Unknown Spammer
Tama
I have a forum running 2.1b.
I have installed the StopForumSpam and Akismet plugins from the Vanilla Addons Repo on GitHub. This seemed to prevent spam for a while, but within the past few days we have had large amounts of spam by "Unknown" users, the click redirecting to profile ID 0, but each one has a unique IP address.
Following this I have had to enable Approval and Botstop, but I would like to know if you guys have any idea how they got through, and how they posted as "Unknown", as this makes cleaning up their spam difficult (I have now coded a simple spam cleaner which bans them and removes their content, but this leaves gaps in the forum).
Many thanks
(View log is over 2GB so I can't attach it xd)
Comments

Users blocked?
This is a serious security hole. Have you got request logs? They could reveal some information.
grep is your friend.
Check your server request logs for those IPs; this will reveal the method of injection.
Edit: otherwise known as access logs.
grep is your friend.
Plugins Used
Akismet 1.0.1b
Botstop 1.0.1
ButtonBar 1.6
Category based "New Discussion" button text 0.1.1
Emocss 1.0
FileUpload 1.7.1
Flagging 1.1.1
In This Discussion 1
LastEdited 1.0.2
Max Comment 1.0.1
Minecraft Avatar (custom) 2.0.18
OEmbed 1.3.1
Peregrine Badges 4.1
Peregrine Reactions 2.3
Profile Extender 3.0
Quotes 1.6.1
RoleBadges 0.2
Signatures 1.5
Sock Puppet Detector 1.0b
Split/Merge 1.1
SFS 1.0.1
Vanilla stats 2.0.4
WhosOnline 1.3.1
Is there anything before that point?
grep is your friend.
No, but records for spammer "216.244.86.130".
SQL Query used to find spammers
When logged out, can you see a comment box?
Are you able to go to /post/comment/123, where 123 is a valid discussion ID?
grep is your friend.
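The two checks suggested above (pull the spammer's requests out of the access log to see how the posts were injected, and probe /post/comment/ID as a logged-out client) as a worked example. This is an added example, not code from the thread or from Vanilla. The IP is the one quoted in the thread; every log line in SAMPLE_LOG is constructed, and the paths, referers and timestamps are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pull one client's requests out of a
# combined-format (Apache/nginx) access log and list what it POSTed to.
# The log below is constructed for the example; only the IP comes from the thread.
SAMPLE_LOG='216.244.86.130 - - [12/Mar/2014:03:14:01 +0000] "GET /discussion/123/hello HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
216.244.86.130 - - [12/Mar/2014:03:14:02 +0000] "POST /post/comment/123 HTTP/1.1" 302 0 "http://embedding-site.example/page" "Mozilla/5.0"
216.244.86.130 - - [12/Mar/2014:03:14:05 +0000] "POST /post/comment/123 HTTP/1.1" 302 0 "http://embedding-site.example/page" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:03:15:00 +0000] "GET /categories HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
216.244.86.130 - - [12/Mar/2014:03:16:11 +0000] "POST /post/comment/456 HTTP/1.1" 302 0 "http://embedding-site.example/other" "Mozilla/5.0"'

# Every request line made by one client address (the grep step). Log on stdin.
# awk's exact field match avoids the "." in an IP matching any character as a grep regex would.
requests_from_ip() {
    awk -v ip="$1" '$1 == ip'
}

# Distinct paths the address POSTed to, with counts, most frequent first.
# In combined format $6 is the quoted method ("POST) and $7 the request path.
post_targets() {
    awk -v ip="$1" '$1 == ip && $6 == "\"POST" { print $7 }' | sort | uniq -c | sort -rn
}

# Number of POST requests from the address.
post_count() {
    awk -v ip="$1" '$1 == ip && $6 == "\"POST" { n++ } END { print n + 0 }'
}

# Referer of each POST ($11). A referer on a host other than the forum means the
# comment form was submitted from an embed, not from the forum's own pages.
post_referers() {
    awk -v ip="$1" '$1 == ip && $6 == "\"POST" { print $11 }' | sort | uniq -c
}

# The "/post/comment/123 while logged out" check: prints the HTTP status a
# client with no session gets from the comment endpoint. A 200 with a form,
# where the forum should require login, is the hole. Needs network access;
# not exercised offline. $1 = forum base URL, $2 = discussion ID (assumptions).
probe_comment_endpoint() {
    curl -s -o /dev/null -w '%{http_code}\n' "$1/post/comment/$2"
}

# Usage against the constructed sample: what did the spammer POST to, and from where?
printf '%s\n' "$SAMPLE_LOG" | post_targets 216.244.86.130
printf '%s\n' "$SAMPLE_LOG" | post_referers 216.244.86.130
```

Run the same functions over the real log with `post_targets 216.244.86.130 < /var/log/apache2/access.log`; on a multi-gigabyte log, filter with `requests_from_ip` first and save that subset so later passes are cheap.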
Yes, checked on localhost running the same version; it does not occur.
Well, your permissions and roles are clearly not right.
What permissions do you have for the guest role (a screen grab would be better)?
grep is your friend.
Figured it out: this has to do with Vanilla's Embed Forum functionality. It seems if you have this enabled but not the commenting system enabled, users can comment anyway.
For a category they posted in, show me the permissions.
grep is your friend.
They have posted in the categories, which all have the default permission settings.
Also check my comment above.
Please show the whole list, and also the full list of roles. Meanwhile, try to post a comment whilst logged out.
grep is your friend.
However, I've tracked down the issue: this occurs when using the EmbedForum functionality. It enables the embed commenting system as well, allowing the use of the commenting system whilst logged out.
Please check that outside of the embed format you can't comment (you might have to turn off redirection).
grep is your friend.
I am unable to, but it seems bots can, as the form still shows.
PM me the site
grep is your friend.
Yes, I'm able to post without being logged in. Your permission table is probably corrupt.
grep is your friend.
What I'd do is this: I wonder if there are NULL values or something else in JunctionTable, JunctionColumn or JunctionID.
Sometimes the effect of bad data dumps means that the schema is not adhered to.
You can `DESCRIBE GDN_Permission` and `SELECT * FROM GDN_Permission LIMIT 30`.
grep is your friend.
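The permission-table checks suggested in the last reply, packaged so they can be rerun after cleanup. This is an added example, not code from the thread or from Vanilla. The junction columns (JunctionTable, JunctionColumn, JunctionID) and the table name are the ones named above; the permission column names `Vanilla.Discussions.Add` and `Vanilla.Comments.Add`, the guest RoleID of 2 and the `mysql` invocation are assumptions about a Vanilla 2.1 install and should be verified against the DESCRIBE output and GDN_Role on your own database.

```shell
#!/bin/sh
# Added example (not from the thread): the audit queries behind
# "DESCRIBE GDN_Permission" and "look for NULL junction values".
# Column names other than the junction triple, and the guest RoleID, are assumptions.

# Emit the audit SQL for one role. $1 = RoleID to inspect (Vanilla's default
# Guest role is assumed to be 2; confirm with: SELECT RoleID, Name FROM GDN_Role).
permission_audit_sql() {
    role_id="$1"
    cat <<SQL
-- Schema first: confirm the junction columns exist and which are nullable.
DESCRIBE GDN_Permission;

-- Rows where the junction triple is inconsistent. A global permission row has
-- all three NULL; a category row has all three set. A JunctionTable named with
-- no JunctionID (or the reverse) is what a bad dump or partial import leaves behind.
SELECT PermissionID, RoleID, JunctionTable, JunctionColumn, JunctionID
FROM GDN_Permission
WHERE (JunctionTable IS NULL) <> (JunctionColumn IS NULL)
   OR (JunctionTable IS NULL) <> (JunctionID IS NULL);

-- Every permission row the role holds, global and per category, with the two
-- posting permissions that matter for this thread (column names assumed).
SELECT PermissionID, JunctionTable, JunctionID,
       \`Vanilla.Discussions.Add\`, \`Vanilla.Comments.Add\`
FROM GDN_Permission
WHERE RoleID = $role_id;
SQL
}

# Run the audit against a database. $1 = database name, $2 = RoleID.
# Assumes credentials come from ~/.my.cnf; --batch gives tab-separated output.
permission_audit() {
    permission_audit_sql "$2" | mysql --batch "$1"
}

# Usage (prints the SQL so it can be reviewed before running it):
permission_audit_sql 2
```

Any row returned by the second query is a corrupt junction; for the third, a guest row with `Vanilla.Comments.Add` set to 1 on a category explains logged-out comments regardless of what the dashboard shows.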