1
lavaburst
Possible security breach
  • 2004/7/10 21:15

  • lavaburst

  • Just popping in

  • Posts: 77

  • Since: 2004/6/13


Hi, I'm running XOOPS 2.0.7 and this morning noticed a malicious new username. After looking at the email address of the new user, I checked the domain name... it was not registered. So, my concern is, how can a user gain registered user access with an invalid email address? I checked the profile and looked at the last login date/time. This does not seem to match with the access log.

Any ideas would be great... what is done on XOOPS about possible security holes?


Thx, lavaburst

2
Stewdio
Re: Possible security breach
  • 2004/7/10 21:23

  • Stewdio

  • Community Support Member

  • Posts: 1560

  • Since: 2003/5/7 1


Chances are the user changed their email address after registration to avoid spam or beef up personal privacy concerns.

You could disable users from changing their email address in your preferences, although users will groan about that.

XOOPS does not revalidate an email address if it has been changed after initial registration.

3
lavaburst
Re: Possible security breach
  • 2004/7/10 21:28

  • lavaburst

  • Just popping in

  • Posts: 77

  • Since: 2004/6/13


OK, that's good to know... I wasn't aware of that possibility...

Still, they used for their username the same name as my domain, so I'm gonna have to delete them.


Thx for the tip, I'm not as concerned with that new info.


Cheers

4
ali44
Re: Possible security breach
  • 2004/7/11 3:59

  • ali44

  • Just popping in

  • Posts: 86

  • Since: 2004/5/24


The user need not have a valid email address to activate the account. The email account can be a forwarding one; for example, if I own whatever.com and forward all the email from whatever@whatever.com to my Yahoo (or any valid) email address, I can click on the link to activate the account.

5
koertzen
Re: Possible security breach
  • 2004/7/11 4:53

  • koertzen

  • Just popping in

  • Posts: 79

  • Since: 2003/10/22


You can also prevent someone from creating any user name that you want to reserve. These are found in the preferences in the system admin module. I would suggest a best practice would be to always reserve user names that are similar to your domain name as well as 'admin', 'webmaster', etc.

6
wtravel
Re: Possible security breach

You can also prevent users from using a number of specified domains in their e-mail addresses. This option can be found just below the reserved usernames field.

Regards,

Martijn
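
The two preferences mentioned above (reserved usernames and disallowed e-mail domains) only affect new registrations, so existing accounts still need a one-off review. The following is an added example, not part of the thread and not XOOPS code: it audits an exported user list for names that resemble the site's domain or `admin`/`webmaster`, including look-alike spellings, and for e-mail addresses in blocked domains. The site domain, the blocked domain and the user rows are constructed placeholders.

```python
import re
import unicodedata

# Constructed sample rows (username, e-mail); a real run would read an export
# of the site's user table instead.
SAMPLE_USERS = [
    ("lavaburst", "owner@example.org"),
    ("Example-Site", "x@unregistered.invalid"),
    ("adm1n", "bob@mail.example.net"),
    ("webmaster_", "w@throwaway.test"),
    ("stewfan", "stew@example.net"),
]

# Digits and symbols commonly substituted for letters in impersonating names.
LOOKALIKES = str.maketrans("0134578@$", "oieastbas")


def normalize(name):
    """Fold case, accents, separators and look-alike characters to plain a-z."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower().translate(LOOKALIKES))


def reserved_terms(site_domain, extra=("admin", "webmaster")):
    """Reserved words: the fixed list plus the first label of the site's domain."""
    label = normalize(site_domain.lower().removeprefix("www.").split(".")[0])
    return [t for t in (*extra, label) if t]  # drop empty terms, they match everything


def audit(users, site_domain, blocked_domains):
    """Return (username, reasons) for accounts an admin should review by hand."""
    terms = reserved_terms(site_domain)
    findings = []
    for uname, email in users:
        reasons = []
        norm = normalize(uname)
        # Substring match: deliberately broad, so this is a review list only.
        hits = [t for t in terms if t in norm]
        if hits:
            reasons.append("reserved:" + hits[0])
        domain = email.rsplit("@", 1)[-1].lower()
        if any(domain == b or domain.endswith("." + b) for b in blocked_domains):
            reasons.append("blocked-domain:" + domain)
        if reasons:
            findings.append((uname, reasons))
    return findings


if __name__ == "__main__":
    for uname, reasons in audit(SAMPLE_USERS, "example-site.org", ["throwaway.test"]):
        print(uname, ", ".join(reasons))
```

Because the username check is a substring match, it will also flag harmless names that happen to contain a reserved word, so treat the output as a list to inspect rather than a list to delete.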
