
Researching options for starting a fresh site installation

Posted: Fri Jun 14, 2019 6:41 pm
by joepal
As per ... tyorg.html, it currently looks as if the only way forward is to make a new installation of the site software and then try to port data.

Before stating that, I've been researching what the options are.

For now, I can say I'll have to give up any hope that drupal would have come far enough to be able to shoulder both forum and wiki. It hasn't, and miserably so.

I have also considered moving the forum to something hosted by a third party, such as discourse. I remain sceptical about this, although I haven't completely ruled out the option. The main reasons against it are that any such forum provider might suddenly decide the images posted are too explicit and ban us, and that migrating the existing forum content to such a solution probably would be impossible.

Atm. I'm thinking that pretty much the only option is going for fresh installs of the latest versions of what is in use today, at least drupal (for the asset repo) and phpbb (for the forum).

But I'm going to keep researching a bit before starting any form of implementing. So input is welcome.

Re: Researching options for starting a fresh site installati

Posted: Tue Jun 18, 2019 1:58 pm
by wolgade
A few weeks ago I thought about the visual appearance of the MH frontpage and decided that it should be improved. I was aware of the fact that anything proposed by me had to be compatible with the software it runs on, which currently means Drupal 7. So I decided to learn Drupal, which was a bit harder than I initially thought.

It ended up with installing and configuring Apache, PHP, and MySQL on my local machine and having my share of mistakes and trouble while doing so. At this stage I realized what can go wrong on a web server that can and will be attacked by an army of assholes. On top of this hopefully properly configured bunch of software runs Drupal. Drupal itself gets most of its functionality from externally developed modules. Maintenance status of these modules varies. Any module might increase vulnerability.

I'm still a noob when it comes to web development, but from what I've learned I'd recommend the following:
  1. Switch to Drupal 8. Drupal 7 is deprecated and shouldn't be used for new projects.
  2. Use as few Drupal modules as possible.

The next thing I'll figure out is how passwords are stored in the database on my local machine. I suspect that they're stored as plain text, which is not an issue on my local installation, but a very bad idea for a real world web server. Databases get stolen frequently and they shouldn't contain passwords as plain text, but as salted hashes.

Oh, BTW: While we're on it, the visual appearance of the MH frontpage should be improved.

Re: Researching options for starting a fresh site installati

Posted: Tue Jun 18, 2019 3:34 pm
by joepal
I'd love help re-designing the front page.

The drupal system does not need a whole lot of modules. The most important module in use is "views", which is necessary for the asset repos. Outside of that there's CKEditor and some image management modules.

After having dropped the idea of integrating forum functionality into drupal, I see no particular reason for sticking with drupal 7. The only showstopper for drupal 8 would have been that the "advanced forum" module isn't ported yet. But even with that module in place, the forums would have been a very depressing experience.

Also, I'm going to have to drop the authentication integration between drupal, mediawiki and phpbb. I'm strongly suspecting this was the attack vector. Unfortunately this means that the frontpage/repo, the wiki and the forums will in effect be three different sites which will require separate registration.

Re: Researching options for starting a fresh site installati

Posted: Mon Jun 24, 2019 11:20 am
by joepal
Researching the possible breach, I'm more and more starting to doubt that the problem is with the makehuman site. It's starting to look as if the culprit is an old breach at LinkedIn.

Investigations are continuing...

Re: Researching options for starting a fresh site installati

Posted: Mon Jul 01, 2019 3:49 pm
by jimoblak
While it is always good to prepare for the future, I would not worry too much about D7 EOL, unless you sit on D7 for 10 more years. I'm still running some D6 sites that continue to get security and PHP compatibility updates through the long term support project. It also helps to follow best security practices, regardless of the version of Drupal. This site might do best with the latest stable release, instead of the development release.

While you may have found the problem to be just the old LinkedIn breach, you should make sure that each of your web apps (Drupal, phpBB, etc) are segregated to their own databases and distinct accounts on your server. This protects your web apps if one of them becomes exploited. If someone wanted to exploit Drupal, they'd probably find the easier fault in phpBB first and then access the database shared with Drupal.
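
Added example, not part of the thread and not code from the MakeHuman site: one way to check the database segregation recommended in the last post is to audit `SHOW GRANTS` output for application accounts that can reach more than one database. The account and database names below are assumptions, and the grant lines are constructed sample input.

```python
import re
from collections import defaultdict

# Matches one line of MySQL/MariaDB `SHOW GRANTS` output, e.g.
#   GRANT SELECT, INSERT ON `drupal`.* TO 'drupal_app'@'localhost'
# Accepts both '...' and `...` quoting of the account name.
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<db>\*|`[^`]+`)\.(?:\*|`[^`]+`)\s+"
    r"TO\s+['`](?P<user>[^'`]+)['`]@",
    re.IGNORECASE,
)

# Constructed sample input: hypothetical accounts and database names for
# the three web apps named in the thread (Drupal, MediaWiki, phpBB).
SAMPLE_GRANTS = """\
GRANT USAGE ON *.* TO 'drupal_app'@'localhost'
GRANT ALL PRIVILEGES ON `drupal`.* TO 'drupal_app'@'localhost'
GRANT USAGE ON *.* TO 'wiki_app'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `mediawiki`.* TO 'wiki_app'@'localhost'
GRANT USAGE ON *.* TO 'forum_app'@'localhost'
GRANT ALL PRIVILEGES ON `phpbb`.* TO 'forum_app'@'localhost'
GRANT SELECT ON `drupal`.* TO 'forum_app'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'site_admin'@'localhost' WITH GRANT OPTION
"""

def audit_grants(text):
    """Return (account -> set of reachable databases, list of findings)."""
    reach = defaultdict(set)
    for line in text.splitlines():
        m = GRANT_RE.search(line)
        if not m or m.group("privs").strip().upper() == "USAGE":
            continue  # USAGE grants no privileges, so it is not real access
        reach[m.group("user")].add(m.group("db").strip("`"))
    findings = []
    for user, dbs in sorted(reach.items()):
        if "*" in dbs:
            findings.append(f"{user}: global privileges (*.*), reaches every database")
        elif len(dbs) > 1:
            findings.append(f"{user}: reaches {len(dbs)} databases: {', '.join(sorted(dbs))}")
    return dict(reach), findings

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS)[1]:
        print("FINDING:", finding)
```

In the sample, `forum_app` is flagged because a compromise of the forum software would also expose the `drupal` database, and `site_admin` is flagged because a global grant must never be the account a web app connects with.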