Topics that are moved into this category are generally considered to be closed. Users may want to add additional information but these topics should not be resurrected in order to discuss new problems or unrelated matters.

Important [Topic closed by moderator - version superseded] Userlist security issue - not solved for me - 1.5.8

14 years 1 month ago - 14 years 3 weeks ago #1 by Jay44
www.kunena.com/forum?func=view&catid=4&id=1298

Hi people

When I do a search about my security issue with the Kunena user lists I find the SOLVED post above.

46 people are looking at this post with me, so I think that indicates I am not alone.

I have the setting for access to userlist turned off.

History on my site means that it was turned on until Nov 2008.

A search for this list, or some users' names, will give direct access to the user list via the href - with /forum/userlist?start=270 at the end.

In my CB field settings, the only fields available are the user name, everything else is no access, but add-ons like newsletters and ads manager add their public information.

It is still a problem for me because some users have put their real name as their user name, and then get upset when they see it on the improperly accessed list. They have the perception that my site is not secure with their information.


Action I have taken:
    The forum is offline until I fix this issue

    I have added a disallow to the robots.txt file for this access path

    I have reported to google that this 2008 result is no longer valid - but they will just point me to the software glitch!

How do I prevent this direct access which overrides all my Kunena settings?

I consider it a bug.

Any help much appreciated.

Jay
Last edit: 14 years 3 weeks ago by sozzled. Reason: Topic closed

14 years 1 month ago - 14 years 1 month ago #2 by sozzled
Let me see if I correctly understand your situation. I am, for the time being, ignoring the reference to a discussion topic that occurred over 12 months ago, so let's move on from that.

If I understand correctly, you are using K 1.5.8. Please upgrade to K 1.5.9.

If I understand correctly, you have users, who do not have accounts or who do not login to your website, who are able to examine the Kunena user list. Is that what you are saying? Yes, that behaviour appears to be consistent with what occurs here at Kunena.com.

You state that you have changed the "setting for access to the userlist turned off". Which setting(s) have you changed?

Let's also discount the use of Community Builder for the time being, unless you want CB to be the main focus of your problem. For the purposes of establishing what, if anything, needs to be done to Kunena, would you please turn off integration of Kunena with Community Builder.

Yes, you could be right and this may be a genuine defect with Kunena, but let's eliminate anything extraneous to the current version of Kunena.
Last edit: 14 years 1 month ago by sozzled.

14 years 1 month ago #3 by Jay44
sozzled wrote:

> Let me see if I correctly understand your situation. I am, for the time being, ignoring the reference to a discussion topic that occurred over 12 months ago, so let's move on from that.

ok, but it seems to be the same issue

> If I understand correctly, you are using K 1.5.8. Please upgrade to K 1.5.9.

I am unable to do this right now, as the server is offline, but I have downloaded 1.5.9 and with any luck it will fix my problem.

I will report back as soon as I have a 1.5.9 install available to test.

> If I understand correctly, you have users, who do not have accounts or who do not login to your website, who are able to examine the Kunena user list. Is that what you are saying? Yes, that behaviour appears to be consistent with what occurs here at Kunena.com.

Yes - but I do not want users outside of the site or even inside the site to see the user list. Seeing the user list gives them the perception of no privacy.

> You state that you have changed the "setting for access to the userlist turned off". Which setting(s) have you changed?

- it is the setting about userlists in the Kunena config (I have no access to my site at present because the hoster has taken the server down - when it is up I can tell you exactly, but I think there is only one setting for this within Kunena config)

> Let's also discount the use of Community Builder for the time being, unless you want CB to be the main focus of your problem. For the purposes of establishing what, if anything, needs to be done to Kunena, would you please turn off integration of Kunena with Community Builder.

I just meant that all the field descriptions within CB are set to not show on the profile - but I agree that this has nothing to do with the Kunena problem.
I had turned off the integration, and the problem persists.

> Yes, you could be right and this may be a genuine defect with Kunena, but let's eliminate anything extraneous to the current version of Kunena.

Thank you very much for your reply and help.

Jay

14 years 1 month ago #4 by sozzled
My comments in blue:

Jay44 wrote:

> sozzled wrote:
>
>> Let me see if I correctly understand your situation. I am, for the time being, ignoring the reference to a discussion topic that occurred over 12 months ago, so let's move on from that.
>
> ok, but it seems to be the same issue

I sympathise with your predicament; this appears to be one of those grave security concerns that arose from Fireboard. The Kunena project is attempting to disengage from the many dozens of legacy issues that gave Fireboard an unfortunately poor reputation and this issue appears to be one of them. That point is agreed and, like I said, let's move on.

>> If I understand correctly, you are using K 1.5.8. Please upgrade to K 1.5.9.
>
> I am unable to do this right now, as the server is offline, but I have downloaded 1.5.9 and with any luck it will fix my problem.
>
> I will report back as soon as I have a 1.5.9 install available to test.

K 1.5.9 is supported. K 1.5.8 is not. The development team is currently working on releasing an end-of-life K 1.5.10 stable version in order to shift focus towards K 1.6 and, most importantly, K 2.0 after that. K 2.0 will be a total rewrite and will bear no resemblance to Fireboard. Therefore, it is reasonable to expect that some of the problems you refer to may not be fixable in the very short term.

>> If I understand correctly, you have users, who do not have accounts or who do not login to your website, who are able to examine the Kunena user list. Is that what you are saying? Yes, that behaviour appears to be consistent with what occurs here at Kunena.com.
>
> Yes - but I do not want users outside of the site or even inside the site to see the user list. Seeing the user list gives them the perception of no privacy.

An alternative proposition is to lock-out access to your Kunena forum by requiring users to have an account and to login. In view of the importance you place on the "security" of this information, have you considered this approach?

>> You state that you have changed the "setting for access to the userlist turned off". Which setting(s) have you changed?
>
> - it is the setting about userlists in the Kunena config (I have no access to my site at present because the hoster has taken the server down - when it is up I can tell you exactly, but I think there is only one setting for this within Kunena config)

I am looking forward to learning from you, what setting you have defined.

>> Let's also discount the use of Community Builder for the time being, unless you want CB to be the main focus of your problem. For the purposes of establishing what, if anything, needs to be done to Kunena, would you please turn off integration of Kunena with Community Builder.
>
> I just meant that all the field descriptions within CB are set to not show on the profile - but I agree that this has nothing to do with the Kunena problem.
> I had turned off the integration, and the problem persist.

>> Yes, you could be right and this may be a genuine defect with Kunena, but let's eliminate anything extraneous to the current version of Kunena.

The only other comment I would make about the Kunena user list is this: there isn't a lot of what I would describe as sensitive information that may lead to the identification of who your members are. I agree, the user list lists the usernames of your members, when they joined, and some other basic information, but it doesn't show email addresses, for example (well, not unless you want to show that information). So, really, maybe there aren't major security issues. But I agree: there should be a way of keeping this information away from the sight of those who are not registered members of your site. As I said, you may need to stop guests from having read access to your forums. That would solve the problem. B)

14 years 1 month ago #5 by Matias
Quick fix:

components/com_kunena/template/default/plugin/userlist/userlist.php line 23

From:
defined( '_JEXEC' ) or die('Restricted access');

To:
defined( '_UNDEFINED' ) or die('Restricted access');

Added a bug report from this.

14 years 1 month ago - 14 years 1 month ago #6 by Jay44
Thanks Matias and sozzled for your care and attention!

I thought there was a setting to "Show User List" - which I had set to no.

The result of this was that if you clicked on the userlist link that appeared in the stats at the bottom of the main forum page - you just got a message "userlist not available".

I can't find this setting - I think it was a Fireboard setting!, but I have altered the setting in the Kunena Configuration in Plugins - userlist.

- I have set the number of rows to 0

The other fix I came up with was to change the alias for the page that brings up my forum on the site. The page found via a google search was left over from 2008 when a previous moderation had the "Show userlist" set to yes. Because the SEF link name was the same, then the old result - mysite.com/forum/userlist?start=270 still worked and bypassed the other forum settings.

"forum" is a menu alias - so with this changed, the old google result now gets a 404

It was a bit of a shock that this old search result would produce the list!

Anyway - these fixes have worked to prevent access to the userlist.

Thanks for a great forum component, and I look forward to the 1.6 series!

J
Last edit: 14 years 1 month ago by Jay44.
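
Added example, not part of the original thread and not Kunena code: one way to confirm from web-server access logs whether the user list was still being served at URLs such as /forum/userlist?start=270, and that the workarounds above now produce an error response. It assumes the Apache/Nginx "combined" log format; the function name `audit_userlist_hits` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/Nginx "combined" access-log format (assumed log layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

def audit_userlist_hits(lines, endpoint="userlist"):
    """Summarise requests whose last path segment is `endpoint`.

    Matching on the last segment keeps the check valid after the menu
    alias ("forum") is renamed. Returns (status_counts, served), where
    `served` lists every 2xx response: with the user list meant to be
    disabled for everyone, each of those is a finding.
    """
    status_counts, served = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore it
        path = urlsplit(m["target"]).path.rstrip("/")
        if path.rsplit("/", 1)[-1].lower() != endpoint:
            continue
        status = int(m["status"])
        status_counts[status] += 1
        if 200 <= status < 300:
            served.append((m["ts"], m["ip"], m["target"], m["agent"] or ""))
    return status_counts, served

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2010:09:12:01 +0000] "GET /forum/userlist?start=270 HTTP/1.1" 200 18432 "http://www.google.com/search?q=example" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2010:09:15:44 +0000] "GET /forum/userlist?start=0 HTTP/1.1" 200 18120 "-" "ExampleCrawler/1.0"',
    '203.0.113.7 - - [10/Mar/2010:09:16:02 +0000] "GET /forum/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2010:11:02:10 +0000] "GET /forum/userlist?start=270 HTTP/1.1" 404 512 "-" "ExampleCrawler/1.0"',
]

if __name__ == "__main__":
    counts, served = audit_userlist_hits(SAMPLE_LOG)
    print(dict(counts))
    for hit in served:
        print(*hit)
```

A robots.txt disallow only asks crawlers not to fetch the path, so it is the status codes in the log, not the robots.txt entry, that show whether the list is still reachable.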

14 years 1 month ago #7 by Matias
We have already fixed the userlist issue by adding a new setting to (yet to be released) K1.5.11. But it's good to know that there is a workaround for it.
