[Post by Gavin]

Hello flatboard community,

I am going to be working on a new security plugin called FlatSecurity. If anyone has a better name, please tell me; I'm terrible with project names.

What is this

This is a Flatboard personal risk management addon that will detect any software that might be a risk to this software or your device.

@Fred please don't make this because I want to make it.

Objectives
  • Manual/auto detection of security risk codes
  • Displays the risk and how to improve it
  • Has a levelling system for the risk (customizable ranking): low, medium, high, and severe
  • It would use the CVE guidelines and CWE guidelines to label the information security risks
  • Security history will always be stored (this CANNOT be deleted)
Configurations
  • Customizable security rankings
  • Scheduled automation (hourly, daily, weekly, monthly, and yearly)
  • Select a file/folder for a quick check for any vulnerabilities
  • Actions:
    • Quick Scan (Scans a specific directory)
    • Quarantine (Quarantines a file or directory)
    • Remove (Removes a file or directory)
  • Resolve options
    • False positive - Alert has found a false positive
    • Used in test - Ignore the directory/file because it was used for testing purposes
    • Won't fix - Means you fixed the issue but it still reads it.
    • Description: A short description of closure
Administrator side
  • Security history outline of past security risks that may have been found. This is to prevent future problems
  • Number of security risks in the past 1h, 24h, 1w, 1m, 1y
  • A graph showing the risks and threats
  • It will show the number of each malware type, i.e. virus, adware, ransomware, spyware, rootkits, keyloggers, bots, fileless malware, cryptojacking, and wiper attacks
  • View quarantine/removed files
APIs
  • FlatSecurity::quickScan(string|string[] $FileOrDir): SecurityReport - Does a quick scan for any list of vulnerabilities in a directory(ies)/file(s).
  • FlatSecurity::quarantine(string|string[] $FileOrDir): bool - Quarantines any file(s)/directory(ies) and returns a boolean indicating whether it successfully did the task.
  • FlatSecurity::remove(string|string[] $FileOrDir): bool - Removes any file(s)/directory(ies) from the device
  • FlatSecurity::setSchedule(int $time, string $duration): void - Sets the automation schedule time. time is the number of durations and duration is the short version of the unit, i.e. s=>seconds; i=>minutes; h=>hours; d=>days; m=>months; y=>years
  • FlatSecurity::scanUpload(string $name, string|array $settings='balanced'): SecurityReport - Scans everything from the uploaded file. You can customize your settings:
Setting                    | Lazy                                                               | Balanced                                 | Strict
---------------------------|--------------------------------------------------------------------|------------------------------------------|---------------------
File types                 | Documents, Images, Audio/Video, Archives, Code/Scripts, Executables | Documents, Images, Audio/Video, Archives | Documents, Images
Max file size              | 250 MB                                                             | 25 MB                                    | 5 MB
MIME + magic bytes         | ⚠️ Partial                                                          | ✅ Required                               | ✅ Required
AV scanning                | ❌ No support                                                       | ✅ Supported                              | ✅ Supported
Content sanitization       | ❌ No support                                                       | ✅ Supported                              | ✅ Supported
Storage isolation          | ✅ Supported                                                        | ✅ Supported                              | ✅ Supported
Execution disabled         | ✅ Supported                                                        | ✅ Supported                              | ✅ Supported
Logging & alerts           | ⚠️ Partial                                                          | ✅ Supported                              | ✅ Supported
File naming                | Original name                                                      | Sanitized                                | Randomized UUID
Multiple files per request | ✅ Allowed                                                          | ⚠️ Allowed with limit                     | ❌ Disabled
Error handling             | Silent / generic                                                   | User-friendly                            | Logged + generic
CSRF protection            | ❌ No support                                                       | ⚠️ Enabled                                | ✅ Required

PHP array (if used for custom settings)

$config = [
    'types'        => '...',      # file extensions (without the ".")
    'size'         => 5000000,    # in bytes
    'mmb'          => true,       # MIME + magic bytes TRUE/FALSE
    'avscanning'   => true,       # AV scanning TRUE/FALSE
    'sanitization' => true,       # content sanitization
    'isolation'    => false,      # storage isolation
    'execution'    => false,      # execution
    'logging'      => false,      # logging
    'alerts'       => false,      # alerts
    'naming'       => 'original', # file naming: 'original', 'sanitize', 'random'
    'multiple'     => false,      # multiple files
    'error'        => 'silent',   # 'silent', 'friendly', 'logged'
    'csrf'         => true,       # CSRF protection
];
  • FlatSecurity::ScanCompression(string $zip): SecurityReport - Scans through any compressed files, i.e. zip, 7Z, RAR, etc.
  • FlatSecurity::getMalwareType(string $codeline): string - Detects the kind of malware based on the type of code
  • FlatSecurity::getCVE(SecurityReport $report): string - Returns the CVE guideline issue
  • FlatSecurity::getCWE(SecurityReport $report): string - Returns the CWE guideline issue
  • FlatSecurity::isXSS(string $code): bool - Returns a boolean if there is an XSS
  • FlatSecurity::isSQLInjection(string $code): bool - Returns a boolean if there is a SQL injection
  • FlatSecurity::isVirus(string $file): bool - Returns a boolean if the file is a virus
  • FlatSecurity::isAdware(string $file): bool - Returns a boolean if the file is adware
  • FlatSecurity::isRansomware(string $file): bool - Returns a boolean if the file is ransomware
  • FlatSecurity::isSpyware(string $file): bool - Returns a boolean if the file is spyware
  • FlatSecurity::isRootkit(string $file): bool - Returns a boolean if the file is a rootkit
  • FlatSecurity::isKeyLogger(string $file): bool - Returns a boolean if the file is a keylogger
  • FlatSecurity::isBot(string $file): bool - Returns a boolean if the file is a bot
  • FlatSecurity::isFileless(string $file): bool - Returns a boolean if the file is fileless malware
  • FlatSecurity::isCryptojacking(string $file): bool - Returns a boolean if the file is cryptojacking
  • FlatSecurity::isWiper(string $file): bool - Returns a boolean if the file is a wiper attack

More will be added in future updates.

Diagram

Note: This is an AI-generated diagram, so it may not be to scale.

[image: flatsecurity_uml_diagram]

Edited on  Mar 26, 2026  By  Gavin .

[Post by Fred]

Hi Gavin,

The initiative is nice and you've clearly put some thought into it, but I just released a new update of Flatboard and you're already proposing a security plugin — have you actually had the time to audit this new version first?

Also worth noting: this is still just an idea at this stage, the plugin doesn't even exist yet. I think security shouldn't be delegated to a plugin — it belongs in the core engine itself. A security plugin, by definition, is installed after the fact, can be disabled, misconfigured, or simply forgotten. If something feels lacking in Flatboard's security, the right approach is to report it as a Security vulnerability directly on the contact page, not to compensate with an external layer that may never be finished.

Flatboard already covers the serious bases natively: CSRF protection with a global middleware, 2FA/TOTP, rate limiting, upload validation with an extension whitelist and MIME verification, AES-256-CBC encryption, an audit log, and a full HTTP security header stack — including CSP with a plugin hook system, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. XSS escaping is also consistently handled across views. This isn't a forum built from scratch with no security in mind.

Back to FlatSecurity: beyond the architectural question, there are also deeper design issues in the proposal itself. Malware detection through PHP pattern-matching (isVirus(), getMalwareType(), isXSS()…) without a real AV engine like ClamAV will inevitably generate false positives and miss obfuscated threats. The Lazy mode of scanUpload is actually below what Flatboard already does natively. And a plugin capable of deleting arbitrary files on the server (FlatSecurity::remove()) becomes an attack vector in itself if it contains the slightest flaw.

Good luck with your projects!

Edited on  Mar 20, 2026  By  Fred .

[Post by Gavin]

Fred

I had some level of time with the security.

I guess I'll break it down to what the actual purpose of the plugin is, since I may have made it too complex. It's supposed to be a UI risk management system. So realistically it's supposed to document any issues that are found, not just in the core aspect but before installing a plugin or addon, and it will check if the plugin is safe, which I don't think ClamAV checks for (any bad code in JS), based on what I read in the documentation. So it's not 100% targeting frontend issues; it's also checking the backend problems. This will lower the amount of time anyone spends searching for it.

Long story short, it's just a quicker way to report issues without having users running around the source code finding issues to break in, since they can be missed. This is basically a plugin version of Windows Defender, sort of.

It's still in the planning mode, so it's not 100% what I would like it to be, or something like that.

Here are a few issues with TOTP, rate limiting, and upload validation:

TOTP risks:

  1. Brute force
  2. TOTP secret can be stolen and extracted into 6 digits using outside tools, which I would guess also applies if a developer adds/publishes an addon; all they have to do is
$user['two_factor_secret']

With that in mind, all I have to do is send the code over to myself (through random software), use an extraction tool to have it split into 6 digits, which leads to a break-in to the TOTP.

Rate limiting

  1. Brute force
  2. It only checks the IP address, so a VPN change will surely bypass the rate limit and really makes it easier to brute force. Also yes, I do know how to create DDoS attacks that change IP addresses.
$this->rateLimiter->check('rss_feed', $ip, self::RATE_LIMIT_ATTEMPTS, self::RATE_LIMIT_WINDOW)

Upload validation

  1. It only checks the front end of it and not the content, so if the code isn't being read, it will miss it entirely, and I bet you probably don't have the time to check the code before publishing it, especially if someone uploads their plugin to GitHub and it doesn't get reviewed at all.

"A security plugin, by definition, is installed after the fact, can be disabled, misconfigured, or simply forgotten."

You must not know the power of JavaScript 😂.


Also, your audits are just activity audits; that's not a security audit, because it's missing important things like login history.

The point of the plugin is to do all that running in the background.

Lazy mode is designed to be terrible so you don't use it, unless the user wants to.

As any cybersecurity professional would say:

The best way to have the best security is to have documentation of the past so you don't repeat the same mistakes.

Anyway, that's my rundown rambling.

Edited on  Mar 20, 2026  By  Gavin .
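The IP-only limiter shown in the post above (the `check('rss_feed', $ip, ...)` call) is bypassed by rotating the source address. The following is an added example, not Flatboard code and not the plugin's code: a limiter that budgets attempts per IP and per target account at the same time, so rotating IPs alone does not reset the budget against one account, which is what matters for a 6-digit TOTP guess. The class name, the thresholds, the in-memory storage and the sample IPs are assumptions made for this example.

```php
<?php
// Added example (not Flatboard code): a login rate limiter that keys on
// the client IP AND the target account. An attacker rotating IPs still
// runs into the per-account ceiling; a single noisy IP still runs into
// the per-IP ceiling. Storage is an in-process array for the demo; a real
// deployment would use the application's existing persistent store.

final class DualKeyRateLimiter
{
    /** @var array<string, int[]> timestamps of recent attempts, per key */
    private array $attempts = [];

    public function __construct(
        private int $maxPerIp      = 20,   // assumed threshold per IP per window
        private int $maxPerAccount = 5,    // assumed threshold per account per window
        private int $windowSeconds = 900,  // assumed 15-minute sliding window
    ) {}

    /** Drop timestamps older than the window and return how many remain. */
    private function hits(string $key, int $now): int
    {
        $cutoff = $now - $this->windowSeconds;
        $this->attempts[$key] = array_values(array_filter(
            $this->attempts[$key] ?? [],
            fn (int $t) => $t > $cutoff
        ));
        return count($this->attempts[$key]);
    }

    /**
     * Returns true if the attempt may proceed, false if either budget is
     * exhausted. Both counters are incremented only for allowed attempts,
     * so a blocked attempt cannot be used to lock out a third party's IP.
     */
    public function check(string $action, string $ip, string $account, ?int $now = null): bool
    {
        $now ??= time();
        $ipKey   = "$action:ip:" . $ip;
        $acctKey = "$action:acct:" . strtolower($account);

        if ($this->hits($ipKey, $now) >= $this->maxPerIp
            || $this->hits($acctKey, $now) >= $this->maxPerAccount) {
            return false;
        }
        $this->attempts[$ipKey][]   = $now;
        $this->attempts[$acctKey][] = $now;
        return true;
    }
}

// Demo (constructed input): ten attempts against one account, each from a
// fresh IP. An IP-only limiter would allow all ten; this one stops at five.
$limiter = new DualKeyRateLimiter(maxPerIp: 20, maxPerAccount: 5);
$allowed = 0;
for ($i = 0; $i < 10; $i++) {
    $ip = '198.51.100.' . ($i + 1);   // documentation range, new address each loop
    if ($limiter->check('login', $ip, 'alice')) {
        $allowed++;
    }
}
echo "Attempts allowed against 'alice' across 10 distinct IPs: $allowed\n";
```

The per-account key also needs a normalised form of the identifier (lower-casing is shown; trimming and Unicode normalisation may apply depending on how usernames are stored), otherwise `Alice` and `alice` get separate budgets.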

[Post by Fred]

Thanks for the initiative, but I need to correct a few points based on Flatboard's actual source code.

Your main criticism was about upload validation — you claimed it was only done on the frontend. In practice, UploadService (the centralized service used by the avatar, markdown image, and attachment endpoints) already does:

  • Server-side MIME detection with finfo_file() on the actual file content
  • Magic byte verification (binary signatures: JPEG, PNG, GIF, PDF, ZIP, RAR…)
  • Archive content scanning for ZIP/RAR/7Z (forbidden extensions, path traversal…)
  • Optional ClamAV antivirus integration
  • Upload rate limiting via a dedicated middleware

There was indeed one weak spot: the legacy upload() endpoint still used $_FILES['type'], which is browser-supplied and trivially forgeable. That was simply a missed migration to UploadService. Two lines to fix — done in 5.3.1, no plugin needed.

On your other points:

  • TOTP brute-force: there is already a rate limiter on authentication attempts.
  • Rate limiting bypassable via IP rotation: that is an inherent limitation of any IP-based rate limiter — a plugin would not change that.

A security audit dashboard (login history, 2FA failures, rejected uploads) would be genuinely useful and realistic. But that does not require a malware scanner, quarantine, or file deletion capabilities — those features introduce more risk than they solve, and duplicate what the core already handles.

That last part is actually a good idea worth pursuing — if you want to scope a plugin around surfacing existing security events into an admin dashboard, that would be a real contribution.

One last thing: please avoid using the "Flat" prefix for your plugin name. That prefix is reserved for official Flatboard plugins — using it would create confusion about whether it is maintained or endorsed by the project.

Edited on  Mar 20, 2026  By  Fred .

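Both the "MIME + magic bytes" setting in the scanUpload table of the first post and the `$_FILES['type']` weak spot Fred describes above come down to the same check: the type claimed in the request versus the bytes actually on disk. The following is an added example and is not Flatboard's UploadService: it places a check that trusts the browser-supplied type next to one that requires the extension whitelist, `finfo` content sniffing and the leading magic bytes to all agree. The class name, the whitelist, the signature table and the two constructed files are assumptions for this example.

```php
<?php
// Added example (not Flatboard's UploadService). Contrasts a check that
// trusts the client-supplied $_FILES['type'] with one that derives the type
// from the file's own bytes. Whitelist and signatures are assumptions.

final class UploadCheck
{
    /** Allowed extension => MIME types the content must actually have (assumed whitelist). */
    private const ALLOWED = [
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    /** Leading byte signatures (magic bytes) for each accepted MIME type. */
    private const MAGIC = [
        'image/png'       => "\x89PNG\r\n\x1a\n",
        'image/jpeg'      => "\xFF\xD8\xFF",
        'image/gif'       => "GIF8",
        'application/pdf' => "%PDF-",
    ];

    /** Weak: trusts the request. Any payload sent with type=image/png passes. */
    public static function weakCheck(array $file): bool
    {
        return in_array($file['type'], ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'], true);
    }

    /**
     * Strong: extension whitelist, finfo on the content, and magic bytes must
     * all agree. Returns the verified MIME type, or null to reject the upload.
     */
    public static function strongCheck(string $path, string $originalName): ?string
    {
        $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            return null;                                // extension not whitelisted
        }
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime  = $finfo->file($path);                   // sniffed from content, not from the request
        if ($mime === false || !in_array($mime, self::ALLOWED[$ext], true)) {
            return null;                                // content type does not match the extension
        }
        $head = (string) file_get_contents($path, false, null, 0, 16);
        if (!str_starts_with($head, self::MAGIC[$mime])) {
            return null;                                // signature mismatch
        }
        return $mime;
    }
}

// Demo with two constructed files: a minimal PNG header, and a PHP script
// renamed to .png (the classic "image" upload that is really code).
$tmp = sys_get_temp_dir();
file_put_contents("$tmp/real.png",  "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
file_put_contents("$tmp/shell.png", "<?php echo 1;");

// A forged request: the client claims image/png for the renamed script.
$forged = ['name' => 'shell.png', 'type' => 'image/png', 'tmp_name' => "$tmp/shell.png"];
var_dump(UploadCheck::weakCheck($forged));                          // client claim accepted
var_dump(UploadCheck::strongCheck("$tmp/shell.png", 'shell.png'));  // rejected on content
var_dump(UploadCheck::strongCheck("$tmp/real.png",  'real.png'));   // accepted as image/png

unlink("$tmp/real.png");
unlink("$tmp/shell.png");
```

The type check is only the first gate: the stored file should still get a randomised name, live outside the web root (or in a directory where execution is disabled), and pass through whatever archive or AV scanning the policy requires, which is what the "Storage isolation" and "Execution disabled" rows of the table above refer to.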
[Post by Gavin]

Fred

Alright, I have changed the name to SecureGuard.

Here is a snapshot (in progress) of what it may look like for the admin side:
[image: admin]

Obviously it's in build right now, but it's going to scan through files and their contents to make sure it's safe to execute, and it will automatically disable any suspicious activity on the software.

[Post by Gavin]

Here is the UI format:

[image: UI]

@Fred, are you able to make a public API for plugins/themes so it returns the current public versions for them? The reason is to be able to pull the metadata of those so it compares to the user's current version, which will allow it to warn any users of an outdated version. Also (I know this is supposed to be a bug report), but your current core version update checker doesn't work on my end and returns a certificate error, which I have something else to help out with.

6 posts; post #1 posted 20 Mar 2026.