Dangerous information displayed to anybody!

Algernon Sydney is Dead · Post by **Algernon Sydney is Dead** » Fri Sep 02, 2011 10:24 pm

Visited the site from a different computer (no cookies, no login) and this is what I see:

: Forum is showing EVERYONE, browser details and user IP!!!; Drabblecast Info disp.gif (33.26 KiB) Viewed 4909 times

And this:

: Forum offers anyone, some admin controls!; Drabblecast Info disp 2.gif (30.67 KiB) Viewed 4909 times

Obviously, it is a serious problem to show everyone (and everything) who looks, browser details and IP addresses for users! This information should be restricted to mods and admins.

Offering some admin controls to everyone, is misleading and poor practice, even if the guests will not have permission to actually effect administrative changes. At the least, this degrades user confidence in the forum's security and privacy protections.

StalinSays · Post by **StalinSays** » Sat Sep 03, 2011 7:38 am

Thinking it's because you're a global mod. Make a puppet account, double-check those options are still available to you. If so, yeh, needs to have a blanket thrown over it pronto.

Algernon Sydney is Dead · Post by **Algernon Sydney is Dead** » Sat Sep 03, 2011 8:20 am

Already did that:

No account.
No cookies.
Different machine.
Different IP.

It shows that stuff to everybody.

tbaker2500 · Post by **tbaker2500** » Sat Sep 03, 2011 4:34 pm

What the...
Hokay, delving into it now.
Good catch, ASID!!!

tbaker2500 · Post by **tbaker2500** » Sat Sep 03, 2011 4:41 pm

Ok, it looks good now on my end. Is it clear on yours now?
It looks like an account merge went bidirectional instead on unidirectional, and the anonymous user got Founder privileges. Yikes.

Thanks for spotting that ASID!

Algernon Sydney is Dead · Post by **Algernon Sydney is Dead** » Sat Sep 03, 2011 5:31 pm

tbaker2500 wrote:Ok, it looks good now on my end. Is it clear on yours now?

Yep.
Looks like the "WHO IS ONLINE" is not even a link for unregistered viewers and does not show sensitive information to a normal member.

The admin-like controls, on the profile view (now not visible at all to guests), are all but gone and do not appear to let a regular member change anything.

On an important side note: The CAPTCHA is now way, WAY too hard!

It took me about 8 tries to create a test account. With the new, 1st-post moderation and post throttling, the CAPTCHA can safely be made passable for old geezers with ordinary vision.

See, perhaps, http://captcha2.com/.

tbaker2500 · Post by **tbaker2500** » Sat Sep 03, 2011 6:58 pm

Gosh darn it, it didn't save my reCaptcha setting!
Were you getting s sudo-3d image? Yea, pretty awful. reCaptcha should be installed and running now. See if it's easier for you.

Thanks!

Algernon Sydney is Dead · Post by **Algernon Sydney is Dead** » Sat Sep 03, 2011 9:00 pm

Yeah, that's better.

Thanks!

tbaker2500 · Post by **tbaker2500** » Sat Sep 03, 2011 9:49 pm

Glad you caught these things.
It seems like the first post requiring moderation is helping.

Algernon Sydney is Dead · Post by **Algernon Sydney is Dead** » Sat Sep 03, 2011 10:23 pm

Yeah, sure beats deleting 60 spams the hard way.

themorg · Post by **themorg** » Thu Dec 08, 2011 9:46 am

Algernon Sydney is Dead wrote:Yeah, sure beats deleting 60 spams the hard way.

with a knife and fork like we did in the 80s

The Drabblecast Forums

Dangerous information displayed to anybody!

Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!

Re: Dangerous information displayed to anybody!