Charlieb000 | Nub | Cakes 0 | Posts: 5
« on: November 04, 2011, 06:52:04 PM »
 
 i checked my profile and it has "Hide email address from public?" checked. but if you hover the mouse over the icons under my name on the left, it shows my email address (the "public" referred to could be users not logged in, and i still think THIS IS BAD, especially since there are users that don't have the envelope icon - how do i remove it?). also if you have an MSN account, i hovered my mouse over (for example) the user "Cacatoes" icons and i can see his email address for other sites too. a nice big security risk - just ripe for email harvesters. if this is not fixed (and rules enforced to not have @xyz.com), i would like someone to completely remove my information, posts, etc from this server!
 i will try deleting my messages, including this message in a few hours.. no messages = no mention of my email address. d'oh! i don't think i can close topics...
 
 Charlie.

Cacatoes | Banned for leasing own account | Posts a lot | Cakes 73 | Posts: 1427 | also banned for baiting another to violate rules
« Reply #1 on: November 04, 2011, 07:05:06 PM »
 
 ...
 I voluntarily display my email address.

 Yours does not appear.

 Feel better?

 Todo: Walk the cat.

fromhell
« Reply #2 on: November 04, 2011, 07:08:15 PM »

 Guests can't see it, or cacatoes' either.

 asking when OA3 will be done won't get OA3 done. Progress of OA3 currently occurs behind closed doors alone
 I do not provide technical support either.
 new code development on github

WaspKiller | Bigger member | Cakes 8 | Posts: 159
« Reply #3 on: November 04, 2011, 07:09:22 PM »
 
 Jes*s H. Chr*st, stop being such a Drama Queen.  Either go to the many Free E-Mail sites and have an account just for your gaming activities or get a primary account that uses both SpamAssassin and BoxTrapper.
 All you have done now is bring attention to yourself.  Did it ever occur to you that the Admin could have given you an appropriate answer via the Forum's Private Messaging System and that at your request he/she could remove all your posts?
 
 Next time THINK before you post.
 

 Calm is for LOSERS!  ANGER fuels my game and btw you're NEXT!

fromhell
« Reply #4 on: November 04, 2011, 07:10:57 PM »
 
 I should note I have the best email privacy options enabled as much as I could on SMF - there's no feature for php email forms I don't think.
 
 Since I manually approve accounts I try my best to keep out the spammers.

Charlieb000 | Nub | Cakes 0 | Posts: 5
« Reply #5 on: November 04, 2011, 07:13:30 PM »

 ok then, i will do that..

fromhell
« Reply #6 on: November 04, 2011, 07:22:20 PM »
 
 By the way I don't like to delete accounts and I disabled the self-deletion feature due to constant abuse (people would redact all their posts if they don't like the fact I keep out non-Free contributions).
 You're probably best off changing to a less personal email address if you have one, or a disposable email inbox, if you're overly paranoid. Be aware some trigger auto-bans though (mailinator).

 I hate spammers and email harvesters as much as you do and I respect the privacy of other users greatly.

Gig | In the year 3000 | Cakes 45 | Posts: 4394
« Reply #7 on: November 05, 2011, 04:15:02 AM »
 
 Quote from: Charlieb000
 "i checked my profile and it has "Hide email address from public?" checked. but if you hover the mouse over the icons under my name on the left, it shows my email address (the "public" referred to could be users not logged in, and i still think THIS IS BAD, especially since there are users that don't have the envelope icon - how do i remove it?). also if you have an MSN account, i hovered my mouse over (for example) the user "Cacatoes" icons and i can see his email address for other sites too. a nice big security risk - just ripe for email harvesters. if this is not fixed (and rules enforced to not have @xyz.com), i would like someone to completely remove my information, posts, etc from this server!"

 Hi, Charlie. I don't see your email address icon under your name, and in your profile it shows "hidden". I too have the option to hide it enabled, but I see the email icon and the address shown in my profile in this case. Thus, I suppose that in case of "hide email address from public", each user is the only one allowed to see his own address, while it is not shown to all other users (maybe Fromhell -the admin- could be the exception. I don't know). If MSN accounts (I don't have one) include the email address in the URL to reach them, the problem is of MSN ...

 « Last Edit: November 05, 2011, 05:30:34 AM by Gig »

 I never want to be aggressive, offensive or ironic with my posts. If you find something offending in my posts, read them again searching for a different mood there. If you still see something bad with them, please ask me infos. I can be wrong at times, but I never want to upset anyone.

Peter Silie | Member | Cakes 2008 | Posts: 610
« Reply #8 on: November 05, 2011, 05:20:48 AM »
 
 Gig is right: the email can just be seen by yourself (you have the right to see the mail address of your account) and the board administration (they also have the right to see the email of your account).
 all other user-lookups do not get this information.
 so no security risk.

grey matter | Member | Cakes 8 | Posts: 381 | >9k
« Reply #9 on: November 14, 2011, 02:49:02 PM »
 
 I just registered a few days ago and noted another issue; I got a welcome-mail which contains my username and password in plain text. I seriously hope that passwords do not get saved in plaintext as well.
 And if I remember correctly, I initially checked "Do NOT display my email to public" during registration just to see that "hide email from public" was not checked after my account was approved.

 This space is for rent.

Graion Dilach | Member | Cakes 12 | Posts: 403
« Reply #10 on: November 14, 2011, 03:37:59 PM »
 
 First, I can't see your e-mails.
 Second, passwords are saved in SHA1 format within MySQL.

 One shall remind what have he left behind... to actually realize that it's still cool.

Cacatoes | Banned for leasing own account | Posts a lot | Cakes 73 | Posts: 1427 | also banned for baiting another to violate rules
« Reply #11 on: November 14, 2011, 03:53:14 PM »

 Third, first is because s/he re-enabled that hiding option after registering. Fourth, I haven't tried to subscribe a new account to check the fact.

RMF | Member | Cakes 12 | Posts: 694
« Reply #12 on: November 16, 2011, 04:24:50 AM »
 
 Quote from: grey matter
 "I just registered a few days ago and noted another issue; I got a welcome-mail which contains my username and password in plain text."

 The mail is probably sent with the same script that registers you in the database. The script simply gets the password from what it sent via the registration form to send the email, saves it with a salted sha1 hash in the database, and quits. Unless your mailserver is hacked, your password is not saved anywhere (well maybe someone installed a tap on your connection, but that's quite unlikely lol).

 By the way, there is actually a security risk on this forum. I don't think it's exploitable because of the current settings, but SMF 1.1.15 solves a security issue from 1.1.14 - which we are currently running. You can find details about the exploit elsewhere if you're really interested, I won't post it here (would make it too easy to go and try it on other SMF 1.1.14 forums, now you at least have to search for it yourself).

 Upgrading to SMF 2 would make the forum IPv6-capable, but the server itself isn't yet anyway so that's no use now. If the server were to get IPv6 support (if the host would add it) and we wouldn't block IPv6 users, SMF 1.x will say "Unknown" where the IP address should be. This means that there is no way to track users or ipban people.
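
 The registration flow described in the post above, as an added example that is not part of the original thread or SMF's own code: the plaintext password exists only while the request is handled (and in the welcome mail), while the stored row holds a salted hash. It goes beyond the post by upgrading a salted SHA-1 row to PBKDF2 at the next successful login. The function names, row layout, sample credentials and work factor are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def _digest(scheme, salt, password):
    """Hash a password under the named storage scheme."""
    if scheme == "sha1":  # single salted SHA-1, as described in the post
        return hashlib.sha1(salt + password.encode()).hexdigest()
    if scheme == "pbkdf2":  # deliberately slow key-derivation function
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()
    raise ValueError("unknown scheme: " + scheme)


def register(username, password, scheme="sha1"):
    """Return (db_row, welcome_mail); only the mail holds the plaintext."""
    salt = secrets.token_bytes(16)
    row = {"user": username, "scheme": scheme, "salt": salt.hex(),
           "hash": _digest(scheme, salt, password)}
    mail = f"Welcome {username}! Your password is: {password}"
    return row, mail


def login(row, password):
    """Check a login attempt; upgrade a legacy sha1 row on success."""
    salt = bytes.fromhex(row["salt"])
    candidate = _digest(row["scheme"], salt, password)
    if not hmac.compare_digest(candidate, row["hash"]):
        return False
    if row["scheme"] == "sha1":  # the plaintext is available only right now
        new_salt = secrets.token_bytes(16)
        row.update(scheme="pbkdf2", salt=new_salt.hex(),
                   hash=_digest("pbkdf2", new_salt, password))
    return True


if __name__ == "__main__":
    # Constructed sample account, not taken from the thread.
    row, mail = register("example_user", "constructed-pass-123")
    print("mail body :", mail)
    print("stored row:", row)
    print("login ok  :", login(row, "constructed-pass-123"))
    print("scheme now:", row["scheme"])
```

 The stored row never contains the password, so a plaintext welcome mail by itself does not show how the database stores it; the copy sitting in the mailbox is the part that stays readable.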

fromhell
« Reply #13 on: November 16, 2011, 07:56:17 PM »
 
 good catch, i'll upgrade tonight
 but the problem of upgrading is that i must do it manually, and REAPPLY THAT DAMN CAPTCHA AGAIN

Graion Dilach | Member | Cakes 12 | Posts: 403
« Reply #14 on: November 17, 2011, 02:52:52 AM »
 
 Why?
 If you update it through the admin section, I doubt it'd break itself. Diffs in SMF search for sections to be replaced, not lines.

fromhell
« Reply #15 on: November 17, 2011, 05:29:52 AM »

 ftp is no longer used.