Security Breach?

[Former Member]

Forum URL: imdb2.freeforums.net/

Hi. Several members have contacted me about this thread:

imdb2.freeforums.net/thread/182317

There are 20 likes on the OP of that thread, but more than one of the members who are listed as having liked that post deny doing it, despite it showing in their activity log as well. Can someone look into this, please? Thanks.

-John

[Former Member]

Can you share the username of the members who are experiencing this issue?

[Former Member]

Aug 13, 2019 13:27:43 GMT -8 @kelvin said:

Can you share the username of the members who are experiencing this issue?

So far, I've heard from these two:

imdb2.freeforums.net/user/2848
imdb2.freeforums.net/user/1411

I have not tried contacting the other 18 yet, but knowing my members and my forum, it's highly unusual. The thread itself is suspect, given all the "thanks" the OP is posting. Something isn't right there.

[Michael]

Hi,

If a like is showing on the post then that means the user liked the post, intentionally or unintentionally.

[Former Member]

Aug 13, 2019 13:35:39 GMT -8 Michael said:

Hi,

If a like is showing on the post then that means the user liked the post, intentionally or unintentionally.

I have no reason to believe 20 people accidentally liked the same post, and the two who contacted me about it are reliable members. At any rate, it seems it was a false alarm. Shortly after starting this thread, I received this PM from my "tech support" guy:

Don't worry, it's not a breach. I checked the board for XSS vulnerabilities (i.e. bugs that would allow users to execute code) a while back. We don't have any.

I did it as a test. I had an idea for using some of the more buried functions Proboards has tucked away for future scripting. I also saw that post and thought that it would be funny.

So it's all on me.

Mystery solved. I'm sorry to have brought this up here, but I appreciate your swift attention.

[bartlesby]

Hello guys.

There's been no breach of security. I have access to the scripting and plugins on Jcarter's site. The reason for the likes was a script I was testing and then removed. I neglected to inform him, for which I apologize. I hadn't expected anybody to suspect a breach in security.

[Michael]

As a suggestion you may want to consider testing on a dedicated testing forum instead of a live forum. Remember forums are free on ProBoards

[Peter]

jcarter

Out of curiosity, I took a quick glance over the custom JavaScript that has been done and discovered a serious XSS vulnerability in some custom JavaScript done specifically for your forum.

Just to make this clear. This vulnerability is not part of the ProBoards software, but a 3rd party JavaScript wrote by you or your dev.

Obviously disclosing this in public isn't a good idea for your forum, so please contact me if you wish and I'll be happy to provide the information with proof of concept.

[Former Member]

Aug 13, 2019 18:05:27 GMT -8 Peter said:

jcarter

Out of curiosity, I took a quick glance over the custom JavaScript that has been done and discovered a serious XSS vulnerability in some custom JavaScript done specifically for your forum.

Just to make this clear. This vulnerability is not part of the ProBoards software, but a 3rd party JavaScript wrote by you or your dev.

Obviously disclosing this in public isn't a good idea for your forum, so please contact me if you wish and I'll be happy to provide the information with proof of concept.

Thanks.

bartlesby

[Peter]

jcarter,

Just letting you know there has been no communication between yourself or the person you tagged, and I'm not going to go out of my way to make contact. This really should have been sorted the day I posted. I understand people get busy, but tagging someone in the hopes they see it is not a good way to solve the issue.

The only reason I am updating you here is because your forum is pretty active, and your members will be the victims.

The chances of someone finding it might be near zero, but why take the risk when it has been reported? The vulnerability was not difficult to find, and I'm not a security specialist. So if I found it, am sure someone with some motivation could also find it.

It's disappointing when things like this are ignored / passed along and not took serious. Whereas at the end of the day this could effect your whole forum.

[Former Member]

Aug 19, 2019 4:32:58 GMT -8 Peter said:

jcarter,

Just letting you know there has been no communication between yourself or the person you tagged, and I'm not going to go out of my way to make contact. This really should have been sorted the day I posted. I understand people get busy, but tagging someone in the hopes they see it is not a good way to solve the issue.

The only reason I am updating you here is because your forum is pretty active, and your members will be the victims.

The chances of someone finding it might be near zero, but why take the risk when it has been reported? The vulnerability was not difficult to find, and I'm not a security specialist. So if I found it, am sure someone with some motivation could also find it.

It's disappointing when things like this are ignored / passed along and not took serious. Whereas at the end of the day this could effect your whole forum.

I had forgotten about this. Thanks for the reminder. Your assistance in this matter is greatly appreciated. Please PM the details of the vulnerability to me and we'll get it patched up. Thank you, Peter.

-John

[Michael]

Aug 19, 2019 13:32:02 GMT -8 jcarter said:

Aug 19, 2019 4:32:58 GMT -8 Peter said:

jcarter ,

Just letting you know there has been no communication between yourself or the person you tagged, and I'm not going to go out of my way to make contact. This really should have been sorted the day I posted. I understand people get busy, but tagging someone in the hopes they see it is not a good way to solve the issue.

The only reason I am updating you here is because your forum is pretty active, and your members will be the victims.

The chances of someone finding it might be near zero, but why take the risk when it has been reported? The vulnerability was not difficult to find, and I'm not a security specialist. So if I found it, am sure someone with some motivation could also find it.

It's disappointing when things like this are ignored / passed along and not took serious. Whereas at the end of the day this could effect your whole forum.

I had forgotten about this. Thanks for the reminder. Your assistance in this matter is greatly appreciated. Please PM the details of the vulnerability to me and we'll get it patched up. Thank you, Peter .

-John

You should probably PM him yourself. Please see that this is taken care of promptly.

[Former Member]

Aug 19, 2019 13:40:06 GMT -8 Michael said:

Aug 19, 2019 13:32:02 GMT -8 jcarter said:

I had forgotten about this. Thanks for the reminder. Your assistance in this matter is greatly appreciated. Please PM the details of the vulnerability to me and we'll get it patched up. Thank you, Peter .

-John

You should probably PM him yourself. Please see that this is taken care of promptly.

Done. Thanks.