I am Guybrush Threepwood, mighty developer?

LRAM
Master Bludit
Posts: 199
Joined: Sat Sep 24, 2016 4:02 pm
Location: France
Has thanked: 22 times
Been thanked: 2 times

Ok I have to wait until it happens again to measure the differences
https://sucrepop.com
Candies for the ears
tiloschroeder
Ssr. Bludit
Posts: 23
Joined: Sat Feb 25, 2023 10:59 am
Location: Klosterlechfeld
Has thanked: 3 times
Been thanked: 9 times

Okay, now that I've tested your website, I've found out 3 things:

1. Script not found
Your website loads a script from jsdelivr.net that cannot be found (error 404).

<!-- Load Bludit Plugins: Site head -->
...
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/amplitudejs@{{v5.1.0}}/dist/amplitude.js"></script>

2. HSTS and http:// -> https://
Your website returns an HSTS header, which tells the browser to connect to your website only via https:// for at least the next 6 months. Good.
But there is no automatic redirection from http:// to https://. This means your website is also reachable insecurely (http://).

To solve this issue, open the file .htaccess in the root directory and add the following lines:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If after this your website goes blank (white) or returns an error 500, remove the lines from the file and ask your provider how the redirect can be implemented.

3. Special security header

You can also add some special security headers (recommended), i.e. against cross-site scripting attacks, by adding the following lines to the file .htaccess:

<IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-UA-Compatible "IE=edge"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
</IfModule>

You can scan and test the website headers on Observatory from Mozilla: https://observatory.mozilla.org/analyze ... and-me.com
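A defender-side check for the three points in the post above, as an added example that is not part of the post and not Bludit's code: it parses raw HTTP responses (constructed samples here, but `curl -sI` output works the same way) and reports a missing http:// to https:// redirect, a missing or short-lived HSTS header, and missing X-Frame-Options / X-Content-Type-Options headers. The six-month threshold and the header names come from the post; the function names and sample responses are my own.

```python
"""Defender-side check for the three points in the post above: is http://
redirected to https://, does the https:// response carry HSTS for at least
six months, and are the recommended security headers present.

The responses are parsed from raw HTTP/1.1 text, so captured output from
`curl -sI` (or the constructed samples below) can be fed in directly.
"""
from typing import Dict, List, Tuple

SIX_MONTHS = 180 * 24 * 3600  # seconds; the minimum the post recommends for HSTS

# Header name -> accepted values (compared case-insensitively).
# X-XSS-Protection is deliberately not required: current browsers ignore it.
REQUIRED_HEADERS = {
    "x-frame-options": ("sameorigin", "deny"),
    "x-content-type-options": ("nosniff",),
}


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        key, _, number = directive.strip().partition("=")
        if key.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0


def check_site(http_raw: str, https_raw: str) -> List[str]:
    """Compare the http:// and https:// responses against the post's advice.

    Returns a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # 1. The plain-http response must be a permanent redirect to https://.
    status, headers = parse_response(http_raw)
    location = headers.get("location", "")
    if status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("no permanent redirect from http:// to https://")

    # 2. The https response must carry HSTS with a long enough max-age.
    status, headers = parse_response(https_raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    elif hsts_max_age(hsts) < SIX_MONTHS:
        findings.append("HSTS max-age shorter than six months")

    # 3. The recommended hardening headers must be present with a sane value.
    for name, accepted in REQUIRED_HEADERS.items():
        if headers.get(name, "").lower() not in accepted:
            findings.append(f"missing or weak {name} header")
    return findings


# Constructed sample responses (not captured from any real site).
HTTP_NO_REDIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/\r\n"
    "\r\n"
)
HTTPS_HSTS_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)
HTTPS_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("before:", check_site(HTTP_NO_REDIRECT, HTTPS_HSTS_ONLY))
    print("after: ", check_site(HTTP_REDIRECT, HTTPS_HARDENED))
```

The checker only accepts 301 and 308 as a redirect, because a temporary redirect (302/307) is not what the .htaccess rule above produces and is not cached by browsers. It does not require X-XSS-Protection even though the post recommends it: current browsers ignore that header, so its presence says nothing about the site's actual protection.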
LRAM
Master Bludit
Posts: 199
Joined: Sat Sep 24, 2016 4:02 pm
Location: France
Has thanked: 22 times
Been thanked: 2 times

Thank you very much for this analysis, I am very grateful.
I don't know what this missing script is; it seems to load a jQuery.
.htaccess modified as specified; thank you again,
hoping that this will solve the problem.
What is surprising is that I don't encounter it on my other sites.
https://sucrepop.com
Candies for the ears
AzzakaPrime
Jr. Bludit
Posts: 3
Joined: Wed Jun 09, 2021 11:19 am
Has thanked: 1 time
Been thanked: 1 time

Base steps for any installation:

Redirect Port 80 to 443
Always redirect to SSL to stop pages being served on Port 80. There is no need to serve pages on Port 80 anymore:

<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

No Indexing and No Following Symlinks
Remove directory indexing to stop people from scouring the server for sensitive information or pages that should not be visible externally. (This can be overridden in the .htaccess file.)

<Directory "/var/www/html">
Options -Indexes -FollowSymLinks
AllowOverride None
Require all granted
</Directory>

Extra Server Hardening
The below amendments will stop Cross-Site-Scripting, set the Cross-Framing to the 'Same Origin', turn on the Rewrite engine, and other pieces.

Note: X-Clacks-Overhead "GNU Terry Pratchett" is optional, and is used to keep Sir Terry's name alive. See here: Clacks Overhead - GNU Terry Pratchett

ServerTokens Prod
ServerSignature Off
FileETag None
TraceEnable off
Header append X-Frame-Options "SAMEORIGIN"
Header set X-Clacks-Overhead "GNU Terry Pratchett"
Header set X-XSS-Protection "1; mode=block"
ExtendedStatus Off
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [R=405,L]

There are other steps. These include installing 'fail2ban' and AV software. Also, disable TLS1.0 and TLS1.1. These are no longer secure; TLS1.2 and TLS1.3 should be used ONLY.
LRAM
Master Bludit
Posts: 199
Joined: Sat Sep 24, 2016 4:02 pm
Location: France
Has thanked: 22 times
Been thanked: 2 times

It just happened again :evil:
But now I have a backup of the altered version and the original.
Which file should I compare?
https://sucrepop.com
Candies for the ears
randomuser
Jr. Bludit
Posts: 2
Joined: Sun Oct 29, 2023 2:21 pm

Hi,

I got the same problem... but things may be different this time!

It was a draft blog, no backlinks online, only 2 people know the URL of it.

Still happened.

As @Edi proposes here: viewtopic.php?t=1878, I don't have any other files on the server, and I don't use third-party scripts.

But I noticed the strings were already in the zip file directly downloaded from Bludit! And it has been on GitHub for a long time: https://github.com/bludit/bludit/blob/v ... .class.php

So I guess when an update/change/manipulation fails, it erases the content of bl-content/databases/site.php and just puts the version and theme.

In my case, it was a change of domain name / theme that erased most of the content of the file; after that change, this was all that was in the file:

<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{"currentBuild":20230715,"theme":"darktheme"}

So the title/footer have no default values here and are taken from bl-kernel/site.class.php!

So it's probably not a hack! Just an Easter egg!
Last edited by randomuser on Sun Oct 29, 2023 3:17 pm, edited 5 times in total.
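An added example, not Bludit's code and not part of any post in this thread, that ties LRAM's question above ("which file should I compare") to randomuser's finding: it loads two copies of bl-content/databases/site.php, strips the PHP guard line that Bludit writes at the top, and lists which settings disappeared, changed or were added. The guard line and the two-key altered file are the ones quoted in the post above; the "original" sample content and the key set it uses are constructed for the example.

```python
"""Compare the Bludit site database (bl-content/databases/site.php) with a
backup and list the settings that disappeared. Bludit stores this file as one
PHP guard line followed by a JSON object, so the guard is stripped before
parsing.
"""
import json
from typing import Any, Dict, List

# First line Bludit writes to the database file (quoted in the post above).
PHP_GUARD = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>"


def load_bludit_db(text: str) -> Dict[str, Any]:
    """Strip the PHP guard line and parse the JSON object that follows."""
    first_line, _, rest = text.partition("\n")
    if first_line.strip() != PHP_GUARD:
        raise ValueError("not a Bludit database file: unexpected first line")
    data = json.loads(rest)
    if not isinstance(data, dict):
        raise ValueError("database body is not a JSON object")
    return data


def compare_db(original: str, altered: str) -> Dict[str, List[str]]:
    """Report keys lost, changed and added between two copies of site.php."""
    before = load_bludit_db(original)
    after = load_bludit_db(altered)
    return {
        "lost": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
    }


# Constructed sample of a healthy site.php: the key set is a made-up subset
# of the settings Bludit keeps there and the values are invented.
ORIGINAL_SITE_PHP = PHP_GUARD + "\n" + json.dumps({
    "title": "My Blog",
    "slogan": "Candies for the ears",
    "footer": "My footer",
    "url": "https://example.com/",
    "theme": "darktheme",
    "currentBuild": 20230715,
})

# The two-key file quoted in the post above.
ALTERED_SITE_PHP = PHP_GUARD + "\n" + '{"currentBuild":20230715,"theme":"darktheme"}'

if __name__ == "__main__":
    # A healthy site.php compared with itself reports nothing; the altered
    # one reports every setting that fell back to the defaults in
    # bl-kernel/site.class.php.
    print(compare_db(ORIGINAL_SITE_PHP, ORIGINAL_SITE_PHP))
    print(compare_db(ORIGINAL_SITE_PHP, ALTERED_SITE_PHP))
```

Run it with the backup as `original` and the current file as `altered`: an empty "lost" list means the settings survived, while a "lost" list containing title, slogan, footer and url is the reset-to-defaults situation described in this thread rather than a sign of injected content. Injected content would show up under "changed" or "added" instead.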