Jim M

Invision Community Team
Posts posted by Jim M

  1. 11 minutes ago, Svetozar Angelov said:

    Despite all the measures taken

    Unfortunately, I do not see that you have seen all measures taken.

    13 minutes ago, Svetozar Angelov said:

    I'm sure you have a bug in IPS that occurred after an update from the beginning of March. Our problems continue. 😣

    Unfortunately, without an example, we cannot review that. However, I looked at the user who you just recently banned in your administrator log, and they have indeed been a part of a data breach of non-IPS sites. You can use https://haveibeenpwned.com/ to check their email and see if their password(s) have been exposed from other website breaches.

  2. 10 minutes ago, CheersnGears said:

    Huh? I'm not using any third party here for this.

    1. I upload them as webp to a gallery.
    2. I use the "existing attachment" method to insert the images into my article.
    3. Profit.

    This has "just worked" like this for a while. The only thing that has changed here is where those images are stored on the back end.

    I agree that this only seems to happen with webp images, however, the articles were fine until the S3 move and no third party was involved.

    webp is not a supported extension of the Gallery by default.

  3. Keep in mind that we only support Amazon S3. Using another service's S3 may not work completely as intended as their API may be just slightly different and cause different results/issues.

    If you use any CDN or other server caching services, you will also want to clear these after doing a move of this magnitude.

    The current page is rendering a 500 Internal Server Error so I cannot access it currently.

  4. 3 hours ago, DawPi said:

    To be honest, it's quite easy to reproduce. See this:

    [screenshot attachment]

    Someone or something is attempting to "hack" or something on the board. In the code, you may try to find it at applications\calendar\modules\front\calendar\view.php:

        /* Pagination */
        $offset = isset( \IPS\Request::i()->offset ) ? min( array( \IPS\Request::i()->offset, \count( $events ) ) ) : 0;

    As you can see, there is no check to ensure that the offset value is an integer. Please try changing it to:

        /* Pagination */
        $offset = isset( \IPS\Request::i()->offset ) ? \intval( \IPS\Request::i()->offset ) : 0;
        $offset = $offset ? min( array( $offset, \count( $events ) ) ) : 0;

    Should help.

    Thank you. I have reported what you mentioned here to our developers. However, I am unable to reproduce the exact error which has been originally reported. Therefore, we cannot guarantee this will resolve the OP's issue without access to their instance.
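As an added example (not DawPi's code and not part of the IPS code base), the PHP below applies the intval() sanitisation suggested above to a set of constructed offset values, and goes one step further by clamping the result into the range 0..count, since intval() alone still lets a negative offset through to min(). The function, parameter and sample names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Normalise an untrusted pagination offset the way the patched calendar
 * view does (intval() first, then bound it by the number of events), and
 * additionally clamp negatives to 0 so the result is always a usable index.
 * Hypothetical helper; names are not taken from the IPS code base.
 */
function sanitizeOffset(mixed $rawOffset, int $eventCount): int
{
    // Mirrors the suggested fix: intval() turns "abc" into 0 and "7abc" into 7.
    $offset = $rawOffset === null ? 0 : \intval($rawOffset);

    // Never exceed the number of events, and never go below zero.
    return max(0, min($offset, $eventCount));
}

// Constructed request values a pagination parameter might arrive as.
$samples = [
    '3',       // well-formed offset inside the range
    '42',      // larger than the event count, must be capped
    'abc',     // non-numeric junk, becomes 0
    '7abc',    // numeric prefix, intval() keeps the 7
    '-5',      // negative, must be clamped to 0
    null,      // parameter absent from the request
];
$eventCount = 10;

foreach ($samples as $raw) {
    printf("%-8s -> %d\n", var_export($raw, true), sanitizeOffset($raw, $eventCount));
}
```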

  5. Keep in mind that the biggest hole in any authentication/identity system is the human using it. Odds are that if that user set up several accounts around the internet with the same credentials, their email is more than likely also one of those. Your solution may solve the issue in some cases, but odds are likely not in its favor, as the attacker likely has access to their email as well.

    This is why using a non-email source, like a Two Factor Authentication code generated with a cell phone app, is generally more secure, as an attacker obtaining access to that 2FA source is harder.

    The best case would have been requiring it from the start of any community. That's not always possible, but the good news is that you can require 2FA starting today and any new members or members who log in will have it implemented.

    You can also use the logout all members and change password requirements to ensure that users need to reset their password prior to logging in again. In conjunction with requirements around password difficulty, this will hopefully help change passwords for your users.

    However, if you feel strongly about the code-generating link to an email to log in, you're more than welcome to suggest that in our Feedback forum for further evaluation.

  6. A while back, we created a notifications area for ACP items like this. You will want to check your configuration in ACP -> Notification bell -> Notification Settings. Please note that these settings are independent for each administrator, so everyone will need to configure them how they would like.

  7. 3 minutes ago, Svetozar Angelov said:

    As a result of my post, I received the following messages from fellow IPS users:

    Surely IPS should check our case thoroughly. As I have been a customer of IPS for over 10 years, and I am sure there is a problem.


    21 minutes ago, Marc Stridgen said:

    Of course, if you have more specific information, please do feel free to contact our accounts department on the contact us link below (or pm me, that's not a problem). But a list of usernames and passwords being sent to you won't have come from your IPS database, as they simply aren't stored in a manner that is readable and would allow that, even with full access to a sites database.

    If you have many customer accounts that have been compromised, I would advise you force all users to change passwords on your site, which you can do from the members section of your admin CP.

    Please see what I have quoted from Marc, who posted above you, in response to the individual replying to your topic here. Again, it does not sound like our application was compromised but if you have specific details, please send them in a response to the accounts inbox at the Contact Us form at the bottom of each page.

  8. You will want to disable plugins and switch to an unmodified theme to see if the issue is still present. If it is not, enable each one by one again to see if it comes back. If you run into the error again, you will want to contact the author of the plugin/theme for assistance.

    As the warning indicates, this may be a sign that a plugin or theme is out of date. It does not confirm it is. There are specific functions which are guarded with a CSRF protection key. In those cases, the software is functioning as it should, as your CSRF protection key does not match the key which the process generated.

  9. 1 minute ago, Svetozar Angelov said:

    Ok, so what solution do you propose specifically? How can we protect ourselves from this and fix the problem that depends on us?

    You will want to do the following Spam Prevention items mentioned in this guide: https://invisioncommunity.com/4guides/security-and-rules/spam-prevention-r9/

    Looking at your registration form, you are still using CAPTCHA2. You will want to switch to hCAPTCHA to prevent more automated spam bots.

    Check that your Spam Defense is configured correctly for our services in ACP -> Members -> Spam Prevention.

    Configure the Flag as Spammer option to be used by you and your administrator/moderator teams to quickly remove spam posts and ban spammers.

    You will also want to rotate your Question and Answer challenges frequently and ensure that they are things which your target audience knows but are not easily Googled. This will prevent human spam users from registering.

    If you are seeing spammers from a certain country that your community does not serve, you can also block them in ACP -> Members -> Spam Prevention -> Geolocation Settings.

    Finally, if you believe spammers are gaining access to accounts through means of exposed credentials from the dark web, enabling and requiring Two Factor Authentication will help prevent that.

    Outside of the items mentioned above, the next steps would be to take moderation action. Require your base member group to have 1 or more posts approved by a moderator prior to them showing up to the rest of your community without being moderated. Use the automated moderation tools so that if a post is reported x times as spam, the system will automatically hide it for your team to review.

    If any spammers do get through, be sure to use the Flag as Spammer option as that will report it to our system and help your fellow administrators.

    I will say that no one spam prevention method will be 100%. However, hopefully, with all the above, it should cut things down enough that you do not just wake up to a bunch of spam posts that plague your community. If you deploy the moderation techniques, you will not have your community publicly plagued by spammers.

    Unfortunately, in the event that a spammer has dormant account(s) on your site and they have already surpassed an acceptable amount of posts (I say acceptable as some may be borderline that your moderation team may still allow) to bypass the moderation queue, the only thing that will help are successful moderation practices by humans and staying vigilant about the future with the above.

  10. 2 minutes ago, Svetozar Angelov said:

    This is about an exploit in user accounts.

    I'm afraid this is not a security issue. However, it is a case of spammers trying to sneak under the radar and access accounts they've set up in the past. Keep in mind that a spammer can reset a password to an account if they have access to the email address tied to the account.


  11. 1 hour ago, rayzir said:

    Sorry, that didn't work. Please try again or come back later. 503 Error. Service Unavailable.

    This would indicate that you're hitting a server resource issue. It may be that the file you're attempting to send is too large and you're hitting a timeout, it could be that the server simply can't process it, etc. Only your hosting provider would be able to inform you what that is if there is nothing in your logs related to this request/resource consumption.

    31 minutes ago, rayzir said:

    [Wed Apr 17 20:57:04.423820 2024] [autoindex:error] [pid 855658:tid 22816006412032] [client 193.203.238.224:54209] AH01276: Cannot serve directory /home3/rayzir/public_html/hostedsites/ssv/admin/: No matching DirectoryIndex (index.html.var,index.htm,index.html,index.shtml,index.xhtml,index.wml,index.perl,index.pl,index.plx,index.ppl,index.cgi,index.jsp,index.js,index.jp,index.php4,index.php3,index.php,index.phtml,default.htm,default.html,home.htm,index.php5,Default.html,Default.htm,home.html) found, and server-generated directory index forbidden by Options directive

    This is not related to the process here. This is stating that someone tried to access that directory on your webserver but there is no index file to serve them.

  12. 1 minute ago, Clover13 said:

    Alright, so you mentioned CF so I disabled that and lo and behold it worked again. Re-enabled and after a short while, it broke again. That led me to think it was a corrupt cache but purging the entire cache did not resolve it. The one primary difference is this one site is on a CF Pro account and the others are not. So now it's a matter of what on CF changed with Pro accounts recently that influences this.

    CloudFlare Pro has managed firewall rules and improved bot filtering. You would need to review it. I'm afraid it is outside our scope of support, so you would need to contact CloudFlare if you have any questions.

  13. 1 hour ago, Clover13 said:

    Is there not any log anywhere that would identify what is causing the error or causing the API admin page to go into an infinite loop of Continue despite the .htaccess file (downloaded from that same screen) being present in the /api directory?

    The software is getting an unexpected response from your server, so it is showing the .htaccess information as it is acting like it isn't present. The items mentioned were just suggestions; there may be something else entirely and it will take someone familiar with your hosting setup to fully look into that. Do you use CloudFlare or another firewall product? Is it stopping this from running functionally? Is there a rogue Apache setting only for this site? Tons of things to investigate.

  14. 50 minutes ago, Clover13 said:

    Heh, and the host says their accounts for each site are identical (à la cPanel, etc), so it can only be the software. I wonder if @Thomas Hop figured it out.


    You would want to ensure your configuration for all sites is the same. Just because they are all on the same server does not mean they are configured the same. Maybe there's a php.ini or .htaccess causing something screwy to happen, or the opposite, the php.ini or .htaccess is required to undo something in the core configuration. Your host would need to assist you with this if you are unsure how to check these.

  15. On 4/8/2024 at 1:40 PM, Christian Fry said:

    So is there a way to stay on version 4 once version 5 comes out?

    Apologies, looks like we missed this. We plan to support version 4 for a period of time after version 5 comes out. We will issue security releases and minor bug fixes for version 4 in that period but we will not be issuing new features.

    In theory, on self-hosted, you could stay on version 4 indefinitely. The only thing from our end is that we would likely phase out support of version 4 at some point, so you would not be able to obtain support for the software once past that. Additionally, once security patches end and the software version is past end of life, you start to run the risk of security vulnerabilities in not only the software but the underlying server components as well.

    On 4/8/2024 at 1:40 PM, Christian Fry said:

    Do you know if Zapier can do this Shopify link?

    Commerce is not integrated with Zapier at this time so a customization would be needed.
