No authentication on "posting.php"

This forum is now closed as part of retiring phpBB2.
itsallgood
Registered User
Posts: 76
Joined: Wed May 05, 2004 8:54 pm


Post by itsallgood »

Hi guys,

I've got a problem.


I have some hidden forums, BUT they are open to guests. (it's a custom mode)

Guests can post messages using the "comments" pages:

http://www.itsall3.com/forums/viewcomments.php?t=2404

-- This is posting to a "hidden" forum, you can see the comments on the page, and you can post to it, but I can moderate the hidden forum in the phpBB forum that the guest cannot see.

For some reason, these hidden forums are getting spammed A LOT. And it cannot be through my comments page, as the length is restricted to 100 chars.

And this spam is really long.

I found out that somehow, if you know the forum ID and topic ID, you can get to the posting.php page, and post comments.

What's an easy way to check on the posting.php page if the forum is supposed to be hidden?

Many thanks.
T0ny
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Re: No authentication on "posting.php"

Post by T0ny »

itsallgood wrote: I have some hidden forums, BUT they are open to guests.

For some reason, these hidden forums are getting spammed A LOT.


Because they are open to guest posting :)

itsallgood wrote: And it cannot be through my comments page, as the length is restricted to 100 chars.

And this spam is really long.


The post size on your comments page appears to be limited only by JavaScript. Turn JavaScript off and you can post as much as you want.
(the maxlength property doesn't apply to textarea fields)

itsallgood wrote: What's an easy way to check on the posting.php page if the forum is supposed to be hidden?


Depending on where in the file you want to check, you could use:

Code:

if (!$is_auth['auth_view'])

but guests (and therefore spammers) have to be allowed to post to these fora for your system to work.
itsallgood
Registered User
Posts: 76
Joined: Wed May 05, 2004 8:54 pm

Post by itsallgood »

Thank you for your reply :)

Yes, you are right, JavaScript isn't a great way to secure the 100 limit rule. I will have to change it.


Is there a:

if (!$is_auth['auth_view'])

That checks if the forum should be "hidden"??? like a:

if (!$is_auth['SYSTEM_SHOULD_BE_HIDDEN'])

Type command?

Many thanks.

Regards.
Brf
Support Team Member
Posts: 52293
Joined: Tue May 10, 2005 7:47 pm

Post by Brf »

posting.php already checks the proper auths, otherwise everyone else would have guests posting to their forums too.

Remember, a poster does not have to be using your forum pages. They can always set up their own custom page, which posts to your webpage.

Therefore, posting.php has to check the auths on the way in, to make sure the user isn't trying to bypass the security.

As long as you haven't taken those checks out of posting.php, there is not any way for a guest to post to a forum without auths set to ALL.
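
The point T0ny and Brf make above, that a limit applied only in the browser does not bind a client that submits to the page directly, shown as a server-side check. This is an added example, not code from the thread or from phpBB; `validate_comment()`, `MAX_COMMENT_CHARS` and the `message` field name are assumptions, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: server-side enforcement of the comment length limit.
// MAX_COMMENT_CHARS and validate_comment() are hypothetical names; the
// 100-character limit is the one the thread describes.
const MAX_COMMENT_CHARS = 100;

// Count characters, not bytes, when mbstring is available.
function comment_length(string $text): int
{
    return function_exists('mb_strlen') ? mb_strlen($text, 'UTF-8') : strlen($text);
}

// Returns [bool $ok, string $reason]. Takes the raw request fields, exactly
// as a client that never loaded the form's JavaScript would send them.
function validate_comment(array $fields): array
{
    $message = $fields['message'] ?? '';
    if (!is_string($message)) {
        // PHP turns "message[]=..." into an array; refuse it outright.
        return [false, 'message must be a single text field'];
    }
    $message = trim($message);
    if ($message === '') {
        return [false, 'empty comment'];
    }
    if (comment_length($message) > MAX_COMMENT_CHARS) {
        return [false, 'comment longer than ' . MAX_COMMENT_CHARS . ' characters'];
    }
    return [true, 'ok'];
}

// Constructed sample requests (not taken from the thread).
$samples = [
    'typed into the form'     => ['message' => 'Nice article, thanks!'],
    'sent without the script' => ['message' => str_repeat('buy now ', 200)],
    'array instead of string' => ['message' => ['a', 'b']],
];

foreach ($samples as $label => $fields) {
    [$ok, $reason] = validate_comment($fields);
    printf("%-25s %s (%s)\n", $label, $ok ? 'accepted' : 'rejected', $reason);
}
```

The check belongs in whichever script actually writes the comment, so that it runs no matter which page, if any, produced the request.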