e107inc / e107

e107 Bootstrap CMS (Content Management System) v2 with PHP, MySQL, HTML5, jQuery and Twitter Bootstrap. Issue Discussion Room: https://gitter.im/e107inc/e107
https://e107.org
GNU General Public License v3.0

Spam entry (forum) #1075

Closed gary231178 closed 9 years ago

gary231178 commented 9 years ago

Hiya, I'm noticing that in my forums, threads which are set to admin post only, spammers are gaining access and spamming as admin userclass without even a user signup created. Please see the new post just now:- screenshot_2

And then in admin permissions:-

screenshot_1

screenshot_3

How is this post possible as a spammer with admin status which hasn't even initiated a signup?

Please help.

Regards.

Gary

gary231178 commented 9 years ago

Aah, I see they are posting as anonymous but using my admin avatar, still baffled as no signup and hence no option to select a site stored avatar. Also is this then a bug with userclass perms allowing anonymous posting? As clearly I have it set that only admins can create threads in this section.

Moc commented 9 years ago

It has been reported before: https://github.com/e107inc/e107/issues/441 Seems like it's still present.. I haven't figured it out yet.

gary231178 commented 9 years ago

Wow since posting over 200 spam posts now added in minutes lol.

Guess following bug report #441 will have to make forums non public, which I didn't really want to do. I do have sfs installed also which appears to be doing nothing lol.

gary231178 commented 9 years ago

Ok hope this helps, but I have narrowed it down with the help of spammers:- It seems that they can only post in a forum thread that is subject to a Sub forum, well at least they haven't been able to post in any other topics / threads which aren't in a sub forum. Bug with the sub forum which is set to show to members only is still visible when not logged in publicly when this should be hidden, thus allowing spammers to see the thread. It does then also allow public posting, as I can clearly select new topic and post away without being logged in!!

gary231178 commented 9 years ago

OK well maybe not, not sure if it was a result of the recent forum fixes on other issues, but it now seems that I can anonymously post without being logged in, in any forum on any topic regardless of whether the topics are set to public / members only. This applies to creating a new topic and replying to open threads which should only be postable by members. Only ones I can't see and or post are the admin userclass forums.

screenshot_6

screenshot_7

CaMer0n commented 9 years ago

Please check your apache logs, you should see which script is being hit repeatedly.
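An added example, not part of the original thread or of the e107 code base: one way to act on the log-check advice above is to count POST requests per script in an Apache combined-format access log and list the scripts hit most often. The log lines, script paths and client addresses are constructed placeholders; `hot_scripts` and `min_hits` are hypothetical names.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input. The paths are placeholders, not e107's real script paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2015:10:00:01 +0000] "POST /forum/post-script.php?f=nt&id=4 HTTP/1.1" 302 512 "-" "bot/1.0"
203.0.113.7 - - [10/Jun/2015:10:00:02 +0000] "POST /forum/post-script.php?f=nt&id=4 HTTP/1.1" 302 512 "-" "bot/1.0"
198.51.100.23 - - [10/Jun/2015:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2015:10:00:04 +0000] "POST /forum/post-script.php?f=rp&id=12 HTTP/1.1" 302 512 "-" "bot/1.0"
198.51.100.23 - - [10/Jun/2015:10:00:05 +0000] "POST /login-script.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:10:00:06 +0000] "POST /forum/post-script.php?f=nt&id=5 HTTP/1.1" 302 512 "-" "bot/1.0"
this line is truncated and does not parse
"""


def hot_scripts(log_text, min_hits=3):
    """Return [(script_path, post_count, distinct_clients)], most-hit first.

    Only POST requests are counted, since posting spam requires a form
    submission. Query strings are stripped so that one script hit with
    varying parameters is counted as a single target. Lines that do not
    parse are skipped rather than aborting the run.
    """
    hits = Counter()
    clients = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("target").split("?", 1)[0]
        hits[path] += 1
        clients.setdefault(path, set()).add(m.group("host"))
    return [(p, n, len(clients[p])) for p, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    for path, count, n_clients in hot_scripts(SAMPLE_LOG):
        print(f"{count:5d} POSTs from {n_clients} client(s): {path}")
```

The access log records the HTTP auth user, not the CMS session, so this shows which script is being hit and from where, not whether the requests were logged in.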

gary231178 commented 9 years ago

Sorry for the many posts, not sure if and how it is relevant but disabling cache removes the ability from posting anonymously. As soon as cache is enabled again allows for anonymous posting. Is this the bug, or am I still subject to a vulnerability somewhere.

LaocheXe commented 9 years ago

I had a few issues with cache on my site with Cloudflare enabled as well - Moved to another website host and issues I had I no longer get - plus cache is disabled but still got my Cloudflare enabled.

Moc commented 9 years ago

You are not subject to a hack. It's a bug that's causing this spam issue. The caching aspect was not considered before so that's useful new info.

The fatal error on emailprint is also a bug. Not a hack of any sorts.

I'll look into this issue asap

gary231178 commented 9 years ago

Cool thanks Moc for the reassurance and speedy response.

Moc commented 9 years ago

When you say that disabling the cache stops the ability to post anonymously, do you mean the e107 cache (content or system cache) or some server or third party software?

I'll try to reproduce this issue asap. Once reproduced it should be easy to fix.

gary231178 commented 9 years ago

Hi, it is the system cache that (when enabled) allows anonymous posting.

Regards.

Gary

gary231178 commented 9 years ago

Your changes have fixed my issues. Once again thank you for the continued development and commitment to the e107 cms, it is much appreciated.

CaMer0n commented 9 years ago

Likewise @gary231178, thank you for the positive feedback and for helping with your bug reports. :+1: