Kunena 7.0.2 Released

The Kunena team has announced the arrival of Kunena 7.0.2 [K 7.0.2] in stable, which is now available for download as a native Joomla extension for J! 5.3.x/5.4.x/6.0.x. This version addresses most of the issues that were discovered in K 6.2 / K 6.3 / K 6.4 and issues discovered during the last development stages of K 7.0.

Please Read This First:
Please read the guides posted as sticky topics in this category. For a quicker response, please give as much information as possible to help us understand the problem (see How To Ask Questions The Smart Way and What information should I include when I ask for help (including how to post my configuration report)?).

This category is only for reporting defects with K 2.0. Before you post, please read Before you post your question, read this first.

Do not use this category:
  • if this website (www.kunena.org) works, but works differently from how you expected;
  • for requests to add or remove the standard features of Kunena;
  • for questions commonly asked or "how to" in nature (see the FAQs menu tab above);
  • for help with Kunena versions that are not the latest stable release; or
  • for general Joomla or website administration matters.

You must include your K 2.0 configuration report; if you do not include your configuration report, your topic may be closed (locked) or deleted without any further warnings from the moderators.

K 2.0 support will cease on 31 August 2013 and this section of the forum will be closed and archived after that time and no further questions will be answered about this version.

Important Security: Search option exposes account login data

12 years 11 months ago - 12 years 11 months ago #142574 by sozzled
That's your opinion, winuser. We will gladly refund all the money that you have given to the Kunena project. Thank you for your input.

We are working to improve Kunena and to do all that the community asks of us. Please have a little patience and don't assert that we have no business doing what we love to do and get no money and little gratitude for in return.

We agree that this is a defect of K 2.0.4 and we'll do our best to fix it. The developers are human and make mistakes (or "bugs" if you like). We agree that this is something that was not tested rigorously enough. Thank you for bringing this matter to our attention. :)
Last edit: 12 years 11 months ago by sozzled.

12 years 11 months ago #142576 by Winuser
Sozzled's remark makes no sense to me. What are you on about?

In the post immediately before my follow-up, one of Kunena's developers just said that this is NOT a security bug.

I'm not sure why Sozzled is making an appeal to time and money. Does it mean this can be classified as a security bug only if I pay you to fix it? WTF! :ohmy:
The following user(s) said Thank You: ChaosHead

12 years 11 months ago #142584 by Matias
No, nothing will make the bug be classified as a security vulnerability. Trust me, I worked in a security company for 7 years. Besides, only registered users can see that list -- the feature is disabled for visitors.

That said, I still think that it's a serious bug which needs to be fixed, as it is returning information which the administrator has configured to hide. It also makes no sense to confuse users with a list of names which have absolutely no meaning for the poor users.

Like most forum software, Kunena (or earlier FireBoard) was originally designed to use login names. Many forums do not even today have an option to hide that information. We added the feature because someone asked for it. We have kept improving it as bugs have been found. But it looks like the feature isn't that much used, so some issues have gone unnoticed.

We do understand why the feature is needed and we have always tried to prioritize the bugs that relate to this feature. We will do it also this time.

[strike]PS. We are also using usernames in profile page URLs. Maybe I should disable them as well, depending on the settings.[/strike]

EDIT: I take that last sentence back. Looks like I've already fixed the code to use display name, not username.

12 years 10 months ago - 12 years 10 months ago #143150 by Winuser
Which file contains the code that is generating the "Search User" option? I want to delete it entirely. If you correct this behavior in another update, then fine--I won't need to delete it again.

Your reasoning that there is no security issue because only MEMBERS can access another member's login credentials is absurd.

Login Name vs. Display Name <<<---This is the reality that you keep denying. SMF, for instance, fully supported this distinction; but it didn't allow security lapses. If the forum was configured to publish display names, then no member would ever see the login name of another member.

I know full well that Kunena's problems trace back to Fireboard. If after several posts you still don't get the fundamental problem here, then I can only wait for another user to explain it better, because obviously I have not.

Anyway, if you can direct me to the file that is responsible for the "Search Users" option, I can solve the problem immediately--with only minor loss of functionality.
Last edit: 12 years 10 months ago by Winuser.

12 years 10 months ago #143174 by Winuser
NEVERMIND: I found the code block nested within a div, in the following file:

component\kunena\template\...\html\search\default.php

If anyone needs the same modification, just search for the COM_KUNENA_SEARCH_SEARCHBY_USER language variable and you'll find the code segment to delete (look for the opening and closing DIV tags).
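
The underlying defect discussed in this thread (Matias's note about switching the code to the display name, and Winuser's removal of the search-by-user block) comes down to one rule: every view that names a user, including search matching and profile URLs, must go through the same policy check. The following PHP is an added illustration of that pattern and is not Kunena's or Joomla's code; the USERS records, the $showLoginNames flag and the function names are hypothetical stand-ins for the real configuration and user table.

```php
<?php
// Added example, not Kunena's code: a single policy function decides which
// name a viewer may see, and user search both matches and displays through
// that function, so no individual view can leak a hidden login name.

declare(strict_types=1);

// Constructed sample user records (hypothetical shape, not Joomla's schema).
const USERS = [
    ['id' => 1, 'username' => 'jsmith42',   'name' => 'John Smith'],
    ['id' => 2, 'username' => 'admin_root', 'name' => 'Site Admin'],
    ['id' => 3, 'username' => 'mlee',       'name' => 'Mary Lee'],
];

/**
 * Return the only name the forum is permitted to show for $user.
 * $showLoginNames mirrors an assumed admin setting; when false, the login
 * name never leaves this function.
 */
function presentationName(array $user, bool $showLoginNames): string
{
    return $showLoginNames ? $user['username'] : $user['name'];
}

/**
 * Search users by the name the viewer is allowed to see.
 * Matching on the hidden field while displaying the visible one would still
 * confirm login names (a query for one would return a hit), so the matched
 * field and the displayed field are deliberately the same.
 */
function searchUsers(array $users, string $query, bool $showLoginNames): array
{
    $needle = mb_strtolower(trim($query));
    if ($needle === '') {
        return [];
    }
    $hits = [];
    foreach ($users as $user) {
        $shown = presentationName($user, $showLoginNames);
        if (mb_strpos(mb_strtolower($shown), $needle) !== false) {
            // Only the id and the permitted name reach the view layer.
            $hits[] = ['id' => $user['id'], 'name' => $shown];
        }
    }
    return $hits;
}

/**
 * Profile link built from the numeric id plus a slug of the permitted name,
 * so the URL cannot reveal the login name either (cf. the profile URL point
 * raised earlier in the thread).
 */
function profilePath(array $user, bool $showLoginNames): string
{
    $slug = strtolower(trim(preg_replace('/[^A-Za-z0-9]+/', '-',
        presentationName($user, $showLoginNames)), '-'));
    return sprintf('/profile/%d-%s', $user['id'], $slug);
}

// Usage: with login names hidden, a search for a login name finds nothing,
// a search for part of a display name succeeds, and links carry no username.
$hidden = false;
print_r(searchUsers(USERS, 'jsmith', $hidden));
print_r(searchUsers(USERS, 'smith', $hidden));
echo profilePath(USERS[0], $hidden), PHP_EOL;
```

Deleting the search block, as done above, removes the symptom; routing every user-facing name through one policy function removes the class of bug, because a new view added later (search, profile, post header, private message list) cannot bypass the setting unless it deliberately reads the raw username column.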

12 years 10 months ago - 12 years 10 months ago #143187 by coder4life

Winuser wrote: Your reasoning that there is no security issue because only MEMBERS can access another member's login credentials is absurd.

Login Name vs. Display Name <<<---This is the reality that you keep denying. SMF, for instance, fully supported this distinction; but it didn't allow security lapses. If the forum was configured to publish display names, then no member would ever see the login name of another member.

I know full well that Kunena's problems trace back to Fireboard. If after several posts you still don't get the fundamental problem here, then I can only wait for another user to explain it better, because obviously I have not.
We do not consider the visibility of login names instead of a display name as a security vulnerability. I can agree this could be a security issue, but limited in scope based on the purpose and reason of individual websites where seeing a login name could have consequences (even in a closed environment controlled by account registration). There is no such concept as a display name in Joomla, and as such Kunena does not provide this configuration ability out of the box. I myself have proposed to offer a display name alternative (especially where names would be temporary, like on a gaming community). Really this is a feature request, and it will be considered as such. This is an issue with Joomla as a whole and not specific to Kunena. And no, I am not pointing fingers; Joomla or Kunena can both offer a solution, but this improvement would make more sense coming from Joomla to be consistent across other components. As such I do not think that it's fair to point to this as a Kunena software "problem". The software works as intended, with the thought-out intention of working closer to Joomla.
Last edit: 12 years 10 months ago by coder4life.
