Why aren't security warnings on the Dashboard?

[Washerhelp]

Hi. I recently updated my forums. I took the advice of the pre-upgrade checker to get PHP 7 installed on my server. Anyway, several weeks later I happened to click on the "security" link in the control panel and found 3 warnings. One of them in red and flagged as serious. The warnings are related to the new PHP and included disabling several commands in PHP. I had done this already in the past, but updating to PHP 7 had re-enabled these apparently dangerous commands.

I'm disappointed that if IPS finds serious security issues it doesn't actually tell me. Why aren't those warnings on the dashboard with the other warnings about admins logging in and failed login attempts?

I appreciate someone might say I should have realised installing a new version of PHP would override previous amendments or that I should regularly click the security link to check for new warnings. But the dashboard is already designated as a place to display important information and stats and is where I'm always taken when I log in. From there I navigate to the place I came to do work on. I haven't felt I needed to regularly check the security tab.

I appreciate from now on if I change anything or upgrade IPS I will check the link but surely admins should be proactively warned about security issues as soon as they log onto the control panel? Ideally in the dashboard widgets?

 

Andy

[Charles]

The security center in the AdminCP are designed as best-practice advice. Those issues you see there are not issue with our software but are issues with your hosting environment that we are simply giving you advice on. In the end, securing your server is of course your responsibility.

We offer that section as assistance but only a good web host can be sure you are totally secure. Those areas highlighted are things we can easily detect and suggest but it is concerning if such basic things are not handled by your host. There may be other security issues our software can not easily detect and warn you about. You should ask your web host to audit your environment.

[Washerhelp]

Thanks Charles. Like many other people I run my own server supplied by a big hosting company so I have to do everything myself. It's beyond me why even the most up to date PHP comes with all these "dangerous" features switched on.  If you are only checking and advising as a good will gesture (which we greatly appreciate)  it seems a little disingenuous to then say but we won't actually proactively tell you. It's up to you to discover the warning yourself.

I fully appreciate that these issues are technically not part of the forums, but someone at IPS thinks it's important to check these things. It's built into the control panel to display these warnings. So why after doing that would you just leave it up to us to discover them when you could so easily display them in the dashboard?

Either IPS think it's nothing to do with them how our servers are configured or they don't. As they clearly do think it's important to check some things and warn us it feels a little like a friend noticing my house has a serious potential security vulnerability and if I ask him he'll tell me about it but otherwise he'd leave me to discover it myself  

[Aaron M]

1 hour ago, Washerhelp said:

Thanks Charles. Like many other people I run my own server supplied by a big hosting company so I have to do everything myself. It's beyond me why even the most up to date PHP comes with all these "dangerous" features switched on.  If you are only checking and advising as a good will gesture (which we greatly appreciate)  it seems a little disingenuous to then say but we won't actually proactively tell you. It's up to you to discover the warning yourself.

I fully appreciate that these issues are technically not part of the forums, but someone at IPS thinks it's important to check these things. It's built into the control panel to display these warnings. So why after doing that would you just leave it up to us to discover them when you could so easily display them in the dashboard?

Either IPS think it's nothing to do with them how our servers are configured or they don't. As they clearly do think it's important to check some things and warn us it feels a little like a friend noticing my house has a serious potential security vulnerability and if I ask him he'll tell me about it but otherwise he'd leave me to discover it myself  

I assume you're on about the list of PHP commands that get flagged (like exec); those are enabled with many hosts because of the fact that while they are able to be abused in the wrong hands, they are also very powerful (which is partly what makes them somewhat "dangerous") - if you are just running IPS then you're fine and can disable those commands, but if you have other applications then you might stop them working if they make use of those. 

[Washerhelp]

Thanks, although the issue is about being notified of warnings rather than how to deal with these specific ones. I've sadly just found another example of this issue. Two people have recently complained that they are receiving a server error when trying to post. So I logged into my Dashboard and clicked "support/Something isn't working correctly". I was then shown another warning -

"You are running the latest version, but there are known issues:

An issue has been identified with PHP7.1 when using the Zend Opcache extension that may cause features on your site, such as member posting, not to work correctly. To resolve this issue, please disable the Zend Opcache PHP extension. The underlying issue is related to a third party library used by the Community Suite which has been updated in our upcoming 4.2 release, at which point the Opcache extension may be re-enabled"

I apologise if I'm not using the control panel properly or misunderstanding something, but again I find this quite astounding, and to be honest unacceptable as a paying customer.

