1
charpres
userinfo and Google security problem
  • 2004/11/18 23:26

  • charpres

  • Not too shy to talk

  • Posts: 168

  • Since: 2003/9/4 2


I didn't find anything on this by searching, but I had a complaint from a user today who Googled his site and found that his profile from my XOOPS site was in Google and that the link takes anyone to his profile where they can edit his profile information. In other words, a link to his site was part of his profile and put his profile page into Google where anyone has access to his profile - no password, no security.

I have put userinfo.php and user.php as Disallows in robots.txt. Is there anything else I should be doing?

2
ackbarr
Re: userinfo and Google security problem

They may be able to view his information, but the only way you can modify a user's information is:

1. if you are logged in as that user
2. you are an admin (and then only within System -> Edit Users).

Can you double check his claim by googling for him as well?

3
ackbarr
Re: userinfo and Google security problem

btw - I just tried this myself. If I am already logged into the site, when I google for my URL I can modify my profile. However, if I am logged out of the website I cannot.

More than likely he was currently logged into your site when he clicked his link from Google.

4
charpres
Re: userinfo and Google security problem
  • 2004/11/18 23:42


Actually, anyone can follow the link and edit his profile. If it was just a matter of indexing his profile page it would not be a problem.

I followed the link directly from Google and edited his profile myself. I can email you the link, if you like.

5
charpres
Re: userinfo and Google security problem
  • 2004/11/18 23:47


I have to take that back. I have the autologin hack and it apparently logs me in as admin even though I am coming from the Google link. When I tried logging out from my site and then going through the Google link, there was no edit option.

Now it is just a matter of a profile display that anyone can see from the site. So, no problem. Thanks.
