Pages: [1]
  Print  
Author Topic: OA message boards - a security risk!  (Read 14742 times)
Charlieb000
Nub


Cakes 0
Posts: 5


« on: November 04, 2011, 06:52:04 PM »

i checked my profile and it has "Hide email address from public?" checked. but if you hover the mouse over the icons under my name on the left, it shows my email address (the "public" referred to could be users not logged in, and i still think THIS IS BAD, especailly since there are users that dont have the envelope icon - how do i remove it?). also if you have a MSN account, i hovered my mouse over (for example) the user "Cacatoes" icons and i can see his email address for other sits too. a nice big security risk - just ripe for email harvesters. if this is not fixed (and rules enforced to not have @xyz.com), i would like someone to compeletly remove my information, posts, etc from this server!

i will try deleting my messages, including this message in a few hours.. no messages = no mention of my email address. d'oh! i dont think i can close topics...

Charlie.
Logged
Cacatoes
Banned for leasing own account
Posts a lot
*

Cakes 73
Posts: 1427


also banned for baiting another to violate rules


« Reply #1 on: November 04, 2011, 07:05:06 PM »

...

I voluntary display my email address.

Yours does not appear.

Feel better ?
Logged

Todo: Walk the cat.
fromhell
Administrator
GET A LIFE!
**********

Cakes 35
Posts: 14520



WWW
« Reply #2 on: November 04, 2011, 07:08:15 PM »

Guests can't see it, or cacatoes' either.
Logged

asking when OA3 will be done won't get OA3 done.
Progress of OA3 currently occurs behind closed doors alone

I do not provide technical support either.

new code development on github
WaspKiller
Bigger member


Cakes 8
Posts: 159



WWW
« Reply #3 on: November 04, 2011, 07:09:22 PM »

Jes*s H. Chr*st, stop being such a Drama Queen.  Either go to the many Free E-Mail sites and have an account just for your gaming activities or get a primary account that uses both SpamAssain and BoxTrapper.

All you have done now is bring attention to yourself.  Did it ever occur to you that the Admin could have given you an appropriate answer via the Forum's Private Messaging System and that at your request he/she could remove all your posts?

Next time THINK before you post.
Logged



Calm is for LOSERS!  ANGER fuels my game and btw you're NEXT!
fromhell
Administrator
GET A LIFE!
**********

Cakes 35
Posts: 14520



WWW
« Reply #4 on: November 04, 2011, 07:10:57 PM »

I should note I have the best email privacy options enabled as much as I could on SMF - there's no feature for php email forms I don't think.


Since I manually approve accounts I try my best to keep out the spammers.
Logged

asking when OA3 will be done won't get OA3 done.
Progress of OA3 currently occurs behind closed doors alone

I do not provide technical support either.

new code development on github
Charlieb000
Nub


Cakes 0
Posts: 5


« Reply #5 on: November 04, 2011, 07:13:30 PM »

ok then, i will do that..
Logged
fromhell
Administrator
GET A LIFE!
**********

Cakes 35
Posts: 14520



WWW
« Reply #6 on: November 04, 2011, 07:22:20 PM »

By the way I don't like to delete accounts and I disabled the self-deletion feature due to constant abuse (people would redact all their posts if they don't like the fact I keep out non-Free contributions)

You're probably best off changing to a less personal email address if you have one, or a disposable email inbox, if you're overly paranoid. Be aware some trigger auto-bans though (mailinator)

I hate spammers and email harvesters as much as you do and I respect the privacy of other users greatly
Logged

asking when OA3 will be done won't get OA3 done.
Progress of OA3 currently occurs behind closed doors alone

I do not provide technical support either.

new code development on github
Gig
In the year 3000
***

Cakes 45
Posts: 4394


WWW
« Reply #7 on: November 05, 2011, 04:15:02 AM »

i checked my profile and it has "Hide email address from public?" checked. but if you hover the mouse over the icons under my name on the left, it shows my email address (the "public" referred to could be users not logged in, and i still think THIS IS BAD, especailly since there are users that dont have the envelope icon - how do i remove it?). also if you have a MSN account, i hovered my mouse over (for example) the user "Cacatoes" icons and i can see his email address for other sits too. a nice big security risk - just ripe for email harvesters. if this is not fixed (and rules enforced to not have @xyz.com), i would like someone to compeletly remove my information, posts, etc from this server!
Hi, Charlie. I don't see your email address icon under your name, and in your profile it shows "hidden". Me too have the option to hide it enabled, but I see the email icon and the address shown in my profile in this case. Thus, I suppose that in case of "hide email address from public", each user is the only one allowed to see his own address, while it is not shown to all other users (maybe Fromhell -the admin- could be the exception. I don't know).

