Check my site's security
I have my site hosted and feel free to let me know of any security holes, if you find any.
The site is: securitybox.ddns.net
This site has a self-signed certificate, so you will have to add an exception. I tested the site's SSL at SSL Labs and I got an "A". Let me know if you find any weaknesses because as of now I think it is solid.
There are vulnerabilities in the CMS and system though; I'm sure of it, as there is no such thing as 100% secure.
I poked it for a couple of minutes and it seems ok.
Consider adding Captcha to register, since right now I can start pewpewing your DB with useless data :P
I know that register is "down" for the time being, but when you register, why is a password not required?!
I can't register so I couldn't check your cookie/sessions :P
Headers:
X-Powered-By: PHP/5.4.16 (NO!)
X-Generator: Drupal 7 (http://drupal.org) (NO!)
Server: Apache (That's much better, but still meh for me :D )
https://securitybox.ddns.net/icons/README - remove that.
Cookie needs httpOnly and isSecure flags.
EDITED: I hope you issue a new cookie when the user authenticates (session fixation might occur).
Password autocomplete must be off!
That's what I've picked up so far! Didn't run any scanners against it, since even my spider DoSes you :|
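The header and cookie findings in the post above are the kind of thing a quick response-header audit can flag automatically. The following is an added example, not code from the thread: it parses a raw HTTP response head (a constructed sample modelled on the headers quoted above, not a real capture) and reports stack-disclosing headers and session cookies missing the HttpOnly and Secure attributes.

```python
import re

# Headers that announce the software stack (the X-Powered-By / X-Generator findings).
DISCLOSURE_HEADERS = ("x-powered-by", "x-generator", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")

def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    pairs = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return lines[0], pairs

def cookie_findings(set_cookie):
    """Report missing HttpOnly / Secure attributes on one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by page scripts)")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (also sent over plain HTTP)")
    return findings

def audit(raw):
    """Return a list of finding strings for a raw HTTP response head."""
    _, pairs = parse_headers(raw)
    findings = []
    for name, value in pairs:
        if name in DISCLOSURE_HEADERS:
            # PHP's X-Powered-By goes away with expose_php = Off in php.ini.
            findings.append(f"{name}: discloses stack ({value!r}); remove it")
        elif name == "server" and VERSION_RE.search(value):
            findings.append(f"server: discloses version ({value!r}); set ServerTokens Prod")
        elif name == "set-cookie":
            findings.extend(cookie_findings(value))
    return findings

# Constructed sample modelled on the headers quoted in the thread (not a real capture).
SAMPLE = """HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.4.16
X-Generator: Drupal 7 (http://drupal.org)
Set-Cookie: SESSabc=123; path=/
"""

print("\n".join(audit(SAMPLE)))
```

The sample yields four findings: the two disclosure headers and the two missing cookie attributes; a bare "Server: Apache" passes because it carries no version.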
Password issues! I registered with "a" as the password.
Error: PDOException: SQLSTATE[HY000]: General error: 1 Can't create/write to file '/var/tmp/#sql_6d3_0.MAI' (Errcode: 2): SELECT DISTINCT b.* FROM {block} b LEFT JOIN {block_role} r ON b.module = r.module AND b.delta = r.delta WHERE b.status = 1 AND b.custom <> 0 AND (r.rid IN (:rids_0) OR r.rid IS NULL) ORDER BY b.weight, b.module; Array ( [:rids_0] => 2 ) in block_form_user_profile_form_alter() (line 578 of /var/www/html/index.html/modules/block/block.module).
https://www.google.com/recaptcha/intro/index.html
Don't reinvent the wheel. Change your captcha to Google's reCAPTCHA. Thumbs up.
Scar0ptics wrote: I'll keep what I have for right now. I made everything case sensitive and I am not a fan of Google lol... maybe in 2003. I know it's a great search engine, but they really messed it up.
https://wappalyzer.com/applications/recaptcha Most optical character recognition tools will crack your captcha. :|
Seriously man, I hate fucking captchas, especially on my mobile, so if a site uses them for more than just logging in, especially in forum or comment posts, I just don't bother using it. There are forums I've been a member of for years and never posted a thing, due to their insistence on using captchas and security questions before you can even reply to a PM. Captchas should be for registration and nothing else, except maybe cracking challenges.