Minor security issue

Protopia
Registered User
Posts: 20
Joined: Sun Nov 14, 2004 3:27 pm

Minor security issue

Post by Protopia » Sun Jul 27, 2008 11:42 pm

I would like to report a minor security issue with prosilver (probably also in subsilver2 though I have not checked).

I have configured my (invitation only) board to disallow member listings for Guest users - in order to protect the privacy of members from non-members.

However, guests still get to see who is on-line. I have changed index_body.html so that if you can't see the member list then you cannot see who is on-line as follows:

From

<!-- IF S_DISPLAY_ONLINE_LIST -->
	<!-- IF U_VIEWONLINE --><h3><a href="{U_VIEWONLINE}">{L_WHO_IS_ONLINE}</a></h3><!-- ELSE --><h3>{L_WHO_IS_ONLINE}</h3><!-- ENDIF -->
	<p>{TOTAL_USERS_ONLINE} ({L_ONLINE_EXPLAIN})<br />{RECORD_USERS}<br /> <br />{LOGGED_IN_USER_LIST}
	<!-- IF LEGEND --><br /><em>{L_LEGEND}: {LEGEND}</em><!-- ENDIF --></p>
<!-- ENDIF -->

<!-- IF S_DISPLAY_BIRTHDAY_LIST and BIRTHDAY_LIST -->
	<h3>{L_BIRTHDAYS}</h3>
	<p><!-- IF BIRTHDAY_LIST -->{L_CONGRATULATIONS}: <strong>{BIRTHDAY_LIST}</strong><!-- ELSE -->{L_NO_BIRTHDAYS}<!-- ENDIF --></p>
<!-- ENDIF -->

<!-- IF NEWEST_USER -->
	<h3>{L_STATISTICS}</h3>
	<p>{TOTAL_POSTS} &bull; {TOTAL_TOPICS} &bull; {TOTAL_USERS} &bull; {NEWEST_USER}</p>
<!-- ENDIF -->

To

<!-- IF S_DISPLAY_ONLINE_LIST -->
	<!-- IF U_VIEWONLINE --><h3><a href="{U_VIEWONLINE}">{L_WHO_IS_ONLINE}</a></h3><!-- ELSE --><h3>{L_WHO_IS_ONLINE}</h3><!-- ENDIF -->
	<!-- the counts stay visible to everyone; the names are only emitted when the viewer may see the member list, and the paragraph is closed either way -->
	<p>{TOTAL_USERS_ONLINE} ({L_ONLINE_EXPLAIN})<br />{RECORD_USERS}
	<!-- IF S_DISPLAY_MEMBERLIST -->
		<br /> <br />{LOGGED_IN_USER_LIST}
		<!-- IF LEGEND --><br /><em>{L_LEGEND}: {LEGEND}</em><!-- ENDIF -->
	<!-- ENDIF --></p>
<!-- ENDIF -->

<!-- IF S_DISPLAY_MEMBERLIST -->
	<!-- IF S_DISPLAY_BIRTHDAY_LIST and BIRTHDAY_LIST -->
		<h3>{L_BIRTHDAYS}</h3>
		<p><!-- IF BIRTHDAY_LIST -->{L_CONGRATULATIONS}: <strong>{BIRTHDAY_LIST}</strong><!-- ELSE -->{L_NO_BIRTHDAYS}<!-- ENDIF --></p>
	<!-- ENDIF -->

	<!-- IF NEWEST_USER -->
		<h3>{L_STATISTICS}</h3>
		<p>{TOTAL_POSTS} &bull; {TOTAL_TOPICS} &bull; {TOTAL_USERS} &bull; {NEWEST_USER}</p>
	<!-- ENDIF -->
<!-- ENDIF -->

Note: I am a bit of a novice on phpbb3 modding - so I am not certain this is the correct / best way of achieving this. But it seems to work.

You may wish to consider this for inclusion in the next release of phpbb3.

Thanks.

Protopia
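A board owner who applies a change like the one above will want to confirm that a guest really no longer sees any names. The check below is added here for that purpose; it is not from the post or from phpBB itself. It parses the "Who is online" and "Statistics" blocks of a guest's index.php, assuming prosilver markup with the English language pack and phpBB's usual class="username" / class="username-coloured" links; both HTML samples are constructed, not captured from a real board.

```python
import re
from html import unescape

# Constructed sample of what a guest receives from index.php with the stock
# prosilver index_body.html (English language pack); not real board output.
GUEST_INDEX_STOCK = """
<h3><a href="./viewonline.php">Who is online</a></h3>
<p>In total there are <strong>3</strong> users online :: 2 registered, 0 hidden and 1 guest<br />
Most users ever online was <strong>57</strong> on Sat Jun 14, 2008 9:02 am<br /> <br />
Registered users: <a href="./memberlist.php?mode=viewprofile&amp;u=2" class="username">alice</a>,
<a href="./memberlist.php?mode=viewprofile&amp;u=7" class="username-coloured" style="color: #AA0000;">bob</a></p>

<h3>Statistics</h3>
<p>Total posts <strong>120</strong> &bull; Total topics <strong>15</strong> &bull; Total members <strong>9</strong>
&bull; Our newest member <strong><a href="./memberlist.php?mode=viewprofile&amp;u=9" class="username">carol</a></strong></p>
"""

# Constructed sample of the same page after the template change from the first
# post: the user list, legend and statistics block are gone for guests.
GUEST_INDEX_PATCHED = """
<h3><a href="./viewonline.php">Who is online</a></h3>
<p>In total there are <strong>3</strong> users online :: 2 registered, 0 hidden and 1 guest<br />
Most users ever online was <strong>57</strong> on Sat Jun 14, 2008 9:02 am<br /> </p>
"""

# Username links carry class="username" or "username-coloured" (assumed here;
# adjust the pattern if a custom style renders them differently).
USERNAME_LINK = re.compile(r'<a[^>]*class="username[^"]*"[^>]*>(.*?)</a>', re.S)

def block_after_heading(html, heading):
    """Return the inner HTML of the <p> that follows the given <h3>, or '' if absent."""
    pat = r'<h3>(?:<a[^>]*>)?' + re.escape(heading) + r'(?:</a>)?</h3>\s*<p>(.*?)</p>'
    m = re.search(pat, html, re.S | re.I)
    return m.group(1) if m else ''

def audit_guest_view(html):
    """Map each block to the usernames a guest can read from it."""
    report = {}
    for heading, key in (("Who is online", "online_list"), ("Statistics", "newest_user")):
        block = block_after_heading(html, heading)
        report[key] = [unescape(name).strip() for name in USERNAME_LINK.findall(block)]
    return report

def leaks_usernames(html):
    """True if any username is visible in either block of the guest view."""
    return any(audit_guest_view(html).values())

if __name__ == "__main__":
    for label, page in (("stock", GUEST_INDEX_STOCK), ("patched", GUEST_INDEX_PATCHED)):
        print(label, audit_guest_view(page), "leak" if leaks_usernames(page) else "clean")
```

To run it against a live board, fetch index.php without a session cookie and pass the response body to `audit_guest_view`.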

Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: Minor security issue

Post by Phil » Sun Jul 27, 2008 11:45 pm

This is a group setting. ACP -> Permissions -> Groups' Permissions -> Guests -> Advanced Permissions -> Profile Tab -> set "Can view profiles, memberlist and online list" to no.

It should also be noted that you should report any potential security issues to the Security Tracker in the future.
Moving on, with the wind. | My Corner of the Web

Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Spokane, WA
Name: David Lewis

Re: Minor security issue

Post by Highway of Life » Sun Jul 27, 2008 11:59 pm

Guests by default cannot view the memberlist OR profiles (viewprofile).
Seeing online users is not a security issue. :)
The phpBB Weekly Podcast - Discussing the developments of phpBB4 and beyond.

New to phpBB3? Want to learn about programming?
Visit phpBB Academy at StarTrekGuide to learn how.

Protopia
Registered User
Posts: 20
Joined: Sun Nov 14, 2004 3:27 pm

Re: Minor security issue

Post by Protopia » Mon Jul 28, 2008 12:42 am

iWisdom wrote:This is a group setting. ACP -> Permissions -> Groups' Permissions -> Guests -> Advanced Permissions -> Profile Tab -> set "Can view profiles, memberlist and online list" to no.
I have already done this - guests cannot see memberlist or view profiles. But names of on-line users and newest user still appear at the bottom of the main page.
iWisdom wrote:It should also be noted that you should report any potential security issues to the Security Tracker in the future.
Thank you for pointing me in the right direction. I have posted this there.
Highway of Life wrote:Guests by default cannot view the memberlist OR profiles (viewprofile).
Seeing online users is not a security issue. :)
I guess that this is a matter of opinion. For me this is a security issue - I am unable to properly safeguard my members' privacy. However, as I have said, I have logged this as a security item, and no doubt the phpbb3 powers-that-be will decide whether it is a security issue or not.

Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Spokane, WA
Name: David Lewis

Re: Minor security issue

Post by Highway of Life » Mon Jul 28, 2008 1:41 am

Seeing of a list of members online is a privacy issue? Hardly. This is not a matter of opinion on privacy and security, it’s about how you want it to work for your site, and that’s fine. But for phpBB, it is not a matter of privacy or security. The issue is neither. This is the way it is intended to work.
The phpBB Weekly Podcast - Discussing the developments of phpBB4 and beyond.

New to phpBB3? Want to learn about programming?
Visit phpBB Academy at StarTrekGuide to learn how.

A_O_C
Registered User
Posts: 2383
Joined: Sun Jul 01, 2007 11:26 pm
Location: phpbb_

Re: Minor security issue

Post by A_O_C » Mon Jul 28, 2008 2:29 am

Protopia, if you're that worried, why not try adding <!-- IF S_USER_LOGGED_IN --> and <!-- ENDIF --> respectively?

drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE

Re: Minor security issue

Post by drathbun » Tue Jul 29, 2008 1:26 pm

I can see where someone might consider the list of online users to be a security issue... but not in the sense that the code is not secure, more that the member privacy rights are not secure. Meaning, there's no code to "exploit" and do nasty-bad-things to the server or database, but there is a potential exposure.

Given that profiles are not viewable by guests by default (which means that even if I do see a list of online users I cannot get any information about them) the exposure is limited. If someone opts to use their real name as their forum username then they have already opted to expose that information.

Bottom line is that it's easily fixed with a simple template switch.
I blog about phpBB: phpBBDoctor blog

Acyd Burn
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

Re: Minor security issue

Post by Acyd Burn » Tue Jul 29, 2008 2:02 pm

Moreover, the privacy decision is up to the user as he is able to hide himself from the online list.
