Kunena 7.0.4 Released

The Kunena team has announced the arrival of Kunena 7.0.4 [K 7.0.4] in stable, which is now available for download as a native Joomla extension for J! 5.4.x/6.0.x. This version addresses most of the issues that were discovered in K 6.2 / K 6.3 / K 6.4 and issues discovered during the last development stages of K 7.0.

Please Read This First:

Please read the guides posted as sticky topics in this category. For a quicker response, please give as much information as possible to help us understand the problem (see How To Ask Questions The Smart Way and What information should I include when I ask for help (including how to post my configuration report)?).

This category is only for reporting defects with K 2.0. Before you post, please read Before you post your question, read this first.

Do not use this category:
  • if this website (www.kunena.org) works but works differently to how you expected;
  • for requests to add or remove the standard features of Kunena;
  • for questions commonly asked or "how to" in nature (see the FAQs menu tab above);
  • for help with Kunena versions that are not the latest stable release; or
  • for general Joomla or website administration matters

You must include your K 2.0 configuration report; if you do not include your configuration report, your topic may be closed (locked) or deleted without any further warnings from the moderators.

K 2.0 support will cease on 31 August 2013 and this section of the forum will be closed and archived after that time and no further questions will be answered about this version.

Important Security: Search option exposes account login data

13 years 1 month ago #142379 by Winuser
Kunena has had a long history of confounding the username and screen name, and I think I've discovered yet another security problem connected with that old habit.

Searching for a member name triggers a list of login names--not only for the user in question, but for other members with a matching search!

Am I correct in assuming that the search option behavior assumes login = real name? What a terrible revelation for websites that opt for separate login and display names.

If you search for a known screen name, you can get a list of member's login names. Wow!


13 years 1 month ago #142383 by sozzled
Your K 2.0 configuration report would greatly assist.


13 years 1 month ago #142385 by Winuser
It hasn't changed. I'll refer you a few topics down:

www.kunena.org/forum/K-2-0-Support/12699...ntom-accounts#141786

As an aside, there ought to be fewer knee-jerk configuration requests and more emphasis on thinking about what is being reported.

I've described a design flaw that impacts the use of "Real Name" logic, so obviously the only relevant setting is Display User Name, which must be disabled if the website is using separate display and login names.

You'll probably save precious time by ignoring the configuration report and instead going directly to your source code to confirm or deny that a problem exists when you search for posts by JohnScreenName, who logs in using john.at.mail.dot.com.

Wouldn't you get a nice little droplist revealing email addresses for users matching the search???


13 years 1 month ago - 13 years 1 month ago #142410 by sozzled
Whenever the Kunena team sees the word "SECURITY" (in capitals) as the subject of a topic posted in the K 2.0 Support category, everything stops! We take security questions very seriously! Whenever someone reports something that has this keyword "SECURITY" in the topic, we assume that people are serious and do not want the team to overlook something that could have massive repercussions both in terms of the reputation and prestige of Kunena as a product, but also in terms of the potential risks that people believe exist for the whole community.

In serious cases, like these, the quicker we get the most up-to-date configuration report, the sooner we can investigate the problem.

Therefore, let's forget that we had to spend time searching around the forum to try to find the last configuration report that you posted and had hoped that nothing had changed since then and now.

"Knee-jerk reaction" assertions, aside, we're only trying to obtain the most information that we can obtain to establish what's going on in this case - the only one that has been reported so far - to see whether we can reproduce the conditions on our own testing environments.

Winuser wrote: Searching for a member name triggers a list of login names--not only for the user in question, but for other members with a matching search!

I spent a lot of time trying this out, here, at www.kunena.org . In our case here, entering a partial name in the "search by username" field (see image below) generates a list of username "suggestions" populated by AJAX:
Is this what we are discussing?

I want to be very clear that we understand exactly what it is that you believe is a security issue. Looking forward to your reply.
Last edit: 13 years 1 month ago by sozzled.


13 years 1 month ago #142555 by Matias
I think it's this one.

Personally I don't see this as a security bug, as it cannot be used in attacks against the site. If someone wants to attack and knows an existing vulnerability, why not create an account of his own and use that instead.

But that said, I do agree that the search box is revealing information that administrator wants to hide, which is why it needs to be fixed.

github.com/Kunena/Kunena-2.0/issues/1620


13 years 1 month ago #142571 by Winuser
I kind of pointed out earlier why this might not appear to be an important security issue at THIS website: you assume login name = display name!!!

The entire purpose of the Real Name toggle is to secure the login details. I really wish the developers would stop lapsing on this fact, because it has been explained to the team before and backed up by other ordinary Joomla administrators.

So start with the Sozzled screenshot, but don't turn off your brain yet. You have to change the Real Name mode and imagine that members log in with a private string (e.g., an email address). For example, I am seen as "winuser" but maybe I log in as "winuser4321."

If you cannot see this as a legitimate security issue, then you have no real business designing forum software that will be used on thousands and thousands of Joomla websites. I say that out of pure astonishment--not to impugn your work or dedication.

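The disclosure this thread describes, as an added example (not Kunena's own code): a minimal model of a "search by username" suggestion endpoint, with the leaky behaviour next to a hardened version and an audit check a site administrator could run over the suggestions the endpoint returns. The user table, the example accounts (including the "winuser"/"winuser4321" and "JohnScreenName"/"john.at.mail.dot.com" pairs from the posts above) and the setting name `display_real_name` are constructed stand-ins for Kunena's "Display User Name" / Real Name setting.

```python
# Added example (not Kunena's own code): the username-suggestion leak
# discussed in this thread, modelled on a constructed user table.
# `display_real_name` stands in for Kunena's "Display User Name" setting.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str  # login name; may be an e-mail address or another private string
    name: str      # public display ("real") name shown on the forum


# Constructed sample accounts. Three of the four log in with a string that
# is never shown publicly; "admin" uses the same value for both columns.
USERS = [
    User("winuser4321", "winuser"),
    User("john.at.mail.dot.com", "JohnScreenName"),
    User("j.doe@example.invalid", "JohnDoe"),
    User("admin", "admin"),
]


def suggest_leaky(prefix, users, display_real_name):
    """Flawed behaviour: the typed prefix is matched against either column,
    but the login name is always what gets returned. The display setting is
    ignored, which is exactly the defect: with real names on, a search for a
    public screen name hands back the private login string."""
    p = prefix.lower()
    return sorted({
        u.username for u in users
        if u.username.lower().startswith(p) or u.name.lower().startswith(p)
    })


def suggest_fixed(prefix, users, display_real_name):
    """Hardened behaviour: the column that is searched and the column that is
    returned are both the one the forum is configured to display. With real
    names on, the login column never enters the suggestion query at all."""
    p = prefix.lower()
    field = "name" if display_real_name else "username"
    return sorted({
        getattr(u, field) for u in users
        if getattr(u, field).lower().startswith(p)
    })


def leaked_login_names(suggestions, users, display_real_name):
    """Audit check: which returned values are login names that differ from the
    account's public display name? An empty list means nothing private was
    exposed. When real names are off, login names are public anyway."""
    if not display_real_name:
        return []
    private = {u.username for u in users if u.username != u.name}
    return sorted(set(suggestions) & private)


if __name__ == "__main__":
    for prefix in ("john", "win", "adm"):
        leaky = suggest_leaky(prefix, USERS, True)
        fixed = suggest_fixed(prefix, USERS, True)
        print(f"{prefix!r} leaky: {leaky} -> leaked {leaked_login_names(leaky, USERS, True)}")
        print(f"{prefix!r} fixed: {fixed} -> leaked {leaked_login_names(fixed, USERS, True)}")
```

The point of the audit function is that the test is not "does the endpoint return usernames" but "does it return usernames that the forum otherwise keeps private"; the "admin" account, whose login and display names coincide, is correctly not reported as a leak, while a search for "john" against the leaky endpoint surfaces two login strings that are never shown on the site.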
