Dangerous information displayed to anybody!

Algernon Sydney is Dead
Moderator
Posts: 3497
Joined: Thu Oct 16, 2008 11:22 pm
Location: PRK (California)

Dangerous information displayed to anybody!

Postby Algernon Sydney is Dead » Fri Sep 02, 2011 10:24 pm

Visited the site from a different computer (no cookies, no login) and this is what I see:

[Attached image: Drabblecast Info disp.gif. Caption: Forum is showing EVERYONE, browser details and user IP!!!]


And this:

[Attached image: Drabblecast Info disp 2.gif. Caption: Forum offers anyone, some admin controls!]


Obviously, it is a serious problem to show everyone (and everything) who looks, browser details and IP addresses for users! This information should be restricted to mods and admins.

Offering some admin controls to everyone is misleading and poor practice, even if the guests will not have permission to actually effect administrative changes. At the least, this degrades user confidence in the forum's security and privacy protections.

StalinSays
Beast-Master
Posts: 1709
Joined: Sat Oct 13, 2007 4:58 am
Location: West Los Angeles, CA

Re: Dangerous information displayed to anybody!

Postby StalinSays » Sat Sep 03, 2011 7:38 am

Thinking it's because you're a global mod. Make a puppet account, double-check those options are still available to you. If so, yeh, needs to have a blanket thrown over it pronto.
Instagram: @Bokaier | Twitter: @BoKaier | Vine: @BoKaier | Tumblr: bokaier.tumblr.com

Algernon Sydney is Dead
Moderator
Posts: 3497
Joined: Thu Oct 16, 2008 11:22 pm
Location: PRK (California)

Re: Dangerous information displayed to anybody!

Postby Algernon Sydney is Dead » Sat Sep 03, 2011 8:20 am

Already did that:
  1. No account.
  2. No cookies.
  3. Different machine.
  4. Different IP.

It shows that stuff to everybody.

tbaker2500
Site Admin
Posts: 3592
Joined: Wed Nov 21, 2007 7:03 pm
Location: West Lafayette, IN

Re: Dangerous information displayed to anybody!

Postby tbaker2500 » Sat Sep 03, 2011 4:34 pm

What the...
Hokay, delving into it now.
Good catch, ASID!!!
You're my quasi-ichthian angel, you're my half-amphibian queen...

The Dribblecast, we don't care if you sound like an idiot.

tbaker2500
Site Admin
Posts: 3592
Joined: Wed Nov 21, 2007 7:03 pm
Location: West Lafayette, IN

Re: Dangerous information displayed to anybody!

Postby tbaker2500 » Sat Sep 03, 2011 4:41 pm

Ok, it looks good now on my end. Is it clear on yours now?
It looks like an account merge went bidirectional instead of unidirectional, and the anonymous user got Founder privileges. Yikes.

Thanks for spotting that ASID! :shock:
You're my quasi-ichthian angel, you're my half-amphibian queen...

The Dribblecast, we don't care if you sound like an idiot.
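
The failure described in the post above (a merge that copies roles both ways, leaving the shared guest account with Founder rights) can be modeled and checked for. This is an added example, not the forum software's code or anything posted in the thread; the account model, role names, `GUEST_ID` and all function names are hypothetical and the sample accounts are constructed.

```python
from dataclasses import dataclass, field

GUEST_ID = 1  # assumption: one shared account stands in for every logged-out visitor
# Hypothetical role names; anything here must never be held by the guest account.
PRIVILEGED = {"founder", "admin", "moderator", "view_ip", "view_online_details"}

@dataclass
class Account:
    user_id: int
    name: str
    roles: set = field(default_factory=set)

class MergeError(Exception):
    pass

def merge_accounts(accounts, source_id, target_id):
    """One-way merge: fold the source's roles into the target, then drop the source."""
    if GUEST_ID in (source_id, target_id):
        raise MergeError("the guest account may not take part in a merge")
    if source_id == target_id:
        raise MergeError("source and target must differ")
    target = accounts[target_id]
    target.roles |= accounts[source_id].roles
    del accounts[source_id]  # the source is gone, so nothing can flow back to it
    return target

def buggy_bidirectional_merge(accounts, a_id, b_id):
    """The failure mode: both accounts end up with the union of roles."""
    combined = accounts[a_id].roles | accounts[b_id].roles
    accounts[a_id].roles = set(combined)
    accounts[b_id].roles = set(combined)

def audit_guest(accounts):
    """Return the privileged roles held by the guest account; should be empty."""
    return sorted(accounts[GUEST_ID].roles & PRIVILEGED)

def sample_accounts():
    # Constructed sample data, not taken from the forum.
    return {
        1: Account(1, "Anonymous", {"read"}),
        2: Account(2, "site_owner", {"founder", "admin", "read", "post"}),
        3: Account(3, "old_owner_login", {"read", "post"}),
    }

if __name__ == "__main__":
    accts = sample_accounts()
    buggy_bidirectional_merge(accts, 2, GUEST_ID)
    print("guest holds after buggy merge:", audit_guest(accts))
```

Running `audit_guest` after every merge or permission change turns the condition reported in this thread into an immediate alert rather than something a visitor has to notice.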

Algernon Sydney is Dead
Moderator
Posts: 3497
Joined: Thu Oct 16, 2008 11:22 pm
Location: PRK (California)

Re: Dangerous information displayed to anybody!

Postby Algernon Sydney is Dead » Sat Sep 03, 2011 5:31 pm

tbaker2500 wrote: Ok, it looks good now on my end. Is it clear on yours now?

Yep.
Looks like the "WHO IS ONLINE" is not even a link for unregistered viewers and does not show sensitive information to a normal member.

The admin-like controls, on the profile view (now not visible at all to guests), are all but gone and do not appear to let a regular member change anything.

On an important side note: The CAPTCHA is now way, WAY too hard!

It took me about 8 tries to create a test account. With the new, 1st-post moderation and post throttling, the CAPTCHA can safely be made passable for old geezers with ordinary vision.

See, perhaps, http://captcha2.com/.

tbaker2500
Site Admin
Posts: 3592
Joined: Wed Nov 21, 2007 7:03 pm
Location: West Lafayette, IN

Re: Dangerous information displayed to anybody!

Postby tbaker2500 » Sat Sep 03, 2011 6:58 pm

Gosh darn it, it didn't save my reCaptcha setting!
Were you getting a pseudo-3D image? Yea, pretty awful. reCaptcha should be installed and running now. See if it's easier for you.

Thanks!
You're my quasi-ichthian angel, you're my half-amphibian queen...

The Dribblecast, we don't care if you sound like an idiot.

Algernon Sydney is Dead
Moderator
Posts: 3497
Joined: Thu Oct 16, 2008 11:22 pm
Location: PRK (California)

Re: Dangerous information displayed to anybody!

Postby Algernon Sydney is Dead » Sat Sep 03, 2011 9:00 pm

Yeah, that's better.

Thanks!

tbaker2500
Site Admin
Posts: 3592
Joined: Wed Nov 21, 2007 7:03 pm
Location: West Lafayette, IN

Re: Dangerous information displayed to anybody!

Postby tbaker2500 » Sat Sep 03, 2011 9:49 pm

Glad you caught these things.
It seems like the first post requiring moderation is helping.
You're my quasi-ichthian angel, you're my half-amphibian queen...

The Dribblecast, we don't care if you sound like an idiot.

Algernon Sydney is Dead
Moderator
Posts: 3497
Joined: Thu Oct 16, 2008 11:22 pm
Location: PRK (California)

Re: Dangerous information displayed to anybody!

Postby Algernon Sydney is Dead » Sat Sep 03, 2011 10:23 pm

Yeah, sure beats deleting 60 spams the hard way.

themorg
Member
Posts: 612
Joined: Sat Dec 05, 2009 4:52 am
Location: Portland OR

Re: Dangerous information displayed to anybody!

Postby themorg » Thu Dec 08, 2011 9:46 am

Algernon Sydney is Dead wrote: Yeah, sure beats deleting 60 spams the hard way.


with a knife and fork like we did in the 80s

