Simple Machines Community Forum

SMF Development => Feature Requests => Topic started by: William Wolfe on February 15, 2013, 06:11:32 PM

Title: Security within reporting a PM
Post by: William Wolfe on February 15, 2013, 06:11:32 PM
When someone reports a PM, I've noticed all it does is send a PM to the admins containing the reported pm. I've also noticed that there's no special "tick" that tells you it's a real report with a real quoted message rather than a hand typed PM. It simply just gives you a PM with the info:

<reporter> has reported the below personal message, sent by <sender>, for the following reason:
<reason>

Below are the original contents of the personal message which was reported:
Quote from: <user> on <date> at <time>

Quote<original message>


Given that any user may send an admin a PM, it'd be easy to impersonate a reported message. It'd be more secure if the forum automatically added some type of mark indicating it's a real report instead of a PM that a user made that looked like a report.

My suggestion: Make it so that when a user reports a pm, it uses the same system as reporting a post does. It alerts mods/admins of the forum and has a snippet of the post/pm.
Title: Re: Security within reporting a PM
Post by: Arantor on February 15, 2013, 06:35:28 PM
There is a huge problem with using the same system as reporting a post - privacy. Many people on a forum can see the reports area, only actual admins can see the PM report.

Which sort of means it needs to stay in the PMs (especially as you can select who it would be sent to.) Trouble is, pretty much anything that you can think of in a PM could potentially be spoofed...
Title: Re: Security within reporting a PM
Post by: emanuele on February 16, 2013, 09:48:14 AM
Yep, it would need at least a separated page/s, something like that may work:
https://github.com/emanuele45/playpen/compare/pm_report
I was just playing a bit: the text strings should be different from posts and PMs, and something may be broken. O:)

Being the "permission" system based on board ids, having 0 in id_board is enough to exclude anyone that doesn't have admin rights from seeing the reported PMs.
Title: Re: Security within reporting a PM
Post by: Arantor on February 16, 2013, 10:13:08 AM
Actually, I know how it could be done without having to create a separate page - and in a way that can't be faked.

Send it with a 'guest' account. Guests can't send PMs, so unless the spoof is being sent then the account is deleted almost immediately after, there's no way to even spoof the look.

In fact you could do it in a way that couldn't be done any other way (no sender id, no sender name) and forcibly display that in a different fashion so there's no chance of it being spoofed.
Title: Re: Security within reporting a PM
Post by: emanuele on February 16, 2013, 10:43:18 AM
Yep, that would be a solution too.

But I'm also thinking about edge cases: for example if a PM is reported and the admin/s change. Let's say there is only 1 admin and while a PM is reported he decide to go and let someone else handle the forum. The report is lost. No way for the new admin to know that a PM was reported unless the old admin forward the PM (that in theory would be borderline about privacy) or the user report the PM again (that would be annoying for the user because he doesn't see any action at first and then he has to report it again).

Yes, very, very uncommon. Probably never happened. Though...

Also having it included in the moderation log would be a way to actually have a record that something happened at some point (unless the log is pruned, of course).

Dunno.
Title: Re: Security within reporting a PM
Post by: Arantor on February 16, 2013, 01:15:50 PM
Yeah in that case reusing the mod centre reporting code would be better, but I'd rather see it with a proper interface to indicate reported PMs versus reported posts (didn't check your code, you may have done that already)
Title: Re: Security within reporting a PM
Post by: emanuele on February 16, 2013, 02:49:13 PM
Yep, it's another menu entry in the dropdown (everything else is the same, just a toggle on some queries to be sure to count and return only the PM reports), I just didn't change the text because I'm lazy... :P (ad it was something written quickly O:))
Title: Re: Security within reporting a PM
Post by: Arantor on February 16, 2013, 02:50:51 PM
There is one issue in there, though.

One of the original features was to choose the admin you sent it to - obviously this isn't an option now. I've used that in the past if I had what I felt was a legitimate complaint against one admin and wanted to refer it to a different admin.