Web Wiz Forums - Security Issue

Security Issue

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=6934
Printed Date: 03 April 2026 at 11:33pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com

Topic: Security Issue

Posted By: Nick-V
Subject: Security Issue
Date Posted: 02 November 2003 at 5:16pm

Is it true that ALL topics headings, even those in private and hidden (secure?) forums can be seen by ALL users when they use SEARCH and ACTIVE TOPICS?

WWF contains some good security features but this sounds like a recent and significant flaw. I believe that securing topic names is just as important as securing the message itself. Just imagine !!!

Has anyone got a work-around or an add-on for this. I'd rather live with some slower performance or more basic security that allow all topic headings to be seen publicly.

Did I misunderstand this issue or what?

Replies:

Posted By: dead_angel
Date Posted: 02 November 2003 at 7:28pm

i think someone made a mod for this, but not sure who or when or where it was posted, search back in the mod foums or on mad dogs site. i'm pretty sure it's been covered somewhere.

Posted By: zadax
Date Posted: 03 November 2003 at 1:24am

can somone give link ?

i searched and searched and didnt find it

Posted By: Nick-V
Date Posted: 03 November 2003 at 3:05am

I also searched and could only find http://forums.webwiz.net/forum_posts.asp?TID=1058&KW=search+topics+hidden - http://forums.webwiz.net/forum_posts.asp?TID=1058&a mp;KW=search+topics+hidden .

The thread provides a line of code not instructions where to enter it. I suspect it just changes the topic name displayed to "Special Topic" if the topic found is from forum 1 or whatever you determine to be the sensitive forums.

As he states, its a fast cover-up but not a solution.

Posted By: Nick-V
Date Posted: 03 November 2003 at 4:28am

I am no technical authority but carried out some user testing and wish to share my results to encourage solutions.

The Active Topics Issue

First, The Search Issue is different and will be looked into separately.

It appears that forums can be included or excluded in the Active Topics list based on the following criteria:

If the Generic Forum Permission named Forum Access is set to All Users the forum topics will be included in the Active Topics list. Under all other circumstances the topics will not display.

Group Permissions are not considered in the display of topic names but do control access to the postings as one would expect. The issue, therefore, is controlling the display of the topic name. To help you:

if you have attempted to secure your forums using generic permissions, active topics will not work for NO-ONE.
If you wish EVERYONE (including guests) to see all of your topic names set the Generic Forum Permission to All Users and use Group Permissions to control access to the forum's content. Thus, topic names can be seen but threads cannot be read.
If you wish to prevent EVERYONE (including users with forum access) from seeing the topic names in specific forums, set the Generic Forum Permission for the specific forums to Private Groups and set up Group Permissions to control access to the forum's content.

If you wish to have increasing levels of users like Guests, Customers, Staff and Managers and use Active Topics you'll have to set up separate forums!!! The only three options are hidden for all, hidden for no-one, hidden for private forums.

As mentioned previously, the deficiency is that it is not possible to secure topic names without losing use of the Active Topics facility (even for those permitted to see the threads themselves).

I'd appreciate any ideas or feedback on this.

Posted By: WebWiz-Bruce
Date Posted: 03 November 2003 at 4:30am

The next version that I will release today won't show topic titles for forums the user can't view on the active users page.

This was discussed in quite some length a few weeks ago and many things tried out which resulted in a new stored procedure for SQL server and a new query for Access that I did post somewhere on this forum.

-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting

Posted By: Nick-V
Date Posted: 03 November 2003 at 4:35am

Thats great news Borg...I didn't find the discussion despite some searching but I'm sure I'll find the new SQL Stored Procedure.

Borg, does the new version also fix the search issue or shall I continue to look into what it does and how to get around it?

PS. I think I found pre-release stored procedure (Active Topics not Search) but I'm waiting for new version as it need to be called with 4 bits of data in the linkage. For those interested its at http://forums.webwiz.net/forum_posts.asp?TID=6268&KW=active+topics+procedure - http://forums.webwiz.net/forum_posts.asp?TID=6268&a mp;KW=active+topics+procedure

Posted By: WebWiz-Bruce
Date Posted: 03 November 2003 at 5:06am

I've looked at all teh queries in the search.asp page but they are so complex I can't find a way to also look at the permisisons for the user without a search taking 10 minutes.

-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting