1
tatane
Security module Profile
  • 2013/9/28 12:14

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


Hello

I meet from time to time a security problem with the module profile on 2.5.5 or 2.5.6

In the configuration of the module, at the entry, I was left as options: Identifiers, email, password.

Resized Image


Despite this, some spamer able to find additional fields such as url, icq, etc. while they are visiblent and editable by administrators.

Resized Image


I asked Mamba but he failed to see where the problem was.

The site is not yet open to the public, I'm ready to give access to developers as an administrator.

2
Mamba
Re: Security module Profile
  • 2013/9/28 12:58

  • Mamba

  • Moderator

  • Posts: 11251

  • Since: 2004/4/23


Quote:
I asked Mamba but he failed to see where the problem was.

As I told you in the email, we need to see that particular registration to see what has happened, and then trying to figure out how it did happen.

You gave me access to the Website, and there was only one registered person besides you and me, and this person did NOT submit any information to any fields besides those that you've allowed him to during the registration.

So if there was "no hacking" of your registration, i.e. he did not enter any information to any extra fields, and it seems like he registered the way he supposed to, then unfortunately I am not sure what you're expecting us to do?

Show us the real case where it did happen, and then we can look at your server's access logs, error logs, Protector logs, your configuration, etc. and try to figure out what has happened.

But if a spammer registers on your particular Websites that you gave me access to, following your defined process, then there is no reason to call it a "security issue"

Tatane, what you did is like telling an auto mechanic: "Hey, my car just broke down, but here - you have my other car that runs just fine, and try to figure out what is wrong with the broken car, but without seeing it or testing it". I don't think that any mechanic will be able to fix your broken car this way.

If somebody else has the same issue, and we can replicate it, please let us know, so we can look into it.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

3
tatane
Re: Security module Profile
  • 2013/9/28 13:24

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


I deleted the member because it profits me nothing to keep spammers out of my database. The only one I've kept is screen-printed

Registered members are spammers even those with ootlook.com extension because they are on StopForumSpam

Quote:

Mamba wrote:
But if a spammer registers on your particular Websites that you gave me access to, following your defined process, then there is no reason to call it a "security issue"


I gave you access to the administration but a priori you have not looked at the configuration of my module.

Quote:

Tatane wrote
In the configuration of the module, at the entry, I was left as options: Identifiers, email, password.


Here is part of my setup

Resized Image

Resized Image

Resized Image


4
tatane
Re: Security module Profile
  • 2013/9/28 13:48

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


Here is one of my website here with just with: username, email, password and website. Despite this, spameur successfully to fields not demaindé. So, I was forced to close registration

Resized Image

5
xoobaru
Re: Security module Profile
  • 2013/9/28 14:05

  • xoobaru

  • Just can't stay away

  • Posts: 494

  • Since: 2010/12/2


Quote:

"Hey, my car just broke down, but here - you have my other car that runs just fine, and try to figure out what is wrong with the broken car, but without seeing it or testing it".


This is a good example. Sometimes a good framework for comparison is necessary especially across cultural/linguistic/cerebral boundaries.

6
tatane
Re: Security module Profile
  • 2013/9/28 14:09

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


That is why I am ready to give access to my site and a dévellopeur him to explain why despite the spammer get my setup to do this.

7
tatane
Re: Security module Profile
  • 2013/10/2 15:25

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


Hello
A new spammer just register and edit fields to which he is not authorized

8
redheadedrod
Re: Security module Profile

Sounds to me like the spammer is populating all of the fields with a custom program or "bot". In otherwords they are not using a browser and they are posting all of the fields. This is the only way I can think of for this to happen.

My guess is they are currently ignoring the actual form they are being sent and sending back a form with the data in it they want. I don't believe profile has a function to verify returned fields at this time. You could do it yourself if you know how to do it. Basically look for fields containing contents. None of the default fields you are not using should be populated. You could look for those and if they are there then ignore the user. You could actually then likely add their IP address to a blocked list.

You could also insert a hidden value into your form that you expect to get back. If you do not get it back then you also know it is a bot and not to accept it.

I don't know if you can program the solution yourself or not but this is where I would go about fixing this issue.

9
Mamba
Re: Security module Profile
  • 2013/10/3 1:20

  • Mamba

  • Moderator

  • Posts: 11251

  • Since: 2004/4/23


Quote:
Sounds to me like the spammer is populating all of the fields with a custom program or "bot". In otherwords they are not using a browser and they are posting all of the fields. This is the only way I can think of for this to happen.

I arrived at a similar conclusion, and that's what I've emailed earlier to Tatane:

- it seems like XOOPS is taking all the registration fields in the background from the profile, and then checks the values against the fields that have values provided by the user via $_POST. Since the bot is posting to all or most of the fields, then XOOPS takes them and saves them in the DB.

However, as long as all the fields are properly validated/sanitized, then this is not an issue, especially since he is going to delete the spammer registration anyway. And it's actually a good check to see who the spammer is

But certainly it would be better if we only accept fields that have been explicitly selected by the Admin for registration. Hopefully in XOOPS 2.6.0, unless it is already done there...

I also recommended Tatane to do the 2-step registration, to cut down the number of bots, as currently he's got only 1-step registration
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

10
Cesagonchu
Re: Security module Profile

This Method, recommended by Mamba here seems to work

Login

Who's Online

74 user(s) are online (52 user(s) are browsing Support Forums)


Members: 0


Guests: 74


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits