[2.0.7] Printer-friendly topic mod

The cleanup is complete. This forum is now read only.

Paul
Infrastructure Team Leader
Posts: 28617
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: [2.0.7] Printer-friendly topic mod

Post by Paul »

finlay wrote: WARNING: There appears to be a security issue in this MOD!

I installed this MOD some time ago. A few days back I discovered a cached Google copy of a full discussion from a PRIVATE FORUM, rendered via this mod.

I'm investigating the code further, but whereas phpBB treats Google as a Guest and doesn't allow it to 'see' private discussions, this mod appears to allow it in to index private pages!

If you value your private forums and groups, you should take a look at this.

Any further input appreciated.
Hello,

Next time, please report security issues directly to the MOD author or a MOD team member.

I have looked at the code of the MOD and can't find anything that looks like it allows guests (if permissions are set correctly) to view it. Please provide by PM a topic that's private but can be viewed by this MOD.

Thanks.
CaptainFlint
Registered User
Posts: 7
Joined: Tue Dec 19, 2006 5:44 pm
Location: Moscow, Russia

Re: [2.0.7] Printer-friendly topic mod

Post by CaptainFlint »

I checked one forum I'm administering. It has private sub-forums (phpBB 2.0.23), and I tried to look in Google for some topics from them. Nothing was found.
Dogs and things
Registered User
Posts: 2114
Joined: Fri Sep 01, 2006 9:04 am
Location: Spain

Re: [2.0.7] Printer-friendly topic mod

Post by Dogs and things »

My printer button is only visible for logged_in users.
For phpBB2 support visit phpBB2refugees.
finlay
Registered User
Posts: 31
Joined: Tue Mar 04, 2003 5:07 pm

Re: [2.0.7] Printer-friendly topic mod

Post by finlay »

Paul wrote: Hello,

Next time, please report security issues directly to the MOD author or a MOD team member.

Apologies Paul, but as the MOD is so old, and because the Demo links placed in the early posts by the author no longer work, I assumed the author was no longer contactable. As your MOD report guidelines state that one should contact the author and then wait a week before contacting the phpBB mod team, I thought I'd compromise and post something on the thread to see if anyone else had experienced this.

Paul wrote: I have looked at the code of the MOD and can't find anything that looks like it allows guests (if permissions are set correctly) to view it. Please provide by PM a topic that's private but can be viewed by this MOD.

So far I've spent 2 days examining this issue, attempting to explain the cached copy I found on Google of a 'private' topic and, like Captain Flint, I've spent ages trying to replicate the problem with other posts which I know to be 'private'. I can't replicate it, but neither can I deny the presence of the cached copy on Google.

However, just as I was about to copy/paste the Google cached-copy into a PM to you, I had a flash of a further idea and just went off to investigate it. My idea concerned the date on the cached copy I saw on Google. This topic was actually a netiquette breach (it was a 'disguised' advert) which was moved to the moderators forum within minutes of being reported to a moderator on April 15th, but comparison of the dates shows that Google visited our forum that day and could have indexed the 'printer-friendly' copy literally seconds before it was moved from 'public' to 'private'. Although hugely coincidental, is this a more likely explanation of why it is now in the public domain, considering that your examination of the code suggests that the MOD treats 'private' pages in the same way as phpBB does normally?

I'll PM you the link anyway.