| Re: Security module Profile |
| by redheadedrod on 2013/10/24 21:13:02 Ok, I am in a lull in my classes and between Richard and I (Mostly Richard) we have found that Profile has some serious deficiencies that not only allow spammers easy access but also presents a reason for spammers to gain many log entries. After I update the MySQLi connector to be included as an extra with 2.5.7 I will be devoting my free time to locking down Profile. I will be hopefully removing not only the easy spam logins but also try to make it so it is not attractive to do it in the first place. Rodney |
| Re: Security module Profile |
| by redheadedrod on 2013/10/13 17:59:10 Ok, I am assuming there is no server side verification with profile which is dangerous but I have not had time to look at it yet. I will do so when I look at the code. |
| Re: Security module Profile |
| by tatane on 2013/10/13 13:10:59 Quote:
Exactly |
| Re: Security module Profile |
| by redheadedrod on 2013/10/13 13:05:24 I will (hopefully) be looking at Profile this week. Please explain a little further what you mean? I am basically only looking to do security improvements and bug fixes at this time. Are you saying they can make new accounts with a user name that is already being used? If this is the case this is certainly a bug that needs to be addressed and I will do that when I am looking through the verification stuff. Rodney |
| Re: Security module Profile |
| by tatane on 2013/10/13 12:07:41 There is also another bug with the module profile. In addition to completing the fields they do not have access, they are able to create accounts with the same name! |