Topic: Guest posting security bug?
I'm not totally sure how this happened, but my 1.22 forum recently received some aggressive spam (I reported this via the bug report link on the PunBB site on the weekend and got no response).
I'm not sure how this happened, but spam was being posted into the forum, with usernames that do not exist in my database, and the users all had a user ID of 1 (which is the guest ID). I managed to block this spam by adding some extra checks in post.php blocking guest posts.
What I don't understand is how this happened.
- I double-checked all user groups and guests do not have permission to post
- I checked all forums and guest post permissions were all turned off here
- I also cross-checked the IP addresses of the posters and the spammers are not any IPs of users that logged into the site
Does this look like there might be a security hole somewhere? Any ideas how this may have happened?