Hi guys,
I've got a problem.
I have some hidden forums, BUT they are open to guests. (it's a custom mode)
Guests can post message using the "comments" pages:
http://www.itsall3.com/forums/viewcomments.php?t=2404
-- This is posting to a "hidden" forum, you can see the comments on the page, and you can post to it, but i can moderate the hidden forum in the phpbb forum that the guest cannot see.
For some reason, these hidden forums are getting spammed ALOT. And it cannot be through my comments page, as the length is restriced to 100chrs.
And this spam is really long.
I found out that somehow, if you know the forum ID and topic id, you can get to the posting.php page, and post comments,
Whats an easy way to check on the posting.php page if the forum is supposed to be hidden?
Many thanks.
No authentication on "posting.php"
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations
This forum is now closed due to phpBB2.0 being retired.
READ: phpBB.com Board-Wide Rules and Regulations
This forum is now closed due to phpBB2.0 being retired.
-
itsallgood
- Registered User
- Posts: 76
- Joined: Wed May 05, 2004 8:54 pm
Re: No authentication on "posting.php"
itsallgood wrote: I have some hidden forums, BUT they are open to guests.
For some reason, these hidden forums are getting spammed ALOT.
Because they are open to guest posting
itsallgood wrote: And it cannot be through my comments page, as the length is restriced to 100chrs.
And this spam is really long.
The post size on your comments page appears to be limited only by javascript. Turn javascript off and you can post as much as you want.
(the maxlength property doesn't apply to textarea fields)
itsallgood wrote: Whats an easy way to check on the posting.php page if the forum is supposed to be hidden?
Depending on where in the file you want to check, you could use:
Code: Select all
if (!$is_auth['auth_view'])
-
itsallgood
- Registered User
- Posts: 76
- Joined: Wed May 05, 2004 8:54 pm
Thankyou for your reply
Yes, you are right, javascript isnt a great way to secure the 100 limit rule. i will have to change it.
Is there a:
if (!$is_auth['auth_view'])
That checks if the forum should be "hidden"??? like a:
if (!$is_auth['SYSTEM_SHOULD_BE_HIDDEN'])
Type command?
Many thanks.
Regards.
Yes, you are right, javascript isnt a great way to secure the 100 limit rule. i will have to change it.
Is there a:
if (!$is_auth['auth_view'])
That checks if the forum should be "hidden"??? like a:
if (!$is_auth['SYSTEM_SHOULD_BE_HIDDEN'])
Type command?
Many thanks.
Regards.
-
Brf
- Support Team Member
- Posts: 52293
- Joined: Tue May 10, 2005 7:47 pm
- Location: {postrow.POSTER_FROM}
- Contact:
posting.php already checks the proper auths, otherwise everyone else would have guests posting to their forums too.
Remember, a poster does not have to be using your forum pages. They can always set up their own custom page, which posts to your webpage.
Therefore, posting.php has to check the auths on the way in, to make sure the user isnt trying to bypass the security.
As long as you haven't taken those checks out of posting.php, there is not any way for a guest to post to a forum without auths set to ALL.
Remember, a poster does not have to be using your forum pages. They can always set up their own custom page, which posts to your webpage.
Therefore, posting.php has to check the auths on the way in, to make sure the user isnt trying to bypass the security.
As long as you haven't taken those checks out of posting.php, there is not any way for a guest to post to a forum without auths set to ALL.