Here's how it feels to me -

I was advised a new version of IPS was available. I updated and was advised that upgrading to PHP 7 was recommended.

I upgraded to PHP 7 

After upgrading to PHP 7, IPS ran tests and discovered 3 security issues related to PHP 7 - 1 of them "serious". It didn't tell me, or in anyway flag up that there were new security warnings found. Then (presumably some time later) IPS discovered the above issue with the Zend Opcache extension that can cause some users to be unable to post. But again IPS or my Control panel didn't tell me. I only discovered it after trying to contact support.

How is it possible that these things are found but not notified? They deserve to be flagged on the Dashboard with far more priority than the current relatively benign notifications about members waiting for approval, how many people have registered recently and the percentage of users by app.

I appreciate there might be an argument that anyone running and administrating forums should maybe constantly roam around in the control panel. But I can't be the only person that uses the control panel like I do. I open control panel to carry out specific tasks like deal with a member issue or maybe edit an advert etc. So when I go to control panel it opens up on my dashboard. I look at the information in the dashboard before moving directly to the area I came to deal with and then log out. I thought dashboards were the place where an admin can quickly get a look at how things are going. Anything important should be there surely? 

How can there be known security or php issues that are not there for admins to see? Why is the information essentially hidden and left for us to chance across? I don't think it's fair to say that these particular issues are related to the server and not IPS because it was IPS that advised me to update the PHP. Basically if IPS has looked for and found any security or functional issues related directly or indirectly to the forums they should be flagged up to admins - ideally on the dashboard please

 

[Simon Woods]

2 hours ago, Washerhelp said:

I don't think it's fair to say that these particular issues are related to the server and not IPS because it was IPS that advised me to update the PHP.

Lol.

[sweethoney]

On 4/25/2017 at 3:25 AM, Washerhelp said:

Thanks, although the issue is about being notified of warnings rather than how to deal with these specific ones. I've sadly just found another example of this issue. Two people have recently complained that they are receiving a server error when trying to post. So I logged into my Dashboard and clicked "support/Something isn't working correctly". I was then shown another warning -

"You are running the latest version, but there are known issues:

An issue has been identified with PHP7.1 when using the Zend Opcache extension that may cause features on your site, such as member posting, not to work correctly. To resolve this issue, please disable the Zend Opcache PHP extension. The underlying issue is related to a third party library used by the Community Suite which has been updated in our upcoming 4.2 release, at which point the Opcache extension may be re-enabled"

I apologise if I'm not using the control panel properly or misunderstanding something, but again I find this quite astounding, and to be honest unacceptable as a paying customer.

Here's how it feels to me -

I was advised a new version of IPS was available. I updated and was advised that upgrading to PHP 7 was recommended.

I upgraded to PHP 7 

After upgrading to PHP 7, IPS ran tests and discovered 3 security issues related to PHP 7 - 1 of them "serious". It didn't tell me, or in anyway flag up that there were new security warnings found. Then (presumably some time later) IPS discovered the above issue with the Zend Opcache extension that can cause some users to be unable to post. But again IPS or my Control panel didn't tell me. I only discovered it after trying to contact support.

How is it possible that these things are found but not notified? They deserve to be flagged on the Dashboard with far more priority than the current relatively benign notifications about members waiting for approval, how many people have registered recently and the percentage of users by app.

I appreciate there might be an argument that anyone running and administrating forums should maybe constantly roam around in the control panel. But I can't be the only person that uses the control panel like I do. I open control panel to carry out specific tasks like deal with a member issue or maybe edit an advert etc. So when I go to control panel it opens up on my dashboard. I look at the information in the dashboard before moving directly to the area I came to deal with and then log out. I thought dashboards were the place where an admin can quickly get a look at how things are going. Anything important should be there surely? 

