Kunena 6.3.0 released

The Kunena team has announce the arrival of Kunena 6.3.0 [K 6.3.0] in stable which is now available for download as a native Joomla extension for J! 4.4.x/5.0.x/5.1.x. This version addresses most of the issues that were discovered in K 6.2 and issues discovered during the last development stages of K 6.3

Please Read This First:

This category is only for reporting defects with K 3.0.

Do not use this category:

to ask general questions about how to use K 3.0 or to ask when new versions of Kunena will be released;
to ask about other (older) versions of Kunena; or
if you have tried to install K 3.0 on J! 1.5; or
if you installed K 3.0 on a live, production site and you want your site restored to its previous state; or
if this website ( www.kunena.org ) works but works differently to how you expected.

You must include your K 3.0 configuration report; if you do not include your configuration report, your topic may be closed (locked) or deleted without any further warnings from the moderators.

Topics that have been closed (resolved) will be archived and no further discussion on those topics will be allowed.

Solved Security: Configuration setting "Allow Guests to see Userlist = No" does not prevent guests viewing the userlist

sozzled
Topic Author
Offline
Banned

9 years 1 month ago - 9 years 1 month ago #1 by sozzled

Security: Configuration setting "Allow Guests to see Userlist = No" does not prevent guests viewing the userlist was created by sozzled

The following setting

Kunena Forum: Configuration » Security » Security Settings » Allow Guests to see Userlist = No

is designed to prevent people seeing the list of users on your website. What it does is to disable the link that appears on the bottom of the forum page (see screenshot below)

But, even though the link is disabled, it is possible for guests to view the userlist by entering the URL

http://<yoursite>/forum/user/list

This can easily be tested but, for the sake of completeness, I am attaching my configuration report below.

This message contains confidential information

Database collation check: The collation of your table fields are correct

Joomla! SEF: Enabled | Joomla! SEF rewrite: Enabled | FTP layer: Disabled |

This message contains confidential information
htaccess: Exists | PHP environment: Max execution time: 30 seconds | Max execution memory: 128M | Max file upload: 64M

Kunena menu details:

Warning: Spoiler!

ID Name Menutype Link Path In trash

146 Forum mainmenu Itemid=159 kunena-2013-06-28 No

159 Forum kunenamenu view=home&defaultmenu=160 forum No

160 Index kunenamenu view=category&layout=list forum/index No

161 Recent Topics kunenamenu view=topics&mode=replies forum/recent No

162 New Topic kunenamenu view=topic&layout=create forum/newtopic No

163 No Replies kunenamenu view=topics&mode=noreplies forum/noreplies No

164 My Topics kunenamenu view=topics&layout=user&mode=default forum/mylatest No

165 Profile kunenamenu view=user forum/profile No

166 Help kunenamenu view=misc forum/help No

167 Search kunenamenu view=search forum/search No

Joomla default template details : protostar | author: Kyle Ledbetter | version: 1.0 | creationdate: Unknown

Kunena default template details : Blue Eagle | author: Kunena Team | version: 3.0.7 | creationdate: 2015-02-01

Kunena version detailed: Kunena 3.0.7 | 2015-02-01 [ Galah ]
| Kunena detailed configuration:

Warning: Spoiler!

Kunena config settings:

board_offline 0

enablerss 1

threads_per_page 20

messages_per_page 6

messages_per_page_search 15

showhistory 1

historylimit 6

shownew 1

disemoticons 0

template blue_eagle

showannouncement 1

avataroncat 0

catimagepath category_images

showchildcaticon 1

rtewidth 450

rteheight 300

enableforumjump 1

reportmsg 1

username 1

askemail 0

showemail 0

showuserstats 1

showkarma 0

useredit 1

useredittime 0

useredittimegrace 600

editmarkup 1

allowsubscriptions 1

subscriptionschecked 0

allowfavorites 1

maxsubject 50

maxsig 300

regonly 0

pubwrite 0

floodprotection 0

mailmod 0

mailadmin 0

captcha 0

mailfull 1

allowavatarupload 1

allowavatargallery 1

avatarquality 75

avatarsize 2048

imageheight 800

imagewidth 800

imagesize 150

filetypes txt,rtf,pdf,zip,tar.gz,tgz,tar.bz2

filesize 120

showranking 1

rankimages 1

userlist_rows 30

userlist_online 1

userlist_avatar 1

userlist_name 1

userlist_posts 1

userlist_karma 1

userlist_email 0

userlist_joindate 1

userlist_lastvisitdate 1

userlist_userhits 1

latestcategory

showstats 1

showwhoisonline 1

showgenstats 1

showpopuserstats 1

popusercount 5

showpopsubjectstats 1

popsubjectcount 5

usernamechange 0

showspoilertag 1

showvideotag 1

showebaytag 1

trimlongurls 1

trimlongurlsfront 40

trimlongurlsback 20

autoembedyoutube 1

autoembedebay 1

sessiontimeout 1800

highlightcode 0

rss_type topic

rss_timelimit month

rss_limit 100

rss_included_categories

rss_excluded_categories

rss_specification rss2.0

rss_allow_html 1

rss_author_format name

rss_author_in_title 1

rss_word_count 0

rss_old_titles 1

rss_cache 900

defaultpage recent

default_sort asc

sef 1

showimgforguest 1

showfileforguest 1

pollnboptions 4

pollallowvoteone 1

pollenabled 1

poppollscount 5

showpoppollstats 1

polltimebtvotes 00:15:00

pollnbvotesbyuser 100

pollresultsuserslist 1

maxpersotext 50

ordering_system mesid

post_dateformat ago

post_dateformat_hover datetime

hide_ip 1

imagetypes jpg,jpeg,gif,png

checkmimetypes 1

imagemimetypes image/jpeg,image/jpg,image/gif,image/png

imagequality 50

thumbheight 32

thumbwidth 32

hideuserprofileinfo put_empty

boxghostmessage 0

userdeletetmessage 0

latestcategory_in 1

topicicons 1

debug 0

catsautosubscribed 0

showbannedreason 0

version_check 1

showthankyou 1

showpopthankyoustats 1

popthankscount 5

mod_see_deleted 0

bbcode_img_secure text

listcat_show_moderators 1

lightbox 1

show_list_time 720

show_session_type 0

show_session_starttime 0

userlist_allowed 1

userlist_count_users 1

enable_threaded_layouts 0

category_subscriptions post

topic_subscriptions every

pubprofile 0

thankyou_max 10

email_recipient_count 0

email_recipient_privacy bcc

captcha_post_limit 0

keywords 0

userkeywords 0

image_upload registered

file_upload registered

topic_layout flat

time_to_create_page 1

show_imgfiles_manage_profile 1

hold_newusers_posts 0

hold_guest_posts 0

attachment_limit 8

pickup_category 0

article_display intro

send_emails 1

fallback_english 1

cache 1

cache_time 60

iptracking 1

rss_feedburner_url

autolink 1

access_component 1

statslink_allowed 0

superadmin_userlist 0

ebay_language 0

ebaylanguagecode en-us

credits 1

| Kunena integration settings:

Warning: Spoiler!

Kunena - AlphaUserPoints Disabled
Kunena - Community Builder Disabled
Kunena - Gravatar Disabled
Kunena - JomSocial Disabled
Kunena - Joomla Enabled: access=1 login=1
Kunena - Kunena Enabled: avatar=1 profile=1
Kunena - UddeIM Disabled

| Joomla! detailed language files installed:

Warning: Spoiler!

Joomla! languages installed:

en-GB English (en-GB)

