moderator or premium access member action needed

HI guys please if somebody with premium access can add a ticket to TRAC. THis is seriously annoying problem and is persisting in D7. This need to be really fixed asap...

 

THis is the problem:

http://www.boonex.com/forums/topic/Help-Deleted-member-still-accessing-my-site-How-do-I-block-them-.htm

Quote · 20 Nov 2011

can please somebody pay attention here ?

Quote · 21 Nov 2011

 

can please somebody pay attention here ?

I'm on break.

 

Edit: http://www.boonex.com/trac/dolphin/ticket/2695

 

Topic moved.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 21 Nov 2011

great ..thanks mate...

Quote · 21 Nov 2011

Please can you describe on how to reproduce the problem step by step ?

Actually I believe that Dolphin 7 has enough protection agains this, especially security tokens in forms - it is impossible to submit form without opening it first and getting the token, it makes very difficult or impossible for spammers to submit forms using some automated script.

Also authentication mechanism can not allow deleted member to access your site, even if client cookie is set, however theoretically it may happen if cache file of this member still exists on the disk.

Rules → http://www.boonex.com/terms
Quote · 21 Nov 2011

ALEX: everything regarding this you can find here:

http://www.boonex.com/forums/topic/Help-Deleted-member-still-accessing-my-site-How-do-I-block-them-.htm

 

There is described what problem is and also we are there discussing how actually avoid that problem....

In short deleted members attemting to directly insert for example new blogs but as their profiles has been already deleted they causeing alot of errors in database as they hammering database with their tries to inject their code.

Problem itself doesnt affect dolphin frontend as things they trying to insert are not displayed (as their profle has been deletd) but keep causeing many database erros on their input attempts... Look to that post u find there all info...Mscott decribed problem there ...Im not programmer

 

This is what msscott say:

They are trying to insert spam directly into your database, they don't know you have deleted them and that's why it's causing errors. If you're on a VPS or dedicated server you can block them using mod_security and CSF firewall.

Where the problem lies is they are still logged in on their end (cookie) when you delete them, that is how it still shows up as their username. Dolphin doesn't let the post go through which is good, but it doesn't handle it exactly right or it wouldn't cause a database error. Anyone who isn't a member shows up as user number "0" so you can't block them completely or no one would be able to browse or join your site.

 

 

 ...for more details please see that post I mentioned...

 

 

 

Quote · 21 Nov 2011

did some testing after deleting my test account and where ever i clicked on the site it brings you to the login page.
I don't see how they can post anything. It might be something with caching if you have .php files cached

Quote · 22 Nov 2011

 I could be mistaken about the cookie. It may be the cache system that is allowing the site to think they are still a member. Several people have posted database errors in the forum that were from members who had been deleted so I do believe it's a problem, I'm just not sure how to reproduce it because I have no idea what type of script the spammers are using. I'm guessing they have written something that posts directly to the correct files to be inserted into the database once they are authenticated.

 

I'm also not sure but this could be related to the other problem where people are claiming that spammers are posting to the blogs and other areas before they have even been "activated".

This is what mscott say:

They are trying to insert spam directly into your database, they don't know you have deleted them and that's why it's causing errors. If you're on a VPS or dedicated server you can block them using mod_security and CSF firewall.

Where the problem lies is they are still logged in on their end (cookie) when you delete them, that is how it still shows up as their username. Dolphin doesn't let the post go through which is good, but it doesn't handle it exactly right or it wouldn't cause a database error. Anyone who isn't a member shows up as user number "0" so you can't block them completely or no one would be able to browse or join your site.

 

 

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 22 Nov 2011

I was not able to post blog post from deleted nor non-active member. 

So I believe that Dolphin 7 hasn't this problem.

Rules → http://www.boonex.com/terms
Quote · 22 Nov 2011

Its not about posting, its about deleted members can keep hammering database by attempts to post and cause alot of database errors...

Quote · 22 Nov 2011

 It was not any db error or anything harmful. After data submission I've got "Access Denied", so I suppose that situation is handled properly.  

Its not about posting, its about deleted members can keep hammering database by attempts to post and cause alot of database errors...

 

Rules → http://www.boonex.com/terms
Quote · 23 Nov 2011
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.