*José Antonio Posted October 30, 2011

I posted this once on the tracker: http://community.inv...itle-of-topics/

I tested here and saw that it has not been fixed. So the question is: do you intend to fix it? I cannot enable this because a member is discovering titles of topics restricted to my team of moderators.

An alternative would be to have a setting to exclude certain forums from the use of FURL, team forums, for example. Of course this is just a suggestion.

I have not used FURL for some time, but would like to have them back if this were solved.

Sorry for my bad English. Tks!

Rhett Posted October 30, 2011

The best place for the info is on that tracker... it was mentioned by Brandon that it's working as intended.

*José Antonio Posted October 30, 2011

> The best place for the info is on that tracker... it was mentioned by Brandon that it's working as intended.

Precisely why I posted here. I think that it might work better without this "error" that I mentioned in the tracker, because it is unpleasant that other members discover topic titles in protected forums. I do not use FURL now, but I intend to re-use them.

*José Antonio Posted December 1, 2011

No workaround? Something like the "findpost" redirecting to the URL of the topic as "showtopic" rather than its "Friendly URL". That way the topic title would not be discovered by people who cannot see it, right?

Sorry for my bad English. Tks!

Lucas Fernando Posted December 3, 2011

The headings of restricted topics do not have to be discovered by members, because otherwise they are no longer restricted, right? As suggested, there must be an option to select the forums that would use "Friendly URL".

Sorry for my bad English. [2]

*José Antonio Posted March 10, 2012

Hello, I'm sorry for reviving the topic, but now that IPS is asking for suggestions for improvements in IPB 3.3, implementing this would be good, no?

Brett L Posted March 10, 2012

You are misunderstanding what is being said. This is not an issue, this is how they want it. Friendly URLs like this are much better for Google, which is what most clients want.

Intasar Posted March 10, 2012

It's amazing to read the tracker issue from him; his answer is in his question. José Antonio, can you tell me how a team section topic ID or post ID is "revealed" to unauthorized users, when they can't even access the team area? Are you trying to say some unauthorized user guesses the "Team section" topic IDs or posts? :twitch:

*José Antonio Posted March 10, 2012

> It's amazing to read the tracker issue from him; his answer is in his question. José Antonio, can you tell me how a team section topic ID or post ID is "revealed" to unauthorized users, when they can't even access the team area? Are you trying to say some unauthorized user guesses the "Team section" topic IDs or posts? :twitch:

Hi, I'll try to explain in a simpler way.

For example, imagine you have a sub-forum that only moderators can see, and this forum has a topic with the following title: "Invision Power Brasil". Imagine that you post in this topic and your post ID is 2050.

If any user accesses the following URL: "http://yoursite.com/index.php?app=forums&module=forums&section=findpost&pid=2050"

He is redirected by IPB to the following URL: "http://yoursite.com/index.php/topic/411-invision-power-brasil/page__p__2050#entry2050"

After the redirect, and with the topic title revealed, IPB shows the message of lack of permission to view the topic. This happens with guests and users of any group.

Excuse my bad English.

Cyrem Posted March 10, 2012

> Hi, I'll try to explain in a simpler way.
>
> For example, imagine you have a sub-forum that only moderators can see, and this forum has a topic with the following title: "Invision Power Brasil". Imagine that you post in this topic and your post ID is 2050.
>
> He is redirected by IPB to the following URL: "http://yoursite.com/index.php/topic/411-invision-power-brasil/page__p__2050#entry2050"
>
> After the redirect, and with the topic title revealed, IPB shows the message of lack of permission to view the topic. This happens with guests and users of any group.
>
> Excuse my bad English.

I don't see the problem.... That's how it works.

Marcher Technologies Posted March 10, 2012

....I'm confused enough about what you expect as the behaviour to post now... The topic title being in the FURL is a security risk? :logik: It's not as if IPB itself is allowing the user to see the content in any way, shape or form... It really is not a bug IMO, and would require a complete rewrite of how the core handles FURLs (it is an on-off switch, not a precise choice by content)... not something I would foresee being put in 3.3 regardless this far into it.

PKIDelirium Posted March 10, 2012

If you're concerned about it, just don't use topic titles in your staff forums that contain anything you don't want known by members. Hell, most of my staff forum topics are titled mundane stuff like "lol", "fail", "upcoming updates", etc.

Marcher Technologies Posted March 10, 2012

> If you're concerned about it, just don't use topic titles in your staff forums that contain anything you don't want known by members. Hell, most of my staff forum topics are titled mundane stuff like "lol", "fail", "upcoming updates", etc.

:laugh: All I kept thinking was why do you put such revealing information in a topic title anyway? The same effect would occur if you let users see a topic listing, but not the actual topics.

*José Antonio Posted March 10, 2012

> I don't see the problem.... That's how it works.

Yes, yes, but it would work better if the permissions of the topic were checked before and not after the redirect, so the title would not be exposed to anyone.

> ....I'm confused enough about what you expect as the behaviour to post now... The topic title being in the FURL is a security risk? :logik: It's not as if IPB itself is allowing the user to see the content in any way, shape or form... It really is not a bug IMO, and would require a complete rewrite of how the core handles FURLs (it is an on-off switch, not a precise choice by content)... not something I would foresee being put in 3.3 regardless this far into it.

This isn't a security risk. But it's not nice to know that other members are getting to see topic titles restricted to moderators.

> If you're concerned about it, just don't use topic titles in your staff forums that contain anything you don't want known by members. Hell, most of my staff forum topics are titled mundane stuff like "lol", "fail", "upcoming updates", etc.

hehe It is still a good idea, but it gets very disorganized rs :laugh:

Heyhoe Posted March 11, 2012

I can see what you are getting at, but like people have suggested, just name your titles carefully.

Intasar Posted March 11, 2012

> Hi, I'll try to explain in a simpler way.
>
> For example, imagine you have a sub-forum that only moderators can see, and this forum has a topic with the following title: "Invision Power Brasil". Imagine that you post in this topic and your post ID is 2050.
>
> He is redirected by IPB to the following URL: "http://yoursite.com/index.php/topic/411-invision-power-brasil/page__p__2050#entry2050"
>
> After the redirect, and with the topic title revealed, IPB shows the message of lack of permission to view the topic. This happens with guests and users of any group.
>
> Excuse my bad English.

I understand what your "POINT" is, but just explain this to me: how could it be possible that someone guesses the "correct" IDs of posts and topics from your "Moderating area"?

Suppose I'm a guest, and I register on your forum. Your forum has a "Moderating forum", and when I click and try to access the forum I get a "Permission Denied" message on screen. That's it. But how can it be possible that I start guessing your forum topic IDs and posts, when I don't even have an idea how many posts and topics have been made in your forums, and where would I start searching for your "Moderating posts"?

You said:

> And this forum has a topic with the following title: "Invision Power Brasil". Imagine that you post in this topic and your post ID is 2050

OK, I imagine that my topic is titled "Invision Power Brasil" and my post ID is 2050. I imagine this because I'm a moderator, right? And I posted this topic in the secure area, so it's not possible that this post ID is leaked in any way. So how could it be possible that someone went directly to this URL: "http://yoursite.com/index.php/topic/411-invision-power-brasil/page__p__2050#entry2050"?????

Only team and staff people know the IDs, so it's not possible in any way that an unauthorized user starts guessing the correct IDs.

*José Antonio Posted March 11, 2012

> I understand what your "POINT" is, but just explain this to me: how could it be possible that someone guesses the "correct" IDs of posts and topics from your "Moderating area"?
>
> Suppose I'm a guest, and I register on your forum. Your forum has a "Moderating forum", and when I click and try to access the forum I get a "Permission Denied" message on screen. That's it. But how can it be possible that I start guessing your forum topic IDs and posts, when I don't even have an idea how many posts and topics have been made in your forums, and where would I start searching for your "Moderating posts"?
>
> OK, I imagine that my topic is titled "Invision Power Brasil" and my post ID is 2050. I imagine this because I'm a moderator, right? And I posted this topic in the secure area, so it's not possible that this post ID is leaked in any way. So how could it be possible that someone went directly to this URL: "http://yoursite.com/index.php/topic/411-invision-power-brasil/page__p__2050#entry2050"?????
>
> Only team and staff people know the IDs, so it's not possible in any way that an unauthorized user starts guessing the correct IDs.

But just look at the most recent post of the forum, since the IDs of posts are always in ascending order. For example, the last post of the forum has the ID 2000. The user will put in the "findpost" URL the numbers 1999, 1998, 1997, 1996 and so on until they find something. I say this because I've seen some members of my forum doing it.

It is not exactly a problem with the FURLs but with "findpost", since this function redirects before checking permissions.

Sorry for my bad English.

Fast Lane! Posted March 13, 2012

It could be an issue, in my mind. If in my moderator forum we have a topic labeled, "XYZ users complaint about ABC user stalking them"... the expectation is this topic is private, but if the topic title can be seen by members without permissions this would be a bad thing.

The workaround in my mind is to either notify people that this is possible and to not post sensitive info in topic titles (IPB would need to announce this or put it in the product docs) or, when redirecting, do a permission check on the forum_id that the topic is in before doing the rewrite.

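Editorial example added to this archive (not part of any post above and not IPB's code): a minimal Python model of the "findpost" handler, showing the redirect-before-check behaviour described in the thread next to a variant that checks the forum permission before the friendly URL is built. The table layout, group names and function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample data (hypothetical schema, not IPB's): forum 2 is moderators-only.
FORUM_VIEW_GROUPS = {1: {"guest", "member", "moderator"}, 2: {"moderator"}}
TOPICS = {410: (1, "Welcome"), 411: (2, "Invision Power Brasil")}  # topic_id -> (forum_id, title)
POSTS = {2049: 410, 2050: 411}                                      # post_id -> topic_id

@dataclass
class Response:
    status: int
    location: str = ""

def slug(title):
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")

def friendly_url(topic_id, title, pid):
    return f"/index.php/topic/{topic_id}-{slug(title)}/page__p__{pid}#entry{pid}"

def findpost_redirect_first(pid, group):
    """Behaviour described in the thread: redirect first, check permission later.

    `group` is ignored here; the permission check only runs on the topic page,
    after the Location header has already exposed the title slug.
    """
    topic_id = POSTS.get(pid)
    if topic_id is None:
        return Response(404)
    _forum_id, title = TOPICS[topic_id]
    return Response(302, friendly_url(topic_id, title, pid))

def findpost_check_first(pid, group):
    """Check the forum permission before any URL containing the title is built."""
    topic_id = POSTS.get(pid)
    if topic_id is None:
        return Response(403)  # design choice: same answer as "no permission"
    forum_id, title = TOPICS[topic_id]
    if group not in FORUM_VIEW_GROUPS[forum_id]:
        return Response(403)
    return Response(302, friendly_url(topic_id, title, pid))
```

Returning the same status for a missing post and a forbidden one goes one step beyond what the thread asks for: it also stops the handler from confirming which post IDs exist.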
Fast Lane! Posted March 13, 2012

You can also do it with topics too, which seems much faster because searching by posts results in listing many topics over and over (multiple posts per topic): http://community.invisionpower.com/index.php?showtopic=358481

That said, I searched until I hit a "do not have permission" with the above and it did not give me the new FURL with the topic title. Maybe it has been fixed?

*José Antonio Posted March 13, 2012

> http://community.inv...howtopic=358481
>
> That said, I searched until I hit a "do not have permission" with the above and it did not give me the new FURL with the topic title. Maybe it has been fixed?

Not yet. The URL with the title appears only with the post ID, not with the topic ID. For example, access this URL without being logged in: http://community.inv...ost&pid=2240126

You will be redirected to: http://community.inv...26#entry2240126

Fast Lane! Posted March 14, 2012

So if I were an evil person then I would write a script to basically repeatedly query that URL and increment the post number, collecting topic titles. I would log all that came back with the "restricted" message in the HTML body but save the title tag. I could use that data to collect what otherwise was likely considered private information. Seems like an issue.

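Editorial example added to this archive (not part of any post above): a detection sketch for the ID walking described in this thread, flagging clients whose "findpost" requests step through near-consecutive post IDs. The log lines are constructed, and the common-log-style layout, the function names and the thresholds are assumptions.

```python
import re
from collections import defaultdict

def _line(ip, pid):
    # Constructed access-log line in a common-log-style layout (assumed format).
    return (f'{ip} - - [14/Mar/2012:10:00:00 +0000] "GET /index.php?app=forums'
            f'&module=forums&section=findpost&pid={pid} HTTP/1.1" 302 512')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", pid) for pid in range(2000, 1994, -1)]   # walks IDs downward
    + [_line("198.51.100.4", pid) for pid in (2050, 1200, 1731)]   # ordinary link clicks
)

FINDPOST = re.compile(r'^(\S+) .*?"GET \S*section=findpost&pid=(\d+)\S* HTTP/')

def findpost_sweeps(log_text, min_pids=5, max_gap=2):
    """Return {client_ip: [pids]} for clients probing a run of adjacent post IDs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = FINDPOST.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for ip, pids in seen.items():
        ordered = sorted(pids)
        run, best = [ordered[0]], [ordered[0]]
        for pid in ordered[1:]:
            # Extend the current run while IDs stay within max_gap of each other.
            run = run + [pid] if pid - run[-1] <= max_gap else [pid]
            if len(run) > len(best):
                best = run
        if len(best) >= min_pids:
            flagged[ip] = best
    return flagged
```

Sorting before the run check means the direction of the walk (ascending or descending) does not matter; `min_pids` and `max_gap` need tuning against a site's normal traffic.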
Management Matt Posted March 14, 2012

Guys, it's already been fixed. If you have access to the client forum, grab the topic ID and try and access it via the old index.php?showtopic=x method while logged out.

*José Antonio Posted March 14, 2012

> Guys, it's already been fixed. If you have access to the client forum, grab the topic ID and try and access it via the old index.php?showtopic=x method while logged out.

Hello Matt, I tested here and it seems that it has not been fixed yet. Access this URL without being logged in: "community.invisionpower.com/index.php?app=forums&module=forums&section=findpost&pid=2240126"

CalendarOfUpdates Posted March 14, 2012

> Hello Matt, I tested here and it seems that it has not been fixed yet. Access this URL without being logged in: "community.invisionpower.com/index.php?app=forums&module=forums&section=findpost&pid=2240126"

I can confirm that I can get the topic title from that link in IE 9 and FF 10.0.2.

Management Matt Posted March 15, 2012

Thanks. It's fixed now. :)

Archived
This topic is now archived and is closed to further replies.