How can there be known security or php issues that are not there for admins to see? Why is the information essentially hidden and left for us to chance across? I don't think it's fair to say that these particular issues are related to the server and not IPS because it was IPS that advised me to update the PHP. Basically if IPS has looked for and found any security or functional issues related directly or indirectly to the forums they should be flagged up to admins - ideally on the dashboard please

 

same here i have that same issue on my test site

when you switch it to 5.6 it will still say the same thing it must be a bug because i dont have any of those installed in my php

 

[Rhett]

To clarify on the php 7.1 issue noted, it does not affect all setups of php 7.1 and opcache, I can count on one hand how many customers I have seen affect, it is a valid bug with some configurations, however it does not apply to everyone that is running php 7.1 and zend opcache. It's posted as a notice in the support tool area and/our release notes. You would normally run the support tool on any sign of an issue first, so the information is noted there for that reason. (if you are affected, follow it) if you are not, there is no reason to do anything. This one is not a security warning, only information if you are having issues. 

 

[Washerhelp]

11 hours ago, Rhett said:

To clarify on the php 7.1 issue noted, it does not affect all setups of php 7.1 and opcache, I can count on one hand how many customers I have seen affect, it is a valid bug with some configurations, however it does not apply to everyone that is running php 7.1 and zend opcache. It's posted as a notice in the support tool area and/our release notes. You would normally run the support tool on any sign of an issue first, so the information is noted there for that reason. (if you are affected, follow it) if you are not, there is no reason to do anything. This one is not a security warning, only information if you are having issues. 

 

Thanks. When my first user emailed me saying they couldn't post I checked my site, it seemed OK. So I replied back asking for more details but they didn't respond. I couldn't see any issue with my forums so I left it at that. It was only after another user emailed me a week later that I decided to contact support. That's when I saw the notice. If I'd have been notified about the identified issue I would have been able to deal with it before another user had the frustration of not being able to post. Presumably someone has to make judgement calls about these things but I don't think it would do any harm to keep us more informed - especially on the dashboard. 

As with my original point about the security issues it feels to me as a customer of IPS that the system is aware of issues but leaving me to discover them myself instead of letting me know asap. It's puzzling to me that software I am using identifies known bugs and serious security issues but doesn't proactively notify users about them. What possible harm could it do to put newly found security warnings on the dashboard so as soon as an admin logs in they can see them?

[The Old Man]

I can see both sides of the argument here, but at the end of the day, surely it's in everyone's best interest and best practice that security (and reliability) issues/concerns are for what it would take to implement, prominently displayed within the AdminCP, visible on the first AdminCP page when logging in and perhaps even by a courtesy email notification alert to the admin.

I've also noticed this before myself, sometimes my web hosting company might sort an issue with htaccess or there is an update, and suddenly my server has dangerous functions but the php ini is no longer recursive in all sub-folders, but I don't know about it until I next click on the AdminCP Security page, which 99.9% of the time stays the same. Or I run the Support Tool to recache everything to make some widget changes live sooner, and then I see a notice about some issue or another. 

When I say in everyone's best interest, I think this includes IPS and the Admin, Members (in terms of getting a service and knowing their personal data is safe), the Web Hosting provider (in terms of security, support time and overall service), and potentially even other third party users on the same web hosting server, but certainly it certainly includes IPS from the perspective of helping elevate the profile and quality of their product from security and reliability aspects; also because it could result in less restorative and fault diagnosis time in terms of Support. Reduced Support resource consumption is better for IPS and the customers who rely on it.

 

[Simon Woods]

IPS already include notices for security, they're even stuck to the top of your site and ACP with no way of dismissing them.

From what I can gather those messages are for security issues that affect (or have the potential to affect) a significant number of people, whilst the issues described in this topic are for a small group of people -- as Rhett's anecdotal evidence points to. So my questions is, why should a lot of people have their ACP dashboard show them alarming messages that have nothing to do with them, when in reality for people who are self-hosted you are going that route and accepting a lot of responsibility for managing these things?

You are self hosted, which means that you manage your set up, you keep on top of news and information about these types of issues, and you are answerable to the people who interact with your site. Either get on board with self-hosting or GTFO.