Kunena config settings:
board_offline	0
enablerss	1
threads_per_page	20
messages_per_page	6
messages_per_page_search	15
showhistory	1
historylimit	6
shownew	1
disemoticons	0
template	blue_eagle
showannouncement	1
avataroncat	0
catimagepath	category_images
showchildcaticon	1
rtewidth	450
rteheight	300
enableforumjump	1
reportmsg	1
username	1
askemail	0
showemail	0
showuserstats	1
showkarma	0
useredit	1
useredittime	0
useredittimegrace	600
editmarkup	1
allowsubscriptions	1
subscriptionschecked	0
allowfavorites	1
maxsubject	50
maxsig	300
regonly	0
pubwrite	0
floodprotection	0
mailmod	0
mailadmin	0
captcha	0
mailfull	1
allowavatarupload	1
allowavatargallery	1
avatarquality	75
avatarsize	2048
imageheight	800
imagewidth	800
imagesize	150
filetypes	txt,rtf,pdf,zip,tar.gz,tgz,tar.bz2
filesize	120
showranking	1
rankimages	1
userlist_rows	30
userlist_online	1
userlist_avatar	1
userlist_name	1
userlist_posts	1
userlist_karma	1
userlist_email	0
userlist_joindate	1
userlist_lastvisitdate	1
userlist_userhits	1
latestcategory
showstats	1
showwhoisonline	1
showgenstats	1
showpopuserstats	1
popusercount	5
showpopsubjectstats	1
popsubjectcount	5
usernamechange	0
showspoilertag	1
showvideotag	1
showebaytag	1
trimlongurls	1
trimlongurlsfront	40
trimlongurlsback	20
autoembedyoutube	1
autoembedebay	1
sessiontimeout	1800
highlightcode	0
rss_type	topic
rss_timelimit	month
rss_limit	100
rss_included_categories
rss_excluded_categories
rss_specification	rss2.0
rss_allow_html	1
rss_author_format	name
rss_author_in_title	1
rss_word_count	0
rss_old_titles	1
rss_cache	900
defaultpage	recent
default_sort	asc
sef	1
showimgforguest	1
showfileforguest	1
pollnboptions	4
pollallowvoteone	1
pollenabled	1
poppollscount	5
showpoppollstats	1
polltimebtvotes	00:15:00
pollnbvotesbyuser	100
pollresultsuserslist	1
maxpersotext	50
ordering_system	mesid
post_dateformat	ago
post_dateformat_hover	datetime
hide_ip	1
imagetypes	jpg,jpeg,gif,png
checkmimetypes	1
imagemimetypes	image/jpeg,image/jpg,image/gif,image/png
imagequality	50
thumbheight	32
thumbwidth	32
hideuserprofileinfo	put_empty
boxghostmessage	0
userdeletetmessage	0
latestcategory_in	1
topicicons	1
debug	0
catsautosubscribed	0
showbannedreason	0
version_check	1
showthankyou	1
showpopthankyoustats	1
popthankscount	5
mod_see_deleted	0
bbcode_img_secure	text
listcat_show_moderators	1
lightbox	1
show_list_time	720
show_session_type	0
show_session_starttime	0
userlist_allowed	1
userlist_count_users	1
enable_threaded_layouts	0
category_subscriptions	post
topic_subscriptions	every
pubprofile	0
thankyou_max	10
email_recipient_count	0
email_recipient_privacy	bcc
captcha_post_limit	0
keywords	0
userkeywords	0
image_upload	registered
file_upload	registered
topic_layout	flat
time_to_create_page	1
show_imgfiles_manage_profile	1
hold_newusers_posts	0
hold_guest_posts	0
attachment_limit	8
pickup_category	0
article_display	intro
send_emails	1
fallback_english	1
cache	1
cache_time	60
iptracking	1
rss_feedburner_url
autolink	1
access_component	1
statslink_allowed	0
superadmin_userlist	0
ebay_language	0
ebaylanguagecode	en-us
credits	1

Joomla! languages installed:
en-GB	English (en-GB)

Third-party components: None

Third-party SEF components: None

Plugins: None

Modules: None

I will be interested to hear what the Kunena developers have to say about plugging this security hole.

Blue Eagle vs. Crypsis reference guide
Read my blog and

Attachments:

Last edit: 9 years 1 month ago by sozzled.

Please Log in or Create an account to join the conversation.

rich
Offline
Kunena Moderator

9 years 1 month ago #2 by rich

Replied by rich on topic Security: Configuration setting "Allow Guests to see Userlist = No" does not prevent guests viewing the userlist

I've reported it on git.
github.com/Kunena/Kunena-Forum/issues/2835

Please Log in or Create an account to join the conversation.

sozzled
Topic Author
Offline
Banned

9 years 1 month ago #3 by sozzled

Replied by sozzled on topic Security: Configuration setting "Allow Guests to see Userlist = No" does not prevent guests viewing the userlist

I am pleased to see that 810 has found a solution to this issue and that it will be included in K 3.0.8. I am sure that a lot of people will be very happy when this security hole has been closed when K 3.0.8 is released. I hope that K 3.0.8 will be released very soon to address this security problem.

Please leave this topic open until K 3.0.8 has been released.

Thank you.

Blue Eagle vs. Crypsis reference guide
Read my blog and

Please Log in or Create an account to join the conversation.

sozzled
Topic Author
Offline
Banned

8 years 10 months ago #4 by sozzled

Replied by sozzled on topic Security: Configuration setting "Allow Guests to see Userlist = No" does not prevent guests viewing the userlist

We can mark this one as solved and the topic can be archived.

Thanks, guys.

Blue Eagle vs. Crypsis reference guide
Read my blog and

Please Log in or Create an account to join the conversation.

Time to create page: 0.603 seconds