Any other leaks

[deeb7]

When they view the main page or the registration forum they show up as a guest without any privileges - all they can do is register - no matter where they look, they keep being redirected back to the registration box.

Here's what I don't get, this is the main page just now ....

In total there are 4 users online :: 3 registered, 0 hidden and 1 guest (based on users active over the past 5 minutes)
Most users ever online was 22 on Tue 08 Apr, 2008 7:08 am

Registered users: deeb7, mrchina, tcwu

Then at the foot of the Repros section.

Users browsing this forum: deeb7, mrchina and 1 guest

If I log out, I can't get past Registration, how does that guest get to be on the forum?

 

[bfrench]

When they view the main page or the registration forum they show up as a guest without any privileges - all they can do is register - no matter where they look, they keep being redirected back to the registration box.

Here's what I don't get, this is the main page just now ....

In total there are 4 users online :: 3 registered, 0 hidden and 1 guest (based on users active over the past 5 minutes)
Most users ever online was 22 on Tue 08 Apr, 2008 7:08 am

Registered users: deeb7, mrchina, tcwu

Then at the foot of the Repros section.

Users browsing this forum: deeb7, mrchina and 1 guest

If I log out, I can't get past Registration, how does that guest get to be on the forum?

Hi, Deeb,

That I don't have an answer for.

I just tried logging as a guest and got nowhere.

Deeb - next time it happens, please do a Print Screen and save the page as a jpg and email it to me.

Thanks
Bill French

 

[Andrew]

Given the understanding that guests don't get past the home page it's interesting that there is even notification at the bottom of each thread of how many guests may be "in" it. You would expect it just to say the number of other registered users in that thread.

Thinking it through, I suspect that's just part of the standard template and some forums possibly allow guests. Still doesn't explain why or how they could show up as David indicates. I wondered perhaps whether it just showed you who was at the front door, but after checking I see it has no relationship to that.

 

[siddhartha]

It's also possible that it's a bot of some sort.

I would highly doubt that it's anything more than that, as the security here is pretty tight.

Chris

 

[Anonymous]

If permissions are set correctly all should be OK.

The guests you see (screenshot below) are bots and/or folk following links from others sites with links to the site.

For example, 'Happy Hooligan' posting a link to the redwing boots review on supertalk or Chris's link to the site on phpbb support forums or referrers from embedded Youtube or Xtremetracking etc.

Just type 'vintageleatherjackets.org' into google and you'll see links to posts and threads in the forum. Those links bring people to certain areas of the forum but they cannot see anything.

 

[Andrew]

Didn't work for me, so maybe it's now locked?

 

[bfrench]

It's also possible that it's a bot of some sort.

I would highly doubt that it's anything more than that, as the security here is pretty tight.

Chris

Hi, Chris,

I have all of our known bots "deactivated" - but not sure if we're being tracked by others not on the list.

Even if we are, I don't feel they can get past the main page - every link you click brings you to a registration page.

Bill French

 

[Anonymous]

Even if we are, I don't feel they can get past the main page - every link you click brings you to a registration page.

Correct. If you have bots exluded then these are just folk linking from the web e.g. look at where the fourth, fifth and last links here are pointed to:

http://www.google.com/search?hl=en&q=vi ... gle+Search

They link to specific posts in certain parts of the forum but they can't see the message they just see the registration page.

So no worries.

 

[bfrench]

Even if we are, I don't feel they can get past the main page - every link you click brings you to a registration page.

Correct. If you have bots exluded then these are just folk linking from the web e.g. look at where the fourth, fifth and last links here are pointed to:

http://www.google.com/search?hl=en&q=vi ... gle+Search

They link to specific posts in certain parts of the forum but they can't see the message they just see the registration page.

So no worries.

Thanks, Simon,

Tried the same thing and got redirected to the Registration page every time.

And, Yes, the bots are excluded.

So, I think we're about as secure as you can make phpbb.

Bill French

 

[airfrogusmc]

Even if we are, I don't feel they can get past the main page - every link you click brings you to a registration page.

Correct. If you have bots exluded then these are just folk linking from the web e.g. look at where the fourth, fifth and last links here are pointed to:

http://www.google.com/search?hl=en&q=vi ... gle+Search

They link to specific posts in certain parts of the forum but they can't see the message they just see the registration page.

So no worries.

Thanks, Simon,

Tried the same thing and got redirected to the Registration page every time.

And, Yes, the bots are excluded.

So, I think we're about as secure as you can make phpbb.

Bill French

So all of our old passwords are known? Just curious...

 

[bfrench]

So all of our old passwords are known? Just curious...

Only if someone has a means of cracking the security to get in our database and then decrypting the passwords.

Pretty good job if they can.

Bill French

 

[airfrogusmc]

So all of our old passwords are known? Just curious...

Only if someone has a means of cracking the security to get in our database and then decrypting the passwords.

Pretty good job if they can.

Bill French

Thanks Bill I thought that TB said our passwords were compromised. I musta misread it.

 

[Anonymous]

Thanks Bill I thought that TB said our passwords were compromised. I musta misread it.

Well, let me put it like this. I would be sure that your forum password and your email and online banking (assuming you do) passwords are very different. phpbb 2 was very easy to hack. I was just assuming the old forum was compromised, though because of its character (quite limited membership of old boys with obscure tastes) it was probably not high risk.

But passwords were stored in MD5 algorithim and could be cracked in seconds. Combine a cracked password with the email a member used to register here and the hacker has an instant opportunity.

Hacker goes away and tries to login to your email with the password they found ... eventually they'll get luck, you'd be surprised, many people use the same password for everything! ; )

At that point they have access to your email and possibly much more. Then they just sit tight, read your email, find out what bank you're with etc. Identity theft follows, often very discreetly done. ...you get the picture.

But wouldn't want to worry anyone here with more info. As I said, prob low risk. phpbb 3 uses salted algorithim, which is much stronger. But my point was that if you're using the same password as on the old less secure phpbb 2 / forum then the better crypto in place now doesn't really count for much.

Kind of like coming home finding your safe open (someone has identifed the combination) and you react by going out by a bigger better safe but using the same combination - a bit daft.

Anyway, just play safe and use different passwords.

 

[airfrogusmc]

Thanks TB...