Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.1.3 Security breach???

Some how spam bots can with registration assign Roles Not Verified, Member. And because of Member role they can post.
How it's possible? It should be or Not Verified or Member if in settings email verification required.
How they enter capcha?!

Is there any solutions?

Comments

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP
    edited September 2014

    @‌mye

    You need to check your settings - each admin is responsible for their board's security.

    Personally, amongst other things, I created a role called 'Waiting', which I assigned the tightest permissions (read only) and then in Registration Settings set that role for applicants waiting to confirm their email address.

    I have registration set to Approval, use Registration Restrict Logger and Add Registration Question plugins (all hail the mighty @perregrine ) and have had no spam intrusion since.

  • LincLinc Detroit Admin

    @mye Some bots can indeed pass the email confirmation. Humans can do captchas before turning over the spamming reigns to a bot.

    Also, make sure your "Email Confirmation Role" is set to the "Unconfirmed" role and not "Member". (if you're using default roles & permissions).

  • Email Confirmation Role is Unconfirmed, and that role can only view discussions. But the question is how bot assign two roles: Unconfirmed and Member only by registration? Common sense telling me that Unconfirmed role should be unique and can't be multi selected with other one. It should be exclusive role. This is security breach I think.

  • LincLinc Detroit Admin
    edited September 2014

    @mye said:
    But the question is how bot assign two roles: Unconfirmed and Member only by registration?

    At the start of this discussion you said:

    Some how spam bots can with registration assign Roles Not Verified, Member

    So which is it?

    "Not Verified" isn't technically a role, it's a on/off toggle that represents whether their posts are checked by the spam filter. It's normal for users to be Not Verified. The only way that gets toggled automatically is via addons.

    "Unconfirmed" is the correct role, but a user gets moved to that role as they register, storing their default roles until they do the email confirmation step. Therefore, there's no "hack" to get both that role and the Member role at the same time; there's really no code present to accomplish that in the registration process afaik.

  • Sorry for confusion. Not Verified, Member the status of spam bot. Email Confirmation Role is Unconfirmed. So somehow bot becomes Member skipping email verification?

  • peregrineperegrine MVP
    edited September 2014

    In this ongoing or just the case of one member.

    if it is ongoing and/or more than one member,

    • post your dashboard permissions for the
      Email confirmation role and your config.php minus the sensitive info (don't include secrets or passwords, etc).

    • the other question is - did you recently upgrade from 2.0.18.x

    • it could be your confirmation role is incorrect in config. either notation or roleid

    • you also might want to look at the Role table and list out the the Roleid's associated with name.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • LincLinc Detroit Admin

    @mye said:
    So somehow bot becomes Member skipping email verification?

    My guess is that the "bot" is successfully passing email verification, not skipping it.

  • myemye New
    edited September 2014

    If so should the role change from Not Verified to Verified?

    @peregrine said:

    • post your dashboard permissions for the
      Email confirmation role and your config.php minus the sensitive info (don't include secrets or passwords, etc).

    • the other question is - did you recently upgrade from 2.0.18.x

    • it could be your confirmation role is incorrect in config. either notation or roleid

    • you also might want to look at the Role table and list out the the Roleid's associated with name.

    -What dashboard permissions you are asking for?
    -No upgrading. Clean 2.1

    <?php if (!defined('APPLICATION')) exit();
    
    // Conversations
    $Configuration['Conversations']['Version'] = '2.1.3';
    
    // Database
    $Configuration['Database']['Name'] = '';
    $Configuration['Database']['Host'] = '127.0.0.1';
    $Configuration['Database']['User'] = '';
    $Configuration['Database']['Password'] = '';
    
    // EnabledApplications
    $Configuration['EnabledApplications']['Conversations'] = 'conversations';
    $Configuration['EnabledApplications']['Vanilla'] = 'vanilla';
    
