Web Wiz Support and Community Forums : About RSS Topic & Post Feeds

Web Wiz Support and Community Forums : About RSS Topic & Post Feeds https://forums.webwiz.net/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Sat, 11 Apr 2026 13:23:26 +0000 Mon, 19 Jun 2006 10:17:51 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.08 360 https://forums.webwiz.net/RSS_post_feed.asp?TID=19986 <![CDATA[Web Wiz Support and Community Forums]]> https://forums.webwiz.net/forum_images/web_wiz_forums.png https://forums.webwiz.net/ <![CDATA[About RSS Topic & Post Feeds : I don't know your code, but...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109255.html#109255 Author: WebWiz-Bruce
Subject: 19986
Posted: 19 June 2006 at 10:17am

I don't know your code, but to me just adding a 4 characters to a querystring will not take very long at all for a hacker to find an exploit in this and publish the results so that anyone can view posts they shouldn't do in forums.

If all you are doing is having 1 link for Guests and having a different link for Registered users then you have no security at all, all it needs is for someone to give out the link they shouldn't and anyone has access to posts they shouldn't.
]]> Mon, 19 Jun 2006 10:17:51 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109255.html#109255 <![CDATA[About RSS Topic & Post Feeds : Hi Borg, I try an implement for...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109229.html#109229 Author: superlative
Subject: 19986
Posted: 17 June 2006 at 9:24pm

Hi Borg,

I try an implement for RSS security, this is very simple and easy. Please check my implement for securty holes :

This link for guests :

http://www.knowhow.gen.tr/forum/RSS_topic_feed.asp?hVQ=F

This link automatically generating for who didnt logon to forum.

This link for my a new user :

http://www.knowhow.gen.tr/forum/RSS_topic_feed.asp?hVQ=HGFL

All RSS topic feed links generate automatically and for user. Checking permissions. If Borg's answer safely, I publish my code to Modification Forum.

]]> Sat, 17 Jun 2006 21:24:38 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109229.html#109229 <![CDATA[About RSS Topic & Post Feeds : I think alternate way for check...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109167.html#109167 Author: superlative
Subject: 19986
Posted: 16 June 2006 at 10:23am

I think alternate way for check RSS System.

For this way using ticket system. Tickets update each week. And user must obtain new RSS link.

Tickets use same way, for example

http://forums.webwiz.net/RSS_topic_feed.asp?FID=18&ticket=sdf787cvxcv547s8dfs8d7fwe4r564

Then RSS page read ticket. Tickets contain user id and date but do not understandin (Ex:asd787a8d78a7s87d244f) Check ticket date (expired?) and user permission for this forum. If ok only publish XML content.

This way guarantee user will not hack. If somebody learn this RSS link who will access via RSS reader (not forum). And after 1 week, ticket expire. Only user must obtain new RSS link. RSS link automaticly generating when user browse to forum. Each user's RSS link is different. If user dont access to some forum (permission denied) user can not obtain RSS link.

Ticket expire date is last logon time + 7 days

What do you think this way borg ? Any security bug ?

]]> Fri, 16 Jun 2006 10:23:23 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109167.html#109167 <![CDATA[About RSS Topic & Post Feeds : You right Borg, I didnt think...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109165.html#109165 Author: superlative
Subject: 19986
Posted: 16 June 2006 at 10:02am

You right Borg, I didnt think this. But be must a way for accomplish for RSS. I dont want to open our forums to public and I want to our members can follow forum via RSS. How how how ? I start our brain

. I created any security system for our articles. (Prevent copying,stole or etc.) Check it :

http://www.knowhow.gen.tr/makaleler/article.asp?id=264

May be I find a way how to accomplish this.

]]> Fri, 16 Jun 2006 10:02:33 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109165.html#109165 <![CDATA[About RSS Topic & Post Feeds : Using the encrypted password...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109164.html#109164 Author: WebWiz-Bruce
Subject: 19986
Posted: 16 June 2006 at 9:52am

Using the encrypted password in the querystring is also a a BIG security hole and not something I would want to use.

For security reasons the database encrypted passwords, security codes, etc. are updated periodically to add extra security to the system.

There is no permanent way to ID a user and any permanent solution through the use of querystrings and/or cookies would open a huge security hole in the software.

Cookies, querystrings, etc. are cached and can be got by hackers very easily, if a hacker gets hold of any permanent way of ID'ing a member they can use this to gain control of that users account.

Using the system you mention a hacker can very easily get hold of encrypted password, forum tracking codes, etc. then append this to an RSS Feed to view posts that they are not permitted to.

I have done allot of work in securing web wiz forums with white hat hackers and spent allot of time following security sites on hacking, and know that if such a system were implemented it would be only weeks, if not days, before hackers were announcing this as a big security hole in the software, and people demanding it be patched.

