topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday March 19, 2024, 2:16 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Request for help - potential website security issue  (Read 6584 times)

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Request for help - potential website security issue
« on: May 21, 2012, 04:56 PM »
I have set up a website for my local running club. A member has informed me that the private members' forum can be access just by browsing the website without entering a username and password and is therefore not private.

The website is www.swaledaleroadrunners.co.uk and I can't find any way to read forum messages without logging in.

Unfortunately the member is being unhelpful and refusing to tell me how they can achieve this.

Personally I suspect that it is them either being difficult or else just that they never log out so when they visit the site the stored cookie allows them to access the website again but the challenge is can anyone here read the forum without logging in and if so how?

Cheers

Carol

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • **
  • Posts: 3,741
    • View Profile
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #1 on: May 21, 2012, 05:04 PM »
rr.png

Thats what I see on the forum page.

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • **
  • Posts: 3,741
    • View Profile
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #2 on: May 21, 2012, 05:06 PM »
Side note...I think I just broke your disclaimer (No part of this website can be reproduced in any form without written permission) :P

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #3 on: May 21, 2012, 05:06 PM »
Precisely - BUT this difficult member is saying that simply by browsing the website she can read the forum without logging in - I can't see how this is possible. AS far as I can tell no articles on the website link directly to forum articles and even if they did they should lead to a login page before being able to read the posting.

Side note...I think I just broke your disclaimer (No part of this website can be reproduced in any form without written permission) :P
-Stephen66515 (May 21, 2012, 05:06 PM)

May be that should be 'may be reproduced' ! Anyway I give you permission ;-)

By the way if any one does find a security whole please let me know by PM - not on the open forum here.

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • **
  • Posts: 3,741
    • View Profile
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #4 on: May 21, 2012, 05:09 PM »
Precisely - BUT this difficult member is saying that simply by browsing the website she can read the forum without logging in - I can't see how this is possible. AS far as I can tell no articles on the website link directly to forum articles and even if they did they should lead to a login page before being able to read the posting.

Side note...I think I just broke your disclaimer (No part of this website can be reproduced in any form without written permission) :P
-Stephen66515 (May 21, 2012, 05:06 PM)

May be that should be 'may be reproduced' ! Anyway I give you permission ;-)

By the way if any one does find a security whole please let me know by PM - not on the open forum here.
-Carol Haynes (May 21, 2012, 05:06 PM)

The member is probably just being stupid and not realized they are actually logged in lol

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,192
    • View Profile
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #5 on: May 21, 2012, 05:21 PM »
See the same as Stephen.

Only thing I can think of is masking or identifying as googlebot, but I don't believe many users know how and it won't work in many cases anyway.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #6 on: May 21, 2012, 05:46 PM »
Try

Code: Text [Select]
  1. http://webcache.googleusercontent.com/search?sourceid=chrome&ie=UTF-8&q=cache%3Awww.swaledaleroadrunners.co.uk%2Fforum


with the actual link to a page in place of the

Code: Text [Select]
  1. www.swaledaleroadrunners.co.uk%2Fforum
.  

I doubt that it will work, but it sometimes does.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #7 on: May 21, 2012, 06:02 PM »
Yes I wondered about caching but the forum pages aren't in the site map and are set not to index by google etc. As far as I can tell they are not cached (looking at the google webadmin index) and certainly if I look for a cached copy of a specific forum thread it comes up as not indexed by google.

I don't think the member would be able to craft that sort of URL anyway - they said it was just from browsing on the website.

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 888
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #8 on: May 21, 2012, 06:17 PM »
Well, if you can disable your user's site account, then that shouldn't interrupt access from what the user said, right?
vi vi vi - editor of the beast

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #9 on: May 21, 2012, 06:49 PM »
Well, if you can disable your user's site account, then that shouldn't interrupt access from what the user said, right?

That was precisely my thought - unfortunately I only set up the site, I am not a club member myself so I can't really make that decision.

hamradio

  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 825
  • Amateur Radio Guy
    • View Profile
    • HamRadioUSA.net
    • Read more about this member.
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #10 on: May 21, 2012, 09:01 PM »
I cant find a way in my brief tests either however I did notice the website designed by link doesn't lead to Dales Computer Service...don't know if that is by design or if you forgot to change it.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Request for help - potential website security issue
« Reply #11 on: May 22, 2012, 03:54 AM »
Thanks hamradio - someone must have edited the link though I can't think why! (They largely manage their own content)