About RSS Topic & Post Feeds
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=19986
Printed Date: 11 April 2026 at 11:42am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: About RSS Topic & Post Feeds
Posted By: superlative
Subject: About RSS Topic & Post Feeds
Date Posted: 22 May 2006 at 9:42pm
|
Hi all,
I have got a suggestion. Maybe an option for the RSS buttons. I have got an idea:
If a user wants to follow posts or topics and normally guests do not have permission to access the forums, the user cannot follow topics or posts via RSS. Maybe an option for the Admin menu, if the user accesses the RSS button, copies the link shortcut and follows the RSS links or doesn't follow. I hope this feature comes in new versions. Currently our forums do not accept guests; for this reason our users don't follow RSS feeds. I modify the RSS asp pages. I know this will become a security bug. Somebody discovers a topic ID and accesses content via RSS. Maybe a user check system will be integrated into the RSS viewer asp pages. I am working on this.
------------- http://www.knowhow.gen.tr
|
Replies:
Posted By: jsaren
Date Posted: 23 May 2006 at 11:30pm
Posted By: WebWiz-Bruce
Date Posted: 24 May 2006 at 8:35am
The original RSS Feed I made for the forum did include permissions, but this was removed for 2 reasons: 1 was performance, and the other was that RSS Feeds are meant to be viewed in an RSS News Aggregator, and as RSS News Aggregators are not able to log in to forums there is little point in having a permissions system included in the RSS Feed, so RSS Feeds only work on Guest permissions.
------------- https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting
|
Posted By: superlative
Date Posted: 14 June 2006 at 11:51pm
|
Hi Again Borg;
Can you use cookie authentication for the RSS News Reader? For special reasons we close our forum to guests. Only members can view it. For this reason members cannot follow our forum via RSS. If cookies support this, maybe it will work. Or a simple auth system may be added to the RSS asp pages.
For example:
Author ID and encrypted password are sent to the RSS pages, which simply check user permissions.
http://www.knowhow.gen.tr/forum/RSS_topic_feed.asp?FID=28
instead of
http://www.knowhow.gen.tr/forum/RSS_topic_feed.asp?FID=28&AID=blahblah&pw=asjdhkajsd76678a5sdhhh
Then the RSS page checks the AID (Author ID) and encrypted PW, then applies user permissions. Also, members can follow the forum via RSS. Sorry for my bad English grammar. Borg, I hope you understand me :)
------------- http://www.knowhow.gen.tr
|
Posted By: WebWiz-Bruce
Date Posted: 15 June 2006 at 8:25am
Using the method you mention, a permanent ID within a URL would open a huge security hole that hackers could easily use to hack the forum and gain access to information that they shouldn't be allowed to view.
Cookies to do the same thing also would not be secure, and most RSS Readers do not support cookies.
------------- https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting
|
Posted By: superlative
Date Posted: 15 June 2006 at 9:08am
|
Borg, I explained it wrong; the ID is not permanent. Hackers can find the AID (Author ID) but cannot find the PW, because the PW is the encrypted user password. RSS links are different for each user. For example:
User 1 :
User name : Borg, AID (Author ID) : 1, Real PW : 1234, Encrypted PW : sdfs545d4f5645s, Permission for WWF 8x Support : Access, RSS Link :
http://forums.webwiz.net/RSS_topic_feed.asp?FID=18&AID=1&PW=sdfs545d4f5645s
User 2 :
User name : superlative, AID (Author ID) : 18438, Real PW : 369874, Encrypted PW : sdfsuyuewrjhss, Permission for WWF 8x Support : No Access, RSS Link : N/A (Because No Access forum)
In this case, User 1 copies his own RSS link to the RSS Reader software and the RSS asp page decrypts the PW and checks the user permission. If OK, it publishes the content.
User 2 does not have access to the same forum. I am not a hacker but this way is very secure for RSS. RSS links are generated for each member who has access rights. If guest access is OK, bypass this security system to improve performance.
------------- http://www.knowhow.gen.tr
|
Posted By: SUJO
Date Posted: 15 June 2006 at 9:54am
I agree with -boRg- here. The RSS itself was designed to be available to everyone who wants to use it. It's like going into a supermarket - everybody can go in, and everybody can buy anything (except the things they keep in stock ). It is also encouraging. By providing the RSS feed to others, they just might get interested enough to go to your page and register - for more, or just to keep up. You have no idea how many feeds can/are being read...(you could be gaining people by not even knowing of it). Also, RSS does not include topics/threads/pages that you do not want to - eg. the permissions for forums you set. So - why would you want to complicate things where/when they are not necessary?
------------- Who are you? What do you want?
|
Posted By: superlative
Date Posted: 15 June 2006 at 10:15am
|
SUJO, I like your supermarket imitation. But this is not interested in our case.
"By providing the RSS feed to others, they just might get interested enough to go to your page and register"
You wrote this. If you don't give access permission to guests, anybody follow content via RSS Feed. But guests register and become members and read content via the forum (not RSS).
RSS Feeds are not only for computer users. Visitors read content via mobile phone. Much software exists for smartphones.
RSS Feeds are a nice feature. Some members want to follow forums and blogs via RSS. If they want to reply they will go to the forum. In this case we are not discussing RSS benefits/injuries. We are discussing:
How to give RSS access permission to our members without any security hole, isn't it?
------------- http://www.knowhow.gen.tr
|
Posted By: WebWiz-Bruce
Date Posted: 16 June 2006 at 9:52am
Using the encrypted password in the querystring is also a BIG security hole and not something I would want to use.
For security reasons the database encrypted passwords, security codes, etc. are updated periodically to add extra security to the system.
There is no permanent way to ID a user and any permanent solution through the use of querystrings and/or cookies would open a huge security hole in the software.
Cookies, querystrings, etc. are cached and can be got by hackers very easily. If a hacker gets hold of any permanent way of ID'ing a member they can use this to gain control of that user's account.
Using the system you mention a hacker can very easily get hold of encrypted password, forum tracking codes, etc. then append this to an RSS Feed to view posts that they are not permitted to.
I have done a lot of work in securing web wiz forums with white hat hackers and spent a lot of time following security sites on hacking, and know that if such a system were implemented it would be only weeks, if not days, before hackers were announcing this as a big security hole in the software, and people demanding it be patched.
------------- https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting
|
Posted By: superlative
Date Posted: 16 June 2006 at 10:02am
You are right Borg, I didn't think of this. But there must be a way to accomplish this for RSS. I don't want to open our forums to the public and I want our members to be able to follow the forum via RSS. How how how? I start our brain. I created a security system for our articles (prevent copying, stealing, etc.). Check it:
http://www.knowhow.gen.tr/makaleler/article.asp?id=264
Maybe I will find a way to accomplish this.
------------- http://www.knowhow.gen.tr
|
Posted By: superlative
Date Posted: 16 June 2006 at 10:23am
|
I think of an alternate way to check the RSS system.
This way uses a ticket system. Tickets update each week, and the user must obtain a new RSS link.
Tickets are used the same way, for example
http://forums.webwiz.net/RSS_topic_feed.asp?FID=18&ticket=sdf787cvxcv547s8dfs8d7fwe4r564
Then the RSS page reads the ticket. Tickets contain the user id and date but are not understandable (Ex: asd787a8d78a7s87d244f). Check the ticket date (expired?) and the user permission for this forum. Only if OK, publish the XML content.
This way guarantees the user will not be hacked. If somebody learns this RSS link, they will access via RSS reader (not the forum). And after 1 week, the ticket expires. Only the user must obtain a new RSS link. The RSS link is automatically generated when the user browses the forum. Each user's RSS link is different. If the user doesn't have access to some forum (permission denied), the user cannot obtain an RSS link.
Ticket expire date is last logon time + 7 days
What do you think of this way, Borg? Any security bug?
------------- http://www.knowhow.gen.tr
|
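The ticket scheme proposed in the post above, sketched as an added example (not code from the thread or from Web Wiz Forums): the ticket is an HMAC over user id, forum id and expiry under a server-side key, so it is unrelated to the stored password hash. `SECRET`, `ACL`, `TTL` and the function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"  # assumption: random server-side key, never sent out
TTL = 7 * 24 * 3600               # "last logon time + 7 days" from the post
ACL = {(1, 18)}                   # hypothetical (user_id, forum_id) read permissions

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def issue_ticket(user_id, forum_id, last_logon):
    """Return a feed ticket, or None if the user may not read the forum."""
    if (user_id, forum_id) not in ACL:
        return None
    payload = f"{user_id}.{forum_id}.{int(last_logon) + TTL}".encode()
    b64 = base64.urlsafe_b64encode
    return b64(payload).decode() + "." + b64(_sign(payload)).decode()

def check_ticket(ticket, forum_id, now=None):
    """Return the user id the ticket authorises for forum_id, else None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, AttributeError):
        return None                      # malformed ticket
    # Constant-time comparison; reject before trusting any field.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    user_id, fid, expires = (int(x) for x in payload.decode().split("."))
    if fid != forum_id or now >= expires:
        return None                      # wrong forum or expired
    if (user_id, fid) not in ACL:
        return None                      # permission revoked since issue
    return user_id
```

A ticket of this kind is still a bearer credential: anyone holding the link can read the feed until it expires or the user's permission is removed.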
Posted By: superlative
Date Posted: 17 June 2006 at 9:24pm
|
Hi Borg,
I tried an implementation for RSS security; this is very simple and easy. Please check my implementation for security holes:
This link is for guests:
http://www.knowhow.gen.tr/forum/RSS_topic_feed.asp?hVQ=F
This link is automatically generated for those who didn't log on to the forum.
This link is for my new user:
http://www.knowhow.gen.tr/forum/RSS_topic_feed.asp?hVQ=HGFL
All RSS topic feed links are generated automatically and per user. Checking permissions. If Borg answers that it is safe, I will publish my code to the Modification Forum.
------------- http://www.knowhow.gen.tr
|
Posted By: WebWiz-Bruce
Date Posted: 19 June 2006 at 10:17am
I don't know your code, but to me just adding 4 characters to a querystring will not take very long at all for a hacker to find an exploit in this and publish the results so that anyone can view posts they shouldn't do in forums.
If all you are doing is having 1 link for Guests and having a different link for Registered users then you have no security at all; all it needs is for someone to give out the link they shouldn't and anyone has access to posts they shouldn't.
------------- https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting
|
|