2 Serious Bugs in RSS

Started by DavidCT, July 24, 2007, 03:51:40 PM

DavidCT

RSS Feed, SMF v1.1.3 (latest)

1) RSS feed shows EMAIL of author of post even if set to not make it public in user settings
2) *serious security flaw* Feed shows admin-only areas in feed

I hope you guys think this is as important to fix as I do :)

Thanks for the software.

SlammedDime

What URL are you using to access the feed?  I can't reproduce #2 on my live or test site.
SlammedDime
Former Lead Customizer
BitBucket Projects
GeekStorage.com Hosting
My Mods
SimpleSEF
Ajax Quick Reply
Sitemap
more...

karlbenson

welcome to smf! Enjoy your stay.

I'm sure some of the staff here will take a good look at the 2 bugs you reported here.

Edit: well, a member of the team responded before I could ;)

DavidCT

Visit my url/forums and view my feed.  I think my settings are correct as guests can't view the admin board and emails are off.  The admin area is "Deleted Posts" where I put spam and such, I don't know why :)

SlammedDime


DavidCT

I feel like an idiot - it only does this if logged in as ADMIN.  Ignore/delete the whole thread :(  Sorry to waste your time, I just panicked when I saw my email going public to the spambots LOL

karlbenson

I've checked your forum.

Any chance you are logged in as admin when you're seeing these posts?
For me as a guest, I can't see any areas I shouldn't.

*Edit: Guess so
Well glad we managed to figure it out.

DavidCT

Yeah, I never would have thought it mattered (actually, it shouldn't - so technically it is a bug just not a serious one)

karlbenson

If you're an admin and were viewing RSS feeds in your browser (including if you have an automated extension on your browser),
I'd expect then you would want the ones in the 'private' forums.
So being logged in is necessary ;)

Hence not a bug ;) ;) ;)

DavidCT

Yes, I suppose so.  Okay, I already admitted to being an idiot so don't rub it in LOL

Can we delete this whole thread?  :P

karlbenson

No, we'll keep it for your future grandchildren to see ;) ;) ;)

LOL

(Don't worry, this topic will probably get moved to the Fixed or Bogus bugs forum)

DavidCT

I hope so, it is a bogus bug by a bonehead bum.

Okay which one of you using Cox cable loves my robots.txt file?  You hit it like 2 dozen times :)

karlbenson

Cox Cable, not I (I'm BritishTelecom)

Please don't feel I'm shooting you down.

It's always better to report anything you believe is a bug in the software.
With some other well known forum software, the mere suggestion of a bug generates an aggressive rebuttal (hence why their software gets hacked all day, every day).

We will see whether I end up with egg on my face for the bug report I just posted ;) ;) ;)

greyknight17

Looks like it's not a bug after all then ;)

Both issues resolved then?

karlbenson

;) both resolved

A mod moved this from bug reports to general support. I think they were aiming to move it to bogus bugs?

SlammedDime

I moved it to the appropriate board now. :)

DavidCT

I disagree - it should be moved to the recycle bin :)

karlbenson

At least if it's in the bogus bugs area and someone searches for the same thing thinking it was a bug, hopefully they will find their way to this topic ;)

KB

DavidCT :
I can tell you feel embarrassed, but please take some relief in knowing that there are others out here that can learn from your situation.  I feel like an idiot too, because I was wondering the exact same thing!!!!  My site has some sensitive content areas as well, and I am new to this RSS deal, so when I saw that some of the private content was in a test feed URL...I was more than a little worried about exploitation myself.

Sorry to bring this back up, but I really thought you should know that the rest of us idiots appreciate your "martyrdom" ;)
..lol..but seriously...thanks and don't feel bad!!!

I do have one nagging question, which I'm hoping will be ok to post in this thread, because I still need edumacat'n and can't seem to find the answer or a more appropriate thread via search.
So, what if I were to submit an RSS URL to an aggregator(?) service like FeedDemon?   If the URL was "generic" or not board specific, would a non-member subscriber still not see the "private board" info???

Thanks!!! :)

DavidCT

The URL to the RSS feed in SMF is defined by SMF, you don't define it by board.  Either way the feed is generated "on-the-fly" when someone hits it and only information available to that user group (i.e. guest, admin, regular joe) is shown.

I see my feed on My.Yahoo and it doesn't show the admin stuff.  Log out as admin, view as guest, and you'll see what other people see.  I panicked when I wrote this originally but it appears to work properly :)

Except for minor flaws here and there, SMF is wonderful software - FAR superior to PHPBB.
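The behaviour the thread arrives at (feed built per request, filtered by what the requesting group may read, author email shown only when the author made it public or the viewer is an admin) modelled as a small Python example. This is an added illustration, not SMF's code; the board names, groups and posts are constructed sample data, and the final comparison of the guest feed against the admin feed is the check the thread recommends.

```python
from dataclasses import dataclass
from xml.sax.saxutils import escape

# Constructed sample data: which groups may read each board, plus a few posts.
# Hypothetical model of the behaviour described in the thread, not SMF's own logic.
BOARD_ACCESS = {
    "general": {"guest", "member", "admin"},
    "deleted-posts": {"admin"},  # the admin-only board from the thread
}

@dataclass
class Post:
    board: str
    subject: str
    author: str
    email: str
    email_public: bool  # the author's "show email" profile setting

POSTS = [
    Post("general", "Welcome", "alice", "alice@example.invalid", True),
    Post("general", "Hello", "bob", "bob@example.invalid", False),
    Post("deleted-posts", "Spam removed", "admin", "admin@example.invalid", False),
]

def visible_posts(viewer_group, posts=POSTS, access=BOARD_ACCESS):
    """Only posts on boards the viewer's group may read are included in the feed."""
    return [p for p in posts if viewer_group in access.get(p.board, set())]

def author_field(post, viewer_group):
    """Email appears only if the author made it public or the viewer is an admin."""
    if post.email_public or viewer_group == "admin":
        return f"{post.email} ({post.author})"
    return post.author

def build_feed(viewer_group):
    """Generate the feed on the fly for the requesting group, as the thread describes."""
    items = []
    for p in visible_posts(viewer_group):
        items.append(
            "<item><title>%s</title><author>%s</author><category>%s</category></item>"
            % (escape(p.subject), escape(author_field(p, viewer_group)), escape(p.board))
        )
    return "<rss><channel>" + "".join(items) + "</channel></rss>"

if __name__ == "__main__":
    # The check from the thread: view the feed as a guest, not as admin, to see
    # what outsiders and aggregators actually receive.
    print(build_feed("guest"))
    print(build_feed("admin"))
```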