Topic: Guest posting security bug?

I'm not totally sure how this happened, but my 1.22 forum recently received some aggressive spam (I reported this via the bug report link on the PunBB site on the weekend and no response).

I'm not sure how this happened, but spam was being posted into the forum, with usernames that do not exist in my database, and the users all had a user ID of 1 (which is the guest ID). I managed to block this spam but adding some extra checks in post.php blocking guest posts.

What I don't understand is how this happened.
- I double-checked all user groups and guests do not have permission to post
- I check all forums and guest post permissions were all turned off here
- I also cross-checked the IP addresses of the posters and the spammers are not any IPs of users that logged into the site

Does this look like there might be a security hole somewhere? Any ideas how this may have happened?


Re: Guest posting security bug?

since you have close the guest post permission
i don't think there is possible for a guest to post.

as my forum based on punbb1.2
if there is no permission to post on forum id 1
then you access http://xxx.tld/post.php?fid=1
the forum should give you a tip that " you have not permission to view this page"


Re: Guest posting security bug?

Hey why i can not edit my post?

You should give your URL. roll

Re: Guest posting security bug?

The vulnerability might have occurred after you installed mods. Please indicate if you installed any mods; if you did, which ones?

Re: Guest posting security bug?

I am having the same issue. I found that if I'm logged out, I can still go to ../post.php?tid=26 and it will still let me post, whether I'm a guest or not. The only plugins I am using are Anti-bot check, Forum Subscriber, Gallery Categories, and Gallery Options. This is very frustrating. Could one of those plugins leave this hole? I am using PunBB 1.2.14.

6 (edited by Starc12344 2013-04-10 14:24)

Re: Guest posting security bug?

Guest how to post security bug?