Hi Frank,
New run, Penetration quick test, new test results:
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Server Leaks Version Information via "Server" HTTP Response Header Field
Possible starting points:
// http://de.wikipedia.org/wiki/Liste_der_HTTP-Headerfelder
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
// remove PHP version Info
header_remove("X-Powered-By");
// End of send header
https://...contact.php - SQL injection may be possible
https://...comments.php - CSRF attack possible in HTML submission form
No verification of inputs, SQL statements, form attacks and so on ...
Interesting, during the setup with PHP 8.4.3 everything went smoothly, the login also worked. After saving the FlatPress configuration (customizing title and so on) FlatPress became slow, then no more clicks possible.
In the log:
PHP Fatal error: Maximum execution time of 30 seconds exceeded in ../fpgit1853/fp-includes/core/core.language.php on line 260
PHP Fatal error: Maximum execution time of 30 seconds exceeded in ../fpgit1853/fp-includes/core/core.cookie.php on line 103
PHP Fatal error: Maximum execution time of 30 seconds exceeded in ../fpgit1853/fp-includes/core/core.language.php on line 260
After closing the browser and logging in again, everything was ok again, including the previously saved configuration. Unfortunately, this could no longer be reproduced (theoretical cache problems?), but I will keep an eye on it.
Ok, new attack run

almost no more PHP errors, except for this one:
PHP Warning: Undefined array key "user" in ../fpgit1853/fp-content/compile/e93fccb09cf8b04111b9595da102f3f4^f28d0dfa248b74b520244b0130a2b831960aa9fa_0.file.login.tpl.php on line 37
PHP Warning: strtok(): Both arguments must be provided when starting tokenization in ../fpgit1853/fp-includes/core/core.utils.php on line 104
PHP Warning: strtok(): Both arguments must be provided when starting tokenization in ../fpgit1853/fp-includes/core/core.utils.php on line 105
I think you've done a great job, the attack factor has decreased significantly (thumbs up!)
best regards
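The CSRF finding on the comments form, as an added example that is neither FlatPress code nor the poster's own: a session-bound form token checked with hash_equals(), combined with the response headers from the post above. The session usage, the script layout and the field names (csrf_token, comment) are assumptions.

```php
<?php
// Added example, not FlatPress code: CSRF token for a comment form.
// Assumes a PHP session is available and the form posts back to this script.
session_start();

function csrf_token(): string {
    // One random token per session, reused until the session ends.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool {
    // hash_equals() compares in constant time, so the check does not leak timing.
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Headers from the post above, sent before any output.
header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');
header_remove('X-Powered-By');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // Token is valid: validate the comment input before using it.
    $comment = trim((string)($_POST['comment'] ?? ''));
    if ($comment === '' || mb_strlen($comment) > 2000) {
        http_response_code(400);
        exit('Comment missing or too long');
    }
    // ... store $comment with a prepared statement, never by string concatenation
    echo 'Comment accepted';
    exit;
}

// Render the form with the hidden token; escape output so the token cannot break the HTML.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<textarea name="comment"></textarea>'
   . '<button type="submit">Send</button>'
   . '</form>';
```

Note that header_remove() only affects headers PHP itself adds; the "Server" header reported in the test comes from the web server and is reduced in its configuration (for Apache, ServerTokens Prod).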