
Please Read This First:


Please read the guides posted as sticky topics in this category. For a quicker response, please give as much information to help us understand the problem (see How To Ask Questions The Smart Way and What information should I include when I ask for help (including how to post my configuration report)? ).

This category is only for reporting defects with K 2.0. Please read, before you post, "Before you post your question, read this first".

Do not use this category:
  • if this website ( www.kunena.org ) works but works differently to how you expected;
  • for requests to add or remove the standard features of Kunena;
  • for questions commonly asked or "how to" in nature (see the FAQs menu tab above);
  • for help with Kunena versions that are not the latest stable release; or
  • for general Joomla or website administration matters

You must include your K 2.0 configuration report; if you do not include your configuration report, your topic may be closed (locked) or deleted without any further warnings from the moderators.

K 2.0 support will cease on 31 August 2013 and this section of the forum will be closed and archived after that time and no further questions will be answered about this version.

Important Security: Search option exposes account login data

10 years 11 months ago #1 by Winuser
Kunena has had a long history of confounding the username and screen name, and I think I've discovered yet another security problem connected with that old habit.

Searching for a member name triggers a list of login names--not only for the user in question, but for other members with a matching search!

Am I correct in assuming that the search option behavior assumes login = real name? What a terrible revelation for websites that opt for separate login and display names.

If you search for a known screen name, you can get a list of member's login names. Wow!

10 years 11 months ago #2 by sozzled
Your K 2.0 configuration report would greatly assist.

10 years 11 months ago #3 by Winuser
It hasn't changed. I'll refer you a few topics down:

www.kunena.org/forum/K-2-0-Support/12699...ntom-accounts#141786

As an aside, there ought to be fewer knee-jerk configuration requests and more emphasis on thinking about what is being reported.

I've described a design flaw that impacts the use of "Real Name" logic, so obviously the only relevant setting is Display User Name, which must be disabled if the website is using separate display and login names.

You'll probably save precious time by ignoring the configuration report and instead going directly to your source code to confirm or deny that a problem exists when you search for posts by JohnScreenName, who logs in using john.at.mail.dot.com.

Wouldn't you get a nice little droplist revealing email addresses for users matching the search???

10 years 11 months ago - 10 years 11 months ago #4 by sozzled
Whenever the Kunena team sees the word "SECURITY" (in capitals) as the subject of a topic posted in the K 2.0 Support category, everything stops! We take security questions very seriously! Whenever someone reports something that has this keyword "SECURITY" in the topic, we assume that people are serious and do not want the team to overlook something that could have massive repercussions both in terms of the reputation and prestige of Kunena as a product, but also in terms of the potential risks that people believe exist for the whole community.

In serious cases, like these, the quicker we get the most up-to-date configuration report, the sooner we can investigate the problem.

Therefore, let's forget that we had to spend time searching around the forum to try to find the last configuration report that you posted and had hoped that nothing had changed since then and now.

"Knee-jerk reaction" assertions, aside, we're only trying to obtain the most information that we can obtain to establish what's going on in this case - the only one that has been reported so far - to see whether we can reproduce the conditions on our own testing environments.

Winuser wrote: Searching for a member name triggers a list of login names--not only for the user in question, but for other members with a matching search!

I spent a lot of time trying this out, here, at www.kunena.org . In our case here, entering a partial name in the "search by username" field (see image below) generates a list of username "suggestions" populated by AJAX:



Is this what we are discussing?

I want to be very clear that we understand exactly what it is that you believe is a security issue. Looking forward to your reply.
Last edit: 10 years 11 months ago by sozzled.

10 years 11 months ago #5 by Matias
I think it's this one.

Personally I don't see this as a security bug, as it cannot be used in attacks against the site. If someone wants to attack and knows an existing vulnerability, why not create an account of his own and use that instead?

But that said, I do agree that the search box is revealing information that the administrator wants to hide, which is why it needs to be fixed.

github.com/Kunena/Kunena-2.0/issues/1620

10 years 11 months ago #6 by Winuser
I kind of pointed out earlier why this might not appear like an important security issue at THIS website: you assume login name = display name !!!

The entire purpose of the Real Name toggle is to secure the login details. I really wish the developers would stop lapsing on this fact, because it has been explained to the team before and backed up by other ordinary Joomla administrators.

So start with the Sozzled screenshot, but don't turn off your brain yet. You have to change the Real Name mode and imagine that members log in with a private string (e.g., an email address). For example, I am seen as "winuser" but maybe I log in as "winuser4321."

If you cannot see this as a legitimate security issue, then you have no real business designing forum software that will be used on thousands and thousands of Joomla websites. I say that out of pure astonishment--not to impugn your work or dedication.

10 years 11 months ago - 10 years 11 months ago #7 by sozzled
That's your opinion, winuser. We will gladly refund all the money that you have given to the Kunena project. Thank you for your input.

We are working to improve Kunena and to do all that the community asks of us. Please have a little patience and don't assert that we have no business doing what we love to do and get no money and little gratitude for in return.

We agree that this is a defect of K 2.0.4 and we'll do our best to fix it. The developers are human and make mistakes (or "bugs" if you like). We agree that this is something that was not tested rigorously enough. Thank you for bringing this matter to our attention. :)
Last edit: 10 years 11 months ago by sozzled.

10 years 11 months ago #8 by Winuser
Sozzled's remark makes no sense to me. What are you on about?

In the post immediately before my follow-up, one of Kunena's developers just said that this is NOT a security bug.

I'm not sure why Sozzled is making an appeal to time and money. Does it mean this can be classified as a security bug only if I pay you to fix it? WTF! :ohmy:
The following user(s) said Thank You: ChaosHead

10 years 11 months ago #9 by Matias
No, nothing will make the bug be classified as a security vulnerability. Trust me, I worked in a security company for 7 years. Besides, only registered users can see that list -- the feature is disabled for visitors.

That said, I still think that it's a serious bug which needs to be fixed, as it is returning information which the administrator has configured to hide. It also makes no sense to confuse users with a list of names which have absolutely no meaning for the poor users.

Like most forum software, Kunena (or earlier FireBoard) was originally designed to use login names. Many forums do not even today have an option to hide that information. We added the feature because someone asked for it. We have kept improving it as bugs have been found. But it looks like the feature isn't used that much, so some issues have gone unnoticed.

We do understand why the feature is needed and we have always tried to prioritize the bugs that relate to this feature. We will do it also this time.

[strike]PS. We are also using usernames in profile page URLs. Maybe I should disable them as well, depending on the settings.[/strike]

EDIT: I take that last sentence back. Looks like I've already fixed the code to use display name, not username.

10 years 11 months ago - 10 years 11 months ago #10 by Winuser
Which file contains the code that is generating the "Search User" option? I want to delete it entirely. If you correct this behavior in another update, then fine--I won't need to delete it again.

Your reasoning that there is no security issue because only MEMBERS can access another member's login credentials is absurd.

Login Name vs. Display Name <<<---This is the reality that you keep denying. SMF, for instance, fully supported this distinction; but it didn't allow security lapses. If the forum was configured to publish display names, then no member would ever see the login name of another member.

I know full well that Kunena's problems trace back to Fireboard. If after several posts you still don't get the fundamental problem here, then I can only wait for another user to explain it better, because obviously I have not.

Anyway, if you can direct me to the file that is responsible for the "Search Users" option, I can solve the problem immediately--with only minor loss of functionality.
Last edit: 10 years 11 months ago by Winuser.
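
The behaviour discussed in this thread, sketched as an added PHP example that is not Kunena's code: a suggestion handler that ignores the Display User Name setting, beside one that honors it for both matching and output. The function names, the user records and the prefix-matching rule are assumptions made for illustration.

```php
<?php
// Added illustration, not Kunena source. All names and records are constructed.
$users = [
    ['id' => 1, 'username' => 'john.at.mail.dot.com', 'name' => 'JohnScreenName'],
    ['id' => 2, 'username' => 'winuser4321',          'name' => 'winuser'],
    ['id' => 3, 'username' => 'johanna77',            'name' => 'Hanna'],
];

// Flawed: always matches on and returns the login name, ignoring the setting.
function suggestFlawed(array $users, string $term): array
{
    $hits = [];
    foreach ($users as $u) {
        if (stripos($u['username'], $term) === 0) {
            $hits[] = $u['username'];
        }
    }
    return $hits;
}

// Corrected: the setting selects one field used for BOTH matching and output.
// Matching on the hidden field while printing the visible one would still
// confirm which prefixes exist among login names.
function suggest(array $users, string $term, bool $displayUserName): array
{
    $field = $displayUserName ? 'username' : 'name';
    $hits = [];
    foreach ($users as $u) {
        if (stripos($u[$field], $term) === 0) {
            $hits[] = $u[$field];
        }
    }
    return $hits;
}

// Regression check: with login names hidden, no suggestion may equal a login name.
function leaksLogin(array $users, array $suggestions): bool
{
    $logins = array_map('strtolower', array_column($users, 'username'));
    foreach ($suggestions as $s) {
        if (in_array(strtolower($s), $logins, true)) {
            return true;
        }
    }
    return false;
}

var_dump(suggestFlawed($users, 'joh'));
var_dump(suggest($users, 'joh', false));
var_dump(leaksLogin($users, suggest($users, 'joh', false)));
```

A check like `leaksLogin` belongs in the test suite for every code path that emits user identifiers (search suggestions, profile URLs, mention lists), run with the display setting in both positions.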
