and the domain in $config['disallowed_remote_addresses'] are not necessary (hosts should be caught using the first array, and IPs using the second array).
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
Reply
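The following is an added illustration for posts #2 and #4, written for this thread; it is not MyBB's fetch_remote_file() code and not anything posted by the participants. It shows how a deny list shaped like the two inc/config.php arrays is applied to an outbound URL: the hosts array is matched against the URL's hostname by name, and the addresses array against the literal IPv4 in the URL or against every address the name resolves to. That is why an IP address placed in disallowed_remote_hosts, or a domain name placed in disallowed_remote_addresses, never matches anything. The hostnames (forum.example.com, intranet.example, cdn.example.net, alias.example.net), the documentation-range addresses, the $fake_dns map that stands in for DNS so the script runs offline, and the function names ipv4_in_entry() and check_remote_target() are all constructed for this example.

```php
<?php
// Added illustration, not MyBB's own fetch_remote_file() code: how a deny list
// shaped like the two arrays in inc/config.php is applied to an outbound URL.
// All hostnames and addresses below are constructed sample values.

$config = array();
$config['disallowed_remote_hosts'] = array(
    'localhost',
    'forum.example.com',   // the forum's own public hostname (assumed)
);
$config['disallowed_remote_addresses'] = array(
    '127.0.0.1',
    '10.0.0.0/8',
    '172.16.0.0/12',
    '192.168.0.0/16',
    '203.0.113.10',        // the forum's own public IPv4 (constructed)
);

// Stand-in for DNS so the example runs offline (real code would call gethostbynamel()).
$fake_dns = array(
    'forum.example.com' => array('203.0.113.10'),
    'intranet.example'  => array('10.20.30.40'),
    'cdn.example.net'   => array('198.51.100.7'),
    'alias.example.net' => array('198.51.100.7', '127.0.0.1'), // mixed answer
);

// True when $ip (dotted IPv4) equals $entry or lies inside $entry's CIDR block.
// A non-IPv4 entry (for example a domain name) can never match here.
function ipv4_in_entry($ip, $entry)
{
    $ip_long = ip2long($ip);
    if ($ip_long === false) {
        return false;
    }
    if (strpos($entry, '/') === false) {
        $entry_long = ip2long($entry);
        return $entry_long !== false && $entry_long === $ip_long;
    }
    list($subnet, $bits) = explode('/', $entry, 2);
    $subnet_long = ip2long($subnet);
    $bits = (int) $bits;
    if ($subnet_long === false || $bits < 0 || $bits > 32) {
        return false;
    }
    if ($bits === 0) {
        return true;
    }
    $mask = -1 << (32 - $bits);  // keeps the top $bits bits of the 32-bit value
    return ($ip_long & $mask) === ($subnet_long & $mask);
}

// Returns array(allowed => bool, reason => string) for one candidate URL.
function check_remote_target($url, array $config, array $dns)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return array('allowed' => false, 'reason' => 'no usable host in URL');
    }
    $host = strtolower($host);

    // 1. Hostname deny list: matched by name, before any lookup.
    foreach ($config['disallowed_remote_hosts'] as $bad_host) {
        if (strtolower($bad_host) === $host) {
            return array('allowed' => false, 'reason' => "host '$host' is listed");
        }
    }

    // 2. Address deny list: applied to a literal IPv4 in the URL, or to every
    //    address the name resolves to. An empty list skips resolution, which is
    //    what the inc/config.php comment means by "disables resolving hosts".
    if (empty($config['disallowed_remote_addresses'])) {
        return array('allowed' => true, 'reason' => 'address list empty, not resolved');
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $addresses = array($host);
    } elseif (!empty($dns[$host])) {
        $addresses = $dns[$host];
    } else {
        return array('allowed' => false, 'reason' => "host '$host' did not resolve");
    }
    foreach ($addresses as $ip) {
        foreach ($config['disallowed_remote_addresses'] as $entry) {
            if (ipv4_in_entry($ip, $entry)) {
                return array('allowed' => false, 'reason' => "$host -> $ip is inside $entry");
            }
        }
    }
    return array('allowed' => true, 'reason' => "$host -> " . implode(', ', $addresses));
}

$samples = array(
    'http://cdn.example.net/avatar.png',   // public host, public address: allowed
    'http://forum.example.com/admin/',     // caught by disallowed_remote_hosts
    'http://203.0.113.10/admin/',          // caught by disallowed_remote_addresses
    'http://intranet.example/',            // resolves into 10.0.0.0/8
    'http://alias.example.net/',           // one of its two answers is 127.0.0.1
);
foreach ($samples as $url) {
    $result = check_remote_target($url, $config, $fake_dns);
    printf("%-6s %s (%s)\n", $result['allowed'] ? 'ALLOW' : 'BLOCK', $url, $result['reason']);
}
```

Run it with `php` from the command line; the first sample is allowed and the other four are blocked, each with the list entry that caught it. Two points the sample shows that a configuration review should keep in mind: every address a name resolves to has to be checked, not just the first, and a check done on resolved addresses only protects the request if the fetch then connects to the address that was checked (and re-checks any redirect target), otherwise a name whose answer changes between lookup and connection slips past it.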
#5
I didn't know about this config change. Must have been in 1.8x. Nice.
Reply
#6
Thanks again - I appreciate the info you all provide about MyBB here.

Do you happen to know anything about the other MyBB security recommendations - specifically the HTTPS and Header set Content-Security-Protocol (CSP) directives? 

To function with a CSP header, MyBB requires allowing default-src 'unsafe-inline' 'unsafe-eval' directives (to allow inline scripts), but apparently that basically defeats the purpose of having CSP? Just wondering if there is a roadmap to getting MyBB to comply with default-src 'self' which would be considered safer? Or, is this not really an issue?

I already asked this in another post, but got no response... Thanks again.
Reply

