HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Protect against hijacking.

Hi,
I`m switchting to Vanilla from phpBB3. My last messageboard was hijacked more or less by some piratecompanies in Russia, China and Korea mainly.3000 "different" users = adresses. To reach my messageboard you were supposed to register and log in at my memberpages (none of these users did) and then there was a link to the messageboard where you also had to register and log in. I found out that you could bypass the member-part if you just wrote: http://xxxxx.zz/phpBB3 . Inoticed that it works the same way with Vanilla. How do I stop someone from reaching Vanillamessageboard without first becoming a member and then reach the messageboard from the memberpart of my site?
Can anyone help me and I hope this is the wright category. I think it might be aquestion of localization of Vanilla.

Best Answers

Answers

  • businessdadbusinessdad Stealth contributor MVP

    @Luckycat said:
    I found out that you could bypass the member-part if you just wrote: http://xxxxx.zz/phpBB3 . I noticed that it works the same way with Vanilla.

    What do you mean with that? Could you please make an example?

  • You should only be able to reach the messageboard from a link at my membersection (You have to register and log in before reaching the membersection at my site). It will be like doublesafty= You have to register twice before using the messageboard. I do not want anymore russian, chinese IP:s to be able to go straight to my messageboard like typing: http//mydomain.xx/vanilla/
    Luckycat

  • 422422 Developer MVP

    then ban them via country ip ( isnt a failsafe model ) but dooable. Also set requires approval by admin before they can proceed on the forums.

    There was an error rendering this rich post.

  • Thanks 422,
    But I did use "approval" when i used phpBB3 but somehow they bypassed that and register at my membersection. In 3 weeks I had 0ver 6000 posts. I had blocked email and got about 2500 "Delivery failed/delayed in my mailbox. So I am
    " a little cautious" now. I want to embed vanilla on a page at my membersection and stop someone going directly to vanilla the way I mentioned.

  • It is about setting it up correctly. You also probably want something like botstop, for the membership requests.

    You can also benefit from some the cdn security services, which are somewhat more intelligent that most people can achieve on their own.

    grep is your friend.

  • if you don't want non-members to view profile, you don't give guests profile permissions.

    grep is your friend.

  • Many thanks x00,
    It seems like "botstop" is the answer to my problem. If you should have the time you could check - byairmail.eu - there is a memberpart under BAM-menu That`s where I would like it to be the only chans to reach vanilla. I have vanilla at my server but it is not registered yet. Once more thanks for the tip about botstop. Anything special I should think about when installing it?

  • businessdadbusinessdad Stealth contributor MVP

    I think that there's something misconfigured on your setup. If I type "byairmail.eu/vanilla" I get Vanilla Setup page.

  • Hello businessdad,
    I have not registered vanilla at this server yet. I only put the vanilla catalogue there. But as you noticed you can bypass everything by typing http://mydomain.zz/vanilla/ and thatwhat I do not want. You should only reach vanilla via register at BAMs memberpages. You can try: byairmail.net where I have vanilla up and running incl. botstop at least I put it up. I hope to hear from you.

  • sorry what do you mean bypass? I think there is some confusion. What is it you don't want them to access, and is you forum installed in web root or in a folder.

    A webmaster is still responsible for securing a site, no script can do that on its own.

    grep is your friend.

  • With bypass I mean that you can type: http://anydomainname.zzz/vanilla/ and reach the vanillaforum. ( There is no link to the forum at website other than at the memberpages - You have to register and log in to get to the membersection). That is what I mean with bypassing. So when you type: http://anydomainname.zzz/vanilla/ you must have done some research with the intention to Hijack,use the forum for spam and son. That is what iwant to prevent.
    The website; http://byairmail.net is a testsite except fot the store.
    The Vanilla folder is in the root as are the website-files. (-html + php-files).

  • Can I recommend you not to worry about ppl reaching your forum that way? Second thing is that when you install Vanilla in another directory, people will have difficulty finding the direct link (that's what you mean, you don't want the ppl to reach your forum using the direct link to Vanilla).
    Install vanilla in http://anydomainname.zzz/thisismyforum/ and the bad people can not easily guess that address...

    Vanilla is better protected against 'hijackers' than phpBB, I know that's a dangerous thing for me to say, but botstop does its work correctly and there's a couple of other plugins that are nice. Have fun using Vanilla!

    There was an error rendering this rich post.

  • their is a plugin
    http://vanillaforums.org/addon/privatecommunity-plugin

    which gives you a private community

    ther is more lock down you can do. Some plugin may need block exceptions to work.

    grep is your friend.

  • short of at server level detecting the precedence of cookie, you may not completely prevent sniffing. The point is that sniffing is only sniffing, and not more than that.

    grep is your friend.

  • Hello,
    TO ALL OF YOU who helped me with this problem.
    THANKS!!!
    You have been of great help to solve my issue.
    Luckycat

Sign In or Register to comment.