If MSN accounts (I don't have one) include the email address in the URL to reach them, the problem is of MSN...
« Last Edit: November 05, 2011, 05:30:34 AM by Gig » Logged

I never want to be aggressive, offensive or ironic with my posts. If you find something offending in my posts, read them again searching for a different mood there. If you still see something bad with them, please ask me infos. I can be wrong at times, but I never want to upset anyone.
Peter Silie
Member


Cakes 2008
Posts: 610



« Reply #8 on: November 05, 2011, 05:20:48 AM »

Gig is right:
the email can just be seen by yourself (you have the right to see the mail address of your account) and the board administration (they also have the right to see the email of your account).
all other user-lookups do not get this information.
so no security risc.
Logged
grey matter
Member


Cakes 8
Posts: 381

>9k


« Reply #9 on: November 14, 2011, 02:49:02 PM »

I just registered few days ago and noted another issue; I got an welcome-mail which contains my username and password in plain text. I seriously hope that passwords do not get saved in plaintext as well.

And if I remember correctly, I initially checked "Do NOT display my email to public" during registration just to see that "hide email from public" was not checked after my account was approved.
Logged

This space is for rent.
Graion Dilach
Member


Cakes 12
Posts: 403



« Reply #10 on: November 14, 2011, 03:37:59 PM »

First, I can't see your e-mails.

Second, passwords are saved in SHA1 format within MySQL.
Logged

One shall remind what have he left behind... to actually realize that it's still cool.
Cacatoes
Banned for leasing own account
Posts a lot
*

Cakes 73
Posts: 1427


also banned for baiting another to violate rules


« Reply #11 on: November 14, 2011, 03:53:14 PM »

Third, first is because s/he re-enabled that hiding option after registering.
Fourth, I haven't tried to subscribe a new account to check the fact.

Tongue
Logged

Todo: Walk the cat.
RMF
Member


Cakes 12
Posts: 694



« Reply #12 on: November 16, 2011, 04:24:50 AM »

I just registered few days ago and noted another issue; I got an welcome-mail which contains my username and password in plain text.
The mail is probably sent with the same script as which registers you in the database. The script simply gets the password from what it sent via the registration form to send the email, saves it with a salted sha1 hash in the database, and quits. Unless your mailserver is hacked, your password is not saved anywhere (well maybe someone installed a tap on your connection, but that's quite unlikely lol).


By the way, there is actually a security risk on this forum. I don't think it's exploitable because of the current settings, but SMF 1.1.15 solves a security issue from 1.1.14 - which we are currently running. You can find details about the exploit elsewhere if you're really interested, I won't post it here (would make it too easy to go and try it on other SMF 1.1.14 forums, now you at least have to search for it yourself).

Upgrading to SMF 2 would make the forum IPv6-capable, but the server itself isn't yet anyway so that's no use now. If the server were to get IPv6 support (if the host would add it) and we wouldn't block IPv6 users, SMF 1.x will say "Unknown" where the IP address should be. This means that there is no way to track users or ipban people.
Logged
fromhell
Administrator
GET A LIFE!
**********

Cakes 35
Posts: 14520



WWW
« Reply #13 on: November 16, 2011, 07:56:17 PM »

good catch, i'll upgrade tonight

but the problem of upgrading is that i must do it manually, and REAPPLY THAT DAMN CAPTCHA AGAIN
Logged

asking when OA3 will be done won't get OA3 done.
Progress of OA3 currently occurs behind closed doors alone

I do not provide technical support either.

new code development on github
Graion Dilach
Member


Cakes 12
Posts: 403



« Reply #14 on: November 17, 2011, 02:52:52 AM »

Why?

If you update it through the admin section, I doubt it'd break itself. Diffs in SMF searches for sections to be replaced, not lines.
Logged

One shall remind what have he left behind... to actually realize that it's still cool.
fromhell
Administrator
GET A LIFE!
**********

Cakes 35
Posts: 14520



WWW
« Reply #15 on: November 17, 2011, 05:29:52 AM »

ftp is no longer used.
Logged

asking when OA3 will be done won't get OA3 done.
Progress of OA3 currently occurs behind closed doors alone

I do not provide technical support either.

new code development on github
Pages: [1]
  Print  
 
Jump to: