Security issues, problems, ideas after the 2023.11 Forum update

[mx5kevin]

Security issues, problems, ideas after the 2023.11 Forum update

-Security:

Users profile are accessible for Guests, bots are try to this way collect sensitive data from users. Access to this information is also easier through security gaps. On earlier IPS suite had some similar vulnerability.

On comment selection Guests can access report/share option. This helps in sending spam messages by bots. The same as with the Contact Us option. (but seems ok if CAPTCHA are used)

On Blogs Anonymous commenting for unregistered Guest are allowed. This is allowing Bots to send SPAM in the blogs. (but seems ok if CAPTCHA are used) And a fine idea to allow anonymous commenting. But need to allow bloggers to edit, delete their own comments and recommended users comments too in this case.

Prevent users' IP addresses from being recorded by the forum software and log only 127.0.0.1 in all user. From the MSQL database everyone can get all sensitive data from the users. IPS suite log too much things from the users.

https://www.amateurpyro.com/forums/topic/14203-security-issue-the-website-using-http-and-not-https-ssl-in-several-cases/

Similar forum are infected with C99 PHP shell which allowed files to be searched across the entire server. Disable file indexes.

Start new topic are allowed globally in the forum for Guest (unregistered users) without reCAPTCHA bot filtering but commenting are not.

File upload are enable for unregistered Guests (Start New Topic) in some messaging options, important to disable it!

-Problems:

Please check Blogs, Gallery, Downloads, uploaded files (edit, delete) permission options. I checked and gone after the update. Example Blog posts can not edited or deleted after the update. It would be important for users to have the greatest possible freedom over their content. The forum software provides all the possibilities for this. These are indispensable things for a modern quality forum and quality content publication. The publisher content is being developed, supplemented and in many cases needs improvement. Check the comment editing limit, there may be a preset value for time (please remove it).

Uploads: The page does not state that there is a limitation in the size and quantity of files that can be uploaded. There are content owners with content of up to totall 5 GB of if all files combined. Because there are people who can bring more major content. Of course, this is a huge advantage!

Fix donation page.

Please add Blogs, Gallery, Downloads line to list in the Home page the new contents in it before the Forum Statics line.

Please make public everyone who liked your content. Anonymous likes are pointless and not community-building thing.

-Ideas:

On the Clubs selection members could create multilingual forums there would be demand for this. Everyone would be an administrator of their own forum. Foreign pyro forums do not work except in English. Many of us are foreigners, technically it is already a given that we open up to other languages with the clubs option. The option could be rename to members/multi language forums. Could write about it, the function is already given. It would be a huge step in the history of the forum.

IPS suite have a great chat option BIM Chatbox that function worth to be integrated.

As much as possible, users should be able to edit, delete their content as freely as possible. This is essential for creating quality content. The forum's software ensures this very effectively if configured well.

Anonymous sub forum for Guests where unregistered users can commenting, opening new topics solving a reCAPTCHA and a word filter (To isolate the blurring of a less knowledgeable community with the advanced registered users). There was a similar forum in Hungary and this option was a huge success.

Allow crypto donations, and make sure donations with Bank Card are allowed too.

In Blogs maybe in Gallery selection and Clubs selection for the current publishers possible to allow to moderate the users comments there not just his own content. For more advanced members, this is useful for creating quality content. Clubs selection anyone can create their own forum in which they are the administrator (and edit delete users content) if the site administrator setup this correctly. This is very useful for creating different pyro forums with possibly different orientations. Here it is also possible to select more professional people from the main forum.

Sub forum, gallery (after the first publication) only for content creators, and an outstanding rank. Users who are publishing blogs, uploading files, video and pictures in gallery people with much more knowledge than those who just comment and we don't see their work. This is how someone proves their true knowledge and reliability. Members should also be encouraged to post quality content that helps others. Those who are actively working on something are not necessarily interested in unnecessary comments or to converse with those who do not have the necessary knowledge on a given topic. Or to educate those who do not have any stable knowledge on a subject. Anyone who publishes literature and content can choose she wants to talk everyone or only similar publishers.

Private mailing required for a rank. Example users who have more than 100 comments can only send private. This is also a security function, if someone write a letter to you, you can assess who you are talking to based on their content on the forum. This is a good setup for screening people from the authorities. And that more knowledgeable people in some themes are bothered with unnecessary letters by unknown people about whom nothing can be known.

Edited November 25, 2023 by mx5kevin

[MicroGram]

That's interesting, and a bit concerning to say the least. Lets hope the Admins are taking steps to fix these problems!

[Guest]

There's a whole lotta WOW! Here. 

It all makes a guy leary of having an account.

 

Edited November 25, 2023 by Bbqjoe

[TheSidewinder]

Looks like some permissions did go missing in the upgrade, I'm going to check those. Blog, Gallery, Downloads issues should already be fixed.

Regarding your "Security".... 

Guests should not be able to view profiles, and I believe I have that sorted out.

What do you mean by "Fix donation page"?

Your other ideas are noted.