Guest access to hidden resources

Started by wireless, June 01, 2015, 02:03:20 AM

wireless

Kindred,

I have just PM'ed to you URL with two screenshots of this issue. Please, let me know, if you need any other information ...

Regards, Wireless

wireless

#21
Another case (quite different, than previous one, described by me). This time I have managed to prepare a scenario:

Assumptions:

1. You are not logged in
2. You are providing the following URL in your web browser:
http://yourmachine/index.php?action=profile;u=X;area=showposts;sa=topics
where X is the identifier of a non-existing user

In that case engine returns a message, which informs you directly, that you want to review a profile of a non-existing user, i.e. you, as a non-logged guest, get information, that this particular id is not in use.
Additionally to that, such guest session is visible in active user list as doing "Nothing, or nothing you can see"

If, instead of an unused ID, you set X to an existing value, the engine redirects you to a login screen, and the "list of active users" informs you that this guest session "reviews the forum index"

Please, note, that this issue is (probably) quite different, than the first one described in this thread

Regards, Wireless

Kindred

the second one is not an issue at all and is performing exactly as intended.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

wireless

But, in this way, someone, who is not a registered forum user, can easily get identifiers of all.

Wouldn't it be better to redirect such requests to logon screen in both cases? This is the reason, why you get generic "Logon denied" on Linux, or "Invalid username/password" on some other systems, regardless of providing invalid username OR invalid password ...
Regards, Wireless
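
The behaviour reported in post #21 and the "redirect in both cases" alternative proposed above, modelled side by side. This is an added example, not part of the thread and not SMF code; the member table, handler names and response labels are assumptions made for illustration.

```python
# Added illustration: a toy model of the two check orders, not SMF source code.
from typing import Callable, Dict, Iterable, List, NamedTuple


class Response(NamedTuple):
    kind: str    # hypothetical response label
    detail: str


# Constructed sample data: IDs 1, 2 and 5 are in use; 3 and 4 are not.
MEMBERS = {1: "admin", 2: "alice", 5: "bob"}
LOGIN = Response("redirect", "login screen")
NO_SUCH_USER = Response("error", "profile of a non-existing user")

Handler = Callable[[int, bool], Response]


def profile_as_described(user_id: int, logged_in: bool) -> Response:
    """Existence is checked before authentication (behaviour in post #21)."""
    if user_id not in MEMBERS:
        return NO_SUCH_USER
    if not logged_in:
        return LOGIN
    return Response("page", f"topics started by {MEMBERS[user_id]}")


def profile_uniform(user_id: int, logged_in: bool) -> Response:
    """Authentication first: a guest never reaches the existence check."""
    if not logged_in:
        return LOGIN
    if user_id not in MEMBERS:
        return NO_SUCH_USER
    return Response("page", f"topics started by {MEMBERS[user_id]}")


def guest_response_classes(handler: Handler, ids: Iterable[int]) -> Dict[Response, List[int]]:
    """Group requested IDs by the response a logged-out client receives."""
    classes: Dict[Response, List[int]] = {}
    for uid in ids:
        classes.setdefault(handler(uid, False), []).append(uid)
    return classes


def leaks_existence(handler: Handler, ids: Iterable[int]) -> bool:
    """True if guest responses differ between IDs, i.e. existence is observable."""
    return len(guest_response_classes(handler, ids)) > 1


if __name__ == "__main__":
    for h in (profile_as_described, profile_uniform):
        print(h.__name__, leaks_existence(h, range(1, 6)))
```

The same grouping check can serve as a regression test for any guest-facing handler: one response class for logged-out requests means the ID's existence is not observable from the reply.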

margarett

Yes, I do agree that a more generic reply could be given.
Anyway, you having the user ID of a user does you no good, no matter how evil your intentions are :P

You need either a username or email address to login. User ID is worth nothing when it comes to hijack an account ;)

Bottom line: a more generic reply could be given yes, but there is no advantage (other than aesthetics) comparing to the current method ;)
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

wireless

Margarett,

I hope that :) But I can imagine a scenario, where a particular ID is used, for instance, as a, say, part of encryption key for a password.
Please, note, that I do not know if this scenario is true (hope, that not :) ), but - mathematically it is possible (probability > 0 :) )
Anyway, I'd say, that it is always better to do not inform anyone from "outer world" about existing user identifiers :)

Regards, Wireless

Kindred

no...   the user number would never be used as part of the encrypted password...


I tend to disagree with your contention that user number has any useful quality to hackers at all...
after all, the user number is displayed as part of the URL when you hover over the user's name (it's part of the URL) -  always has been -- and has never been a vector

Additionally, a hacker could just try all user numbers from 1 to 1,000,000 if they cared.... the fact is - the number is a finite and easily guessable object...   which is why it has never and will never be used as part of any security.

wireless

As I said, I HOPE, that this id has no deeper meaning :)

Anyway, regardless of that, I do not think, that it is a major issue. The most important for us is to solve the first problem reported in this thread.

Regards, Wireless

wireless

Hello,

Any news with issues reported in this thread ?
Regards, Wireless

margarett

Which problem is that? The supposed access of guests to boards they shouldn't?
That's a non-problem because it doesn't happen ;)

wireless

Quote from: margarett on June 10, 2015, 04:17:37 PM
Which problem is that? The supposed access of guests to boards they shouldn't?
That's a non-problem because it doesn't happen ;)

I must say, that SMF is the software with the worst technical support I have ever met.
Every issue reported on this forum is commented as "non existing" or "working as assumed". If it is true, then, please, answer me, why to hell do you provide patches? For what?

I have provided several proofs, that this "guest access issue" is real. 
And the only answer is as above.

In fact, SMF guys are permanently trolling, nothing more.

Margarett - are you really "Support Lead"? What are you supporting?
And the same question to KindRed ...

Complete waste of time.

Regards, Wireless

Kindred

I am sorry you feel that way...  However, the fact is that I have attempted to recreate your issue on several different servers with several different set ups and can not do so.

So...   Either you are misinterpreting something (likely) or you have some mod or other personalized code change which has broken the standard security.

I have already told you that, just because a user or guest is shown to be accessing a URL does not mean that that individual is actually SEEING anything at that URL, aside from the login screen. And, as far as I can see, that is all that is happening.

No guest is actually viewing the content on those inaccessible pages.

wireless

But the fact, that you have not managed to reproduce the issue, doesn't mean, that it doesn't exist.
Regards, Wireless

Dav999

How do you know the issue exists on your forum then? Have you been able to see any hidden resource as a guest? It is known that the who's online list will not check whether anyone can see the things they are listed as seeing, and that the actual page does check and will block access appropriately. So according to you, why would your forum be different and not only list guests in who's online but also actually show the hidden pages on your forum?

Kindred

#34
Quote from: wireless on June 12, 2015, 02:50:55 AM
But the fact, that you have not managed to reproduce the issue, doesn't mean, that it doesn't exist.

While that is technically true...   
the fact that we can not reproduce it after testing on a variety of configurations and servers suggests that - if this is an actual issue and not a misunderstanding on your part on how the system displays certain details - then the issue is related to something very specific to YOUR configuration which is (likely) not an issue in the core code.

So, in the interest of proving that we are not the monsters that you have accused us of being, I will offer --  we have a team member who is a wizard at finding and debugging weird issues -- if you are willing to give this individual from the SMF team admin access to your forum (and likely server access to view configurations and logs), we will try to take a look at it on your system (since that seems to be the only place that anyone has ever seen this happen)

wireless

No. Technically and logically it is NOT true. Technically it only means, what it means: that you do not know how to reproduce the problem. As well as me ... but I, at least, have tried to gather some proofs for that.
Regards, Wireless

margarett

Ouch, that hurt...

I could dissect some more semantics with you, but I'm not interested in it. Because I'm on vacations this week (still I found some time to tell you - again - that this problem doesn't exist) next week I will go one step further. You know, because I don't actually provide any support and I'm only around so that some users can bash me at will.

Next week I'll provide you a mod that will record any REAL access from a guest to any topic in given boards. Then you can check your database and my bets are that you will find that table empty every single time.

wireless

#37
This problem EXISTS. I have provided to Kindred screenshots proving it. Can you provide a scenario, with EXACTLY the same visible results, which doesn't mean, that someone has an access to restricted resources ?

At this moment it seems, that SMF is the only one piece of software without any problems, and, despite to that, its developers still release new patches ... probably they simply like increasing version numbers ....
Regards, Wireless

margarett

Quote from: wireless on June 14, 2015, 03:19:13 PM
This problem EXISTS. I have provided to Kindred screenshots proving it. Can you provide a scenario, with EXACTLY the same visible results, which doesn't mean, that someone has an access to restricted resources ?
I haven't seen it so I can't comment.
The scenario: I see 3 possibilities
1 - the wrong information given by who is online (because, as it was told to you, it shows what the user attempts to do based only on the URL currently accessed and NOT what the user is actually doing) confuses you
2 - misconfigured permissions
3 - a MOD or in any other way some custom coding that effectively breaks SMF's access control.

Quote from: wireless on June 14, 2015, 03:19:13 PM
At this moment it seems, that SMF is the only one piece of software without any problems, and, despite to that, its developers still release new patches ... probably they simply like increasing version numbers ....
Are you always this stubborn or is this discussion amusing you?
Check SMF's changelogs if you are interested. We don't have a *SERIOUS* security problem since RC stages. Everything that has been patched recently (at least from 2.0.6, since I am on the team) are "possible attack vectors" that require a compromised admin account to begin with.
As Kindred stated, there are no KNOWN security problems in SMF 2.0.10 and 1.1.21. Of course, it is possible that any issues exist, but they are not known.
I am trying to understand if you have a genuine security problem or not. Which is why I offered my time to build a package which would allow CLEARLY to know if a guest accessed protected content or not.

wireless

Quote from: margarett on June 14, 2015, 03:43:17 PM
...
I haven't seen it so I can't comment.
The scenario: I see 3 possibilities
1 - the wrong information given by who is online (because, as it was told to you, it shows what the user attempts to do based only on the URL currently accessed and NOT what the user is actually doing) confuses you
2 - misconfigured permissions
3 - a MOD or in any other way some custom coding that effectively breaks SMF's access control.
...

1. no, it is not possible - we have performed some tests related to that, described in this thread
2. it is possible. But I assume, that so called technical support should try to help us to solve this problem, instead of writing, that the issue doesn't exist. I have written few times: "please, let me know, if you need any information, which could help us to solve this problem". And - never got any questions. Instead of this - only posts, that the issue doesn't exist.
3. answer exactly as at #2
Regards, Wireless