Edited by -boRg- - 16 June 2006 at 9:56am]]> Fri, 16 Jun 2006 09:52:18 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109164.html#109164 <![CDATA[About RSS Topic & Post Feeds : SUJO, I like your supermarket...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109086.html#109086 Author: superlative
Subject: 19986
Posted: 15 June 2006 at 10:15am

SUJO, I like your supermarket imitation. But this is not interested in our case.

By providing the RSS feed to others, they just might get interested enough to go to your page and register

You wrote this, If you dont give access permission to guest, anybody follow content via RSS Feed. But guests register and be member and read content via forum (Not RSS)

RSS Feeds is not only for computer users. Visitors read content via mobile phone. Many software exist for smartphones.

RSS Feeds nice feature. Some members want to follow forums, blogs via RSS. If you want to reply they will go to forum. In this case we don't discussion RSS benefits/injuries. We discussion :

How to give to RSS access permission to our members without any security hole. isn't it ?

]]> Thu, 15 Jun 2006 10:15:52 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109086.html#109086 <![CDATA[About RSS Topic & Post Feeds : I agree with -boRg- here. The...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109083.html#109083 Author: SUJO
Subject: 19986
Posted: 15 June 2006 at 9:54am

I agree with -boRg- here. The RSS itself was designed to be available to everyone who wants to use it. It's like going into a supermarket - everybody can go in, and everybody can buy anything (except the things they keep in stock

). It is also encouraging. By providing the RSS feed to others, they just might get interested enough to go to your page and register - for more, or just to keep up. You have no idea how many feeds can/are being read...(you could be gaining people by not even knowing of it). Also, RSS does not include topics/threads/pages that you do not want to - eg. the permissions for forums you set. So - why would you want to complicate things where/when they are not necessary?]]> Thu, 15 Jun 2006 09:54:26 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109083.html#109083 <![CDATA[About RSS Topic & Post Feeds : Borg I explained as wrong, ID...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109080.html#109080 Author: superlative
Subject: 19986
Posted: 15 June 2006 at 9:08am

Borg I explained as wrong, ID is not permanent. Hackers can forund AID (Author ID) but can not find PW. Because PW is encryted user password. RSS links different for each user. For example :

User 1 :

User name : Borg, AID (Author ID) : 1, Real PW : 1234, Encrypted PW : sdfs545d4f5645s, Permission for WWF 8x Support : Access, RSS Link :

http://forums.webwiz.net/RSS_topic_feed.asp?FID=18&AID=1&PW=sdfs545d4f5645s

User 2 :

User name : superlative, AID (Author ID) : 18438, Real PW : 369874, Encrypted PW : sdfsuyuewrjhss, Permission for WWF 8x Support : No Access, RSS Link : N/A (Because No Access forum)

In This case, User 1 copy his own RSS link to RSS Reader software and RSS asp page decrypt to PW and check the user permission. If OK publish content.

User 2 do not access the same forum. I am not hacker but this way very secure for RSS. RSS links generate for each member who have got access right. If guest access OK, bypass this security system for improve performance.

]]> Thu, 15 Jun 2006 09:08:15 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109080.html#109080 <![CDATA[About RSS Topic & Post Feeds : By using the method you mention...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109077.html#109077 Author: WebWiz-Bruce
Subject: 19986
Posted: 15 June 2006 at 8:25am

By using the method you mention using permanent ID within a URL would open a huge security hole that hackers could easily use to hack the forum and gain access to information that they shouldn't be allowed to view.

Cookies to do the same thing also would not be secure, and most RSS Readers do not support cookies.

Edited by -boRg- - 15 June 2006 at 8:26am]]> Thu, 15 Jun 2006 08:25:50 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109077.html#109077 <![CDATA[About RSS Topic & Post Feeds : Hi Again Borg; Can you use...]]> https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109061.html#109061 Author: superlative
Subject: 19986
Posted: 14 June 2006 at 11:51pm

Hi Again Borg;

Can you use cookie authentication for RSS News Reader ? For special reasons we close our forum to guests. Only members can display. For this reason members can not follow our forum via RSS. If cookies support this maybe work. Or simple auth system may be add to RSS asp pages.

For Example :

Author ID and excrypted password send to RSS pages and simple check user permissions.

http://www.knowhow.gen.tr/forum/RSS_topic_feed.asp?FID=28

insted of

http://www.knowhow.gen.tr/forum/RSS_topic_feed.asp?FID=28&AID=blahblah&pw=asjdhkajsd76678a5sdhhh

Then RSS page check AID (Author ID) and encyrpted PW, then appyle user permissions. Also, members can follow forum via RSS. Sory for my bad english grammar. Borg I hope you understand me :)

]]> Wed, 14 Jun 2006 23:51:20 +0000 https://forums.webwiz.net/about-rss-topic-post-feeds_topic19986_post109061.html#109061