DawPi

Why everyone speaking about exploits form 3rd party developers still? When someone did something like this? This is a definite exaggeration and I ask you to stop such claims.

If 15+ people have quoted you that will very quickly become annoying though.
Currently say I've had members quote 3, the bubble says 3 and I can see clearly the 3 quoted posts as it has a different background colour. I click it, and click the first quoted post, the bubble goes BUT, when I click that dropdown again, the backgrounds have all been marked as read despite only reading one post.
The two remaining quoted posts should still show as unread. (but the bubble should not appear, as there are none new since last clicking it.)
Hope that makes sense
Basically keep it as it is, but keep the background colour noticeably unread on the dropdown list for those I've not checked.

Why everyone speaking about exploits form 3rd party developers still? When someone did something like this? This is a definite exaggeration and I ask you to stop such claims.

Why everyone speaking about exploits form 3rd party developers still? When someone did something like this? This is a definite exaggeration and I ask you to stop such claims.

To be clear, as I was one who brought up the security concerns in this topic, I absolutely was not referring to any known instances or developer here, but merely the potential for it to occur and increasingly so when IPS becomes 100% hands off with third party applications.  Apologies if it came across that way.  I've seen enough security exploits in my own career (not anything IPS or IPS third party related) to warrant the concern.  Again not a reflection of any developer here or the quality of their code, I'm simply proactively thinking about the possibility and considerations regarding preventative measures.  If anyone feels such a security concern is  completely unnecessary or overkill, I would appreciate your particular insight as to why.  I certainly don't know the underpinnings of IPS code, so perhaps there is a reason a client doesn't need to have an elevated concern over it.
I'd still like to know what IPS corporate customers do, if it's anything like the corporations I've worked with (unrelated to my IPS projects), there is full fledged InfoSec and AppSec scanning of all application code before any deployment with Production (real user/member) data.  Generally for a hobby site, I'm not very concerned with data loss (with regular backups available to restore as needed), but I am concerned about data breaches involving PII.

FastCGI sent in stderr: "PHP message: PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 10485760 bytes) in [...]/system/Node/Statistics.php on line 118" while reading response header from upstream, client: [], server: [], request: "GET /forum/17-[...]/?sortby=views&sortdirection=desc HTTP/2.0" That's in authorsPostedIn. It looks like there's two places where that gets called - computing the content that the current user has posted in, and computing which postedIn indicator to show.
The query that gets run for this will load about 260k entries (there are a bunch of topics with a very large range of contributors). I'm surprised that's enough to OOM PHP with 128M memory, but it seems to be the case.
For computing content that the current user has posted in, you can do a way more efficient query by filtering by user.
For computing the postedIn indicator, you could just skip it entirely on installs where that feature isn't used, but also I think you could make it much more efficient by joining the members in the query to just end up with the group IDs (though that query is probably a bit non-trivial).

Why everyone speaking about exploits form 3rd party developers still? When someone did something like this? This is a definite exaggeration and I ask you to stop such claims.

Why everyone speaking about exploits form 3rd party developers still? When someone did something like this? This is a definite exaggeration and I ask you to stop such claims.

Why everyone speaking about exploits form 3rd party developers still? When someone did something like this? This is a definite exaggeration and I ask you to stop such claims.

I feel you may want to re-read the above. There are no claims anyone has done such as thing that I have read in this topic. Someone has asked about what security precautions they can use on their site when using items that are developed by someone other than Invision.  I'm sure as a developer yourself, you appreciate the importance of someone thinking about the security of their site?

Why everyone speaking about exploits form 3rd party developers still? When someone did something like this? This is a definite exaggeration and I ask you to stop such claims.

We've got an open bug report for this, it will be addressed in a future release.

Your best option would be to reach out to a 3rd party who provides services for upgrading these kinds of sites. If you take a look here, there are quite a few providing this
https://invisioncommunity.com/third-party/providers-directory/

For the Geolocation settings, is there a way of filtering all countries EXCEPT the specified one (i.e., a whitelist instead of a blacklist)? My forum's users are all based in one country, so it would make sense for me to validate all users outside of this country.
Also, does the work for users who register via SSO (e.g. Google Login)?

Terrible idea. 😉
You can use that app instead:
 

Any of course.

My suggestion is contact @ASTRAPI, he's good and known servers specialist. I'm pretty sure that he would help you with these issues.

Spam has always been an ongoing battle for community owners as spammers find new ways to circumvent existing anti-spam practices.
We have seen an uptick in new ways spammers are breaking through existing defense.
As such, we here at Invision Community continue to look at new ways for community managers to combat against spam. For our September release, we have added several new tools that can prevent spammers from registering in the first place and help combat them even if they register successfully.
Let's take a look at these new tools and settings.
Geolocation based registration filtering
Oftentimes, spam attacks can originate using bots and servers from specific regions. Using our existing Geolocation service, we have now added filters that will allow administrators to hold registrations from specific regions for administrator review, or deny the registration entirely.

