
About RSS Topic & Post Feeds

WebWiz-Bruce (Admin Group, Web Wiz Developer) - Posted: 16 June 2006 at 9:52am
Using the encrypted password in the querystring is also a BIG security hole and not something I would want to use.

For security reasons the database encrypted passwords, security codes, etc. are updated periodically to add extra security to the system.

There is no permanent way to ID a user and any permanent solution through the use of querystrings and/or cookies would open a huge security hole in the software.

Cookies, querystrings, etc. are cached and can be got by hackers very easily. If a hacker gets hold of any permanent way of ID'ing a member, they can use this to gain control of that user's account.

Using the system you mention, a hacker can very easily get hold of the encrypted password, forum tracking codes, etc. and then append this to an RSS Feed to view posts that they are not permitted to.

I have done a lot of work in securing Web Wiz Forums with white hat hackers and spent a lot of time following security sites on hacking, and know that if such a system were implemented it would be only weeks, if not days, before hackers were announcing this as a big security hole in the software, and people demanding it be patched.


Edited by -boRg- - 16 June 2006 at 9:56am

superlative (Groupie) - Posted: 16 June 2006 at 10:02am
You're right, Borg, I didn't think of this. But there must be a way to accomplish this for RSS. I don't want to open our forums to the public, and I want our members to be able to follow the forum via RSS. How, how, how? I started up my brain :) I created a security system for our articles (to prevent copying, stealing, etc.). Check it:

Maybe I will find a way to accomplish this.

superlative (Groupie) - Posted: 16 June 2006 at 10:23am
I thought of an alternate way to check the RSS system.

This way uses a ticket system. Tickets are updated each week, and the user must obtain a new RSS link.

Tickets are used the same way, for example:

Then the RSS page reads the ticket. Tickets contain the user id and date but cannot be understood (Ex: asd787a8d78a7s87d244f). Check the ticket date (expired?) and the user's permission for this forum. Only if ok, publish the XML content.

This way guarantees the user will not be hacked. If somebody learns this RSS link, they will have access via an RSS reader (not the forum). And after 1 week, the ticket expires. The user only has to obtain a new RSS link. The RSS link is generated automatically when the user browses to the forum. Each user's RSS link is different. If the user doesn't have access to some forum (permission denied), the user cannot obtain an RSS link.

Ticket expiry date is last logon time + 7 days.

What do you think of this way, Borg? Any security bugs?
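
The ticket check described in the post above, written out as an added example (it is not part of the thread and is not Web Wiz Forums code). It assumes Python, an HMAC-SHA256 signed rather than encrypted ticket, and a constructed permissions table; the key, the table and all function names are hypothetical.

```python
import base64, hashlib, hmac, struct

# Assumptions for this sketch (none of these names come from the thread).
SECRET = b"constructed-demo-key"      # server-side only; rotating it voids all tickets
TICKET_LIFETIME = 7 * 24 * 3600       # the post's rule: last logon time + 7 days
PERMISSIONS = {42: {1, 3}, 77: {1}}   # constructed sample: user id -> readable forum ids


def _tag(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_ticket(user_id, forum_id, last_logon, key=SECRET):
    """Return an RSS ticket for this user and forum, or None if access is denied."""
    if forum_id not in PERMISSIONS.get(user_id, set()):
        return None                   # no permission, no RSS link
    payload = struct.pack(">IIQ", user_id, forum_id, int(last_logon) + TICKET_LIFETIME)
    return base64.urlsafe_b64encode(payload + _tag(payload, key)).decode()


def check_ticket(ticket, forum_id, now, key=SECRET):
    """Return the user id the ticket was issued to, or None if it must be refused."""
    try:
        raw = base64.urlsafe_b64decode(ticket)
    except (ValueError, TypeError):   # ValueError covers binascii.Error (bad padding)
        return None
    if len(raw) != 48:                # 16-byte payload + 32-byte HMAC-SHA256 tag
        return None
    payload, tag = raw[:16], raw[16:]
    if not hmac.compare_digest(tag, _tag(payload, key)):
        return None                   # forged or altered ticket
    user_id, ticket_forum, expires = struct.unpack(">IIQ", payload)
    if ticket_forum != forum_id or now >= expires:
        return None                   # issued for another forum, or expired
    if forum_id not in PERMISSIONS.get(user_id, set()):
        return None                   # permission removed after the link was issued
    # The ticket is still a bearer credential: whoever holds the link reads the
    # feed as this user until it expires or the permission is withdrawn.
    return user_id
```

The signature, forum binding and expiry limit what a copied link is worth, but they do not stop a member from handing a valid link to someone else within its lifetime.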

superlative (Groupie) - Posted: 17 June 2006 at 9:24pm

Hi Borg,

I tried an implementation for RSS security; it is very simple and easy. Please check my implementation for security holes:

This link is for guests:

This link is generated automatically for those who haven't logged on to the forum.

This link is for my new user:

All RSS topic feed links are generated automatically and per user. Permissions are checked. If Borg's answer is that it is safe, I will publish my code to the Modification Forum.
 

WebWiz-Bruce (Admin Group, Web Wiz Developer) - Posted: 19 June 2006 at 10:17am
I don't know your code, but to me just adding 4 characters to a querystring will not take very long at all for a hacker to find an exploit in this and publish the results so that anyone can view posts they shouldn't do in forums.

If all you are doing is having 1 link for Guests and having a different link for Registered users then you have no security at all. All it needs is for someone to give out the link they shouldn't and anyone has access to posts they shouldn't.