Topic: OA message boards - a security risk!
Charlieb000
« on: November 04, 2011, 06:52:04 PM »

I checked my profile and it has "Hide email address from public?" checked. But if you hover the mouse over the icons under my name on the left, it shows my email address (the "public" referred to could be users not logged in, and I still think THIS IS BAD, especially since there are users that don't have the envelope icon - how do I remove it?). Also, if you have an MSN account, I hovered my mouse over (for example) the user "Cacatoes"' icons and I can see his email address for other sites too. A nice big security risk - just ripe for email harvesters. If this is not fixed (and rules enforced to not have @xyz.com), I would like someone to completely remove my information, posts, etc. from this server!

I will try deleting my messages, including this message, in a few hours. No messages = no mention of my email address. D'oh! I don't think I can close topics...

Charlie.
Cacatoes
« Reply #1 on: November 04, 2011, 07:05:06 PM »

...

I voluntarily display my email address.

Yours does not appear.

Feel better?

Todo: Walk the cat.
fromhell (Administrator)
« Reply #2 on: November 04, 2011, 07:08:15 PM »

Guests can't see it, or cacatoes' either.

asking when OA3 will be done won't get OA3 done.
Progress of OA3 currently occurs behind closed doors alone

I do not provide technical support either.

new code development on github
WaspKiller
« Reply #3 on: November 04, 2011, 07:09:22 PM »

Jes*s H. Chr*st, stop being such a Drama Queen.  Either go to one of the many free e-mail sites and have an account just for your gaming activities, or get a primary account that uses both SpamAssassin and BoxTrapper.

All you have done now is bring attention to yourself.  Did it ever occur to you that the Admin could have given you an appropriate answer via the Forum's Private Messaging System and that at your request he/she could remove all your posts?

Next time THINK before you post.



Calm is for LOSERS!  ANGER fuels my game and btw you're NEXT!
fromhell (Administrator)
« Reply #4 on: November 04, 2011, 07:10:57 PM »

I should note I have the best email privacy options enabled as much as I could on SMF; I don't think there's a feature for PHP email forms.


Since I manually approve accounts I try my best to keep out the spammers.
Charlieb000
« Reply #5 on: November 04, 2011, 07:13:30 PM »

OK then, I will do that.
fromhell (Administrator)
« Reply #6 on: November 04, 2011, 07:22:20 PM »

By the way, I don't like to delete accounts, and I disabled the self-deletion feature due to constant abuse (people would redact all their posts if they didn't like the fact that I keep out non-Free contributions).

You're probably best off changing to a less personal email address if you have one, or a disposable email inbox if you're overly paranoid. Be aware some trigger auto-bans though (mailinator).

I hate spammers and email harvesters as much as you do, and I respect the privacy of other users greatly.
Gig
« Reply #7 on: November 05, 2011, 04:15:02 AM »

Quote from: Charlieb000
> I checked my profile and it has "Hide email address from public?" checked. But if you hover the mouse over the icons under my name on the left, it shows my email address (the "public" referred to could be users not logged in, and I still think THIS IS BAD, especially since there are users that don't have the envelope icon - how do I remove it?). Also, if you have an MSN account, I hovered my mouse over (for example) the user "Cacatoes"' icons and I can see his email address for other sites too. A nice big security risk - just ripe for email harvesters. If this is not fixed (and rules enforced to not have @xyz.com), I would like someone to completely remove my information, posts, etc. from this server!

Hi, Charlie. I don't see your email address icon under your name, and in your profile it shows "hidden". I too have the option to hide it enabled, but I see the email icon and the address shown in my profile in this case. Thus, I suppose that with "hide email address from public", each user is the only one allowed to see his own address, while it is not shown to all other users (maybe Fromhell, the admin, could be the exception; I don't know).

If MSN accounts (I don't have one) include the email address in the URL to reach them, the problem is MSN's...
« Last Edit: November 05, 2011, 05:30:34 AM by Gig »

I never want to be aggressive, offensive or ironic with my posts. If you find something offending in my posts, read them again searching for a different mood there. If you still see something bad with them, please ask me infos. I can be wrong at times, but I never want to upset anyone.
Peter Silie
« Reply #8 on: November 05, 2011, 05:20:48 AM »

Gig is right:
the email can only be seen by yourself (you have the right to see the mail address of your account) and the board administration (they also have the right to see the email of your account).
All other user lookups do not get this information.
So no security risk.
grey matter
« Reply #9 on: November 14, 2011, 02:49:02 PM »

I just registered a few days ago and noted another issue; I got a welcome mail which contains my username and password in plain text. I seriously hope that passwords do not get saved in plaintext as well.

And if I remember correctly, I initially checked "Do NOT display my email to public" during registration, just to see that "hide email from public" was not checked after my account was approved.

This space is for rent.
Graion Dilach
« Reply #10 on: November 14, 2011, 03:37:59 PM »

First, I can't see your e-mails.

Second, passwords are saved in SHA-1 format within MySQL.

One shall remind what have he left behind... to actually realize that it's still cool.
Cacatoes
« Reply #11 on: November 14, 2011, 03:53:14 PM »

Third, the first is because s/he re-enabled that hiding option after registering.
Fourth, I haven't tried to subscribe a new account to check the fact.

:P
RMF
« Reply #12 on: November 16, 2011, 04:24:50 AM »

Quote from: grey matter
> I just registered a few days ago and noted another issue; I got a welcome mail which contains my username and password in plain text.

The mail is probably sent by the same script that registers you in the database. The script simply takes the password from what was sent via the registration form to send the email, saves it with a salted SHA-1 hash in the database, and quits. Unless your mail server is hacked, your password is not saved anywhere (well, maybe someone installed a tap on your connection, but that's quite unlikely lol).


By the way, there is actually a security risk on this forum. I don't think it's exploitable because of the current settings, but SMF 1.1.15 solves a security issue from 1.1.14, which we are currently running. You can find details about the exploit elsewhere if you're really interested; I won't post it here (it would make it too easy to go and try it on other SMF 1.1.14 forums; now you at least have to search for it yourself).

Upgrading to SMF 2 would make the forum IPv6-capable, but the server itself isn't yet anyway, so that's no use now. If the server were to get IPv6 support (if the host would add it) and we didn't block IPv6 users, SMF 1.x would say "Unknown" where the IP address should be. This means that there would be no way to track users or IP-ban people.
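As an added illustration of the flow RMF describes (and of the worry in grey matter's reply above), here is a constructed registration routine; it is not SMF's own code and does not reproduce SMF's exact salting scheme. The plaintext password exists only in memory while the welcome mail is built, and what reaches the database row is a salted SHA-1 digest. The function names (`register`, `verify_login`, `record_leaks_plaintext`), the 16-byte random salt, the column names and the sample username are assumptions for the example. A PBKDF2 variant is included beside the SHA-1 one as the hardening a practitioner would want today, since a salted SHA-1 is still cheap to brute-force offline if the table leaks.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-1 digest as RMF describes (illustrative, not SMF's exact scheme)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def hash_password_pbkdf2(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Slow-KDF alternative with the same interface: far more expensive per offline guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()


def register(username: str, password: str, kdf=hash_password) -> tuple[dict, str]:
    """Build the DB row and the welcome mail from one in-memory copy of the password.

    Returns (record, welcome_mail). The record never contains the plaintext;
    the mail does, and that is the only copy anyone will see afterwards.
    Column names and the 16-byte salt length are assumptions for this example.
    """
    salt = secrets.token_bytes(16)
    record = {
        "member_name": username,
        "password_salt": salt.hex(),
        "passwd": kdf(password, salt),
    }
    welcome_mail = (
        f"Welcome {username}!\n"
        f"Your username is: {username}\n"
        f"Your password is: {password}\n"  # plaintext goes out in the mail only
    )
    # `password` goes out of scope on return; nothing else retains it.
    return record, welcome_mail


def verify_login(record: dict, username: str, password: str, kdf=hash_password) -> bool:
    """Recompute the digest with the stored salt and compare it in constant time."""
    if record["member_name"].lower() != username.lower():
        return False
    salt = bytes.fromhex(record["password_salt"])
    return hmac.compare_digest(kdf(password, salt), record["passwd"])


def record_leaks_plaintext(record: dict, password: str) -> bool:
    """What grey matter feared: does the stored row contain the password itself?"""
    return any(password in str(value) for value in record.values())
```

The welcome mail is the weak spot here, not the database: it travels and is stored wherever the recipient's mail does, so a practitioner would treat such a password as already exposed and change it after first login.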
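The IPv6 point in RMF's reply, as an added example that is not SMF's code: an IPv4-only validator (a dotted-quad regex, constructed here to stand in for the behaviour described) records every IPv6 client as "Unknown", so no ban entry can ever match it, while a family-agnostic check stores a canonical address that ban rules, single addresses or CIDR ranges, can match. The ban lists and the addresses (documentation ranges 203.0.113.0/24 and 2001:db8::/32) are constructed for the example.

```python
import ipaddress
import re

# Legacy behaviour: only a dotted quad is accepted as a client address.
# Constructed to illustrate the failure mode; not SMF's actual validation code.
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def legacy_client_ip(remote_addr: str) -> str:
    """IPv4-only check: every IPv6 client collapses to 'Unknown'."""
    return remote_addr if _IPV4_RE.match(remote_addr) else "Unknown"


def legacy_is_banned(remote_addr: str, ban_list: list) -> bool:
    """Exact-string ban match on whatever the legacy check recorded."""
    ip = legacy_client_ip(remote_addr)
    return ip != "Unknown" and ip in ban_list


def client_ip(remote_addr: str) -> str:
    """Family-agnostic check: validate and return the canonical textual form."""
    try:
        return str(ipaddress.ip_address(remote_addr.strip()))
    except ValueError:
        return "Unknown"


def is_banned(remote_addr: str, ban_list: list) -> bool:
    """Match a client against ban entries given as single addresses or CIDR ranges."""
    ip = client_ip(remote_addr)
    if ip == "Unknown":
        return False  # an unparseable address can never match a ban entry
    addr = ipaddress.ip_address(ip)
    for entry in ban_list:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


# Constructed ban lists for the example (RFC 5737 / RFC 3849 documentation ranges).
LEGACY_BANS = ["203.0.113.77", "2001:db8:1::5"]
BANS = ["203.0.113.0/24", "2001:db8::/32"]
```

Canonicalising through `ipaddress` also means the two spellings `2001:0db8::1` and `2001:db8::1` land in the same ban lookup and the same moderation logs.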
fromhell (Administrator)
« Reply #13 on: November 16, 2011, 07:56:17 PM »

Good catch, I'll upgrade tonight.

But the problem with upgrading is that I must do it manually, and REAPPLY THAT DAMN CAPTCHA AGAIN.
Graion Dilach
« Reply #14 on: November 17, 2011, 02:52:52 AM »

Why?

If you update it through the admin section, I doubt it'd break itself. Diffs in SMF search for sections to be replaced, not lines.
fromhell (Administrator)
« Reply #15 on: November 17, 2011, 05:29:52 AM »

FTP is no longer used.