Using this, administrators whose communities are under a spam attack from a specific region, can temporarily filter registrations from that region. Multiple regions can be defined at once, and each individual region can either be held for administrator review, or denied completely.
Disposable Email Filtering
We have added an extra option to our spam defense system to filter users registering with throwaway disposable emails, which are often used by spammers to bypass email validation.

During Spam Defense checking, we now also check the domain in use for the registration against a frequently maintained list. If the user passes through the normal spam defense checking, but is found to have a disposable email address, then the administrator can define one of the following actions to be taken.
Allow the registration to proceed Allow the registration, but moderate all posts (which an option to remove moderation after a certain amount) Flag the account for administrator review Register the account but immediately ban it Completely deny the registration For both Geolocation and disposable email filtering, the existing Spam Defense Whitelist is always honored ahead of these filters.
Contact Us Email Verification
A common pain point has been the Contact Us page. While the spam does not go to a user facing location, it does still land in the administrators inbox, or other area defined by the sites Contact Us settings.
To help with this, if a visitor who is not logged in attempts to use the Contact Us page, then in addition to the existing CAPTCHA, the administrator can optionally require the person to verify their email address before the message is ever sent. This applies to all Contact Us behaviors, including any added by third party applications.
Cloud Content Analysis
For our Invision Community Cloud customers, we have also added an additional layer of spam prevention after registration.

After a user registers, or if the account has been dormant, then the first few content submissions will be analyzed using a custom developed algorithm within our platform.
The algorithm takes into factor many different elements of the content, and will rank the post between 1 (not spam) and 5 (definitely spam).
The algorithm can be constantly adjusted and improved based on trends without any intervention from the administrator, and without the need to update to new releases of Invision Community.
The administrator can then decide one of the following actions to take based on the score that was received.
Allow the submission Hold the submission for moderator review Deny the submission completely Of course, specific groups can be made exempt from this and not have their content checked at all, which is useful for sites with subscription based registrations which may not want to have this applied to new subscribers, but do want to have new non-subscribers checked.
Spam can quickly become a headache for most community managers, and these new tools will help further combat it at the source. For our enterprise and Invision Community Cloud customers, being able to check for spam when posting is a new tool which will further filter out more of those annoying topics and posts.
We hope these new features give you additional tools in the fight against spam.
The features and changes presented here are available in the following packages:
Geolocation based registration filtering, Disposable Email Filtering, Contact Us Email Verification: Beginner, Creator, Creator Pro, Team, Business, Enterprise, Invision Community Classic (Self Hosted).
Content Analysis: Beginner, Creator, Creator Pro, Team, Business, Enterprise.

View full blog entry

My suggestion is contact @ASTRAPI, he's good and known servers specialist. I'm pretty sure that he would help you with these issues.

My suggestion is contact @ASTRAPI, he's good and known servers specialist. I'm pretty sure that he would help you with these issues.

Could someone do that please?

My goal is to provide a listing directory to make it easy for developers to list their apps.
A directory will provide visibility, scale, and ease for everyone to visit.  
Developers will handle payments and support on their own.  

Woah. Do not anything via that sql query! What about search index and other important things? 

@LiveG, this sounds frustrating.  I'd suggest hiring one of the people on this thread with "Provider" under their name.  Or find someone from here: https://invisioncommunity.com/third-party/providers-directory/. 

Greeting everyone,
I'm thrilled to announce that I have secured an opportunity to interview none other than Charles from Invision Community. This is a rare and exciting occasion, and I believe that involving you as our community members can make this experience even more enriching! In recent happenings, I can imagine some of you might have some questions you'd like to see included in this interview.
As I always say, a community is the backbone of any platform. So, I thought: Why not let YOU have a say in the interview? I'm offering all of you a chance to send in your questions, and I'll do our best to include as many as I can in our conversation with Charles.
 
How to Submit Your Questions:
Reply to this topic with your question for Charles. You may PM me your question if you wish to send it anonymously.  Please keep your questions respectful, relevant, and constructive. If you see a question from another member that resonates with you, give it a "like". This will help us gauge the most popular and sought-after questions. You can submit multiple questions, but please post each question separately to make it easier to tally and sort.
Deadline:
The last date for submitting your questions is September 1st. I'll compile them shortly afterward and then proceed with our interview.
A Few Guidelines:
Avoid asking questions that have been answered multiple times in previous communications or on the official FAQ. While I appreciate all the input, I may not be able to include every question in the interview due to time constraints. This is a golden chance to get insights, clarifications, or just to know more about the visions and aspirations of Invision Community from one of its key figures. So, let your curiosity run wild and be a part of this unique opportunity! Looking forward to seeing what you all come up with. 😄 I'm very grateful for this opportunity and hope to receive many questions and interest for this interview.
Best regards,
Cedric (Admin Junkies)