Bug tracker

This ticket has been moved to our new tracker. Open Ticket PHPBB3-7871 now.

Potential for Jabber misuse by reusing the same jabber username or cloning the board's jabber use (fix completed in vcs)

Today I received a series of strange jabber messages to my forum's jabber account. These messages were communications from the board to one particular user regarding password reactivation and topic subscription area notifications.

I then realised that I had set the board admin jabber account to be the same as the board's own jabber account. I've changed this and now I no longer receive these messages for the particular user? I don't fully understand why I was in the first place, as the forum admin account had a jabber address but was set to only receive email alerts from the site and had nothing to do with the other users' interactions with the board.

However, it then made me realise that any user could join the board and then set their user profile jabber name to become the board's name. Seeing as any communication sent using jabber from user to user shows as coming from the board's account. Of course they wouldn't be able to get access to the jabber password and therefore read any of the board's jabber communications (hopefully).

Shouldn't the system check for unique jabber addresses as it does for unique email addresses if the admin wants it to?
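The uniqueness check asked for above, sketched as an added example. It is not part of the original ticket and not phpBB's code or the fix in the linked changesets; the function names, return codes and sample addresses are hypothetical.

```php
<?php
// Added example, not phpBB code. All function names are hypothetical.

// Reduce a JID to a comparable bare form: drop the /resource part and
// lowercase node and domain. Simplification: real XMPP address comparison
// uses the stringprep/PRECIS profiles (RFC 6122 / RFC 7622), not strtolower().
function normalize_bare_jid(string $jid): ?string
{
    $jid = trim($jid);
    $slash = strpos($jid, '/');
    if ($slash !== false) {
        $jid = substr($jid, 0, $slash);      // strip the resource part
    }
    $parts = explode('@', $jid);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;                          // not a node@domain address
    }
    return strtolower($parts[0]) . '@' . strtolower($parts[1]);
}

// Decide whether $candidate may be saved as a profile JID.
// $board_jid: the account the board sends from.
// $taken: JIDs already stored on other users' profiles.
function check_profile_jid(string $candidate, string $board_jid, array $taken): string
{
    $bare = normalize_bare_jid($candidate);
    if ($bare === null) {
        return 'invalid';
    }
    if ($bare === normalize_bare_jid($board_jid)) {
        return 'board_account';               // would clone the board's identity
    }
    foreach ($taken as $other) {
        if ($bare === normalize_bare_jid($other)) {
            return 'duplicate';               // already used by another profile
        }
    }
    return 'ok';
}

// Constructed sample data, for illustration only.
$board = 'forum@jabber.example.org';
$taken = ['alice@jabber.example.org/home'];
$tests = ['Forum@Jabber.Example.org/phone', 'ALICE@jabber.example.org',
          'bob@jabber.example.org', 'not-a-jid'];
foreach ($tests as $jid) {
    printf("%-32s %s\n", $jid, check_profile_jid($jid, $board, $taken));
}
```

Comparing bare, case-folded JIDs matters here: a check on the raw string would let a different resource or different capitalisation of the board's address through.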

Comments / History

Edited ticket

Action performed by x-rayman on Nov 14th 2008, 01:25

Posted by x-rayman on Nov 14th 2008, 11:32

This morning I got another message from the board with a different user's communication within it. I therefore realised I hadn't fixed the problem by changing the admin and board jabber accounts to be different.

This is potentially worse than I mentioned in my first post. I have just figured out why the nonrelated user's communications were getting sent to the board admin account.

I'm not certain if I should post it here or wait for a PM from a board admin/moderator/bug tracker. This behaviour I believe is something to do with the new jabber setup in 3.0.3 as I don't recall seeing it before the update.

I'm not certain what the implications are exactly to this bug.

Assigned ticket to user "Acyd Burn"

Action performed by Acyd Burn (Server Manager) on Nov 22nd 2008, 19:54

Linked ticket with changeset: r9078

Action performed by Anonymous (I am too lazy to register) on Nov 22nd 2008, 19:55

Changed ticket status from "New" to "Fix completed in SVN"

Action performed by Acyd Burn (Server Manager) on Nov 22nd 2008, 19:57

Linked ticket with changeset: r9079

Action performed by Anonymous (I am too lazy to register) on Nov 22nd 2008, 19:58
