Invision Community 4: SEO, prepare for v5 and dormant account notifications By Matt Monday at 02:04 PM
Arthmoor Posted January 14, 2022 Posted January 14, 2022 (edited) A user reported an issue today on our site that revealed a security issue. If a forum has been set up to be a private area, like for instance an administrators forum, but the checkbox in forum permissions for "Read Topics" is accidentally selected for a group, the "Recent Topics" widget will reveal this to any members of the group who happen to be surfing in Incognito Mode in their browser. In the case of our site, this happened to be an errant checkbox allowing Guest to read topics even though they'd been excluded from being able to see the forum. So for example, this is a valid setup that will properly prevent the widget from revealing anything: If instead you accidentally have the checkboxes set this way, Guests can read the topics even if they're not supposed to see the forum at all: If they happen to have the direct URL to the topic, they can also access that directly through the site without going through the widget. So there's apparently two different related issues at hand here. One that the widget is leaking info, and the other that the topic reading functions are not validating forum level permissions first. Edited January 14, 2022 by Arthmoor
Arthmoor Posted January 14, 2022 Author Posted January 14, 2022 I've checked over the remainder of our site and discovered this same issue was present on another forum intended to be private. The same flag allowing Guest users to read topics was enabled and I am 100% certain I did not set that flag myself. So it seems as though this checkbox issue has been introduced into the package by a previous update and IMO other forum admins need to check this on their sites too.
Solution Jim M Posted January 14, 2022 Solution Posted January 14, 2022 By the permissions you have provided the user group, you in fact do want users to be able to read topics but not forums. While I do not believe this is a security issue in the software itself, as the software is doing exactly what you told it to do, I do think that this requires a little review internally as confusion can be had from this if you are expecting something to happen like you did here. SeNioR- 1
Arthmoor Posted January 15, 2022 Author Posted January 15, 2022 Well here's the issue. That box was NOT something I had checked myself. I've been over the logs and at no point was the forum permissions edited to allow that option. It got enabled by the package at some point during an update. I have no idea how long ago it was, but it also wasn't the only private area that was leaking. The second issue is that the recent posts widget AND direct URL access to a thread are NOT validating the access controls properly. You currently have things set up to let the "read topics" permission override the "see forum" permission. If you've set things up to block them from seeing the forum, it should never have allowed them to read the topics, and the widget should not have displayed it for all to see when they're not even logged in. That means bots like Google could index things that should never have been exposed.
Jim M Posted January 15, 2022 Posted January 15, 2022 While I certainly understand the concern here, an upgrade will certainly not modify your permissions. This needs to be done from an administrator (or potentially, a third party add-on). Looking in your logs, I do see permissions changed back in September for guests. While I cannot confirm what was changed, there was a change which could include this. Sorry that you encountered this but as mentioned, it is something that will be reviewed.
Recommended Posts