marktortolano
Starting Member
12 Posts |
Posted - 11 June 2002 : 08:23:37
|
Hi,
I'm running 3.3.04, with the Active Users 3.4b and WhoIsInside mods.
I have a single forum which is set to Allowed Member List (hidden). Despite this, I keep finding guests accessing the forum, including even being seen accessing individual topics. What is going on, and how do I prevent this?
Thanks
|
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
marktortolano
Starting Member
12 Posts |
Posted - 11 June 2002 : 08:30:17
|
OK, am on the case now - is this a known issue with 3.3.04?
|
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 11 June 2002 : 08:45:30
|
quote:
OK, am on the case now - is this a known issue with 3.3.04?
Yeah, some "tampered cookie" related bug, if I can remember it. Upgrading should fix it. If the problem persists please post again.
------------------------------------------------- Installation Guide | Do's and Dont's | MODs |
 |
|
HuwR
Forum Admin
    
United Kingdom
20600 Posts |
Posted - 11 June 2002 : 13:35:56
|
1) This is not an issue with Snitz, but the Mods. You need to make sure the mods are behaving correctly as well as installing the security fixes in 3.3.05, so check the Mod forums for any problems relating to these Mods
|
 |
|
marktortolano
Starting Member
12 Posts |
Posted - 11 June 2002 : 14:49:00
|
cool - thanks guys.
|
 |
|
marktortolano
Starting Member
12 Posts |
Posted - 17 June 2002 : 19:47:08
|
I have upgraded to 3.3.05 and looked around for any security issues regarding the mods in this forum but not found anything.
The guest is still getting into the restricted forum. Can anyone help?
Thanks,
Mark
|
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 17 June 2002 : 19:53:36
|
Do you know how he is doing it? Maybe have a look at your server logs and let us know what you found out?
------------------------------------------------- Installation Guide | Do's and Dont's | MODs
Edited by - ruirib on 17 June 2002 20:03:59 |
 |
|
marktortolano
Starting Member
12 Posts |
Posted - 17 June 2002 : 20:00:40
|
quote:
Do you know how he is doing it? Maybe have a look at your server logs and let us know what you found out?
No problem - will get hold of log snippet and post tomorrow. Thanks.
|
 |
|
BWJM
Junior Member
 
Canada
193 Posts |
Posted - 20 July 2002 : 23:56:20
|
This is the most relevant topic I could find to my problem - I hope someone can lend some expertise...
I'm running a highly tweaked 3.3.03 (as far as I can tell) and we've got Active Users installed.
I've also got a couple forums that are "Allowed Member List (hidden)". Now, my problem arises because when one of those allowed members is viewing a topic in the hidden forum, the Active Users list displays the topic name to any users, even if they're not logged in. This presents a security risk since topic names by definition contain information about the topic being discussed. The reason that information is in a hidden forum is so that the information is limited to a select group of members and not the general public.
What I would like to do is hide those topic names from users who are either not logged in or who do not have access to the forum in which they reside. If that's not possible, then just to hide the topic names if the forum is protected in any way (password, hidden, member list, etc.). Oh, another obvious thing is to not provide a link to the topic either in such cases.
I'm at a loss about how to proceed with this fix. I would appreciate any help anyone can offer. I'm prepared to post any required code but since I am discussing a security vulnerability, I will not divulge the address of my forums to anyone other than staff of this website.
Thank you!!!
 "At first you appear intelligent, but when you open your mouth, the effect is spoiled."  |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
dayve
Forum Moderator
    
USA
5820 Posts |
Posted - 21 July 2002 : 00:39:49
|
I have to chime in on this one because nowhere did I read that this "guest" posted in the members (hidden) area. I am pretty sure I know what the issue here is because I have witnessed it at my forum. Here's the deal.
If an exclusive member that has access to a private forum is reading or posting a topic in the private forum it will show in Active Users. If someone clicks on the Viewing OR Posting link in Active Users it will display a message stating that they do not have privileges to view the private area BUT Active Users will show as if this person is in the Private Area when they are NOT.
Bottom line is, although this is a bug, it is not a security breach... now if this guest is actually posting then yes, you have a huge problem, but I'm inclined to think they can not. To test this theory, get an exclusive member to enter the Private Forum and read a topic, then using a generic account go to Active Users where you will see someone in a private thread. If you click on the link in Active Users you will NOT get in. I was concerned about this long ago and did some testing and to my relief it was not a breach of security. When I was running 3.1 I edited Active Users to EXCLUDE any information about Private Forums while in Active Users making it essentially stealth.
Anyway, that's my take on this issue....
 http://www.nineinchnailz.com |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 21 July 2002 : 06:40:14
|
Dayve, I believe what BWJM wanted was for the topic title not to be shown, since he considered that a security liability by itself.
------------------------------------------------- Installation Guide | Do's and Dont's | MODs |
 |
|
dayve
Forum Moderator
    
USA
5820 Posts |
Posted - 21 July 2002 : 13:11:50
|
quote:
Dayve, I believe what BWJM wanted was for the topic title not to be shown, since he considered that a security liability by itself.
My response was mainly for marktortolano because I needed to know if he was saying that in fact guests were posting in private forums.
 http://www.nineinchnailz.com |
 |
|
BWJM
Junior Member
 
Canada
193 Posts |
Posted - 21 July 2002 : 13:29:05
|
quote: What Active Users version are you using?
I don't know. How do I figure that out?
quote: Dayve, I believe what BWJM wanted was for the topic title not to be shown, since he considered that a security liability by itself.
Yes, my concern was that when a privileged user - such as an admin - is viewing a topic in a protected forum, the topic name is displayed in the Active Users list, which I consider a liability.
When a "guest" clicks on a link to a protected topic, they get the "no permissions" error and it shows that they're viewing the protected thread, but they really aren't. I don't have a problem with guests being able to click links or get stopped at the "no permissions" page, but I do have a problem with the topic name being displayed publicly.
 "At first you appear intelligent, but when you open your mouth, the effect is spoiled."  |
 |
|
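The two behaviours discussed above (a guest stopped at the "no permissions" page still being listed as viewing the topic, and topic titles from restricted forums appearing in the Active Users list) are modelled below as an added example; it is not code from this thread, from Snitz, or from the Active Users mod. All class, function and label names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical data model; none of these names are Snitz or Active Users identifiers.
@dataclass(frozen=True)
class Forum:
    forum_id: int
    allowed_members: Optional[frozenset]  # None = public forum

@dataclass(frozen=True)
class Session:
    user: Optional[str]         # None = guest
    forum_id: Optional[int]     # forum of the last page actually served
    topic_title: Optional[str]

def can_view(forum, user):
    """The same access decision the topic page itself has to make."""
    if forum.allowed_members is None:
        return True
    return user is not None and user in forum.allowed_members

def record_location(forums, user, forum_id, topic_title):
    """Store a location only after the access check passes, so a visitor
    stopped at the "no permissions" page is not logged as reading the topic."""
    if can_view(forums[forum_id], user):
        return Session(user, forum_id, topic_title)
    return Session(user, None, None)

def active_users_view(forums, sessions, viewer):
    """Rows (name, label, linked) the list may show to `viewer`: no title
    and no link for forums the viewer cannot open."""
    rows = []
    for s in sessions:
        name = s.user or "Guest"
        if s.forum_id is None:
            rows.append((name, "Browsing the forums", False))
        elif can_view(forums[s.forum_id], viewer):
            rows.append((name, s.topic_title, True))
        else:
            rows.append((name, "In a private forum", False))
    return rows

# Constructed sample data: forum 2 uses an allowed member list.
FORUMS = {1: Forum(1, None), 2: Forum(2, frozenset({"alice"}))}
SESSIONS = [
    record_location(FORUMS, "alice", 2, "Q3 budget"),
    record_location(FORUMS, None, 2, "Q3 budget"),  # guest hit "no permissions"
    record_location(FORUMS, "bob", 1, "Welcome"),
]
```

Calling `active_users_view(FORUMS, SESSIONS, None)` gives the guest's view of the list, and passing `"alice"` gives the view of an allowed member.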
BWJM
Junior Member
 
Canada
193 Posts |
Posted - 21 July 2002 : 13:32:06
|
Oh, one other note... I am subscribed to this topic but I haven't received any notifications of your replies.
 "At first you appear intelligent, but when you open your mouth, the effect is spoiled."  |
 |
|