21
redheadedrod
Re: Security module Profile

Of course after I posted this I got called into work. I will likely not get to Profile until later in the week but it should be a relatively easy fix I believe. Just will take some time to track it down and test it out. I am going to shoot for next weekend since this weekend is pretty much shot for me coding wise with the projects I have yet to get finished up. Plus with us due to have more storms I may get called into work again.

22
tatane
Re: Security module Profile
  • 2013/10/13 12:07

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


There is also another bug with the module profile. In addition to completing the fields they do not have access, they are able to create accounts with the same name!

23
redheadedrod
Re: Security module Profile

I will (hopefully) be looking at Profile this week. Please explain a little further what you mean?

I am basically only looking to do security improvements and bug fixes at this time.

Are you saying they can make new accounts with a user name that is already being used?

If this is the case this is certainly a bug that needs to be addressed and I will do that when I am looking through the verification stuff.

Rodney

24
tatane
Re: Security module Profile
  • 2013/10/13 13:10

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


Quote:

redheadedrod wrote:
Are you saying they can make new accounts with a user name that is already being used?


Exactly

25
redheadedrod
Re: Security module Profile

Ok, I am assuming there is no server side verification with profile which is dangerous but I have not had time to look at it yet.

I will do so when I look at the code.

26
redheadedrod
Re: Security module Profile

Ok, I am in a lull in my classes and between Richard and I (Mostly Richard) we have found that Profile has some serious deficiencies that not only allow spammers easy access but also presents a reason for spammers to gain many log entries.

After I update the MySQLi connector to be included as an extra with 2.5.7 I will be devoting my free time to locking down Profile. I will be hopefully removing not only the easy spam logins but also try to make it so it is not attractive to do it in the first place.

Rodney

Login

Who's Online

145 user(s) are online (127 user(s) are browsing Support Forums)


Members: 0


Guests: 145


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Dec 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits