Jump to content

Jim M

Invision Community Team
  • Posts

    8,518
  • Joined

  • Last visited

  • Days Won

    41

 Content Type 

Downloads

Release Notes

IPS4 Guides

IPS4 Developer Documentation

Invision Community Blog

Development Blog

Deprecation Tracker

Providers Directory

Forums

Events

Store

Gallery

Everything posted by Jim M

  1. While I get what you're saying here, it is not intended to how we built the system. It is intended to only count answers, rather than voters. However, it still does provide you the voters next to the answers if you want to do your own calculations. If you would like to see this changed, you're more than welcome to submitting a topic in our Feedback forum for further information.
  2. We no longer cache full pages/responses. This was removed some time ago in effort to move customers more towards better solutions that wouldn't utilize so much server resources, e.g. CDN caching. We pass a cache header but it won't cache unless you have a CDN (or similar) servicing your community. Example of a HEAD request to our all activity stream. As you can see, there are caching headers which will tell our CDN to now cache this page for 900 seconds (15 min).
  3. I've moved this to a ticket so we can look further into this to see what we can do for you here. Please watch your email for further correspondence.
  4. This is added on purpose for the search pages. You can likely change this using the metatag editor though.
  5. You can just comment the lines out or copy/paste them somewhere else. The lines being: \define( 'REDIS_ENABLED', true ); \define( 'STORE_METHOD', 'Redis' ); \define( 'STORE_CONFIG', '[]' ); \define( 'CACHE_METHOD', 'Redis' ); \define( 'REDIS_CONFIG', '{"server":"127.0.0.1","port":6379,"password":""}' ); \define( 'SUITE_UNIQUE_KEY', '########' );
  6. Would recommend disabling Redis for testing purposes as it looks like you have template cache enabled. Would then ensure that all your folders are correctly writable to ensure everything is able to write/delete/regenerate.
  7. As you’re missing files, that would be the first thing you need to resolve. Is the queue task running and taking a while to complete or are you getting an error?
  8. When attempting to run that task, I am still getting a 503 service unavailable error. You will need to contact your hosting provider to find out what is stopping that service prematurely. It may be a resource issue, configuration issue, etc...
  9. Do you have an example of the request? This could be the form of an attack, if there are many requests at the same time, which would need to be mitigated at the server or network level for optimal results as the software would just cause more consumption of resources.
  10. At a basic level, we are not seeing any direct logs, errors, brute force attempts, etc... The user in question logged straight in which can only be done with having the credentials. The email on the most recent user which you banned also has had passwords exposed from different other, non-IPS websites. Which is why we're asking for further examples of why you believe it to be an issue with the software. It isn't pointing that way but of course, if you have further information, we're happy to explore it. Also, what Randy is stating here, they would not just attack normal members hold no importance significance to the community who can be deleted/banned/etc.... They would want to do more damage, gain more exposure, etc...
  11. As mentioned, please provide an example and we'd be happy to investigate further your particular case. However, what we have seen on your website is not a breach on your community or in our software but we're happy, of course, to confirm that with a specific example user.
  12. Please be advised I have split this off for you to the Feedback forum.
  13. As Randy, us, and others mentioned several times through these conversations, spam is a walk of life on the internet and odds are you will never be able to 100% combat it. It also comes in cycles. Points that are high, turn to lows as people adapt spam measures and combat spam accounts or our spam defense grows aware of individuals, etc... However, our methods posted here will make it significantly less annoying and to a degree remove it from being a daily hassle. As Randy mentioned, we take significant measures with each release to ensure that we release the best software possible to our customers. We have mentioned several times in this topic that we're happy to look at what you're seeing but we have not gotten a specific example. We have, however, looked at a recent example of a banned member and they have compromised email/password combinations from other websites around the web (non-IPS) so that would explain how a malicious-intended spammer could gain access directly, with no brute force. If this is not an active member, banning them, as you've done, is the right measure. If it is an active member, you may wish to change their password and contact them. However, it could be that the spammer/attacker has access to their email inbox so be mindful of that. If you would like us to take another look at another example or have a further complex example than just a username, please feel free to us the Contact Us form at the bottom of each page and we'll be happy to take a look.
  14. While I understand what you're stating here, I would advise putting in a suggestion in the Feedback forum. As this is the support forum, there is very little from a standpoint of support we can do to assist as currently, it is not supported.
  15. Unfortunately, I do not see that you have seen all measures taken. Unfortunately, without an example, we cannot review that. However, I looked at the user who you just recently banned in your administrator log, and they have indeed been a part of a data breach of non-IPS sites. You can use https://haveibeenpwned.com/ to check their email and see if their password(s) have been exposed from other website breaches.
  16. webp is not a supported extension of the Gallery by default.
  17. These images are .webp extensions. Our software, by default, does not support these as embedded images in content. They appear as downloaded files. If you're using a third-party service/application to convert these, you would need to work with them to assist you here.
  18. Keep in mind that we only support Amazon S3. Using another service's S3 may not work completely as intended as their API may be just slightly different and cause different results/issues. If you use any CDN or other server caching services, you will also want to clear these after doing a move of this magnitude. The current page is rendering a 500 Internal Server Error so I cannot access it currently.
  19. You can make a test installation of your community for you and your staff to test by appending -TESTINSTALL to the end of your license key. You can read more about it here:
  20. Thank you. I have reported what you mentioned here to our developers. However, I am unable to reproduce the exact error which has been originally reported. Therefore, we cannot guarantee this will resolve the OPs issue without access to their instance.
  21. ACP > Members > Force password reset
  22. Keep in mind that the biggest hole in any authentication/identity system is the human using it. Odds are that if that user setup several accounts around the internet with the same credentials, their email is more than likely also to be one of those. Your solution may solve the issue in some cases but odds are likely not in its favor. As the attacker, likely has access to their email as well. Which is why using a non-email source, like a Two Factor Authentication code generation with a cell phone app, is generally more secure. As an attacker obtaining access to that 2FA source is harder. The best case, would have been requiring it from the start of any community. That’s not always possible but the good news, you can require 2FA starting today and any new members or members who login will have it implemented. You can also use the logout all members and change password requirements to ensure that users need to reset their password prior to logging in again. In conjunction with requirements around password difficulty, this will help hopefully change passwords for your users. However, if you feel strongly about the code generating link to an email to login, you’re more than welcome to suggest that in our Feedback forum for further evaluation.
  23. A while back, we created a notifications area in for ACP items like this. You will want to check your configuration in ACP -> Notification bell -> Notification Settings. Please note that these settings are independent for each administrator so everyone will need to configure them how they would like.
  24. Please see what I have quoted from Marc, who posted above you, in response to the individual replying to your topic here. Again, it does not sound like our application was compromised but if you have specific details, please send them in a response to the accounts inbox at the Contact Us form at the bottom of each page.
  25. You will want to disable plugins and switch to an unmodified theme to see if the issue is still present. If it is not, enable each one by one again to see if it comes back. If you run into the error again, you will want to contact the author of the plugin/theme for assistance. As the warning indicates, this may be a sign of a plugin or theme is out of date. It does not confirm it is. There are specific functions which are guarded with a CSRF protection key. In those cases, the software is functioning as it should as your CSRF protection key does not match the key which the process generated.
×
×
  • Create New...