Everything posted by Randy Calvert
-
Questions about Invision Community Classic
Randy Calvert replied to Myke Pro's topic in General Questions
There is not a set date for release. However the software is not far away from release. It’s being tested for bugs by some members of the community here. So it will be sooner than later!
-
Introducing a fresh new vision for Invision Community 5
Randy Calvert replied to Ehren's topic in Invision Community Insider
The product is real and it's coming. I've been fortunate enough to play with the early alpha version and it's chugging along very nicely. The new editor is sweet and the UI update is slick. There are certain areas still under heavy development. It's not ready for prime time yet, but I've seen many bugs squashed and lots of great polishing being done to the stuff they've already announced.
-
Remove test installation that doesn't exist
Randy Calvert replied to georgebkk's topic in Classic self-hosted technical help
The IPB software is detected on that hostname even though it's not configured. Remove the index.php or disable access to the site long enough for the license reset to be done and THEN make the files available.
-
Yup. The major crawlers tend to come every so often and when they do, they might have several different spidering instances crawling the site at the same time.
-
You submitted basically the same post 2 months ago: Marc's response is still applicable... why are you worried about this? If you are self-hosted and are having issues with resources, your best bet is to block them using a WAF like a Cloudflare or working with your hosting provider to block them. If you're hosted on IPB's cloud platform, there should not be any impact from this in any way.
-
template_error - DivisionByZeroError
Randy Calvert replied to Grafidea's topic in Technical Problems
Take a look at the following: https://community.cloudflare.com/t/how-to-block-a-particular-ip-address-in-cloudflare-thank-you/498515
-
template_error - DivisionByZeroError
Randy Calvert replied to Grafidea's topic in Technical Problems
The software is not the place where you would want to block/ban an IP address. If they reach the software, the request still has to be executed. You would want to block them either at the network layer with a WAF (like Cloudflare) or at the server layer with a server firewall (CSF or .htaccess blocking).
-
IPS has said they want to improve monetization in 5.x. It may not be in 5.0.0 but they’ve mentioned it several times as a major goal of the 5.x line. So this may be something that even happens natively. If not, I would imagine it might become easier to do over time.
-
This could also be an issue with the server’s image handler (ImageMagick or GD). You might try switching whichever is being used to the other.
-
Is this a Windows 10 problem or are my emojis broken?
Randy Calvert replied to Odiss's topic in Technical Problems
Hi @Gary! Good to see you still around! Hope all is well!
-
No, I did not write the software. I do not work for IPS. However, I do work for one of its large enterprise customers and I know for a fact that the code has been subjected to some pretty serious scans before the company would allow it to be deployed outside of its DMZ. This includes automated and manual code reviews and multiple types of pentesting. I also see these boards on a near daily basis and there is no difference in people complaining about spam following the March release than there has been literally over the last 10 years. There has not been any sort of large influx of hundreds of people saying "hey I'm seeing this now". As someone who has been around here when a "big" issue has occurred, there would be 10 pages of people posting about it. You would not be able to miss the flood. It would literally be the dominant issue of the month.

The accusation you have made that attackers can just "take over" accounts is so wildly huge that I don't think you fully understand what exactly you're implying here. If they can just take over random accounts, they could take over ANY account on the site including admins and that could lead to ANY and all data being exfiltrated. It's not some "super annoying small hole" that you're stating.

There are multiple ways of investigating this. I would start with the investigation of each account. When was it created? (New accounts vs old accounts, etc.) How many "relevant" posts have been made by the user? (Spammers can create accounts 3 months ago and post a few "oh me too" or other "AI generated" replies. I have had one spam attack that would have 5 different accounts reply to each other with ChatGPT junk promoting links on 10 year old topics that got picked up in Google.) Has there been a REAL user with a history of posting? If so, how did they get the credential? Was the associated username or email in a database of known compromised credentials? Does the user have malware installed on their device? Has the user been through a password reset to a new password that is not known to be compromised but was also compromised a second time?

Again... I want you to think through this. If I'm a malicious actor and I can just randomly take control of any user account on your site, why am I going to pick a random user account and post spam that can be immediately seen/blocked/stopped? If they could do that, they would instead gain access to a privileged account and do other things such as gaining access to the ACP and embedding links into older posts that are not frequently seen but would be picked up by Google. I would be editing the theme's code to have someone visiting your site trigger ad code in the background where the user never even had to click a link. I would have harvested your complete member list and email addresses to spam all of your users. There are literally HUNDREDS of more valuable things I could be doing if there was something in the software I could exploit to gain control of a user account. They are simply making random spam posts as an attack of opportunity where they can either create an account themselves or have a credential obtained from elsewhere and use it because it's available.

Again, have you taken the advice given on here for reducing spam? For example: Are you using hCaptcha on the highest level? (To help reduce the impact of spam at time of registration.) Are you requiring user accounts to use 2FA? (This is so that if an account is compromised, the attacker would need not just the password but also access to a trusted user device for the one time code.) Do you ask questions on registration that would be difficult for spammers to figure out? (Hint... most bots can solve simple questions like "what is 1 plus one?". They need to be unique for your niche.) Are you forcing all users to reset their password if you think there is someone targeting your user base? Are you using other reputational services like CleanTalk? It can help by blocking registration from IPs and emails that have spammed not just forums but blogs, etc.

There is no silver bullet for stopping spam. The attacks will come and go over time. There is not a single platform out there that does not deal with the problem. But you have many tools at your disposal to help you.
-
Email notification of new registrations
Randy Calvert replied to Dknelson's topic in General Questions
Are you getting other emails from your site? I’m curious if your email provider might not be delivering your mail or marking it as spam.
-
IPS has literally thousands of customers ranging from international brands to small hobby sites. If this was a big hole in the software that happened in the March update, there would be a huge flood of customers suddenly posting about it. Let me turn that back around on you… Why do you think it’s a problem with the software suddenly when there has not been a change in others having a similar issue? And in looking at the change notes, nothing in it would impact what you are reporting. You are blaming the software update because this happened afterwards but that can simply be causality. Just because something happened around that time does not mean it is what caused the situation. Also let’s think about this for a moment… if a spammer could just take over any account on your site, why would they not target important accounts? Why not target admin or moderators? They could mass change content and do significantly more “damage” that way. They would also be able to bypass any sort of restrictions such as post approval or content moderation. They don’t have access to specific or exact members. They’ve either gotten a credential from somewhere else or they registered the account themselves a while back and are working back to using it now.
-
This would require some sort of native app which IPS is not supporting. So don’t expect this sort of functionality anytime soon given they abandoned the idea of developing a native app in favor of PWA.
-
Ummm I hope you realize IPS does this already as part of its software release process. This includes dynamic and static code scanning. IPS also has its software reviewed on a regular basis by 3rd party security companies. In addition the software is used by MANY large corporate customers who do their own independent testing in order to use it in their environment. So sitting here stomping your feet and simply saying it’s some random problem “somewhere” in the software simply shows that you are uninformed. There have been recommendations provided on how to improve blocking spam including using hCaptcha (where you can also increase its difficulty), requiring your users to use 2FA, and others. Spam is a problem EVERYWHERE on the internet and is a cat/mouse game. If someone has an account somewhere else compromised and uses the same credentials on your site, that is NOT a problem in the software. It’s a user problem for being stupid and using a credential in multiple places. That’s why it’s important to use things like 2FA to prevent a malicious actor from getting a password from somewhere else. By the way… did you know most large banks despite having FANTASTIC cyber security have on average over 3000 compromised accounts a month? That’s despite spending hundreds of millions of dollars a month on security tools that small site owners can only dream about. If this is a challenge for them with literally dozens to hundreds of dedicated cyber security experts and budgets in the millions of dollars… how realistic is it for “the rest of us”?
-
Yes, you want to make a completely separate installation. This means uploading a copy of the software files again and also using a different MySQL database so that you don’t risk impacting your live installation. I personally would suggest using a separate hostname like test.mydomain.com as well. That way if you need to delete/reinstall your test instance you won’t have issues with the license key saying it is already in use.
-
So you asked someone who literally knows nothing about the software, its security or configuration and you expect them to know what they’re talking about? That would be like going up to a random police officer and asking them who committed a crime in your country without them knowing anything about the circumstances. Based on my personal experience… I have seen numerous circumstances where accounts have been created by spammers that instead make a few “innocent” posts and several months later come back and start spamming. In researching the account, the “innocent” content was posted from a VPN IP where the spammer would attempt to mask their real IP. They would switch to a different VPN IP for spamming. If this was truly a situation where it was a software level exploit it would not happen with just a few accounts. A majority of the accounts would be used including admin/moderator accounts. It would also be impacting EVERY single board.
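As an added illustration of the per-account checks described in the two replies above (account age versus post history, a VPN IP on the early posts that changes for the spam run, replies on old search-indexed topics, a credential found in a breach corpus, and the "would it reach staff accounts too?" question), here is a small Python triage script. It is my example, not code from the posts or from Invision Community, and the member records, VPN ranges and breach list are constructed placeholders.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample data, not real member records: one row per account that
# made a reported spam post (IP on early posts, IP on the spam post, topic age).
ACCOUNTS = [
    {"user": "alice", "email": "alice@example.org", "created": date(2016, 3, 2),
     "posts": 412, "staff": False, "first_ip": "203.0.113.10",
     "post_ip": "203.0.113.10", "topic_age_days": 2},
    {"user": "seo_bob", "email": "bob@example.net", "created": date(2023, 11, 5),
     "posts": 3, "staff": False, "first_ip": "198.51.100.7",
     "post_ip": "192.0.2.99", "topic_age_days": 3650},
    {"user": "carol", "email": "carol@example.com", "created": date(2019, 6, 1),
     "posts": 88, "staff": False, "first_ip": "203.0.113.44",
     "post_ip": "192.0.2.15", "topic_age_days": 400},
]
# Placeholders: ranges the operator has tagged as VPN/hosting egress, and a
# stand-in for a lookup against a breached-credential corpus.
VPN_RANGES = [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")]
BREACHED_EMAILS = {"carol@example.com"}
TODAY = date(2024, 4, 1)  # fixed "now" so results are reproducible

def is_vpn(ip):
    return any(ip_address(ip) in net for net in VPN_RANGES)

def triage(acct):
    """Reasons the post looks like an attack of opportunity (sleeper account
    or reused credential) rather than a platform-level account takeover."""
    reasons = []
    age_days = (TODAY - acct["created"]).days
    if age_days > 90 and acct["posts"] <= 5:
        reasons.append("sleeper")  # registered long ago, almost no history
    if (is_vpn(acct["first_ip"]) and is_vpn(acct["post_ip"])
            and acct["first_ip"] != acct["post_ip"]):
        reasons.append("vpn_switch")  # masked IP, changed for the spam run
    if acct["topic_age_days"] > 365:
        reasons.append("necro_topic")  # reply on an old, search-indexed topic
    if acct["posts"] > 5 and acct["email"] in BREACHED_EMAILS:
        reasons.append("reused_credential")  # real user, credential leaked
    return reasons

def assess(accounts):
    """Opportunistic spam explains most hit accounts and never reaches staff;
    anything else is escalated for a platform-level look."""
    flagged = {a["user"]: triage(a) for a in accounts}
    staff_hit = any(a["staff"] for a in accounts)
    explained = sum(1 for r in flagged.values() if r) / len(accounts)
    verdict = "opportunistic" if explained >= 0.5 and not staff_hit else "escalate"
    return verdict, flagged
```

Accounts that come back with an empty reason list (alice here) are the ones worth a manual look at login history and device hygiene, as the replies suggest.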
-
You don’t for a VPN. IPS would not control the Cloudflare site they are visiting to adjust the settings. They would have to tell their customers to turn off cloudflare for their site while troubleshooting. For what can you do as the site owner? Turn off all bot related protections. That will help you confirm it is a bot issue. Once confirmed, you could whitelist your server’s IP. If other third party servers are also accessing the IP, you might have to whitelist those IPs as well.
-
Moving Attachments Files Stuck
Randy Calvert replied to rayzir's topic in Classic self-hosted technical help
It will work itself out. I’ve seen this issue and while it may seem stuck it will eventually finish after a day or so.
-
There is no way to "undo" an account delete. You would need to restore from a backup. If this is important, you need to do it sooner rather than later so you don't keep losing data since your last backup. Regarding changing email, I just changed my email on this site and my personal forum and don't have that behavior occurring. Do you use some kind of 3rd party app or login system?
-
Profile: "Last Visited" should state "online now" when user is online
Randy Calvert replied to David N.'s topic in Feedback
One suggestion if this is really bothering you is to change the language string for "Last Visited" to something like "Last Signed In".
-
In that case, if you have a dedicated IPB database and database user, just give it full permission and call it a day. It is no more/less secure and will avoid problems later down the road.
-
My suggestion would be to give it full permission. If IPB is kept in its own database with nothing else in it, there is no risk to it having full permission. It should not be interfering with other applications. Restricting permissions can only lead to problems later when it potentially can't do something it needs and you think the software itself is broken when it's instead just a platform configuration on your side. A few months down the road, you're never going to remember this and it will be a big mess and waste of time figuring out how to fix the issue when it could be avoided in the first place. You're not really increasing the security of anything as long as you keep IPB in its own DB without other applications installed in it.