    // EnabledPlugins
    $Configuration['EnabledPlugins']['HtmLawed'] = 'HtmLawed';
    $Configuration['EnabledPlugins']['AquaWysihtml5'] = TRUE;
    $Configuration['EnabledPlugins']['DiscussionPolls'] = TRUE;
    $Configuration['EnabledPlugins']['Gravatar'] = TRUE;
    $Configuration['EnabledPlugins']['OpenID'] = TRUE;
    $Configuration['EnabledPlugins']['Pockets'] = TRUE;
    $Configuration['EnabledPlugins']['StopForumSpam'] = TRUE;
    $Configuration['EnabledPlugins']['Tagging'] = TRUE;
    $Configuration['EnabledPlugins']['timeago'] = TRUE;
    $Configuration['EnabledPlugins']['VanillaStats'] = TRUE;
    $Configuration['EnabledPlugins']['AquaTextProtector'] = TRUE;
    $Configuration['EnabledPlugins']['Facebook'] = TRUE;
    $Configuration['EnabledPlugins']['Twitter'] = TRUE;
    $Configuration['EnabledPlugins']['AllViewed'] = TRUE;
    $Configuration['EnabledPlugins']['Flagging'] = TRUE;
    $Configuration['EnabledPlugins']['ProfileExtender'] = TRUE;
    $Configuration['EnabledPlugins']['GooglePlus'] = TRUE;
    $Configuration['EnabledPlugins']['Timeago'] = TRUE;
    $Configuration['EnabledPlugins']['SignLogger'] = TRUE;
    $Configuration['EnabledPlugins']['Cleanser'] = TRUE;
    $Configuration['EnabledPlugins']['RegistrationRestrictLogger'] = TRUE;
    $Configuration['EnabledPlugins']['AddRegistrationQuestion'] = TRUE;
    
    // Garden
    $Configuration['Garden']['Title'] = 'Aquastaff';
    $Configuration['Garden']['Cookie']['Salt'] = '';
    $Configuration['Garden']['Cookie']['Domain'] = '';
    $Configuration['Garden']['Registration']['ConfirmEmail'] = '1';
    $Configuration['Garden']['Registration']['CaptchaPrivateKey'] = '';
    $Configuration['Garden']['Registration']['CaptchaPublicKey'] = '-';
    $Configuration['Garden']['Registration']['Method'] = 'Captcha';
    $Configuration['Garden']['Registration']['ConfirmEmailRole'] = '3';
    $Configuration['Garden']['Registration']['InviteExpiration'] = '-1 week';
    $Configuration['Garden']['Registration']['InviteRoles']['3'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['4'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['8'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['16'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['32'] = '0';
    $Configuration['Garden']['Email']['SupportName'] = 'Aquastaff';
    $Configuration['Garden']['Email']['SupportAddress'] = '[email protected]';
    $Configuration['Garden']['Email']['UseSmtp'] = FALSE;
    $Configuration['Garden']['Email']['SmtpHost'] = '';
    $Configuration['Garden']['Email']['SmtpUser'] = '';
    $Configuration['Garden']['Email']['SmtpPassword'] = '';
    $Configuration['Garden']['Email']['SmtpPort'] = '25';
    $Configuration['Garden']['Email']['SmtpSecurity'] = '';
    $Configuration['Garden']['InputFormatter'] = 'Html';
    $Configuration['Garden']['Version'] = '2.1.3';
    $Configuration['Garden']['RewriteUrls'] = TRUE;
    $Configuration['Garden']['Cdns']['Disable'] = FALSE;
    $Configuration['Garden']['CanProcessImages'] = TRUE;
    $Configuration['Garden']['SystemUserID'] = '2';
    $Configuration['Garden']['Installed'] = TRUE;
    $Configuration['Garden']['Theme'] = 'Aquastaff';
    $Configuration['Garden']['MobileTheme'] = 'Aquastaff';
    $Configuration['Garden']['HomepageTitle'] = 'Aquastaff';
    $Configuration['Garden']['Description'] = ' ';
    $Configuration['Garden']['ShareImage'] = 'H5FR4GA6K8I6.jpg';
    $Configuration['Garden']['Logo'] = 'logo.png';
    $Configuration['Garden']['FavIcon'] = 'favicon.png';
    $Configuration['Garden']['Messages']['Cache'] = array('Vanilla/Discussions/Index');
    $Configuration['Garden']['InstallationID'] = '6A75--DA77A634';
    $Configuration['Garden']['InstallationSecret'] = '';
    
