January 14, 2022 in Technical Problems
A user reported an issue today on our site that revealed a security issue.
If a forum has been set up to be a private area, like for instance an administrators forum, but the checkbox in forum permissions for "Read Topics" is accidentally selected for a group, the "Recent Topics" widget will reveal this to any members of the group who happen to be surfing in Incognito Mode in their browser.
In the case of our site, this happened to be an errant checkbox allowing Guest to read topics even though they'd been excluded from being able to see the forum. So for example, this is a valid setup that will properly prevent the widget from revealing anything:
If instead you accidentally have the checkboxes set this way, Guests can read the topics even if they're not supposed to see the forum at all:
If they happen to have the direct URL to the topic, they can also access that directly through the site without going through the widget. So there's apparently two different related issues at hand here. One that the widget is leaking info, and the other that the topic reading functions are not validating forum level permissions first.
I've checked over the remainder of our site and discovered this same issue was present on another forum intended to be private. The same flag allowing Guest users to read topics was enabled and I am 100% certain I did not set that flag myself.
So it seems as though this checkbox issue has been introduced into the package by a previous update and IMO other forum admins need to check this on their sites too.
By the permissions you have provided the user group, you in fact do want users to be able to read topics but not forums. While I do not believe this is a security issue in the software itself, as the software is doing exactly what you told it to do, I do think that this requires a little review internally as confusion can be had from this if you are expecting something to happen like you did here.
Well here's the issue. That box was NOT something I had checked myself. I've been over the logs and at no point was the forum permissions edited to allow that option. It got enabled by the package at some point during an update. I have no idea how long ago it was, but it also wasn't the only private area that was leaking.
The second issue is that the recent posts widget AND direct URL access to a thread are NOT validating the access controls properly. You currently have things set up to let the "read topics" permission override the "see forum" permission. If you've set things up to block them from seeing the forum, it should never have allowed them to read the topics, and the widget should not have displayed it for all to see when they're not even logged in. That means bots like Google could index things that should never have been exposed.
While I certainly understand the concern here, an upgrade will certainly not modify your permissions. This needs to be done from an administrator (or potentially, a third party add-on). Looking in your logs, I do see permissions changed back in September for guests. While I cannot confirm what was changed, there was a change which could include this.
Sorry that you encountered this but as mentioned, it is something that will be reviewed.
Started February 16
Started July 26, 2022
Started Yesterday at 08:33 AM