Question SOLVED: Userlist security issue
17 years 2 months ago - 17 years 2 months ago #1298
by lcdservices
SOLVED: Userlist security issue was created by lcdservices
I'm really excited to see this project fork of Fireboard. As with many people, I was frustrated at the many lingering bugs in Fireboard and the very slow pace of development.
Anyway...
There's a security issue in Fireboard that I'm guessing is still present in Kunena, related to the userlist.
Basically, there's no way to completely "shut down" the userlist function. You can hack code to remove the link from the stats bar, but the page is still available if someone knows the correct URL. And the SQL run on that page includes things like email -- even if the site is configured to have no emails visible. While email may not show up on the userlist display, it *does* show up on Google searches.
The problem is reported a few times on the old BOJ forums. It was discovered when people did Google searches on a name and the name, username, and email appeared in results, linking back to the userlist page in Fireboard forums.
There really needs to be a more secure way to shut that down and absolutely ensure people cannot view/access emails if that option is disabled.
Last edit: 17 years 2 months ago by fxstein.
17 years 2 months ago #1336
by fxstein
Replied by fxstein on topic Re:Userlist security issue
You've got PM
We love stars on the Joomla Extension Directory.
17 years 2 months ago #1373
by Matias
Replied by Matias on topic Re:Userlist security issue
I'm just looking at my forum's user list / user profile and there are no email addresses. I believe that I found the option to turn them off from the backend -- in FB 1.0.5RC2. Just checked the code: there are two ways to disable email: one is from the backend and another is via my profile.
The only problem for me is the real name, which can easily be turned off by editing code -- but it needs a better solution. And you're right: there is no way to turn the userlist off.
In short: yeah, you're right and we should have a way to disable the userlist view.
PS. check your theme (if not default) that it doesn't contain plugin/fbprofile directory. If it does, just remove it.
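The point raised in the first post (removing the link does not close the page, and the query still fetches email) and in Matias's reply (email and real name need a switch, and so does the whole userlist) comes down to enforcing the options server-side on every request. The following is an added example, not Kunena's or Fireboard's code; the option names, the `users` table and the column list are assumptions.

```php
<?php
// Added example (not Kunena's or Fireboard's code): server-side enforcement of the
// user-list options instead of hiding the link. Option names and the users table are assumptions.

$config = [
    'userlist_enabled' => false, // turn the whole view off, not just its link in the stats bar
    'show_email'       => false, // the site-wide "no emails visible" setting
    'show_realname'    => false,
];

function userlistColumns(array $config): array
{
    // Select only what the configuration allows: a column that is never fetched
    // cannot end up in the HTML or in a search engine's copy of the page.
    $columns = ['username'];
    if ($config['show_realname']) {
        $columns[] = 'name';
    }
    if ($config['show_email']) {
        $columns[] = 'email';
    }
    return $columns;
}

function renderUserlist(PDO $db, array $config): string
{
    // Enforced on every request, so a guessed URL gets the same answer as the missing link.
    if (!$config['userlist_enabled']) {
        http_response_code(403);
        return 'The user list is disabled on this site.';
    }
    // Even when enabled, keep the page out of search-engine indexes.
    header('X-Robots-Tag: noindex, nofollow');

    // Column names come from the fixed list above, never from the request.
    $sql = 'SELECT ' . implode(', ', userlistColumns($config)) . ' FROM users ORDER BY username';
    $items = '';
    foreach ($db->query($sql, PDO::FETCH_ASSOC) as $row) {
        $safe = array_map(fn ($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'), $row);
        $items .= '  <li>' . implode(' ', $safe) . "</li>\n";
    }
    return "<ul>\n{$items}</ul>\n";
}

// Constructed in-memory table so the example runs stand-alone (php userlist.php).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT, name TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'Alice Example', 'alice@example.test')");
echo renderUserlist($db, $config), "\n";
echo renderUserlist($db, ['userlist_enabled' => true] + $config);
```

This does not cover the case from the later reply where a user registered with their email address as their username; that is a matter of validating the username at registration time, not of the userlist view.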
17 years 2 months ago #1385
by lcdservices
Replied by lcdservices on topic Re:Userlist security issue
You're right -- email is not included.
The user that brought it to my attention had used their email address as their username (!).
But there still needs to be a clean and effective way of turning the userlist completely off. I'm fine for the time being (hacked the link out and removed the userlist script). But hopefully it can make it into a future release in a more complete way.