    // Plugins
    $Configuration['Plugins']['GooglePlus']['ClientID'] = '217968011653-';
    $Configuration['Plugins']['GooglePlus']['Secret'] = '';
    $Configuration['Plugins']['GooglePlus']['SocialReactions'] = '1';
    $Configuration['Plugins']['GooglePlus']['SocialSharing'] = '1';
    $Configuration['Plugins']['GooglePlus']['Default'] = '';
    $Configuration['Plugins']['Facebook']['ApplicationID'] = '';
    $Configuration['Plugins']['Facebook']['Secret'] = '';
    $Configuration['Plugins']['Facebook']['UseFacebookNames'] = '1';
    $Configuration['Plugins']['Facebook']['SocialReactions'] = '1';
    $Configuration['Plugins']['Facebook']['SocialSharing'] = '1';
    $Configuration['Plugins']['Facebook']['SocialSignIn'] = '1';
    $Configuration['Plugins']['Twitter']['ConsumerKey'] = '';
    $Configuration['Plugins']['Twitter']['Secret'] = '';
    $Configuration['Plugins']['Twitter']['SocialReactions'] = '1';
    $Configuration['Plugins']['Twitter']['SocialSharing'] = FALSE;
    $Configuration['Plugins']['GettingStarted']['Dashboard'] = '1';
    $Configuration['Plugins']['GettingStarted']['Plugins'] = '1';
    $Configuration['Plugins']['GettingStarted']['Categories'] = '1';
    $Configuration['Plugins']['GettingStarted']['Discussion'] = '1';
    $Configuration['Plugins']['GettingStarted']['Profile'] = '1';
    $Configuration['Plugins']['GettingStarted']['Registration'] = '1';
    $Configuration['Plugins']['StopForumSpam']['UserID'] = '3';
    $Configuration['Plugins']['Akismet']['UserID'] = '10';
    $Configuration['Plugins']['AddRegistrationQuestion']['SecretCode'] = 'YES';
    $Configuration['Plugins']['AddRegistrationQuestion']['Label'] = 'Human check. Are you human? If so type: YES';
    $Configuration['Plugins']['Cleanser']['Action'] = 'create';
    $Configuration['Plugins']['Cleanser']['MaxRecords'] = '';
    $Configuration['Plugins']['Cleanser']['Offset'] = '';
    $Configuration['Plugins']['Cleanser']['RoleSet'] = '8';
    $Configuration['Plugins']['Cleanser']['IPAddress'] = '';
    $Configuration['Plugins']['Cleanser']['PatternMatch'] = '';
    
    // Routes
    $Configuration['Routes']['DefaultController'] = array('categories', 'Internal');
    
    // Vanilla
    $Configuration['Vanilla']['Version'] = '2.1.3';
    $Configuration['Vanilla']['AdminCheckboxes']['Use'] = TRUE;
    $Configuration['Vanilla']['Discussions']['Layout'] = 'modern';
    $Configuration['Vanilla']['Categories']['Layout'] = 'modern';
    $Configuration['Vanilla']['Categories']['MaxDisplayDepth'] = '4';
    $Configuration['Vanilla']['Categories']['DoHeadings'] = '1';
    $Configuration['Vanilla']['Categories']['HideModule'] = '1';
    
  • peregrineperegrine MVP
    edited September 2014

    the registration config statements looks fine.

    standard installation would have confirm email role as roleid 3

    $Configuration['Garden']['Registration']['ConfirmEmail'] = '1';
    $Configuration['Garden']['Registration']['ConfirmEmailRole'] = '3';

    do you keep on getting bots registering, or are you just trying to figure out something in the past.

    if you still get bots registering - I would make a better registration questions and see if you can track a pattern with RegistrationRestrictLogger

    if you keep on getting bots becoming members thru confirm mail, I would change to to approval status and be more vigilant about reason for joining,

    not sure how to figure out the past, if it was only a one time occurrence unless you scour the access logs.

    and I know nothing about verified or unverified - but linc explained that.

    if you continue to get really weird stuff happening - change your admin passwords, check to see if there are other admins and other roles with user edit privs , which would be 2 of the ways that a role could be changed or added.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • @peregrine, thanks. Let me see how things will go. I'll post if I have news

Sign In or Register to comment.