Hi,

I had a spam attack on my site and I believe there is somewhere a glitch in Pages.

• I use the latest version of IPS
• I had turned on "Post before register" 
• There are suddenly 8 pages on spam comments in nearby all records in all databases
• All comments are posted by Guest
• Guests are not allowed to comment in any of the databases
• I am subscribed to the records, but I have not got any notifications
• Comments are synchronized to the forum, but those spam comments have not been written into the forum, they only appear as comment in record.

Why I believe it is a security hole in Pages?

I have investigated some IPs and can see same weird thing:

Three databases are impacted.

• Guides is set to be viewed and commented by members. 
• Lessons - no comments are allowed except of admin. The database itself is not visible for guests.
• Drafts - the database and page is visible for admins only. This database and page have never been public or viewable for any other group as admin. The spammer should not even know that the database and page exist.
• The two additional databases that were not affected have both Allow comments option in database settings disabled.

The comments are backdated! I have a record with comments from my users and me. Today, I suddenly see the spam comments between the legal comments. Even before my own comment. It is impossible that I have not seen the spam comment right above my own comment at the time I have written mine.

This site in question: invisionify.com The credentials are valid.

I have deleted all spam comments, you can find them in deleted comments in ModCP. And I have turned off Post before register. The other settings and permissions are untouched.

Would you like to investigate it? 

I would post in support forum, but I believe it is really a security hole somewhere. If you think it belongs into a support forum, please move there, but delete the domain in question. Thank you!

 

Edited February 16, 20223 yr by Sonya*

It is a bug.

 

Another issue is the screen above, where comments to non-public databases are shown in IP tool. I cannot see any comments posted to these databases. But I can see for each IP the same number of comments for each database allowing comments. It means, when he has managed to post 10 spam comments in one database, IP tool will show you 10 per database. If he had made 6 comments in one database, IP tool will show you 6 per database.

Yes, it is another reproducible bug in IP Addresses Tool 

No security holes. Just a combination of two bugs. Sorry for the panic!