Re: Security module Profile [Module usage questions]

21

Re: Security module Profile

2013/10/5 19:42
redheadedrod
Home away from home
Posts: 1296
Since: 2008/2/26

Of course after I posted this I got called into work. I will likely not get to Profile until later in the week but it should be a relatively easy fix I believe. Just will take some time to track it down and test it out. I am going to shoot for next weekend since this weekend is pretty much shot for me coding wise with the projects I have yet to get finished up. Plus with us due to have more storms I may get called into work again.

22

Re: Security module Profile

2013/10/13 12:07
tatane
Just can't stay away
Posts: 649
Since: 2008/5/6 1

There is also another bug with the module profile. In addition to completing the fields they do not have access, they are able to create accounts with the same name!

23

Re: Security module Profile

2013/10/13 13:05
redheadedrod
Home away from home
Posts: 1296
Since: 2008/2/26

I will (hopefully) be looking at Profile this week. Please explain a little further what you mean?

I am basically only looking to do security improvements and bug fixes at this time.

Are you saying they can make new accounts with a user name that is already being used?

If this is the case this is certainly a bug that needs to be addressed and I will do that when I am looking through the verification stuff.

Rodney

24

Re: Security module Profile

2013/10/13 13:10
tatane
Just can't stay away
Posts: 649
Since: 2008/5/6 1

Quote:

redheadedrod wrote:
Are you saying they can make new accounts with a user name that is already being used?

Exactly

25

Re: Security module Profile

2013/10/13 17:59
redheadedrod
Home away from home
Posts: 1296
Since: 2008/2/26

Ok, I am assuming there is no server side verification with profile which is dangerous but I have not had time to look at it yet.

I will do so when I look at the code.

26

Re: Security module Profile

2013/10/24 21:13
redheadedrod
Home away from home
Posts: 1296
Since: 2008/2/26

Ok, I am in a lull in my classes and between Richard and I (Mostly Richard) we have found that Profile has some serious deficiencies that not only allow spammers easy access but also presents a reason for spammers to gain many log entries.

After I update the MySQLi connector to be included as an extra with 2.5.7 I will be devoting my free time to locking down Profile. I will be hopefully removing not only the easy spam logins but also try to make it so it is not attractive to do it in the first place.

Rodney

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Re: Security module Profile

Re: Security module Profile

Re: Security module Profile

Re: Security module Profile

Re: Security module Profile

Re: Security module Profile

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}